Hi, all,

In a nutshell, I am trying to install squid as a third proxy to alleviate some pressure from our two Bluecoat proxies into a currently working wccpv2 configuration. We now have 5000+ users. My current squid configuration works perfectly fine in explicit mode. The problem I am having is that squid can't seem to join the wccp service groups. I've tried the configuration examples from http://wiki.squid-cache.org/ConfigExamples/ to no avail. We have two Cisco 6513's in our core and we are using wccp to load balance between the proxies.

I'm posting my sanitized configs hoping someone can shed some light on this and show me what my squid.conf, iptables and network interfaces should look like. I would also appreciate any recommended settings for memory and disk use based on the hardware spec I am posting. This server will be dedicated to squid.

Server:

cat /etc/redhat-release
Fedora release 12 (Constantine)

rpm -qa squid
squid-3.1.1-1.fc12.i686

4 x Intel(R) Xeon(R) CPU 5160 @ 3.00GHz

free -m
total
Mem: 7991

600 Gig on /var

ip tunnel add wccp1 mode gre remote x.x.0.1 local x.x.1.77 dev eth0
ifconfig wccp1 inet x.x.1.76 netmask 255.255.255.192 up

ifconfig
eth0 inet addr:x.x.1.77 Bcast:x.x.1.127 Mask:255.255.255.192
wccp1 inet addr:x.x.1.76 P-t-P:x.x.1.76 Mask:255.255.255.192

iptables:

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter
iptables -F -t nat
iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 80 -j DNAT --to-destination x.x.1.77:55555
iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 20 -j DNAT --to-destination x.x.1.77:20
iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 21 -j DNAT --to-destination x.x.1.77:21
iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 443 -j DNAT --to-destination x.x.1.77:443
iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 1755 -j DNAT --to-destination x.x.1.77:1755
iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 7070 -j DNAT --to-destination x.x.1.77:7070

from server:

ping -c 4 x.x.0.1
PING x.x.0.1 (x.x.0.1) 56(84) bytes of data.
64 bytes from x.x.0.1: icmp_seq=1 ttl=255 time=0.396 ms
64 bytes from x.x.0.1: icmp_seq=2 ttl=255 time=0.363 ms
64 bytes from x.x.0.1: icmp_seq=3 ttl=255 time=0.298 ms
64 bytes from x.x.0.1: icmp_seq=4 ttl=255 time=0.283 ms

ping -c 4 x.x.0.2
PING x.x.0.2 (x.x.0.2) 56(84) bytes of data.
64 bytes from x.x.0.2: icmp_seq=1 ttl=255 time=3.20 ms
64 bytes from x.x.0.2: icmp_seq=2 ttl=255 time=3.06 ms
64 bytes from x.x.0.2: icmp_seq=3 ttl=255 time=3.33 ms
64 bytes from x.x.0.2: icmp_seq=4 ttl=255 time=3.19 ms

squid.conf:

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl localnet src x.x.0.0/16 # Our network
acl SSL_ports port 443 # SSL
acl SSL_ports port 8082 # Bluecoat administration
acl SSL_ports port 9443 # Websense administration
acl SSL_ports port 81 # alternate https
acl SSL_ports port 81 # alternate http
acl Safe_ports port 80 # http
acl Safe_ports port 20 # ftp
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080 # Alternate http
acl Safe_ports port 8000 # Alternate http
acl Safe_ports port 7070 # Streaming
acl CONNECT method CONNECT
acl donotscan dstdomain .yahoo.com
acl donotscan dstdomain .google.com
acl donotscan dstdomain .microsoft.com
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port x.x.1.77:55555 transparent vport=80
http_port x.x.1.77:443 transparent vport=443
http_port x.x.1.77:20 transparent vport=20
http_port x.x.1.77:21 transparent vport=21
http_port x.x.1.77:1755 transparent vport=1755
http_port x.x.1.77:7070 transparent vport=7070
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_dir aufs /var/spool/squid 230400 16 256
cache_mem 2 GB
maximum_object_size 32 MB
maximum_object_size_in_memory 2048 KB
follow_x_forwarded_for allow localhost
follow_x_forwarded_for allow localnet
visible_hostname xxxx.xxxx.xxxx
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_preview_enable on
icap_preview_size 128
icap_client_username_encode on
icap_client_username_header X-Authenticated-User
icap_log /var/log/squid/icap.log
icap_io_timeout 60 seconds
icap_uses_indirect_client off
icap_persistent_connections on
icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/srv_clamav
adaptation_access service_req deny donotscan
adaptation_access service_req allow all
icap_service service_resp respmod_precache routing=on bypass=0 icap://127.0.0.1:1344/srv_clamav
adaptation_access service_resp deny donotscan
adaptation_access service_resp allow all
url_rewrite_children 30
redirector_bypass off
url_rewrite_program /opt/Websense/bin/WsRedtor
wccp2_service dynamic 6
wccp2_service_info 6 protocol=tcp priority=240 ports=20,21,80,443,1755,7070
wccp2_router x.x.0.1
wccp2_forwarding_method gre
wccp2_return_method gre

Network:

2 x cisco WS-C6513
Both routers are the same IOS and hardware.

From router:

ping x.x.1.76
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to x.x.1.76, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

show ver
Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXH5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Thu 16-Apr-09 17:59 by prod_rel_team
ROM: System Bootstrap, Version 12.2(17r)S2, RELEASE SOFTWARE (fc1)
<snipped>
cisco WS-C6513 (R7000) processor (revision 2.0) with 983008K/65536K bytes of memory.
Processor board ID XXXXXXXXXXX
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from power-on
28 Virtual Ethernet interfaces
60 Gigabit Ethernet interfaces
1917K bytes of non-volatile configuration memory.
8192K bytes of packet buffer memory.
65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102

The x.x.0.x addresses are Loopback1000

Router x.x.0.1

show runn | inc wccp
ip wccp 6 redirect-list webcache
ip wccp 6 redirect out

show runn interface loopback1000
interface Loopback1000
 ip address x.x.0.1 255.255.255.255
end

show ip wccp 6 detail
WCCP Client information:
  WCCP Client ID: x.x.1.69
  Protocol Version: 2.0
  State: Usable
  Redirection: GRE
  Packet Return: GRE
  Assignment: HASH
  Initial Hash Info: 00000000000000000000000000000000
                     00000000000000000000000000000000
  Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                      00000000000000000000000000000000
  Hash Allotment: 128 (50.00%)
  Packets s/w Redirected: 1238481
  Connect Time: 1d22h
  Bypassed Packets
    Process: 0
    CEF: 29778128
    Errors: 0

  WCCP Client ID: x.x.1.68
  Protocol Version: 2.0
  State: Usable
  Redirection: GRE
  Packet Return: GRE
  Assignment: HASH
  Initial Hash Info: 00000000000000000000000000000000
                     00000000000000000000000000000000
  Assigned Hash Info: 00000000000000000000000000000000
                      FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  Hash Allotment: 128 (50.00%)
  Packets s/w Redirected: 1745585
  Connect Time: 1d22h
  Bypassed Packets
    Process: 0
    CEF: 29778128
    Errors: 0

Router x.x.0.2

ping x.x.1.76
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to x.x.1.76, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

show runn | inc wccp
ip wccp 60 redirect-list webcache
ip wccp 60 redirect out

show runn interface loopback1000
interface Loopback1000
 ip address x.x.0.2 255.255.255.255
end

show ip wccp 60 detail
WCCP Client information:
  WCCP Client ID: x.x.1.69
  Protocol Version: 2.0
  State: Usable
  Redirection: GRE
  Packet Return: GRE
  Assignment: HASH
  Initial Hash Info: 00000000000000000000000000000000
                     00000000000000000000000000000000
  Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                      00000000000000000000000000000000
  Hash Allotment: 128 (50.00%)
  Packets s/w Redirected: 1605570
  Connect Time: 1d22h
  Bypassed Packets
    Process: 3
    CEF: 36197978
    Errors: 0

  WCCP Client ID: x.x.1.68
  Protocol Version: 2.0
  State: Usable
  Redirection: GRE
  Packet Return: GRE
  Assignment: HASH
  Initial Hash Info: 00000000000000000000000000000000
                     00000000000000000000000000000000
  Assigned Hash Info: 00000000000000000000000000000000
                      FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  Hash Allotment: 128 (50.00%)
  Packets s/w Redirected: 2247884
  Connect Time: 1d22h
  Bypassed Packets
    Process: 3
    CEF: 36197978
    Errors: 0

If I left anything out that can help you help, please just ask.

Thank you,
Jeff
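
An added example, not part of the original post: a small parser for the `show ip wccp <id> detail` output above that checks how the hash buckets are split between cache clients, which is the thing to re-check once a third cache joins the service group. It assumes the 64 hex digits of "Assigned Hash Info" are a 256-bucket bitmap with one bit per bucket (consistent with the "128 (50.00%)" the routers print); the function names are hypothetical.

```python
import re

# Constructed sample: the two client entries from the post's
# "show ip wccp 6 detail" output, reduced to the fields used here.
SAMPLE = """\
WCCP Client ID: x.x.1.69
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                    00000000000000000000000000000000
Hash Allotment: 128 (50.00%)
WCCP Client ID: x.x.1.68
Assigned Hash Info: 00000000000000000000000000000000
                    FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 128 (50.00%)
"""
BUCKETS = 256  # assumption: 64 hex digits = one bit per hash bucket

CLIENT = re.compile(
    r"WCCP Client ID:\s*(\S+).*?"
    r"Assigned Hash Info:\s*([0-9A-Fa-f]{32})\s+([0-9A-Fa-f]{32}).*?"
    r"Hash Allotment:\s*(\d+)", re.S)

def parse_clients(text):
    """Return {client_id: (bucket_bitmap, allotment_reported_by_router)}."""
    clients = {}
    # Split per client so a cache with no assignment yet cannot borrow
    # the next client's fields.
    for block in re.split(r"(?=WCCP Client ID:)", text):
        m = CLIENT.search(block)
        if m:
            cid, first, second, allot = m.groups()
            clients[cid] = (int(first + second, 16), int(allot))
    return clients

def audit(text):
    """Return (share per client, problems): count mismatch, overlap, unassigned buckets."""
    problems, seen, shares = [], 0, {}
    for cid, (bitmap, reported) in parse_clients(text).items():
        owned = bin(bitmap).count("1")
        shares[cid] = owned / BUCKETS
        if owned != reported:
            problems.append(f"{cid}: bitmap has {owned} buckets, router reports {reported}")
        if bitmap & seen:
            problems.append(f"{cid}: overlaps buckets already assigned")
        seen |= bitmap
    unassigned = BUCKETS - bin(seen).count("1")
    if unassigned:
        problems.append(f"{unassigned} buckets unassigned")
    return shares, problems

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The parser also accepts the router output pasted as a single line, since it only relies on whitespace between fields.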