Re: [squid-users] Squid TCP_MISS/502

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 28 Jan 2010 00:01:16 +1300

Dawie Pretorius wrote:
> Hello Amos
>
> Here is the output that you required, please accept my apologies for sending this so late.

<snip>
> 2010/01/27 11:49:28.770| httpBuildRequestHeader: Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAIgAAAAYABgAoAAAABAAEABIAAAAHgAeAFgAAAASABIAdgAAAAAAAAC4AAAABYKIogUBKAoAAAAPVABCAEEARgBSAEkAQwBBAGQAYQB3AGkAZQAuAHAAcgBlAHQAbwByAGkAdQBzAEQAQQBXAEkARQBQAC0ATABUAJAlDcVFx5d7AAAAAAAAAAAAAAAAAAAAAGbCKlx2YoJXXKoFml2B890s8ifalh6QmA==
> 2010/01/27 11:49:28.770| httpSendRequest: FD 174:
> GET http://old.nabble.com/Linux-mod_auth_ntlm_winbind-and-TortoiseSVN-td19756507.html HTTP/1.0
> Host: old.nabble.com
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-gb,en;q=0.5
> Accept-Encoding: identity,gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Referer: http://www.google.co.za/url?sa=t&source=web&ct=res&cd=7&ved=0CBkQFjAG&url=http%3A%2F%2Fold.nabble.com%2FLinux-mod_auth_ntlm_winbind-and-TortoiseSVN-td19756507.html&rct=j&q=libsmb%2Fntlmssp.c%3Antlmssp_update(334)+++got+NTLMSSP+command+3%2C+expected+1&ei=RgtgS8nyC5Cx4Qad54j1Cw&usg=AFQjCNFRdfKkzLzhmxGgQpNDXJs-jiOwNg
> Cookie: __qca=P0-1811217371-1264161407178; anonymousId=joe-181842; tview=classic; customStyle=10677; searchterms=libsmb%7Cntlmssp%7Cc%7Cntlmssp_update%7C334%7Cgot%7CNTLMSSP%7Ccommand%7C3%7Cexpected%7C1; JSESSIONID=127r1nirx8s9t; prev=%3Cbig%3E%3Ca%20id%3D%22nabble.prev_search%22%20href%3D%22/forum/Search.jtp%3Fquery%3Dlibsmb%252Fntlmssp.c%253Antlmssp_update%28334%29%2520%2520%2520got%2520NTLMSSP%2520command%25203%252C%2520expected%25201%22%3ESearch%20Nabble%20for%20%22%3Cb%3Elibsmb/ntlmssp.c%3Antlmssp_update%28334%29%20%20%20got%20NTLMSSP%20command%203%2C%20expected%201%3C/b%3E%22%3C/a%3E; channels=4893802913; __utma=151598183.1597776309.1264578545.1264578545.1264585654.2; __utmc=151598183; __utmz=151598183.1264585654.2.2.utmccn=(organic)|utmcsr=google|utmctr=libsmb%2Fntlmssp.c%3Antlmssp_update(334)+++got+NTLMSSP+command+3%2C+expected+1|utmcmd=organic; tview=dump; __utmb=151598183; v=x
> If-Modified-Since: Wed, 27 Jan 2010 08:37:19 GMT
> If-None-Match: 11:19756507~1:10677~1:10676~1:10547
> Via: 1.0 ZATBIMPROXY02 (squid/3.0.STABLE10)
> X-Forwarded-For: unknown
> Cache-Control: max-age=0
>
>
> 2010/01/27 11:49:28.770| httpSendComplete: FD 174: size 1879: errflag 0.
> [2010/01/27 11:51:28, 1] libsmb/ntlmssp.c:ntlmssp_update(334)
> got NTLMSSP command 3, expected 1
>
>
> I have noticed that I'm getting this error in my cache.log:
>
> [2010/01/27 11:53:40, 1] libsmb/ntlmssp.c:ntlmssp_update(334)
> got NTLMSSP command 3, expected 1
>
> Please can you tell me what this is and how to correct this?

Aha. Yes.
The NTLM/SSPI library built into the NTLM helper is dying when receiving
that NTLM blob. I've seen that command 3, expected 1 before and think
it's related to NTLMv1/NTLMv2 support.

I'm afraid you may need to rebuild your Squid with a newer ntlmssp
library. While you are doing that you may as well build a current
release and get away from some of the NTLM handling bugs we solved in
3.0.STABLE19+.

Amos

>
> Dawie Pretorius
>
>
> -----Original Message-----
> From: Dawie Pretorius
> Sent: 21 January 2010 07:28 AM
> To: 'Amos Jeffries'; squid-users_at_squid-cache.org
> Subject: RE: [squid-users] Squid TCP_MISS/502
>
> Hello Amos
>
> We have a Windows internal DNS server, I used those DNS servers to resolve my IPs.
>
> I changed the dns_nameserver to my ISP dns servers, and the problem went away, loaded ads and the complete page.
>
> I tried this morning early before most of the staff came in to replicate the problem, but to no avail.
>
> I will try again when the office is busy again. Will send you the logs asap.
>
> Regards,
>
> Dawie Pretorius wrote:
>> Hello Amos
>>
>> The problem was DNS, my apologies for wasting your time.
>
> ? how so?
>
>> "Meanwhile can you add debug_options 11,9 to your squid.conf and run a
>> test please. The resulting cache.log file will have a lot of garbage,
>> but amongst that some messages about what headers were received back
>> and what happened in the processing"
>>
>> I can still run this for you and send you the output?
>
> I think yes. I'm intrigued how that came out of a DNS problem.
> I'd expect connection or DNS errors to show up.
>
> Amos.
>
>> Again thanks! :D
>>
>> Regards
>> Dawie
>>
>>
>>
>>
>> Dawie Pretorius wrote:
>>> Hello Amos
>>>
>>> Thanks for coming back to me,
>>>
>>> I upgraded to squid Beta Squid 3.1.0.15, /var/log/squid/access.log now has this error:
>>>
>>> 1263975667.799 92 172.16.9.158 TCP_MISS/302 1361 GET http://googleads.g.doubleclick.net/pagead/ads? Xxxxxxxxxxxxxxx DIRECT/72.14.204.154 text/html
>> <snip repeats>
>>
>> 302 with that content? That's a not-modified response from the server.
>>
>>> Here is the cache.log
>>>
>> <snip>
>>
>> Not even a hint of problems.
>>
>>> Here is the page that I get back from the browser:
>>>
>>> ERROR
>>> The requested URL could not be retrieved
>>>
>>> Invalid Response error was encountered while trying to process the request:
>>>
>>> GET
>>> /pagead/ads?client=ca-pub-7266757337600734&format=336x280_as&output=h
>>> tml&h=280&w=336&lmt=1199983288&channel=5629109116%2B6771450170%2B2275
>>> 486144&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fwww.mail-arch
>>> ive.com%2Fblank.png&color_bg=FFFFFF&color_border=FFFFFF&color_link=00
>>> 6792&color_text=000000&color_url=006792&flash=10.0.32&url=http%3A%2F%
>>> 2Fwww.mail-archive.com%2Fsquid-users%40squid-cache.org%2Fmsg51945.htm
>>> l&dt=1263975312151&correlator=1263975312153&frm=0&ga_vid=866186005.12
>>> 63975312&ga_sid=1263975312&ga_hid=523487483&ga_fc=0&u_tz=120&u_his=1&
>>> u_java=0&u_h=1024&u_w=1280&u_ah=1024&u_aw=1280&u_cd=32&u_nplug=8&u_nm
>>> ime=24&biw=1280&bih=862&ref=http%3A%2F%2Fwww.google.co.za%2Furl%3Fsa%
>>> 3Dt%26source%3Dweb%26ct%3Dres%26cd%3D1%26ved%3D0CAcQFjAA%26url%3Dhttp
>>> %253A%252F%252Fwww.mail-archive.com%252Fsquid-users%2540squid-cache.o
>>> rg%252Fmsg51945.html%26rct%3Dj%26q%3DTCP_MISS%252F502%2Bsquid%26ei%3D
>>> V7tWS7yqK4S9lAeP-dz3Aw%26usg%3DAFQjCNGZUlUd4iFBeTKD1KXThtG3w31cLQ&fu=
>>> 0&ifi=1&dtd=31&xpc=WgwVHxdvOD&p=http%3A//www.mail-archive.com HTTP/1.1
>>> Host: googleads.g.doubleclick.net
>>> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)
>>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>> Accept-Language: en-gb,en;q=0.5
>>> Accept-Encoding: gzip,deflate
>>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>>> Keep-Alive: 300
>>> Proxy-Connection: keep-alive
>>> Referer: http://www.mail-archive.com/squid-users@squid-cache.org/msg51945.html
>>> Cookie: test_cookie=CheckForPermission; id=22ac216e0800009b||t=1263975130|et=730|cs=mr_u8kmr
>>> Proxy-Authorization: NTLM
>>> TlRMTVNTUAADAAAAGAAYAIgAAAAYABgAoAAAABAAEABIAAAAHgAeAFgAAAASABIAdgAAA
>>> AAAAAC4AAAABYKIogUBKAoAAAAPVABCAEEARgBSAEkAQwBBAGQAYQB3AGkAZQAuAHAAcg
>>> BlAHQAbwByAGkAdQBzAEQAQQBXAEkARQBQAC0ATABUACncpJrZCLgCAAAAAAAAAAAAAAA
>>> AAAAAAOpZoYZfwwoauJ0u1F2AVKjAm/c35ZRlVw==
>>>
>>> The HTTP Response message received from the contacted server could not be understood or was otherwise malformed. Please contact the site operator.
>>>
>>> Your cache administrator may be able to provide you with more details about the exact nature of the problem if needed.
>>>
>>> Your cache administrator is webmaster.
>>>
>>> Generated Wed, 20 Jan 2010 08:19:13 GMT by XXXXXXXXXXXXX
>>> (squid/3.1.0.15)
>>>
>>> Is this something in squid causing this? Or is this something on the network?
>>> If you are not getting these errors, then this has to be something
>>> on my side?
>>
>> I'm not sure at this point.
>> There is no indication yet what error Squid thinks exists in the reply.
>>
>> Comparing the two error pages it looks like 3.0 was barfing on the
>> Cookie. 3.1 seems to find something else.
>>
>> I'm adding some debug to Squid permanently that should help track
>> these down in future.
>>
>> Meanwhile can you add debug_options 11,9 to your squid.conf and run a
>> test please. The resulting cache.log file will have a lot of garbage,
>> but amongst that some messages about what headers were received back
>> and what happened in the processing.
>>
>> Amos
>
>
> --
> Please be using
> Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
> Current Beta Squid 3.1.0.15

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
   Current Beta Squid 3.1.0.15
Received on Wed Jan 27 2010 - 11:01:30 MST
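
Added example (not part of the original thread, and not Squid or Samba code): in NTLMSSP numbering, message type 1 is NEGOTIATE and type 3 is AUTHENTICATE, so the logged "got NTLMSSP command 3, expected 1" says the helper was handed an AUTHENTICATE token while waiting for a NEGOTIATE. The sketch below reads the message type and NT response length from a Proxy-Authorization value; the function names and the sample tokens (EXAMPLE, alice, WS01) are constructed for illustration.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def _buffer(msg, pos):
    """Return the payload of the (len, maxlen, offset) security buffer at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def describe_ntlm(header_value):
    """Summarise the token of a 'Proxy-Authorization: NTLM <base64>' value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token.strip():
        raise ValueError("not an NTLM credential")
    msg = base64.b64decode(token.strip(), validate=True)
    if len(msg) < 12 or not msg.startswith(SIGNATURE):
        raise ValueError("missing NTLMSSP signature")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    info = {"type": mtype, "name": NAMES.get(mtype, "UNKNOWN")}
    if mtype == 3 and len(msg) >= 64:
        # Type 3 layout: LM resp @12, NT resp @20, domain @28, user @36,
        # workstation @44, session key @52, negotiate flags @60.
        enc = "utf-16-le" if struct.unpack_from("<I", msg, 60)[0] & 1 else "latin-1"
        nt_len = len(_buffer(msg, 20))
        info["nt_response_len"] = nt_len
        # A 24-byte NT response is the NTLMv1 form; NTLMv2 responses are longer.
        info["style"] = ("NTLMv1-size" if nt_len == 24
                         else "NTLMv2-size" if nt_len > 24 else "none")
        for key, pos in (("domain", 28), ("user", 36), ("workstation", 44)):
            info[key] = _buffer(msg, pos).decode(enc, errors="replace")
    return info

def build_sample_type1():
    """Constructed sample: minimal Type 1 message with empty name buffers."""
    return "NTLM " + base64.b64encode(
        SIGNATURE + struct.pack("<II", 1, 0x1) + bytes(16)).decode()

def build_sample_type3(domain, user, workstation, nt_len):
    """Constructed sample: Type 3 message with zero-filled responses."""
    parts = [bytes(24), bytes(nt_len)] + [
        s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    head, payload = SIGNATURE + struct.pack("<I", 3), b""
    for part in parts:
        head += struct.pack("<HHI", len(part), len(part), 64 + len(payload))
        payload += part
    head += struct.pack("<I", 0x1)  # NTLMSSP_NEGOTIATE_UNICODE
    return "NTLM " + base64.b64encode(head + payload).decode()
```

A Type 3 token carries the domain, user and workstation names in readable form alongside the challenge responses, so Proxy-Authorization lines in debug_options 11,9 output are worth redacting before a log is posted.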