Am 14.07.2009 um 06:25 schrieb Adrian Chadd:
2009/7/14 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
Do you have an example of this particular (mis) configuration? The
note in the Wiki article isn't very clear.
I don't. The admin only mentioned that by adding a bypass on
service group
fixed the issue.
I had a tcpdump of as set of requests showing pairs of seemingly
identical
requests arriving from the router within 1sec of each other. On deep
inspection the slightly delayed one showed some minor alterations
such as
Squid makes from the first.
Right. But what was the squid config, cisco config and network
topology for both the "doesn't work" and "works" setups?
If there is any way to make the wiki clearer without wholesale
including of
per-IOS config setting go for it.
Well, it may boil down to per-IOS config and per-platform, per-IOS
config. The problem is getting some more information to at least
document what is needed.
The behavior I saw was:
enable wccpv2 + NAT intercept with wiki config
==> perfectly working, not a sign of any squid-sourced packets.
Right, probably because it was using one service group and the
half-duplex redirection needed for normal, non-tproxy interception was
being done.
swap NAT for tproxy4 with the wiki config (no change to WCCP or
links)
==> loop trace showing squid outward packets coming IN from WCCP.
Yeah that won't work. :)
So I say "seems" and "appears" to be an automatic bypass in WCCP or
router
somewhere. No idea where. "may" need bypassing manually to fix
tproxy.
Well, the automatic bypass should be "if the router sees packets from
an IP address or MAC of a registered device, it should be passing it
through." I have no idea whether it is doing this without explicit
"don't further redirect" rules (eg by deny entries in the redirect
list, or "wccp exclude in", etc) because that may absolutely be
platform, IOS and WCCPv2 negotiation type dependant.
So please, poke the admin in question to get as much information about
the configuration and setup of everything.
Adrian
If it's possible, the easier solution could be, to have the squid
behind the same interface of the router with the clients.
Tom
