Re: [squid-users] Wccp/ transparent proxy/ gmail

From: Adrian Chadd <adrian@dont-contact.us>
Date: Thu, 8 Nov 2007 08:02:31 +0900

Check the standard stuff - disable TCP Window scaling/rfc1323?, ECN, set
the MTU to <1500 via a route statement (not ifconfig eth0 mtu 1400!); etc.

You're also not using the tproxy stuff the way it should be, it won't be
fully transparent in this setup. You're no better off using tproxy here than
normal netfilter (you're using "transparent" instead of "tproxy", you've only
created one wccp service group and not two, and I'm not sure that iptables
rule is going to be sufficient for proper TPROXY support.)

Finally, it'd be helpful to know which ASA/PIX software version and hardware
platform you're using this on.

Adrian

On Wed, Nov 07, 2007, Santos, Ruben wrote:
> We recently deployed a squid server with tproxy and wccp. I followed some of
> the steps listed at
> http://wiki.squid-cache.org/ConfigExamples/FullyTransparentWithTPROXY,
> compiling tproxy support on iptables, squid, and recompiling the linux
> kernel with tproxy support. We are able to browse all sites, but receive
> timeouts after logging into Gmail or Hotmail. Yahoo mail seems to work.
>
> Can anyone point me in the right direction, and tell me what I may be doing
> wrong? BTW, we are using PIX for wccp, and have compiled ip_wccp.
>
> Squid Conf:
>
> debug_options ALL,1
> http_port 3128 transparent
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> access_log /var/log/squid/access.log squid
> hosts_file /etc/hosts
> log_fqdn on
> cache_dir ufs /var/spool/squid 2048 16 256
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl EDN src X.X.X.X/X
> acl all src 0.0.0.0/0.0.0.0
> acl CONNECT method CONNECT
> visible_hostname mirror2.pelco.org
> http_access allow all
> http_reply_access allow all
>
> visible_hostname mirror2.pelco.org
> coredump_dir /var/spool/squid
> always_direct allow all
> # memory mgmt ----------
> #cache_mem 100 MB
> #maximum_object_size 10 MB
> #-----------------------
> cache_effective_user squid
>
> # WCCP
> wccp2_router x.x.x.x
> wccp2_service standard 0
>
> iptables:
> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128
>

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
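The changes Adrian lists above, written out as an added example that is not part of the thread and not the Squid project's own configuration. It assumes a 2.6-era squid with the cttproxy patch (the setup on the wiki page Ruben cites), so that `tproxy` is a valid http_port option alongside `transparent`; it assumes eth0 faces the PIX, that 192.168.1.1 is both the default gateway and the WCCPv2 router address, and that squid listens on 3128. The two dynamic WCCP service groups follow the `wccp2_service_info` syntax in squid.conf.documented; the service ids 80/90 and priority 240 are assumptions. The PIX side of WCCP is not shown, and the iptables rule is reproduced as posted, since the reply only questions it without giving a replacement.

```shell
#!/bin/sh
# Added example, not code from the original thread or from the Squid project.
# Assumptions (adjust to your network): eth0 faces the PIX, 192.168.1.1 is
# both the default gateway and the PIX address that speaks WCCPv2, squid
# listens on 3128, and squid is a 2.6-era build with the cttproxy patch, so
# 'tproxy' is a valid http_port option (on 3.1+ 'tproxy' and 'transparent'
# are mutually exclusive).

IF=eth0
GW=192.168.1.1
WCCP_ROUTER=192.168.1.1
PORT=3128

# Squid side. 'wccp2_service standard 0' only diverts client->server packets.
# With TPROXY squid opens its outbound connection from the client's own
# address, so the server's replies are addressed to the client and must be
# diverted to squid too; that is the second, dynamic service group, hashed on
# destination (client) address and matched on source port 80.
# Service ids 80/90 and priority 240 are assumptions.
squid_wccp_conf() {
    cat <<EOF
http_port $PORT tproxy transparent
wccp2_router $WCCP_ROUTER
wccp2_forwarding_method 1
wccp2_return_method 1
# client -> server, hashed on source (client) address
wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
# server -> client return path, hashed on destination (client) address
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
EOF
}

# Host side: the "standard stuff" plus the cttproxy redirect rule as posted.
# Printed rather than executed, so it can be reviewed before anything changes.
host_tuning_cmds() {
    cat <<EOF
sysctl -w net.ipv4.tcp_window_scaling=0
sysctl -w net.ipv4.tcp_ecn=0
ip route replace default via $GW dev $IF mtu 1400
iptables -t tproxy -A PREROUTING -i $IF -p tcp -m tcp --dport 80 -j TPROXY --on-port $PORT
EOF
}

# Audit an existing squid.conf for the two mistakes named in the reply:
# an intercepting http_port without 'tproxy', and fewer than two WCCP
# service groups. Prints findings; returns 0 when clean, 1 otherwise.
audit_squid_conf() {
    f=$1
    rc=0
    if grep -q '^http_port ' "$f" && ! grep -q '^http_port .*tproxy' "$f"; then
        echo "http_port has no 'tproxy' option: squid will intercept but not spoof client addresses"
        rc=1
    fi
    n=$(grep -c '^wccp2_service ' "$f" || true)
    if [ "$n" -lt 2 ]; then
        echo "only $n wccp2_service line(s): the server->client return path is not diverted"
        rc=1
    fi
    return $rc
}

# Constructed copy of the relevant lines of the posted squid.conf.
posted_conf() {
    cat <<EOF
http_port 3128 transparent
wccp2_router $WCCP_ROUTER
wccp2_service standard 0
EOF
}

demo() {
    tmp=$(mktemp)
    posted_conf >"$tmp"
    echo "== audit of posted config =="
    audit_squid_conf "$tmp" || echo "(result: needs changes)"
    rm -f "$tmp"
    echo "== corrected squid.conf fragment =="
    squid_wccp_conf
    echo "== host commands to run as root =="
    host_tuning_cmds
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh tproxy-wccp.sh demo`: the audit flags both problems in the posted config, then the corrected fragment and the host commands are printed. Disabling window scaling and ECN costs throughput, so treat them as diagnostic toggles while narrowing down the Gmail/Hotmail timeouts rather than a permanent setting; the route-level MTU only affects the route you change, which is the point of doing it there instead of on the interface.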
Received on Wed Nov 07 2007 - 15:59:25 MST

This archive was generated by hypermail pre-2.1.9 : Sat Dec 01 2007 - 12:00:02 MST