Hello All,

I have run into some problems with two websites not being able to load when squid is configured with wccp2.

I have followed the example by Adrian Chadd, and the wiki:
http://wiki.squid-cache.org/ConfigExamples/FreeBsdAndWccp2?highlight=%28%5EConfigExamples/%5B%5E/%5D%2A%24%29
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy

Everything is working great until we open up http://mail.google.com and http://www.hotmail.com: the websites open up ok, you can enter the login credentials, it goes past the https stage, and just before getting to the emails the page goes quiet and blank. I have tested this on different computers and different browsers but get the same problem.

If I disable squid and let the users browse through NAT on the ASA, they are able to get through to these two sites; also, when I reconfigure squid to be non-transparent and change the settings on my browser to point to the proxy, I am able to open the two sites in question.

I don't see anything unusual in cache.log or access.log.

After googling around for a bit, I came across a site that mentioned lowering the MTU size on the GRE tunnel, which I did to 1400 and 1390, but it had no effect. (ifconfig gre0 mtu 1400)

For hotmail, the intercepting proxy guide mentions putting the following entries in squid.conf, but that did not help:

acl hotmail_domains dstdomain .hotmail.msn.com
header_access Accept-Encoding deny hotmail_domains

I know this is probably a repeated problem, though I hope someone can assist. Do let me know if there are any other details that you might need.

Many thanks, and kind regards,
Miraj Shah.

Here is a quick network diagram:

LAN - ASA - Router - Internet
       |
     Squid

Below is the config I have set up:

asa-firewall# sh run int vlan 10
!
interface Vlan10
 description Internet Interface
 nameif internet
 security-level 0
 ip address xxx.xxx.179.86 255.255.255.252

asa-firewall# sh run interface vlan 40
!
interface Vlan40
 description Inside Interface
 nameif inside
 security-level 100
 ip address 10.110.150.252 255.255.254.0

route internet 0.0.0.0 0.0.0.0 xxx.xxx.179.85 1
access-list inside_nat0_outbound extended permit ip any 10.110.150.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.110.150.0 255.255.254.0
wccp web-cache
wccp interface inside web-cache redirect in

asa-firewall# sh wccp web-cache detail
WCCP Cache-Engine information:
        Web Cache ID:          10.110.150.253
        Protocol Version:      2.0
        State:                 Usable
        Initial Hash Info:     00000000000000000000000000000000
                               00000000000000000000000000000000
        Assigned Hash Info:    00000000000000000000000000000000
                               00000000000000000000000000000000
        Hash Allotment:        0 (0.00%)
        Packets Redirected:    113242
        Connect Time:          00:00:12

asa-firewall# sh wccp web-cache
Global WCCP information:
    Router information:
        Router Identifier:                   xxx.xxx.179.86
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            113242
        Redirect access-list:                -none-
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            241
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

asa-firewall# sh ver

Cisco Adaptive Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)

Compiled on Wed 22-Nov-06 14:16 by builders
System image file is "disk0:/asa722-k8.bin"
Config file at boot was "startup-config"

sarova-firewall up 3 days 3 hours

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Int: Internal-Data0/0    : address is 001b.531b.5bb2, irq 11
 1: Ext: Ethernet0/0         : address is 001b.531b.5baa, irq 255
 2: Ext: Ethernet0/1         : address is 001b.531b.5bab, irq 255
 3: Ext: Ethernet0/2         : address is 001b.531b.5bac, irq 255
 4: Ext: Ethernet0/3         : address is 001b.531b.5bad, irq 255
 5: Ext: Ethernet0/4         : address is 001b.531b.5bae, irq 255
 6: Ext: Ethernet0/5         : address is 001b.531b.5baf, irq 255
 7: Ext: Ethernet0/6         : address is 001b.531b.5bb0, irq 255
 8: Ext: Ethernet0/7         : address is 001b.531b.5bb1, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 20, DMZ Unrestricted
Inside Hosts                : Unlimited
Failover                    : Active/Standby
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
VPN Peers                   : 25
WebVPN Peers                : 2
Dual ISPs                   : Enabled
VLAN Trunk Ports            : 8

This platform has an ASA 5505 Security Plus license.

Serial Number: JMX1111Z0QV
Running Activation Key: 0xffffffff 0xffffffff 0xfffffffff 0xfffffffff 0xfffffffff
Configuration register is 0x1
Configuration last modified by enable_15 at 10:51:03.103 EAT Wed Feb 13 2008


###FreeBSD Setup###

#kernel config (extra)
proxy# cat /usr/src/sys/i386/conf/TransProxy
#---snip---#
options         IPFIREWALL
options         IPFIREWALL_VERBOSE              #enable logging to syslogd(8)
options         IPFIREWALL_FORWARD
options         IPFIREWALL_VERBOSE_LIMIT=500    #limit verbosity
options         IPSTEALTH                       #support for stealth forwarding
options         DUMMYNET
options         NETGRAPH
options         DEVICE_POLLING
options         HZ=1000
options         SHMSEG=128
options         SHMMNI=256
options         SHMMAX=50331648         # max shared memory segment size (bytes)
options         SHMALL=16384            # max amount of shared memory (pages)
options         MSGMNB=16384            # max # of bytes in a queue
options         MSGMNI=48               # number of message queue identifiers
options         MSGSEG=768              # number of message segments
options         MSGSSZ=64               # size of a message segment
options         MSGTQL=4096             # max messages in system
options         IPFIREWALL_DEFAULT_TO_ACCEPT
options         IPDIVERT                # if you intend to use NAT
device          apic                    # I/O APIC
device          gre
#---snip---#

proxy# cat /etc/rc.conf
gateway_enable="YES"
hostname="proxy.customer.co.ke"
ifconfig_bge0="inet 10.110.150.253 netmask 255.255.254.0"
defaultrouter="10.110.150.252"
keymap="uk.iso"
linux_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
firewall_enable="YES"
firewall_type="/etc/firewall.local"
squid_enable="YES"
ipfilter_enable="YES"
ipnat_enable="YES"
ipmon_enable="YES"
ipfs_enable="YES"

proxy# cat /etc/rc.local
#tunnel to cisco asa for transparent proxy
/sbin/ifconfig gre0 plumb
/sbin/ifconfig gre0 link2
/sbin/ifconfig gre0 tunnel 10.110.150.253 xxx.xxx.179.86
/sbin/ifconfig gre0 inet 1.1.1.1 1.1.1.2

proxy# ifconfig gre0
gre0: flags=d051<UP,POINTOPOINT,RUNNING,LINK0,LINK2,MULTICAST> mtu 1476
        tunnel inet 10.110.150.253 --> xxx.xxx.179.86
        inet 1.1.1.1 --> 1.1.1.2 netmask 0xff000000

proxy# cat /etc/firewall.local
add fwd 127.0.0.1,3128 tcp from any to any 80 recv gre0

proxy# ipfw show
00100   21909    3567762 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 recv gre0
65535  836384  314106493 allow ip from any to any

proxy# cat /etc/sysctl.conf
net.inet.icmp.icmplim=0
net.inet.tcp.msl=3000
kern.maxfilesperproc=65536
kern.maxfiles=262144
kern.ipc.maxsockets=131072
kern.ipc.somaxconn=1024
net.inet.tcp.recvspace=16384
net.inet.tcp.sendspace=16384
kern.ipc.nmbclusters=32768
net.inet.ip.forwarding=1

proxy# cat /usr/local/etc/squid/squid.conf
#---snip---#
http_port 127.0.0.1:3128 transparent
always_direct allow all
wccp2_router 10.110.150.252
wccp2_rebuild_wait on
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service standard 0
wccp2_weight 10000
wccp2_address 0.0.0.0
debug_options ALL,1
visible_hostname proxy.customer.co.ke
#---snip---#

#---snip---#
#ACL's
acl my_network src 10.110.150.0/23
http_access allow my_network
http_access deny all
#---snip---#

proxy# cat /usr/local/squid/logs/cache.log
2008/02/13 10:42:01| Starting Squid Cache version 2.6.STABLE18 for i386-portbld-freebsd6.3...
2008/02/13 10:42:01| Process ID 6721
2008/02/13 10:42:01| With 32768 file descriptors available
2008/02/13 10:42:01| Using kqueue for the IO loop
2008/02/13 10:42:01| DNS Socket created at 0.0.0.0, port 63552, FD 6
2008/02/13 10:42:01| Adding domain sarova.co.ke from /etc/resolv.conf
2008/02/13 10:42:01| Adding nameserver xxx.xxx.161.2 from /etc/resolv.conf
2008/02/13 10:42:01| Adding nameserver xxx.xxx.161.3 from /etc/resolv.conf
2008/02/13 10:42:01| Adding nameserver 10.110.120.11 from /etc/resolv.conf
2008/02/13 10:42:01| Adding nameserver 10.110.120.6 from /etc/resolv.conf
2008/02/13 10:42:01| Unlinkd pipe opened on FD 11
2008/02/13 10:42:01| Swap maxSize 262144 KB, estimated 20164 objects
2008/02/13 10:42:01| Target number of buckets: 1008
2008/02/13 10:42:01| Using 8192 Store buckets
2008/02/13 10:42:01| Max Mem  size: 131072 KB
2008/02/13 10:42:01| Max Swap size: 262144 KB
2008/02/13 10:42:01| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2008/02/13 10:42:01| Rebuilding storage in /usr/local/squid/cache (CLEAN)
2008/02/13 10:42:01| Using Least Load store dir selection
2008/02/13 10:42:01| Set Current Directory to /usr/local/squid/cache
2008/02/13 10:42:01| Loaded Icons.
2008/02/13 10:42:02| Accepting transparently proxied HTTP connections at 127.0.0.1, port 3128, FD 13.
2008/02/13 10:42:02| Accepting proxy HTTP connections at 10.110.150.253, port 3128, FD 14.
2008/02/13 10:42:02| Accepting ICP messages at 0.0.0.0, port 3130, FD 15.
2008/02/13 10:42:02| Accepting WCCPv2 messages on port 2048, FD 16.
2008/02/13 10:42:02| Initialising all WCCPv2 lists
2008/02/13 10:42:02| Ready to serve requests.
2008/02/13 10:42:02| Configuring Parent proxy.iconnect.co.ke/3128/7
2008/02/13 10:42:02| Store rebuilding is 18.6% complete
2008/02/13 10:42:02| Done reading /usr/local/squid/cache swaplog (21963 entries)
2008/02/13 10:42:02| Finished rebuilding storage from disk.
2008/02/13 10:42:02|     21963 Entries scanned
2008/02/13 10:42:02|         0 Invalid entries.
2008/02/13 10:42:02|         0 With invalid flags.
2008/02/13 10:42:02|     21963 Objects loaded.
2008/02/13 10:42:02|         0 Objects expired.
2008/02/13 10:42:02|         0 Objects cancelled.
2008/02/13 10:42:02|         0 Duplicate URLs purged.
2008/02/13 10:42:02|         0 Swapfile clashes avoided.
2008/02/13 10:42:02|   Took 0.5 seconds (46011.6 objects/sec).
2008/02/13 10:42:02| Beginning Validation Procedure
2008/02/13 10:42:02|   Completed Validation Procedure
2008/02/13 10:42:02|   Validated 21963 Entries
2008/02/13 10:42:02|   store_swap_size = 235922k
2008/02/13 10:42:02| storeLateRelease: released 0 objects
2008/02/13 11:11:41| Preparing for shutdown after 2555 requests
2008/02/13 11:11:41| Waiting 30 seconds for active connections to finish
2008/02/13 11:11:41| FD 13 Closing HTTP connection
2008/02/13 11:11:41| FD 14 Closing HTTP connection
2008/02/13 11:11:41| FD 16 Closing WCCP socket
2008/02/13 11:12:12| Shutting down...
2008/02/13 11:12:12| FD 15 Closing ICP connection
2008/02/13 11:12:12| WARNING: Closing client 10.110.150.67 connection due to lifetime timeout
2008/02/13 11:12:12| http://david.marketplace.org/uploadfast.asp?PID=5B4C12BD001E6400
2008/02/13 11:12:12| WARNING: Closing client 10.110.150.67 connection due to lifetime timeout
2008/02/13 11:12:12| http://david.marketplace.org/uploadfast.asp?PID=5B47DF2D001E63FF
2008/02/13 11:12:12| WARNING: Closing client 10.110.150.67 connection due to lifetime timeout
2008/02/13 11:12:12| http://david.marketplace.org/uploadfast.asp?PID=5B4C12BD001E6400
2008/02/13 11:12:12| WARNING: Closing client 10.110.150.67 connection due to lifetime timeout
2008/02/13 11:12:12| http://david.marketplace.org/uploadfast.asp?PID=5B47DF2D001E63FF
2008/02/13 11:12:12| WARNING: Closing client 10.110.150.55 connection due to lifetime timeout
2008/02/13 11:12:12| http://b.mail.google.com/mail/channel/bind?at=tfpl7aa80y0xw75xevv9065zwg9408&ui=1&RID=rpc&SID=3DAE21FF8E7AAB22&CI=0&AID=60&TYPE=html&zx=6216rrq6uixn&DOMAIN=mail.google.com&t=1
2008/02/13 11:12:12| WARNING: Closing client 10.110.120.30 connection due to lifetime timeout
2008/02/13 11:12:12| http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx
2008/02/13 11:12:12| WARNING: Closing client 10.110.120.145 connection due to lifetime timeout
2008/02/13 11:12:12| http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx
2008/02/13 11:12:12| Closing unlinkd pipe on FD 11
2008/02/13 11:12:12| storeDirWriteCleanLogs: Starting...
2008/02/13 11:12:12|   Finished.  Wrote 22081 entries.
2008/02/13 11:12:12|   Took 0.0 seconds (3743176.8 entries/sec).
CPU Usage: 2.019 seconds = 1.140 user + 0.878 sys
Maximum Resident Size: 21292 KB
Page faults with physical i/o: 0
2008/02/13 11:12:12| Squid Cache (Version 2.6.STABLE18): Exiting normally.
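As an added triage helper (not part of the original post, and not Squid's own tooling): the cache.log above ends with a run of "lifetime timeout" warnings, each followed on the next line by the request URL. This script pairs those two-line entries and tallies them per client and per destination host, so that a long-lived request such as the Gmail /mail/channel/bind URL can be separated from ordinary page loads when reading the log. The sample lines are constructed from the excerpt in the post.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Squid 2.6 cache.log lines start with "YYYY/MM/DD HH:MM:SS| ".
_TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\| "
WARN_RE = re.compile(_TS + r"WARNING: Closing client (\S+) connection due to lifetime timeout$")
URL_RE = re.compile(_TS + r"(https?://\S+)$")

def pair_timeouts(lines):
    """Yield (client_ip, url) for each lifetime-timeout WARNING that is
    immediately followed by the URL line Squid logs for that request."""
    pending = None
    for line in lines:
        m = WARN_RE.match(line.rstrip())
        if m:
            pending = m.group(1)
            continue
        m = URL_RE.match(line.rstrip())
        if m and pending is not None:
            yield pending, m.group(1)
        pending = None  # any other line breaks the WARNING/URL pair

def summarize(lines):
    """Return (Counter by client IP, Counter by destination host)."""
    by_client, by_host = Counter(), Counter()
    for ip, url in pair_timeouts(lines):
        by_client[ip] += 1
        by_host[urlsplit(url).hostname] += 1
    return by_client, by_host

# Constructed sample: lifetime-timeout entries copied from the post's
# cache.log excerpt, plus one unrelated line to exercise the pairing logic.
SAMPLE = """\
2008/02/13 11:12:12| WARNING: Closing client 10.110.150.67 connection due to lifetime timeout
2008/02/13 11:12:12| http://david.marketplace.org/uploadfast.asp?PID=5B4C12BD001E6400
2008/02/13 11:12:12| WARNING: Closing client 10.110.150.67 connection due to lifetime timeout
2008/02/13 11:12:12| http://david.marketplace.org/uploadfast.asp?PID=5B47DF2D001E63FF
2008/02/13 11:12:12| WARNING: Closing client 10.110.150.55 connection due to lifetime timeout
2008/02/13 11:12:12| http://b.mail.google.com/mail/channel/bind?at=tfpl7aa80y0xw75xevv9065zwg9408&ui=1&RID=rpc&SID=3DAE21FF8E7AAB22&CI=0&AID=60&TYPE=html&zx=6216rrq6uixn&DOMAIN=mail.google.com&t=1
2008/02/13 11:12:12| WARNING: Closing client 10.110.120.30 connection due to lifetime timeout
2008/02/13 11:12:12| http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx
2008/02/13 11:12:12| WARNING: Closing client 10.110.120.145 connection due to lifetime timeout
2008/02/13 11:12:12| http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx
2008/02/13 11:12:12| Closing unlinkd pipe on FD 11
""".splitlines()

if __name__ == "__main__":
    for host, n in summarize(SAMPLE)[1].most_common():
        print(f"{n:3d}  {host}")
```

Run it against a full cache.log with `summarize(open("/usr/local/squid/logs/cache.log"))` to see which destinations dominate the timeouts.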