Re: [squid-users] transparent proxy not working!! any advice?

From: Roland Roland <R_O_L_A_N_D_at_hotmail.com>
Date: Tue, 6 Jan 2009 21:48:30 +0200

Hello,

After adding the ACL below, I've got the following result.
If I'm not mistaken, it has something to do with the "dynamic" issue? Should
I set it as standard 0, or?!

*Jan 6 20:21:39.294: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 00000019
*Jan 6 20:21:39.298: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 00000019
*Jan 6 20:21:57.290: WCCP-EVNT:D90: Here_I_Am packet from 192.168.0.183 w/bad rcv_id 00000000
*Jan 6 20:21:57.290: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 0000001A
*Jan 6 20:21:57.290: WCCP-EVNT:D80: Here_I_Am packet from 192.168.0.183 w/bad rcv_id 00000000
*Jan 6 20:21:57.290: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 0000001A
*Jan 6 20:22:04.294: WCCP-PKT:D90: Sending Removal_Query packet to 192.168.0.183w/ rcv_id 0000001B
*Jan 6 20:22:04.298: WCCP-PKT:D80: Sending Removal_Query packet to 192.168.0.183w/ rcv_id 0000001B
*Jan 6 20:22:09.294: %WCCP-1-SERVICELOST: Service 90 lost on WCCP client 192.168.0.183
*Jan 6 20:22:09.298: %WCCP-1-SERVICELOST: Service 80 lost on WCCP client 192.168.0.183
*Jan 6 20:22:15.298: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 0000001C
*Jan 6 20:22:15.298: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 0000001C

--------------------------------------------------
From: "Roland Roland" <R_O_L_A_N_D_at_hotmail.com>
Sent: Monday, January 05, 2009 9:50 PM
To: "Ritter, Nicholas" <Nicholas.Ritter_at_americantv.com>; <squid_at_vdvyver.net>
Cc: <squid-users_at_squid-cache.org>
Subject: Re: [squid-users] transparent proxy not working!! any advice?

