
Re: Cisco with WCCP!! newbie here..


 




Roland,

I have the same issue. I am using a Cisco 2800, IOS version 12.4(13b).

But it works in transparent mode perfectly. If we go Tproxy, it's not working. Any IOS bug?

I am just sharing my problems also.

Thanks
Vk.

-----Original Message-----
From: Roland Roland <R_O_L_A_N_D@xxxxxxxxxxx>
To: Ritter, Nicholas <Nicholas.Ritter@xxxxxxxxxxxxxx>; squid-users@xxxxxxxxxxxxxxx
Sent: Sat, 17 Jan 2009 7:57 am
Subject: Re:  Cisco with WCCP!! newbie here..









hello :)

I've taken a break from working live on squid and started reading more about it
to see what I'm getting myself into..

I managed to get the router and squid to see each other and troubleshoot the
GRE tunnel..

sh ip wccp shows hits.. but when I check the access.log and cache.log of
squid I  see nothing..

any idea what might be causing this?

here's the output of router debug:



6 17:10:14.012: WCCP-PKT:D90: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 00000020

6 17:10:14.012: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 00000021

6 17:10:14.016: WCCP-PKT:D80: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 00000020

6 17:10:14.016: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 00000021

6 17:10:31.504: WCCP-PKT:D90: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 00000021

6 17:10:31.504: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 00000022

6 17:10:31.508: WCCP-PKT:D80: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 00000021

6 17:10:31.508: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 00000022

6 17:10:48.640: WCCP-PKT:D90: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 00000022

6 17:10:48.640: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 00000023

6 17:10:48.644: WCCP-PKT:D80: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 00000022

6 17:10:48.644: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 00000023

6 17:11:03.656: WCCP-PKT:D90: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 00000023

6 17:11:03.656: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 00000024

6 17:11:03.656: WCCP-PKT:D80: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 00000023

6 17:11:03.656: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 00000024

6 17:11:17.056: WCCP-PKT:D90: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 00000024

6 17:11:17.056: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 00000025

6 17:11:17.060: WCCP-PKT:D80: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 00000024

6 17:11:17.060: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 00000025

6 17:11:28.060: WCCP-PKT:D90: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 00000025

6 17:11:28.060: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 00000026

6 17:11:28.064: WCCP-PKT:D80: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 00000025

6 17:11:28.064: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 00000026

6 17:11:42.904: WCCP-PKT:D90: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 00000026

6 17:11:42.904: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 00000027

6 17:11:42.904: WCCP-PKT:D80: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 00000026

6 17:11:42.904: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 00000027

6 17:11:56.640: WCCP-PKT:D90: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 00000027

6 17:11:56.640: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 00000028

6 17:11:56.644: WCCP-PKT:D80: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 00000027

6 17:11:56.644: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 00000028

6 17:12:11.392: WCCP-PKT:D90: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 00000028

6 17:12:11.392: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 00000029

6 17:12:11.392: WCCP-PKT:D80: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 00000028

6 17:12:11.392: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 00000029

6 17:12:22.960: WCCP-PKT:D90: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 00000029

6 17:12:22.960: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 0000002A

6 17:12:22.968: WCCP-PKT:D80: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 00000029

6 17:12:22.968: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 0000002A




CME-Router#sh ip wccp

Global WCCP information:

  Router information:

      Router Identifier:                   172.16.50.54

      Protocol Version:                    2.0




  Service Identifier: web-cache

      Number of Service Group Clients:     0

      Number of Service Group Routers:     0

      Total Packets s/w Redirected:        0

        Process:                           0

        Fast:                              0

        CEF:                               0

      Redirect access-list:                198

      Total Packets Denied Redirect:       0

      Total Packets Unassigned:            0

      Group access-list:                   -none-

      Total Messages Denied to Group:      0

      Total Authentication failures:       0

      Total Bypassed Packets Received:     0


  Service Identifier: 80

      Number of Service Group Clients:     1

      Number of Service Group Routers:     1

      Total Packets s/w Redirected:        4475

        Process:                           0

        Fast:                              0

        CEF:                               4475

      Redirect access-list:                198

      Total Packets Denied Redirect:       0

      Total Packets Unassigned:            1853

      Group access-list:                   -none-

      Total Messages Denied to Group:      0

      Total Authentication failures:       0

      Total Bypassed Packets Received:     0


  Service Identifier: 90

      Number of Service Group Clients:     1

      Number of Service Group Routers:     1

      Total Packets s/w Redirected:        0

        Process:                           0

        Fast:                              0

        CEF:                               0

      Redirect access-list:                198

      Total Packets Denied Redirect:       0

      Total Packets Unassigned:            1369

      Group access-list:                   -none-
      Total Messages Denied to Group:      0

