Here's a TCP dump I'm trying to debug. Maybe someone can help.

Setup is transparent proxy: Squid 2.5 / OpenSuse 10.1 / WCCPv1 / Cisco Router 3620 (full configs below)

Symptom is that the client's browser times out when trying to reach web sites when wccp web-cache is enabled on the router. (Configuring the browser manually to use the cache works fine.)

172.16.1.45 = client browsing the web
172.16.1.254 = cisco router with WCCP, redirecting port 80 traffic to squid cache
172.16.1.171 = squid box (aka squid.beachbooks.org)

Looks like packets are getting from the client to the squid cache, but when the squid cache tries to respond, it can't reach the client?

11:34:00.555517 IP squid.beachbooks.org > 172.16.1.45: ICMP time exceeded in-transit, length 56

I can ping from the squid box to the client no problem...

TCPDump Trace:

11:34:00.551577 IP 172.16.1.45.itm-mccs > p7.www.scd.yahoo.com.http: S 4138401172:4138401172(0) win 16384 <mss 1460,nop,nop,sackOK>
11:34:00.552040 IP 172.16.1.254 > squid.beachbooks.org: GREv0, length 52: gre-proto-0x883e
11:34:00.552053 IP 172.16.1.45.itm-mccs > p7.www.scd.yahoo.com.http: S 4138401172:4138401172(0) win 16384 <mss 1460,nop,nop,sackOK>
11:34:00.552508 IP 172.16.1.254 > squid.beachbooks.org: GREv0, length 52: gre-proto-0x883e
11:34:00.552518 IP 172.16.1.45.itm-mccs > p7.www.scd.yahoo.com.http: S 4138401172:4138401172(0) win 16384 <mss 1460,nop,nop,sackOK>
11:34:00.552981 IP 172.16.1.254 > squid.beachbooks.org: GREv0, length 52: gre-proto-0x883e
11:34:00.552993 IP 172.16.1.45.itm-mccs > p7.www.scd.yahoo.com.http: S 4138401172:4138401172(0) win 16384 <mss 1460,nop,nop,sackOK>
11:34:00.553451 IP 172.16.1.254 > squid.beachbooks.org: GREv0, length 52: gre-proto-0x883e
11:34:00.553463 IP 172.16.1.45.itm-mccs > p7.www.scd.yahoo.com.http: S 4138401172:4138401172(0) win 16384 <mss 1460,nop,nop,sackOK>
11:34:00.553996 IP 172.16.1.254 > squid.beachbooks.org: GREv0, length 52: gre-proto-0x883e
11:34:00.554008 IP 172.16.1.45.itm-mccs > p7.www.scd.yahoo.com.http: S 4138401172:4138401172(0) win 16384 <mss 1460,nop,nop,sackOK>
11:34:00.554542 IP 172.16.1.254 > squid.beachbooks.org: GREv0, length 52: gre-proto-0x883e
11:34:00.554553 IP 172.16.1.45.itm-mccs > p7.www.scd.yahoo.com.http: S 4138401172:4138401172(0) win 16384 <mss 1460,nop,nop,sackOK>
11:34:00.555013 IP 172.16.1.254 > squid.beachbooks.org: GREv0, length 52: gre-proto-0x883e
11:34:00.555024 IP 172.16.1.45.itm-mccs > p7.www.scd.yahoo.com.http: S 4138401172:4138401172(0) win 16384 <mss 1460,nop,nop,sackOK>
11:34:00.555483 IP 172.16.1.254 > squid.beachbooks.org: GREv0, length 52: gre-proto-0x883e
11:34:00.555517 IP squid.beachbooks.org > 172.16.1.45: ICMP time exceeded in-transit, length 56
11:34:04.386134 IP squid.beachbooks.org.dls-monitor > 172.16.1.254.dls-monitor: UDP, length 52
11:34:04.389891 IP 172.16.1.254.dls-monitor > squid.beachbooks.org.dls-monitor: UDP, length 64

Here's my config info. Perhaps someone wiser could point me in a direction to try?

--------------------------------------

OpenSuse 10.1 x86 (Kernel 2.6.16) (installed from downloaded CDs, no kernel customization)
Cisco 3620 with IOS Version 12.2(15)T17
Squid squid-2.5.STABLE14 built from source with '--enable-linux-netfilter'

Instructions I'm following:
====
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy
(I've actually been using several sources, but the link above seems pretty definitive.)

Relevant IPs:
====
172.16.1.254 (the internal router port, where both squid and the clients reside)
172.16.50.254 (router port that points to the outside world)
172.16.1.171 (squid host, has only a single interface)

squid.conf (relevant stuff):
====
http_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
wccp_router 172.16.1.254

Linux config stuff
====
echo `1` > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
ip tunnel add wccp0 mode gre remote 172.16.1.254 local 172.16.1.171 dev eth0
ip addr add 172.16.1.171/24 dev wccp0
ip link set wccp0 up

Cisco router stuff
====
config t
ip wccp version 1
ip wccp web-cache redirect-list 150
access-list 150 permit tcp host 172.16.1.45 any
access-list 150 deny tcp any any

config t
int eth1/2 (the 172.16.50.254 interface)
ip wccp web-cache redirect-list 150

(I want to get squid working on a test workstation, before I point everyone to it)

Wade Guidry, MCSE, Network+
Systems Manager, Coastal Resource Sharing Network
503.801.2073
wade@xxxxxxxxxxxxxx
http://crsn.beachbooks.org
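
An added example, not part of the original post: a Python summary of a tcpdump text trace like the one above. It counts copies of the same SYN and the WCCP GRE packets, and reports which host sent the ICMP time exceeded. One SYN repeated at sub-millisecond spacing and then answered with time exceeded is consistent with the redirected packet being forwarded again and again until its TTL runs out. The function names and thresholds are assumptions; the sample lines are an excerpt of the posted trace.

```python
import re
from collections import defaultdict

# Excerpt of the trace in the post (middle iterations omitted).
TRACE = """\
11:34:00.551577 IP 172.16.1.45.itm-mccs > p7.www.scd.yahoo.com.http: S 4138401172:4138401172(0) win 16384 <mss 1460,nop,nop,sackOK>
11:34:00.552040 IP 172.16.1.254 > squid.beachbooks.org: GREv0, length 52: gre-proto-0x883e
11:34:00.552053 IP 172.16.1.45.itm-mccs > p7.www.scd.yahoo.com.http: S 4138401172:4138401172(0) win 16384 <mss 1460,nop,nop,sackOK>
11:34:00.552508 IP 172.16.1.254 > squid.beachbooks.org: GREv0, length 52: gre-proto-0x883e
11:34:00.552518 IP 172.16.1.45.itm-mccs > p7.www.scd.yahoo.com.http: S 4138401172:4138401172(0) win 16384 <mss 1460,nop,nop,sackOK>
11:34:00.552981 IP 172.16.1.254 > squid.beachbooks.org: GREv0, length 52: gre-proto-0x883e
11:34:00.555024 IP 172.16.1.45.itm-mccs > p7.www.scd.yahoo.com.http: S 4138401172:4138401172(0) win 16384 <mss 1460,nop,nop,sackOK>
11:34:00.555483 IP 172.16.1.254 > squid.beachbooks.org: GREv0, length 52: gre-proto-0x883e
11:34:00.555517 IP squid.beachbooks.org > 172.16.1.45: ICMP time exceeded in-transit, length 56
"""

SYN = re.compile(r"^(\S+) IP (\S+) > (\S+): S (\d+):\d+\(0\)")
GRE = re.compile(r"^\S+ IP \S+ > \S+: GREv0, length \d+: gre-proto-0x883e")
TTL = re.compile(r"^\S+ IP (\S+) > (\S+): ICMP time exceeded in-transit")

def seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def analyze(trace, min_copies=3, max_gap=0.1):
    """Flag a SYN seen repeatedly in quick succession whose sender then gets 'time exceeded'."""
    syns, gre, expired = defaultdict(list), 0, []
    for line in trace.splitlines():
        if m := SYN.match(line):
            syns[m.group(2, 3, 4)].append(seconds(m.group(1)))
        elif GRE.match(line):
            gre += 1          # 0x883e is the WCCP GRE protocol type
        elif m := TTL.match(line):
            expired.append(m.group(1, 2))   # (reporting host, host it was sent to)
    loops = []
    for (src, dst, seq), t in syns.items():
        client = src.rsplit(".", 1)[0]      # drop the port/service suffix
        reporters = [r for r, target in expired if target == client]
        # TCP retransmits are spaced by seconds; copies of a looping packet by far less.
        fast = all(b - a < max_gap for a, b in zip(t, t[1:]))
        if len(t) >= min_copies and fast and reporters:
            loops.append({"client": client, "seq": int(seq), "copies": len(t),
                          "span_ms": round((t[-1] - t[0]) * 1000, 3),
                          "ttl_expired_at": reporters[0]})
    return {"wccp_gre_packets": gre, "loops": loops}

if __name__ == "__main__":
    print(analyze(TRACE))
```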