I'm pretty sure WCCPv2 is only supported on the same interface as the clients. You'd have to run multiple interfaces w/ multiple instances.

Adrian

On Thu, Dec 06, 2007, Jason Gauthier wrote:
> All,
>
> I tried to be concise with the subject ;) Let me get started. I'm having a problem, and need some advice. I will try and lay this out: I'm using squid (STABLE16), some dansguardian, and an ASA. I'm using two systems for proxy. One is NTLM based, the other is transparent.
>
> My specific issue here is the transparent side. Basically, squid is connecting to my Cisco ASA (GRE tunnel) and registering with the WCCP engine. It takes the request, passes it to dansguardian, which then passes it to another instance of squid. I know this isn't ideal, but it was necessary (I don't want to get into the hows or whys - trust me that it works great for what it's doing). The instance of squid that does the WCCP connection does no logging and no caching. It's simply to grab the transparent connections so they can be processed by DG, and my other squid.
>
> Here is how I am setting up the GRE tunnel and iptables to capture the packets.
>
> ip tunnel add wccp mode gre remote 192.168.79.1 local 192.168.79.2 dev eth3
> /sbin/ip addr add 192.168.79.2 dev wccp
> /sbin/ip link set wccp up
>
> iptables -F -t nat
> iptables -t nat -A PREROUTING -i wccp -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.79.2:3129
>
> (my IP is 79.2, and the ASA is 79.1, 3129 is my squid running on the local system - no cache or log)
> Very basic stuff, right out of the squid wiki (which is great).
>
> My ASA is configured to capture 4 interfaces, with some access-lists: (omitted the IP access lists for size)
>
> wccp web-cache redirect-list wccp
> wccp interface inside web-cache redirect in
> wccp interface vpndmz web-cache redirect in
> wccp interface wireless web-cache redirect in
> wccp interface wirelessdmz web-cache redirect in
>
> With this configuration as is, my transparent proxy is working exactly how I wanted.
> Then, the trouble began. I've noticed HTTPS-based traffic times out, but only from some of the interfaces.
> From the 'vpndmz', I can log into gmail. But from 'wireless' it simply times out after a while.
> This happens with many many HTTPS-based web pages.
>
> I ran a tcpdump and you can see that nothing is happening:
>
> 20:45:06.878518 IP 192.168.78.45.3654 > od-in-f99.google.com.https: . ack 4656 win 65535
> 20:45:06.878528 IP 192.168.78.45.3654 > od-in-f99.google.com.https: . ack 4656 win 65535
> 20:45:10.544927 IP 192.168.78.45.3648 > an-in-f18.google.com.www: . 1912:3372(1460) ack 1748 win 65535
> 20:45:10.544933 IP 192.168.78.45.3648 > an-in-f18.google.com.www: . 1912:3372(1460) ack 1748 win 65535
> 20:45:25.743229 IP 192.168.78.45.3648 > an-in-f18.google.com.www: . 1912:3372(1460) ack 1748 win 65535
> 20:45:25.743650 IP 192.168.78.45.3648 > an-in-f18.google.com.www: . 1912:3372(1460) ack 1748 win 65535
> 20:45:56.124193 IP 192.168.78.45.3648 > an-in-f18.google.com.www: . 1912:3372(1460) ack 1748 win 65535
> 20:45:56.124200 IP 192.168.78.45.3648 > an-in-f18.google.com.www: . 1912:3372(1460) ack 1748 win 65535
> 20:46:34.314300 IP od-in-f99.google.com.www > 192.168.78.45.3647: F 7657:7657(0) ack 1046 win 7896
> 20:46:34.314307 IP od-in-f99.google.com.www > 192.168.78.45.3647: F 7657:7657(0) ack 1046 win 7896
> 20:46:34.314310 IP 192.168.78.45.3647 > od-in-f99.google.com.www: . ack 7658 win 65535
> 20:46:34.314313 IP 192.168.78.45.3647 > od-in-f99.google.com.www: . ack 7658 win 65535
> 20:46:56.934605 IP 192.168.78.45.3654 > od-in-f99.google.com.https: R 3596:3596(0) ack 4656 win 0
> 20:46:56.934612 IP 192.168.78.45.3654 > od-in-f99.google.com.https: R 3596:3596(0) ack 4656 win 0
> 20:46:56.936370 IP 192.168.78.45.3655 > an-in-f18.google.com.www: . 2788953795:2788955255(1460) ack 256288053 win 65535
> 20:46:56.936654 IP 192.168.78.45.3655 > an-in-f18.google.com.www: . 0:1460(1460) ack 1 win 65535
> 20:46:56.936659 IP 192.168.78.45.3655 > an-in-f18.google.com.www: P 1460:1544(84) ack 1 win 65535
> 20:46:56.936662 IP 192.168.78.45.3655 > an-in-f18.google.com.www: P 1460:1544(84) ack 1 win 65535
> 20:46:59.993789 IP 192.168.78.45.3655 > an-in-f18.google.com.www: . 0:1460(1460) ack 1 win 65535
> 20:46:59.994012 IP 192.168.78.45.3655 > an-in-f18.google.com.www: . 0:1460(1460) ack 1 win 65535
> 20:47:18.256077 IP 192.168.78.45.3655 > an-in-f18.google.com.www: . 0:1460(1460) ack 1 win 65535
> 20:47:18.256084 IP 192.168.78.45.3655 > an-in-f18.google.com.www: . 0:1460(1460) ack 1 win
>
> HTTPS traffic should not be in question here. It shouldn't be extracted from the stack by iptables. All in all, it shouldn't be happening, but it is.
> Thanks for reading this lengthy text. Your advice is welcome.
>
> Jason

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
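The PREROUTING rule quoted above DNATs only TCP port 80 arriving on the wccp interface, so anything else the ASA pushes down the GRE tunnel is left alone by that rule. A quick first check, before touching the redirect-list or the per-interface question raised in the reply, is to classify what tcpdump actually sees on the tunnel interface by destination port and by client subnet. The script below is an added example written for this page, not code from the thread, from Squid or from Cisco; its sample capture is constructed (the 192.168.80.0/24 clients and the 64.233.167.x addresses are made up), the service-name table covers only the names tcpdump prints for 80/443, and grouping clients by /24 is an assumption to adjust to the real addressing.

```python
"""Classify packets seen on the WCCP GRE tunnel by destination port.

Added example (not from the original thread). Reads ``tcpdump -i wccp``
text, with or without ``-n``, and separates packets the quoted
``--dport 80`` DNAT rule would send to squid from packets it ignores.
"""
import ipaddress
import re
import socket
import sys
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src sport dst dport flags")

# IPv4 tcpdump line: "<ts> IP <src>.<sport> > <dst>.<dport>: <flags> ..."
TCPDUMP_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+)")

# Service names tcpdump prints without -n; anything else goes via /etc/services.
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443}

# Ports the quoted iptables rule redirects to squid (``--dport 80`` only).
REDIRECTED_PORTS = frozenset({80})

# Constructed sample capture (not from the original post): assumes the ASA is
# sending both 80 and 443 for 192.168.80.0/24 clients down the tunnel.
SAMPLE_CAPTURE = """\
20:45:06.878518 IP 192.168.78.45.3654 > 64.233.167.99.443: . ack 4656 win 65535
20:45:10.544927 IP 192.168.78.45.3648 > an-in-f18.google.com.www: . 1912:3372(1460) ack 1748 win 65535
20:45:11.001000 IP 192.168.80.12.51000 > 64.233.167.18.80: S 1:1(0) win 65535 <mss 1460>
20:45:12.100000 IP 192.168.80.12.51001 > 64.233.167.99.443: S 1:1(0) win 65535 <mss 1460>
20:45:13.000000 IP 192.168.80.12.51001 > 64.233.167.99.443: P 1:200(199) ack 1 win 65535
20:45:14.000000 IP 192.168.80.30.51002 > od-in-f99.google.com.https: S 1:1(0) win 65535 <mss 1460>
20:45:15.000000 IP 192.168.78.45 > 64.233.167.99: ICMP echo request, id 1, seq 1, length 64
"""


def port_number(token):
    """Turn a tcpdump port token ('3654', 'www', 'https') into an int, or None."""
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    try:
        return socket.getservbyname(token)
    except OSError:
        return None


def split_endpoint(token):
    """Split 'host.port' into (host, port); a bare IP address carries no port."""
    try:
        ipaddress.ip_address(token)
        return token, None
    except ValueError:
        pass
    host, sep, port = token.rpartition(".")
    if not sep:
        return token, None
    return host, port_number(port)


def parse_line(line):
    """Return a Flow for a TCP/UDP line, or None for anything else (ICMP, junk)."""
    m = TCPDUMP_RE.match(line)
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    if sport is None or dport is None:
        return None
    return Flow(src, sport, dst, dport, m["flags"])


def classify(capture, redirected_ports=REDIRECTED_PORTS):
    """Return (redirected, ignored): packet counts per destination port."""
    redirected, ignored = Counter(), Counter()
    for line in capture.splitlines():
        flow = parse_line(line)
        if flow is None:
            continue
        target = redirected if flow.dport in redirected_ports else ignored
        target[flow.dport] += 1
    return redirected, ignored


def ignored_by_subnet(capture, prefixlen=24, redirected_ports=REDIRECTED_PORTS):
    """Count packets the rule ignores, grouped by client subnet.

    The /24 grouping is an assumption so counts line up with per-interface
    ASA subnets; pass the real prefix length if it differs.
    """
    by_net = Counter()
    for line in capture.splitlines():
        flow = parse_line(line)
        if flow is None or flow.dport in redirected_ports:
            continue
        try:
            net = ipaddress.ip_network(f"{flow.src}/{prefixlen}", strict=False)
        except ValueError:
            continue  # resolved hostname as source; cannot place it in a subnet
        by_net[str(net)] += 1
    return by_net


def report(capture):
    redirected, ignored = classify(capture)
    print("sent to squid by the DNAT rule (port: packets):", dict(redirected))
    print("arrived on the tunnel but ignored by the rule:", dict(ignored))
    for net, n in ignored_by_subnet(capture).most_common():
        print(f"  {net}: {n} packet(s) not redirected")


if __name__ == "__main__":
    # "python3 wccp_ports.py -" reads a live "tcpdump -n -i wccp" from stdin.
    report(sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_CAPTURE)
```

Run it against a capture taken on the wccp interface (not eth3, where you would only see the GRE encapsulation). Anything listed under "ignored" reached the squid box over the tunnel but falls outside the quoted DNAT rule, so the ASA redirect-list is matching more than port 80 for that client subnet; that is worth settling before debugging squid itself.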