RE: [squid-users] WCCP2 + Cisco ASA + FreeBSD 6.3, gmail and hotmail not working

From: Davan Wong <davan@dont-contact.us>
Date: Thu, 14 Feb 2008 11:10:49 -0700

I required the following to allow Hotmail and Gmail:

acl Hotmail dstdomain .hotmail.com .hotmail.msn.com .login.live.com
.mail.live.com .passport.com calendar.msn.com g.live.com
acl Gmail dstdomain .gmail.com mail.google.com ssl.google-analytics.com
acl GmailUrlRegExp url_regex -i .google.com/accounts .google.ca/accounts

These were used in combination with a couple other lines to allow Gmail
without allowing Google, and allowing Hotmail without allowing MSN or
Microsoft sites.

Davan Wong
World Health Club
Information Technology Department

 

> -----Original Message-----
> From: Miraj Shah [mailto:Miraj.Shah@is.co.ke]
> Sent: February 13, 2008 11:38 PM
> To: squid-users@squid-cache.org
> Subject: [squid-users] WCCP2 + Cisco ASA + FreeBSD 6.3, gmail
> and hotmail not working
>
> Hello All,
>
> I have run into some problems with a the two websites not
> able to load when squid is configured with wccp2. I have
> followed the example by Adrian Chadd, and the wiki:
>
> http://wiki.squid-cache.org/ConfigExamples/FreeBsdAndWccp2?hig
> hlight=%28%5EConfigExamples/%5B%5E/%5D%2A%24%29
>
> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy
>
>
> Everything is working great until when we open up
> http://mail.google.com and http://www.hotmail.com, the
> websites open up ok, and you can enter the login credentials,
> goes pass the https stage and just before getting to the
> emails. The page goes quiet, and blank. Have tested this on
> different computers and different browsers but get the same problem.
>
> If I disable the squid, and let the users browse thru NAT on
> the ASA, they are able to get thru to these two sites, also
> when I reconfigure the squid to be non-transparent and change
> the settings on my browser to point to the proxy, am able to
> open the two sites in question.
>
> I don't see anything unusual in cache.log or access.log
>
> After googleing around for a bit, I came across a site that
> mentioned lowering the MTU size on the GRE tunnel, which I
> did to 1400 and 1390 but had no effect. (ifconfig gre0 mtu 1400)
>
> For hotmail, the intercepting proxy guide mentions to put the
> following entries on squid.conf, but that did not help:
>
> acl hotmail_domains dstdomain .hotmail.msn.com header_access
> Accept-Encoding deny hotmail_domains
>
> I know this is probably a repeated problem, though I hope
> someone can assist. Do let me know if there are any other
> details that you might need.
>
> Many thanks, and kind regards,
>
> Miraj Shah.
>
>
>
>
> here is a quick network diagram;
>  
> LAN - ASA - Router - Internet
>    |
>  Squid
>  
> below is the config i have set up:
>  
>  
> asa-firewall# sh run int vlan 10
> !
> interface Vlan10
>  description Internet Interface
>  nameif internet
>  security-level 0
>  ip address xxx.xxx.179.86 255.255.255.252
>
> asa-firewall# sh run interface vlan 40
> !
> interface Vlan40
>  description Inside Interface
>  nameif inside
>  security-level 100
>  ip address 10.110.150.252 255.255.254.0
>
> route internet 0.0.0.0 0.0.0.0 xxx.xxx.179.85 1 access-list
> inside_nat0_outbound extended permit ip any 10.110.150.0
> 255.255.0.0 nat (inside) 0 access-list inside_nat0_outbound
> nat (inside) 1 10.110.150.0 255.255.254.0 wccp web-cache wccp
> interface inside web-cache redirect in
>  
> asa-firewall# sh wccp web-cache detail
> WCCP Cache-Engine information:
>         Web Cache ID:          10.110.150.253
>         Protocol Version:      2.0
>         State:                 Usable
>         Initial Hash Info:     00000000000000000000000000000000
>                                00000000000000000000000000000000
>         Assigned Hash Info:    00000000000000000000000000000000
>                                00000000000000000000000000000000
