G'day,

* Yes you still need iptables to redirect packets going to arbitrary destinations into Squid running on a port.
* Traffic will only flow over the GRE tunnel one way - from the router to the cache.

On Thu, Feb 21, 2008, Ritter, Nicholas wrote:
> I am trying to set up an HTTP-only WCCP v2 redirection via Cisco 2811
> router to a Linux-based Squid 2.6 box. The problem is that there is no
> content showing up in the squid access log, and web connections are slow
> and often time out. I have done some research on the net and checked some
> things that were noted by people's posts, but I am still a bit stumped.
> The router shows WCCP status as good in that the router and the cache
> server see each other, and there appears to be redirection occurring
> because 'sh ip wccp' on the router shows it, and a tcpdump session on
> the web cache server sees it. The router and the web cache appliance are
> layer 2 adjacent to each other, and on the same ip subnet, but the cache
> server is connected via a Cisco EtherSwitch module installed in the 2811
> router, and the clients being redirected to the cache server are hanging
> off a different ip subnet and different layer 2 segment.
>
> I also notice that the wccp2 GRE tunnel I set up on the Linux box shows
> traffic in only one direction. I suspect that at least part of my
> problem is that I have set up the GRE tunnel wrong. I also read that WCCP
> functionality is buggy in various Cisco IOS versions, I have tried to
> figure out if the IOS version I am using is a buggy one. I attempted to
> use the same IOS version as is in use on a Cisco WAAS 2811 router, which
> is 12.4(9) but the closest I could get to that was 12.4(10c). 12.4(15)T3
> exhibited the same problems.
>
> I have provided information below on my setup, can someone please
> provide me with some information that can help to figure out what I am
> doing wrong?
>
>
> ROUTER INFO
> ------------------------------------------------------------------------
> -------------------
> Router: Cisco 2811 running c2800nm-advsecurityk9-mz.124-10c
> WCCP version: 2
>
> #sh ip wccp
> Global WCCP information:
>     Router information:
>         Router Identifier: <IIP censored>
>         Protocol Version: 2.0
>
>     Service Identifier: web-cache
>         Number of Service Group Clients: 1
>         Number of Service Group Routers: 1
>         Total Packets s/w Redirected: 4285
>           Process: 0
>           Fast: 0
>           CEF: 4285
>         Redirect access-list: -none-
>         Total Packets Denied Redirect: 0
>         Total Packets Unassigned: 0
>         Group access-list: -none-
>         Total Messages Denied to Group: 0
>         Total Authentication failures: 0
>         Total Bypassed Packets Received: 0
>
> Other router configure directives:
>
> Clients using cache server on FastEthernet 0/0.1
> Squid server is directly connected to FastEthernet 0/2/0
>
> WCCP router config directives:
> ip wccp web-cache
> ip wccp web-cache version 2
> interface fastethernet0/0.1
> ip wccp web-cache redirect in
>
>
> SQUID INFO
> ------------------------------------------------------------------------
> -------------------
> Squid platform: CentOS 5.1 on x86_64
> Squid version: CentOS bundled RPM which is squid-2.6.STABLE6-5.el5_1.2
>
> Squid is set for transparent mode and to listen on port 80 and port
> 3128. The host based firewall is disabled, because I don't need redirect
> to 3128 from 80. (Could this be a problem, do I need iptables mangling
> of some sort?)
>
> squid.conf directives:
> http_port 80 transparent
> http_port 3128 transparent
> wccp2_router <router IP as noted in Cisco sh ip wccp router identifier>
> wccp2_rebuild_wait on
> wccp2_forwarding_method 1
> wccp2_return_method 1
> wccp2_assignment_method 1
> wccp2_service standard 0
>
>
> CENTOS Linux OS INFO
> ------------------------------------------------------------------------
> -------------------
> CentOS 5.1 x86_64 on Intel Core 2 Duo
> Kernel is custom compiled, version 2.6.23
>
> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
> /bin/echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
> /bin/echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
> /sbin/modprobe ip_gre
> /sbin/ip tunnel add wccp2 mode gre remote <ip of Cisco router identifier as listed in the sh ip wccp command> local <same ip as eth0> dev eth0
> /sbin/ifconfig wccp2 <same ip as eth0> netmask 255.255.255.255 up
>
>
> ifconfig output from CentOS box:
>
> eth0      Link encap:Ethernet HWaddr 00:30:1B:44:7F:11
>           inet addr:<IP censored> Bcast:<info censored> Mask:255.255.240.0
>           UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>           RX packets:38474 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:38245 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:6402032 (6.1 MiB) TX bytes:5488603 (5.2 MiB)
>           Interrupt:19
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1 Mask:255.0.0.0
>           UP LOOPBACK RUNNING MTU:16436 Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>
> wccp2     Link encap:UNSPEC HWaddr 0A-0C-20-3C-00-00-00-00-00-00-00-00-00-00-00-00
>           inet addr:<same ip as eth0> P-t-P:<same ip as eth0> Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MTU:1476 Metric:1
>           RX packets:36330 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:4511404 (4.3 MiB) TX bytes:0 (0.0 b)
>

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
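
The first point of the reply, as an added example that is not part of the original thread: a shell helper that reads a squid.conf, confirms the chosen port is declared `transparent`, and prints the iptables NAT rule that hands port-80 traffic arriving on the GRE interface to Squid. The interface name `wccp2` and the squid.conf lines come from the quoted post; the function names and the choice of port 3128 are assumptions.

```shell
#!/bin/sh
# Added example: build the iptables rule that delivers WCCP-redirected
# HTTP traffic to Squid. Function names are hypothetical.

# Read squid.conf on stdin and print each port that has the
# "transparent" option on its http_port line (handles "ip:port" too).
transparent_ports() {
    awk '$1 == "http_port" {
             for (i = 3; i <= NF; i++)
                 if ($i == "transparent") {
                     n = split($2, a, ":"); print a[n]; break
                 }
         }'
}

# Usage: wccp_redirect_rule <gre-interface> <squid-port> < squid.conf
# Prints the rule; returns 1 if <squid-port> is not a transparent port,
# since Squid 2.6 only handles intercepted requests on such ports.
wccp_redirect_rule() {
    gre_if=$1
    port=$2
    if ! transparent_ports | grep -qx "$port"; then
        echo "port $port is not declared 'transparent' in squid.conf" >&2
        return 1
    fi
    # Packets decapsulated from the router's GRE tunnel still carry the
    # origin server's address; REDIRECT rewrites them to the local port.
    echo "iptables -t nat -A PREROUTING -i $gre_if -p tcp --dport 80 -j REDIRECT --to-ports $port"
}

# Constructed sample: the squid.conf directives quoted in the post.
SAMPLE_CONF='http_port 80 transparent
http_port 3128 transparent
wccp2_forwarding_method 1
wccp2_return_method 1'

# Print the rule for review; run the printed command as root to apply it.
printf '%s\n' "$SAMPLE_CONF" | wccp_redirect_rule wccp2 3128
```
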