      Total Authentication failures:       0

      Total Bypassed Packets Received:     0





--------------------------------------------------

From: "Ritter, Nicholas" <Nicholas.Ritter@xxxxxxxxxxxxxx>

Sent: Tuesday, December 23, 2008 8:10 AM

To: "Roland Roland" <R_O_L_A_N_D@xxxxxxxxxxx>

Subject: RE:  Cisco with WCCP!! newbie here..


Sorry for the delay in getting back to you.

Ok....first manually check that squid is working properly. Do this by configuring the proxy server settings of the client browser manually to point to the IP of the squid server and the non-redirected port number of 3128 (if you are using the redirection iptables rules). This will separate WCCP and iptables from squid operation. If the squid access log shows traffic and the web browser is getting pages, switch the port number to port 80 on the web browser setup, this will verify iptables redirection functionality.

If the second test fails, do a "lsmod | grep tproxy" and see if something like "xt_tproxy" shows up, also check the squid access log and see if it is the case that squid sees the client request pages, and squid is fetching them...it is possible that squid sees the request and is fetching but not getting the data back to the client.

Also, check to see if the router is seeing the squid server. Do this by doing a "sh ip wccp" in the router and see if the client/server groups are greater than 0.

Let me know what you see,.....we can coordinate a real-time chat sometime too.



Nick



________________________________



From: Roland Roland [mailto:R_O_L_A_N_D@xxxxxxxxxxx]

Sent: Sun 12/21/2008 3:13 PM

To: Ritter, Nicholas

Subject: Re:  Cisco with WCCP!! newbie here..







Hello :)

I gave up!

wccp isn't working with me...

I've tried everything you asked me to do..

and a few more tutorials from the net..

NOTHING's working!!



help!



--------------------------------------------------

From: "Ritter, Nicholas" <Nicholas.Ritter@xxxxxxxxxxxxxx>

Sent: Tuesday, December 16, 2008 11:27 PM

To: <R_O_L_A_N_D@xxxxxxxxxxx>

Subject: RE:  Cisco with WCCP!! newbie here..



Your squid.conf is missing "cache_dir" statements to tell it where to put HTTP items it is caching. For squid setup you may need to review the docs/wiki or use the information contained in the squid config file.

As for the IPtables issue, I can't help you with that without seeing the error it is spitting out, and seeing the contents of "/etc/sysconfig/iptables".



Did the gre0 interface setup work?



Nick



________________________________



From: R_O_L_A_N_D@xxxxxxxxxxx [mailto:R_O_L_A_N_D@xxxxxxxxxxx]

Sent: Tue 12/16/2008 2:17 PM

To: Ritter, Nicholas

Subject: Re:  Cisco with WCCP!! newbie here..







I really can't begin to thank you for all of the help you provided so far..

but am afraid I have to bother you one more time if possible!

I followed your instructions one by one, but I still am facing probs.. on booting I get a prob in iptables reading line1..

here's my squid.conf:  http://pastebin.com/m401b5e09

and below is the debugging output:







[root@localhost ~]# squid -NCd10

2008/12/16 09:14:19| Starting Squid Cache version 2.6.STABLE6 for i686-redhat-linux-gnu...

2008/12/16 09:14:19| Process ID 5099

2008/12/16 09:14:19| With 1024 file descriptors available

2008/12/16 09:14:19| Using epoll for the IO loop

2008/12/16 09:14:19| Performing DNS Tests...

2008/12/16 09:14:19| Successful DNS name lookup tests...

