Am 10.07.2009 um 08:19 schrieb Behnam B.Marandi:
Thanks for quick replay.
I did set "ip wccp web-cache" in the router config but;
#sh ip wccp web-cache detail
No information is available for the service.
try to debug wccp
#debug wccp packet
can you see any packets from your squid engine?
In case of access-list, what I got from step 35 is that access-list
just used for excluding specific web sites from redirecting to
cache. Otherwise I don't know how and where (in router config or
squid config) to put an access-list.
ok, i didn't have to configure a cisco router for some time.
Behnam.
Tom Penndorf wrote:
Hi,
Am 10.07.2009 um 07:29 schrieb Behnam B.Marandi:
I did setup a full transparent caching machine based on Nicholas
Ritter's guide:
http://www.mail-archive.com/squid-users@xxxxxxxxxxxxxxx/
msg65056.html
Cache machine is a Cent OS 5.3
Router is;
IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(11)T8, RELEASE
SOFTWARE (fc1)
Squid config is;
http_port 194.225.241.40:5119 tproxy disable-pmtu-discovery=always
wccp2_router xx.xx.241.39
wccp_version 4
wccp2_rebuild_wait off
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service dynamic 80
wccp2_service dynamic 90
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240
ports=80
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source
priority=240 ports=80
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal
network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal
network
acl localnet src xx.xx.240.0/20
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
cache_dir ufs /var/spool/squid 4000 16 256
hierarchy_stoplist cgi-bin ?
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
coredump_dir /usr/local/squid/var/cache
visible_hostname tco53
I'm not sure IOS version is critical or not, and in case of
"wccp2_rebuild_wait" I had to set it "off" so the router can see
the cache machine;
6#sh ip wccp
Global WCCP information:
Router information:
Router Identifier: xx.xx.241.39
Protocol Version: 2.0
Service Identifier: web-cache
Number of Cache Engines: 0
Number of routers: 0
Total Packets Redirected: 0
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Service Identifier: 80
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 0
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Service Identifier: 90
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 0
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
What are the last 2 entries? Is it your squid machine, too?
As you can see, the router isn't redirecting the traffic to the
proxy. Please send the output of "show ip wccp detail". Also you
don't have defined any access-list for redirecting, so the router
don't knows, which traffic to redirect.
Clients can browse web but there is no transfer between router and
cache machine:
[root@tco53 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:10:22:FE:6E:EC
inet addr:xx.xx.241.40 Bcast:194.225.241.63 Mask:255.255.255.192
inet6 addr: fe80::210:22ff:fefe:6eec/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:83610 errors:0 dropped:0 overruns:1 frame:0
TX packets:24135 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:7179021 (6.8 MiB) TX bytes:3493119 (3.3 MiB)
Interrupt:5
gre0 Link encap:UNSPEC HWaddr 00-00-00-00-AC-BF-
F4-6F-00-00-00-00-00-00-00-00 inet addr:xx.xx.241.40
Mask:255.255.255.192
UP RUNNING NOARP MTU:1476 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback inet addr:127.0.0.1
Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:10097 errors:0 dropped:0 overruns:0 frame:0
TX packets:10097 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:424456 (414.5 KiB) TX bytes:424456 (414.5 KiB)
[root@tco53 ~]# cat /etc/rc.local
ifconfig gre0 194.225.241.40 netmask 255.255.255.192 up
touch /var/lock/subsys/local
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
/usr/local/squid/sbin/squid
I compiled gre in the kernel so there is no need to modprobe it;
CONFIG_NET_IPGRE=y
CONFIG_NET_IPGRE_BROADCAST=y
[root@tco53 ~]# ip ru sh
0: from all lookup 255
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default
[root@tco53 ~]# ip ro sh ta 100
local default dev lo scope host
[root@tco53 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.3.2 on Sun Jul 5 17:04:57 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26:3416]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i gre0 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport
5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j
ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport
55936 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -s xx.xx.241.39/32 -p udp -m udp --dport
2048 -j ACCEPT
COMMIT
# Completed on Sun Jul 5 17:04:57 2009
# Generated by iptables-save v1.4.3.2 on Sun Jul 5 17:04:57 2009
*mangle
:PREROUTING ACCEPT [10:1680]
:INPUT ACCEPT [38:3760]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26:3416]
:POSTROUTING ACCEPT [26:3416]
:DIVERT - [0:0]
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 5119 --
on-ip xx.xx.241.40 --tproxy-mark 0x1/0x1 COMMIT
# Completed on Sun Jul 5 17:04:57 2009
I don't know where this line came from; "-A RH-Firewall-1-INPUT -d
224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT"
I guess despite identification of cache machine by router, it does
not qualified by the router to route web traffic trough it.
Don't know how to debug this, any idea to help this out would be
greatly appreciated.
Behnam.
Tom