> Hi, > > I have transparent SQUID proxy with L2/L3 switch redirecting HTTP > traffic to proxy through GRE tunnel. Yesterday, I've noticed that SQUID > box is sending strange packets (TCP RST) to destination web server in > order to terminate connection. The problem is because these packets have > source address from client address space (A.B.169.0/24). Since I'm not > using TPROXY mechanism I would not expect any packet originating from > squid box with source address from client range. > > I was doing packet capture on physical interface and GRE tunnel > interface. I captured these strange packets on physical interface and in > the same time in GRE tunnel also. > > Packet list from physical interface: > > root@XXX:~# tcpdump -e -n 'tcp[13] & 4 != 0' and src net A.B.169.0/24 > 22:07:30.963599 00:16:3e:62:64:81 > 00:00:0c:07:ac:0d, ethertype IPv4 > (0x0800), length 54: A.B.169.230.27676 > 209.62.81.20.80: R > 573941767:573941767(0) ack 2693938203 win 0 > 22:07:30.965285 00:16:3e:62:64:81 > 00:00:0c:07:ac:0d, ethertype IPv4 > (0x0800), length 54: A.B.169.230.27692 > 209.62.81.20.80: R > 3935555301:3935555301(0) ack 2690274274 win 0 > > SQUID BOX HW adress: 00:16:3e:62:64:81 > HSRP address in VLAN: 00:00:0c:07:ac:0d > > And same packets in tunnel: > > 22:07:30.963583 IP A.B.169.230.27676 > 209.62.81.20.80: R 0:0(0) ack 1 > win 0When I see those strange packet on physical interface, > 22:07:30.965279 IP A.B.169.230.27692 > 209.62.81.20.80: R 0:0(0) ack 1 > win 0 6 > > It look like these packets are just copied and send to destination web > server with original source address. I tried to replicate problem in > control environment but with no luck. > > Can anyone give me reason or explanation for this behavior? > > Thanks in advance, Dalibor > What release of Squid? with what configuration? on what OS? and also what WCCP configuration on what switch IOS version? Amos