>         Hash Allotment:        0 (0.00%)
>         Packets Redirected:    113242
>         Connect Time:          00:00:12
>
> asa-firewall# sh wccp web-cache
> Global WCCP information:
>     Router information:
>         Router Identifier:                   xxx.xxx.179.86
>         Protocol Version:                    2.0
>     Service Identifier: web-cache
>         Number of Cache Engines:             1
>         Number of routers:                   1
>         Total Packets Redirected:            113242
>         Redirect access-list:                -none-
>         Total Connections Denied Redirect:   0
>         Total Packets Unassigned:            241
>         Group access-list:                   -none-
>         Total Messages Denied to Group:      0
>         Total Authentication failures:       0
>         Total Bypassed Packets Received:     0
>
>
> asa-firewall# sh ver
>
> Cisco Adaptive Security Appliance Software Version 7.2(2)
> Device Manager Version 5.2(2)
>
> Compiled on Wed 22-Nov-06 14:16 by builders System image file
> is "disk0:/asa722-k8.bin"
> Config file at boot was "startup-config"
>
> sarova-firewall up 3 days 3 hours
>
> Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz Internal
> ATA Compact Flash, 128MB BIOS Flash M50FW080 @ 0xffe00000, 1024KB
>
> Encryption hardware device : Cisco ASA-5505 on-board
> accelerator (revision 0x0)
>                              Boot microcode   :
> CNlite-MC-Boot-Cisco-1.2
>                              SSL/IKE microcode:
> CNlite-MC-IPSEC-Admin-3.03
>                              IPSec microcode  :
> CNlite-MC-IPSECm-MAIN-2.04
>  0: Int: Internal-Data0/0    : address is 001b.531b.5bb2, irq 11
>  1: Ext: Ethernet0/0         : address is 001b.531b.5baa, irq 255
>  2: Ext: Ethernet0/1         : address is 001b.531b.5bab, irq 255
>  3: Ext: Ethernet0/2         : address is 001b.531b.5bac, irq 255
>  4: Ext: Ethernet0/3         : address is 001b.531b.5bad, irq 255
>  5: Ext: Ethernet0/4         : address is 001b.531b.5bae, irq 255
>  6: Ext: Ethernet0/5         : address is 001b.531b.5baf, irq 255
>  7: Ext: Ethernet0/6         : address is 001b.531b.5bb0, irq 255
>  8: Ext: Ethernet0/7         : address is 001b.531b.5bb1, irq 255
>  9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
> 10: Int: Not used            : irq 255
> 11: Int: Not used            : irq 255
>
> Licensed features for this platform:
> Maximum Physical Interfaces : 8
> VLANs                       : 20, DMZ Unrestricted Inside
> Hosts                : Unlimited Failover                   
> : Active/Standby VPN-DES                     : Enabled
> VPN-3DES-AES                : Enabled VPN Peers               
>     : 25 WebVPN Peers                : 2 Dual ISPs            
>        : Enabled VLAN Trunk Ports            : 8
>
> This platform has an ASA 5505 Security Plus license.
>
> Serial Number: JMX1111Z0QV
> Running Activation Key: 0xffffffff 0xffffffff 0xfffffffff
> 0xfffffffff 0xfffffffff Configuration register is 0x1
> Configuration last modified by enable_15 at 10:51:03.103 EAT
> Wed Feb 13 2008
>  
>  
> ###FreeBSD Setup###
>  
> #kernel config (extra)
> proxy# cat /usr/src/sys/i386/conf/TransProxy #---snip---#
> options IPFIREWALL options IPFIREWALL_VERBOSE #enable logging
> to syslogd(8) options IPFIREWALL_FORWARD options
> IPFIREWALL_VERBOSE_LIMIT=500 #limit verbosity options
> IPSTEALTH #support for stealth forwarding options DUMMYNET
> options NETGRAPH options DEVICE_POLLING options HZ=1000
> options SHMSEG=128 options SHMMNI=256 options SHMMAX=50331648
> # max shared memory segment size (bytes) options SHMALL=16384
> # max amount of shared memory (pages) options MSGMNB=16384 #
> max # of bytes in a queue options MSGMNI=48 # number of
> message queue identifiers options MSGSEG=768 # number of
> message segments options MSGSSZ=64 # size of a message
