[squid-users] Transparent WCCP/GRE HTTPS issue

From: Jason Gauthier <jgauthier@dont-contact.us>
Date: Thu, 6 Dec 2007 21:33:29 -0500

All,
 
  I tried to be concise with the subject ;) Let me get started. I'm
having a problem, and need some advice. I will try and lay this out:
I'm using squid (STABLE16), some dansguardian, and an ASA. I'm using
two systems for proxy. One is NTLM based, the other is transparent.

My specific issue here is the transparent side. Basically, squid is
connecting to my Cisco ASA (GRE tunnel) and registering with the WCCP
engine.
It takes the request, passes it to dansguardian, which then passes it
to another instance of squid. I know this isn't ideal, but it was
necessary (I don't want to get into the hows or whys - trust me that it
works great for what it's doing). The instance of squid that does the
WCCP connection does no logging and no caching.
It's simply to grab the transparent connections so they can be processed
by DG, and my other squid.

Here is how I am setting up the GRE tunnel and iptables to capture the
packets.

ip tunnel add wccp mode gre remote 192.168.79.1 local 192.168.79.2 dev eth3
/sbin/ip addr add 192.168.79.2 dev wccp
/sbin/ip link set wccp up

iptables -F -t nat
iptables -t nat -A PREROUTING -i wccp -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.79.2:3129

(my IP is 79.2, and the ASA is 79.1; 3129 is my squid running on the
local system - no cache or log)
Very basic stuff, right out of the squid wiki (which is great).

My ASA is configured to capture 4 interfaces, with some access-lists:
(omitted the IP access lists for size)

wccp web-cache redirect-list wccp
wccp interface inside web-cache redirect in
wccp interface vpndmz web-cache redirect in
wccp interface wireless web-cache redirect in
wccp interface wirelessdmz web-cache redirect in

With this configuration as is, my transparent proxy is working exactly
how I wanted.
Then, the trouble began. I've noticed https based traffic times out..
but only from some of the interfaces.
From the 'vpndmz', I can log into gmail. But from 'wireless' it simply
times out after a while.
This happens with many many https based web pages.

I ran a tcpdump and you can see that nothing is happening:

20:45:06.878518 IP 192.168.78.45.3654 > od-in-f99.google.com.https: . ack 4656 win 65535
20:45:06.878528 IP 192.168.78.45.3654 > od-in-f99.google.com.https: . ack 4656 win 65535
20:45:10.544927 IP 192.168.78.45.3648 > an-in-f18.google.com.www: . 1912:3372(1460) ack 1748 win 65535
20:45:10.544933 IP 192.168.78.45.3648 > an-in-f18.google.com.www: . 1912:3372(1460) ack 1748 win 65535
20:45:25.743229 IP 192.168.78.45.3648 > an-in-f18.google.com.www: . 1912:3372(1460) ack 1748 win 65535
20:45:25.743650 IP 192.168.78.45.3648 > an-in-f18.google.com.www: . 1912:3372(1460) ack 1748 win 65535
20:45:56.124193 IP 192.168.78.45.3648 > an-in-f18.google.com.www: . 1912:3372(1460) ack 1748 win 65535
20:45:56.124200 IP 192.168.78.45.3648 > an-in-f18.google.com.www: . 1912:3372(1460) ack 1748 win 65535
20:46:34.314300 IP od-in-f99.google.com.www > 192.168.78.45.3647: F 7657:7657(0) ack 1046 win 7896
20:46:34.314307 IP od-in-f99.google.com.www > 192.168.78.45.3647: F 7657:7657(0) ack 1046 win 7896
20:46:34.314310 IP 192.168.78.45.3647 > od-in-f99.google.com.www: . ack 7658 win 65535
20:46:34.314313 IP 192.168.78.45.3647 > od-in-f99.google.com.www: . ack 7658 win 65535
20:46:56.934605 IP 192.168.78.45.3654 > od-in-f99.google.com.https: R 3596:3596(0) ack 4656 win 0
20:46:56.934612 IP 192.168.78.45.3654 > od-in-f99.google.com.https: R 3596:3596(0) ack 4656 win 0
20:46:56.936370 IP 192.168.78.45.3655 > an-in-f18.google.com.www: . 2788953795:2788955255(1460) ack 256288053 win 65535
20:46:56.936654 IP 192.168.78.45.3655 > an-in-f18.google.com.www: . 0:1460(1460) ack 1 win 65535
20:46:56.936659 IP 192.168.78.45.3655 > an-in-f18.google.com.www: P 1460:1544(84) ack 1 win 65535
20:46:56.936662 IP 192.168.78.45.3655 > an-in-f18.google.com.www: P 1460:1544(84) ack 1 win 65535
20:46:59.993789 IP 192.168.78.45.3655 > an-in-f18.google.com.www: . 0:1460(1460) ack 1 win 65535
20:46:59.994012 IP 192.168.78.45.3655 > an-in-f18.google.com.www: . 0:1460(1460) ack 1 win 65535
20:47:18.256077 IP 192.168.78.45.3655 > an-in-f18.google.com.www: . 0:1460(1460) ack 1 win 65535
20:47:18.256084 IP 192.168.78.45.3655 > an-in-f18.google.com.www: . 0:1460(1460) ack 1 win

Https traffic should not be in question here.. it shouldn't be extracted
from the stack by iptables.. all in all.. it shouldn't be happening..
but it is.
Thanks for reading this lengthy text. Your advice is welcome.

Jason
Received on Thu Dec 06 2007 - 19:33:49 MST
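An added diagnostic, not from the post or from the squid project, that parses tcpdump lines in the format shown above and flags flows that keep resending the same segment with nothing coming back; two copies of a packet microseconds apart are treated as the capture seeing one packet twice (e.g. on the GRE and the physical interface) rather than as a retransmission. The sample lines are constructed after the capture in the post.

```python
import re
from collections import defaultdict

# Constructed sample in the one-packet-per-line tcpdump format from the post.
SAMPLE_CAPTURE = """\
20:45:10.544927 IP 192.168.78.45.3648 > an-in-f18.google.com.www: . 1912:3372(1460) ack 1748 win 65535
20:45:10.544933 IP 192.168.78.45.3648 > an-in-f18.google.com.www: . 1912:3372(1460) ack 1748 win 65535
20:45:25.743229 IP 192.168.78.45.3648 > an-in-f18.google.com.www: . 1912:3372(1460) ack 1748 win 65535
20:45:56.124193 IP 192.168.78.45.3648 > an-in-f18.google.com.www: . 1912:3372(1460) ack 1748 win 65535
20:46:34.314300 IP od-in-f99.google.com.www > 192.168.78.45.3647: F 7657:7657(0) ack 1046 win 7896
20:46:34.314310 IP 192.168.78.45.3647 > od-in-f99.google.com.www: . ack 7658 win 65535
20:46:56.934605 IP 192.168.78.45.3654 > od-in-f99.google.com.https: R 3596:3596(0) ack 4656 win 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[.SPFR]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?(?: ack \d+)?(?: win \d*)?"
)

def analyse(capture, dup_window=0.001):
    """Per directional flow: retransmitted data segments, RST seen, reverse direction seen.
    The same segment repeated within dup_window seconds is one packet captured twice
    (GRE interface plus physical interface), not a retransmission."""
    flows = defaultdict(lambda: {"retrans": 0, "rst": False, "reverse_seen": False})
    last_seen = {}  # (flow, seq, end) -> timestamp of the last accepted copy
    for line in capture.splitlines():
        pkt = LINE_RE.match(line)
        if not pkt:
            continue
        flow = (pkt["src"], pkt["dst"])
        f = flows[flow]  # also records ack-only flows
        if "R" in pkt["flags"]:
            f["rst"] = True
        if pkt["len"] and int(pkt["len"]) > 0:
            h, m, s = pkt["ts"].split(":")
            t = int(h) * 3600 + int(m) * 60 + float(s)
            key = (flow, pkt["seq"], pkt["end"])
            if key not in last_seen:
                last_seen[key] = t
            elif t - last_seen[key] > dup_window:  # same bytes again, later: a retransmit
                f["retrans"] += 1
                last_seen[key] = t
    for src, dst in list(flows):
        flows[(src, dst)]["reverse_seen"] = (dst, src) in flows
    return dict(flows)

def stalled_flows(capture, min_retrans=2):
    """Flows that keep resending one segment while nothing comes back from the peer."""
    return sorted(k for k, v in analyse(capture).items()
                  if v["retrans"] >= min_retrans and not v["reverse_seen"])
```

Run it over a capture taken with `tcpdump -n -i any`: stalled flows whose destination port was never DNATed by the rule above show which interfaces' traffic is reaching the proxy host without a rule to handle it.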
