I required the following to allow Hotmail and Gmail: acl Hotmail dstdomain .hotmail.com .hotmail.msn.com .login.live.com .mail.live.com .passport.com calendar.msn.com g.live.com acl Gmail dstdomain .gmail.com mail.google.com ssl.google-analytics.com acl GmailUrlRegExp url_regex -i .google.com/accounts .google.ca/accounts These were used in combination with a couple other lines to allow Gmail without allowing Google, and allowing Hotmail without allowing MSN or Microsoft sites. Davan Wong World Health Club Information Technology Department > -----Original Message----- > From: Miraj Shah [mailto:Miraj.Shah@xxxxxxxx] > Sent: February 13, 2008 11:38 PM > To: squid-users@xxxxxxxxxxxxxxx > Subject: WCCP2 + Cisco ASA + FreeBSD 6.3, gmail > and hotmail not working > > Hello All, > > I have run into some problems with a the two websites not > able to load when squid is configured with wccp2. I have > followed the example by Adrian Chadd, and the wiki: > > http://wiki.squid-cache.org/ConfigExamples/FreeBsdAndWccp2?hig > hlight=%28%5EConfigExamples/%5B%5E/%5D%2A%24%29 > > http://wiki.squid-cache.org/SquidFaq/InterceptionProxy > > > Everything is working great until when we open up > http://mail.google.com and http://www.hotmail.com, the > websites open up ok, and you can enter the login credentials, > goes pass the https stage and just before getting to the > emails. The page goes quiet, and blank. Have tested this on > different computers and different browsers but get the same problem. > > If I disable the squid, and let the users browse thru NAT on > the ASA, they are able to get thru to these two sites, also > when I reconfigure the squid to be non-transparent and change > the settings on my browser to point to the proxy, am able to > open the two sites in question. > > I don't see anything unusual in cache.log or access.log > > After googleing around for a bit, I came across a site that > mentioned lowering the MTU size on the GRE tunnel, which I > did to 1400 and 1390 but had no effect. (ifconfig gre0 mtu 1400) > > For hotmail, the intercepting proxy guide mentions to put the > following entries on squid.conf, but that did not help: > > acl hotmail_domains dstdomain .hotmail.msn.com header_access > Accept-Encoding deny hotmail_domains > > I know this is probably a repeated problem, though I hope > someone can assist. Do let me know if there are any other > details that you might need. > > Many thanks, and kind regards, > > Miraj Shah. > > > > > here is a quick network diagram; > > LAN - ASA - Router - Internet > | > Squid > > below is the config i have set up: > > > asa-firewall# sh run int vlan 10 > ! > interface Vlan10 > description Internet Interface > nameif internet > security-level 0 > ip address xxx.xxx.179.86 255.255.255.252 > > asa-firewall# sh run interface vlan 40 > ! > interface Vlan40 > description Inside Interface > nameif inside > security-level 100 > ip address 10.110.150.252 255.255.254.0 > > route internet 0.0.0.0 0.0.0.0 xxx.xxx.179.85 1 access-list > inside_nat0_outbound extended permit ip any 10.110.150.0 > 255.255.0.0 nat (inside) 0 access-list inside_nat0_outbound > nat (inside) 1 10.110.150.0 255.255.254.0 wccp web-cache wccp > interface inside web-cache redirect in > > asa-firewall# sh wccp web-cache detail > WCCP Cache-Engine information: > Web Cache ID: 10.110.150.253 > Protocol Version: 2.0 > State: Usable > Initial Hash Info: 00000000000000000000000000000000 > 00000000000000000000000000000000 > Assigned Hash Info: 00000000000000000000000000000000 > 00000000000000000000000000000000 > Hash