Re: Regular proxying works but Transparent proxying times out

Richi Plana wrote:

> Perhaps I should have added that the setup works initially but after a
> while (we still haven't determined how long or how much access is
> necessary), transparent proxying stops working. All we get are network
> timeouts.

Is it only transparent proxying being affected, or does normal proxying
also cease to function?

> Here're the pertinent parts of squid.conf:
>
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on

Looks fine. (not an Cisco expert so I let others comment on your Cisco
configuration)

> |o| Are you using a plain port policy route, or something fancier?
>
> Plain. Has there been much success using WCCP?

Some people do use it. There are some restrictions on which IOS versions
can be used, and some patching is required to get the Squid host to
accept Cisco WCCP GRE traffic..

> |o| What is the smallest Path MTU used in the path from Squid to the
> |o| browser?
>
> Browser to Squid?

Yes.

> It varies, but we tried it on a workstation on the same
> ethernet switch.

There shouldn't be any MTU related issues if you are on the same
ethernet switch I guess..

> Or did you mean between Squid and the object server?

No. MTU related problems are for the return traffic of the redirected
path. If the redirection only redirects TCP port 80, then ICMP messages
sent by devices in response to the return traffic may miss the
redirection and instead end up at the real destination server..

Hmm.. maybe you should try to do a packet trace to get a better
understanding of what is going on. This does not sound like one of the
usual problems.

Further guesses on what may be going on:

* Something may be wrong with the TCP redirection on the host where
Squid runs, causing it to not forward some traffic to the Squid process.

* Something is causing a loop of ICMP redirect messages to be generated.

--
Henrik Nordstrom
Squid hacker