>
> Hello,
> Thanks for the advice, I'll proceed and add the new ACL.
> In the meantime, to answer your question:
> yes, Squid is on the same interface as all the other clients. What sort of
> entries should I add to that access list?
>
> PS: my IOS is Version 12.4(17b), RELEASE SOFTWARE (fc2) Cisco 2811
> (revision 53.51)
>
>
> --------------------------------------------------
> From: "Ritter, Nicholas" <Nicholas.Ritter_at_americantv.com>
> Sent: Monday, January 05, 2009 9:23 PM
> To: <R_O_L_A_N_D_at_hotmail.com>; <squid_at_vdvyver.net>
> Cc: <squid-users_at_squid-cache.org>
> Subject: RE: [squid-users] transparent proxy not working!! any advice?
>
>> The error on the Cisco router is stating that the squid box is trying to
>> tell the router that it is able to service the wccp group 80 and 90, but
>> for some reason the router does not see those groups as ones it is
>> servicing.
>>
>> This is odd. Try doing the following in the router:
>>
>> ip access-list 180 permit any any
>> ip wccp web-cache redirect-list 180
>> ip wccp 80 redirect-list 180
>> ip wccp 90 redirect-list 180
>>
>> Is the squid box on the same router interface as the rest of the clients?
>> If it is, you may need to add lines to the access-list 180, or put the
>> squid box on the secondary interface of the router and do a "ip wccp
>> redirect exclude in" statement on that interface.
>>
>> Which IOS feature set and version is this?
>>
>> WCCP is buggy in some IOS releases.
>>
>>
>>
>> ________________________________
>>
>> From: R_O_L_A_N_D_at_hotmail.com [mailto:R_O_L_A_N_D_at_hotmail.com]
>> Sent: Mon 1/5/2009 8:43 AM
>> To: squid_at_vdvyver.net
>> Cc: squid-users_at_squid-cache.org
>> Subject: Re: [squid-users] transparent proxy not working!! any advice?
>>
>>
>>
>> Hello,
>> Actually I have both of them set on the LAN interface (am I mistaken to set
>> the "redirect out" on the LAN interface? Should I be setting it on the
>> interface facing the internet?)
>>
>> ip wccp 80 redirect in
>> ip wccp 90 redirect out
>>
>> as for the wiki provided, I fail to see what's missing!
>> obviously there is something, but I'm not detecting it!
>>
>>
>>
>> --------------------------------------------------
>> From: "Regardt van de Vyver" <squid_at_vdvyver.net>
>> Sent: Monday, January 05, 2009 12:46 AM
>> Cc: <squid-users_at_squid-cache.org>
>> Subject: Re: [squid-users] transparent proxy not working!! any advice?
>>
>>> Roland Roland wrote:
>>>> Hello,
>>>> the output of the debugging is as such:
>>>>
>>>>
>>>>
>>>> *Jan 4 23:16:43.205: WCCP-EVNT:D90: Here_I_Am packet from 192.168.0.183: service not active
>>>> *Jan 4 23:16:43.205: WCCP-EVNT:D80: Here_I_Am packet from 192.168.0.183: service not active
>>>>
>>>> what service is that?!
>>>>
>>>>
>>>>
>>>> --------------------------------------------------
>>>> From: "Regardt van de Vyver" <squid_at_vdvyver.net>
>>>> Sent: Sunday, January 04, 2009 9:33 PM
>>>> Cc: <squid-users_at_squid-cache.org>
>>>> Subject: Re: [squid-users] transparent proxy not working!! any advice?
>>>>
>>>>> Roland Roland wrote:
>>>>>> I've just created a new box with the following options:
>>>>>> but wccp with router is still not working!
>>>>>> any advice?
>>>>>>
>>>>>>
>>>>>> using centos 5.2
>>>>>> and squid 2.6
>>>>>> firewall enabled
>>>>>> SElinux permissive
>>>>>> -------------------------------------------------------
>>>>>> done the following:
>>>>>>
>>>>>> yum update yum
>>>>>>
>>>>>> yum install squid
>>>>>>
>>>>>> squid -z
>>>>>> -------------------------------------------------------
>>>>>> gedit /etc/rc.d/init.d/rc.local
>>>>>>
>>>>>> #added:
>>>>>> modprobe ip_gre
>>>>>> ifconfig gre0 192.168.0.183 netmask 255.255.255.0 up
>>>>>> #this is the same ip as my eth0
>>>>>>
>>>>>> ----------------------------------------------------
>>>>>> gedit /etc/sysconfig/iptables
>>>>>>
>>>>>> #added:
>>>>>> -A INPUT -i gre0 -j ACCEPT
>>>>>> -A INPUT -i gre0 -j ACCEPT
>>>>>> -A INPUT -p gre -j ACCEPT
>>>>>> #my routers lan interface 192.168.0.1
>>>>>> -A RH-Firewall-1-INPUT -s 192.168.0.1/24 -p udp -m udp --dport 2048 -j ACCEPT
>>>>>> -------------------------------------------------------
>>>>>> service iptables condrestart
>>>>>> --------------------------------------------------------
>>>>>> gedit /etc/squid/squid.conf
>>>>>>
>>>>>> #edited/added the following:
>>>>>> http_port 80 transparent
>>>>>> http_access allow all
>>>>>> wccp2_router 192.168.0.1
>>>>>> wccp_version 4
>>>>>> wccp2_rebuild_wait on
>>>>>> wccp2_forwarding_method 1
>>>>>> wccp2_return_method 1
>>>>>> wccp2_assignment_method 1
>>>>>> wccp2_service dynamic 80
>>>>>> wccp2_service dynamic 90
>>>>>> wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
>>>>>> wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
>>>>>> ----------------------------------------------------------
>>>>>> Cisco router 2811 side:
>>>>>>
>>>>>> conf t
>>>>>> ip wccp version 2
>>>>>> ip wccp web-cache
>>>>>>
>>>>>> int f0/1 (Lan interface)
>>>>>> ip wccp 80 redirect in
>>>>>> ip wccp 90 redirect out
