
Re: ISP-style Transparent Proxy

On 11/7/2012 4:24 PM, Amos Jeffries wrote:
1) The Cisco router sees the web cache as reported by "sh ip wccp"
(see attached sh_ip_wccp.txt).
2) tcpdump -i tun0 reports packets arriving from the Cisco router.
3) tcpdump -i eth2 reports packets leaving the cache server bound for
the destination web server
4) The destination web server shows no hits in the access_log file
5) tcpdump on the web server shows packets arriving from the client
IP address on port 80.
6) tcpdump on the web server shows packets leaving bound for the
client IP

... and yet #4?

What *type* of packets? ICMP packet-too-large messages have a way of
disappearing silently on some networks, and in some versions of TPROXY
kernels.

On the web server that should be receiving the hit, tcpdump reports:

16:31:21.283309 IP 64.254.49.2.33315 > 64.254.32.23.http: Flags [S], seq 4294319084, win 14600, options [mss 1460,sackOK,TS val 11023544 ecr 0,nop,wscale 7], length 0
16:31:21.283415 IP 64.254.32.23.http > 64.254.49.2.33315: Flags [S.], seq 2198086634, ack 4294319085, win 14480, options [mss 1460,sackOK,TS val 2023464600 ecr 11023544,nop,wscale 7], length 0
16:31:22.282510 IP 64.254.32.23.http > 64.254.49.2.33315: Flags [S.], seq 2198086634, ack 4294319085, win 14480, options [mss 1460,sackOK,TS val 2023465600 ecr 11023544,nop,wscale 7], length 0

(this repeats several times, in what I would presume are browser retries)


7) The client browser times out, receiving an HTML error from Squid
reporting "Connection to <server ip> failed."
8) When the timeout occurs, the squid access log reports
"TCP_MISS/504 4123 GET http://myip.valnet.net/ - DIRECT/64.254.32.23
text/html"

Just once or many times? The most common issue with TPROXY is forwarding
loops.

Just once.


The other thing to look for is whether there is packet-level symmetry in
the network. Catching every single server->client packet at the WCCP
router and sending to Squid is critical.

I'm new to WCCP, so I'll need to figure out how to make that determination. Any advice on doing so would be appreciated.



I've attached numerous files containing statuses of various things
that need to be set, such as rp_filter sysctl values, output of "show
ip wccp", the squid.conf file, the cisco configuration, and the
contents of iptables.

Please update to squid-3.2 series if possible. There are some major
security vulnerabilities in transparent and intercepted traffic for
older versions. The latest releases will also help catch forwarding
loops better on intercepted traffic.

Amos


I'll try 3.2 as well.

Thanks for taking the time to reply.

--
-----------------------------------------------
-  Nick Bright                                -
-  Vice President of Technology               -
-  Valnet -=- We Connect You -=-              -
-  Tel 888-332-1616 x 315 / Fax 620-331-0789  -
-  Web http://www.valnet.net/                 -
-----------------------------------------------
- Are your files safe?                        -
- Valnet Vault - Secure Cloud Backup          -
- More information & 30 day free trial at     -
- http://www.valnet.net/services/valnet-vault -
-----------------------------------------------
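On Amos's point about packet-level symmetry and the repeated SYN/ACKs in the capture above: the following is an added example, not code from the thread or from Squid. It groups tcpdump summary lines by TCP flow and flags handshakes where the server keeps sending SYN/ACK but never sees the client's ACK, which is how a broken server->client return path looks from the web server. The first three sample lines are the capture quoted in the thread (TCP options trimmed); the flow from 192.0.2.10 is a constructed healthy handshake for contrast.

```python
import re
from collections import defaultdict

# Matches the TCP summary lines printed by tcpdump, as quoted in the thread.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\]"
)

def classify_handshakes(lines):
    """Group lines by TCP flow (client side first) and classify each handshake."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "client_ack": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, sport, dst, dport, flags = m.group("src", "sport", "dst", "dport", "flags")
        if flags == "S":                       # client -> server SYN opens the flow
            flows[(src, sport, dst, dport)]["syn"] += 1
        elif flags == "S.":                    # server -> client SYN/ACK, keyed on client
            flows[(dst, dport, src, sport)]["synack"] += 1
        elif "." in flags and (src, sport, dst, dport) in flows:
            flows[(src, sport, dst, dport)]["client_ack"] += 1   # client's ACK came back
    report = {}
    for (c, cp, s, sp), n in flows.items():
        if n["client_ack"]:
            status = "complete"
        elif n["synack"]:
            status = "synack-unanswered"       # server answers, client's ACK never arrives
        else:
            status = "no-synack"
        report[f"{c}:{cp}->{s}:{sp}"] = {"status": status,
                                        "synack_retransmits": max(n["synack"] - 1, 0)}
    return report

# First three lines: the capture quoted in the thread (options trimmed). Last three:
# a constructed healthy handshake from a second client, included for contrast.
SAMPLE = [
    "16:31:21.283309 IP 64.254.49.2.33315 > 64.254.32.23.http: Flags [S], seq 4294319084, win 14600, length 0",
    "16:31:21.283415 IP 64.254.32.23.http > 64.254.49.2.33315: Flags [S.], seq 2198086634, ack 4294319085, win 14480, length 0",
    "16:31:22.282510 IP 64.254.32.23.http > 64.254.49.2.33315: Flags [S.], seq 2198086634, ack 4294319085, win 14480, length 0",
    "16:31:25.000100 IP 192.0.2.10.40001 > 64.254.32.23.http: Flags [S], seq 1000, win 14600, length 0",
    "16:31:25.000200 IP 64.254.32.23.http > 192.0.2.10.40001: Flags [S.], seq 2000, ack 1001, win 14480, length 0",
    "16:31:25.000300 IP 192.0.2.10.40001 > 64.254.32.23.http: Flags [.], ack 1, win 115, length 0",
]

if __name__ == "__main__":
    for flow, info in classify_handshakes(SAMPLE).items():
        print(flow, info)
```

A flow reported as synack-unanswered with retransmits, while the same flow's SYN/ACKs are absent from a capture on the Squid box's tun0, points at the router not redirecting the server->client direction.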