2008/12/16 09:14:19| DNS Socket created at 0.0.0.0, port 32770, FD 5

2008/12/16 09:14:19| Adding nameserver 198.6.1.5 from /etc/resolv.conf

2008/12/16 09:14:19| Adding nameserver 4.2.2.2 from /etc/resolv.conf

2008/12/16 09:14:19| Adding domain localdomain from /etc/resolv.conf

2008/12/16 09:14:19| User-Agent logging is disabled.

2008/12/16 09:14:19| Referer logging is disabled.

2008/12/16 09:14:19| Unlinkd pipe opened on FD 10

2008/12/16 09:14:19| Swap maxSize 102400 KB, estimated 7876 objects

2008/12/16 09:14:19| Target number of buckets: 393

2008/12/16 09:14:19| Using 8192 Store buckets

2008/12/16 09:14:19| Max Mem  size: 8192 KB

2008/12/16 09:14:19| Max Swap size: 102400 KB


2008/12/16 09:14:19| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec

2008/12/16 09:14:19| Rebuilding storage in /var/spool/squid (CLEAN)

2008/12/16 09:14:19| Using Least Load store dir selection

2008/12/16 09:14:19| Set Current Directory to /var/spool/squid

2008/12/16 09:14:19| Loaded Icons.

2008/12/16 09:14:19| Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 12.

2008/12/16 09:14:19| Accepting ICP messages at 0.0.0.0, port 3130, FD 13.

2008/12/16 09:14:19| WCCP Disabled.

2008/12/16 09:14:19| Accepting WCCPv2 messages on port 2048, FD 14.

2008/12/16 09:14:19| Initialising all WCCPv2 lists

2008/12/16 09:14:19| Ready to serve requests.

2008/12/16 09:14:19| Done reading /var/spool/squid swaplog (0 entries)

2008/12/16 09:14:19| Finished rebuilding storage from disk.

2008/12/16 09:14:19|         0 Entries scanned

2008/12/16 09:14:19|         0 Invalid entries.

2008/12/16 09:14:19|         0 With invalid flags.

2008/12/16 09:14:19|         0 Objects loaded.

2008/12/16 09:14:19|         0 Objects expired.

2008/12/16 09:14:19|         0 Objects cancelled.

2008/12/16 09:14:19|         0 Duplicate URLs purged.

2008/12/16 09:14:19|         0 Swapfile clashes avoided.


2008/12/16 09:14:19|   Took 0.6 seconds (   0.0 objects/sec).

2008/12/16 09:14:19| Beginning Validation Procedure

2008/12/16 09:14:19|   Completed Validation Procedure

2008/12/16 09:14:19|   Validated 0 Entries

2008/12/16 09:14:19|   store_swap_size = 0k

2008/12/16 09:14:20| storeLateRelease: released 0 objects



--------------------------------------------------

From: "Ritter, Nicholas" <Nicholas.Ritter@xxxxxxxxxxxxxx>

Sent: Tuesday, December 16, 2008 5:17 PM

To: "Roland Roland" <R_O_L_A_N_D@xxxxxxxxxxx>

Subject: RE:  Cisco with WCCP!! newbie here..



ok....given what you have presented to me below, your setup should not be working yet. It looks like there are several things that still need to be done.



1) In squid.conf add:



wccp2_router 192.168.0.1

wccp_version 4

wccp2_rebuild_wait on

wccp2_forwarding_method 1

wccp2_return_method 1

wccp2_assignment_method 1

wccp2_service dynamic 80

wccp2_service dynamic 90

wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80

wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80



2) In "/etc/sysconfig/iptables" add:



-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

-A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128



3) issue command: "modprobe ip_gre"

4) issue command: "lsmod | grep gre" and make sure "ip_gre" is returned.

5) ifconfig gre0 192.168.0.7 netmask 255.255.255.0 up

6) issue command: "service iptables condrestart"

7) In your router do the following:



global command: ip wccp web-cache

On the interface which binds 192.168.0.1:



ip wccp 80 redirect in

ip wccp 90 redirect out





8) Issue (on the centos box): service squid restart

9) Wait 2 minutes, then on the router: "sh ip wccp" look for:



Service Identifier: 80

       Number of Service Group Clients:     1

       Number of Service Group Routers:     1



and:



   Service Identifier: 90

       Number of Service Group Clients:     1

       Number of Service Group Routers:     1









________________________________



From: Roland Roland [mailto:R_O_L_A_N_D@xxxxxxxxxxx]

Sent: Mon 12/15/2008 5:34 PM

To: Ritter, Nicholas


Subject: Re:  Cisco with WCCP!! newbie here..







Hi yes I admit, ubuntu has been much easier, but nonetheless I'm starting to enjoy centos! has lots of command line features missing in ubuntu..



anyway here's  what you asked for:



1) Are you using a loopback interface in the router?

No, am not.



2) What is the IP of the centos server, a client machine, and the router.

Centos: 192.168.0.7

Client machine: 192.168.0.2

Router: 192.168.0.1



3) The output of "service iptables status"





[root@localhost squid]# service iptables status

Table: nat

Chain PREROUTING (policy ACCEPT)

num  target     prot opt source               destination



Chain POSTROUTING (policy ACCEPT)

num  target     prot opt source               destination

1    MASQUERADE  all  --  192.168.122.0/24     0.0.0.0/0



Chain OUTPUT (policy ACCEPT)

num  target     prot opt source               destination



Table: filter

Chain INPUT (policy ACCEPT)

num  target     prot opt source               destination

1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53

2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53

3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67

4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67

5    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0



Chain FORWARD (policy ACCEPT)

num  target     prot opt source               destination

1    ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED

2    ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0

3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

6    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0


Chain OUTPUT (policy ACCEPT)

num  target     prot opt source               destination



Chain RH-Firewall-1-INPUT (2 references)

num  target     prot opt source               destination

1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255

3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0

4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0

5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353

6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631

7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631

8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22

10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80

11   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited











4) The output of "lsmod"





Module                  Size  Used by

netloop                10945  0

netbk                  78145  0 [permanent]

blktap                115941  2 [permanent]

blkbk                  22241  0 [permanent]

ipt_MASQUERADE          7617  1

iptable_nat            11205  1

ip_nat                 21101  2 ipt_MASQUERADE,iptable_nat

bridge                 53853  0

autofs4                24389  2

hidp                   23105  2

rfcomm                 42457  0

l2cap                  29505  10 hidp,rfcomm

bluetooth              53797  5 hidp,rfcomm,l2cap

sunrpc                144893  1

ip_conntrack_netbios_ns     6977  0


ipt_REJECT              9537  3

xt_state                6208  4

ip_conntrack           53025  5 ipt_MASQUERADE,iptable_nat,ip_nat,ip_conntrack_netbios_ns,xt_state

nfnetlink              10713  2 ip_nat,ip_conntrack

iptable_filter          7105  1

ip_tables              17029  2 iptable_nat,iptable_filter

ip6t_REJECT             9409  1

xt_tcpudp               7105  16

ip6table_filter         6849  1

ip6_tables             18053  1 ip6table_filter

x_tables               17349  8 ipt_MASQUERADE,iptable_nat,ipt_REJECT,xt_state,ip_tables,ip6t_REJECT,xt_tcpudp,ip6_tables

dm_multipath           22089  0

video                  21193  0

sbs                    18533  0

backlight              10049  1 video

i2c_ec                  9025  1 sbs

button                 10705  0

battery                13637  0

asus_acpi              19289  0

ac                      9157  0

ipv6                  258401  15 ip6t_REJECT

xfrm_nalgo             13765  1 ipv6

crypto_api             11969  1 xfrm_nalgo

lp                     15849  0

floppy                 54949  0

i2c_piix4              12237  0

pcnet32                36805  0

pcspkr                  7105  0

i2c_core               23745  2 i2c_ec,i2c_piix4

mii                     9409  1 pcnet32

serio_raw              10693  0

ide_cd                 40033  0

parport_pc             29157  1

cdrom                  36705  1 ide_cd

serial_core            23617  0

parport                37641  2 lp,parport_pc

dm_snapshot            21477  0

dm_zero                 6209  0

dm_mirror              29381  0

dm_mod                 61405  9 dm_multipath,dm_snapshot,dm_zero,dm_mirror

ata_piix               22341  0

libata                144637  1 ata_piix


sd_mod                 24897  0

scsi_mod              134861  2 libata,sd_mod

ext3                  123593  2

jbd                    56553  1 ext3

uhci_hcd               25677  0

ohci_hcd               23517  0

ehci_hcd               33741  0







5) The output of "ifconfig"



