Re: [squid-users] Squid and WCCP with Centos
On 21/04/11 00:35, Daniel Shelton wrote:
>> One thing that always troubles me. The failure reports always seem to mention an interface. Yet the wiki examples written by people with working configs do not mention one. Your rule appears to be matching packets, so I assume it's okay. Just something to be aware of.
>>
>> With GRE you have to be extremely careful where the OS thinks the packet is coming from. It seems to vary between kernel implementations and versions whether the gre or eth NIC is the one seen during NAT.
>>
>> What is the exact message displayed by Squid about that port during startup or reconfigure?
>>
>> Amos
>
> I thank you for replying Amos. The part of confusion for me is really on a basic level. There is a lack of topology information available with Squid that I have noticed. For example, where does the traffic come from? Where do the users reside? Which interface does what? This is the most important information to know and it can be learned very easily from a topology diagram. I haven't seen any.

I understand completely. Been thinking we should add diagrams to the wiki for a while now. I'll have to remind our wiki admin about it.

Okay, for background. What is generally called WCCP is a mix of up to 4 protocols.

WCCP *protocol* is just a signal between Squid and the Router consisting of two packets bouncing backward and forward on the eth interface. Nicely called HERE_I_AM and I_SEE_YOU.

To avoid altering the TCP/IP protocol details of client packets it uses a tunnel. Either GRE protocol or a Layer-2 (essentially a NAT of the MAC address).

Squid connects out to the Internet via whatever path it has.

I'm not certain myself whether the packets *have* to go back to the client over the GRE, but there is usually no need. If things work up to that point we usually don't have to care.

> Anyhow, the question I have is does the proxy make the connection out onto the Internet itself and therefore needs an Internet on the public facing side, or does all of this traffic traverse the gre tunnel?

Only client-router-Squid traffic traverses the GRE. Squid-Internet traffic traverse regular networking paths. Whether they bet via ethN to the same router or to elsewhere.

The topology with one NIC on Squid box is generally:

clients \ router Eth(WCCP,HTTP) Squid |\ GRE(HTTP) / | Internet

> The only mention I see about port 3129 is that it is Ready to accept connections at 0.0.0.0:3129.

Hmm. Okay. Must be one of the versions pre-dating the update to say what type of connections.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1
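The tunnelling described in the message above, as an added example that is not part of the thread or of Squid: a parser that unwraps one GRE-encapsulated WCCP redirect and shows that the client's packet arrives unaltered inside it. Assumptions not taken from the thread: the GRE protocol type 0x883E and the 4-byte WCCPv2 redirect header follow the WCCPv2 draft, the client and server addresses are constructed documentation addresses, and 10.1.7.1/10.1.7.2 reuse the router and Squid addresses from Tom's post further down.

```python
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_GRE = 6, 47
GRE_PROTO_WCCP = 0x883E  # GRE protocol type used for WCCP redirects (assumption: WCCPv2 draft)
GRE_CSUM, GRE_KEY, GRE_SEQ = 0x8000, 0x2000, 0x1000  # flags for optional 4-byte GRE fields


def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet for the constructed sample (checksum left at 0)."""
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def parse_ipv4(buf):
    """Return source, destination, protocol and payload of an IPv4 packet."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (buf[0] & 0x0F) * 4
    total = struct.unpack("!H", buf[2:4])[0]
    if ihl < 20 or total < ihl or total > len(buf):
        raise ValueError("truncated or malformed IPv4 packet")
    return {"src": str(ipaddress.IPv4Address(buf[12:16])),
            "dst": str(ipaddress.IPv4Address(buf[16:20])),
            "proto": buf[9], "payload": buf[ihl:total]}


def decapsulate_wccp_gre(packet):
    """Unwrap a router-to-cache GRE redirect and describe the inner client packet."""
    outer = parse_ipv4(packet)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE (IP protocol 47)")
    gre = outer["payload"]
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    if proto != GRE_PROTO_WCCP:
        raise ValueError("GRE payload is not a WCCP redirect")
    # Skip whichever optional GRE fields the flags announce.
    offset = 4 + sum(4 for bit in (GRE_CSUM, GRE_KEY, GRE_SEQ) if flags & bit)
    if len(gre) <= offset:
        raise ValueError("GRE packet carries no payload")
    service_id = None
    # Heuristic: WCCPv2 inserts a 4-byte redirect header before the inner
    # packet; if the next byte does not look like an IPv4 version nibble,
    # treat it as that header (flags, service ID, alt bucket, primary bucket).
    if gre[offset] >> 4 != 4:
        if len(gre) < offset + 4:
            raise ValueError("truncated WCCPv2 redirect header")
        service_id = gre[offset + 1]
        offset += 4
    inner = parse_ipv4(gre[offset:])
    info = {"tunnel": (outer["src"], outer["dst"]), "service_id": service_id,
            "client": inner["src"], "origin_server": inner["dst"],
            "dport": None, "syn": None}
    tcp = inner["payload"]
    if inner["proto"] == IPPROTO_TCP and len(tcp) >= 14:
        info["dport"] = struct.unpack("!H", tcp[2:4])[0]
        info["syn"] = bool(tcp[13] & 0x02)
    return info


def constructed_redirect(with_redirect_header=True):
    """Constructed sample: a client SYN to port 80 as the router would forward it."""
    tcp_syn = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner = build_ipv4("192.0.2.10", "198.51.100.80", IPPROTO_TCP, tcp_syn)
    gre = struct.pack("!HH", 0, GRE_PROTO_WCCP)
    redirect = bytes([0x00, 0x00, 0x00, 0x1F]) if with_redirect_header else b""
    return build_ipv4("10.1.7.1", "10.1.7.2", IPPROTO_GRE, gre + redirect + inner)


if __name__ == "__main__":
    for key, value in decapsulate_wccp_gre(constructed_redirect()).items():
        print(f"{key:14} {value}")
```

The inner packet is still addressed to the origin server on port 80, not to Squid, which is why the posts in this thread need a nat PREROUTING rule on the gre interface to hand it to Squid's intercept port.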
[squid-users] Squid and WCCP with Centos
Hello anyone,

I am trying to get squid 3.1 to work with Centos 5.5 and Cisco ASA using WCCP. The ASA has the cache session established. I see traffic on the Centos box on eth0 (gre traffic) and I see traffic on the gre1 interface (raw client traffic). Take a look at the following:

[root@squidbox ~]# iptables -t nat -L -v
bytes target prot opt in out source destination
741 41532 DNAT tcp -- gre1 any anywhere anywhere tcp dpt:http to:0.0.0.0:3129

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
20 1952 MASQUERADE all -- any any anywhere anywhere

Chain OUTPUT (policy ACCEPT 20 packets, 1952 bytes)
pkts bytes target prot opt in out source destination

[root@squidbox ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:13:72:FA:45:EB
          inet addr:172.23.1.2  Bcast:172.23.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14361 errors:0 dropped:0 overruns:0 frame:0
          TX packets:675 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1467426 (1.3 MiB)  TX bytes:95311 (93.0 KiB)
          Interrupt:169 Memory:f800-f8012800

gre1      Link encap:UNSPEC  HWaddr AC-17-01-02-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:1.2.3.4  P-t-P:1.2.3.4  Mask:0.0.0.0
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
          RX packets:5884 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:326353 (318.7 KiB)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1701 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1701 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2704276 (2.5 MiB)  TX bytes:2704276 (2.5 MiB)

[root@squidbox ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@squidbox ~]# cat /proc/sys/net/ipv4/conf/default/rp_filter
0
[root@squidbox ~]# cat /proc/sys/net/ipv4/conf/eth0/rp_filter
0
[root@squidbox ~]# cat /proc/sys/net/ipv4/conf/gre1/rp_filter
0

The problem I have is that the Squid Proxy does not ever seem to receive the traffic forwarded to it by iptables. The proxy is listening on 0.0.0.0:3129, but a debug results in Engine is idle.

Any help at all would be great. I do not just want to walk away from this one.
Re: [squid-users] Squid and WCCP with Centos
On Tue, 19 Apr 2011 11:35:18 -0700 (PDT), Daniel Shelton wrote:
> Hello anyone,
>
> I am trying to get squid 3.1 to work with Centos 5.5 and Cisco ASA using WCCP. The ASA has the cache session established. I see traffic on the Centos box on eth0 (gre traffic) and I see traffic on the gre1 interface (raw client traffic). Take a look at the following:
>
> [root@squidbox ~]# iptables -t nat -L -v
> bytes target prot opt in out source destination
> 741 41532 DNAT tcp -- gre1 any anywhere anywhere tcp dpt:http to:0.0.0.0:3129

One thing that always troubles me. The failure reports always seem to mention an interface. Yet the wiki examples written by people with working configs do not mention one. Your rule appears to be matching packets, so I assume it's okay. Just something to be aware of.

With GRE you have to be extremely careful where the OS thinks the packet is coming from. It seems to vary between kernel implementations and versions whether the gre or eth NIC is the one seen during NAT.

> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 20 1952 MASQUERADE all -- any any anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT 20 packets, 1952 bytes)
> pkts bytes target prot opt in out source destination
>
> [root@squidbox ~]# ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:13:72:FA:45:EB
>           inet addr:172.23.1.2  Bcast:172.23.1.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:14361 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:675 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:1467426 (1.3 MiB)  TX bytes:95311 (93.0 KiB)
>           Interrupt:169 Memory:f800-f8012800
>
> gre1      Link encap:UNSPEC  HWaddr AC-17-01-02-00-00-00-00-00-00-00-00-00-00-00-00
>           inet addr:1.2.3.4  P-t-P:1.2.3.4  Mask:0.0.0.0
>           UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
>           RX packets:5884 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:326353 (318.7 KiB)  TX bytes:0 (0.0 b)
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:1701 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1701 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:2704276 (2.5 MiB)  TX bytes:2704276 (2.5 MiB)
>
> [root@squidbox ~]# cat /proc/sys/net/ipv4/ip_forward
> 1
> [root@squidbox ~]# cat /proc/sys/net/ipv4/conf/default/rp_filter
> 0
> [root@squidbox ~]# cat /proc/sys/net/ipv4/conf/eth0/rp_filter
> 0
> [root@squidbox ~]# cat /proc/sys/net/ipv4/conf/gre1/rp_filter
> 0
>
> The problem I have is that the Squid Proxy does not ever seem to receive the traffic forwarded to it by iptables. The proxy is listening on 0.0.0.0:3129, but a debug results in Engine is idle.

What is the exact message displayed by Squid about that port during startup or reconfigure?

Amos
AW: [squid-users] squid and wccp doesn't work
Hi,

ASA does not support any IPoverIP such as GRE. Which SW Version you have on ASA?
Could you send me the link where it is written to create a tunnel between the ASA and the Squid?

What is your ASA config?
sh run interface
sh run wccp
or sh run | grep wccp

Once I tried WCCP with PIX SW Version 7.2.2 and collected my info here:
http://www.tar.hu/ashley77/Configuring_PIX_and_SQUID_or_WAAS_for_WCCP.html

Regards,
Akos
Re: [squid-users] squid and wccp doesn't work
Daniel, Akos wrote:
> Hi,
>
> ASA does not support any IPoverIP such as GRE. Which SW Version you have on ASA?
> Could you send me the link where it is written to create a tunnel between the ASA and the Squid?
>
> What is your ASA config?
> sh run interface
> sh run wccp
> or sh run | grep wccp
>
> Once I tried WCCP with PIX SW Version 7.2.2 and collected my info here:
> http://www.tar.hu/ashley77/Configuring_PIX_and_SQUID_or_WAAS_for_WCCP.html
>
> Regards,
> Akos

Hi,

the wccp standard requires GRE. Also, you can see here:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html#wp1094445

After some testing I've found some logging entries at the ASA, saying that it cannot find any nat-entries for the answer-packets. So, I created a nat-exempt rule for this. This stops the messages, but it doesn't work.

But now, I've found the solution after some researching on the web in this article:
http://www.breezy.ca/?q=node/316

Especially interesting was this:

    For Squid to work with WCCP2 and the Cisco firewall, the Squid server must be on a common subnet with the web client since the proxied web client-server sessions cannot traverse the ASA. This is curious and not particularly well documented anywhere. This is also different than the Cisco IOS routers (which also support WCCP2) where the caching server can be on a different subnet. One reason this is true is that the ASA only supports proxying for packets that arrive in (ie: inbound) on an interface.

Now I've created an internal interface for the server for communicating with the clients and the firewall. It's not the optimal solution, but it works now.

Perhaps, it is interesting for someone else.

Regards,
Tom
Re: [squid-users] squid and wccp doesn't work
Tom Penndorf wrote: Daniel, Akos schrieb: Hi, ASA does not support any IPoverIP such as GRE. Which SW Version you have on ASA? Could you send me the link where it is written to create a tunnel between the ASA and the Squid? What is your ASA config? sh run interface sh run wccp or sh run | grep wccp Once I tried WCCP with PIX SW Version 7.2.2 and collected my info here: http://www.tar.hu/ashley77/Configuring_PIX_and_SQUID_or_WAAS_for_WCCP.ht ml Regards, Akos Hi, the wccp standard requires GRE. Alos, you can see here: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html#wp1094445 After some testing i've found some logging-Entries at the asa, saying that it cannot found any nat-entries for the answer-packets. So, i created an nat-exempt rule for this. Thos stops the messages, but it doesn't work. But now, i'v found the solution after some researching on the web in this article: http://www.breezy.ca/?q=node/316 specially interesting was this: For Squid to work with WCCP2 and the Cisco firewall, the Squid server must be on a common subnet with the web client since the proxied web client-server sessions cannot traverse the ASA. This is curious and not particularly well documented anywhere. This is also different than the Cisco IOS routers (which also support WCCP2) where the caching server can be on a different subnet. One reason this is true is that the ASA only supports proxying for packets that arrive in (ie: inbound) on an interface. Now i've created an internal interface for the server for communicating with the clients and the firewall. It's not the optimal solution, but it works now. Perhaps, it is interesting for someone else. Regards, Tom Excellent news. 
If you can provide config details that are usable by others outside your network we could do with an example in the wiki for these devices at http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2 Amos -- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16 Current Beta Squid 3.1.0.8
Re: [squid-users] squid and wccp doesn't work
Amos Jeffries schrieb: Tom Penndorf wrote: Daniel, Akos schrieb: Hi, ASA does not support any IPoverIP such as GRE. Which SW Version you have on ASA? Could you send me the link where it is written to create a tunnel between the ASA and the Squid? What is your ASA config? sh run interface sh run wccp or sh run | grep wccp Once I tried WCCP with PIX SW Version 7.2.2 and collected my info here: http://www.tar.hu/ashley77/Configuring_PIX_and_SQUID_or_WAAS_for_WCCP.ht ml Regards, Akos Hi, the wccp standard requires GRE. Alos, you can see here: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html#wp1094445 After some testing i've found some logging-Entries at the asa, saying that it cannot found any nat-entries for the answer-packets. So, i created an nat-exempt rule for this. Thos stops the messages, but it doesn't work. But now, i'v found the solution after some researching on the web in this article: http://www.breezy.ca/?q=node/316 specially interesting was this: For Squid to work with WCCP2 and the Cisco firewall, the Squid server must be on a common subnet with the web client since the proxied web client-server sessions cannot traverse the ASA. This is curious and not particularly well documented anywhere. This is also different than the Cisco IOS routers (which also support WCCP2) where the caching server can be on a different subnet. One reason this is true is that the ASA only supports proxying for packets that arrive in (ie: inbound) on an interface. Now i've created an internal interface for the server for communicating with the clients and the firewall. It's not the optimal solution, but it works now. Perhaps, it is interesting for someone else. Regards, Tom Excellent news. If you can provide config details that are usable by others outside your network we could do with an example in the wiki for these devices at http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2 Amos Good idea. Can you give me edit-permissions? 
Name is Tom Penndorf. Tom
Re: [squid-users] squid and wccp doesn't work
Tom Penndorf wrote: Amos Jeffries schrieb: Tom Penndorf wrote: Daniel, Akos schrieb: Hi, ASA does not support any IPoverIP such as GRE. Which SW Version you have on ASA? Could you send me the link where it is written to create a tunnel between the ASA and the Squid? What is your ASA config? sh run interface sh run wccp or sh run | grep wccp Once I tried WCCP with PIX SW Version 7.2.2 and collected my info here: http://www.tar.hu/ashley77/Configuring_PIX_and_SQUID_or_WAAS_for_WCCP.ht ml Regards, Akos Hi, the wccp standard requires GRE. Alos, you can see here: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html#wp1094445 After some testing i've found some logging-Entries at the asa, saying that it cannot found any nat-entries for the answer-packets. So, i created an nat-exempt rule for this. Thos stops the messages, but it doesn't work. But now, i'v found the solution after some researching on the web in this article: http://www.breezy.ca/?q=node/316 specially interesting was this: For Squid to work with WCCP2 and the Cisco firewall, the Squid server must be on a common subnet with the web client since the proxied web client-server sessions cannot traverse the ASA. This is curious and not particularly well documented anywhere. This is also different than the Cisco IOS routers (which also support WCCP2) where the caching server can be on a different subnet. One reason this is true is that the ASA only supports proxying for packets that arrive in (ie: inbound) on an interface. Now i've created an internal interface for the server for communicating with the clients and the firewall. It's not the optimal solution, but it works now. Perhaps, it is interesting for someone else. Regards, Tom Excellent news. If you can provide config details that are usable by others outside your network we could do with an example in the wiki for these devices at http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2 Amos Good idea. 
Can you give me edit-permissions? Name is Tom Penndorf. Tom I can. Done for login Tom Penndorf. Amos -- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16 Current Beta Squid 3.1.0.8
Re: [squid-users] squid and wccp doesn't work
I have this setup working differently but did you get HTTPS working? Just wondering. Trying going to an https site. Let me know your findings. -Parvinder Bhasin On Jun 18, 2009, at 4:28 AM, Tom Penndorf wrote: Daniel, Akos schrieb: Hi, ASA does not support any IPoverIP such as GRE. Which SW Version you have on ASA? Could you send me the link where it is written to create a tunnel between the ASA and the Squid? What is your ASA config? sh run interface sh run wccp or sh run | grep wccp Once I tried WCCP with PIX SW Version 7.2.2 and collected my info here: http://www.tar.hu/ashley77/Configuring_PIX_and_SQUID_or_WAAS_for_WCCP.ht ml Regards, Akos Hi, the wccp standard requires GRE. Alos, you can see here: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html#wp1094445 After some testing i've found some logging-Entries at the asa, saying that it cannot found any nat-entries for the answer-packets. So, i created an nat-exempt rule for this. Thos stops the messages, but it doesn't work. But now, i'v found the solution after some researching on the web in this article: http://www.breezy.ca/?q=node/316 specially interesting was this: For Squid to work with WCCP2 and the Cisco firewall, the Squid server must be on a common subnet with the web client since the proxied web client-server sessions cannot traverse the ASA. This is curious and not particularly well documented anywhere. This is also different than the Cisco IOS routers (which also support WCCP2) where the caching server can be on a different subnet. One reason this is true is that the ASA only supports proxying for packets that arrive in (ie: inbound) on an interface. Now i've created an internal interface for the server for communicating with the clients and the firewall. It's not the optimal solution, but it works now. Perhaps, it is interesting for someone else. Regards, Tom
Re: [squid-users] squid and wccp doesn't work
Scratch that...https and transparent proxy ..no can't do. On Jun 18, 2009, at 2:06 PM, Parvinder Bhasin wrote: I have this setup working differently but did you get HTTPS working? Just wondering. Trying going to an https site. Let me know your findings. -Parvinder Bhasin On Jun 18, 2009, at 4:28 AM, Tom Penndorf wrote: Daniel, Akos schrieb: Hi, ASA does not support any IPoverIP such as GRE. Which SW Version you have on ASA? Could you send me the link where it is written to create a tunnel between the ASA and the Squid? What is your ASA config? sh run interface sh run wccp or sh run | grep wccp Once I tried WCCP with PIX SW Version 7.2.2 and collected my info here: http://www.tar.hu/ashley77/Configuring_PIX_and_SQUID_or_WAAS_for_WCCP.ht ml Regards, Akos Hi, the wccp standard requires GRE. Alos, you can see here: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html#wp1094445 After some testing i've found some logging-Entries at the asa, saying that it cannot found any nat-entries for the answer-packets. So, i created an nat-exempt rule for this. Thos stops the messages, but it doesn't work. But now, i'v found the solution after some researching on the web in this article: http://www.breezy.ca/?q=node/316 specially interesting was this: For Squid to work with WCCP2 and the Cisco firewall, the Squid server must be on a common subnet with the web client since the proxied web client-server sessions cannot traverse the ASA. This is curious and not particularly well documented anywhere. This is also different than the Cisco IOS routers (which also support WCCP2) where the caching server can be on a different subnet. One reason this is true is that the ASA only supports proxying for packets that arrive in (ie: inbound) on an interface. Now i've created an internal interface for the server for communicating with the clients and the firewall. It's not the optimal solution, but it works now. Perhaps, it is interesting for someone else. Regards, Tom
[squid-users] squid and wccp doesn't work
Hello,

I'm trying to get squid and wccp on a cisco asa 5510 running. These are the steps I've done to set it up.

#aptitude install squid3
#vi /etc/squid3/squid.conf

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow all
http_access deny all
icp_access deny all
htcp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
cache_dir aufs /var/cache/squid3 3 32 256
access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
wccp2_router 10.1.7.1
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
client_persistent_connections off
icp_port 3130
coredump_dir /var/spool/squid3

#iptunnel add gre1 mode gre remote $ASA-EXT-IP local 10.1.7.2 dev eth0
#ifconfig gre1 10.1.7.2 netmask 255.255.255.255 up
#echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter
#iptables -t nat -A PREROUTING -i gre1 -p tcp --dport 80 -j REDIRECT --to-port 3128
#echo 1 > /proc/sys/net/ipv4/ip_forward

The asa detects the proxy and redirects the packets. On the squid-machine, I can see the syn-packets from the client, but no ack-packets. The counter for the iptables-rule is also increasing.

If I remove the iptables-rule, the clients can browse the web, because the squid-machine is acting as a router, so the gre-tunnel seems to work correctly.

After some research, I've found out that the ack-packets are sent out at eth0. I don't think it's the correct way.

Are there any things I've forgotten? All howtos I've found don't tell me any other steps.

System is Debian lenny with squid 3.0.STABLE8-3.

Is there anyone who can give me a hint?

Thanks,
Tom
Re: [squid-users] squid and wccp doesn't work
Hi Tom, Exactly the same problem I have. Please let me know if you come across anything. -Parvinder Bhasin On Jun 17, 2009, at 11:50 AM, Tom Penndorf wrote: Hello, i'm trying to get squid and wccp on a cisco asa 5510 running. These are the steps, i've done to set it up. #aptitude install squid3 #vi /etc/squid3/squid.conf acl manager proto cache_object acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 acl Safe_ports port 80# http acl Safe_ports port 21# ftp acl Safe_ports port 443# https acl Safe_ports port 70# gopher acl Safe_ports port 210# wais acl Safe_ports port 1025-65535# unregistered ports acl Safe_ports port 280# http-mgmt acl Safe_ports port 488# gss-http acl Safe_ports port 591# filemaker acl Safe_ports port 777# multiling http acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost http_access allow all http_access deny all icp_access deny all htcp_access deny all http_port 3128 transparent hierarchy_stoplist cgi-bin ? cache_dir aufs /var/cache/squid3 3 32 256 access_log /var/log/squid3/access.log squid cache_log /var/log/squid3/cache.log cache_store_log /var/log/squid3/store.log refresh_pattern ^ftp:144020%10080 refresh_pattern ^gopher:14400%1440 refresh_pattern (cgi-bin|\?)00%0 refresh_pattern .020%4320 wccp2_router 10.1.7.1 wccp2_forwarding_method 1 wccp2_return_method 1 wccp2_service standard 0 client_persistent_connections off icp_port 3130 coredump_dir /var/spool/squid3 #iptunnel add gre1 mode gre remote $ASA-EXT-IP local 10.1.7.2 dev eth0 #ifconfig gre1 10.1.7.2 netmask 255.255.255.255 up #echo 0 /proc/sys/net/ipv4/conf/gre1/rp_filter #iptables -t nat -A PREROUTING -i gre1 -p tcp --dport 80 -j REDIRECT --to-port 3128 # echo 1 /proc/sys/ipv4/ip_forward The asa detects the proxy and redirects the packets. On the squid- machine, i can see the syn-packets from the client, but no ack- packets. 
The counter for the iptables-rule is also increasing. If i remove the iptables-rule, the clients can browse the web, because the squid- machine is acting as a router, so the gre-tunnel seems to work correctly. After some research, i've found out, that the ack-packets are send out at eth0. I don't think, it's the correct way. Are there any things, i've forgotten? All howto's i've found, don't tell me any other steps. System is Debian lenny with squid 3.0.STABLE8-3. Is there anyone, who can give me a hint? Thanks, Tom
Re: [squid-users] squid and wccp doesn't work
On Wed, 17 Jun 2009 20:50:40 +0200, Tom Penndorf tpennd...@seibert-media.net wrote:
> Hello,
>
> I'm trying to get squid and wccp on a cisco asa 5510 running. These are the steps I've done to set it up.
>
> #aptitude install squid3
> #vi /etc/squid3/squid.conf
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow all
> http_access deny all
> icp_access deny all
> htcp_access deny all
> http_port 3128 transparent
> hierarchy_stoplist cgi-bin ?
> cache_dir aufs /var/cache/squid3 3 32 256
> access_log /var/log/squid3/access.log squid
> cache_log /var/log/squid3/cache.log
> cache_store_log /var/log/squid3/store.log
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern (cgi-bin|\?)    0       0%      0
> refresh_pattern .               0       20%     4320
> wccp2_router 10.1.7.1
> wccp2_forwarding_method 1
> wccp2_return_method 1
> wccp2_service standard 0
> client_persistent_connections off
> icp_port 3130
> coredump_dir /var/spool/squid3
>
> #iptunnel add gre1 mode gre remote $ASA-EXT-IP local 10.1.7.2 dev eth0
> #ifconfig gre1 10.1.7.2 netmask 255.255.255.255 up
> #echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter
> #iptables -t nat -A PREROUTING -i gre1 -p tcp --dport 80 -j REDIRECT --to-port 3128
> #echo 1 > /proc/sys/net/ipv4/ip_forward
>
> The asa detects the proxy and redirects the packets. On the squid-machine, I can see the syn-packets from the client, but no ack-packets. The counter for the iptables-rule is also increasing.
>
> If I remove the iptables-rule, the clients can browse the web, because the squid-machine is acting as a router, so the gre-tunnel seems to work correctly.
>
> After some research, I've found out that the ack-packets are sent out at eth0. I don't think it's the correct way.
>
> Are there any things I've forgotten? All howtos I've found don't tell me any other steps.

Ack is probably between squidIP and clientIP. You may need to SNAT it back towards the client.

http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

Amos
[squid-users] Squid and WCCP hardware placement
I'm working on getting this working but I'm unclear on the hardware placement for each of the devices. Is it:

A) Workstation-Cisco-Squid--internet (WCCP) (NAT)
B) Workstation-Cisco (WCCP) | Squid---internet (NAT)
C) Workstation-Cisco-Internet | (WCCP) Squid
D) or???

Thanks a bunch.
Re: [squid-users] Squid and WCCP hardware placement
Hi,

no reason (unless there's something I don't get) to use nat or wccp at the workstation level. wccp should be configured at the cisco box (level C only) such that it forwards requests to the web through the squid box

cheers
charles

On Thu, 2008-10-16 at 12:56 -0500, Johnson, S wrote:
> I'm working on getting this working but I'm unclear on the hardware placement for each of the devices. Is it:
>
> A) Workstation-Cisco-Squid--internet (WCCP)(NAT)
> B) Workstation-Cisco (WCCP) | Squid---internet (NAT)
> C) Workstation-Cisco-Internet |(WCCP) Squid
> D) or???
>
> Thanks a bunch.
Re: [squid-users] Squid and WCCP hardware placement
B.

cheers
-Ryan

Johnson, S wrote:
> I'm working on getting this working but I'm unclear on the hardware placement for each of the devices. Is it:
>
> A) Workstation-Cisco-Squid--internet (WCCP)(NAT)
> B) Workstation-Cisco (WCCP) | Squid---internet (NAT)
> C) Workstation-Cisco-Internet |(WCCP) Squid
> D) or???
>
> Thanks a bunch.
Re: [squid-users] squid 2.6, wccp and tproxy
For a very light use... Even a single PC would experience problems with squid 3.1 and TPROXY 4.1... I switched back to 2.6.20.21+cttproxy and squid 2.6STAB-20 for a time being. On Friday 30 May 2008 09:05, Amos Jeffries wrote: That is interesting to note, and part of where my problem lies. Given the way the files are marked on the balabit site, I would not have known of the support versions and differences. I just downloaded the patches for the versions of squid, iptables, and kernel I was using. So you have the Balabit 2.6s18 patch mentioned at http://wiki.squid-cache.org/Features/TproxyUpdate During the setup of the software, so far anyway, I have not seen ways to specify the version of Tproxy, etc. The initial tproxy README file I was using must have been an older version because it didn't use the difference in iptables table names that the newer README mentions, and that someone was gracious enough to point out to me on the TPROXY listserv. It's a little bit tricky at present, Balabit no longer support v2.2 and I don't know if/where one would get the necessary patches. Squid-2 performs detection at configure time with --enable-tproxy to see if its supported tproxy method is available, disabling tproxy support and warns if its not. The configure log I believe should tell you if it was successful or failed. Unless you able to use the old version, I don't think it will succeed though. You may need to migrate to 3-HEAD, its beta testing code, but stable enough for light use. Amos Once I get Tproxy working, I would love to contribute docs to the squid project. On the Tproxy enabled system I have now, which is the same unit as my working WCCP/Squid 2.6 boxes now, WCCP does not seem to be redirecting traffic to the squid box. I am sure it is something I have done wrong, and will figure out, but I wanted to be sure the end result was possible before spending more time on the project. 
I am currently using the following for my TPROXY setup: CentOS 5.1 x86_64 Squid 2.6 STABLE 18 (custom compiled) iptables 1.4.0 (custom compiled) kernel 2.6.25.4 (custom compiled) tproxy-iptables-1.4.0-20080521-113954-1211362794.patch tproxy-kernel-2.6.25-20080519-165031-1211208631.tar.bz2 tproxy-squid-2.6-STABLE18.20080304-110716-1204625236.pa tch BTW - to Henrik, I was aware of a websense piece that ran on a linux/windows based Squid box running squid 2.5. The issues I currently have with that are: 1) Is the squid agent free to enterprise users? (I posed this question to our sales rep) 2) Does it support Squid 2.6, or only 2.5. 3) Does it truly change the reporting such that original client Ips can be seen, or does it just fetch enforcement policies? -Original Message- From: Amos Jeffries [mailto:[EMAIL PROTECTED] Sent: Thursday, May 29, 2008 7:12 AM To: Ritter, Nicholas Cc: Adrian Chadd; squid-users@squid-cache.org Subject: Re: [squid-users] squid 2.6, wccp and tproxy Ritter, Nicholas wrote: In websense the client IP addresses that show up are those of the squid boxes I have deployed. Websense does not utilize, as far as I know, the x-forwarded-for header. The doc on squid-cache.org about how to setup TPROXY with squid is a bit out of date because the latest version of tproxy uses the mangle table and not a tproxy table. The docs as far as we know are correct for all current releases of Squid. Unpatched Squid up to 3.1 still require TPROXY v2.2, so far only 3-HEAD/3.1 has proper integrated support for TPROXY v4+ If you have any updates for the wiki regarding the TPROXYv4 configs for when 3.1 is released, please point out the variations. Amos Nick -Original Message- From: Adrian Chadd [mailto:[EMAIL PROTECTED] Sent: Wed 5/28/2008 4:52 PM To: Ritter, Nicholas Cc: squid-users@squid-cache.org Subject: Re: [squid-users] squid 2.6, wccp and tproxy On Wed, May 28, 2008, Ritter, Nicholas wrote: Can tproxy, squid 2.6, and wccp be used together? Yes. 
I want to work around the hiding of the original client ip because it is breaking websense. Any suggestions/comments? What do you mean? Nick -- Please use Squid 2.7.STABLE1 or 3.0.STABLE6
Re: [squid-users] squid 2.6, wccp and tproxy
Ritter, Nicholas wrote: In websense the client IP addresses that show up are those of the squid boxes I have deployed. Websense does not utilize, as far as I know, the x-forwarded-for header. The doc on squid-cache.org about how to setup TPROXY with squid is a bit out of date because the latest version of tproxy uses the mangle table and not a tproxy table. The docs as far as we know are correct for all current releases of Squid. Unpatched Squid up to 3.1 still require TPROXY v2.2, so far only 3-HEAD/3.1 has proper integrated support for TPROXY v4+ If you have any updates for the wiki regarding the TPROXYv4 configs for when 3.1 is released, please point out the variations. Amos Nick -Original Message- From: Adrian Chadd [mailto:[EMAIL PROTECTED] Sent: Wed 5/28/2008 4:52 PM To: Ritter, Nicholas Cc: squid-users@squid-cache.org Subject: Re: [squid-users] squid 2.6, wccp and tproxy On Wed, May 28, 2008, Ritter, Nicholas wrote: Can tproxy, squid 2.6, and wccp be used together? Yes. I want to work around the hiding of the original client ip because it is breaking websense. Any suggestions/comments? What do you mean? Nick -- Please use Squid 2.7.STABLE1 or 3.0.STABLE6
RE: [squid-users] squid 2.6, wccp and tproxy
That is interesting to note, and part of where my problem lies. Given the way the files are marked on the balabit site, I would not have known of the support versions and differences. I just downloaded the patches for the versions of squid, iptables, and kernel I was using. During the setup of the software, so far anyway, I have not seen ways to specify the version of Tproxy, etc. The initial tproxy README file I was using must have been an older version because it didn't use the difference in iptables table names that the newer README mentions, and that someone was gracious enough to point out to me on the TPROXY listserv. Once I get Tproxy working, I would love to contribute docs to the squid project. On the Tproxy enabled system I have now, which is the same unit as my working WCCP/Squid 2.6 boxes now, WCCP does not seem to be redirecting traffic to the squid box. I am sure it is something I have done wrong, and will figure out, but I wanted to be sure the end result was possible before spending more time on the project. I am currently using the following for my TPROXY setup: CentOS 5.1 x86_64 Squid 2.6 STABLE 18 (custom compiled) iptables 1.4.0 (custom compiled) kernel 2.6.25.4 (custom compiled) tproxy-iptables-1.4.0-20080521-113954-1211362794.patch tproxy-kernel-2.6.25-20080519-165031-1211208631.tar.bz2 tproxy-squid-2.6-STABLE18.20080304-110716-1204625236.patch BTW - to Henrik, I was aware of a websense piece that ran on a linux/windows based Squid box running squid 2.5. The issues I currently have with that are: 1) Is the squid agent free to enterprise users? (I posed this question to our sales rep) 2) Does it support Squid 2.6, or only 2.5. 3) Does it truly change the reporting such that original client Ips can be seen, or does it just fetch enforcement policies? 
-Original Message- From: Amos Jeffries [mailto:[EMAIL PROTECTED] Sent: Thursday, May 29, 2008 7:12 AM To: Ritter, Nicholas Cc: Adrian Chadd; squid-users@squid-cache.org Subject: Re: [squid-users] squid 2.6, wccp and tproxy Ritter, Nicholas wrote: In websense the client IP addresses that show up are those of the squid boxes I have deployed. Websense does not utilize, as far as I know, the x-forwarded-for header. The doc on squid-cache.org about how to setup TPROXY with squid is a bit out of date because the latest version of tproxy uses the mangle table and not a tproxy table. The docs as far as we know are correct for all current releases of Squid. Unpatched Squid up to 3.1 still require TPROXY v2.2, so far only 3-HEAD/3.1 has proper integrated support for TPROXY v4+ If you have any updates for the wiki regarding the TPROXYv4 configs for when 3.1 is released, please point out the variations. Amos Nick -Original Message- From: Adrian Chadd [mailto:[EMAIL PROTECTED] Sent: Wed 5/28/2008 4:52 PM To: Ritter, Nicholas Cc: squid-users@squid-cache.org Subject: Re: [squid-users] squid 2.6, wccp and tproxy On Wed, May 28, 2008, Ritter, Nicholas wrote: Can tproxy, squid 2.6, and wccp be used together? Yes. I want to work around the hiding of the original client ip because it is breaking websense. Any suggestions/comments? What do you mean? Nick -- Please use Squid 2.7.STABLE1 or 3.0.STABLE6
RE: [squid-users] squid 2.6, wccp and tproxy
That is interesting to note, and part of where my problem lies. Given the way the files are marked on the balabit site, I would not have known of the support versions and differences. I just downloaded the patches for the versions of squid, iptables, and kernel I was using. So you have the Balabit 2.6s18 patch mentioned at http://wiki.squid-cache.org/Features/TproxyUpdate During the setup of the software, so far anyway, I have not seen ways to specify the version of Tproxy, etc. The initial tproxy README file I was using must have been an older version because it didn't use the difference in iptables table names that the newer README mentions, and that someone was gracious enough to point out to me on the TPROXY listserv. It's a little bit tricky at present, Balabit no longer support v2.2 and I don't know if/where one would get the necessary patches. Squid-2 performs detection at configure time with --enable-tproxy to see if its supported tproxy method is available, disabling tproxy support and warns if its not. The configure log I believe should tell you if it was successful or failed. Unless you able to use the old version, I don't think it will succeed though. You may need to migrate to 3-HEAD, its beta testing code, but stable enough for light use. Amos Once I get Tproxy working, I would love to contribute docs to the squid project. On the Tproxy enabled system I have now, which is the same unit as my working WCCP/Squid 2.6 boxes now, WCCP does not seem to be redirecting traffic to the squid box. I am sure it is something I have done wrong, and will figure out, but I wanted to be sure the end result was possible before spending more time on the project. 
I am currently using the following for my TPROXY setup: CentOS 5.1 x86_64 Squid 2.6 STABLE 18 (custom compiled) iptables 1.4.0 (custom compiled) kernel 2.6.25.4 (custom compiled) tproxy-iptables-1.4.0-20080521-113954-1211362794.patch tproxy-kernel-2.6.25-20080519-165031-1211208631.tar.bz2 tproxy-squid-2.6-STABLE18.20080304-110716-1204625236.patch BTW - to Henrik, I was aware of a websense piece that ran on a linux/windows based Squid box running squid 2.5. The issues I currently have with that are: 1) Is the squid agent free to enterprise users? (I posed this question to our sales rep) 2) Does it support Squid 2.6, or only 2.5. 3) Does it truly change the reporting such that original client Ips can be seen, or does it just fetch enforcement policies? -Original Message- From: Amos Jeffries [mailto:[EMAIL PROTECTED] Sent: Thursday, May 29, 2008 7:12 AM To: Ritter, Nicholas Cc: Adrian Chadd; squid-users@squid-cache.org Subject: Re: [squid-users] squid 2.6, wccp and tproxy Ritter, Nicholas wrote: In websense the client IP addresses that show up are those of the squid boxes I have deployed. Websense does not utilize, as far as I know, the x-forwarded-for header. The doc on squid-cache.org about how to setup TPROXY with squid is a bit out of date because the latest version of tproxy uses the mangle table and not a tproxy table. The docs as far as we know are correct for all current releases of Squid. Unpatched Squid up to 3.1 still require TPROXY v2.2, so far only 3-HEAD/3.1 has proper integrated support for TPROXY v4+ If you have any updates for the wiki regarding the TPROXYv4 configs for when 3.1 is released, please point out the variations. Amos Nick -Original Message- From: Adrian Chadd [mailto:[EMAIL PROTECTED] Sent: Wed 5/28/2008 4:52 PM To: Ritter, Nicholas Cc: squid-users@squid-cache.org Subject: Re: [squid-users] squid 2.6, wccp and tproxy On Wed, May 28, 2008, Ritter, Nicholas wrote: Can tproxy, squid 2.6, and wccp be used together? Yes. 
I want to work around the hiding of the original client ip because it is breaking websense. Any suggestions/comments? What do you mean? Nick -- Please use Squid 2.7.STABLE1 or 3.0.STABLE6
[squid-users] squid 2.6, wccp and tproxy
Can tproxy, squid 2.6, and wccp be used together? I want to work around the hiding of the original client ip because it is breaking websense. Any suggestions/comments? Nick
Re: [squid-users] squid 2.6, wccp and tproxy
On Wed, May 28, 2008, Ritter, Nicholas wrote:
> Can tproxy, squid 2.6, and wccp be used together?

Yes.

> I want to work around the hiding of the original client ip because it is breaking websense. Any suggestions/comments?

What do you mean?

> Nick

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
Re: [squid-users] squid 2.6, wccp and tproxy
On Wed, 2008-05-28 at 16:32 -0500, Ritter, Nicholas wrote:
> Can tproxy, squid 2.6, and wccp be used together?

Yes. What it's designed for.

> I want to work around the hiding of the original client ip because it is breaking websense. Any suggestions/comments?

Websense has a Squid integration which doesn't suffer from this..

Regards
Henrik
RE: [squid-users] squid 2.6, wccp and tproxy
In websense the client IP addresses that show up are those of the squid boxes I have deployed. Websense does not utilize, as far as I know, the x-forwarded-for header. The doc on squid-cache.org about how to setup TPROXY with squid is a bit out of date because the latest version of tproxy uses the mangle table and not a tproxy table. Nick -Original Message- From: Adrian Chadd [mailto:[EMAIL PROTECTED] Sent: Wed 5/28/2008 4:52 PM To: Ritter, Nicholas Cc: squid-users@squid-cache.org Subject: Re: [squid-users] squid 2.6, wccp and tproxy On Wed, May 28, 2008, Ritter, Nicholas wrote: Can tproxy, squid 2.6, and wccp be used together? Yes. I want to work around the hiding of the original client ip because it is breaking websense. Any suggestions/comments? What do you mean? Nick -- - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support - - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
Re: [squid-users] squid and wccp
Still with no luck. How would I know if my router IOS is working properly with wccp2 (C7200-IS-M), Version 12.2(31), RELEASE SOFTWARE (fc2)? Also, how would I know if my gre and wccp is working properly with my linux and it is not broken (Fedora Core 8 64 bit with kernel 2.6.24-64.fc8)?

----- Original Message -----
From: Henrik Nordstrom [EMAIL PROTECTED]
To: Wennie V. Lagmay [EMAIL PROTECTED]
Cc: Adrian Chadd [EMAIL PROTECTED], squid-users squid-users@squid-cache.org
Sent: Monday, April 28, 2008 9:13:51 PM (GMT+0300) Asia/Kuwait
Subject: Re: [squid-users] squid and wccp

On Mon, 2008-04-28 at 12:03 +0300, Wennie V. Lagmay wrote:
> for squid version 2.6Stable19 running on Fedora Core 8 64 bit with ip address xx.xx.184.178
> 1. I configure squid with options enable-linux-netfilter

Ok

> 2. in squid.conf
> http_port 8080 transparent
> wccp2_router xx.xx.184.177

[...]

> 3. modprobe ip_gre
> ip tunnel add wccp0 mode gre remote xx.xx.184.177 local xx.xx.184.178 dev eth1
> ip addr add xx.xx.184.178/32 dev wccp0
> ip link set wccp0 up

[...]

> 4. echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter

Ok.

> 5. iptables -t nat -A PREROUTING -p tcp -i wccp0 -j REDIRECT --to-ports 8080

Ok.

> 6. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080

Why?

> Global WCCP information:
> Router information:
> Router Identifier: 192.168.255.6

Hmm.. This does not match your configuration above. The Cisco router identifier is important for WCCP operation. This is the address the Cisco uses for GRE.

Regards
Henrik
Re: [squid-users] squid and wccp
I am trying to configure squid wccp and cisco router but with no luck. This is what I have done. Please check my procedure and configuration:

for squid version 2.6Stable19 running on Fedora Core 8 64 bit with ip address xx.xx.184.178

1. I configure squid with options enable-linux-netfilter

2. in squid.conf
   http_port 8080 transparent
   wccp2_router xx.xx.184.177
   wccp2_version 4
   wccp2_forwarding_method 1
   wccp2_return_method 1
   wccp2_service standard 0
   wccp2_address 0.0.0.0

3. modprobe ip_gre
   ip tunnel add wccp0 mode gre remote xx.xx.184.177 local xx.xx.184.178 dev eth1
   ip addr add xx.xx.184.178/32 dev wccp0
   ip link set wccp0 up

4. echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter

5. iptables -t nat -A PREROUTING -p tcp -i wccp0 -j REDIRECT --to-ports 8080

6. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080

On Cisco router7206 npe300 with 12.2(31)

   ip wccp version 2
   ip wccp web-cache
   !
   interface fastethernet 1/0
   description LAN
   ip address 192.168.255.6 255.255.255.252
   !
   interface fastethernet 3/0
   description internet connection
   ip address xx.xx.184.177
   ip wccp web-cache redirect out
   !
   ip route 0.0.0.0 0.0.0.0 192.158.255.5

Logs: with linux cache.log I can see messages as:

   wccp2HereIam: Sending to device id 0
   Sending HereIam packet size 144
   Incoming WCCPv2 I_SEE_YOU lenth 132
   Complete packet receive

In Cisco router:

sho ip wccp web-cache
   Global WCCP information:
   Router information:
   Router Identifier: 192.168.255.6
   Protocol Version:2.0
   Service Identifier: web-cache
   Number of Cache Engines: 1
   Number of routers: 1
   Total Packets Redirected:201
   Redirect access-list:-none-
   Total Packets Denied Redirect: 0
   Total Packets Unassigned:0
   Group access-list: -none-
   Total Messages Denied to Group: 0
   Total Authentication failures: 0

sho ip wccp web-cache detail
   Web Cache ID: xx.xx.184.178
   Protocol Version: 2.0
   State: Usable
   Initial Hash Info:
   Assigned Hash Info:
   Hash Allotment:256 (100.00%)
   Packets Redirected:201
   Connect Time: 01:14:03

It seems everything is working fine but configuring client browser without any proxy it is not browsing. Note that if I manually define the IP address of the transparent proxy I can browse the web.

Can anybody help me on my problem?

thank you very much,
Wennie

----- Original Message -----
From: Adrian Chadd [EMAIL PROTECTED]
To: Wennie V. Lagmay [EMAIL PROTECTED]
Cc: Adrian Chadd [EMAIL PROTECTED], squid-users squid-users@squid-cache.org
Sent: Saturday, April 26, 2008 8:31:43 PM (GMT+0300) Asia/Kuwait
Subject: Re: [squid-users] squid and wccp

On Sat, Apr 26, 2008, Wennie V. Lagmay wrote:
> I have a question, do I need to enable ip_gre, ip_wccp on my system? using kernel 2.6.24, I enable the ip_gre does it mean it automatically enables the ip_wccp?

Just ip_gre. the GRE code shipped in linux these days includes WCCPv2 packet decoding.

HTH,
Adrian

> thanks

----- Original Message -----
From: Adrian Chadd [EMAIL PROTECTED]
To: Wennie V.
Lagmay [EMAIL PROTECTED] Cc: squid-users squid-users@squid-cache.org Sent: Saturday, April 26, 2008 12:38:07 PM (GMT+0300) Asia/Kuwait Subject: Re: [squid-users] squid and wccp http://wiki.squid-cache.org/ConfigExamples/ Adrian On Sat, Apr 26, 2008, Wennie V. Lagmay wrote: Hi all, Can anybody give me a step by step configuration to enable WCCP in both router and squid2.6.stable19. Here are the details: router = cisco7206VXR IOS ver = 12.3 (8) T, RELEASE SOFTWARE (fc2) FE0/0 = xx.xx.184.17/28 squid: OS = FC8 64bit with kernel version 2.6.24.4-64.fc8 #1 SMP squid version = squid-2.6Stable19 eth1 = xx.xx.184.22/28 I am trying to follow the configuration in squid FAQ but it is very hard for me because this my first time to do thus kind of setup. I would highly appreciate if you can provide me a step by step configuration for cisco router and squid box to enable WCCP version 2 Thank you and best regards, wennie -- - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support - - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA - -- - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support - - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
Re: [squid-users] squid and wccp
On Mon, 28 Apr 2008, Wennie V. Lagmay wrote: I am trying to configure squid wccp and cisco router but with no luck. This is what I have done. Please check my procedure and confoguration: for squid version 2.6Stable19 running on Fedora Core 8 64 bit with ip address xx.xx.184.178 1. I configure squid with options enable-linux-netfilter please provide output of squid -v 2. in squid.conf http_port 8080 transparent wccp2_router xx.xx.184.177 wccp2_version 4 wccp2_forwarding_method 1 wccp2_return_method 1 wccp2_service standard 0 wccp2_address 0.0.0.0 3. modprobe ip_gre ip tunnel add wccp0 mode gre remote xx.xx.184.177 local xx.xx.184.178 dev eth1 ip addr add xx.xx.184.178/32 dev wccp0 ip link set wccp0 up 4.echo 0 /proc/sys/net/ipv4/conf/wccp0/rp_filter 5.iptables -t nat -A PREROUTING -p tcp -i wccp0 -j REDIRECT --to-ports 8080 6. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080 On Cisco router7206 npe300 with 12.2(31) ip wccp version 2 ip wccp web-cache ! interface fastethernet 1/0 description LAN ip address 192.168.255.6 255.255.255.252 ! interface fastethernet 3/0 description internet connection ip address xx.xx.184.177 ip wccp web-cache redirect out ! ip route 0.0.0.0 0.0.0.0 192.158.255.5 which interface connects to internet. default route indicates fa1/0 to be connected to internet. if it is fa1/0 the ip wccp web-cache redirect out command should be in fa1/0. 
Logs: with linux cache.log I can see messages as: wccp2HereIam: Sending to device id 0 Sending HereIam packet size 144 Incoming WCCPv2 I_SEE_YOU lenth 132 Complete packet receive In Cisco router: sho ip wccp web-cache Global WCCP information: Router information: Router Identifier: 192.168.255.6 Protocol Version:2.0 Service Identifier: web-cache Number of Cache Engines: 1 Number of routers: 1 Total Packets Redirected:201 Redirect access-list:-none- Total Packets Denied Redirect: 0 Total Packets Unassigned:0 Group access-list: -none- Total Messages Denied to Group: 0 Total Authentication failures: 0 sho ip wccp web-cache detail Web Cache ID: xx.xx.184.178 Protocol Version: 2.0 State: Usable Initial Hash Info: Assigned Hash Info: Hash Allotment:256 (100.00%) Packets Redirected:201 Connect Time: 01:14:03 what about tcpdump on wccp0 interface.. does show any traffic being redirected. does access.log show the connections?? It seems everything is working fine but configuring client browser without any proxy it is not browsing. note that if I manually define the Ip address of the transparent proxy I can browse the web. Can anybody help me on my problem? thank you very much, Wennie - Original Message - From: Adrian Chadd [EMAIL PROTECTED] To: Wennie V. Lagmay [EMAIL PROTECTED] Cc: Adrian Chadd [EMAIL PROTECTED], squid-users squid-users@squid-cache.org Sent: Saturday, April 26, 2008 8:31:43 PM (GMT+0300) Asia/Kuwait Subject: Re: [squid-users] squid and wccp On Sat, Apr 26, 2008, Wennie V. Lagmay wrote: I have a question, do I need to enable ip_gre, ip_wccp on my system? using kernel 2.6.24, i enable the ip_gre does it mean it aoutmatically enables the ip_wccp? Just ip_gre. the GRE code shipped in linux these days includes WCCPv2 packet decoding. HTH, Adrian thanks - Original Message - From: Adrian Chadd [EMAIL PROTECTED] To: Wennie V. 
Lagmay [EMAIL PROTECTED] Cc: squid-users squid-users@squid-cache.org Sent: Saturday, April 26, 2008 12:38:07 PM (GMT+0300) Asia/Kuwait Subject: Re: [squid-users] squid and wccp http://wiki.squid-cache.org/ConfigExamples/ Adrian On Sat, Apr 26, 2008, Wennie V. Lagmay wrote: Hi all, Can anybody give me a step by step configuration to enable WCCP in both router and squid2.6.stable19. Here are the details: router = cisco7206VXR IOS ver = 12.3 (8) T, RELEASE SOFTWARE (fc2) FE0/0 = xx.xx.184.17/28 squid: OS = FC8 64bit with kernel version 2.6.24.4-64.fc8 #1 SMP squid version = squid-2.6Stable19 eth1 = xx.xx.184.22/28 I am trying to follow the configuration in squid FAQ but it is very hard for me because this my first time to do thus kind of setup. I would highly appreciate if you can provide me a step by step configuration for cisco router and squid box to enable WCCP version 2 Thank you and best regards, wennie -- - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support - - $25/pm entry-level VPSes w/ capped bandwidth charges available
Re: [squid-users] squid and wccp
A. squid -v
   Squid Cache: Version 2.6.STABLE19
   configure options: '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/spool/squid' '--sysconfdir=/etc/squid' '--enable-snmp' '--enable-kill-parent-hack' '--enable-delay-pools' '--enable-storeio=aufs,diskd,null' '--enable-removal-policies=heap,lru' '--enable-arp-acl' '--enable-large-files' '--enable-ssl' '--enable-linux-netfilter' '--with-maxfd=16384'

B. ip wccp version 2
   ip wccp web-cache
   !
   interface fastethernet 1/0
   description internet connection
   ip address 192.168.255.6 255.255.255.252
   !
   interface fastethernet 3/0
   description LAN
   ip address xx.xx.184.177
   ip wccp web-cache redirect out
   !
   ip route 0.0.0.0 0.0.0.0 192.158.255.5

C. [EMAIL PROTECTED] ~]# tcpdump -i wccp0
   tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to cooked socket
   tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
   listening on wccp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes

   :note that 778 is my ssh port, also there is no log being shown in the access.log

   tcpdump
   IP 192.168.255.6 > xx.xx.184.178: GREv0, length 56: gre-proto-0x883e
   STP 802.1d, Config, Flags [none], bridge-id xx, length 43

D. ifconfig
   wccp0 Link encap:UNSPEC HWaddr 4F-62-B8-B2-00-00-00-00-00-00-00-00-00-00-00-00
   inet addr:xx.xx.184.178 P-t-P:xx.xx.184.178 Mask:255.255.255.255
   UP POINTOPOINT RUNNING NOARP MTU:1476 Metric:1
   RX packets:0 errors:0 dropped:0 overruns:0 frame:0
   TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
   collisions:0 txqueuelen:0
   RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

   :note packets received and send

----- Original Message -----
From: Manoj_Rajkarnikar [EMAIL PROTECTED]
To: Wennie V. Lagmay [EMAIL PROTECTED]
Cc: squid-users squid-users@squid-cache.org
Sent: Monday, April 28, 2008 2:22:34 PM (GMT+0300) Asia/Kuwait
Subject: Re: [squid-users] squid and wccp

On Mon, 28 Apr 2008, Wennie V.
Lagmay wrote: I am trying to configure squid wccp and cisco router but with no luck. This is what I have done. Please check my procedure and confoguration: for squid version 2.6Stable19 running on Fedora Core 8 64 bit with ip address xx.xx.184.178 1. I configure squid with options enable-linux-netfilter please provide output of squid -v 2. in squid.conf http_port 8080 transparent wccp2_router xx.xx.184.177 wccp2_version 4 wccp2_forwarding_method 1 wccp2_return_method 1 wccp2_service standard 0 wccp2_address 0.0.0.0 3. modprobe ip_gre ip tunnel add wccp0 mode gre remote xx.xx.184.177 local xx.xx.184.178 dev eth1 ip addr add xx.xx.184.178/32 dev wccp0 ip link set wccp0 up 4.echo 0 /proc/sys/net/ipv4/conf/wccp0/rp_filter 5.iptables -t nat -A PREROUTING -p tcp -i wccp0 -j REDIRECT --to-ports 8080 6. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080 On Cisco router7206 npe300 with 12.2(31) ip wccp version 2 ip wccp web-cache ! interface fastethernet 1/0 description LAN ip address 192.168.255.6 255.255.255.252 ! interface fastethernet 3/0 description internet connection ip address xx.xx.184.177 ip wccp web-cache redirect out ! ip route 0.0.0.0 0.0.0.0 192.158.255.5 which interface connects to internet. default route indicates fa1/0 to be connected to internet. if it is fa1/0 the ip wccp web-cache redirect out command should be in fa1/0. 
Logs: with linux cache.log I can see messages as: wccp2HereIam: Sending to device id 0 Sending HereIam packet size 144 Incoming WCCPv2 I_SEE_YOU lenth 132 Complete packet receive In Cisco router: sho ip wccp web-cache Global WCCP information: Router information: Router Identifier: 192.168.255.6 Protocol Version:2.0 Service Identifier: web-cache Number of Cache Engines: 1 Number of routers: 1 Total Packets Redirected:201 Redirect access-list:-none- Total Packets Denied Redirect: 0 Total Packets Unassigned:0 Group access-list: -none- Total Messages Denied to Group: 0 Total Authentication failures: 0 sho ip wccp web-cache detail Web Cache ID: xx.xx.184.178 Protocol Version: 2.0 State: Usable Initial Hash Info: Assigned Hash Info: Hash Allotment:256 (100.00%) Packets Redirected:201 Connect Time: 01:14:03 what about tcpdump on wccp0 interface.. does show any traffic being redirected. does access.log show
Re: [squid-users] squid and wccp
On Mon, 2008-04-28 at 12:03 +0300, Wennie V. Lagmay wrote:
> for squid version 2.6Stable19 running on Fedora Core 8 64 bit with ip address xx.xx.184.178
> 1. I configure squid with options enable-linux-netfilter

Ok

> 2. in squid.conf
> http_port 8080 transparent
> wccp2_router xx.xx.184.177

[...]

> 3. modprobe ip_gre
> ip tunnel add wccp0 mode gre remote xx.xx.184.177 local xx.xx.184.178 dev eth1
> ip addr add xx.xx.184.178/32 dev wccp0
> ip link set wccp0 up

[...]

> 4. echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter

Ok.

> 5. iptables -t nat -A PREROUTING -p tcp -i wccp0 -j REDIRECT --to-ports 8080

Ok.

> 6. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080

Why?

> Global WCCP information:
> Router information:
> Router Identifier: 192.168.255.6

Hmm.. This does not match your configuration above. The Cisco router identifier is important for WCCP operation. This is the address the Cisco uses for GRE.

Regards
Henrik
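The mismatch Henrik points out (router identifier 192.168.255.6 against a tunnel built with remote xx.xx.184.177) can be checked mechanically by comparing the router's `show ip wccp web-cache` output with `ip tunnel show` on the Squid box. The script below is an added example, not part of any message in this thread; the function names are hypothetical, the sample outputs are constructed, and the 203.0.113.x addresses stand in for the masked xx.xx.184.x ones.

```shell
#!/bin/sh
# Added example: compare the WCCP Router Identifier reported by the Cisco
# with the "remote" endpoint of the Linux GRE tunnel used for redirection.

# Constructed sample of `show ip wccp web-cache` output (router ID from the thread).
SAMPLE_ROUTER_OUTPUT='Global WCCP information:
    Router information:
        Router Identifier:                   192.168.255.6
        Protocol Version:                    2.0
    Service Identifier: web-cache
        Number of Cache Engines:             1'

# Constructed sample of `ip tunnel show` output; 203.0.113.177/.178 are
# placeholders for the masked router and Squid addresses.
SAMPLE_TUNNEL_OUTPUT='gre0: gre/ip remote any local any ttl inherit nopmtudisc
wccp0: gre/ip remote 203.0.113.177 local 203.0.113.178 dev eth1 ttl inherit'

# Print the Router Identifier found in router output read from stdin.
wccp_router_id() {
    awk -F': *' '/Router Identifier/ { gsub(/[ \t\r]/, "", $2); print $2; exit }'
}

# Print the remote endpoint of tunnel $1 from `ip tunnel show` output on stdin.
tunnel_remote() {
    awk -v dev="$1:" '$1 == dev {
        for (i = 2; i < NF; i++) if ($i == "remote") { print $(i + 1); exit }
    }'
}

# check_wccp_gre ROUTER_OUTPUT TUNNEL_OUTPUT TUNNEL_NAME
# Returns 0 on match, 1 on mismatch, 2 if a value could not be found,
# 3 if the tunnel has no fixed remote ("any").
check_wccp_gre() {
    rid=$(printf '%s\n' "$1" | wccp_router_id)
    rem=$(printf '%s\n' "$2" | tunnel_remote "$3")
    if [ -z "$rid" ]; then
        echo "UNKNOWN: no Router Identifier in router output"
        return 2
    fi
    if [ -z "$rem" ]; then
        echo "UNKNOWN: tunnel $3 not found in tunnel output"
        return 2
    fi
    if [ "$rem" = "any" ]; then
        echo "WILDCARD: tunnel $3 has remote 'any' and is not pinned to router ID $rid"
        return 3
    fi
    if [ "$rem" = "$rid" ]; then
        echo "MATCH: tunnel $3 remote $rem equals router ID"
        return 0
    fi
    echo "MISMATCH: tunnel $3 remote is $rem but router ID (GRE source) is $rid"
    return 1
}

# Demo on the constructed samples. On a live system, feed real output instead:
#   check_wccp_gre "$(cat router-output.txt)" "$(ip tunnel show)" wccp0
check_wccp_gre "$SAMPLE_ROUTER_OUTPUT" "$SAMPLE_TUNNEL_OUTPUT" wccp0 || true
```

A MISMATCH result corresponds to the situation in the thread, where tcpdump later shows GRE packets arriving from 192.168.255.6 while the wccp0 counters stay at zero.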
Re: [squid-users] squid and wccp
1 win 65114

1.5 iptables:
   echo 1 > /proc/sys/net/ipv4/ip_forward
   echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
   echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
   echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
   echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
   echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter
   /sbin/iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp -s <lan network> --dport 80 -j REDIRECT --to-port <squid port>
   /sbin/iptables -A INPUT -i gre0 -p tcp -s <lan network> --dport <squid port> -j ACCEPT

2. Router:

2.1 Router version: 7204VXR npe 300 IOS version 12.2(46a)

2.2 Config
   ip wccp version 2
   ip wccp web-cache redirect-list SQUID-BYPASS-NEW
   interface FastEthernet0/0.128
   description Connection to internet
   bandwidth 24000
   encapsulation dot1Q 128
   ip address xxx.xxx.xxx.201 255.255.255.252
   ip access-group PORT_BLOCK in
   ip access-group PORT_BLOCK out
   ip wccp web-cache redirect out
   no cdp enable

Router#sh ip wccp web-cache detail
   WCCP Cache-Engine information:
   Web Cache ID: xxx.xxx.xxx.234
   Protocol Version: 2.0
   State: Usable
   Initial Hash Info:
   Assigned Hash Info:
   Hash Allotment:256 (100.00%)
   Packets Redirected:1166385116
   Connect Time: 3w3d

Router#sh ip wccp web-cache
   Global WCCP information:
   Router information:
   Router Identifier: xxx.xxx.xxx.226
   Protocol Version:2.0
   Service Identifier: web-cache
   Number of Cache Engines: 1
   Number of routers: 1
   Total Packets Redirected:553854367
   Redirect access-list:SQUID-BYPASS-NEW
   Total Packets Denied Redirect: 1050502969
   Total Packets Unassigned:126368
   Group access-list: -none-
   Total Messages Denied to Group: 0
   Total Authentication failures: 0

### That's it... working great for us.

----- Original Message -----
From: Manoj_Rajkarnikar [EMAIL PROTECTED]
To: Wennie V. Lagmay [EMAIL PROTECTED]
Cc: squid-users squid-users@squid-cache.org
Sent: Monday, April 28, 2008 2:22:34 PM (GMT+0300) Asia/Kuwait
Subject: Re: [squid-users] squid and wccp

On Mon, 28 Apr 2008, Wennie V. Lagmay wrote: I am trying to configure squid wccp and cisco router but with no luck.
This is what I have done. Please check my procedure and confoguration: for squid version 2.6Stable19 running on Fedora Core 8 64 bit with ip address xx.xx.184.178 1. I configure squid with options enable-linux-netfilter please provide output of squid -v --
[squid-users] squid and wccp
Hi all, Can anybody give me a step by step configuration to enable WCCP in both router and squid2.6.stable19. Here are the details: router = cisco7206VXR IOS ver = 12.3 (8) T, RELEASE SOFTWARE (fc2) FE0/0 = xx.xx.184.17/28 squid: OS = FC8 64bit with kernel version 2.6.24.4-64.fc8 #1 SMP squid version = squid-2.6Stable19 eth1 = xx.xx.184.22/28 I am trying to follow the configuration in squid FAQ but it is very hard for me because this my first time to do thus kind of setup. I would highly appreciate if you can provide me a step by step configuration for cisco router and squid box to enable WCCP version 2 Thank you and best regards, wennie
Re: [squid-users] squid and wccp
http://wiki.squid-cache.org/ConfigExamples/ Adrian On Sat, Apr 26, 2008, Wennie V. Lagmay wrote: Hi all, Can anybody give me a step by step configuration to enable WCCP in both router and squid2.6.stable19. Here are the details: router = cisco7206VXR IOS ver = 12.3 (8) T, RELEASE SOFTWARE (fc2) FE0/0 = xx.xx.184.17/28 squid: OS = FC8 64bit with kernel version 2.6.24.4-64.fc8 #1 SMP squid version = squid-2.6Stable19 eth1 = xx.xx.184.22/28 I am trying to follow the configuration in squid FAQ but it is very hard for me because this my first time to do thus kind of setup. I would highly appreciate if you can provide me a step by step configuration for cisco router and squid box to enable WCCP version 2 Thank you and best regards, wennie -- - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support - - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
Re: [squid-users] squid and wccp
I have a question, do I need to enable ip_gre, ip_wccp on my system? using kernel 2.6.24, i enable the ip_gre does it mean it aoutmatically enables the ip_wccp? thanks - Original Message - From: Adrian Chadd [EMAIL PROTECTED] To: Wennie V. Lagmay [EMAIL PROTECTED] Cc: squid-users squid-users@squid-cache.org Sent: Saturday, April 26, 2008 12:38:07 PM (GMT+0300) Asia/Kuwait Subject: Re: [squid-users] squid and wccp http://wiki.squid-cache.org/ConfigExamples/ Adrian On Sat, Apr 26, 2008, Wennie V. Lagmay wrote: Hi all, Can anybody give me a step by step configuration to enable WCCP in both router and squid2.6.stable19. Here are the details: router = cisco7206VXR IOS ver = 12.3 (8) T, RELEASE SOFTWARE (fc2) FE0/0 = xx.xx.184.17/28 squid: OS = FC8 64bit with kernel version 2.6.24.4-64.fc8 #1 SMP squid version = squid-2.6Stable19 eth1 = xx.xx.184.22/28 I am trying to follow the configuration in squid FAQ but it is very hard for me because this my first time to do thus kind of setup. I would highly appreciate if you can provide me a step by step configuration for cisco router and squid box to enable WCCP version 2 Thank you and best regards, wennie -- - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support - - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
Re: [squid-users] squid and wccp
On Sat, Apr 26, 2008, Wennie V. Lagmay wrote: I have a question, do I need to enable ip_gre, ip_wccp on my system? using kernel 2.6.24, i enable the ip_gre does it mean it aoutmatically enables the ip_wccp? Just ip_gre. the GRE code shipped in linux these days includes WCCPv2 packet decoding. HTH, Adrian thanks - Original Message - From: Adrian Chadd [EMAIL PROTECTED] To: Wennie V. Lagmay [EMAIL PROTECTED] Cc: squid-users squid-users@squid-cache.org Sent: Saturday, April 26, 2008 12:38:07 PM (GMT+0300) Asia/Kuwait Subject: Re: [squid-users] squid and wccp http://wiki.squid-cache.org/ConfigExamples/ Adrian On Sat, Apr 26, 2008, Wennie V. Lagmay wrote: Hi all, Can anybody give me a step by step configuration to enable WCCP in both router and squid2.6.stable19. Here are the details: router = cisco7206VXR IOS ver = 12.3 (8) T, RELEASE SOFTWARE (fc2) FE0/0 = xx.xx.184.17/28 squid: OS = FC8 64bit with kernel version 2.6.24.4-64.fc8 #1 SMP squid version = squid-2.6Stable19 eth1 = xx.xx.184.22/28 I am trying to follow the configuration in squid FAQ but it is very hard for me because this my first time to do thus kind of setup. I would highly appreciate if you can provide me a step by step configuration for cisco router and squid box to enable WCCP version 2 Thank you and best regards, wennie -- - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support - - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA - -- - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support - - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
Re: [squid-users] Squid and WCCP (ASA)
On Tue, Nov 13, 2007, Jason Gauthier wrote: All, I asked some generic questions earlier in the week and got some great documentation. This has led me to a working WCCP/Squid implementation. I thank you. Good-o. Care to share your WCCP + ASA setup so I can put it into the Squid Wiki? However, I still have problems. Firstly, please understand that I am using WCCP on a Cisco ASA. (Firewall, not the same IOS as a router). I have multiple interfaces on this ASA that I want to make work. (4, to be exact). I've set squid to register with WCCP on the inside interface. Once I redirect traffic from the inside, it works. I have a wireless interface, where my guests go. This interface also works when I add it. I have two other interfaces. One for my VPN users, and the other for authenticated wireless users. NEITHER of these interfaces work, and I cannot figure out why. Cisco has claimed that: As the previous engineer quoted from the ASA config guide: WCCP redirect is supported only on the ingress of an interface. The only topology that the security appliance supports is when client and cache engine are behind the same interface of the security appliance and the cache engine can directly communicate with the client without going through the security appliance. They are using this as an excuse to tell me that what I want to do is not possible. However, I've explained that I am doing exactly this with two interfaces right now. I haven't heard back from them quite yet. I also think they are using the words in this text to their advantage. Hm, security levels perhaps? What are the security levels for each of your interfaces? It -is- a closed source firewall, they can claim whatever they want. Noone's sued Cisco over lack of functionality/features that I know about and won.. :) Adrian -- - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
RE: [squid-users] Squid and WCCP (ASA)
I asked some generic questions earlier in the week and got some great documentation. This has led me to a working WCCP/Squid implementation. I thank you. Good-o. Care to share your WCCP + ASA setup so I can put it into the Squid Wiki? Adrian, I was able to pull off the working config from the wiki :) Job well done! Hm, security levels perhaps? What are the security levels for each of your interfaces? It -is- a closed source firewall, they can claim whatever they want. Noone's sued Cisco over lack of functionality/features that I know about and won.. :) Turn out I can do this. But I have to choose between authenticated proxy and transparent. I want both. So I am moving to test WCCP off the ASA and onto the core router. Thanks everyone!
Re: [squid-users] Squid and WCCP (ASA)
On Wed, Nov 14, 2007, Jason Gauthier wrote: Good-o. Care to share your WCCP + ASA setup so I can put it into the Squid Wiki? Adrian, I was able to pull off the working config from the wiki :) Job well done! Cool! Turn out I can do this. But I have to choose between authenticated proxy and transparent. I want both. So I am moving to test WCCP off the ASA and onto the core router. You won't be able to get both of them, sorry! Adrian -- - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
[squid-users] Squid and WCCP (ASA)
All, I asked some generic questions earlier in the week and got some great documentation. This has led me to a working WCCP/Squid implementation. I thank you. However, I still have problems. Firstly, please understand that I am using WCCP on a Cisco ASA. (Firewall, not the same IOS as a router). I have multiple interfaces on this ASA that I want to make work. (4, to be exact). I've set squid to register with WCCP on the inside interface. Once I redirect traffic from the inside, it works. I have a wireless interface, where my guests go. This interface also works when I add it. I have two other interfaces. One for my VPN users, and the other for authenticated wireless users. NEITHER of these interfaces work, and I cannot figure out why. Cisco has claimed that: As the previous engineer quoted from the ASA config guide: WCCP redirect is supported only on the ingress of an interface. The only topology that the security appliance supports is when client and cache engine are behind the same interface of the security appliance and the cache engine can directly communicate with the client without going through the security appliance. They are using this as an excuse to tell me that what I want to do is not possible. However, I've explained that I am doing exactly this with two interfaces right now. I haven't heard back from them quite yet. I also think they are using the words in this text to their advantage. Can anyone lend any help or information, if they've ever done anything similar? Thanks!
Re: [squid-users] Squid and WCCP (ASA)
On tis, 2007-11-13 at 09:34 -0500, Jason Gauthier wrote:
> I have multiple interfaces on this ASA that I want to make work. (4, to be exact). I've set squid to register with WCCP on the inside interface. Once I redirect traffic from the inside, it works. I have a wireless interface, where my guests go. This interface also works when I add it. I have two other interfaces. One for my VPN users, and the other for authenticated wireless users. NEITHER of these interfaces work, and I cannot figure out why. Cisco has claimed that:

I would guess that either firewalling or routing messes things up. Have you verified with tcpdump how far things get? I.e. do you see the SYN packets from those networks or is it completely silent?

Please remember that routing when using WCCP is a bit special. The cache engine will respond with the originally contacted ip:port to the client source ip:port, and this might easily get trapped in firewall or nat rules when running WCCP on a firewall.

> As the previous engineer quoted from the ASA config guide: WCCP redirect is supported only on the ingress of an interface. The only topology that the security appliance supports is when client and cache engine are behind the same interface of the security appliance and the cache engine can directly communicate with the client without going through the security appliance.

So I would say you are already bending the limits of what this device is supposed to support.

Regards
Henrik
[squid-users] Squid and WCCP (ASA)
All, Has anyone been successful in using squid (2.6) to connect and utilize WCCPv2 on a Cisco ASA? I have configured it, but I'm not getting web traffic. I'm confused mostly on all the conflicting commands for WCCP that I find the on the web for squid. If someone could at least point me in a definitive document on that, it would help a lot. Thanks! Jason
Re: [squid-users] Squid and WCCP (ASA)
All, Has anyone been successful in using squid (2.6) to connect and utilize WCCPv2 on a Cisco ASA? I have configured it, but I'm not getting web traffic. I'm confused mostly on all the conflicting commands for WCCP that I find the on the web for squid. If someone could at least point me in a definitive document on that, it would help a lot. The Authoritative documentation is: http://www.squid-cache.org/Versions/v2/2.6/cfgman/ with some examples: http://wiki.squid-cache.org/FrontPage?action=fullsearchcontext=180value=wccptitlesearch=Titles Amos
Re: [squid-users] Squid and WCCP
Hi Henrik, We got it working in the end after debugging on the cisco we saw that the traffic was coming from the ADSL PPPoE's IP and not from the routers LAN address. We changed the tunnel to be 10.10.250.1 - 41.x.x.x and it then worked fine. Thanks :) Ian On 8/30/07, Henrik Nordstrom [EMAIL PROTECTED] wrote: On ons, 2007-08-29 at 08:45 +0200, Ian wrote: Hi, Yes, the GRE is working. My unit is 10.10.11.1 and the cisco is 10.10.250.1: Do you see packets arriving on the GRE interface? And do you have matching firewall rules to redirect these packets to the Squid port? Regards Henrik
Re: [squid-users] Squid and WCCP
On tor, 2007-08-30 at 19:15 +0200, Ian wrote:
> Hi Henrik, We got it working in the end. After debugging on the cisco we saw that the traffic was coming from the ADSL PPPoE's IP and not from the router's LAN address. We changed the tunnel to be 10.10.250.1 - 41.x.x.x and it then worked fine.

Yes, the Cisco's use of source IP is a little confusing at best.. uses the Router ID as source, which if I have understood correctly is the highest IP address configured on the router or something like that...

Regards
Henrik
Re: [squid-users] Squid and WCCP
On Thu, Aug 30, 2007, Henrik Nordstrom wrote: On tor, 2007-08-30 at 19:15 +0200, Ian wrote: Hi Henrik, We got it working in the end after debugging on the cisco we saw that the traffic was coming from the ADSL PPPoE's IP and not from the routers LAN address. We changed the tunnel to be 10.10.250.1 - 41.x.x.x and it then worked fine. Yes, the Ciscos use of source IP is a little confusing at best.. uses the Router ID as source, which if I have understood correctly is the highest IP address configured on the router or something like that... .. or the first loopback. Adrian
Re: [squid-users] Squid and WCCP
Hi Juan, Thanks for the tip, could you possibly explain a little more about the loopback ip, im a little confused :) Thanks On 8/30/07, Juan C. Crespo R. [EMAIL PROTECTED] wrote: You should use one loopback ip instead of one adquiring from a dhcp server, remember if the Wan ip changes, your tunnel will not work.. And that will not make you happy :D Ian escribió: Hi Henrik, We got it working in the end after debugging on the cisco we saw that the traffic was coming from the ADSL PPPoE's IP and not from the routers LAN address. We changed the tunnel to be 10.10.250.1 - 41.x.x.x and it then worked fine. Thanks :) Ian On 8/30/07, Henrik Nordstrom [EMAIL PROTECTED] wrote: On ons, 2007-08-29 at 08:45 +0200, Ian wrote: Hi, Yes, the GRE is working. My unit is 10.10.11.1 and the cisco is 10.10.250.1: Do you see packets arriving on the GRE interface? And do you have matching firewall rules to redirect these packets to the Squid port? Regards Henrik
Re: [squid-users] Squid and WCCP
Hi,

Yes, the GRE is working. My unit is 10.10.11.1 and the cisco is 10.10.250.1:

    gre0: flags=b051UP,POINTOPOINT,RUNNING,LINK0,LINK1,MULTICAST mtu 1476
        tunnel inet 10.10.11.1 -- 10.10.250.1
        inet 10.10.11.1 -- 10.20.30.40 netmask 0x

and this from the router:

    WCCP Client ID: 10.10.11.1
    Protocol Version:2.0
    State: Usable
    Initial Hash Info:
    Assigned Hash Info:
    Hash Allotment: 128 (50.00%)
    Packets s/w Redirected: 0
    Connect Time:00:04:20
    Bypassed Packets
        Process: 0
        Fast: 0
        CEF: 0

Thanks again,
Ian

On 8/29/07, Henrik Nordstrom [EMAIL PROTECTED] wrote:
> On tis, 2007-08-28 at 21:12 +0200, Ian wrote:
> > Hi, I am trying to get squid working with my cisco router. How it works is network flows through my unit and enters the cisco on FE0. Below are copies of both configurations which seem correct, yet the whole setup doesn't work correctly, which is my question as why not? Is everything correct and just the physical layout, or is my configuration wrong?
>
> Have you set up the required GRE endpoint on the cache server and added the needed firewall rules to have the redirected traffic sent to the proxy?
>
> Regards
> Henrik
Re: [squid-users] Squid and WCCP
On ons, 2007-08-29 at 08:45 +0200, Ian wrote: Hi, Yes, the GRE is working. My unit is 10.10.11.1 and the cisco is 10.10.250.1: Do you see packets arriving on the GRE interface? And do you have matching firewall rules to redirect these packets to the Squid port? Regards Henrik
Re: [squid-users] Squid and WCCP
On tis, 2007-08-28 at 21:12 +0200, Ian wrote: Hi, I am trying to get squid working with my cisco router.How it works is network flows through my unit and enters the cisco on FE0. Below are copies of both configurations which seem correct, yet the whole setup doesnt work correctly, which is my question as why not? Is everything correct and just the physical layout, or is my configuration wrong? Have you set up the required GRE endpoint on the cache server and added the needed firewall rules to have the redirected traffic sent to the proxy? Regards Henrik
Re: [squid-users] Squid and WCCP v1 (squid-2.5.STABLE11-3.FC3) on Fedora Core 3 (2.6.9-1.667smp) -- SOS
Hi,

I have a RHELv4 cache + Cisco IOS Software, C1700 Software (C1700-K9O3SY7-M), Version 12.3(14)T2, RELEASE SOFTWARE (fc4). I have applied your suggestions, but it's still not working. Please take a look at my Router's + Squid config. Am I missing something?

    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    enable password
    !
    no aaa new-model
    !
    resource policy
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    ip subnet-zero
    ip wccp version 1
    ip wccp web-cache
    !
    !
    no ip dhcp use vrf connected
    !
    !
    ip cef
    no ip ips deny-action ips-interface
    !
    no ftp-server write-enable
    !
    interface Ethernet0
     ip address x.x.x.x 255.255.255.x
     no ip route-cache cef
     full-duplex
    !
    interface FastEthernet0
     ip address y.y.y.y 255.255.255.x
     ip wccp web-cache redirect out
     speed auto
     full-duplex
    !
    interface Serial0
     no ip address
     shutdown
     no fair-queue
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 y.y.y.5
    no ip http server
    no ip http secure-server
    !
    control-plane
    !
    line con 0
    line aux 0
    line vty 0 4
     password
     login
    !
    end

/etc/sysctl.conf
---

    [EMAIL PROTECTED] conf]# cat gre0/rp_filter
    1
    [EMAIL PROTECTED] conf]# cat bond0/rp_filter
    1

Squid.conf

    http_port [Server IP]:3128
    icp_port 3130
    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY
    cache_mem 256 MB
    cache_swap_low 90
    cache_swap_high 95
    maximum_object_size 4096 KB
    minimum_object_size 0 KB
    maximum_object_size_in_memory 8 KB
    cache_dir ufs /usr/local/squid/var/cache 20240 16 256
    cache_access_log /var/log/squid/access.log
    cache_log /var/log/squid/cache.log
    cache_store_log /var/log/squid/store.log
    mime_table /usr/local/squid/etc/mime.conf
    pid_filename /var/run/squid.pid
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours
    auth_param basic casesensitive off
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443 563
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 563 # https, snews
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    acl Local src [My Local Network]
    http_access allow Local
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    acl our_networks src [my network]
    http_access allow our_networks
    http_access deny all
    http_reply_access allow all
    icp_access allow all
    icp_access allow all
    tcp_outgoing_address [Server IP]
    cache_mgr [EMAIL PROTECTED]
    cache_effective_user squid
    cache_effective_group squid
    visible_hostname cache.mydomain.com
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    logfile_rotate 10
    forwarded_for on
    cachemgr_passwd shutdown
    snmp_port 3401
    snmp_access deny all
    wccp_router [Router IP]
    wccp_outgoing_address [Server IP]
    coredump_dir /usr/local/squid/var/cache

Much regards,
Waiting for answers
Daniel

--- Oliver Chato [EMAIL PROTECTED] wrote:
> Hi. Just for the sake of others who are looking to make Transparent/Interception caching with Squid, WCCP v1 and Fedora Core 3, this is what we did to get it working:
>
> On the router (IOS 12.3(2)T):
>
>     ip cef
>     ip wccp version 1
>     ip wccp web-cache
>     interface <interface either directly or indirectly connected to the Internet>
>     ip wccp web-cache redirect out
>     end
>
> Also, we did:
>
>     conf t
>     ip cef    # some systems may already have 'ip cef global'
>     int <interface directly or indirectly connected to the Squid Server> (or int FastEthernet 0/0 or other internal interface)
>     no ip route-cache cef
>     CTRL Z
>
> That's it.
>
> For debugging, we used:
>
>     show ip wccp
>     show ip wccp web-caches
>     show ip wccp web-cache detail
>     show ip wccp web-cache view
>     (or: show ip wccp 99 detail)
>
> On the Linux Server (Fedora Core 3 (2.6.9-1.667smp)):
>
> In squid.conf:
>
>     http_port 3128
>     httpd_accel_host virtual
>     httpd_accel_port 80
>     httpd_accel_with_proxy on
>     httpd_accel_uses_host_header on
>     tcp_outgoing_address <ip address of your interface connected to the WCCP router>
>     wccp_outgoing_address ip address of your interface connected to the
Re: [squid-users] Squid and WCCP v1 (squid-2.5.STABLE11-3.FC3) on Fedora Core 3 (2.6.9-1.667smp) -- it works
Hi.

Just for the sake of others who are looking to make Transparent/Interception caching with Squid, WCCP v1 and Fedora Core 3, this is what we did to get it working:

On the router (IOS 12.3(2)T):

    ip cef
    ip wccp version 1
    ip wccp web-cache
    interface <interface either directly or indirectly connected to the Internet>
    ip wccp web-cache redirect out
    end

Also, we did:

    conf t
    ip cef    # some systems may already have 'ip cef global'
    int <interface directly or indirectly connected to the Squid Server> (or int FastEthernet 0/0 or other internal interface)
    no ip route-cache cef
    CTRL Z

That's it.

For debugging, we used:

    show ip wccp
    show ip wccp web-caches
    show ip wccp web-cache detail
    show ip wccp web-cache view
    (or: show ip wccp 99 detail)

On the Linux Server (Fedora Core 3 (2.6.9-1.667smp)):

In squid.conf:

    http_port 3128
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    tcp_outgoing_address <ip address of your interface connected to the WCCP router>
    wccp_outgoing_address <ip address of your interface connected to the WCCP router>
    wccp_router <ip address of the WCCP router itself>
    wccp_version 4

In /etc/sysconfig/network-scripts/ifcfg-gre0:

    DEVICE=gre0
    BOOTPROTO=static
    IPADDR=172.16.1.6
    NETMASK=255.255.255.252
    ONBOOT=yes
    IPV6INIT=no

For netfilter:

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
    service iptables save

You also might want to limit this in a way so that you specify source addresses and limit it to only those networks/hosts you want to proxy for. I think this would mean one entry (or line) per configured network.

For ip forwarding:

    echo 1 > /proc/sys/net/ipv4/ip_forward

You might even want to do the following in /etc/sysctl.conf:

    net.ipv4.ip_forward = 1

For rp_filter, which must be turned off:

    echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter

You might even want to do the following in /etc/sysctl.conf:

    net.ipv4.conf.default.rp_filter = 0

This last one was where our problem was. We had turned off rp_filter for eth0 but not for gre0. Once we turned it off for gre0, it worked.

Also, for debugging:

For WCCP connection with the router:

    tethereal -V -s 1500 port 2048

You should see here_i_am and i_see_you packets going through.

For redirected connections coming from the router:

    tcpdump -i gre0
    or
    tcpdump -i gre0 port 80

You should see http requests redirected through the gre interface.

For squid:

    tail -f <your squid log files location>/access.log

You should see requests from clients.

Hope this helps.

-- Oliver

-- [EMAIL PROTECTED] wrote:
> Greetings. Sorry for the long message. We are trying to implement Transparent/Interception caching using the following:
> -- Squid 2.5 Stable 11 (We were able to obtain an RPM for Fedora Core 3) with WCCP v1
> -- Fedora Core 3 (64-bit, 2.6.9-1.667smp)
> -- Cisco Router (IOS 12.2)
> in the following configuration (not real IP addresses and interface designations used):
> |---| | Squid (2.5 S11) | | Fedora Core 3 | |---| eth 0 | 201. 1.1.2/255.255.255.252 | | | int 0/0 | 201.1.1.1/255.255.255.252 |int 0/1 |--| - to Internet * Networks ofATM interface | | 203.1.1.1/255.255.255.224 Dial Up Users via various | Cisco Router (IOS 12.2) |
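Added example (not part of the post above and not Squid's own tooling): the failure described in this thread was rp_filter left on for gre0 while it was off for eth0, and the follow-up still shows gre0/rp_filter at 1. The script below reports the effective setting per interface; the function names and CONF_ROOT are made up for this example, and it assumes a current Linux kernel, where the higher of conf/all and conf/<iface> is the value applied.

```shell
#!/bin/sh
# Added example, not from the thread: check reverse-path filtering on the
# interfaces a WCCP/GRE intercept depends on (eth0 and gre0 in the post).
# Function names and CONF_ROOT are hypothetical. Assumes a current Linux
# kernel, where the HIGHER of conf/all/rp_filter and conf/<iface>/rp_filter
# is the value actually applied to <iface>.

CONF_ROOT=${CONF_ROOT:-/proc/sys/net/ipv4/conf}

# read_rp_filter ROOT NAME: print the integer stored in ROOT/NAME/rp_filter.
# Returns 2 when the file is absent (e.g. gre0 has not been created yet).
read_rp_filter() {
    if [ ! -r "$1/$2/rp_filter" ]; then
        return 2
    fi
    tr -d ' \t\n' < "$1/$2/rp_filter"
}

# effective_rp_filter ROOT IFACE: print max(all, IFACE).
effective_rp_filter() {
    iface_val=$(read_rp_filter "$1" "$2") || return 2
    all_val=$(read_rp_filter "$1" all) || all_val=0
    if [ "$all_val" -gt "$iface_val" ]; then
        echo "$all_val"
    else
        echo "$iface_val"
    fi
}

# check_wccp_rp_filter ROOT IFACE...: print one line per interface and
# return 1 if any interface is missing or still has filtering enabled.
check_wccp_rp_filter() {
    root=$1
    shift
    rc=0
    for iface in "$@"; do
        if val=$(effective_rp_filter "$root" "$iface"); then
            if [ "$val" -eq 0 ]; then
                echo "$iface: rp_filter off"
            else
                echo "$iface: rp_filter=$val (redirected packets arriving here can be dropped)"
                rc=1
            fi
        else
            echo "$iface: interface not present"
            rc=1
        fi
    done
    return $rc
}

# Run only when interfaces are named on the command line, e.g.:
#   sh check_rp_filter.sh eth0 gre0
if [ "$#" -gt 0 ]; then
    check_wccp_rp_filter "$CONF_ROOT" "$@"
fi
```

Checking per interface keeps the change scoped to gre0 and the router-facing NIC rather than clearing rp_filter for every interface on the host.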
[squid-users] Squid and WCCP v1 (squid-2.5.STABLE11-3.FC3) on Fedora Core 3 (2.6.9-1.667smp)
Greetings. Sorry for the long message. We are trying to implement Transparent/Interception caching using the following: -- Squid 2.5 Stable 11 (We were able to obtain an RPM for Fedora Core 3) with WCCP v1 -- Fedora Core 3 (64-bit, 2.6.9-1.667smp) -- Cisco Router (IOS 12.2) in the following configuration (not real IP addresses and interface designations used): |---| | Squid (2.5 S11) | | Fedora Core 3 | |---| eth 0 | 201. 1.1.2/255.255.255.252 | | | int 0/0 | 201.1.1.1/255.255.255.252 |int 0/1 |--| - to Internet * Networks ofATM interface | | 203.1.1.1/255.255.255.224 Dial Up Users via various | Cisco Router (IOS 12.2) | Terminal Servers 202.1.1.1/255.255.255.252 | | 203.1.1.2/255.255.255.224 |--|-- to Internet * int 0/2 * The two network interfaces (int 0/1 and int 0/2) are connected to the same network and load balanced via OSPF. (Please pardon the interface designations on the router as I am not too familiar with it and we have no administrative control of the router) On the router (IOS 12.2): -- As mentioned above, connections to the internet (int 0/1 and int 0/2) are load balanced over OSPF -- An access list has been defined on ATM interface for various networks (dialups, DSL, etc.) -- We have turned CEF off on the interface connected to the Squid CACHE (we actually tried it with CEF as well). -- WCCP v1 is enabled and applied at the 2 outbound internet connections (int 0/1 and int 0/2) with redirect out option -- We have also tried to apply WCCP v1 at the ATM interface with redirect in option. -- WCCP v1 was enabled and applied to the various interfaces as detailed above with access lists (as specified above, defined for the ATM interface) On the Linux Box (FC3, 2.6.9-1.667smp): -- We used the WCCP v1 module on Squid as pre-compiled with the RPM. -- We are using GRE instead of WCCP patch as we have read in the FAQs and lists that this is the implementation to use for kernel versions = 2.6.9. 
-- We are also using iptables to redirect traffic coming in from port 80 to 3128 (the squid port we are using).. -- We specified and enabled the appropriate variables in squid.conf for both transparent/interception caching and WCCP v1. Configurations used: We have tried the various setups as detailed in the following URLs: -- http://www.squid-cache.org/mail-archive/squid-users/200505/0678.html -- http://www.sublime.com.au/squid-wccp/ -- http://www.reub.net/node/3 -- http://www.spc.int/it/TechHead/Wccp-squid.html Symptoms: We were able to configure it so that the Cisco Router WCCP v1 configuration actually registers the Squid Server as a usable Cache Engine. We also traced the GRE connections via the following Linux commands: -- tethereal -V -s 1500 port 2048 -- tcpdump -lenx -s 1500 port 2048 and we see the Here I Am and I See You packets and observed the following: -- the Here I Am packets specify that 0 to 255 buckets ARE NOT ASSIGNED. -- the I See You packets specify that 0 to 255 buckets ARE ASSIGNED. Also, we can see the router configuration specifying our squid server registered in the web cache. On the router, using the show ip wccp command, we see the
[squid-users] Squid and WCCP
I am running squid 2.5 stable 10 on fedora core 3. I have it working great by proxy but now they want me to use it for our wireless clients and public access areas. Our Networking guys want me to get WCCP working but I can not get the server to send the I am here packets to the router. I have set the router's ip in the squid config and installed the ip_wccp module. I am not sure what I am missing. Squid is running on the default port 3128. Any help or a point in the right direction would be appreciated.

--
Randy Hill
Server Administrator
Computer Infrastructure Support Services http://www.ciss.ilstu.edu/
Illinois State University http://www.ilstu.edu/
Phone: 309-438-8313
Fax: 309-438-7312
Re: [squid-users] Squid and WCCP
> I am running squid 2.5 stable 10 on fedora core 3. I have it working great by proxy but now they want me to use it for our wireless clients and public access areas. Our Networking guys want me to get WCCP working but I can not get the server to send the I am here packets to the router. I have set the router's ip in the squid config and installed the ip_wccp module. I am not sure what I am missing. Squid is running on the default port 3128. Any help or a point in the right direction would be appreciated.

The FAQ contains a number of references to WCCP; check these (too).

M.
[squid-users] Squid and Wccp
Hi, I need set squid + wccp + WBEL 4.0 , what i need do? My router support wccp v2 My squid is 2.5
Re: [squid-users] Squid and Wccp
: Hi, I need set squid + wccp + WBEL 4.0 , what i need do? My router support wccp v2 My squid is 2.5 Check the squid FAQ. M.
[squid-users] squid with wccp on redhat9
Does anyone have a cookbook for setting up squid with wccp on redhat9? Thanks. James Zhao [EMAIL PROTECTED]
Re: [squid-users] squid with wccp on redhat9
On Tue, 23 Mar 2004, James Zhao wrote: Does anyone have a cookbook for setting up squid with wccp on redhat9? The instructions in the FAQ should work. Compiling the module is a little messy but works.. Regards Henrik
RE: [squid-users] squid with wccp on solaris
I got the gre kernel module from oops and loaded it on my solaris box, still, it's not working. Has anyone successfully made this work on solaris? I have searched the web for several days and I haven't seen anyone claiming it's working on solaris. Maybe I have to switch to linux for this. James -Original Message- From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] Sent: Monday, March 15, 2004 6:10 PM To: James Zhao Cc: [EMAIL PROTECTED] Subject: Re: [squid-users] squid with wccp on solaris On Mon, 15 Mar 2004, James Zhao wrote: I am trying to build a squid server on solaris 8 for wccp, but It doesn't seems to work yet, here is what I did so far and I am hoping someone can point out the problem: Have you loaded the WCCP kernel module? There is a WCCP kernel module for Solaris in the Oops proxy source tree I think. The WCCP kernel module is responsible for decapsulating the WCCP/GRE packets the WCCP router encapsulates the redirected traffic within. If you do not have this your proxy server box will know nothing about what the packets redirected to it by the router is. In addition to the WCCP kernel module you also need interception rules to intercept the packets once decapsulated and have them delivered to the proxy port. This is the job of ip-filter in a Solaris WCCP setup. Regards Henrik
RE: [squid-users] squid with wccp on solaris
On Tue, 16 Mar 2004, James Zhao wrote: I got the gre kernel module from oops and loaded it on my solaris box, still, it's not working. Does the router indicate it has redirected packets to the cache? What does tcpdump on the cache server say? Does anything hit your ip-filter interception rules? Has anyone successfully made this work on solaris? Not sure, but I think there was some users having success some years ago.. It is not at all a common WCCP environment. I have searched the web for several days and I haven't seen anyone claiming it's working on solaris. Maybe I have to switch to linux for this. Linux and FreeBSD is well known environments often used in this type of setups. Regards Henrik
[squid-users] squid with wccp on solaris
Hello,

I am trying to build a squid server on solaris 8 for wccp, but it doesn't seem to work yet. Here is what I did so far and I am hoping someone can point out the problem:

1. compiled squid 2.5STABLE5 with enable-ipf-transparent. The squid is configured so that it redirects all requests to one URL.

squid.conf:

    http_port 8080
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    wccp_router 167.206.45.97
    cache_effective_user nobody
    cache_effective_group nogroup
    store_avg_object_size 2 KB
    cache_dir ufs /opt/squid-2.5.STABLE5/cache 1000 16 256
    cache_access_log /var/log/localhost/squid/access.log
    cache_log /var/log/localhost/squid/cache.log
    cache_store_log /var/log/localhost/squid/store.log
    icon_directory /opt/squid-2.5.STABLE5/share/icons
    error_directory /opt/squid-2.5.STABLE5/share/errors/English
    mime_table /opt/squid-2.5.STABLE5/etc/mime.conf
    pid_filename /opt/squid-2.5.STABLE5/logs/squid.pid
    unlinkd_program /opt/squid-2.5.STABLE5/libexec/unlinkd
    redirect_program /usr/local/asqredir/asqredir /usr/local/asqredir/urls.txt
    redirect_children 5
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    acl all src 0.0.0.0/0.0.0.0
    acl SSL_ports port 443 563 22
    acl Safe_ports port 7001 80 21 22 443 563 70 210 1025-65535
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    http_access allow all
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    miss_access allow all
    icp_access allow all

2. installed ipf version 3.4.32

ipnat config file:

    rdr bge0 0.0.0.0/0 port 80 -> 167.206.45.99 port 8080 tcp

output for ipnat -l:

    #ipnat -l
    List of active MAP/Redirect filters:
    rdr bge0 0.0.0.0/0 port 80 -> 167.206.45.99 port 8080 tcp
    List of active sessions:

The network guy told me that the cisco router sees the wccp server (my squid server) ok and they can communicate, but when I open a web browser on a server which connects to this cisco router, it just times out every time. It didn't get to the redirected URL as I wanted. (I was snooping on the squid server and didn't see any incoming packets from the cisco router, but not sure if the snoop works under ipf.)

Thanks for your help.

James Zhao
Re: [squid-users] squid with wccp on solaris
The network guy told me that the cisco router sees the wccp server (my squid server) ok and they can communicate, but when I open a web browser on a server which connects to this cisco router, it just times out every time. It didn't get to the redirected URL as I wanted. ( I was snooping on the squid server and didn't see any incoming packets from the cisco router, but not sure if the snoop works under ipf ). Squid and ipnat Settings are ok. What type of switching route type you are using on cisco router.? Did you get the message in the cache.log as wccp enabled? If the request is getting timed out means, your ipnat settings with bge0 may be the problem. Regards, Muthukumar.
Re: [squid-users] squid with wccp on solaris
ipnat config file: rdr bge0 0.0.0.0/0 port 80 - 167.206.45.99 port 8080 tcp output for ipnat -l: #ipnat -l List of active MAP/Redirect filters: rdr bge0 0.0.0.0/0 port 80 - 167.206.45.99 port 8080 tcp List of active sessions: The network guy told me that the cisco router sees the wccp server (my squid server) ok and they can communicate, but when I open a web browser on a server which connects to this cisco router, it just times out every time. It didn't get to the redirected URL as I wanted. ( I was snooping on the squid server and didn't see any incoming packets from the cisco router, but not sure if the snoop works under ipf ). You may have a forwarding loop. I don't know IP filter well enough off the top of my head, but you might need to add a more specific rule before 'rdr' to allow Squid's outgoing TCP connections. Duane W.
Re: [squid-users] squid with wccp on solaris
On Mon, 15 Mar 2004, James Zhao wrote: I am trying to build a squid server on solaris 8 for wccp, but It doesn't seems to work yet, here is what I did so far and I am hoping someone can point out the problem: Have you loaded the WCCP kernel module? There is a WCCP kernel module for Solaris in the Oops proxy source tree I think. The WCCP kernel module is responsible for decapsulating the WCCP/GRE packets the WCCP router encapsulates the redirected traffic within. If you do not have this your proxy server box will know nothing about what the packets redirected to it by the router is. In addition to the WCCP kernel module you also need interception rules to intercept the packets once decapsulated and have them delivered to the proxy port. This is the job of ip-filter in a Solaris WCCP setup. Regards Henrik
[squid-users] SQUID and WCCP on CISCO router
Hello, Can someone help me install and configure squid to work with wccp and a cisco router running IOS 122-19. I am installing the latest stable squid version on Linux Redhat 9. Thank you, Regards, Wilhelm
Re: [squid-users] SQUID and WCCP on CISCO router
Wilhelm Farrugia wrote: Hello, Can someone help me install and configure squid to work with wccp and a cisco router running IOS 122-19. I am installing the latest stable squid version on Linux Redhat 9. Thank you, Regards, http://www.sublime.com.au/squid-wccp/ M. Wilhelm -- 'Love is truth without any future. (M.E. 1997)
RE: [squid-users] SQUID and WCCP on CISCO router
10x for the info. Is it possible to have further detail on the kernel compilation for the version 2.4.22? The kernel was compiled successfully, however the ethernet was not working fine, receiving message:

    Oct 20 18:16:16 frodo kernel: NETDEV WATCHDOG: eth0: transmit timed out
    Oct 20 18:16:16 frodo kernel: eth0: Setting 100mbps full-duplex based on auto-negotiated partner ability 41e1.
    Oct 20 18:16:28 frodo kernel: NETDEV WATCHDOG: eth0: transmit timed out
    Oct 20 18:16:28 frodo kernel: eth0: Setting 100mbps full-duplex based on auto-negotiated partner ability 41e1.
    Oct 20 18:16:40 frodo kernel: NETDEV WATCHDOG: eth0: transmit timed out
    Oct 20 18:16:40 frodo kernel: eth0: Setting 100mbps full-duplex based on auto-negotiated partner ability 41e1.
    Oct 20 18:16:52 frodo kernel: NETDEV WATCHDOG: eth0: transmit timed out
    Oct 20 18:16:52 frodo kernel: eth0: Setting 100mbps full-duplex based on auto-negotiated partner ability 41e1.
    Oct 20 18:17:04 frodo kernel: NETDEV WATCHDOG: eth0: transmit timed out
    Oct 20 18:17:04 frodo kernel: eth0: Setting 100mbps full-duplex based on auto-negotiated partner ability 41e1.
    Oct 20 18:17:16 frodo kernel: NETDEV WATCHDOG: eth0: transmit timed out
    Oct 20 18:17:16 frodo kernel: eth0: Setting 100mbps full-duplex based on auto-negotiated partner ability 41e1.
    Oct 20 18:17:28 frodo kernel: NETDEV WATCHDOG: eth0: transmit timed out
    Oct 20 18:17:28 frodo kernel: eth0: Setting 100mbps full-duplex based on auto-negotiated partner ability 41e1.
    Oct 20 18:17:40 frodo kernel: NETDEV WATCHDOG: eth0: transmit timed out
    Oct 20 18:17:40 frodo kernel: eth0: Setting 100mbps full-duplex based on auto-negotiated partner ability 41e1.

Thank you, Regards, Wilhelm

-Original Message-
From: Marc Elsen [mailto:[EMAIL PROTECTED]
Sent: 20 October 2003 09:34
To: Wilhelm Farrugia
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] SQUID and WCCP on CISCO router

Wilhelm Farrugia wrote: Hello, Can someone help me install and configure squid to work with wccp and a cisco router running IOS 122-19. I am installing the latest stable squid version on Linux Redhat 9. Thank you, Regards,

http://www.sublime.com.au/squid-wccp/

M.

Wilhelm -- 'Love is truth without any future. (M.E. 1997)