Hi
I am experiencing an intermittent but quite frequent problem when load testing a transparent proxy (squid) (with hundreds of connections).
I would welcome any advice on what I might be doing wrong.
The end result is that there are a lot of:
* server-side connections left in TIME_WAIT state
* client-side connections left in LAST_ACK state
I am using iptables to:
* redirect/tproxy incoming port 80 traffic to port 3129
* set a mark on outgoing port 80 traffic (for routing)
I also use the TRACE target in the raw table to log the packet paths.
The problem seems to arise when the server initiates the close of the connection.
In that case, the trace output shows:
1. the FIN from the server passing through the mangle:OUTPUT, filter:OUTPUT and filter:POSTROUTING tables
2. a FIN/ACK from the client arriving and passing through mangle:PREROUTING, mangle:INPUT and filter:INPUT tables
3. a final ACK from the server passing through the mangle:OUTPUT table but getting no further.
Steps 2 & 3 are repeated as the client resends its unacknowledged FIN.
I am attaching the packet trace for one instance of this problem, extracted from /var/log/messages.
I have used tcpdump on both client and server and confirmed that the final ACK never leaves the server.
I have enabled logging of invalid packets, but am not seeing any reports.
This problem is happening on Fedora 14 - 2.6.35.14-103.fc14.x86_64, with iptables v1.4.9.
I don't see the problem with non-transparent connections.
I am also attaching iptables rules for the mangle table and tcp-related sysctl settings.
Regards
Simon
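The following is an added example, not part of Simon's post or of the attachments he mentions: a small Python script that reconstructs per-packet chain paths from iptables TRACE lines of the kind his raw-table rule writes to /var/log/messages, and flags packets whose path stops before a terminal chain (INPUT for locally delivered packets, POSTROUTING for packets leaving the box). It assumes the standard TRACE line shape ("TRACE: table:chain:rule|return|policy:N" followed by the usual LOG fields) and uses the IP ID together with the 4-tuple as the packet identity; the sample log lines, addresses, ports and IDs are constructed to mirror the three-step sequence described above.

```python
"""Reconstruct per-packet netfilter paths from iptables TRACE log lines.

Added example (not from the original post).  TRACE writes one line for every
table:chain a marked packet enters, so grouping lines by packet shows the path
each packet took, and a path that ends before INPUT or POSTROUTING means the
packet was dropped before reaching the next hook.
"""
import re
from collections import OrderedDict

# Prefix written by the TRACE target, followed by the LOG-style fields.
TRACE_RE = re.compile(
    r"TRACE: (?P<table>\w+):(?P<chain>\w+):(?P<kind>rule|return|policy):"
    r"(?P<rulenum>\d+) (?P<fields>.*)$"
)
FIELD_RE = re.compile(r"\b(\w+)=(\S*)")
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")
# A packet netfilter accepted is last seen being delivered locally (INPUT)
# or leaving the host (POSTROUTING); anything else is a stalled path.
TERMINAL_CHAINS = ("INPUT", "POSTROUTING")


def parse_trace_line(line):
    """Return (packet_key, table:chain, tcp_flags) or None for a non-TRACE line."""
    m = TRACE_RE.search(line)
    if m is None:
        return None
    fields_text = m.group("fields")
    fields = dict(FIELD_RE.findall(fields_text))
    # Flags are bare tokens (e.g. "ACK FIN"), not KEY=VALUE pairs.
    flags = tuple(tok for tok in fields_text.split() if tok in TCP_FLAGS)
    # Assumption: IP ID plus the 4-tuple identifies one packet; a retransmission
    # carries a new ID and therefore shows up as a separate path.
    key = (fields.get("SRC"), fields.get("DST"), fields.get("PROTO"),
           fields.get("SPT"), fields.get("DPT"), fields.get("ID"))
    return key, "%s:%s" % (m.group("table"), m.group("chain")), flags


def reconstruct_paths(lines):
    """Group TRACE lines into per-packet paths, keeping first-seen order."""
    paths = OrderedDict()
    for line in lines:
        parsed = parse_trace_line(line)
        if parsed is None:
            continue
        key, hop, flags = parsed
        paths.setdefault(key, {"flags": flags, "path": []})["path"].append(hop)
    return paths


def find_stalled(paths):
    """Return [(key, flags, path)] for packets whose last hop is not terminal."""
    stalled = []
    for key, entry in paths.items():
        chain = entry["path"][-1].split(":")[1]
        if chain not in TERMINAL_CHAINS:
            stalled.append((key, entry["flags"], entry["path"]))
    return stalled


def _line(hop, direction, ident, flags):
    """Constructed syslog line in the shape of the kernel's TRACE output."""
    if direction == "out":
        io, src, dst, spt, dpt = "IN= OUT=eth0", "192.0.2.10", "198.51.100.5", "80", "40000"
    else:
        io, src, dst, spt, dpt = "IN=eth0 OUT=", "198.51.100.5", "192.0.2.10", "40000", "80"
    return ("Nov  1 12:00:00 proxy kernel: TRACE: %s %s SRC=%s DST=%s LEN=52 TOS=0x00 "
            "PREC=0x00 TTL=64 ID=%s DF PROTO=TCP SPT=%s DPT=%s WINDOW=227 RES=0x00 %s URGP=0"
            % (hop, io, src, dst, ident, spt, dpt, flags))


# Constructed sample mirroring the post: server FIN (complete), client FIN/ACK
# (complete), server's final ACK (stops after mangle:OUTPUT).
SAMPLE_LOG = [
    _line("raw:OUTPUT:rule:1", "out", 1001, "ACK FIN"),
    _line("mangle:OUTPUT:policy:4", "out", 1001, "ACK FIN"),
    _line("filter:OUTPUT:policy:1", "out", 1001, "ACK FIN"),
    _line("mangle:POSTROUTING:policy:1", "out", 1001, "ACK FIN"),
    _line("raw:PREROUTING:rule:1", "in", 2001, "ACK FIN"),
    _line("mangle:PREROUTING:rule:3", "in", 2001, "ACK FIN"),
    _line("mangle:INPUT:policy:1", "in", 2001, "ACK FIN"),
    _line("filter:INPUT:rule:2", "in", 2001, "ACK FIN"),
    _line("raw:OUTPUT:rule:1", "out", 1002, "ACK"),
    _line("mangle:OUTPUT:policy:4", "out", 1002, "ACK"),
]

if __name__ == "__main__":
    import sys
    # Usage: python trace_paths.py < /var/log/messages   (or no stdin: run the sample)
    lines = sys.stdin.readlines() if not sys.stdin.isatty() else SAMPLE_LOG
    for key, flags, path in find_stalled(reconstruct_paths(lines)):
        print("%s:%s -> %s:%s id=%s %s stalled after %s"
              % (key[0], key[3], key[1], key[4], key[5], " ".join(flags), path[-1]))
```

Run against the real syslog, the script lists only packets that vanished mid-path, which is the handful worth looking at in a trace of hundreds of connections. A packet whose last TRACE line is mangle:OUTPUT never entered filter:OUTPUT, so no filter rule dropped it; the one thing that sits between those two in the kernel is the mangle table's own re-route after a mark or address change, which drops the packet if the route lookup fails, so it is worth checking with the policy-routing rules whether a packet carrying that mark still has a usable route.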