eth0      Link encap:Ethernet  HWaddr 00:0C:29:C8:8E:D5

         inet addr:192.168.146.132  Bcast:192.168.146.255  Mask:255.255.255.0

         inet6 addr: fe80::20c:29ff:fec8:8ed5/64 Scope:Link

         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

         RX packets:1787 errors:0 dropped:0 overruns:0 frame:0

         TX packets:1444 errors:0 dropped:0 overruns:0 carrier:0

         collisions:0 txqueuelen:0

         RX bytes:1754176 (1.6 MiB)  TX bytes:89731 (87.6 KiB)



lo        Link encap:Local Loopback

         inet addr:127.0.0.1  Mask:255.0.0.0

         inet6 addr: ::1/128 Scope:Host

         UP LOOPBACK RUNNING  MTU:16436  Metric:1

         RX packets:2819 errors:0 dropped:0 overruns:0 frame:0

         TX packets:2819 errors:0 dropped:0 overruns:0 carrier:0

         collisions:0 txqueuelen:0

         RX bytes:6214808 (5.9 MiB)  TX bytes:6214808 (5.9 MiB)



peth0     Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF

         inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link

         UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1

         RX packets:1790 errors:0 dropped:0 overruns:0 frame:0

         TX packets:1510 errors:0 dropped:0 overruns:0 carrier:0

         collisions:0 txqueuelen:1000

         RX bytes:1754743 (1.6 MiB)  TX bytes:101982 (99.5 KiB)

         Interrupt:16 Base address:0x1080



vif0.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF

         inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link

         UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1

         RX packets:1444 errors:0 dropped:0 overruns:0 frame:0

         TX packets:1787 errors:0 dropped:0 overruns:0 carrier:0

         collisions:0 txqueuelen:0

         RX bytes:89731 (87.6 KiB)  TX bytes:1754176 (1.6 MiB)



virbr0    Link encap:Ethernet  HWaddr 00:00:00:00:00:00


         inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0

         inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link

         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

         RX packets:0 errors:0 dropped:0 overruns:0 frame:0

         TX packets:63 errors:0 dropped:0 overruns:0 carrier:0

         collisions:0 txqueuelen:0

         RX bytes:0 (0.0 b)  TX bytes:11976 (11.6 KiB)



xenbr0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF

         UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1

         RX packets:40 errors:0 dropped:0 overruns:0 frame:0

         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

         collisions:0 txqueuelen:0

         RX bytes:10537 (10.2 KiB)  TX bytes:0 (0.0 b)







6) The output from the router of the command: "sho ip wccp"





omega#sh ip wccp

Global WCCP information:

   Router information:

       Router Identifier:                   X.X.X.X (interface facing the internet/Public ip)

       Protocol Version:                    2.0



   Service Identifier: web-cache

       Number of Service Group Clients:     0

       Number of Service Group Routers:     0

       Total Packets s/w Redirected:        0

         Process:                           0

         Fast:                              0

         CEF:                               0

       Redirect access-list:                -none-

       Total Packets Denied Redirect:       0

       Total Packets Unassigned:            0

       Group access-list:                   -none-

       Total Messages Denied to Group:      0

       Total Authentication failures:       0

       Total Bypassed Packets Received:     0





as for squid.conf, no I haven't changed anything but these two:

access list to allow my network

http_access allowing that ACL.

PS: I'm currently using a virtual machine, which is why you'll notice the masquerading part. it's NATed to my WIFI interface.

once our setup is up and running I'll move set it all up again on a server.. thought you should know :)





--------------------------------------------------

From: "Ritter, Nicholas" <Nicholas.Ritter@xxxxxxxxxxxxxx>

Sent: Monday, December 15, 2008 11:52 PM

To: "Roland Roland" <R_O_L_A_N_D@xxxxxxxxxxx>

Subject: RE:  Cisco with WCCP!! newbie here..



Ubuntu configures Squid more out of the box than CentOS does, which is why the HTTP browsing should not be working yet.

telnet should be disabled altogether, but only in the sense of a telnet-transport based terminal server (ie: telnetting into the centos server to get a command shell.)



Can you list the following:



1) Are you using a loopback interface in the router?

2) What is the IP of the centos server, a client machine, and the router.

3) The output of "service iptables status"

4) The output of "lsmod"

5) The output of "ifconfig"

6) The output from the router of the command: "sho ip wccp"





With the above information, I think I can straighten this out for you.

Also, did you edit the squid config file other than the "MyNet" acl and "http_access"?



________________________________



From: Roland Roland [mailto:R_O_L_A_N_D@xxxxxxxxxxx]

Sent: Mon 12/15/2008 3:21 PM

To: Ritter, Nicholas

Subject: Re:  Cisco with WCCP!! newbie here..







ya I guess so..

but is it a firewall issue? because I could perfectly telnet to it doing as such :

telnet 192.168.0.7 3128

and a session opens up normally (this is my current centos)

but I can't browse or use it as a proxy



--------------------------------------------------

From: "Ritter, Nicholas" <nicholas.ritter@xxxxxxxxxxxxxx>

Sent: Monday, December 15, 2008 11:18 PM

To: "Roland Roland" <R_O_L_A_N_D@xxxxxxxxxxx>

Subject: RE:  Cisco with WCCP!! newbie here..



Telnet or ssh?



This is why I have issues with ubuntu. Sure things work, but often at the expense of security.



Sent from my Windows Mobile® phone.



-----Original Message-----

From: Roland Roland <R_O_L_A_N_D@xxxxxxxxxxx>

Sent: Monday, December 15, 2008 3:02 PM

To: Ritter, Nicholas <Nicholas.Ritter@xxxxxxxxxxxxxx>

Subject: Re:  Cisco with WCCP!! newbie here..



I can't believe I got back to worse than I first started!!!



I can't seem to use squid now.

I simply installed it with yum install squid on centos 5.2



and added:

acl MyNet src 192.168.0.0/24

http_access allow MyNet



that's what I did when I first installed it on ubuntu and it worked back then..!

now on centos, I could telnet from outside to my box (that means it opened that port on the firewall)

but nothing is returned!

here's the output of firefox when I try to open any site to test using my squid's IP/port:

Connection Interrupted

connection to the server was reset while the page was loading.

The network link was interrupted while negotiating a connection. Please try again.



any advice on what might be the prob ?





















--------------------------------------------------

From: "Ritter, Nicholas" <Nicholas.Ritter@xxxxxxxxxxxxxx>

Sent: Monday, December 15, 2008 4:50 PM

To: "Roland Roland" <R_O_L_A_N_D@xxxxxxxxxxx>

Subject: RE:  Cisco with WCCP!! newbie here..



Here are some items that will need to be accomplished:

1) you will need to configure iptables to redirect port 80 traffic to 3128

2) Setup a GRE tunnel interface between the squid box, and the router.

3) configure WCCP on the router

4) Edit the squid.conf config file for the squid server.





With step 1, this step is largely depending on if you are ok with running the squid server on port 80 or not. If you choose to run the squid server on port 80, you still need to edit iptables rules to allow port 80 connections.

Reference the following squid-cache.org wiki articles. And let me know where I can fill in information and specific steps to help you get up and running:



http://wiki.squid-cache.org/ConfigExamples/Wccp2AndNat

http://wiki.squid-cache.org/ConfigExamples/SquidAndWccp2



Create and bring up the GRE interface:



modprobe ip_gre

ifconfig gre0 <address of squid server (duplicate of the eth0 interface address)> netmask 255.255.255.0 up

If the above commands don't give errors, you can add them to "/etc/rc.d/init.d/rc.local" so that they get done at each boot up.







For the GRE tunnel rules for iptables, you will need something like (add to /etc/sysconfig/iptables, then "service iptables condrestart"):

iptables -A INPUT -i gre0 -j ACCEPT

iptables -A INPUT -p gre -j ACCEPT

iptables -A RH-Firewall-1-INPUT -s <address of router>/32 -p udp -m udp --dport 2048 -j ACCEPT

The first two rules allow gre protocol, and traffic on the gre interface, the second rule allows WCCP control traffic.

