Thank you Amos, I will try a topology where the return path doesn't use the ASA.

2012/7/10 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
> On 10.07.2012 00:44, Abdessamad BARAKAT wrote:
>>
>> In fact on the wiki
>> (http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2),
>> there is this:
>>
>> Very important passage from the Cisco manual:
>> "The only topology that the security appliance supports is when
>> client and cache engine are behind the same interface of the security
>> appliance and the cache engine can directly communicate with the
>> client without going through the security appliance."
>>
>
> Then you have very clear documentation from the appliance manufacturer that
> they do not support your desired configuration.
>
>
>> And I can see the reply was dropped by the ASA because I think when
>> the ASA makes the WCCP redirect, it doesn't record a new connection, so
>> when it sees the reply from the proxy to the client, the SYN was
>> dropped:
>>
>> Jul 9 14:11:26 192.168.35.250 %ASA-6-106015: Deny TCP (no connection)
>> from <Website IP> to <proxy IP> flags SYN ACK on interface <PROXY
>> LAN>
>>
>> So does anyone know a workaround for this issue, for having the client
>> and the proxy not behind the same interface of the ASA firewall?
>>
>
> It does not matter to Squid or even to routing logic, but apparently the
> device itself has undefined behaviour when it's done. As I understand it may
> be due to the way the device handles reverse-path (RP) filtering or it may
> be hard-wired.
>
> All I can say now is "good luck" figuring out which and whether you can
> change the device. It has nothing to do with Squid.
>
> Amos
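The symptom described in this thread, a SYN ACK denied with "no connection" on the interface the cache engine sits behind, can be picked out of ASA syslog automatically. The following is an added example, not code from the thread or from the Squid project: it parses ASA message 106015 ("Deny TCP (no connection)") using the field layout Cisco documents for that message, selects the SYN ACK denies seen on the proxy's interface, and counts them per (spoofed origin, destination) pair. The interface name "proxy-lan", all addresses and the log lines themselves are constructed for the demonstration; the regex also accepts lines with the "/port" suffix stripped, as in the redacted line posted above.

```python
import re
from collections import Counter

# ASA message 106015: "Deny TCP (no connection) from A/p to B/q flags F on interface I"
# Ports are optional so that lines with the /port suffix removed still parse.
# A trailing period after the interface name (present in Cisco's documented
# form) is tolerated.
ASA_106015 = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) "
    r"from (?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"to (?P<dst>[\d.]+)(?:/(?P<dport>\d+))? "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+?)\.?\s*$"
)


def parse_106015(line):
    """Parse one syslog line; return a dict of fields or None if it is not a 106015."""
    m = ASA_106015.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["flags"] = ev["flags"].split()
    return ev


def find_stateless_synack_denies(lines, proxy_iface):
    """Return the 106015 events on `proxy_iface` whose flags are exactly SYN ACK.

    A SYN ACK is the server side of a handshake. When an intercepting cache
    answers on behalf of the origin server and that answer has to cross the
    ASA, the ASA has no connection entry for it (the WCCP redirect created
    none) and logs 106015. A stream of these on the cache's interface is
    therefore the signature of the unsupported return path discussed above.
    """
    hits = []
    for line in lines:
        ev = parse_106015(line)
        if ev is None or ev["iface"] != proxy_iface:
            continue
        if set(ev["flags"]) == {"SYN", "ACK"}:
            hits.append(ev)
    return hits


def summarise(hits):
    """Count events per (origin address being impersonated, destination host)."""
    return Counter((h["src"], h["dst"]) for h in hits)


# Constructed sample log: three stateless SYN ACK denies on the proxy
# interface, one unrelated FIN ACK deny, one SYN ACK deny on another
# interface, and one non-106015 message. Not captured from a real device.
SAMPLE_LOG = """\
Jul  9 14:11:26 192.168.35.250 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/80 to 192.168.35.20/51234 flags SYN ACK on interface proxy-lan
Jul  9 14:11:26 192.168.35.250 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/80 to 192.168.35.20/51235 flags SYN ACK on interface proxy-lan
Jul  9 14:11:27 192.168.35.250 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/443 to 192.168.35.21/40001 flags SYN ACK on interface proxy-lan
Jul  9 14:11:28 192.168.35.250 %ASA-6-106015: Deny TCP (no connection) from 192.168.35.20/51236 to 203.0.113.10/80 flags FIN ACK on interface proxy-lan
Jul  9 14:11:29 192.168.35.250 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/80 to 10.0.0.5/33333 flags SYN ACK on interface inside
Jul  9 14:11:30 192.168.35.250 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.0.0.5/33334 (10.0.0.5/33334)
"""

if __name__ == "__main__":
    hits = find_stateless_synack_denies(SAMPLE_LOG.splitlines(), "proxy-lan")
    for (src, dst), n in summarise(hits).most_common():
        print(f"{n:4d} stateless SYN ACK denies: {src} -> {dst}")
```

Run against a real ASA syslog feed, replace "proxy-lan" with the nameif of the interface the cache engine is behind; source addresses that appear here and are not locally attached are origin servers the cache is impersonating, which is exactly the traffic the Cisco passage says must not transit the appliance.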