[squid-users] WCCP2 + Cisco ASA + FreeBSD 6.3, gmail and hotmail not working

From: Miraj Shah <Miraj.Shah@dont-contact.us>
Date: Thu, 14 Feb 2008 08:38:12 +0200

Hello All,

I have run into some problems with two websites not being able to load when squid is configured with wccp2. I have followed the example by Adrian Chadd, and the wiki:

http://wiki.squid-cache.org/ConfigExamples/FreeBsdAndWccp2?highlight=%28%5EConfigExamples/%5B%5E/%5D%2A%24%29

http://wiki.squid-cache.org/SquidFaq/InterceptionProxy

Everything is working great until we open up http://mail.google.com and http://www.hotmail.com: the websites open up OK, you can enter the login credentials, it goes past the https stage, and just before getting to the emails the page goes quiet and blank. I have tested this on different computers and different browsers but get the same problem.

If I disable the squid and let the users browse through NAT on the ASA, they are able to get through to these two sites; also, when I reconfigure the squid to be non-transparent and change the settings on my browser to point to the proxy, I am able to open the two sites in question.

I don't see anything unusual in cache.log or access.log.

After googling around for a bit, I came across a site that mentioned lowering the MTU size on the GRE tunnel, which I did to 1400 and 1390, but it had no effect. (ifconfig gre0 mtu 1400)

For hotmail, the intercepting proxy guide mentions putting the following entries in squid.conf, but that did not help:

acl hotmail_domains dstdomain .hotmail.msn.com
header_access Accept-Encoding deny hotmail_domains

I know this is probably a repeated problem, though I hope someone can assist. Do let me know if there are any other details that you might need.

Many thanks, and kind regards,

Miraj Shah.

Here is a quick network diagram:
 
LAN - ASA - Router - Internet
   |
 Squid
 
Below is the config I have set up:
 
 
asa-firewall# sh run int vlan 10
!
interface Vlan10
 description Internet Interface
 nameif internet
 security-level 0
 ip address xxx.xxx.179.86 255.255.255.252

asa-firewall# sh run interface vlan 40
!
interface Vlan40
 description Inside Interface
 nameif inside
 security-level 100
 ip address 10.110.150.252 255.255.254.0

route internet 0.0.0.0 0.0.0.0 xxx.xxx.179.85 1
access-list inside_nat0_outbound extended permit ip any 10.110.150.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.110.150.0 255.255.254.0
wccp web-cache
wccp interface inside web-cache redirect in
 
asa-firewall# sh wccp web-cache detail
WCCP Cache-Engine information:
        Web Cache ID:          10.110.150.253
        Protocol Version:      2.0
        State:                 Usable
        Initial Hash Info:     00000000000000000000000000000000
                               00000000000000000000000000000000
        Assigned Hash Info:    00000000000000000000000000000000
                               00000000000000000000000000000000
        Hash Allotment:        0 (0.00%)
        Packets Redirected:    113242
        Connect Time:          00:00:12

asa-firewall# sh wccp web-cache
Global WCCP information:
    Router information:
        Router Identifier:                   xxx.xxx.179.86
        Protocol Version:                    2.0
    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            113242
        Redirect access-list:                -none-
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            241
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

asa-firewall# sh ver

Cisco Adaptive Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)

Compiled on Wed 22-Nov-06 14:16 by builders
System image file is "disk0:/asa722-k8.bin"
Config file at boot was "startup-config"

sarova-firewall up 3 days 3 hours

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Int: Internal-Data0/0    : address is 001b.531b.5bb2, irq 11
 1: Ext: Ethernet0/0         : address is 001b.531b.5baa, irq 255
 2: Ext: Ethernet0/1         : address is 001b.531b.5bab, irq 255
 3: Ext: Ethernet0/2         : address is 001b.531b.5bac, irq 255
 4: Ext: Ethernet0/3         : address is 001b.531b.5bad, irq 255
 5: Ext: Ethernet0/4         : address is 001b.531b.5bae, irq 255
 6: Ext: Ethernet0/5         : address is 001b.531b.5baf, irq 255
 7: Ext: Ethernet0/6         : address is 001b.531b.5bb0, irq 255
 8: Ext: Ethernet0/7         : address is 001b.531b.5bb1, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 20, DMZ Unrestricted
Inside Hosts                : Unlimited
Failover                    : Active/Standby
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
VPN Peers                   : 25
WebVPN Peers                : 2
Dual ISPs                   : Enabled
VLAN Trunk Ports            : 8

This platform has an ASA 5505 Security Plus license.

Serial Number: JMX1111Z0QV
Running Activation Key: 0xffffffff 0xffffffff 0xfffffffff 0xfffffffff 0xfffffffff
Configuration register is 0x1
Configuration last modified by enable_15 at 10:51:03.103 EAT Wed Feb 13 2008
 
 
###FreeBSD Setup###
 
#kernel config (extra)
proxy# cat /usr/src/sys/i386/conf/TransProxy
#---snip---#
options IPFIREWALL
options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE_LIMIT=500 #limit verbosity
options IPSTEALTH #support for stealth forwarding
options DUMMYNET
options NETGRAPH
options DEVICE_POLLING
options HZ=1000
options SHMSEG=128
options SHMMNI=256
options SHMMAX=50331648 # max shared memory segment size (bytes)
options SHMALL=16384 # max amount of shared memory (pages)
options MSGMNB=16384 # max # of bytes in a queue
options MSGMNI=48 # number of message queue identifiers
options MSGSEG=768 # number of message segments
options MSGSSZ=64 # size of a message segment
options MSGTQL=4096 # max messages in system
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT # if you intend to use NAT
device          apic                    # I/O APIC
device          gre
#---snip---#
 
proxy# cat /etc/rc.conf
gateway_enable="YES"
hostname="proxy.customer.co.ke"
ifconfig_bge0="inet 10.110.150.253 netmask 255.255.254.0"
defaultrouter="10.110.150.252"
keymap="uk.iso"
linux_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
firewall_enable="YES"
firewall_type="/etc/firewall.local"
squid_enable="YES"
ipfilter_enable="YES"
ipnat_enable="YES"
ipmon_enable="YES"
ipfs_enable="YES"
 
proxy# cat /etc/rc.local
#tunnel to cisco asa for transparent proxy
/sbin/ifconfig gre0 plumb
/sbin/ifconfig gre0 link2
/sbin/ifconfig gre0 tunnel 10.110.150.253 xxx.xxx.179.86
/sbin/ifconfig gre0 inet 1.1.1.1 1.1.1.2
 
proxy# ifconfig gre0
gre0: flags=d051<UP,POINTOPOINT,RUNNING,LINK0,LINK2,MULTICAST> mtu 1476
        tunnel inet 10.110.150.253 --> xxx.xxx.179.86
        inet 1.1.1.1 --> 1.1.1.2 netmask 0xff000000

proxy# cat /etc/firewall.local
add fwd 127.0.0.1,3128 tcp from any to any 80 recv gre0

proxy# ipfw show
00100  21909   3567762 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 recv gre0
65535 836384 314106493 allow ip from any to any

proxy# cat /etc/sysctl.conf
net.inet.icmp.icmplim=0
net.inet.tcp.msl=3000
kern.maxfilesperproc=65536
kern.maxfiles=262144
kern.ipc.maxsockets=131072
kern.ipc.somaxconn=1024
net.inet.tcp.recvspace=16384
net.inet.tcp.sendspace=16384
kern.ipc.nmbclusters=32768
net.inet.ip.forwarding=1

proxy# cat /usr/local/etc/squid/squid.conf
#---snip---#
http_port 127.0.0.1:3128 transparent
always_direct allow all
wccp2_router 10.110.150.252
wccp2_rebuild_wait on
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service standard 0
wccp2_weight 10000
wccp2_address 0.0.0.0
debug_options ALL,1
visible_hostname proxy.customer.co.ke
#---snip---# 
#---snip---#
#ACL's
acl my_network src 10.110.150.0/23
http_access allow my_network
http_access deny all
#---snip---#

proxy# cat /usr/local/squid/logs/cache.log
2008/02/13 10:42:01| Starting Squid Cache version 2.6.STABLE18 for i386-portbld-freebsd6.3...
2008/02/13 10:42:01| Process ID 6721
2008/02/13 10:42:01| With 32768 file descriptors available
2008/02/13 10:42:01| Using kqueue for the IO loop
2008/02/13 10:42:01| DNS Socket created at 0.0.0.0, port 63552, FD 6
2008/02/13 10:42:01| Adding domain sarova.co.ke from /etc/resolv.conf
2008/02/13 10:42:01| Adding nameserver xxx.xxx.161.2 from /etc/resolv.conf
2008/02/13 10:42:01| Adding nameserver xxx.xxx.161.3 from /etc/resolv.conf
2008/02/13 10:42:01| Adding nameserver 10.110.120.11 from /etc/resolv.conf
2008/02/13 10:42:01| Adding nameserver 10.110.120.6 from /etc/resolv.conf
2008/02/13 10:42:01| Unlinkd pipe opened on FD 11
2008/02/13 10:42:01| Swap maxSize 262144 KB, estimated 20164 objects
2008/02/13 10:42:01| Target number of buckets: 1008
2008/02/13 10:42:01| Using 8192 Store buckets
2008/02/13 10:42:01| Max Mem  size: 131072 KB
2008/02/13 10:42:01| Max Swap size: 262144 KB
2008/02/13 10:42:01| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2008/02/13 10:42:01| Rebuilding storage in /usr/local/squid/cache (CLEAN)
2008/02/13 10:42:01| Using Least Load store dir selection
2008/02/13 10:42:01| Set Current Directory to /usr/local/squid/cache
2008/02/13 10:42:01| Loaded Icons.
2008/02/13 10:42:02| Accepting transparently proxied HTTP connections at 127.0.0.1, port 3128, FD 13.
2008/02/13 10:42:02| Accepting proxy HTTP connections at 10.110.150.253, port 3128, FD 14.
2008/02/13 10:42:02| Accepting ICP messages at 0.0.0.0, port 3130, FD 15.
2008/02/13 10:42:02| Accepting WCCPv2 messages on port 2048, FD 16.
2008/02/13 10:42:02| Initialising all WCCPv2 lists
2008/02/13 10:42:02| Ready to serve requests.
2008/02/13 10:42:02| Configuring Parent proxy.iconnect.co.ke/3128/7
2008/02/13 10:42:02| Store rebuilding is 18.6% complete
2008/02/13 10:42:02| Done reading /usr/local/squid/cache swaplog (21963 entries)
2008/02/13 10:42:02| Finished rebuilding storage from disk.
2008/02/13 10:42:02|     21963 Entries scanned
2008/02/13 10:42:02|         0 Invalid entries.
2008/02/13 10:42:02|         0 With invalid flags.
2008/02/13 10:42:02|     21963 Objects loaded.
2008/02/13 10:42:02|         0 Objects expired.
2008/02/13 10:42:02|         0 Objects cancelled.
2008/02/13 10:42:02|         0 Duplicate URLs purged.
2008/02/13 10:42:02|         0 Swapfile clashes avoided.
2008/02/13 10:42:02|   Took 0.5 seconds (46011.6 objects/sec).
2008/02/13 10:42:02| Beginning Validation Procedure
2008/02/13 10:42:02|   Completed Validation Procedure
2008/02/13 10:42:02|   Validated 21963 Entries
2008/02/13 10:42:02|   store_swap_size = 235922k
2008/02/13 10:42:02| storeLateRelease: released 0 objects
2008/02/13 11:11:41| Preparing for shutdown after 2555 requests
2008/02/13 11:11:41| Waiting 30 seconds for active connections to finish
2008/02/13 11:11:41| FD 13 Closing HTTP connection
2008/02/13 11:11:41| FD 14 Closing HTTP connection
2008/02/13 11:11:41| FD 16 Closing WCCP socket
2008/02/13 11:12:12| Shutting down...
2008/02/13 11:12:12| FD 15 Closing ICP connection
2008/02/13 11:12:12| WARNING: Closing client 10.110.150.67 connection due to lifetime timeout
2008/02/13 11:12:12|    http://david.marketplace.org/uploadfast.asp?PID=5B4C12BD001E6400
2008/02/13 11:12:12| WARNING: Closing client 10.110.150.67 connection due to lifetime timeout
2008/02/13 11:12:12|    http://david.marketplace.org/uploadfast.asp?PID=5B47DF2D001E63FF
2008/02/13 11:12:12| WARNING: Closing client 10.110.150.67 connection due to lifetime timeout
2008/02/13 11:12:12|    http://david.marketplace.org/uploadfast.asp?PID=5B4C12BD001E6400
2008/02/13 11:12:12| WARNING: Closing client 10.110.150.67 connection due to lifetime timeout
2008/02/13 11:12:12|    http://david.marketplace.org/uploadfast.asp?PID=5B47DF2D001E63FF
2008/02/13 11:12:12| WARNING: Closing client 10.110.150.55 connection due to lifetime timeout
2008/02/13 11:12:12|    http://b.mail.google.com/mail/channel/bind?at=tfpl7aa80y0xw75xevv9065zwg9408&ui=1&RID=rpc&SID=3DAE21FF8E7AAB22&CI=0&AID=60&TYPE=html&zx=6216rrq6uixn&DOMAIN=mail.google.com&t=1
2008/02/13 11:12:12| WARNING: Closing client 10.110.120.30 connection due to lifetime timeout
2008/02/13 11:12:12|    http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx
2008/02/13 11:12:12| WARNING: Closing client 10.110.120.145 connection due to lifetime timeout
2008/02/13 11:12:12|    http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx
2008/02/13 11:12:12| Closing unlinkd pipe on FD 11
2008/02/13 11:12:12| storeDirWriteCleanLogs: Starting...
2008/02/13 11:12:12|   Finished.  Wrote 22081 entries.
2008/02/13 11:12:12|   Took 0.0 seconds (3743176.8 entries/sec).
CPU Usage: 2.019 seconds = 1.140 user + 0.878 sys
Maximum Resident Size: 21292 KB
Page faults with physical i/o: 0
2008/02/13 11:12:12| Squid Cache (Version 2.6.STABLE18): Exiting normally.
Received on Wed Feb 13 2008 - 23:38:35 MST
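As an added diagnostic, not part of the original post: a small Python parser over the ASA `sh wccp web-cache` / `sh wccp web-cache detail` output shown above. It pulls the counters out of the text and flags the ones worth a second look before digging into MTU or header settings, such as the 0% hash allotment and the 241 unassigned packets in Miraj's output. The sample text is copied from the post (router identifier masked as posted); the field regex and finding messages are my own.

```python
import re

# Sample input: the relevant lines from the post's "sh wccp web-cache detail"
# and "sh wccp web-cache" output, values exactly as posted.
ASA_WCCP_OUTPUT = """\
WCCP Cache-Engine information:
        Web Cache ID:          10.110.150.253
        Protocol Version:      2.0
        State:                 Usable
        Hash Allotment:        0 (0.00%)
        Packets Redirected:    113242
        Connect Time:          00:00:12
Global WCCP information:
    Service Identifier: web-cache
        Total Packets Redirected:            113242
        Redirect access-list:                -none-
        Total Packets Unassigned:            241
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0
"""

# "Name:   value" lines; section headers ending in a bare colon do not match.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s+(.+?)\s*$")

def parse_wccp_status(text):
    """Return {field name: value string} for every 'Name: value' line."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields

def wccp_findings(fields):
    """Flag counters suggesting the router is not handing flows to the cache."""
    findings = []
    alloc = re.match(r"(\d+)\s*\(([\d.]+)%\)", fields.get("Hash Allotment", ""))
    if alloc and int(alloc.group(1)) == 0:
        # WCCPv2 hash assignment spreads 256 buckets over the cache engines;
        # a cache holding none of them is not the target of any hashed flow.
        findings.append("Hash Allotment is 0 of 256 hash buckets (0.00%)")
    unassigned = int(fields.get("Total Packets Unassigned", "0"))
    if unassigned > 0:
        findings.append(f"{unassigned} packets matched the service with no cache assigned")
    if int(fields.get("Total Authentication failures", "0")) > 0:
        findings.append("WCCP authentication failures seen; compare passwords on both ends")
    if fields.get("State") != "Usable":
        findings.append(f"cache engine state is {fields.get('State')!r}, not Usable")
    return findings

if __name__ == "__main__":
    for f in wccp_findings(parse_wccp_status(ASA_WCCP_OUTPUT)):
        print("CHECK:", f)
```

Paste the live router output in place of the sample to run it against a current session; a non-empty result is a reason to look at the WCCP assignment before the proxy itself.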