________________________________



From: Roland Roland [mailto:R_O_L_A_N_D@xxxxxxxxxxx]

Sent: Sun 12/14/2008 3:17 PM

To: Ritter, Nicholas

Subject: Re:  Cisco with WCCP!! newbie here..







Hey :)

I just installed centos 5.2 out of dvd with desktop-gnome.

and followed the instructions u've specified as well as installed squid using "yum install squid" and backed up squid.conf to desktop.

now what are the steps you want me to follow..

thanks in advance,



Roland



--------------------------------------------------

From: "Ritter, Nicholas" <Nicholas.Ritter@xxxxxxxxxxxxxx>

Sent: Friday, December 12, 2008 6:58 PM

To: <R_O_L_A_N_D@xxxxxxxxxxx>

Subject: RE:  Cisco with WCCP!! newbie here..



with the netinstall, the http url is tricky...but doable. The DVD works the best regardless. IM'ing would work better, I just don't have an IM client installed. I have an IRC client installed....or...now that I think about it...I have a gmail account....could use gmail IM...never done it though.



Nick





-----Original Message-----

From: R_O_L_A_N_D@xxxxxxxxxxx [mailto:R_O_L_A_N_D@xxxxxxxxxxx]

Sent: Fri 12/12/2008 9:45 AM

To: Ritter, Nicholas

Subject: Re:  Cisco with WCCP!! newbie here..



hey :) am downloading the DVD release just now..

half way through!

I got the netinstall image, burned it and gave the HTTP option a try, it gets stuck on image retrieval..

I guess the DVD image would be done soon enough, I'm going to install it on a virtual machine in order to test, and if everything is setup smoothly (centos/squid) I'll proceed with the squid configuration depending on your advice..

if you don't mind is there a sort of IM I could contact you on? or you prefer to keep it over here..?



--------------------------------------------------

From: "Ritter, Nicholas" <Nicholas.Ritter@xxxxxxxxxxxxxx>

Sent: Friday, December 12, 2008 4:51 PM

To: <R_O_L_A_N_D@xxxxxxxxxxx>

Subject: RE: [squid-users] Cisco with WCCP!! newbie here..



Sure.



I never use the live cd for installs, always either the DVD, or netinstall cd.

Make sure you do a minimal install. Don't install any of the package groups, although it won't hurt if you do.

If you have never installed CentOS before, let me know if you have questions, but after the initial install and boot up, you will be presented with a semi-graphical (ncurses) interface that has a menu and items on it for configuring running services, firewall, network, etc. You want to make sure the box has a static IP (a private ip behind the NAT GW is fine.) In the "Firewall configuration", set the "Security Level" to "Enabled" and "SELinux" to "Permissive". In "System Services", disable any service that contains "sendmail", and/or "rpc", and/or "nfs".

If you don't get to a menu, or want to go back to it, just type "setup" at the root CLI prompt.

Note: step 1 and 2 are separate for a reason, as it will produce the most effective way of accomplishing specific goals for updating software.



1) run (as root): yum update yum rpm python

- this will update yum, rpm, and python

- you will be asked to confirm selections, just type: y

- you will be asked to import a GPG signing key, just type: y



2) run (as root): yum update

- this will update the rest of the software packages on the system

- you will be asked to confirm selections, just type: y



3) reboot



-----Original Message-----

From: R_O_L_A_N_D@xxxxxxxxxxx [mailto:R_O_L_A_N_D@xxxxxxxxxxx]

Sent: Fri 12/12/2008 7:55 AM

To: Ritter, Nicholas

Subject: Re:  Cisco with WCCP!! newbie here..



Hi :)

I'm having a bit of trouble installing centos from the live cd..

am downloading at the moment.. centos dvd..



in the meantime could you provide any sort of step that you'd like me to do..!

since I'm going to install squid over centos I guess you're already familiar with all the steps?








