Re: [squid-users] Re: Strange issues with squid

On Thu, Jan 17, 2008, Ryan Thoryk wrote:

> Well in our current setup, we have 4 cisco 7200 routers (IOS 12.2(27))
> redirecting to the first squid machine (squid is currently shut down on
> it, due to the problems), and so it's not something we can easily test
> that way. If I can get a test machine up somewhere on that part of the
> network, and have a router redirect for just that machine, then I'd be
> able to test it fully.

It might be an IOS release issue then. You may need to upgrade to some
more recent?

If you're really nice then I can load that IOS version on the 7200 I have
here. Let me know the output of "show ver" and I'll see what I can do.

> The 2nd squid machine gets redirects from a cisco switch, and is still
> running without any noticeable problems. Also the reports I currently
> have show that the problems were happening with users on the 4th router,
> but I have no way of verifying that it was just the 4th.

Which platform/IOS version? That switch will be doing L2 redirect.

> I took a few tcpdump captures but they were only on the ethernet
> interface (not gre), and seemed fine. But with what I said previously,
> it's starting to seem like it's either an issue with the GRE tunnels
> (either on the router side, or with squid), since it seems to be fine
> with the switch & the L2 forwarding redirection method. I also read
> this in a Squid FAQ, but don't know if it's still relevant or if it was
> fixed:
>
> "Some people report problems with WCCP and IOS 12.x. They see truncated
> or fragmented GRE packets arriving at the cache. Apparently it works if
> you disable Cisco Express Forwarding for the interface"

Well, its for some IOS releases. The trick here is to realise the GRE MTU
will be smaller than the ethernet MTU, so you need to make certain that
all packets that'll come to you over GRE will fit unfragmented inside it.
You do this by ensuring the MSS the Squid box negotiates on its incoming
and outgoing TCP connections is less than the default (1460); something
like 1360 would definitely bypass the GRE packet size issue.

Its also potentially a topology related issue. Its hard to tell without
a diagram and set of configs. :)

Adrian

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -