
Re: AW: Squid - WCCP and ASA


Akos,

You are right, ASA does not support any GRE tunnels. But from what I have read by googling "squid asa wccp", the tunnel is GRE on the proxy server side whereas ASA is WCCP. Like I mentioned, I do see ASA REDIRECTING the packets. I see the redirected packets appearing on the proxy server but then I don't get any response back. I think there could be some issue with the iptables rule maybe.

-Parvinder Bhasin

On Jun 17, 2009, at 1:38 AM, Daniel, Akos wrote:


Hi,

ASA does not support any IP-over-IP such as GRE. Which SW version do you have on the ASA?
Once I tried WCCP and collected my info here:
http://www.tar.hu/ashley77/Configuring_PIX_and_SQUID_or_WAAS_for_WCCP.html

Regards,
Akos

-----Original Message-----
From: Parvinder Bhasin [mailto:parvinder.bhasin@xxxxxxxxx]
Sent: Wednesday, 17 June 2009 08:06
To: Amos Jeffries
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re:  Squid - WCCP and ASA

Amos,

The tunnel is actually between the ASA and the WCCP-enabled squid.  All
the examples on the squid-cache site as well as googling this issue point
to creating a tunnel like this.  Are you saying I don't need a
tunnel???  External IP???  The squid box has an internal interface and
is not connected to the internet directly.  The squid box itself goes
out the ASA and fetches the pages.  Basically it's NATed.

-Parvinder Bhasin

On Jun 16, 2009, at 5:51 PM, Amos Jeffries wrote:

On Tue, 16 Jun 2009 16:49:56 -0700, Parvinder Bhasin <parvinder.bhasin@xxxxxxxxx> wrote:
I have a setup of squid which was compiled with the --enable-delay-pools
option.  Works really well but without WCCP.
I enabled WCCP support in the squid config and also enabled WCCP
support on my ASA.  Set up GRE tunnel etc.
For my testing purpose I am only having ONE client IP go through
WCCP.  The problem is I am able to see that client (the requests) on the GRE1
interface of the proxy server, but that client is not
getting any reply back.  Do I need anything in iptables to
allow etc???  Do I need to compile with some transparent support??  If
so, which one would I use for ASA?

Any help is highly appreciated.


Here is part of my config:

http_port 3128 transparent

wccp2_router 192.168.100.250
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0

Additionally here is what I did to setup tunnel:

modprobe ip_gre
iptunnel add gre1 mode gre remote $ASA_IP local $LOCAL_IP dev eth0
ifconfig gre1 inet 127.0.0.2 netmask 255.255.255.0 up


IIRC localhost IDs 127.0.0.0/8 are hardware-limited to only be usable for
traffic internal to the box.
If WCCP is going on a tunnel it will likely need an externally visible IP
for the router to send to.

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter

iptables -t nat -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128

I do see the RX counter going up but not the TX on gre1:

gre1      Link encap:UNSPEC  HWaddr C0-A8-64-CF-B7-BF-C8-C2-00-00-00-00-00-00-00-00
         inet addr:127.0.0.2  P-t-P:127.0.0.2  Mask:255.255.255.0
         UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
         RX packets:1559 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:83432 (81.4 KiB)  TX bytes:0 (0.0 b)

Here is tcpdump output:

[root@squidnclamav etc]# tcpdump -i gre1 host 192.168.100.175 and port not ssh
tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gre1, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
14:13:37.615862 IP 192.168.100.175.52257 > cf-in-f99.google.com.http: S 3689381709:3689381709(0) win 65535 <mss 1460,sackOK,eol>
14:13:45.524999 IP 192.168.100.175.52256 > bs2.ads.vip.sp1.yahoo.com.http: S 2516726129:2516726129(0) win 65535 <mss 1460,sackOK,eol>
14:13:45.525001 IP 192.168.100.175.52255 > bs2.ads.vip.sp1.yahoo.com.http: S 878462413:878462413(0) win 65535 <mss 1460,sackOK,eol>
14:13:45.525002 IP 192.168.100.175.52254 > bs2.ads.vip.sp1.yahoo.com.http: S 1528706489:1528706489(0) win 65535 <mss 1460,sackOK,eol>
14:13:45.525003 IP 192.168.100.175.52253 > bs2.ads.vip.sp1.yahoo.com.http: S 1578413587:1578413587(0) win 65535 <mss 1460,sackOK,eol>
14:13:47.427509 IP 192.168.100.175.52252 > mc2b.mail.vip.re1.yahoo.com.http: S 3796070861:3796070861(0) win 65535 <mss 1460,sackOK,eol>
14:13:47.886251 IP 192.168.100.175.52259 > f1.www.vip.sp1.yahoo.com.http: S 1111547104:1111547104(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 322113293 0,sackOK,eol>
14:13:48.127001 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S 357937093:357937093(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 322113295 0,sackOK,eol>
14:13:48.829652 IP 192.168.100.175.52259 > f1.www.vip.sp1.yahoo.com.http: S 1111547104:1111547104(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 322113302 0,sackOK,eol>
14:13:49.029600 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S 357937093:357937093(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 322113304 0,sackOK,eol>
14:13:49.820922 IP 192.168.100.175.52259 > f1.www.vip.sp1.yahoo.com.http: S 1111547104:1111547104(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 322113312 0,sackOK,eol>
14:13:50.030914 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S 357937093:357937093(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 322113314 0,sackOK,eol>
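An added example, not part of the thread: a small POSIX shell script that turns Amos's loopback point into a check, classifies the gre1 counter pattern from the ifconfig output above (RX climbing, TX stuck at 0), and brings the tunnel up with the eth0 address in place of 127.0.0.2. The `ip addr add .../32 dev gre1` layout, the interface names and the addresses are assumptions, and the bring-up function needs root so it is defined but not called.

```shell
#!/bin/sh
# Added example (not from the thread). Checks for the symptoms discussed
# above, plus tunnel bring-up with a routable endpoint instead of 127.0.0.2.
# Interface names and addresses are placeholders.

# Amos's point: a 127/8 tunnel endpoint is only reachable inside the box,
# so the router can never route return traffic to it. 0 = usable, 1 = not.
tunnel_addr_ok() {
    case "$1" in
        127.*) return 1 ;;
        *)     return 0 ;;
    esac
}

# The symptom in the ifconfig output: RX climbing on gre1 while TX stays 0,
# i.e. intercepted SYNs arrive but nothing is sent back. Reads the packet
# counters from ifconfig-style text and prints rx_only, ok or idle.
gre_counter_state() {
    rx=$(printf '%s\n' "$1" | sed -n 's/.*RX packets:\([0-9]*\).*/\1/p')
    tx=$(printf '%s\n' "$1" | sed -n 's/.*TX packets:\([0-9]*\).*/\1/p')
    if [ "${rx:-0}" -gt 0 ] && [ "${tx:-0}" -eq 0 ]; then echo rx_only
    elif [ "${rx:-0}" -gt 0 ]; then echo ok
    else echo idle
    fi
}

# Tunnel bring-up as in the thread, refusing a loopback endpoint and using
# the eth0 address instead (assumed layout; needs root, so not run here).
setup_gre_intercept() {
    asa_ip=$1 local_ip=$2
    tunnel_addr_ok "$local_ip" || { echo "refusing loopback endpoint $local_ip" >&2; return 1; }
    modprobe ip_gre
    ip tunnel add gre1 mode gre remote "$asa_ip" local "$local_ip" dev eth0
    ip addr add "$local_ip/32" dev gre1
    ip link set gre1 up
    for f in default all eth0 gre1; do echo 0 > "/proc/sys/net/ipv4/conf/$f/rp_filter"; done
    iptables -t nat -A PREROUTING -i gre1 -p tcp --dport 80 -j REDIRECT --to-port 3128
}

# Constructed sample mirroring the counters posted in the thread.
SAMPLE='gre1      Link encap:UNSPEC
          RX packets:1559 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0'

tunnel_addr_ok 127.0.0.2 || echo "127.0.0.2 is not a usable tunnel endpoint"
echo "gre1 state: $(gre_counter_state "$SAMPLE")"
```

Run it as a plain script to see both checks on the sample; call setup_gre_intercept with the ASA address and the eth0 address yourself, as root, once the checks pass.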



