Before saying this or that, did you have the chance to look at:
http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2
??
What version of IOS does the 2901 have on it?

Eliezer

On 09/24/2013 02:31 AM, Jordan Dalley wrote:
> Thanks for your reply Bob,
> 
> I tried what you said - completely removed any ifcfg-gre0 config and simply 
> ran the commands:
> 
> ifconfig gre0 inet 1.1.1.1 netmask 255.255.255.0 up
> iptables -F -t nat
> iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.112.4.4:3127
> 
> On the router side (I had to modify your ACLs a bit)
> 
> ip access-list standard wccp-servers
> permit host 10.112.4.4
> ip access-list extended wccp-traffic
> permit tcp 10.114.32.0 0.0.7.255 any eq www
> 
> ip wccp web-cache redirect-list wccp-traffic group-list wccp-servers
> 
> Upon inspection, I can see the router forwarding packets through the gre 
> tunnel:
> 
> [root@tsv-squid1 ~]# tcpdump -i gre0
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on gre0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
> 20:40:04.370754 IP 10.114.32.51.62007 > 190.93.248.164.http: Flags [S], seq 2779756886, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
> 20:40:04.370861 IP 10.114.32.51.62008 > 190.93.248.164.http: Flags [S], seq 1665803222, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
> 20:40:07.381696 IP 10.114.32.51.62007 > 190.93.248.164.http: Flags [S], seq 2779756886, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
> 20:40:07.381779 IP 10.114.32.51.62008 > 190.93.248.164.http: Flags [S], seq 1665803222, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
> 20:40:13.387792 IP 10.114.32.51.62007 > 190.93.248.164.http: Flags [S], seq 2779756886, win 8192, options [mss 1460,nop,nop,sackOK], length 0
> 20:40:13.387812 IP 10.114.32.51.62008 > 190.93.248.164.http: Flags [S], seq 1665803222, win 8192, options [mss 1460,nop,nop,sackOK], length 0
> 
> Here's the weird thing..
> 
> [root@tsv-squid1 ~]# ifconfig gre0
> gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-82-12-00-00-00-00-00-00-00-00
>           inet addr:1.1.1.1  Mask:255.255.255.0
>           UP RUNNING NOARP  MTU:1476  Metric:1
>           RX packets:143 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:7136 (6.9 KiB)  TX bytes:0 (0.0 b)
> 
> Note my GRE tunnel is not transmitting, only receiving.
> 
> I can confirm, ip forwarding is enabled.
> 
> [root@tsv-squid1 ~]# cat /proc/sys/net/ipv4/ip_forward
> 1
> [root@tsv-squid1 ~]#
> 
> Cheers,
> J.
> 
> -----Original Message-----
> From: Luderitz Bob [mailto:[email protected]] 
> Sent: Tuesday, 24 September 2013 1:38 AM
> To: [email protected]
> Subject: [squid-users] RE: WCCP issues with Centos 6.3 and Cisco 2901
> 
>       Hey Jordan, I am running a similar config with wccp and CentOS 6.3 with 
> Cisco routers.
> 
>       Your config looks close to what I have but I use the built-in gre0 
> tunnel so don't have the interface explicitly setup just have it in rc.local 
> like this:
>       ifconfig gre0 inet 1.2.3.4 netmask 255.255.255.0 up
>       echo 1 > /proc/sys/net/ipv4/ip_forward
>       (same iptables statement as you have)
>       iptables -F -t nat
>       iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.80.166.227:3127
> 
>       From the router - I did not set the config up but have the documentation 
> and have these additional statements defined to force http traffic to the 
> squid - 166.227)
>       access-list wccp-servers extended permit ip host 10.80.166.227 any
>       access-list wccp-traffic extended permit tcp object-group DM_INLINE_NETWORK_7 any eq www
>       wccp web-cache redirect-list wccp-traffic group-list wccp-servers 
>               
>       hope this helps....
> 
> -----Original Message-----
> From: Jordan Dalley [mailto:[email protected]]
> Sent: Monday, September 23, 2013 6:17 AM
> To:   
> Subject: [squid-users] WCCP issues with Centos 6.3 and Cisco 2901
> 
> Hi Squid community,
> 
> I have an issue whereby I am just struggling to find out why it won't work.
> 
> I have trawled through multiple forums, howto's, faq's etc but no matter what 
> I do, I cannot get it to work properly.
> 
> Here is what I have done so far:
> 
> Router IP: 10.114.3.34
> Squid IP: 10.112.4.4
> WAN Subnet: 10.112.0.0 / 255.252.0.0
> 
> Squid Config:
> 
> http_port 3127 intercept
> wccp2_router 10.114.3.34
> wccp2_forwarding_method gre
> wccp2_return_method gre
> wccp2_service standard 0
> 
> Confirm I can access and use port 3127 directly without issue from any 
> location in the WAN.
> 
> Router Config:
> 
> ip wccp web-cache
> interface G0/1
> !Inside interface
> ip wccp web-cache redirect in
> 
> Added to sysctl.conf:
> 
> # Controls IP packet forwarding
> net.ipv4.ip_forward = 1
> 
> # Controls source route verification
> net.ipv4.conf.default.rp_filter = 0
> net.ipv4.conf.eth0.rp_filter = 0
> net.ipv4.conf.eth0.ip_filter = 0
> net.ipv4.conf.gre0.rp_filter = 0
> net.ipv4.conf.gre0.ip_filter = 0
> 
> Added to /etc/sysconfig/network-scripts/ifcfg-gre0
> 
> DEVICE=gre0
> BOOTPROTO=static
> IPADDR=127.0.0.2
> NETMASK=255.255.255.0
> ONBOOT=YES
> IPV6INIT=NO
> 
> Linux Configuration:
> 
> modprobe ip_gre
> ifup gre0
> iptables -t nat -F
> iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.112.4.4:3127
> 
> If I then do a tcpdump -i gre0 I can see packets flowing through this 
> interface with destination port 80. Unfortunately it seems as if they are 
> somehow not being natted to the squid server.
> 
> I've tried different varying methods of doing this, but none of them seem to 
> work.
> 
> Does anyone have any ideas?
> 
> Regards,
> Jordan.
> 

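A check that fits the sysctl.conf fragment in the original post, as an added example (not code from the thread or from Squid): for source validation the kernel applies the higher of `net.ipv4.conf.all.rp_filter` and the per-interface value, so `gre0 = 0` alone does not guarantee that WCCP-redirected packets, whose client source addresses route back via eth0, pass the check. The sample input is constructed, and its `all = 1` line is an assumption the thread does not show.

```shell
#!/bin/sh
# Added example: effective rp_filter per interface from "sysctl -a"-style lines.
# For source validation the kernel uses max(conf.all, conf.<iface>).

# stdin:  lines such as "net.ipv4.conf.gre0.rp_filter = 0"
# stdout: "<iface> <effective value>", sorted by interface name
effective_rp_filter() {
    awk -F'[ =]+' '
        /^net\.ipv4\.conf\.[^.]+\.rp_filter[ =]/ {
            split($1, key, ".")
            val[key[4]] = $2 + 0
        }
        END {
            # Assumption: a missing "all" line is treated as 0.
            all = ("all" in val) ? val["all"] : 0
            for (i in val) {
                if (i == "all" || i == "default") continue
                printf "%s %d\n", i, (val[i] > all ? val[i] : all)
            }
        }' | sort
}

# Exit 0 when strict mode (1) is in effect on the interface named in $1.
# Strict mode drops packets whose source is not routed back via that interface.
strict_on() {
    effective_rp_filter |
        awk -v i="$1" '$1 == i && $2 == 1 { hit = 1 } END { exit !hit }'
}

# Constructed sample: the per-interface values from the post, plus an
# assumed "all = 1" that the posted fragment does not set either way.
SAMPLE='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.gre0.rp_filter = 0'

printf '%s\n' "$SAMPLE" | effective_rp_filter
if printf '%s\n' "$SAMPLE" | strict_on gre0; then
    echo "gre0: strict rp_filter in effect despite gre0.rp_filter = 0"
fi
```

On a live host, feed it the running values with `sysctl -a 2>/dev/null | effective_rp_filter`.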