Allotment: 0 (0.00%) > Packets Redirected: 113242 > Connect Time: 00:00:12 > > asa-firewall# sh wccp web-cache > Global WCCP information: > Router information: > Router Identifier: xxx.xxx.179.86 > Protocol Version: 2.0 > Service Identifier: web-cache > Number of Cache Engines: 1 > Number of routers: 1 > Total Packets Redirected: 113242 > Redirect access-list: -none- > Total Connections Denied Redirect: 0 > Total Packets Unassigned: 241 > Group access-list: -none- > Total Messages Denied to Group: 0 > Total Authentication failures: 0 > Total Bypassed Packets Received: 0 > > > asa-firewall# sh ver > > Cisco Adaptive Security Appliance Software Version 7.2(2) > Device Manager Version 5.2(2) > > Compiled on Wed 22-Nov-06 14:16 by builders System image file > is "disk0:/asa722-k8.bin" > Config file at boot was "startup-config" > > sarova-firewall up 3 days 3 hours > > Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz Internal > ATA Compact Flash, 128MB BIOS Flash M50FW080 @ 0xffe00000, 1024KB > > Encryption hardware device : Cisco ASA-5505 on-board > accelerator (revision 0x0) > Boot microcode : > CNlite-MC-Boot-Cisco-1.2 > SSL/IKE microcode: > CNlite-MC-IPSEC-Admin-3.03 > IPSec microcode : > CNlite-MC-IPSECm-MAIN-2.04 > 0: Int: Internal-Data0/0 : address is 001b.531b.5bb2, irq 11 > 1: Ext: Ethernet0/0 : address is 001b.531b.5baa, irq 255 > 2: Ext: Ethernet0/1 : address is 001b.531b.5bab, irq 255 > 3: Ext: Ethernet0/2 : address is 001b.531b.5bac, irq 255 > 4: Ext: Ethernet0/3 : address is 001b.531b.5bad, irq 255 > 5: Ext: Ethernet0/4 : address is 001b.531b.5bae, irq 255 > 6: Ext: Ethernet0/5 : address is 001b.531b.5baf, irq 255 > 7: Ext: Ethernet0/6 : address is 001b.531b.5bb0, irq 255 > 8: Ext: Ethernet0/7 : address is 001b.531b.5bb1, irq 255 > 9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255 > 10: Int: Not used : irq 255 > 11: Int: Not used : irq 255 > > Licensed features for this platform: > Maximum Physical Interfaces : 8 > VLANs : 20, DMZ Unrestricted Inside > Hosts : Unlimited Failover > : Active/Standby VPN-DES : Enabled > VPN-3DES-AES : Enabled VPN Peers > : 25 WebVPN Peers : 2 Dual ISPs > : Enabled VLAN Trunk Ports : 8 > > This platform has an ASA 5505 Security Plus license. > > Serial Number: JMX1111Z0QV > Running Activation Key: 0xffffffff 0xffffffff 0xfffffffff > 0xfffffffff 0xfffffffff Configuration register is 0x1 > Configuration last modified by enable_15 at 10:51:03.103 EAT > Wed Feb 13 2008 > > > ###FreeBSD Setup### > > #kernel config (extra) > proxy# cat /usr/src/sys/i386/conf/TransProxy #---snip---# > options IPFIREWALL options IPFIREWALL_VERBOSE #enable logging > to syslogd(8) options IPFIREWALL_FORWARD options > IPFIREWALL_VERBOSE_LIMIT=500 #limit verbosity options > IPSTEALTH #support for stealth forwarding options DUMMYNET > options NETGRAPH options DEVICE_POLLING options HZ=1000 > options SHMSEG=128 options SHMMNI=256 options SHMMAX=50331648 > # max shared memory segment size (bytes) options SHMALL=16384 > # max amount of shared memory (pages) options MSGMNB=16384 # > max # of bytes in a queue options MSGMNI=48 # number of > message queue identifiers options MSGSEG=768 # number of > message segments options MSGSSZ=64 # size of a message > segment options MSGTQL=4096 # max messages in system options > IPFIREWALL_DEFAULT_TO_ACCEPT options IPDIVERT # if you intend > to use NAT device apic # I/O APIC > device gre #---snip---# > > proxy# cat /etc/rc.conf > gateway_enable="YES" > hostname="proxy.customer.co.ke" > ifconfig_bge0="inet 10.110.150.253 netmask 