TCP_MISS/503



  • Hello everyone,

    we recently switched to using pfSense with squid as transparent proxy server.

    We're facing some issues with specific sites (plain http) that return error :

    The following error was encountered while trying to retrieve the URL: http://<public ip>:8080/
    Connection to <public ip> failed.
    The system returned: (60) Operation timed out
    The remote host or network may be down. Please try the request again.

    Squid's access.log shows a TCP_MISS/503 error.

    I've tried the following settings:

    • Added my IP to "Bypass Proxy for These Source IPs" - not working
    • Added the public IP to "Bypass Proxy for These Destination IPs" - not working
    • "Prefer IPv4 over IPv6" is checked

    Any ideas on how to make this work?

    Thanks in advance,
    Pavlos



  • First you need to figure out what the actual problem is first before you can fix it. What does your squid realtime log say at the moment that this error happens?



  • @kom As already stated, realtime monitor shows the TCP_MISS/503 error status.



  • I saw that but I was hoping there was more. A MISS is very common. I assume it works fine when not going though squid? You may have to modify your Integrations to add debug options to get more log detail.

    http://www.squid-cache.org/Doc/config/debug_options/



  • @pavlos-g
    Is there HTTP to HTTPS redirect ?



  • @rootvallum No, it's plain http with no redirection to https.



  • @kom Actually the MISS part seems to be ok, cause ASAIK it means that the content requested is just not cached.
    The real problem is the 503 part.



  • The 503 is the MISS and it's not an error. It has nothing to do with your problem.



  • @kom ummm no. The 503 is NOT anything to due with squid itself. Squid reports a "tag" to tell you something about the action or result of a request from its end (i.e. TCP_MISS or TCP_TUNNEL or TCP_NONE) and also the HTTP error code (in this case 503). That is a standard HTTP code that means "Service Unavailable" which means the site that it tried to load did not work (for whatever reason).

    @pavlos-g I would suggest testing without the proxy (mobile device or something not going through your firewall) and confirm the site is not down.



  • @pavlos-g Also, there is a setting in Squid on the general tab that says "Resolve DNS IPv4 First" that can help with some issues especially if you are blocking IPv6. Without more detail into your configuration and the specific site in question maybe you could check that setting as well. This is all also assuming the site is working on a device that is not going through the proxy



  • @onyxfire It's already set, didn't help either. Thanks for the tip though ;)



  • @pavlos-g said in TCP_MISS/503:

    @rootvallum No, it's plain http with no redirection to https.

    By any chance destination web-server is on Microsoft IIS ?



  • @rootvallum Nope, the response i got is Apache-Coyote/1.1


Log in to reply