[squid-users] (Squid+WCCP+Cisco 6509) Transparent Proxying problem-

From: Maxx Christopher Lobo <maxx@dont-contact.us>
Date: 17 Aug 2004 17:39:56 -0700

I've had squid (Stable5) working on a Linux (Fedora Core2/custom 2.6.7)
server for some time now. The server works, clients are able to use the
proxy to surf the web. The problem has always been the need to maintain
a "browser proxy config file" for end users, and the ensuing support
calls when they change their browser settings.

I have a Cisco network backend, so enter transparent proxying and WCCP.
I noticed that quite a few folks seemed to have this working, and I
decided to give it a shot. At the outset, things -seem- to be working
properly, because:

1. I was able to avoid the usual pitfalls thanks to this mailing list
and diligent Google searches - so compiling the ip_wccp module, setting
up the gre tunnel and so forth posed no problems.
2. "sh ip wccp" on the router showed that the router saw the squid box,
"debug ip wccp" confirmed it.
3. "tcpdump" on the squid box showed communication between the squid box
and the router.
4. "sh ip wccp web-cache" showed all the packets were being redirected -
zero were "denied redirect" and "unassigned".

So I connected using a client PC (Windows XP, Firefox 0.9, no proxy
configured in the browser) and tried to surf the web... without any
success.

I've attached the configs for both the squid box and the router below.
One caveat:

The Cisco router has three VLAN interfaces - instead of detecting that
the WCCP Router is at 172.16.0.1 (the VLAN interface that is on the same
LAN as the squid box) it detects it at 192.168.171.1 (the VLAN interface
on the lab network). Doesn't seem to matter to the squid box, since it
can contact the router on both IP addresses. But I figured I should
mention this anyway, in the event that someone knows how to "fix" this -
or if this is a problem.

All responses appreciated.

******** Configs attached below********

**************** Architecture *******************************

[Squid-box]---[Cisco 6509 Switch/Router]---[Firewall]---[ISP]
                   |
[Clients]----------|

Cisco 6509:
 -LAN interface: 172.16.0.1
 -WAN interface: 10.1.1.2
 -Lab interface: 192.168.171.1
Squid-box: 172.16.0.18
Clients: 172.16.0.0/255.255.0.0
Firewall: 10.1.1.1

**************** Squid box config ***************************

--> Squid-box, system details
OS: Linux, Fedora Core 2
Kernel: 2.6.7 Compiled from tarball
Module: ip_wccp
Compiled in: ip_gre

--> "vi /usr/src/linux/.config"
CONFIG_NET_IPGRE=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_NAT_LOCAL=y
CONFIG_IP_NF_MANGLE=y

--> "vi /etc/sysctl.conf"
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
kernel.sysrq = 0

--> "iptables -L -t nat -v"
Chain PREROUTING (policy ACCEPT 4439 packets, 980K bytes)
 pkts bytes target prot opt in out source destination
    0 0 REDIRECT tcp -- eth4 any anywhere anywhere tcp dpt:http redir ports 8080

Chain POSTROUTING (policy ACCEPT 1415 packets, 91522 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1415 packets, 91522 bytes)
 pkts bytes target prot opt in out source destination

--> "lsmod"
Module Size Used by
ip_wccp 3072 0

--> "ifconfig -a"
eth4 Link encap:Ethernet HWaddr 00:00:AA:BB:CC:DD
          inet addr:172.16.0.18 Bcast:172.16.255.255 Mask:255.255.0.0
          inet6 addr: ffff::eee:dddd:cccc:6666/66 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:195014 errors:0 dropped:0 overruns:0 frame:0
          TX packets:163789 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:138103537 (131.7 Mb) TX bytes:140511711 (134.0 Mb)
          Interrupt:7 Memory:d7800000-0

gre1 Link encap:UNSPEC HWaddr CC-11-00-22-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.2 P-t-P:127.0.0.2 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MTU:1476 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

--> "iptunnel"
gre0: gre/ip remote any local any ttl inherit nopmtudisc
gre1: gre/ip remote 172.16.0.1 local 172.16.0.18 dev eth4 ttl inherit

--> with "tcpdump -i eth4 'host 172.16.0.1'" on the squid box
16:09:16.449487 IP squid-box.2048 > wccp-router.2048: UDP, length 52
16:09:16.449717 IP wccp-router.2048 > squid-box.2048: UDP, length 64
16:50:10.326695 IP wccp-router > squid-box: gre-proto-0x883e
(lines repeat over and over...)

--> squid config
visible_hostname squid-box.mydomain.com
http_port 172.16.0.18:8080
icp_port 172.16.0.18:3130
cache_mem 16 MB
cache_dir ufs /cache 1500 16 256
redirect_rewrites_host_header off
cache_replacement_policy GDSF
acl pc-LAN src 172.16.0.0/255.255.0.0
acl lab-LAN src 192.168.171.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 20 21 70 80 210 443 563 1025-65535
acl CONNECT method CONNECT GET POST PROPFIND HEAD
acl all src 0.0.0.0/0.0.0.0
http_access allow pc-LAN
http_access allow lab-LAN
http_access allow localhost
http_access allow SSL_ports
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all
maximum_object_size 15000 KB
store_avg_object_size 500 KB
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
append_domain .mydomain.com
cache_effective_user squid
cache_effective_group squid
log_icp_queries off
buffered_logs on
wccp_router 172.16.0.1
wccp_version 4

**************** Cisco Config *******************************
--> WCCP-Router: Cisco 6509 - MSFC Sup I
!
Version: 12.1
ip wccp version 1
ip wccp web-cache
!
interface Vlan20
 description To ISP
 ip address 10.1.1.2 255.255.255.252
 ip wccp web-cache redirect out
 no ip route-cache cef
!
interface Vlan100
 description Intranet Network
 ip address 172.16.0.1 255.255.0.0
 ip route-cache same-interface
 no ip route-cache cef
!
interface Vlan171
 description Lab Network
 ip address 192.168.171.1 255.255.255.0
 no ip route-cache cef

--> wccp-router#sh ip wccp web-cache
Global WCCP information:
    Router information:
        Router Identifier: 192.168.171.1
        Protocol Version: 1.0

    Service Identifier: web-cache
        Number of Cache Engines: 1
        Number of routers: 1
        Total Packets Redirected: 25562
        Redirect access-list: -none-
        Total Packets Denied Redirect: 0
        Total Packets Unassigned: 0
        Group access-list: -none-
        Total Messages Denied to Group: 0
        Total Authentication failures: 0

--> wccp-router#sh ip wccp web-cache detail
WCCP Cache-Engine information:
        IP Address: 172.16.0.18
        Protocol Version: 0.4
        State: Usable
        Redirection: GRE
        Initial Hash Info: 00000000000000000000000000000000
                               00000000000000000000000000000000
        Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                               FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
        Hash Allotment: 256 (100.00%)
        Packets Redirected: 8
        Connect Time: 01:03:32

--> wccp-router#sh ip wccp web-cache view
    WCCP Routers Informed of:
        -none-

    WCCP Cache Engines Visible:
        172.16.0.18

    WCCP Cache Engines NOT Visible:
        -none-

--> with "debug ip wccp packets" on the cisco router
Aug 17 23:07:41.877 UTC: WCCP-PKT: Received valid Here_I_Am packet from 172.16.0.18 w/rcvd_id 000003FA
Aug 17 23:07:41.877 UTC: WCCP-PKT: Sending I_See_You packet to 172.16.0.18 w/ rcvd_id 000003FB
Received on Tue Aug 17 2004 - 18:40:13 MDT
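A read-only check of the redirect path, added here as an example and not part of the original post: it takes the text of "iptables -L -t nat -v" and "iptunnel" (the two samples below are constructed copies of the listings posted above) and reports, for each interface that can deliver GRE-decapsulated client traffic, whether a nat PREROUTING REDIRECT rule is bound to it and whether that rule has matched any packets. The ip_wccp module resubmits decapsulated packets on the physical NIC they arrived on, while an ip_gre tunnel delivers them on the gre device, so both candidates are checked. The router address 172.16.0.1 and the NIC name eth4 are taken from the post; the function names (gre_iface_for_router, redirect_pkts_for_iface, check_iface, audit) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit the nat PREROUTING
# REDIRECT rules against the interfaces that can carry WCCP traffic.

WCCP_ROUTER=172.16.0.1   # wccp_router from the posted squid.conf
LAN_IFACE=eth4           # physical NIC; ip_wccp resubmits packets here

# Constructed sample, mirroring "iptables -L -t nat -v" in the post.
NAT_SAMPLE='Chain PREROUTING (policy ACCEPT 4439 packets, 980K bytes)
 pkts bytes target prot opt in out source destination
    0 0 REDIRECT tcp -- eth4 any anywhere anywhere tcp dpt:http redir ports 8080

Chain POSTROUTING (policy ACCEPT 1415 packets, 91522 bytes)
 pkts bytes target prot opt in out source destination'

# Constructed sample, mirroring "iptunnel" in the post.
TUNNEL_SAMPLE='gre0: gre/ip remote any local any ttl inherit nopmtudisc
gre1: gre/ip remote 172.16.0.1 local 172.16.0.18 dev eth4 ttl inherit'

# Name of the GRE tunnel whose remote end is the WCCP router (the device
# on which ip_gre hands decapsulated packets to netfilter). Prints
# nothing when no such tunnel exists.
gre_iface_for_router() {   # $1 = iptunnel output, $2 = router IP
    printf '%s\n' "$1" | awk -v r="$2" '
        $3 == "remote" && $4 == r { sub(/:$/, "", $1); print $1 }'
}

# Packet counter of the PREROUTING REDIRECT rule bound to interface $2
# (or to "any"), or the word "none" when no rule covers that interface.
redirect_pkts_for_iface() {   # $1 = nat table listing, $2 = interface
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Chain / { chain = $2; next }
        chain == "PREROUTING" && $3 == "REDIRECT" && ($6 == want || $6 == "any") {
            print $1; found = 1; exit }
        END { if (!found) print "none" }'
}

# Verdict for one ingress interface: OK (rule matched packets),
# NOMATCH (rule present, zero packets) or NORULE (no rule at all).
check_iface() {   # $1 = nat table listing, $2 = interface
    n=$(redirect_pkts_for_iface "$1" "$2")
    case "$n" in
        none) echo "$2 NORULE" ;;
        0)    echo "$2 NOMATCH" ;;
        *)    echo "$2 OK" ;;
    esac
}

# Check the physical NIC and the router-facing GRE tunnel; exit status 0
# when at least one of them has a REDIRECT rule that matched packets.
audit() {   # $1 = nat table listing, $2 = iptunnel output
    ok=1
    for dev in "$LAN_IFACE" $(gre_iface_for_router "$2" "$WCCP_ROUTER"); do
        line=$(check_iface "$1" "$dev")
        echo "$line"
        case "$line" in *" OK") ok=0 ;; esac
    done
    return $ok
}

audit "$NAT_SAMPLE" "$TUNNEL_SAMPLE"
echo "audit exit status: $?"
```

On a live box, feed it `"$(iptables -L -t nat -v)"` and `"$(iptunnel)"` instead of the constants. NOMATCH on the NIC together with NORULE on the tunnel device is the cue to compare the rule's `-i` interface with the device on which decapsulated client packets actually appear (`tcpdump -i gre1` versus `tcpdump -i eth4 port 80` will show which one carries them).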