[squid-users] Strange TCP packets

From: Dalibor Dukic <dalibor.dukic_at_gmail.com>
Date: Fri, 10 Oct 2008 00:19:06 +0200

Hi,

I have a transparent SQUID proxy with an L2/L3 switch redirecting HTTP
traffic to the proxy through a GRE tunnel. Yesterday, I noticed that the
SQUID box is sending strange packets (TCP RST) to the destination web
server in order to terminate the connection. The problem is that these
packets have a source address from the client address space
(A.B.169.0/24). Since I'm not using the TPROXY mechanism I would not
expect any packet originating from the squid box with a source address
from the client range.

I was doing packet capture on the physical interface and the GRE tunnel
interface. I captured these strange packets on the physical interface
and at the same time in the GRE tunnel also.

Packet list from physical interface:

root_at_XXX:~# tcpdump -e -n 'tcp[13] & 4 != 0' and src net A.B.169.0/24
22:07:30.963599 00:16:3e:62:64:81 > 00:00:0c:07:ac:0d, ethertype IPv4
(0x0800), length 54: A.B.169.230.27676 > 209.62.81.20.80: R
573941767:573941767(0) ack 2693938203 win 0
22:07:30.965285 00:16:3e:62:64:81 > 00:00:0c:07:ac:0d, ethertype IPv4
(0x0800), length 54: A.B.169.230.27692 > 209.62.81.20.80: R
3935555301:3935555301(0) ack 2690274274 win 0

SQUID BOX HW address: 00:16:3e:62:64:81
HSRP address in VLAN: 00:00:0c:07:ac:0d

And same packets in tunnel:

22:07:30.963583 IP A.B.169.230.27676 > 209.62.81.20.80: R 0:0(0) ack 1
win 0
When I see those strange packet on physical interface,
22:07:30.965279 IP A.B.169.230.27692 > 209.62.81.20.80: R 0:0(0) ack 1
win 0 6

It looks like these packets are just copied and sent to the destination
web server with the original source address. I tried to replicate the
problem in a controlled environment but with no luck.

Can anyone give me a reason or explanation for this behavior?

Thanks in advance, Dalibor
Received on Thu Oct 09 2008 - 22:19:15 MDT
