Re: [squid-users] Strange TCP packets

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 10 Oct 2008 13:13:35 +1300 (NZDT)

> Hi,
>
> I have a transparent SQUID proxy with an L2/L3 switch redirecting HTTP
> traffic to the proxy through a GRE tunnel. Yesterday, I noticed that the SQUID
> box is sending strange packets (TCP RST) to the destination web server in
> order to terminate the connection. The problem is that these packets have
> a source address from the client address space (A.B.169.0/24). Since I'm not
> using the TPROXY mechanism, I would not expect any packet originating from
> the squid box with a source address from the client range.
>
> I was doing packet capture on the physical interface and the GRE tunnel
> interface. I captured these strange packets on the physical interface and,
> at the same time, in the GRE tunnel as well.
>
> Packet list from physical interface:
>
> root@XXX:~# tcpdump -e -n 'tcp[13] & 4 != 0' and src net A.B.169.0/24
> 22:07:30.963599 00:16:3e:62:64:81 > 00:00:0c:07:ac:0d, ethertype IPv4
> (0x0800), length 54: A.B.169.230.27676 > 209.62.81.20.80: R
> 573941767:573941767(0) ack 2693938203 win 0
> 22:07:30.965285 00:16:3e:62:64:81 > 00:00:0c:07:ac:0d, ethertype IPv4
> (0x0800), length 54: A.B.169.230.27692 > 209.62.81.20.80: R
> 3935555301:3935555301(0) ack 2690274274 win 0
>
> SQUID BOX HW address: 00:16:3e:62:64:81
> HSRP address in VLAN: 00:00:0c:07:ac:0d
>
> And same packets in tunnel:
>
> 22:07:30.963583 IP A.B.169.230.27676 > 209.62.81.20.80: R 0:0(0) ack 1
> win 0
> When I see those strange packet on physical interface,
> 22:07:30.965279 IP A.B.169.230.27692 > 209.62.81.20.80: R 0:0(0) ack 1
> win 0 6
>
> It looks like these packets are just copied and sent to the destination web
> server with the original source address. I tried to replicate the problem in
> a controlled environment but with no luck.
>
> Can anyone give me reason or explanation for this behavior?
>
> Thanks in advance, Dalibor
>

What release of Squid? with what configuration? on what OS?
and also what WCCP configuration on what switch IOS version?

Amos
Received on Fri Oct 10 2008 - 00:13:42 MDT
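
The check made by eye in the quoted capture can be automated. The following is an added example, not part of the original thread: it scans `tcpdump -e -n` output for TCP RST frames that leave the proxy's own MAC address while carrying an IP source inside the client range. The function name `spoofed_resets` is hypothetical, and the constructed sample uses 192.0.2.0/24 in place of the redacted client range and 198.51.100.20 in place of the web server.

```python
import ipaddress
import re

# Matches "tcpdump -e -n" IPv4/TCP lines in both the older flag style ("R")
# seen in the thread and the newer "Flags [R.]" style.
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-fA-F:]{17}) > (?P<dmac>[0-9a-fA-F:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<nf>[^\]]*)\]|(?P<of>[SFPRWE.]+)(?=\s))"
)

# Constructed sample lines (addresses are documentation ranges, not real hosts).
SAMPLE = """\
22:07:30.963599 00:16:3e:62:64:81 > 00:00:0c:07:ac:0d, ethertype IPv4 (0x0800), length 54: 192.0.2.230.27676 > 198.51.100.20.80: R 573941767:573941767(0) ack 2693938203 win 0
22:07:31.100000 00:00:0c:07:ac:0d > 00:16:3e:62:64:81, ethertype IPv4 (0x0800), length 54: 192.0.2.231.40000 > 198.51.100.20.80: R 100:100(0) ack 1 win 0
22:07:31.200000 00:16:3e:62:64:81 > 00:00:0c:07:ac:0d, ethertype IPv4 (0x0800), length 54: 192.0.2.230.27692 > 198.51.100.20.80: Flags [R.], seq 1, ack 2, win 0, length 0
22:07:31.300000 00:16:3e:62:64:81 > 00:00:0c:07:ac:0d, ethertype IPv4 (0x0800), length 54: 203.0.113.5.3128 > 198.51.100.20.80: R 5:5(0) ack 9 win 0
"""


def spoofed_resets(text, proxy_mac, client_net):
    """Return (timestamp, source, destination) for each RST frame sent from
    proxy_mac whose IP source address lies inside client_net."""
    net = ipaddress.ip_network(client_net)
    hits = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an IPv4/TCP line in a recognised format
        flags = m["nf"] or m["of"] or ""
        from_proxy = m["smac"].lower() == proxy_mac.lower()
        in_client_range = ipaddress.ip_address(m["src"]) in net
        if "R" in flags and from_proxy and in_client_range:
            hits.append((m["ts"],
                         f'{m["src"]}:{m["sport"]}',
                         f'{m["dst"]}:{m["dport"]}'))
    return hits


if __name__ == "__main__":
    for hit in spoofed_resets(SAMPLE, "00:16:3e:62:64:81", "192.0.2.0/24"):
        print(*hit)
```

Only the first and third sample lines are reported: the second is a reset arriving from the router's MAC, and the fourth is a reset the proxy sends from an address outside the client range.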
