On Mon, 19 Oct 2009 20:06:55 -0400, Ross Kovelman <rkovelman@xxxxxxxxxxxxxxxx> wrote:
>> From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
>> Date: Tue, 20 Oct 2009 12:40:02 +1300
>> To: Ross Kovelman <rkovelman@xxxxxxxxxxxxxxxx>
>> Cc: "squid-users@xxxxxxxxxxxxxxx" <squid-users@xxxxxxxxxxxxxxx>
>> Subject: Re: WCCP
>>
>> On Mon, 19 Oct 2009 18:26:18 -0400, Ross Kovelman <rkovelman@xxxxxxxxxxxxxxxx> wrote:
>>>> From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
>>>> Date: Tue, 20 Oct 2009 11:04:42 +1300
>>>> To: Ross Kovelman <rkovelman@xxxxxxxxxxxxxxxx>
>>>> Cc: "squid-users@xxxxxxxxxxxxxxx" <squid-users@xxxxxxxxxxxxxxx>
>>>> Subject: Re: WCCP
>>>>
>>>> On Mon, 19 Oct 2009 14:21:44 -0400, Ross Kovelman wrote:
>>>>>> From: Amos Jeffries
>>>>>>
>>>>>> Ross Kovelman wrote:
>>>>>>>> From: Amos Jeffries:
>>>>>>>>
>>>>>>>> Ross Kovelman wrote:
>>>>>>>>> I am going to be using WCCP. I did another reconfigure with the --enable WCCP option. How can I check that it is on and running? The next step I need to do is upgrade to version 2 since the Cisco only communicates on version 2. I tried to do the patch < upgrade patch but then I get a response with path to upgrade and I am not sure where the file is that I need to patch.
>>>>>>>>
>>>>>>>> There is zero need to patch for WCCPv2 support. It's been built into Squid for many years now.
>>>>>>>>
>>>>>>>> Run "./configure --help".
>>>>>>>> * If it lists "--disable-wccpv2" there is no need to do anything.
>>>>>>>> * If it lists "--enable-wccpv2", add that to your build options.
>>>>>>>> * If it does not mention "wccpv2" at all, upgrade your Squid version.
>>>>>>>>
>>>>>>>> Then set up squid.conf with the relevant wccp2_* options.
>>>>>>>>
>>>>>>>> http://www.squid-cache.org/Doc/config/ or the wiki example configs have details on those.
>>>>>>>
>>>>>>> Thanks again.
>>>>>>> Running the ./configure --help only says this:
>>>>>>> --disable-wccp Disable Web Cache Coordination V1 Protocol
>>>>>>> --disable-wccpv2 Disable Web Cache Coordination V2 Protocol
>>>>>>>
>>>>>>> When I did the install I ran the ./configure --enable wccp option. I didn't say --enable-wccpv2, does this matter? I also have this in the config:
>>>>>>> wccp2_router 192.168.16.1
>>>>>>> wccp2_forwarding_method 1
>>>>>>> wccp2_return_method 1
>>>>>>>
>>>>>>> I am running Squid Web Proxy 2.7.STABLE5.
>>>>>>
>>>>>> Okay. That's fine.
>>>>>>
>>>>>> The ./configure results mean that both WCCP versions are built into Squid by default unless you explicitly say --disable. Nothing extra needed to build them.
>>>>>>
>>>>>> The config options you have there are already WCCPv2-only options for Cisco. Nothing new needed there either.
>>>>>>
>>>>>> If that's not working it's a config error somewhere.
>>>>>>
>>>>> I am getting this in my cache log:
>>>>>
>>>>> Accepting proxy HTTP connections at 0.0.0.0, port 3128, FD 20.
>>>>> commBind: Cannot bind socket FD 21 to *:3128: (48) Address already in use
>>>>> Accepting proxy HTTP connections at 0.0.0.0, port 80, FD 21.
>>>>> commBind: Cannot bind socket FD 22 to *:80: (48) Address already in use
>>>>
>>>> http://wiki.squid-cache.org/SquidFaq/TroubleShooting#Cannot_bind_socket_FD_NN_to_.2A:8080_.28125.29_Address_already_in_use
>>>>
>>>> I would suspect this as part of the problem. The WCCP router will be trying to contact whatever software is already running on port 3128, not the Squid you are starting with WCCP config.
>>>>
>>>>> Accepting ICP messages at 0.0.0.0, port 3130, FD 22.
>>>>> WCCP Disabled.
>>>>> Accepting WCCPv2 messages on port 2048, FD 23.
>>
>> To answer your earlier question:
>> the above two lines mean WCCPv1 is disabled, WCCPv2 is being used.
>>
>>>>> Initialising all WCCPv2 lists
>>>>>
>>>>> As from my other posting I need WCCP enabled but it is showing disabled. Any reason why? How can I resolve this? Below are my lines in config:
>>>>>
>>>>> wccp2_router 192.168.16.1
>>>>> wccp2_forwarding_method 1
>>>>> wccp2_return_method 1
>>>>
>>>> The above are only the config of how squid sends packets to the Cisco. WCCP requires configuration of the Cisco, the squid box OS and firewall, and routing tables, any one of which could be the problem.
>>>> The tutorials and troubleshooting info we have at present is a little spread out and disjointed. What how-to are you working from?
>>>>
>>>> Amos
>>>
>>> Amos,
>>> I just did a TCP dump and I think my problem is the GRE packet. It is being listed I think as unknown. Shouldn't squid be able to pick the packet up and open it? The Cisco sees squid and relays the information good but it is stopping at the squid box. Any ideas? I am just googling around, no set how-to.
>>
>> Okay. I've polished up our exemplar configs a little:
>> http://wiki.squid-cache.org/Features/Wccp2
>> (some way to go though).
>>
>> There are four parts to WCCP systems:
>>
>> 1) WCCP capture and redirect
>>
>> 2) gre tunnel between the Cisco and Squid boxes
>>
>> 3) squid box firewall settings and NAT capture of received gre packets
>>
>> http://wiki.squid-cache.org/ConfigExamples/Intercept#Traffic_Interception_capture_into_Squid
>>
>> 4) squid.conf settings to make Squid contact the cisco router
>>
>> Amos
>>
> From what I have read and what you show only for the PIX and ASA should be the same. The Pix is actually correct for the ASA, although that is what Cisco told me to do.
>
> As far as:
> wccp2_router - My cisco router address
> wccp2_forwarding_method - I took this out of my config as GRE is default
> wccp2_return_method - same as forward
> wccp2_assignment_method - nothing in config
> wccp2_service - nothing in config
>
> Am I missing something? If I have my cisco config turned on for WCCP and squid running no one can browse the web. If I turn squid off and leave wccp running on the Cisco browsing web is perfect. No issues. Anything else to check?

... rp_filter settings on the Squid box are turned off.

... iptables does REDIRECT or DNAT capture of the packets to the Squid http_port marked with "transparent"

>
> bert:~ administrator$ sudo tcpdump -n -i en1 ip proto gre
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on en1, link-type EN10MB (Ethernet), capture size 96 bytes
> 15:00:33.599161 IP 192.168.xx.1 > 192.168.xx.xxx: GREv0, length 60: gre-proto-0x883e
> 15:00:34.715585 IP 192.168.xx.1 > 192.168.xx.xxx: GREv0, length 60: gre-proto-0x883e
> 15:00:34.805734 IP 192.168.xx.1 > 192.168.xx.xxx: GREv0, length 56: gre-proto-0x883e
> 15:00:34.808181 IP 192.168.xx.1 > 192.168.xx.xxx: GREv0, length 56: gre-proto-0x883e
>
> Does that help? Let me know what you need from me so we can resolve this. I did mask off my IP but the IP prior to the > is the ASA and the numbers after are the squid server
>
> Thanks
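The tcpdump lines above show the router delivering GREv0 frames whose GRE protocol type is 0x883e, which is the WCCP redirect encapsulation: the client's original TCP/80 packet is carried inside, and nothing reaches Squid until the cache box's kernel strips the outer IP and GRE headers (Amos's part 2) and the firewall redirects the inner packet to the transparent http_port (part 3). The following decoder is an added example, not code from the thread or from the Squid project. It builds a constructed WCCP-over-GRE packet (router 192.168.16.1 from the thread; cache address 192.168.16.20, client 192.168.16.50 and server 203.0.113.10 are made up), then parses it the way a decapsulating host has to: it validates GREv0, skips any optional GRE fields, and distinguishes WCCPv1 from WCCPv2 by the 4-byte redirect header that v2 inserts before the inner IPv4 header (the same high-nibble test the Linux ip_gre driver uses). The `should_redirect` check at the end models what the NAT rule in part 3 has to match.

```python
"""Decode WCCP GRE redirect packets (added example; sample packets are constructed)."""
import ipaddress
import struct

ETH_P_WCCP = 0x883E   # GRE protocol type shown by tcpdump as "gre-proto-0x883e"
ETH_P_IP = 0x0800     # plain IP-in-GRE, accepted too
IPPROTO_GRE = 47
IPPROTO_TCP = 6
IPV4_HDR = "!BBHHHBBH4s4s"   # ver/ihl, tos, len, id, frag, ttl, proto, csum, src, dst


def ip_checksum(data):
    """Standard one's-complement checksum over a header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header without options, checksum filled in."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_wccp_gre(router, cache, inner, wccpv2=True):
    """Wrap an inner IPv4 packet as the WCCP router would: outer IP (proto 47),
    GRE with flags=0/version=0/proto=0x883E, and for WCCPv2 a 4-byte redirect
    header (service and bucket fields; zeroed in this constructed sample)."""
    gre = struct.pack("!HH", 0, ETH_P_WCCP)
    redirect = b"\x00\x00\x00\x00" if wccpv2 else b""
    return build_ipv4(router, cache, IPPROTO_GRE, gre + redirect + inner)


def decode_wccp_gre(packet):
    """Return the addressing a cache box sees once it has decapsulated the frame."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    if proto != IPPROTO_GRE:
        raise ValueError("outer IP protocol %d is not GRE (47)" % proto)
    gre = packet[(ver_ihl & 0x0F) * 4:]
    flags_ver, gre_proto = struct.unpack("!HH", gre[:4])
    if flags_ver & 0x7 != 0:
        raise ValueError("GRE version %d, expected GREv0" % (flags_ver & 0x7))
    off = 4
    for bit in (0x8000, 0x2000, 0x1000):   # optional checksum, key, sequence fields
        if flags_ver & bit:
            off += 4
    if gre_proto not in (ETH_P_WCCP, ETH_P_IP):
        raise ValueError("unexpected GRE protocol 0x%04x" % gre_proto)
    wccp_version = None
    if gre_proto == ETH_P_WCCP:
        # WCCPv2 puts a 4-byte redirect header before the inner IP header; if the
        # next byte does not start an IPv4 header (0x4x) skip it, as Linux ip_gre does.
        if gre[off] & 0xF0 != 0x40:
            wccp_version, off = 2, off + 4
        else:
            wccp_version = 1
    inner = gre[off:]
    i_ver_ihl, _, _, _, _, _, i_proto, _, i_src, i_dst = struct.unpack(IPV4_HDR, inner[:20])
    if i_ver_ihl >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    info = {
        "router": str(ipaddress.IPv4Address(src)), "cache": str(ipaddress.IPv4Address(dst)),
        "gre_proto": gre_proto, "wccp_version": wccp_version,
        "client": str(ipaddress.IPv4Address(i_src)), "server": str(ipaddress.IPv4Address(i_dst)),
        "inner_proto": i_proto,
    }
    i_ihl = (i_ver_ihl & 0x0F) * 4
    if i_proto == IPPROTO_TCP and len(inner) >= i_ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", inner[i_ihl:i_ihl + 4])
    return info


def should_redirect(info, service_port=80):
    """What the cache box firewall rule has to match after decapsulation:
    inner TCP to the WCCP service port (80 for the standard web-cache service)."""
    return info["inner_proto"] == IPPROTO_TCP and info.get("dport") == service_port


def sample_packet(wccpv2=True):
    """Constructed client SYN to a web server, redirected by the router."""
    tcp_syn = struct.pack("!HHIIBBHHH", 51000, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)
    inner = build_ipv4("192.168.16.50", "203.0.113.10", IPPROTO_TCP, tcp_syn)
    return build_wccp_gre("192.168.16.1", "192.168.16.20", inner, wccpv2)


if __name__ == "__main__":
    for v2 in (True, False):
        info = decode_wccp_gre(sample_packet(v2))
        print(info, "redirect to http_port:", should_redirect(info))
```

If a capture like the one in the thread decodes cleanly here but clients still hang, the GRE frames are arriving and the gap is on the cache box: either no tunnel interface is decapsulating protocol 47 from the router, or the decapsulated TCP/80 packets are not being captured into the transparent http_port, which is exactly the split between parts 2 and 3 above.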