--------------------------------------------------

From: "Ritter, Nicholas" <Nicholas.Ritter@xxxxxxxxxxxxxx>

Sent: Friday, December 12, 2008 1:54 AM

To: "RoLaNd RoLaNd" <r_o_l_a_n_d@xxxxxxxxxxx>

Subject: RE:  Cisco with WCCP!! newbie here..









hey :) i cant begin to thank you for your help..



No prob...I know what it is like to want to accomplish something and needing help.



1) i don't think that would make a difference (correct me if I'm wrong) since the destination would only see my router's public ip!

unless if there's something i'm not familiar with please do advise me what's the best course of action..



If you are NATing to the Internet, then you are correct and you don't need client spoofing...which is good because it is easier to do.





2)  Version 12.4(17b), RELEASE SOFTWARE (fc2) Cisco 2811 (revision 53.51



Cisco IOS has been buggy at times with the WCCP feature. Make sure you are running something in the T release train. Do you have access to the IOS downloads on Cisco.com?









as for the rest, well my squid isn't active, so i don't have a problem installing CENTOS and squid again on my box if that would help me reach my goal..

i never used centos before! i'm only familiar with Ubuntu and fedora. but i do have one of its images ( CentOS-5.1-i386-LiveCD )

would this do?! i'll format with it and install squid on it..



Get the netinstall ISO and do a minimal install and I would say that you could install the squid that comes with the CentOS 5.2 distro, or we can custom build it. After install, do a "yum update"



do u have a specific squid version ud like to advise me with ?! or anything i should do before installing it ?



The latest 2.6STABLE release is fine.





Subject: RE:  Cisco with WCCP!! newbie here..

Date: Thu, 11 Dec 2008 13:37:36 -0600

From: Nicholas.Ritter@xxxxxxxxxxxxxx

To: r_o_l_a_n_d@xxxxxxxxxxx



Here are a few questions:



1) Do you want transparent redirection via WCCP with or without the remote website seeing the client machine IP?

2) What IOS feature set and version/revision are you using on the 2811 router? (WCCP support is buggy depending on the revision level.)

3) Which version of Squid are you running?

4) Which version of Linux kernel are you running?



On your ubuntu box, run "insmod gre" then "lsmod" and see if the gre module loads, if you get an error, try "insmod ip_gre" instead.



I can help you more if you are using CentOS 5.2 rather than Ubuntu. With ubuntu, I can't give you all of the specific command lines with arguments, etc.



Nick





-----Original Message-----

From: RoLaNd RoLaNd [mailto:r_o_l_a_n_d@xxxxxxxxxxx]

Sent: Thu 12/11/2008 1:28 PM

To: nicholas.ritter@xxxxxxxxxxxxxx

Subject: RE:  Cisco with WCCP!! newbie here..







Hi Nicholas,



thanks for replying so soon...



is there anything specific you'd like to know about my topology in order for u to help out?!







> Date: Thu, 11 Dec 2008 13:21:12 -0600

> From: Nicholas.Ritter@xxxxxxxxxxxxxx

> To: r_o_l_a_n_d@xxxxxxxxxxx; squid-users@xxxxxxxxxxxxxxx

> Subject: RE:  Cisco with WCCP!! newbie here..

>

> I can help you out with this as needed.

>

> Nick



>

> -----Original Message-----

> From: RoLaNd RoLaNd [mailto:r_o_l_a_n_d@xxxxxxxxxxx]

> Sent: Thu 12/11/2008 1:05 PM

> To: squid-users@xxxxxxxxxxxxxxx

> Subject:  Cisco with WCCP!! newbie here..

>

>

> Hi All,

>

> am obviously a newbie here so am seeking an advice if i may..

>

> my current topology is as such:

>

> cisco 2811 router---Lan (contains users/squid)

>

> Squid is installed on ubuntu.

> and has one NIC with static ip 192.168.0.14/24

>

> i've managed to get direct proxy working with minimal settings..

> but am finding it hard to set it as transparent..

> i looked around and found at squid-cache that i could use cisco's WCCP protocol...

> i've checked the config examples but as i'm a newbie i got a little bit lost!!!

>

> could anyone help out?!

>

> any advice would be appreciated:)


>

> thank you in advance..

>

> Roland




