11 Replies Latest reply on Feb 18, 2013 2:32 AM by asabban

    Connect: Would block (EPOLLOUT, EPOLLONESHOT, EPOLLERR)

      There is an application we are trying in our environment. It seems that its URLs need authentication and are unable to do so; I am attaching the detailed logs for the same. Corresponding access logs are as follows:

       

      407 "CONNECT https://sip.reuters.net HTTP/1.1" "" "-" "" 0 "" "" "0"

       

      All I can guess is that this URL is demanding authentication and not getting any. Any ideas, how this could be circumvented?

      Options already tried:

      1. Disabling SSL server (added the hostname to SSL bypass list)

      2. Adding the hostnames to ICAP bypass list. (Don't send this data to ICAP server for vetting)

       

      My proxy setup is explicit, it receives requests at port 8080 and treats port 443 as SSL; additionally, HTTPS traffic from no other port than 443 is entertained.

       

      Regards,

      Ankit

        • 1. Re: Connect: Would block (EPOLLOUT, EPOLLONESHOT, EPOLLERR)
          asabban

          Hi Ankit,

           

          the traces do not look so bad. You can see CONNECT requests being made and authentication is sent. The first request sends the NTLM handshake, then MWG answers with a 407 requesting the client to continue the handshake, a new request is sent with all necessary data, and the connection is sent to the server and some data is coming back.

           

          From what I can tell authentication looks pretty good.

           

          Can you share some information about the issues that you are seeing? Is the log file filled up with the log line you mentioned above? Do you have problems using the application?

           

          Thanks,

          Andre

          • 2. Re: Connect: Would block (EPOLLOUT, EPOLLONESHOT, EPOLLERR)

            The mentioned log line was reported 4 to 5 times concurrently in the log report, indicating continuous Authentication request by the website. The application I am trying to access is sip.reuters.net:443; it's a kind of corporate chat application running on session initiation protocol; as of now we are unable to connect to the reuters server through this application.

             

            Regards,

            Ankit

            • 3. Re: Connect: Would block (EPOLLOUT, EPOLLONESHOT, EPOLLERR)

              Additionally I am unable to comprehend the message in packet trace:

              14:32:19.644: Connect: Would block (EPOLLOUT, EPOLLONESHOT, EPOLLERR) 124.153.70.50:80

              14:32:19.675: Connection is still ok

              14:32:19.675: Connection is still ok

              14:32:19.675: Connection is still ok

              • 4. Re: Connect: Would block (EPOLLOUT, EPOLLONESHOT, EPOLLERR)
                asabban

                Hi Ankit,

                 

                the traces actually contain some information that may be confusing. Especially the "Would block" does not mean that this connection is blocked by MWG. It is an internal status information that is usually only relevant for engineering. If MWG blocks something you will see an error template being returned in the C trace. Also the "Connection is still ok" is information that is not really necessary for basic troubleshooting.

                 

                Do you think there is a chance to provide a packet capture and some screenshots of the application when issues occur? Probably it makes sense to provide this information also to support since they may have better ways to troubleshoot why the connection fails.

                 

                Best,

                Andre

                • 5. Re: Connect: Would block (EPOLLOUT, EPOLLONESHOT, EPOLLERR)

                  Hi Andre,

                   

                  Another website is giving us a similar issue; I am attaching the screenshot and packet trace for this website (http://goibibo.ibibo.com/)

                  authentication error.jpg

                  You can use the filename of the tcpdump as query. Hope it helps; if any more data is required, please let me know.

                   

                  Regards,

                  Ankit

                  • 6. Re: Connect: Would block (EPOLLOUT, EPOLLONESHOT, EPOLLERR)
                    asabban

                    Hi Ankit,

                     

                    sorry for the late reply. I looked into the dump but I cannot see anything unusual here. The requests to the embedded (and missing) objects are authenticated as expected:

                     

                    1.) GET Request from Client

                    2.) 407 from MWG requesting authentication

                    3.) GET Request from Client with NTLMSSP_NEGOTIATE message

                    4.) 407 from MWG with NTLMSSP_CHALLENGE message

                    5.) GET Request from Client with NTLMSSP_AUTH message

                     

                    Actually step 6 may be your problem:

                     

                    6.) 403 from MWG because the embedded objects are categorized as Content Server, Social Networking.

                     

                    I believe one of those categories is blocked, which causes the page to look like shown in your screenshot.

                     

                    I hope this helps.

                    Best,

                    Andre

                    • 7. Re: Connect: Would block (EPOLLOUT, EPOLLONESHOT, EPOLLERR)

                      Got it, there were components in the parent site that were getting blocked because they were getting categorized in Professional networking; once recategorized, the application is getting connected to the server. I get that authentication was not the issue here. However, should authentication of each and every URL be a concern from a responsiveness perspective? Currently my user base is small, so responsiveness is good; as the number of users increases, will authentication pose any bottleneck?

                       

                      Regards,

                      Ankit

                      • 8. Re: Connect: Would block (EPOLLOUT, EPOLLONESHOT, EPOLLERR)
                        asabban

                        Hi Ankit,

                         

                        hard to say. Basically I can say that authentication is not a big deal. We have really really large deployments, and they do authentication as well. Compared to AV or similar, authentication is a minor task.

                         

                        You should notice that not each URL is being authenticated. Basically when you access a web site which has let's say 300 objects (like a big newspaper site or similar), your browser will open up to 10 parallel TCP sessions to the proxy. For each TCP session, the very first request is authenticated. All other requests which are sent to MWG within the same TCP session are not authenticated again. So if the browser opens 10 sessions and downloads the 300 objects without closing a session in between, you would perform the complete authentication process 10 times (not 300 times).

                         

                        Basically it is not possible to predict how many sessions a browser opens, whether it re-uses existing sessions or creates new ones, etc. This is up to the browser to decide, but it works well with all browsers I have seen so far.

                         

                        Best,

                        Andre
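
Added example, not part of the thread and not MWG code: a small trace reader that separates the 407s belonging to the NTLM handshake described in replies 6 and 8 from the status the proxy returns after authentication, per TCP session. The trace tuple layout, the function names and the sample tokens are assumptions constructed for illustration; only the `NTLMSSP\0` signature followed by a little-endian message type is taken from the NTLM message format.

```python
import base64
import struct

NTLM_TYPES = {1: "NTLMSSP_NEGOTIATE", 2: "NTLMSSP_CHALLENGE", 3: "NTLMSSP_AUTH"}

def ntlm_message_type(header_value):
    """Name of the NTLM message in a Proxy-Authenticate/Proxy-Authorization value, else None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None  # a bare "NTLM" is only the proxy's initial offer
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return NTLM_TYPES.get(struct.unpack_from("<I", raw, 8)[0])

def sample_token(msg_type):
    # Constructed: signature and type field only, not a complete NTLM message.
    body = b"NTLMSSP\x00" + struct.pack("<I", msg_type) + b"\x00" * 4
    return "NTLM " + base64.b64encode(body).decode()

# Constructed trace: (tcp_session, sender, request line or status, auth header value)
TRACE = [
    (1, "client", "GET /a.png", ""), (1, "proxy", "407", "NTLM"),
    (1, "client", "GET /a.png", sample_token(1)), (1, "proxy", "407", sample_token(2)),
    (1, "client", "GET /a.png", sample_token(3)), (1, "proxy", "403", ""),
    (1, "client", "GET /b.png", ""), (1, "proxy", "200", ""),
    (2, "client", "GET /c.png", ""), (2, "proxy", "407", "NTLM"),
    (2, "client", "GET /c.png", sample_token(1)), (2, "proxy", "407", sample_token(2)),
]

def summarize(trace):
    """Per TCP session: handshake steps seen, 407s that belong to the handshake,
    and every proxy status returned once NTLMSSP_AUTH has been sent."""
    sessions = {}
    for conn, sender, line, auth in trace:
        s = sessions.setdefault(conn, {"steps": [], "handshake_407": 0, "after_auth": []})
        step = ntlm_message_type(auth)
        if step:
            s["steps"].append(step)
        authenticated = "NTLMSSP_AUTH" in s["steps"]
        if sender == "proxy" and line == "407" and not authenticated:
            s["handshake_407"] += 1  # expected challenge, not a failure
        elif sender == "proxy" and authenticated:
            s["after_auth"].append(line)  # the real verdict: 200, 403 block, or a 407 rejection
    for s in sessions.values():
        s["complete"] = s["steps"] == list(NTLM_TYPES.values())
    return sessions
```

In the constructed trace, session 1 shows two handshake 407s followed by a 403 and then an unauthenticated-looking 200 on the same session, which matches the pattern from the thread: the 407s are routine and the 403 is the policy decision.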

                        • 9. Re: Connect: Would block (EPOLLOUT, EPOLLONESHOT, EPOLLERR)

                          Hey, I am not getting a solution. I want a solution to this problem. Please provide me some more solutions.

                           

                          sip telephone service