> segment options MSGTQL=4096 # max messages in system options
> IPFIREWALL_DEFAULT_TO_ACCEPT options IPDIVERT # if you intend
> to use NAT device          apic                    # I/O APIC
> device          gre #---snip---#
>  
> proxy# cat /etc/rc.conf
> gateway_enable="YES"
> hostname="proxy.customer.co.ke"
> ifconfig_bge0="inet 10.110.150.253 netmask 255.255.254.0"
> defaultrouter="10.110.150.252"
> keymap="uk.iso"
> linux_enable="YES"
> sshd_enable="YES"
> usbd_enable="YES"
> firewall_enable="YES"
> firewall_type="/etc/firewall.local"
> squid_enable="YES"
> ipfilter_enable="YES"
> ipnat_enable="YES"
> ipmon_enable="YES"
> ipfs_enable="YES"
>  
> proxy# cat /etc/rc.local
> #tunnel to cisco asa for transparent proxy /sbin/ifconfig
> gre0 plumb /sbin/ifconfig gre0 link2 /sbin/ifconfig gre0
> tunnel 10.110.150.253 xxx.xxx.179.86 /sbin/ifconfig gre0 inet
> 1.1.1.1 1.1.1.2
>  
> proxy# ifconfig gre0
> gre0:
> flags=d051<UP,POINTOPOINT,RUNNING,LINK0,LINK2,MULTICAST> mtu 1476
>         tunnel inet 10.110.150.253 --> xxx.xxx.179.86
>         inet 1.1.1.1 --> 1.1.1.2 netmask 0xff000000
>
> proxy# cat /etc/firewall.local
> add fwd 127.0.0.1,3128 tcp from any to any 80 recv gre0
>
> proxy# ipfw show
> 00100  21909   3567762 fwd 127.0.0.1,3128 tcp from any to any
> dst-port 80 recv gre0
> 65535 836384 314106493 allow ip from any to any
>
> proxy# cat /etc/sysctl.conf
> net.inet.icmp.icmplim=0
> net.inet.tcp.msl=3000
> kern.maxfilesperproc=65536
> kern.maxfiles=262144
> kern.ipc.maxsockets=131072
> kern.ipc.somaxconn=1024
> net.inet.tcp.recvspace=16384
> net.inet.tcp.sendspace=16384
> kern.ipc.nmbclusters=32768
> net.inet.ip.forwarding=1
>
> proxy# cat /usr/local/etc/squid/squid.conf #---snip---#
> http_port 127.0.0.1:3128 transparent always_direct allow all
> wccp2_router 10.110.150.252 wccp2_rebuild_wait on
> wccp2_forwarding_method 1 wccp2_return_method 1
> wccp2_assignment_method 1 wccp2_service standard 0
> wccp2_weight 10000 wccp2_address 0.0.0.0 debug_options ALL,1
> visible_hostname proxy.customer.co.ke #---snip---#
> #---snip---# #ACL's acl my_network src 10.110.150.0/23
> http_access allow my_network http_access deny all #---snip---#
>
> proxy# cat /usr/local/squid/logs/cache.log
> 2008/02/13 10:42:01| Starting Squid Cache version
> 2.6.STABLE18 for i386-portbld-freebsd6.3...
> 2008/02/13 10:42:01| Process ID 6721
> 2008/02/13 10:42:01| With 32768 file descriptors available
> 2008/02/13 10:42:01| Using kqueue for the IO loop
> 2008/02/13 10:42:01| DNS Socket created at 0.0.0.0, port 63552, FD 6
> 2008/02/13 10:42:01| Adding domain sarova.co.ke from /etc/resolv.conf
> 2008/02/13 10:42:01| Adding nameserver xxx.xxx.161.2 from
> /etc/resolv.conf
> 2008/02/13 10:42:01| Adding nameserver xxx.xxx.161.3 from
> /etc/resolv.conf
> 2008/02/13 10:42:01| Adding nameserver 10.110.120.11 from
> /etc/resolv.conf
> 2008/02/13 10:42:01| Adding nameserver 10.110.120.6 from
> /etc/resolv.conf
> 2008/02/13 10:42:01| Unlinkd pipe opened on FD 11
> 2008/02/13 10:42:01| Swap maxSize 262144 KB, estimated 20164 objects
> 2008/02/13 10:42:01| Target number of buckets: 1008
> 2008/02/13 10:42:01| Using 8192 Store buckets
> 2008/02/13 10:42:01| Max Mem  size: 131072 KB
> 2008/02/13 10:42:01| Max Swap size: 262144 KB
> 2008/02/13 10:42:01| Local cache digest enabled;
> rebuild/rewrite every 3600/3600 sec
> 2008/02/13 10:42:01| Rebuilding storage in
> /usr/local/squid/cache (CLEAN)
> 2008/02/13 10:42:01| Using Least Load store dir selection
> 2008/02/13 10:42:01| Set Current Directory to /usr/local/squid/cache
> 2008/02/13 10:42:01| Loaded Icons.
> 2008/02/13 10:42:02| Accepting transparently proxied HTTP
> connections at 127.0.0.1, port 3128, FD 13.
> 2008/02/13 10:42:02| Accepting proxy HTTP connections at
> 10.110.150.253, port 3128, FD 14.
> 2008/02/13 10:42:02| Accepting ICP messages at 0.0.0.0, port
> 3130, FD 15.
> 2008/02/13 10:42:02| Accepting WCCPv2 messages on port 2048, FD 16.
> 2008/02/13 10:42:02| Initialising all WCCPv2 lists
> 2008/02/13 10:42:02| Ready to serve requests.
> 2008/02/13 10:42:02| Configuring Parent proxy.iconnect.co.ke/3128/7
> 2008/02/13 10:42:02| Store rebuilding is 18.6% complete
> 2008/02/13 10:42:02| Done reading /usr/local/squid/cache
> swaplog (21963 entries)
> 2008/02/13 10:42:02| Finished rebuilding storage from disk.
> 2008/02/13 10:42:02|     21963 Entries scanned
> 2008/02/13 10:42:02|         0 Invalid entries.
> 2008/02/13 10:42:02|         0 With invalid flags.
> 2008/02/13 10:42:02|     21963 Objects loaded.
> 2008/02/13 10:42:02|         0 Objects expired.
> 2008/02/13 10:42:02|         0 Objects cancelled.
> 2008/02/13 10:42:02|         0 Duplicate URLs purged.
> 2008/02/13 10:42:02|         0 Swapfile clashes avoided.
> 2008/02/13 10:42:02|   Took 0.5 seconds (46011.6 objects/sec).
> 2008/02/13 10:42:02| Beginning Validation Procedure
> 2008/02/13 10:42:02|   Completed Validation Procedure
> 2008/02/13 10:42:02|   Validated 21963 Entries
> 2008/02/13 10:42:02|   store_swap_size = 235922k
> 2008/02/13 10:42:02| storeLateRelease: released 0 objects
> 2008/02/13 11:11:41| Preparing for shutdown after 2555 requests
> 2008/02/13 11:11:41| Waiting 30 seconds for active
> connections to finish
> 2008/02/13 11:11:41| FD 13 Closing HTTP connection
> 2008/02/13 11:11:41| FD 14 Closing HTTP connection
> 2008/02/13 11:11:41| FD 16 Closing WCCP socket
> 2008/02/13 11:12:12| Shutting down...
> 2008/02/13 11:12:12| FD 15 Closing ICP connection
> 2008/02/13 11:12:12| WARNING: Closing client 10.110.150.67
> connection due to lifetime timeout
> 2008/02/13 11:12:12|   
> http://david.marketplace.org/uploadfast.asp?PID=5B4C12BD001E6400
> 2008/02/13 11:12:12| WARNING: Closing client 10.110.150.67
> connection due to lifetime timeout
> 2008/02/13 11:12:12|   
> http://david.marketplace.org/uploadfast.asp?PID=5B47DF2D001E63FF
> 2008/02/13 11:12:12| WARNING: Closing client 10.110.150.67
> connection due to lifetime timeout
> 2008/02/13 11:12:12|   
> http://david.marketplace.org/uploadfast.asp?PID=5B4C12BD001E6400
> 2008/02/13 11:12:12| WARNING: Closing client 10.110.150.67
> connection due to lifetime timeout
> 2008/02/13 11:12:12|   
> http://david.marketplace.org/uploadfast.asp?PID=5B47DF2D001E63FF
> 2008/02/13 11:12:12| WARNING: Closing client 10.110.150.55
> connection due to lifetime timeout
> 2008/02/13 11:12:12|   
> http://b.mail.google.com/mail/channel/bind?at=tfpl7aa80y0xw75x
> evv9065zwg9408&ui=1&RID=rpc&SID=3DAE21FF8E7AAB22&CI=0&AID=60&T
> YPE=html&zx=6216rrq6uixn&DOMAIN=mail.google.com&t=1
> 2008/02/13 11:12:12| WARNING: Closing client 10.110.120.30
> connection due to lifetime timeout
> 2008/02/13 11:12:12|   
> http://stats.update.microsoft.com/ReportingWebService/Reportin
> gWebService.asmx
> 2008/02/13 11:12:12| WARNING: Closing client 10.110.120.145
> connection due to lifetime timeout
> 2008/02/13 11:12:12|   
> http://stats.update.microsoft.com/ReportingWebService/Reportin
> gWebService.asmx
> 2008/02/13 11:12:12| Closing unlinkd pipe on FD 11
> 2008/02/13 11:12:12| storeDirWriteCleanLogs: Starting...
> 2008/02/13 11:12:12|   Finished.  Wrote 22081 entries.
> 2008/02/13 11:12:12|   Took 0.0 seconds (3743176.8 entries/sec).
> CPU Usage: 2.019 seconds = 1.140 user + 0.878 sys Maximum
> Resident Size: 21292 KB Page faults with physical i/o: 0
> 2008/02/13 11:12:12| Squid Cache (Version 2.6.STABLE18):
> Exiting normally.
> Please note: This email and its content are subject to the
> disclaimer as displayed at the following link
> http://www.is.co.za/legal/E-mail+Confidentiality+Notice+and+Di
> sclaimer.htm. Should you not have Web access, send a mail to
> disclaimers@is.co.za and a copy will be emailed to you.
Received on Thu Feb 14 2008 - 11:10:59 MST

This archive was generated by hypermail pre-2.1.9 : Sat Mar 01 2008 - 12:00:05 MST