On 10.07.2012 00:44, Abdessamad BARAKAT wrote:
> In fact on the wiki
> (http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2),
> there is this:
>
> Very important passage from the Cisco-Manual
> "The only topology that the security appliance supports is when
> client and cache engine are behind the same interface of the security
> appliance and the cache engine can directly communicate with the
> client without going through the security appliance."

Then you have very clear documentation from the appliance manufacturer
that they do not support your desired configuration.

> And I can see the reply was dropped by the ASA, because I think when
> the ASA makes the WCCP redirect, it doesn't record a new connection, so
> when it sees the reply from the proxy to the client, the SYN was
> dropped:
>
> Jul 9 14:11:26 192.168.35.250 %ASA-6-106015: Deny TCP (no connection) from <Website IP> to <proxy IP> flags SYN ACK on interface <PROXY LAN>
>
> So does anyone know a workaround for this issue, to have the client and
> the proxy not behind the same interface of the ASA firewall?

It does not matter to Squid or even to routing logic, but apparently
the device itself has undefined behaviour when it's done. As I understand
it, that may be due to the way the device handles reverse-path (RP) filtering
or it may be hard-wired.

All I can say now is "good luck" figuring out which, and whether you can
change the device. It has nothing to do with Squid.

Amos
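As an added example (not from the thread or from Squid), a small Python parser for the %ASA-6-106015 line quoted above that flags the symptom Abdessamad describes: server replies (SYN ACK) denied because the ASA holds no connection state for the handshake that the WCCP redirect started. The sample syslog lines are constructed, with documentation addresses standing in for the real website and proxy IPs and made-up interface names.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the %ASA-6-106015 format quoted in the
# thread; 192.168.35.250 is the logging ASA, the website/proxy addresses are
# documentation ranges standing in for the real ones, interface names are made up.
SAMPLE_LOG = """\
Jul 9 14:11:26 192.168.35.250 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.10/80 to 192.168.35.20/51234 flags SYN ACK on interface proxy-lan
Jul 9 14:11:27 192.168.35.250 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.10/80 to 192.168.35.20/51234 flags SYN ACK on interface proxy-lan
Jul 9 14:11:30 192.168.35.250 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.5/443 to 192.168.35.20/51240 flags SYN ACK on interface proxy-lan
Jul 9 14:11:31 192.168.35.250 %ASA-6-106015: Deny TCP (no connection) from 10.0.0.9/22 to 192.168.35.77/40000 flags ACK on interface inside
Jul 9 14:11:32 192.168.35.250 %ASA-6-302013: Built inbound TCP connection 12 for outside:198.51.100.10/80 (198.51.100.10/80) to inside:192.168.35.20/51250 (192.168.35.20/51250)
"""

# Field layout of message 106015; the port suffixes are optional so a line
# pasted with them stripped (as in the thread) still parses.
ASA_106015 = re.compile(
    r"%ASA-\d-106015: Deny (?P<proto>\w+) \(no connection\) "
    r"from (?P<src>[\d.]+)(?:/(?P<sport>\d+))? to (?P<dst>[\d.]+)(?:/(?P<dport>\d+))? "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

def parse_106015(line):
    """Return the fields of a 106015 'no connection' denial, or None."""
    m = ASA_106015.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["flags"] = event["flags"].split()
    return event

def is_unseen_reply(event):
    """SYN ACK with no connection state: the ASA never saw the SYN that
    opened this flow, which is what the WCCP topology in the thread produces
    (the redirected request bypassed the ASA's state table)."""
    return event is not None and {"SYN", "ACK"} <= set(event["flags"])

def summarize(log_text):
    """Count unseen-reply drops per (remote server, interface) so the
    asymmetric path shows up as a cluster rather than isolated denials."""
    hits = Counter()
    for line in log_text.splitlines():
        event = parse_106015(line)
        if is_unseen_reply(event):
            hits[(event["src"], event["iface"])] += 1
    return hits
```

Run `summarize` over a real ASA syslog export; a cluster of SYN ACK denials from many servers on the proxy-facing interface is the fingerprint of the unsupported topology rather than of a hostile scan.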