ICAP Protocol Error

eligiable · Jul 26, 2017, 7:11 AM

Hi There
I'm running pfSense since very long time, and now the subjected issue started since a month.

I've tried multiple options, but no luck, the following is my configuration:

pfSense Version 2.3.4-RELEASE-p1
Intel Core i5 - 3 GHz
4 GB RAM (and it's not even crossing 50%)
500 GB HDD

Squid 0.4.37 with C-ICAP and CalmAV enabled

Transparent Proxy (only on HTTP)
No Remote Cache

Kindly help me in this regard.
Thanx in Advance.

Bismarck · Aug 1, 2017, 5:16 AM

Same problem here, the issue started since a month as well.

Nothing to find in the logs, it just happens at random times.

2.3.4-RELEASE-p1 (amd64)
built on Fri Jul 14 14:52:43 CDT 2017
FreeBSD 10.3-RELEASE-p19

Squid Version 3.5.26, ClamAV 0.99.2_3, C-ICAP 0.4.4,2 + SquidClamav 6.16

2x Intel(R) Xeon(R) CPU X5570 @ 2.93GHz
32 GB ECC RAM
600 GB HDD Raid 10

Temporary workaround is to set bypass=on, so at least the users don't get annoyed by the "ICAP Protocol Error" message.

CheesePatrol · Aug 30, 2017, 4:09 AM

Same here, randomly happened to me tonight. Updating SquidAV seemed to have resolved the issue. From some quick Googling, it looks like a number of people have experienced this issue but there isn't a real solution nor a reason why this occurs.

ccdmas · Sep 4, 2017, 9:43 AM

Here's a "me too".

However, I can sort of duplicate the problem or pinpoint at least one cause of it. I recently changed the proxy configuration of our email security gateway from our previous proxy to squid on PfSense, and since then the issue happens at least every second day, and apparently when the email gateway updates it's AV definition files via the proxy.

Interestingly, restarting clamav or ICAP doesn't help solving the issue, the only way to get it up again is to restart squid as a whole.

doktornotor · Sep 4, 2017, 10:46 AM

@ccdmas:

and apparently when the email gateway updates it's AV definition files via the proxy.

Ugh. You should NOT download antivirus defs via the proxy with ClamAV in the first place. It will trigger false positives and cause other issues.

ccdmas · Sep 4, 2017, 2:51 PM

Quite seriously: You need to see more of the real world out there. LOading AV defs through a http proxy is absolutely normal every day business everywhere. Are you saying to die until restart is acceptable behaviour? ::)

kuberan · Nov 28, 2017, 3:48 PM

I also have the same issue, where do you turn on ByPass?

lutel · Jan 31, 2018, 7:40 AM

Same issue here, squid at random times can no longer connect to ICAP. Any ideas what could it be?

imp · Jul 24, 2018, 8:15 PM

Same here, re-appearing in 2.4.3-RELEASE-p1 on a Netgate SG-3100. Looks to me too high i/o(???)

PFSense installed on 'thrid party' pc hardware works normally.
Restarting ClamAV works for some hours and then protocol errors appear again.
Updating ClamAV once a day lowered to once a week -> no difference
Bypassing will prevent this ICAP protocol error but is not really a solution.

Thanks,
Imp