Re: [squid-users] Transparent WCCP/GRE HTTPS issue

From: Adrian Chadd <adrian@dont-contact.us>
Date: Fri, 7 Dec 2007 11:53:16 +0900

I'm pretty sure WCCPv2 is only supported on the same interface as the
clients. You'd have to run multiple interfaces w/ multiple instances.

Adrian

On Thu, Dec 06, 2007, Jason Gauthier wrote:
> All,
>
> I tried to be concise with the subject ;) Let me get started. I'm
> having a problem, and need some advice. I will try and lay this out:
> I'm using squid (STABLE16), some dansguardian, and an ASA. I'm using
> two systems for proxy. One is NTLM based, the other is transparent.
>
> My specific issue here is the transparent side. Basically, squid is
> connecting to my Cisco ASA (GRE tunnel) and registering with the WCCP
> engine.
> It takes the request, passes it to dansguardian, which then passes it to
> another instance of squid. I know this isn't ideal, but it was
> necessary (I don't want to get into the hows or whys - trust me that it
> works great for what it's doing). The instance of squid that does the
> WCCP connection does no logging and no caching.
> It's simply to grab the transparent connections so they can be processed
> by DG, and my other squid.
>
> Here is how I am setting up the GRE tunnel and iptables to capture the
> packets.
>
> ip tunnel add wccp mode gre remote 192.168.79.1 local 192.168.79.2 dev eth3
> /sbin/ip addr add 192.168.79.2 dev wccp
> /sbin/ip link set wccp up
>
> iptables -F -t nat
> iptables -t nat -A PREROUTING -i wccp -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.79.2:3129
>
> (my IP is 79.2, and the ASA is 79.1, 3129 is my squid running on the
> local system - no cache or log)
> Very basic stuff, right out of the squid wiki (which is great)
>
> My ASA is configured to capture 4 interfaces, with some access-lists:
> (omitted the IP access lists for size)
>
> wccp web-cache redirect-list wccp
> wccp interface inside web-cache redirect in
> wccp interface vpndmz web-cache redirect in
> wccp interface wireless web-cache redirect in
> wccp interface wirelessdmz web-cache redirect in
>
> With this configuration as is, my transparent proxy is working exactly
> how I wanted.
> Then, the trouble began. I've noticed https based traffic times out..
> but only from some of the interfaces.
> From the 'vpndmz', I can log into gmail. But from 'wireless' it simply
> times out after a while.
> This happens with many many https based web pages.
>
> I ran a tcpdump and you can see that nothing is happening:
>
> 20:45:06.878518 IP 192.168.78.45.3654 > od-in-f99.google.com.https: .
> ack 4656 win 65535
> 20:45:06.878528 IP 192.168.78.45.3654 > od-in-f99.google.com.https: .
> ack 4656 win 65535
> 20:45:10.544927 IP 192.168.78.45.3648 > an-in-f18.google.com.www: .
> 1912:3372(1460) ack 1748 win 65535
> 20:45:10.544933 IP 192.168.78.45.3648 > an-in-f18.google.com.www: .
> 1912:3372(1460) ack 1748 win 65535
> 20:45:25.743229 IP 192.168.78.45.3648 > an-in-f18.google.com.www: .
> 1912:3372(1460) ack 1748 win 65535
> 20:45:25.743650 IP 192.168.78.45.3648 > an-in-f18.google.com.www: .
> 1912:3372(1460) ack 1748 win 65535
> 20:45:56.124193 IP 192.168.78.45.3648 > an-in-f18.google.com.www: .
> 1912:3372(1460) ack 1748 win 65535
> 20:45:56.124200 IP 192.168.78.45.3648 > an-in-f18.google.com.www: .
> 1912:3372(1460) ack 1748 win 65535
> 20:46:34.314300 IP od-in-f99.google.com.www > 192.168.78.45.3647: F
> 7657:7657(0) ack 1046 win 7896
> 20:46:34.314307 IP od-in-f99.google.com.www > 192.168.78.45.3647: F
> 7657:7657(0) ack 1046 win 7896
> 20:46:34.314310 IP 192.168.78.45.3647 > od-in-f99.google.com.www: . ack
> 7658 win 65535
> 20:46:34.314313 IP 192.168.78.45.3647 > od-in-f99.google.com.www: . ack
> 7658 win 65535
> 20:46:56.934605 IP 192.168.78.45.3654 > od-in-f99.google.com.https: R
> 3596:3596(0) ack 4656 win 0
> 20:46:56.934612 IP 192.168.78.45.3654 > od-in-f99.google.com.https: R
> 3596:3596(0) ack 4656 win 0
> 20:46:56.936370 IP 192.168.78.45.3655 > an-in-f18.google.com.www: .
> 2788953795:2788955255(1460) ack 256288053 win 65535
> 20:46:56.936654 IP 192.168.78.45.3655 > an-in-f18.google.com.www: .
> 0:1460(1460) ack 1 win 65535
> 20:46:56.936659 IP 192.168.78.45.3655 > an-in-f18.google.com.www: P
> 1460:1544(84) ack 1 win 65535
> 20:46:56.936662 IP 192.168.78.45.3655 > an-in-f18.google.com.www: P
> 1460:1544(84) ack 1 win 65535
> 20:46:59.993789 IP 192.168.78.45.3655 > an-in-f18.google.com.www: .
> 0:1460(1460) ack 1 win 65535
> 20:46:59.994012 IP 192.168.78.45.3655 > an-in-f18.google.com.www: .
> 0:1460(1460) ack 1 win 65535
> 20:47:18.256077 IP 192.168.78.45.3655 > an-in-f18.google.com.www: .
> 0:1460(1460) ack 1 win 65535
> 20:47:18.256084 IP 192.168.78.45.3655 > an-in-f18.google.com.www: .
> 0:1460(1460) ack 1 win
>
> HTTPS traffic should not be in question here; it shouldn't be extracted
> from the stack by iptables. All in all, it shouldn't be happening,
> but it is.
> Thanks for reading this lengthy text. Your advice is welcome.
>
> Jason

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
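The capture quoted above is the kind of evidence worth summarising rather than eyeballing: the same 1460-byte segment re-sent again and again on the port-80 flows, and an HTTPS flow that ends in a reset with a zero window. The following script is an added example, not code from this thread or from the Squid project. It parses the old single-line tcpdump format the post uses, groups packets into unidirectional flows, counts repeated data segments (retransmissions), and flags flows that stall or reset. The sample capture embedded in it is constructed for the example (the post's lines were wrapped by the mail client and are re-joined here with illustrative values); the helper names and the `min_retransmits` threshold are this example's own choices.

```python
"""Summarise stalled or reset TCP flows from tcpdump one-liners (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample in the single-line tcpdump format used in the post.
# The post's lines were wrapped by the mail client; these are re-joined and
# the values are illustrative only.
SAMPLE_CAPTURE = """\
20:45:06.878518 IP 192.168.78.45.3654 > od-in-f99.google.com.https: . ack 4656 win 65535
20:45:10.544927 IP 192.168.78.45.3648 > an-in-f18.google.com.www: . 1912:3372(1460) ack 1748 win 65535
20:45:25.743229 IP 192.168.78.45.3648 > an-in-f18.google.com.www: . 1912:3372(1460) ack 1748 win 65535
20:45:56.124193 IP 192.168.78.45.3648 > an-in-f18.google.com.www: . 1912:3372(1460) ack 1748 win 65535
20:46:34.314300 IP od-in-f99.google.com.www > 192.168.78.45.3647: F 7657:7657(0) ack 1046 win 7896
20:46:34.314310 IP 192.168.78.45.3647 > od-in-f99.google.com.www: . ack 7658 win 65535
20:46:56.934605 IP 192.168.78.45.3654 > od-in-f99.google.com.https: R 3596:3596(0) ack 4656 win 0
20:46:56.936654 IP 192.168.78.45.3655 > an-in-f18.google.com.www: . 0:1460(1460) ack 1 win 65535
20:46:56.936659 IP 192.168.78.45.3655 > an-in-f18.google.com.www: P 1460:1544(84) ack 1 win 65535
20:46:59.993789 IP 192.168.78.45.3655 > an-in-f18.google.com.www: . 0:1460(1460) ack 1 win 65535
20:47:18.256077 IP 192.168.78.45.3655 > an-in-f18.google.com.www: . 0:1460(1460) ack 1 win 65535
"""

# timestamp, "IP src > dst:", TCP flags, optional seq:end(len), optional ack, optional win
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[.SFRPW]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?"
)


def split_endpoint(endpoint):
    """'host.www' -> ('host', 'www'): tcpdump appends the port after a final dot."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_line(line):
    """Parse one tcpdump line into a dict, or return None for unrecognised text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return {
        "ts": g["ts"],
        "src": g["src"],
        "dst": g["dst"],
        "flags": g["flags"],
        "seg": (int(g["seq"]), int(g["end"])) if g["seq"] else None,
        "len": int(g["len"]) if g["len"] else 0,
        "ack": int(g["ack"]) if g["ack"] else None,
        "win": int(g["win"]) if g["win"] else None,
    }


def service_of(pkt):
    """Name the conversation by its well-known side: a named port beats an ephemeral number."""
    ports = [split_endpoint(pkt["src"])[1], split_endpoint(pkt["dst"])[1]]
    named = [p for p in ports if not p.isdigit()]
    if named:
        return named[0]
    return str(min(int(p) for p in ports))


def analyse(capture_text):
    """Return {(src, dst): stats} for every unidirectional flow in the capture."""
    flows = {}
    seen_segments = defaultdict(Counter)  # per flow: how often each data segment appeared
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = (pkt["src"], pkt["dst"])
        st = flows.setdefault(key, {"service": service_of(pkt), "packets": 0,
                                    "retransmits": 0, "reset": False,
                                    "zero_window": False})
        st["packets"] += 1
        if "R" in pkt["flags"]:
            st["reset"] = True
        if pkt["win"] == 0:
            st["zero_window"] = True
        if pkt["len"] > 0:
            seen_segments[key][pkt["seg"]] += 1
            if seen_segments[key][pkt["seg"]] > 1:  # same bytes sent again
                st["retransmits"] += 1
    return flows


def stalled_flows(flows, min_retransmits=2):
    """Flows in which data segments were re-sent at least min_retransmits times."""
    return {k: v for k, v in flows.items() if v["retransmits"] >= min_retransmits}


def affected_services(flows):
    """Services (port names) that show either stalling or a reset."""
    return {v["service"] for v in flows.values() if v["retransmits"] >= 2 or v["reset"]}


if __name__ == "__main__":
    report = analyse(SAMPLE_CAPTURE)
    for (src, dst), st in report.items():
        print(f"{src} > {dst}: {st}")
    print("stalled:", list(stalled_flows(report)))
    print("affected services:", affected_services(report))
```

Run against a real capture, pipe `tcpdump -n -i <iface>` output into `analyse()` instead of the embedded sample; the per-flow `service` field is what lets you check the poster's point, namely whether only port-80 flows (the ones the DNAT rule should touch) are the ones stalling, or whether HTTPS flows from the same interface are affected as well.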
Received on Thu Dec 06 2007 - 19:47:24 MST
