Netgate Discussion Forum

    Squid proxy - intermittent outage

    Cache/Proxy
      michmoor LAYER 8 Rebel Alliance
      last edited by michmoor

      Hello all,
      I'm having a few issues with Squid Proxy and maybe by extension SquidGuard, but not likely.
      I am running in transparent mode with SSL FILTERING / Splice All enabled. I have this setting on multiple interfaces.
      Problem 1: Randomly, SSL websites or applications (Zoom) will stop working. Squid logs do not point to anything in particular but to be honest, not sure how to read it. After a few seconds, connections reestablish and I'm online.

      2. One of my machines connects to the remote office through GlobalProtect (PA). If I do not connect to GlobalProtect, Teams and Outlook (O365) work fine. Once I connect to the VPN, both applications lose connectivity. Not sure why, but it's related to enabling the VPN.

      3. One of my interfaces is another network for wireless. To be clear, I have 2x wireless networks, 5G and 2G, let's call them. When I switch to 5G, web browsing is absolutely no issue. Once I switch to 2G I can't visit any website. SSL protocol error. This is very odd as 2G and 5G have the same setting - both set up for SSL Intercept.

      Ultimately using Squid was a test case but I do have a desire to keep it running. The solution to all of the above problems is to disable Squid.

      edit: Solved problem 3.
      SquidGuard Groups ACL. You must add each interface or VLAN there and whitelist or blacklist your domains, otherwise it's treated as a blacklist All. This is not noted in the Netgate documentation but it sort of should be. If you use Groups ACL it's not enough to just add an interface or group, you must add all the interfaces that will be using the firewall for proxy. To be clear, this advice is given under the Squid documentation but it's not clear if it should be done under SquidGuard - it should.

      edit: Solved problem 2. Created a bypass for this one client in the HTTP Transparent proxy settings. Not sure why the proxy fails on this client. The VPN puts the client in a split-tunnel scenario. DNS requests are answered by the corporate firewall at HQ but internet browsing is done locally.

      Problem 1 is still an intermittent issue. Random sites such as forum.netgate.com and Zoom calls would just suddenly stop working. A few seconds later it's working again.

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise
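
A way to check the point from the Problem 3 edit, as an added example that is not part of the original post or Netgate's code: it parses squidGuard.conf-style text and lists proxied networks that match no `src` group and therefore get the `default` rule. The config text, interface names and subnets are constructed, and only CIDR or netmask `ip` entries are handled (no address ranges).

```python
import ipaddress
import re

# Constructed sample in squidGuard.conf syntax (not taken from the post).
SAMPLE_CONF = """
src wifi_5g {
    ip 192.168.50.0/24
}
acl {
    wifi_5g {
        pass all
    }
    default {
        pass none
    }
}
"""

# Constructed map of interfaces whose traffic is sent through the proxy.
PROXIED_NETS = {"WIFI_5G": "192.168.50.0/24", "WIFI_2G": "192.168.20.0/24"}

def parse_sources(conf):
    """Return {source_name: [ip_network, ...]} from 'src NAME { ip ... }' blocks."""
    sources = {}
    for name, body in re.findall(r"^\s*src\s+(\S+)\s*\{([^}]*)\}", conf, re.M):
        nets = []
        for line in body.splitlines():
            parts = line.split()
            if parts and parts[0] == "ip":
                nets += [ipaddress.ip_network(p, strict=False) for p in parts[1:]]
        sources[name] = nets
    return sources

def default_rule(conf):
    """Return the pass rule of the 'default' block inside 'acl { ... }'."""
    m = re.search(r"default\s*\{[^}]*?pass\s+([^\n}]+)", conf)
    return m.group(1).strip() if m else None

def uncovered(conf, proxied):
    """Interfaces whose subnet is inside no src block, so 'default' applies."""
    nets = [n for group in parse_sources(conf).values() for n in group]
    return sorted(
        iface for iface, cidr in proxied.items()
        if not any(ipaddress.ip_network(cidr).subnet_of(n) for n in nets)
    )

if __name__ == "__main__":
    for iface in uncovered(SAMPLE_CONF, PROXIED_NETS):
        print(f"{iface}: no source group, gets default 'pass {default_rule(SAMPLE_CONF)}'")
```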

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.