Re: [squid-users] WCCPv2 strangeness

From: Jason Taylor <j@dont-contact.us>
Date: Mon, 04 Dec 2006 18:07:43 -0500

Here is the pertinent info...

Cheers,

/Jason

=====<begin cisco section>=====
ip wccp web-cache redirect-list WCCP-USERS group-list WCCP-PROXIES

ip access-list standard WCCP-PROXIES
  permit 192.168.40.32 0.0.0.15

ip access-list standard WCCP-USERS
  permit 10.160.100.10
  permit 10.160.100.8
  permit 10.160.104.10
  permit 10.160.100.38

proxy vlan interface:
interface Vlan2005
  ip address 192.168.40.33 255.255.255.240
  no ip route-cache cef
  no ip mroute-cache

incoming interface for everybody:
  ip wccp web-cache redirect in

interface Loopback0
  ip address 172.20.1.72 255.255.255.255

RPCO1C6K1#sh ip wccp web-cache detail
WCCP Cache-Engine information:
         Web Cache ID: 192.168.40.37
         Protocol Version: 2.0
         State: Usable
         Redirection: GRE
         Packet Return: GRE
         Assignment: HASH
         Initial Hash Info: 00000000000000000000000000000000
                                00000000000000000000000000000000
         Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                                FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
         Hash Allotment: 256 (100.00%)
         Packets Redirected: 5
         Connect Time: 00:07:11

RPCO1C6K1#sh ip wccp
Global WCCP information:
     Router information:
         Router Identifier: 172.20.1.72
         Protocol Version: 2.0

     Service Identifier: web-cache
         Number of Cache Engines: 1
         Number of routers: 1
         Total Packets Redirected: 46
         Redirect access-list: WCCP-USERS
         Total Packets Denied Redirect: 0
         Total Packets Unassigned: 30
         Group access-list: WCCP-PROXIES
         Total Messages Denied to Group: 0
         Total Authentication failures: 0
=====<end of cisco section>=====

=====<begin of squid wccp stuff>=====
http_port 192.168.40.37:8080 transparent
tcp_outgoing_address 192.168.40.37
cache_effective_user squid
visible_hostname spco1pxyA-1
wccp2_router 192.168.40.33
wccp2_rebuild_wait on
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service standard 0
wccp2_weight 256
wccp2_address 192.168.40.37
coredump_dir /var/squid/cache-prod1
=====<end of squid wccp stuff>=====

iptables -t nat -L:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere            tcp dpt:http to:192.168.40.37:8080

ip tunnel show | grep gre1:
gre1: gre/ip remote 172.20.1.72 local 192.168.40.37 dev eth2 ttl inherit

=====<begin forwarding and anti-spoofing section>=====
[root@localhost etc]# sysctl -a | egrep -w "forwarding|rp_filter"
net.ipv4.conf.gre1.rp_filter = 0
net.ipv4.conf.gre1.forwarding = 1
net.ipv4.conf.eth2.rp_filter = 0
net.ipv4.conf.eth2.forwarding = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.forwarding = 1
=====<end forwarding and anti-spoofing section>=====

Adrian Chadd wrote:
> On Mon, Dec 04, 2006, Jason Taylor wrote:
>
>> However, a tcpdump on the GRE interface of the squid shows only the
>> first packet (SYN).
>> A tcpdump on the eth2 (where squid is listening) shows the SYN-ACK
>> packet being sent back to the workstation.
>
> What's the wccp config on the router look like?
> What's the wccp config on the squid(s) look like?
> What's the redirection config (iptables) look like? And hm, have
> you disabled anti-spoof checks on the Linux box (rp_filter)?
>
>
> adrian
>
Received on Mon Dec 04 2006 - 16:07:51 MST
