Henrik Nordstrom wrote:
On Monday 04 August 2003 07.52, Larry M. Smith wrote:
I am trying to set up Squid 2.5-STABLE3 as a transparent proxy with
a Cisco 7204 VXR (running IOS 12.2(6)) and am running across a
maddening problem - works in test network, doesn't work in
production network.
will show the redirected packet counter incrementing, access.log is
logging client accesses, cache.log shows no abnormalities, and
barely breaking a sweat (squid taking < 1% of CPU), but the clients
never get pages and eventually time out. Did a sniff of the
Have you instructed your router to not intercept Squid's own traffic?
Same thing in the interception rules on your Squid server? (but if you
disable the interception on the Cisco I don't think this is the
problem..)
The sniff of the network activity showed that Squid never (well, almost
never) put anything back onto the network wire that would have been
intercepted.
The only difference between the production and test networks (other
than client load) is the production network is redirecting off of
atm1/0 while the test network is redirecting off of fa0/0 (and the
requisite addressing/configuration changes). I don't believe that
to be cause of the functionality problem as in the production
network I do see the packets being redirected to Squid.
If you see traffic in access.log then the redirection is working.
If you have enabled interception and then normal proxying does not
work then the interception is intercepting too much, preventing the
proxy itself from doing what it should. Remember that the proxy is
just a HTTP client like any other in the eye of interception rules
and if the proxy uses the same router as your clients then rules are
needed to instruct the router on what to do with the traffic.
How would one go about testing this, and what should I be looking for
in the logs?
A very good test when verifying networking, interception rules etc is
to start by verifying that browsing directly from the proxy server
without using the proxy always works. For this purpose you can use
lynx/wget or even squidclient (just remember to specify host and port
options to squidclient, or else it assumes you want to ask the
proxy..). If browsing from the proxy server does not work then there
are networking errors and proxying via the same can not work until the
networking errors are corrected.
Again in the test WCCP environment everything works, when we put a few
hundred clients onto Squid it fails.
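
The direct-browsing check Henrik describes, as an added example that is not part of the original thread: run on the Squid host, it fetches a page with no proxy, then through Squid as a normal proxy client, and maps the two results to the conclusions drawn above. It uses curl rather than the lynx/wget/squidclient named in the thread; the test URL and the proxy address 127.0.0.1:3128 are assumptions.

```shell
#!/bin/sh
# Added example. Run ON the Squid host: ./check.sh run
# Assumed values (not from the thread): test URL and local proxy address.
TEST_URL="${TEST_URL:-http://example.com/}"
PROXY="${PROXY:-http://127.0.0.1:3128}"

# Fetch with every proxy setting ignored, so the request leaves the box
# the same way Squid's own outbound requests do.
fetch_direct() {
    curl --silent --fail --output /dev/null --max-time 15 --noproxy '*' "$1"
}

# Fetch the same URL as an ordinary (non-intercepted) proxy client.
fetch_via_proxy() {
    curl --silent --fail --output /dev/null --max-time 15 --proxy "$PROXY" "$1"
}

# Turn the two curl exit codes into one verdict line.
diagnose() {
    direct_rc=$1
    proxy_rc=$2
    if [ "$direct_rc" -ne 0 ]; then
        # The proxy host itself cannot browse: routing is broken or the
        # router is intercepting the proxy's own traffic.
        echo "network: direct fetch from the proxy host failed (curl exit $direct_rc)"
    elif [ "$proxy_rc" -ne 0 ]; then
        echo "squid: direct fetch works but the fetch through Squid failed (curl exit $proxy_rc)"
    else
        echo "ok: proxy host browses directly and through Squid"
    fi
}

# Only touch the network when explicitly asked to.
if [ "${1:-}" = "run" ]; then
    direct_rc=0
    fetch_direct "$TEST_URL" || direct_rc=$?
    proxy_rc=0
    fetch_via_proxy "$TEST_URL" || proxy_rc=$?
    diagnose "$direct_rc" "$proxy_rc"
fi
```

A "network" verdict means the interception rules and routing need fixing before any proxy-side debugging is worthwhile.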