Here is the pertinent info...
Cheers,
/Jason
=====<begin cisco section>=====
ip wccp web-cache redirect-list WCCP-USERS group-list WCCP-PROXIES

ip access-list standard WCCP-PROXIES
 permit 192.168.40.32 0.0.0.15
ip access-list standard WCCP-USERS
 permit 10.160.100.10
 permit 10.160.100.8
 permit 10.160.104.10
 permit 10.160.100.38

proxy vlan interface:
interface Vlan2005
 ip address 192.168.40.33 255.255.255.240
 no ip route-cache cef
 no ip mroute-cache

incoming interface for everybody:
 ip wccp web-cache redirect in

interface Loopback0
 ip address 172.20.1.72 255.255.255.255
RPCO1C6K1#sh ip wccp web-cache detail
WCCP Cache-Engine information:
Web Cache ID: 192.168.40.37
Protocol Version: 2.0
State: Usable
Redirection: GRE
Packet Return: GRE
Assignment: HASH
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 256 (100.00%)
Packets Redirected: 5
Connect Time: 00:07:11
RPCO1C6K1#sh ip wccp
Global WCCP information:
Router information:
Router Identifier: 172.20.1.72
Protocol Version: 2.0
Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 46
Redirect access-list: WCCP-USERS
Total Packets Denied Redirect: 0
Total Packets Unassigned: 30
Group access-list: WCCP-PROXIES
Total Messages Denied to Group: 0
Total Authentication failures: 0
=====<end of cisco section>=====
=====<begin of squid wccp stuff>=====
http_port 192.168.40.37:8080 transparent
tcp_outgoing_address 192.168.40.37
cache_effective_user squid
visible_hostname spco1pxyA-1
wccp2_router 192.168.40.33
wccp2_rebuild_wait on
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service standard 0
wccp2_weight 256
wccp2_address 192.168.40.37
coredump_dir /var/squid/cache-prod1
=====<end of squid wccp stuff>=====
iptables -t nat -L:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:http to:192.168.40.37:8080
ip tunnel show | grep gre1:
gre1: gre/ip remote 172.20.1.72 local 192.168.40.37 dev eth2 ttl inherit
=====<begin forwarding and anti-spoofing section>=====
[root@localhost etc]# sysctl -a | egrep -w "forwarding|rp_filter"
net.ipv4.conf.gre1.rp_filter = 0
net.ipv4.conf.gre1.forwarding = 1
net.ipv4.conf.eth2.rp_filter = 0
net.ipv4.conf.eth2.forwarding = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.forwarding = 1
=====<end forwarding and anti-spoofing section>=====
Adrian Chadd wrote:
> On Mon, Dec 04, 2006, Jason Taylor wrote:
>> However, a tcpdump on the GRE interface of the squid shows only the
>> first packet (SYN).
>> A tcpdump on the eth2 (where squid is listening) shows the SYN-ACK
>> packet being sent back to the workstation.
>
> What's the wccp config on the router look like?
> What's the wccp config on the squid(s) look like?
> What's the redirection config (iptables) look like? And hm, have
> you disabled anti-spoof checks on the Linux box (rp_filter)?
>
> adrian
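
Added example, not part of the original message: a Python check that parses the sysctl output quoted above and reports the effective rp_filter per interface, since the kernel applies the maximum of conf.all and the per-interface value. The function names and the allowed set (only gre1 expected to run without reverse-path filtering) are assumptions made for illustration.

```python
import re

# Constructed input: the sysctl lines as pasted in the message above.
SYSCTL_OUTPUT = """\
net.ipv4.conf.gre1.rp_filter = 0
net.ipv4.conf.gre1.forwarding = 1
net.ipv4.conf.eth2.rp_filter = 0
net.ipv4.conf.eth2.forwarding = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.forwarding = 1
"""

LINE = re.compile(r"^net\.ipv4\.conf\.([^.\s]+)\.(\w+)\s*=\s*(\d+)\s*$")


def parse_conf(text):
    """Return {iface: {key: int}} from 'net.ipv4.conf.<iface>.<key> = <n>' lines."""
    conf = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            iface, key, val = m.groups()
            conf.setdefault(iface, {})[key] = int(val)
    return conf


def effective_rp_filter(conf):
    """Per interface, source validation uses max(conf.all, conf.<iface>)."""
    all_val = conf.get("all", {}).get("rp_filter", 0)
    return {iface: max(all_val, keys["rp_filter"])
            for iface, keys in conf.items()
            if iface not in ("all", "default") and "rp_filter" in keys}


def unexpected_unfiltered(conf, allowed):
    """Interfaces with rp_filter effectively off that are not in 'allowed'."""
    eff = effective_rp_filter(conf)
    return sorted(i for i, v in eff.items() if v == 0 and i not in allowed)


if __name__ == "__main__":
    conf = parse_conf(SYSCTL_OUTPUT)
    print("effective rp_filter:", effective_rp_filter(conf))
    # Assumption: only the WCCP GRE tunnel needs anti-spoofing relaxed.
    print("review:", unexpected_unfiltered(conf, allowed={"gre1"}))
```

Because of the max rule, a per-interface value of 0 only takes effect when conf.all is also 0, which is why the check computes the effective value rather than reading the per-interface key alone.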