Search squid archive

Re: Squid - WCCP and ASA

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Parvinder Bhasin wrote:
Amos,

 The tunnel is actually between the ASA and WCCP enabled squid.

No tunnel is between ASA and the squid box Operating System.

Squid itself has nothing to do with the tunnel. Squids only concern is that the packets are arriving via some interception method. Thus the src/dst IPs are a bit strange and it needs "transparent" or "intercept" http_port option to handle.


All the examples on squid-cache site as well as googling this issue points to creating a tunnel like this. Are you saying I don't need tunnel??? external ip???

No you still need the tunnel. But I think assigning localhost-only address to it may be a bad thing.

The other tunnels I know about all need an IP the firewall device can send to. Try without it to see if our packets start appearing.


the squid box has an internal interface and is not connected to the internet directly.

There are three categories of traffic interface:
 WAN - Internet facing
 LAN - local network facing
 localhost - not even getting past the NIC onto the wire.

The squid box itself goes out the ASA and fetches the pages. Basically its NATed.


Can you trace the packets as far as reaching Squid and starting their way out again though? If so the tunnels etc are fine. But the routing exemption to allow for Squid box connections out through the router may be whacked.

Amos

-Parvinder Bhasin

On Jun 16, 2009, at 5:51 PM, Amos Jeffries wrote:

On Tue, 16 Jun 2009 16:49:56 -0700, Parvinder Bhasin
<parvinder.bhasin@xxxxxxxxx> wrote:
I have setup of squid ..which was compiled with --enable-delay-pools
option.  Works really well but without WCCP.
I enabled WCCP support in the squid config and also enabled wccp
support on my ASA.  Setup GRE tunnel etc.
For my testing purpose I am only having ONE client IP go through
WCCP.  The problem is I am able to see that client on the GRE1
interface (the requests) of the proxy server but that client is not
getting anything back reply back.  Do I need anything in iptables to
allow etc???  do I need to compile with some transparent support?? if
so which one would I use for ASA?

 Any help is highly appreciated.


Here is part of my config:

http_port 3128 transparent

wccp2_router 192.168.100.250
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0

Additionally here is what I did to setup tunnel:

modprobe ip_gre
iptunnel add gre1 mode gre remote $ASA_IP local $LOCAL_IP dev eth0
ifconfig gre1 inet 127.0.0.2 netmask 255.255.255.0 up


IIRC localhost IDs 127.0.0.0/8 are hardware-limited to only be usable for
traffic internal to the box.
If WCCP is going on a tunnel it will likely need an externally visible IP
for the router to send to.

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter

iptables -t nat -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j
REDIRECT --to-port
3128

I do see the RX counter going up but not the TX on gre1:

gre1      Link encap:UNSPEC  HWaddr C0-A8-64-CF-B7-BF-C8-
C2-00-00-00-00-00-00-00-00
          inet addr:127.0.0.2  P-t-P:127.0.0.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
          RX packets:1559 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:83432 (81.4 KiB)  TX bytes:0 (0.0 b)

Here is tcpdump output:

[root@squidnclamav etc]# tcpdump -i gre1 host 192.168.100.175 and port
not ssh
tcpdump: WARNING: arptype 778 not supported by libpcap - falling back
to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on gre1, link-type LINUX_SLL (Linux cooked), capture size 96
bytes
14:13:37.615862 IP 192.168.100.175.52257 > cf-in-f99.google.com.http:
S 3689381709:3689381709(0) win 65535 <mss 1460,sackOK,eol>
14:13:45.524999 IP 192.168.100.175.52256 >
bs2.ads.vip.sp1.yahoo.com.http: S 2516726129:2516726129(0) win 65535
<mss 1460,sackOK,eol>
14:13:45.525001 IP 192.168.100.175.52255 >
bs2.ads.vip.sp1.yahoo.com.http: S 878462413:878462413(0) win 65535
<mss 1460,sackOK,eol>
14:13:45.525002 IP 192.168.100.175.52254 >
bs2.ads.vip.sp1.yahoo.com.http: S 1528706489:1528706489(0) win 65535
<mss 1460,sackOK,eol>
14:13:45.525003 IP 192.168.100.175.52253 >
bs2.ads.vip.sp1.yahoo.com.http: S 1578413587:1578413587(0) win 65535
<mss 1460,sackOK,eol>
14:13:47.427509 IP 192.168.100.175.52252 >
mc2b.mail.vip.re1.yahoo.com.http: S 3796070861:3796070861(0) win 65535
<mss 1460,sackOK,eol>
14:13:47.886251 IP 192.168.100.175.52259 >
f1.www.vip.sp1.yahoo.com.http: S 1111547104:1111547104(0) win 65535
<mss 1460,nop,wscale 3,nop,nop,timestamp 322113293 0,sackOK,eol>
14:13:48.127001 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S
357937093:357937093(0) win 65535 <mss 1460,nop,wscale
3,nop,nop,timestamp 322113295 0,sackOK,eol>
14:13:48.829652 IP 192.168.100.175.52259 >
f1.www.vip.sp1.yahoo.com.http: S 1111547104:1111547104(0) win 65535
<mss 1460,nop,wscale 3,nop,nop,timestamp 322113302 0,sackOK,eol>
14:13:49.029600 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S
357937093:357937093(0) win 65535 <mss 1460,nop,wscale
3,nop,nop,timestamp 322113304 0,sackOK,eol>
14:13:49.820922 IP 192.168.100.175.52259 >
f1.www.vip.sp1.yahoo.com.http: S 1111547104:1111547104(0) win 65535
<mss 1460,nop,wscale 3,nop,nop,timestamp 322113312 0,sackOK,eol>
14:13:50.030914 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S
357937093:357937093(0) win 65535 <mss 1460,nop,wscale
3,nop,nop,timestamp 322113314 0,sackOK,eol>



--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.8

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux