On Tue, 16 Jun 2009 16:49:56 -0700, Parvinder Bhasin <parvinder.bhasin@xxxxxxxxx> wrote: > I have setup of squid ..which was compiled with --enable-delay-pools > option. Works really well but without WCCP. > I enabled WCCP support in the squid config and also enabled wccp > support on my ASA. Setup GRE tunnel etc. > For my testing purpose I am only having ONE client IP go through > WCCP. The problem is I am able to see that client on the GRE1 > interface (the requests) of the proxy server but that client is not > getting anything back reply back. Do I need anything in iptables to > allow etc??? do I need to compile with some transparent support?? if > so which one would I use for ASA? > > Any help is highly appreciated. > > > Here is part of my config: > > http_port 3128 transparent > > wccp2_router 192.168.100.250 > wccp_version 4 > wccp2_forwarding_method 1 > wccp2_return_method 1 > wccp2_service standard 0 > > Additionally here is what I did to setup tunnel: > > modprobe ip_gre > iptunnel add gre1 mode gre remote $ASA_IP local $LOCAL_IP dev eth0 > ifconfig gre1 inet 127.0.0.2 netmask 255.255.255.0 up > IIRC localhost IDs 127.0.0.0/8 are hardware-limited to only be usable for traffic internal to the box. If WCCP is going on a tunnel it will likely need an externally visible IP for the router to send to. > echo 1 > /proc/sys/net/ipv4/ip_forward > echo 0 > /proc/sys/net/ipv4/tcp_window_scaling > echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter > echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter > echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter > echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter > echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter > > iptables -t nat -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j > REDIRECT --to-port > 3128 > > I do see the RX counter going up but not the TX on gre1: > > gre1 Link encap:UNSPEC HWaddr C0-A8-64-CF-B7-BF-C8- > C2-00-00-00-00-00-00-00-00 > inet addr:127.0.0.2 P-t-P:127.0.0.2 Mask:255.255.255.0 > UP POINTOPOINT RUNNING NOARP MTU:1476 Metric:1 > RX packets:1559 errors:0 dropped:0 overruns:0 frame:0 > TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:0 > RX bytes:83432 (81.4 KiB) TX bytes:0 (0.0 b) > > Here is tcpdump output: > > [root@squidnclamav etc]# tcpdump -i gre1 host 192.168.100.175 and port > not ssh > tcpdump: WARNING: arptype 778 not supported by libpcap - falling back > to cooked socket > tcpdump: verbose output suppressed, use -v or -vv for full protocol > decode > listening on gre1, link-type LINUX_SLL (Linux cooked), capture size 96 > bytes > 14:13:37.615862 IP 192.168.100.175.52257 > cf-in-f99.google.com.http: > S 3689381709:3689381709(0) win 65535 <mss 1460,sackOK,eol> > 14:13:45.524999 IP 192.168.100.175.52256 > > bs2.ads.vip.sp1.yahoo.com.http: S 2516726129:2516726129(0) win 65535 > <mss 1460,sackOK,eol> > 14:13:45.525001 IP 192.168.100.175.52255 > > bs2.ads.vip.sp1.yahoo.com.http: S 878462413:878462413(0) win 65535 > <mss 1460,sackOK,eol> > 14:13:45.525002 IP 192.168.100.175.52254 > > bs2.ads.vip.sp1.yahoo.com.http: S 1528706489:1528706489(0) win 65535 > <mss 1460,sackOK,eol> > 14:13:45.525003 IP 192.168.100.175.52253 > > bs2.ads.vip.sp1.yahoo.com.http: S 1578413587:1578413587(0) win 65535 > <mss 1460,sackOK,eol> > 14:13:47.427509 IP 192.168.100.175.52252 > > mc2b.mail.vip.re1.yahoo.com.http: S 3796070861:3796070861(0) win 65535 > <mss 1460,sackOK,eol> > 14:13:47.886251 IP 192.168.100.175.52259 > > f1.www.vip.sp1.yahoo.com.http: S 1111547104:1111547104(0) win 65535 > <mss 1460,nop,wscale 3,nop,nop,timestamp 322113293 0,sackOK,eol> > 14:13:48.127001 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S > 357937093:357937093(0) win 65535 <mss 1460,nop,wscale > 3,nop,nop,timestamp 322113295 0,sackOK,eol> > 14:13:48.829652 IP 192.168.100.175.52259 > > f1.www.vip.sp1.yahoo.com.http: S 1111547104:1111547104(0) win 65535 > <mss 1460,nop,wscale 3,nop,nop,timestamp 322113302 0,sackOK,eol> > 14:13:49.029600 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S > 357937093:357937093(0) win 65535 <mss 1460,nop,wscale > 3,nop,nop,timestamp 322113304 0,sackOK,eol> > 14:13:49.820922 IP 192.168.100.175.52259 > > f1.www.vip.sp1.yahoo.com.http: S 1111547104:1111547104(0) win 65535 > <mss 1460,nop,wscale 3,nop,nop,timestamp 322113312 0,sackOK,eol> > 14:13:50.030914 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S > 357937093:357937093(0) win 65535 <mss 1460,nop,wscale > 3,nop,nop,timestamp 322113314 0,sackOK,eol>