255.255.254.0" > defaultrouter="10.110.150.252" > keymap="uk.iso" > linux_enable="YES" > sshd_enable="YES" > usbd_enable="YES" > firewall_enable="YES" > firewall_type="/etc/firewall.local" > squid_enable="YES" > ipfilter_enable="YES" > ipnat_enable="YES" > ipmon_enable="YES" > ipfs_enable="YES" > > proxy# cat /etc/rc.local > #tunnel to cisco asa for transparent proxy /sbin/ifconfig > gre0 plumb /sbin/ifconfig gre0 link2 /sbin/ifconfig gre0 > tunnel 10.110.150.253 xxx.xxx.179.86 /sbin/ifconfig gre0 inet > 1.1.1.1 1.1.1.2 > > proxy# ifconfig gre0 > gre0: > flags=d051<UP,POINTOPOINT,RUNNING,LINK0,LINK2,MULTICAST> mtu 1476 > tunnel inet 10.110.150.253 --> xxx.xxx.179.86 > inet 1.1.1.1 --> 1.1.1.2 netmask 0xff000000 > > proxy# cat /etc/firewall.local > add fwd 127.0.0.1,3128 tcp from any to any 80 recv gre0 > > proxy# ipfw show > 00100 21909 3567762 fwd 127.0.0.1,3128 tcp from any to any > dst-port 80 recv gre0 > 65535 836384 314106493 allow ip from any to any > > proxy# cat /etc/sysctl.conf > net.inet.icmp.icmplim=0 > net.inet.tcp.msl=3000 > kern.maxfilesperproc=65536 > kern.maxfiles=262144 > kern.ipc.maxsockets=131072 > kern.ipc.somaxconn=1024 > net.inet.tcp.recvspace=16384 > net.inet.tcp.sendspace=16384 > kern.ipc.nmbclusters=32768 > net.inet.ip.forwarding=1 > > proxy# cat /usr/local/etc/squid/squid.conf #---snip---# > http_port 127.0.0.1:3128 transparent always_direct allow all > wccp2_router 10.110.150.252 wccp2_rebuild_wait on > wccp2_forwarding_method 1 wccp2_return_method 1 > wccp2_assignment_method 1 wccp2_service standard 0 > wccp2_weight 10000 wccp2_address 0.0.0.0 debug_options ALL,1 > visible_hostname proxy.customer.co.ke #---snip---# > #---snip---# #ACL's acl my_network src 10.110.150.0/23 > http_access allow my_network http_access deny all #---snip---# > > proxy# cat /usr/local/squid/logs/cache.log > 2008/02/13 10:42:01| Starting Squid Cache version > 2.6.STABLE18 for i386-portbld-freebsd6.3... > 2008/02/13 10:42:01| Process ID 6721 > 2008/02/13 10:42:01| With 32768 file descriptors available > 2008/02/13 10:42:01| Using kqueue for the IO loop > 2008/02/13 10:42:01| DNS Socket created at 0.0.0.0, port 63552, FD 6 > 2008/02/13 10:42:01| Adding domain sarova.co.ke from /etc/resolv.conf > 2008/02/13 10:42:01| Adding nameserver xxx.xxx.161.2 from > /etc/resolv.conf > 2008/02/13 10:42:01| Adding nameserver xxx.xxx.161.3 from > /etc/resolv.conf > 2008/02/13 10:42:01| Adding nameserver 10.110.120.11 from > /etc/resolv.conf > 2008/02/13 10:42:01| Adding nameserver 10.110.120.6 from > /etc/resolv.conf > 2008/02/13 10:42:01| Unlinkd pipe opened on FD 11 > 2008/02/13 10:42:01| Swap maxSize 262144 KB, estimated 20164 objects > 2008/02/13 10:42:01| Target number of buckets: 1008 > 2008/02/13 10:42:01| Using 8192 Store buckets > 2008/02/13 10:42:01| Max Mem size: 131072 KB > 2008/02/13 10:42:01| Max Swap size: 262144 KB > 2008/02/13 10:42:01| Local cache digest enabled; > rebuild/rewrite every 3600/3600 sec > 2008/02/13 10:42:01| Rebuilding storage in > /usr/local/squid/cache (CLEAN) > 2008/02/13 10:42:01| Using Least Load store dir selection > 2008/02/13 10:42:01| Set Current Directory to /usr/local/squid/cache > 2008/02/13 10:42:01| Loaded Icons. > 2008/02/13 10:42:02| Accepting transparently proxied HTTP > connections at 127.0.0.1, port 3128, FD 13. > 2008/02/13 10:42:02| Accepting proxy HTTP connections at > 10.110.150.253, port 3128, FD 14. > 2008/02/13 10:42:02| Accepting ICP messages at 0.0.0.0, port > 3130, FD 15. > 2008/02/13 10:42:02| Accepting WCCPv2 messages on port 2048, FD 16. > 2008/02/13 10:42:02| Initialising all WCCPv2 lists > 2008/02/13 10:42:02| Ready to serve requests. > 2008/02/13 10:42:02| Configuring Parent proxy.iconnect.co.ke/3128/7 > 2008/02/13 10:42:02| Store rebuilding is 18.6% complete > 2008/02/13 10:42:02| Done reading /usr/local/squid/cache > swaplog (21963 entries) > 2008/02/13 10:42:02| Finished rebuilding storage from disk. > 2008/02/13 10:42:02| 21963 Entries scanned > 2008/02/13 10:42:02| 0 Invalid entries. > 2008/02/13 10:42:02| 0 With invalid flags. > 2008/02/13 10:42:02| 21963 Objects loaded. > 2008/02/13 10:42:02| 0 Objects expired. > 2008/02/13 10:42:02| 0 Objects cancelled. > 2008/02/13 10:42:02| 0 Duplicate URLs purged. > 2008/02/13 10:42:02| 0 Swapfile clashes avoided. > 2008/02/13 10:42:02| Took 0.5 seconds (46011.6 objects/sec). > 2008/02/13 10:42:02| Beginning Validation Procedure > 2008/02/13 10:42:02| Completed Validation Procedure > 2008/02/13 10:42:02| Validated 21963 Entries > 2008/02/13 10:42:02| store_swap_size = 235922k > 2008/02/13 10:42:02| storeLateRelease: released 0 objects > 2008/02/13 11:11:41| Preparing for shutdown after 2555 requests > 2008/02/13 11:11:41| Waiting 30 seconds for active > connections to finish > 2008/02/13 11:11:41| FD 13 Closing HTTP connection > 2008/02/13 11:11:41| FD 14 Closing HTTP connection > 2008/02/13 11:11:41| FD 16 Closing WCCP socket > 2008/02/13 11:12:12| Shutting down... > 2008/02/13 11:12:12| FD 15 Closing ICP connection > 2008/02/13 11:12:12| WARNING: Closing client 10.110.150.67 > connection due to lifetime timeout > 2008/02/13 11:12:12| > http://david.marketplace.org/uploadfast.asp?PID=5B4C12BD001E6400 > 2008/02/13 11:12:12| WARNING: Closing client 10.110.150.67 > connection due to lifetime timeout > 2008/02/13 11:12:12| > http://david.marketplace.org/uploadfast.asp?PID=5B47DF2D001E63FF > 2008/02/13 11:12:12| WARNING: Closing client 10.110.150.67 > connection due to lifetime timeout > 2008/02/13 11:12:12| > http://david.marketplace.org/uploadfast.asp?PID=5B4C12BD001E6400 > 2008/02/13 11:12:12| WARNING: Closing client 10.110.150.67 > connection due to lifetime timeout > 2008/02/13 11:12:12| > http://david.marketplace.org/uploadfast.asp?PID=5B47DF2D001E63FF > 2008/02/13 11:12:12| WARNING: Closing client 10.110.150.55 > connection due to lifetime timeout > 2008/02/13 11:12:12| > http://b.mail.google.com/mail/channel/bind?at=tfpl7aa80y0xw75x > evv9065zwg9408&ui=1&RID=rpc&SID=3DAE21FF8E7AAB22&CI=0&AID=60&T > YPE=html&zx=6216rrq6uixn&DOMAIN=mail.google.com&t=1 > 2008/02/13 11:12:12| WARNING: Closing client 10.110.120.30 > connection due to lifetime timeout > 2008/02/13 11:12:12| > http://stats.update.microsoft.com/ReportingWebService/Reportin > gWebService.asmx > 2008/02/13 11:12:12| WARNING: Closing client 10.110.120.145 > connection due to lifetime timeout > 2008/02/13 11:12:12| > http://stats.update.microsoft.com/ReportingWebService/Reportin > gWebService.asmx > 2008/02/13 11:12:12| Closing unlinkd pipe on FD 11 > 2008/02/13 11:12:12| storeDirWriteCleanLogs: Starting... > 2008/02/13 11:12:12| Finished. Wrote 22081 entries. > 2008/02/13 11:12:12| Took 0.0 seconds (3743176.8 entries/sec). > CPU Usage: 2.019 seconds = 1.140 user + 0.878 sys Maximum > Resident Size: 21292 KB Page faults with physical i/o: 0 > 2008/02/13 11:12:12| Squid Cache (Version 2.6.STABLE18): > Exiting normally. > Please note: This email and its content are subject to the > disclaimer as displayed at the following link > http://www.is.co.za/legal/E-mail+Confidentiality+Notice+and+Di > sclaimer.htm. Should you not have Web access, send a mail to > disclaimers@xxxxxxxx and a copy will be emailed to you.