[squid-users] CentOS 5.1, Squid, PIX WCCP

From: Dennis B. Hopp <dhopp@dont-contact.us>
Date: Tue, 05 Feb 2008 15:30:57 -0600

I'm trying to get squid to use WCCP v2 with a cisco PIX. The PIX has
ios 7.2(1) on it which has the WCCP feature.

The linux box I'm using is running CentOS 5.1 (kernel
2.6.18-53.1.6.el5). squid 2.6.STABLE6-5.el5_1.2. I have also tried
the latest 2.6.STABLE18 with the same results.

The WCCP seems to work except when going to certain sites
(foxnews.com, cnn.com, espn.com, msnbc.com to name a few). What
happens with those sites is the browser will go to "waiting for ..."
or "transferring data from ..." and never gets past that. In the
squid access.log I see the request for the site but nothing else.
Sometimes I get part of the page loaded (anywhere from 50-90% of the
page).

I can go to other sites fine though. If I configure my browser to use
squid as a proxy then the sites load fine, so it's something with wccp
or my configuration of it. I don't know where to start to determine
what the problem is.

PIX configuration:

wccp web-cache redirect-list WCCP_REDIRECT
wccp interface inside web-cache redirect in

access-list WCCP_REDIRECT extended permit tcp host 172.22.1.245 any

NOTE: I'm currently only forcing one host to use WCCP.

Squid Configuration:

http_port 10.1.4.100:3128 transparent
wccp2_router 172.22.0.2
wccp2_rebuild_wait on
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
cache_dir aufs /var/spool/squid/cache0 8000 16 256
cache_dir aufs /var/spool/squid/cache1 8000 16 256
cache_dir aufs /var/spool/squid/cache2 8000 16 256

I have done this to the linux system as well:

eth0 has IP of 10.1.4.100/24

modify /etc/sysctl.conf

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 0

modprobe ip_gre

ifconfig gre0 10.1.4.100 netmask 255.255.255.255 up

I've tried using a different ip that isn't assigned to eth0 and wccp
doesn't work at all.

iptables -t nat -A PREROUTING -i gre0 -p tcp --dport 80 -j DNAT --to-destination 10.1.4.100:3128

Any ideas?

Thanks,

--Dennis
Received on Tue Feb 05 2008 - 14:31:06 MST