On Mar 15, 2012, at 6:58 PM, Ahmad Faisal wrote:

> Hi,
>
> I have some queries and would like to ask anyone on Squid with a Cisco
> Catalyst 6500 switch with WCCPv2.
>
> My setup:
>
> - squid2.7-stable9 on freebsd 7.2-RELEASE
> - cisco switch catalyst 6500 with ios 12.2(33)SXJ1
>
>                      Internet
>                         |
>                         |
>                   --------- Cisco FWSM firewall
>                   |       |
>                   |       |
>                   |   cisco switch catalyst 6500 (Core switch) 10.4.10.1
>             DMZ Segment   |
>                   |       |
>                   |   Internal LAN (10.0.0.0/8)
>                   |       |
>                   |       |
>             Squid box   User
>          (202.188.244.8)
>
> FreeBSD conf :
> ------------------------
>
> ifconfig gre0
> -------------
> gre0: flags=d051<UP,POINTOPOINT,RUNNING,LINK0,LINK2,MULTICAST> metric 0 mtu 1476
>         tunnel inet 202.188.244.8 --> 10.4.10.1
>         inet 202.188.244.8 --> 192.168.249.2 netmask 0xffffffff

Does "netstat -i" show any packets arriving (Inpkts) through the gre0 interface? Like:

Name    Mtu Network        Address            Ipkts Ierrs Idrop    Opkts Oerrs  Coll
gre0   1476 <Link#6>                          15319     0     0        0     0     0
gre0   1476 169.254.254.2  169.254.254.253        0     -     -        0     -     -

If so, can you query your ipf rules to see if they are matching?

Do you have the "intercept" keyword on your squid.conf "http_port 7788" entry?

I don't think you will be able to intercept port 443 at the same port as http. You would need an https_port entry in squid.conf, and redirect the port 443 traffic to the port you specify on your https_port line.

HTH,
Guy

> ipnat rules:
> ----------------
> rdr bce0 0.0.0.0/0 port 80 -> 202.188.244.8 port 7788
> rdr bce0 0.0.0.0/0 port 443 -> 202.188.244.8 port 7788
> rdr gre0 0.0.0.0/0 port 80 -> 202.188.244.8 port 7788
> rdr gre0 0.0.0.0/0 port 443 -> 202.188.244.8 port 7788
>
> ipf rules:
> -------------
> pass in log first on gre0 all
> pass out log first on gre0 all
> pass in log first on bce0 all
> pass out log first on bce0 all
>
> /etc/rc.conf
> -----------------
> ifconfig_bce0="inet 202.188.244.8 netmask 255.255.255.0"
> cloned_interfaces="gre0"
> ifconfig_gre0="inet 202.188.244.8 192.168.249.2 netmask 255.255.255.255 link2 tunnel 202.188.244.8 10.4.10.1 up"
>
> sysctl.conf
> --------------
> net.inet.ip.forwarding: 1
> net.inet.ip.fastforwarding: 1
>
> squid.conf
> -------------------
> wccp2_router 10.4.10.1
> wccp2_forwarding_method 1
> wccp2_return_method 1
> wccp2_service standard 0
> wccp2_address 0.0.0.0
> wccp2_assignment_method 1
>
> Cisco 6500 output:
> -------------------
> #show ip wccp web-cache
> Global WCCP information:
>     Router information:
>         Router Identifier:                   192.168.250.2
>         Protocol Version:                    2.0
>
>     Service Identifier: web-cache
>         Number of Service Group Clients:     1
>         Number of Service Group Routers:     1
>         Total Packets s/w Redirected:        3799
>           Process:                           0
>           CEF:                               3799
>         Redirect access-list:                120
>         Total Packets Denied Redirect:       0
>         Total Packets Unassigned:            382
>         Group access-list:                   20
>         Total Messages Denied to Group:      0
>         Total Authentication failures:       0
>         Total Bypassed Packets Received:     0
>
> #show ip wccp web-cache detail
> WCCP Client information:
>     WCCP Client ID:          202.188.244.8
>     Protocol Version:        2.0
>     State:                   Usable
>     Redirection:             GRE
>     Packet Return:           GRE
>     Assignment:              HASH
>     Initial Hash Info:       00000000000000000000000000000000
>                              00000000000000000000000000000000
>     Assigned Hash Info:      FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>                              FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>     Hash Allotment:          256 (100.00%)
>     Packets s/w Redirected:  3139
>     Connect Time:            00:48:27
>     Bypassed Packets
>       Process:               0
>       CEF:                   0
>       Errors:                0
>
> squid cache log:
> 2012/03/14 19:31:51| wccp2HereIam: sending to service id 0
> 2012/03/14 19:31:51| Sending HereIam packet size 144
> 2012/03/14 19:31:51| Incoming WCCPv2 I_SEE_YOU length 132.
> 2012/03/14 19:31:51| Complete packet received
> 2012/03/14 19:31:51| Incoming WCCP2_I_SEE_YOU Received ID old=1591 new=1592.
> 2012/03/14 19:31:51| Cleaning out cache list
>
> Cisco 6500 debug message:
> *Mar 14 18:53:43.291: WCCP-EVNT:wccp_update_assignment_status: enter
> *Mar 14 18:53:43.291: WCCP-EVNT:wccp_update_assignment_status: exit
> *Mar 14 18:53:43.291: WCCP-EVNT:wccp_validate_wc_assignments: enter
> *Mar 14 18:53:43.291: WCCP-EVNT:wccp_validate_wc_assignments: not mask assignment, exit
> *Mar 14 18:53:43.291: WCCP-PKT:S00: Sending I_See_You packet to 202.188.244.8 w/ rcv_id 000005F4
> *Mar 14 18:53:53.291: WCCP-EVNT:wccp_update_assignment_status: enter
> *Mar 14 18:53:53.291: WCCP-EVNT:wccp_update_assignment_status: exit
> *Mar 14 18:53:53.291: WCCP-EVNT:wccp_validate_wc_assignments: enter
> *Mar 14 18:53:53.291: WCCP-EVNT:wccp_validate_wc_assignments: not mask assignment, exit
> *Mar 14 18:53:53.291: WCCP-PKT:S00: Sending I_See_You packet to 202.188.244.8 w/ rcv_id 000005F5
> *Mar 14 18:54:03.295: WCCP-EVNT:wccp_update_assignment_status: enter
> *Mar 14 18:54:03.295: WCCP-EVNT:wccp_update_assignment_status: exit
> *Mar 14 18:54:03.295: WCCP-EVNT:wccp_validate_wc_assignments: enter
> *Mar 14 18:54:03.295: WCCP-EVNT:wccp_validate_wc_assignments: not mask assignment, exit
> *Mar 14 18:54:03.295: WCCP-PKT:S00: Sending I_See_You packet to 202.188.244.8 w/ rcv_id 000005F6
>
> 1. Users can go to the internet - if the proxy IP is set in their browser
> 2. Users cannot go to the internet - if the proxy IP is not set in the browser
> 3. Squid didn't log any client access (access.log) - if they don't set it in their browser
> 4. squid cache.log shows the Cisco 6500 & Squid box communicating (refer to the log above)
>
> Appreciate your suggestions / feedback / tips.
>
> Thanks.
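The three checks Guy asks for (GRE input packets, an interception keyword on the http_port line, and a separate https_port for the 443 redirects), written up as an added shell checklist that is not part of the thread and not from the Squid or FreeBSD projects. It assumes the FreeBSD `netstat -i` column layout quoted above, the ipnat `rdr` syntax from the poster's rules, and that Squid 2.7 spells the interception option `transparent` (Squid 3.1 and later spell it `intercept`); the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a checklist for the three points Guy
# raises, meant to be run on the Squid/FreeBSD box. Functions 1 and 2 read
# their input on stdin, function 3 takes file paths, so they can be pointed
# at live `netstat -i` output, /etc/ipnat.rules and squid.conf.

# 1. Packets arriving on the GRE tunnel: print Ipkts for interface $1 from
#    `netstat -i` output on stdin. Uses the <Link#n> row, which for a gre
#    interface has no Address column, so Ipkts is field 4.
gre_ipkts() {
    awk -v ifc="$1" '$1 == ifc && $3 ~ /^<Link#/ { print $4; exit }'
}

# 2. Interception keyword on the http_port line for port $1 (squid.conf on
#    stdin). Squid 2.7 spells it "transparent", Squid 3.1+ "intercept";
#    either is accepted. Exit 0 if present, 1 otherwise.
http_port_intercepts() {
    awk -v p="$1" '
        $1 == "http_port" && ($2 == p || $2 ~ (":" p "$")) {
            for (i = 3; i <= NF; i++)
                if ($i == "transparent" || $i == "intercept") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# 3. Cross-check: every ipnat "rdr ... port 443 -> <ip> port N" must land on
#    a port squid.conf binds with https_port, not on the http_port.
#    $1 = ipnat rules file, $2 = squid.conf. Exit 0 if consistent.
https_redirects_consistent() {
    awk '
        FNR == NR && $1 == "https_port" { n = split($2, a, ":"); ok[a[n]] = 1 }
        FNR == NR { next }
        $1 == "rdr" && $4 == "port" && $5 == "443" && $6 == "->" && !ok[$9] {
            print "rdr on " $2 ": port 443 -> port " $9 " has no https_port"; bad = 1
        }
        END { exit bad ? 1 : 0 }' "$2" "$1"
}

# Constructed samples modelled on the thread (not the poster's real output).
NETSTAT_SAMPLE='Name  Mtu Network       Address          Ipkts Ierrs Idrop Opkts Oerrs  Coll
gre0  1476 <Link#6>                      15319     0     0     0     0     0
gre0  1476 169.254.254.2 169.254.254.253     0     -     -     0     -     -'
SQUID_CONF_SAMPLE='http_port 7788
wccp2_router 10.4.10.1'

# On the real box: netstat -i | gre_ipkts gre0; http_port_intercepts 7788 < squid.conf
echo "gre0 Ipkts: $(printf '%s\n' "$NETSTAT_SAMPLE" | gre_ipkts gre0)"
printf '%s\n' "$SQUID_CONF_SAMPLE" | http_port_intercepts 7788 \
    || echo "http_port 7788 has no transparent/intercept keyword"
```

Against the poster's configuration the third check fails as well, because both the port 80 and the port 443 `rdr` rules land on 7788 and squid.conf has no `https_port`.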