RE: [squid-users] problem with WCCP + SQUID + 6509

From: Damian-Grint Philip <pdamian-grint@dont-contact.us>
Date: Fri, 21 Jan 2005 09:42:39 -0000

Hi Luu,
 
If you obscure too much information it becomes difficult to work out what is being sent, by whom and to where... The point in constructing a redirect list is that you can test your configuration using one known client and one known server before applying WCCP to all HTTP traffic crossing the interface. Perhaps you could set up and document a test using private addresses? What did your redirect list look like? Did the redirect count go up? How do the obscured ICMP messages relate to the addresses of client/squid box/next-hop router?
 
ICMP debug should show ICMP messages with the router/switch as source or destination, and is therefore a key WCCP troubleshooting tool; "administratively prohibited" on Cisco routers/switches refers to the blocking of packets by an access list, but without any IP information about your test it is impossible to say whether these messages relate to your problem or not.
 
-----Original Message-----
From: Luu Trung Duong [mailto:luutd@ctu.edu.vn]
Sent: Fri 21/01/2005 01:43
To: Damian-Grint Philip
Cc: 'squid-users'
Subject: RE: [squid-users] problem with WCCP + SQUID + 6509

        I had tried a redirect-list but the problem is the same.
        
        Here is some information from debug
        
        debug ip icmp
        1w5d: ICMP: dst (xxx.xxx.xxx.xxx) administratively prohibited unreachable
        sent to xxx.xxx.xxx.xxxb
        1w5d: ICMP: dst (xxx.xxx.xxx.xxx) administratively prohibited unreachable
        sent to xxx.xxx.xxx.xxx
        1w5d: ICMP: dst (xxx.xxx.xxx.xxx) administratively prohibited unreachable
        sent to xxx.xxx.xxx.xxx
        1w5d: ICMP: dst (xxx.xxx.xxx.xxx) administratively prohibited unreachable
        sent to xxx.xxx.xxx.xxx
        1w5d: ICMP: dst (xxx.xxx.xxx.xxx) administratively prohibited unreachable
        sent to xxx.xxx.xxx.xxx
        1w5d: ICMP: dst (xxx.xxx.xxx.xxx) administratively prohibited unreachable
        sent to xxx.xxx.xxx.xxx
        1w5d: ICMP: dst (xxx.xxx.xxx.xxx) administratively prohibited unreachable
        sent to xxx.xxx.xxx.xxx
        
        debug ip wccp packets
        
        1w5d: WCCP-PKT: Received valid Here_I_Am packet from xxx.xxx.xxx.xxx
        w/rcvd_id 00000069
        1w5d: WCCP-PKT: Sending I_See_You packet to xxx.xxx.xxx.xxx w/ rcvd_id
        0000006A
        1w5d: WCCP-PKT: Received valid Here_I_Am packet from xxx.xxx.xxx.xxx
        w/rcvd_id 0000006A
        1w5d: WCCP-PKT: Sending I_See_You packet to xxx.xxx.xxx.xxx w/ rcvd_id
        0000006B
        
        
        -----Original Message-----
        From: Damian-Grint Philip [mailto:pdamian-grint@collierscre.co.uk]
        Sent: Thursday, January 20, 2005 10:04 PM
        To: squid-users
        Subject: RE: [squid-users] problem with WCCP + SQUID + 6509
        
        Have you tried using a redirect-list to define traffic to be redirected?
        
        Can you show some output from the following while pushing http traffic
        across the router:
        
        term mon
        
        -----Original Message-----
        From: Luu Trung Duong [mailto:luutd@ctu.edu.vn]
        Sent: 20 January 2005 13:45
        To: 'squid-users'
        Subject: [squid-users] problem with WCCP + SQUID + 6509
        
        
        Hi All,
        
        I have a problem with WCCP + SQUID + 6509 as follows:
        
        "The problem is my client can't detect the proxy (which I set up
        as a transparent proxy) and he cannot browse, but if the client uses
        a manual proxy, it's OK...."
        
        I use:
                Cisco 6509
                REDHAT 9.1, Kernel 2.4.20.8
                ip_wccp ver 1.7
                squid 2.5STABLE7
        
        I had followed the instructions of Henrik Nordstrom and another message
        on the list
        
        -----------------
        make mrproper
        cp configs/config_matching_your_kernel_type .config
           make oldconfig / make xconfig / make menuconfig
           make dep
           make clean
           make bzImage
           make modules
           [take note of the GCC flags shown during "make modules"]
        
        Install newly built kernel
        
           make modules_install
           make install
        
        Boot into the new kernel to verify that it works
        
        Change boot menu to default to the new kernel
           [default=0 in /etc/boot/grub/grub.conf]
        
        Build & install ip_wccp module
        
           gcc [flags collected above] -o ip_wccp.o ip_wccp.c
        
        mkdir /lib/modules/2.4.XX-yycustom/net
           cp ip_wccp.o /lib/modules/2.4.XX-yycustom/net/
           depmod -a
        Load ip_wccp module and verify WCCP functionality
           modprobe ip_wccp
        Set up the system to load ip_wccp automatically on system boot
           echo "modprobe ip_wccp" >>/etc/rc.d/rc.local
           [alternatively add the modprobe line to /etc/rc.d/init.d/squid]
        -----------------
               
        
        WCCP on 6509
        ---------------
        ip wccp version 1
        ip wccp web-cache
        -----------------
        
        WCCP on vlan Int
        ---------------
        ip wccp web-cache redirect out
        ---------------
        sh ip wccp web-cache
        ------------------------------------------------------------
        Global WCCP information:
            Router information:
                Router Identifier: xxxx.xxxx.xxxx.xxx
                Protocol Version: 1.0
        
            Service Identifier: web-cache
                Number of Cache Engines: 1
                Number of routers: 1
                Total Packets Redirected: 10
                Redirect access-list: -none-
                Total Packets Denied Redirect: 0
                Total Packets Unassigned: 0
                Group access-list: -none-
                Total Messages Denied to Group: 0
                Total Authentication failures: 0
        ------------------------------------------------------------
        
        sh ip wccp web-cache view
        ----------------------------------
            WCCP Routers Informed of:
                -none-
        
            WCCP Cache Engines Visible:
                203.162.202.133
        
            WCCP Cache Engines NOT Visible:
                -none-
        ------------------------------------
        
        sh ip wccp web-cache detail
        ----------------------------------------------
        WCCP Cache-Engine information:
                IP Address: 203.162.202.133
                Protocol Version: 0.4
                State: Usable
                Redirection: GRE
                Initial Hash Info: 00000000000000000000000000000000
                                       00000000000000000000000000000000
                Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                                       FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                Hash Allotment: 256 (100.00%)
                Packets Redirected: 0
                Connect Time: 00:41:25
        --------------------------------------------------
        
        [squid@cache-2 sbin]$ lsmod
        Module Size Used by Not tainted
        ipt_REDIRECT 1272 2 (autoclean)
        iptable_nat 19448 1 (autoclean) [ipt_REDIRECT]
        ip_conntrack 24960 1 (autoclean) [ipt_REDIRECT iptable_nat]
        ip_wccp 1832 0 (unused)
        parport_pc 17028 1 (autoclean)
        lp 8292 0 (autoclean)
        parport 33120 1 (autoclean) [parport_pc lp]
        autofs 11860 0 (autoclean) (unused)
        e100 54148 1
        ipt_REJECT 3512 6 (autoclean)
        iptable_filter 2284 1 (autoclean)
        ip_tables 13624 6 [ipt_REDIRECT iptable_nat ipt_REJECT
        iptable_filter]
        keybdev 2688 0 (unused)
        mousedev 5044 1
        hid 20100 0 (unused)
        input 5472 0 [keybdev mousedev hid]
        usb-uhci 23692 0 (unused)
        ehci-hcd 17480 0 (unused)
        usbcore 71136 1 [hid usb-uhci ehci-hcd]
        ext3 61792 2
        jbd 46612 2 [ext3]
        ------------------------------------------------------
        
        [root@cache-2 sbin]# iptables -t nat -L
        Chain PREROUTING (policy ACCEPT)
        target prot opt source destination
        REDIRECT tcp -- anywhere anywhere tcp dpt:http
        redir ports 3128
        
        Chain POSTROUTING (policy ACCEPT)
        target prot opt source destination
        
        Chain OUTPUT (policy ACCEPT)
        target prot opt source destination
        [root@cache-2 sbin]#
        --------------------------------------------------------
        
        
        
        
        ________________________________________________________________________
        This e-mail has been scanned for all viruses by Star. The
        service is powered by MessageLabs. For more information on a proactive
        anti-virus service working around the clock, around the globe, visit:
        http://www.star.net.uk
        ________________________________________________________________________
        
Received on Fri Jan 21 2005 - 02:42:48 MST
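
The reply at the top of this message asks how the "administratively prohibited" ICMP messages relate to the client, squid box and next-hop router addresses. The sketch below is an added example, not part of the original thread: it rejoins the wrapped `debug ip icmp` lines and labels each address by role. The private addresses, role table and sample log are constructed for illustration.

```python
import re
from collections import Counter

# Constructed test topology on private addresses (assumed, not from the thread).
ROLES = {"10.0.0.10": "test client", "10.0.1.20": "test web server",
         "10.0.2.5": "squid box", "10.0.3.1": "next-hop router"}

# Constructed debug output in the wrapped two-line layout quoted in the thread.
SAMPLE_DEBUG = """\
1w5d: ICMP: dst (10.0.1.20) administratively prohibited unreachable
sent to 10.0.0.10
1w5d: WCCP-PKT: Received valid Here_I_Am packet from 10.0.2.5
w/rcvd_id 00000069
1w5d: ICMP: dst (10.0.1.20) administratively prohibited unreachable
sent to 10.0.2.5
1w5d: ICMP: dst (192.168.9.9) administratively prohibited unreachable
sent to 10.0.0.10
"""

RECORD_START = re.compile(r"^\S+: [A-Z][\w-]*: ")  # e.g. "1w5d: ICMP: "
ICMP_RE = re.compile(
    r"ICMP: dst \((?P<dst>[\d.]+)\) administratively prohibited unreachable"
    r"\s+sent to (?P<to>[\d.]+)"
)

def unwrap(text):
    """Rejoin continuation lines so each debug message is one record."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def classify(text, roles):
    """Count (sender role, blocked destination role) pairs; the unreachable
    is sent back to the sender of the packet the access list blocked."""
    pairs = Counter()
    for rec in unwrap(text):
        m = ICMP_RE.search(rec)
        if m:
            pairs[(roles.get(m["to"], "unknown"), roles.get(m["dst"], "unknown"))] += 1
    return pairs

def summarize(pairs):
    return [f"{n} packet(s) from {src} to {dst} blocked by an access list"
            for (src, dst), n in sorted(pairs.items())]
```

Lines whose sender or destination comes out as "unknown" involve addresses outside the documented test and can be set aside while checking the single client/server pair in the redirect list.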

This archive was generated by hypermail pre-2.1.9 : Mon Mar 07 2005 - 12:59:36 MST