HTTP - Server Timeouts



  • I've posted this previously in the Packages group, with no responses.  Thiought I'd try the general group, if this fails may stump for commercial support…..

    We have a pfSense 2.1 firewall, running Squid 2.6.18.1_07.  The unit has one lan, two load-balanced wan interfaces and a third enabled interface (bridged with LAN) that connects to an external VPN device.

    Occasionally http connections to certain servers on the VPN connection fail with server timeout messages from Squid.  We are able to ping the servers over the VPN, even though the we get HTTP time outs.  If we disable/enable the VPN connected interface http connectivity is restored to the sites.

    Has anyone come across this type of issue before or have any suggestions as to a possible solution.

    Andy



  • If restarting the VPN solves the problem then it's unlikely to be Squid related.  The problem is most likely network related, though without packet captures (at both ends) it'll be hard to say.



  • I would only be able to get a packet capture from one end of the connection (pfSense).

    What level of packet capture be useful?



  • The far end is the important bit.  What you do is to put a packet capture device on the far end, configured to log traffic to the web servers on HTTP.  When you get the timeouts you can check the capture and see if the packets made it through the VPN.

    If they did, your problem is at the far end.  If they didn't, the problem is before that point and you can repeat the process at the near side of the VPN link.



  • I see what you mean, unfortunately it's not possible to packet capture at the remote end.

    If I capure in pfSense, with a Count of 0, will it loop the logs at a certain point? Also, will these logs be any use to me for examination?

    Andy



  • Not sure about the packet capture in pfSense.  Captures from that end may help, they may not.  If it's all you can do then it's worth trying.



  • I run some network monitoring software  (Hobbit), that I should be able to perform some captures from.

    I'll have a check on Monday.



  • Umm, Hobbit (now Xymon) is for monitoring the health of systems, not performing packet captures.  Indeed, it has no packet capture facilities.



  • Sorry, I meant that I would run a capture from the system that's running Hobbit.

    PS - Didn't realise that Hobbit is now Xymon - I'll look at the new version :)


Log in to reply