Re: [squid-users] Squid and WCCP (ASA)

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Tue, 13 Nov 2007 22:35:41 +0100

On tis, 2007-11-13 at 09:34 -0500, Jason Gauthier wrote:

> I have multiple interfaces on this ASA that I want to make work. (4, to
> be exact).
> I've set squid to register with WCCP on the inside interface.
> Once I redirect traffic from the inside, it works.
> I have a wireless interface, where my "guests" go. This interface also
> works when I add it.
> I have two other interfaces. One for my VPN users, and the other for
> authenticated wireless users.
> NEITHER of these interfaces work, and I cannot figure out why. Cisco
> has claimed that:

I would guess that either firewalling or routing messes things up.

Have you verified with tcpdump how far things get? I.e. do you see the
SYN packets from those networks or is it completely silent?

Please remember that routing when using WCCP is a bit special. The cache
engine will respond with the originally contacted ip:port to the client
source ip:port, and this might easily get trapped in firewall or nat
rules when running WCCP on a firewall.

> "As the previous engineer quoted from the ASA config guide: "WCCP
> redirect is supported only on the ingress of an interface. The only
> topology that the security appliance supports is when client and cache
> engine are behind the same interface of the security appliance and the
> cache engine can directly communicate with the client without going
> through the security appliance.""

So I would say you are already bending the limits of what this device is
supposed to support.

Regards
Henrik
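
The tcpdump check suggested above, sketched as an added example that is not part of the original message or of Squid: it classifies how far the TCP handshake gets for clients of one network, given packet summaries taken on the cache box. The addresses, the row format and the `how_far` helper are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: inner TCP headers as read from a capture on the cache box,
# one row per packet: (src, sport, dst, dport, flags). Documentation addresses,
# not values from the thread.
TRACE = [
    ("192.0.2.10", 40001, "203.0.113.80", 80, "S"),      # inside client SYN
    ("203.0.113.80", 80, "192.0.2.10", 40001, "SA"),     # cache replies as origin
    ("192.0.2.10", 40001, "203.0.113.80", 80, "A"),      # client ACK
    ("198.51.100.20", 40002, "203.0.113.80", 80, "S"),   # VPN client SYN
    ("203.0.113.80", 80, "198.51.100.20", 40002, "SA"),  # reply leaves the cache
    ("198.51.100.20", 40002, "203.0.113.80", 80, "S"),   # SYN retransmit, no ACK
]

STAGES = (
    "silent: no SYN from this network reaches the cache (redirect or routing)",
    "SYN arrives but the cache never answers (interception on the cache box)",
    "SYN-ACK sent, never acknowledged: the reply sourced from the origin "
    "ip:port is lost on the return path (firewall or NAT rules)",
    "handshake completes",
)

def how_far(trace, client_net):
    """Return the index into STAGES of the furthest stage any flow reached."""
    net = ipaddress.ip_network(client_net)
    flows = {}  # (client ip, client port, origin ip, origin port) -> stage
    for src, sport, dst, dport, flags in trace:
        from_client = ipaddress.ip_address(src) in net
        to_client = ipaddress.ip_address(dst) in net
        if from_client:
            key = (src, sport, dst, dport)
        elif to_client:
            key = (dst, dport, src, sport)
        else:
            continue
        stage = flows.get(key, 0)
        if from_client and flags == "S":
            stage = max(stage, 1)        # a retransmitted SYN does not regress
        elif to_client and flags == "SA" and stage >= 1:
            stage = max(stage, 2)
        elif from_client and flags == "A" and stage >= 2:
            stage = 3
        flows[key] = stage
    return max(flows.values(), default=0)

if __name__ == "__main__":
    for net in ("192.0.2.0/24", "198.51.100.0/24", "10.9.0.0/16"):
        print(net, "->", STAGES[how_far(TRACE, net)])
```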

Received on Tue Nov 13 2007 - 14:35:56 MST
