Hello again,
A little bit more info on this problem...
The setup:
The squid:
- Squid 2.6 STABLE5-20061204
- RedHat Enterprise Linux v4 update 3
- IP/mask/gw: 192.168.40.37/255.255.255.240/192.168.40.33
- ip tunnel add gre1 mode gre \
remote 192.168.40.33 local 192.168.40.37 \
dev eth2 nopmtudisc
- iptables -t nat -A PREROUTING -i gre1 \
-d ! 10.160.100.0/24 -p tcp --dport 80 \
-j DNAT --to-destination 192.168.40.37:8080
The intercept router:
- Cisco 6509
- IOS version 12.2.18sxf
- loopback IP: 172.20.1.72
- WCCP IP (IP facing squid): 192.168.40.33 (default gateway for squid)
The workstation:
- OpenBSD using lynx browser.
- IP/mask/gw: 10.160.100.8/255.255.255.0/10.160.100.1
The network between the workstation and the Internet is as follows.
Hooray for ascii art!
+---------------+
| Workstation |
| 10.160.100.8 |
+-------+-------+
|
+-------+-------+
| 10.160.100.1 |
| Cisco 3745 |
| v12.3.21 |
|192.168.251.19 |
+-------+-------+
|
+-------+-------+ +------------+
| 192.168.251.1 | | Internet |
| Cisco 6509 +---+ Firewall +==> To Internet
| v12.2.18 sxf | | NAT is here|
| 192.168.40.33 | +------------+
+-------+-------+
|
+-------+-------+
| 192.168.40.37 |
| Squid Proxy |
+---------------+
Squid.conf settings:
wccp2_router 192.168.40.33
wccp2_address 192.168.40.37
wccp2_service standard 0
We tried doing the wccp intercept on the cisco 3745 in the above setup
and it works beautifully.
We would prefer to do the intercept on the 6509 since all of our branch
offices are connected to this router, as well as its brother in the
second datacentre.
The pertinent cisco 6509 config section has already been sent to the
list yesterday evening.
With the 6509 as the intercept-point, we see the following:
- the squid properly registers itself as a cache-engine with the router
- we see udp:2048 traffic every 10 seconds from each to the other.
- The GRE tunnel is set up properly using the command "ip tunnel"
command above.
- I am running "tcpdump" on both the GRE and the ethernet of the squid
- I am running "tcpdump" on the workstation as well.
- when I attempt to browse, I see the "SYN" packet on the GRE interface
- I see the squid send the SYN-ACK back out the ethernet and I see it
arrive on the workstation.
- I then see the workstation send the ACK and a PSH (the http request)
but these packets don't make it to the squid by the GRE or ethernet.
- since the squid never receives the ACK, it retransmits the SYN-ACK
I have not yet tried sniffing at the intervening router nor on the
192.168.251.1 interface of the c6509 but I am about to do that now.
Do you think there is an IOS problem on the 6509 versus the 3745?
If you would like any more information, please do not hesitate to ask.
Cheers,
/Jason