>>>>>> ----------------------------------------------------------
>>>>>> service squid restart
>>>>>>
>>>>>> then sh ip wccp on router gave me all hits as 0 no hits from squid to
>>>>>> router!!
>>>>>> ----------------------------------------------------------
>>>>>>
>>>>>> service iptables status
>>>>>>
>>>>>> [root_at_localhost ~]# service iptables status
>>>>>> Table: filter
>>>>>> Chain INPUT (policy ACCEPT)
>>>>>> num target prot opt source destination
>>>>>> 1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
>>>>>> 2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>>>>>> 3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>>>>>> 4 ACCEPT 47 -- 0.0.0.0/0 0.0.0.0/0
>>>>>>
>>>>>> Chain FORWARD (policy ACCEPT)
>>>>>> num target prot opt source destination
>>>>>> 1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
>>>>>>
>>>>>> Chain OUTPUT (policy ACCEPT)
>>>>>> num target prot opt source destination
>>>>>>
>>>>>> Chain RH-Firewall-1-INPUT (2 references)
>>>>>> num target prot opt source destination
>>>>>> 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>>>>>> 2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
>>>>>> 3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
>>>>>> 4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
>>>>>> 5 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
>>>>>> 6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
>>>>>> 7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
>>>>>> 8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>>>>>> 9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
>>>>>> 10 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
>>>>>> 11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5900
>>>>>> 12 ACCEPT udp -- 192.168.0.0/24 0.0.0.0/0 udp dpt:2048
>>>>>> 13 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
>>>>>>
>>>>>>
>>>>>> ---------------------------------------------------------------------------
>>>>>>
>>>>>>
>>>>>>
>>>>>> lsmod:
>>>>>>
>>>>>> Module Size Used by
>>>>>> ip_conntrack_netbios_ns 6977 0
>>>>>> xt_state 6209 4
>>>>>> ip_conntrack 53025 2 ip_conntrack_netbios_ns,xt_state
>>>>>> nfnetlink 10713 1 ip_conntrack
>>>>>> iptable_filter 7105 1
>>>>>> ip_tables 17029 1 iptable_filter
>>>>>> ip6table_filter 6849 1
>>>>>> ip6_tables 18053 1 ip6table_filter
>>>>>> nls_utf8 6208 1
>>>>>> ip_gre 16737 0
>>>>>> autofs4 24517 2
>>>>>> hidp 23105 2
>>>>>> rfcomm 42457 0
>>>>>> l2cap 29505 10 hidp,rfcomm
>>>>>> bluetooth 53797 5 hidp,rfcomm,l2cap
>>>>>> sunrpc 144893 1
>>>>>> ipt_REJECT 9537 1
>>>>>> ip6t_REJECT 9409 1
>>>>>> xt_tcpudp 7105 15
>>>>>> x_tables 17349 6 xt_state,ip_tables,ip6_tables,ipt_REJECT,ip6t_REJECT,xt_tcpudp
>>>>>> dm_multipath 22089 0
>>>>>> video 21193 0
>>>>>> sbs 18533 0
>>>>>> backlight 10049 1 video
>>>>>> i2c_ec 9025 1 sbs
>>>>>> button 10705 0
>>>>>> battery 13637 0
>>>>>> asus_acpi 19289 0
>>>>>> ac 9157 0
>>>>>> ipv6 258273 17 ip6t_REJECT
>>>>>> xfrm_nalgo 13765 1 ipv6
>>>>>> crypto_api 11969 1 xfrm_nalgo
>>>>>> lp 15849 0
>>>>>> floppy 57125 0
>>>>>> i2c_piix4 12237 0
>>>>>> pcnet32 35141 0
>>>>>> pcspkr 7105 0
>>>>>> i2c_core 23745 2 i2c_ec,i2c_piix4
>>>>>> mii 9409 1 pcnet32
>>>>>> ide_cd 40033 1
>>>>>> cdrom 36705 1 ide_cd
>>>>>> parport_pc 29157 1
>>>>>> serio_raw 10693 0
>>>>>> parport 37513 2 lp,parport_pc
>>>>>> dm_snapshot 21477 0
>>>>>> dm_zero 6209 0
>>>>>> dm_mirror 29125 0
>>>>>> dm_mod 61405 9 dm_multipath,dm_snapshot,dm_zero,dm_mirror
>>>>>> ata_piix 22341 0
>>>>>> libata 143997 1 ata_piix
>>>>>> sd_mod 24897 0
>>>>>> scsi_mod 134605 2 libata,sd_mod
>>>>>> ext3 123593 2
>>>>>> jbd 56553 1 ext3
>>>>>> uhci_hcd 25421 0
>>>>>> ohci_hcd 23261 0
>>>>>> ehci_hcd 33357 0
>>>>>>
>>>>>> ------------------------------------------------------------------------
>>>>>>
>>>>>>
>>>>>> ifconfig:
>>>>>>
>>>>>> [root_at_localhost ~]# ifconfig
>>>>>> eth0 Link encap:Ethernet HWaddr 00:0C:29:F8:D0:AF
>>>>>> inet addr:192.168.0.183 Bcast:192.168.0.255 Mask:255.255.255.0
>>>>>> inet6 addr: fe80::20c:29ff:fef8:d0af/64 Scope:Link
>>>>>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>>>>>> RX packets:29956 errors:0 dropped:0 overruns:0 frame:0
>>>>>> TX packets:11948 errors:0 dropped:0 overruns:0 carrier:0
>>>>>> collisions:0 txqueuelen:1000
>>>>>> RX bytes:3673892 (3.5 MiB) TX bytes:7234153 (6.8 MiB)
>>>>>> Interrupt:169 Base address:0x2000
>>>>>>
>>>>>> gre0 Link encap:UNSPEC HWaddr 00-00-00-00-B2-BF-68-33-00-00-00-00-00-00-00-00
>>>>>> inet addr:192.168.0.183 Mask:255.255.255.0
>>>>>> UP RUNNING NOARP MTU:1476 Metric:1
>>>>>> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>>>>>> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>>>>> collisions:0 txqueuelen:0
>>>>>> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>>>>>>
>>>>>> lo Link encap:Local Loopback
>>>>>> inet addr:127.0.0.1 Mask:255.0.0.0
>>>>>> inet6 addr: ::1/128 Scope:Host
>>>>>> UP LOOPBACK RUNNING MTU:16436 Metric:1
>>>>>> RX packets:2926 errors:0 dropped:0 overruns:0 frame:0
>>>>>> TX packets:2926 errors:0 dropped:0 overruns:0 carrier:0
>>>>>> collisions:0 txqueuelen:0
>>>>>> RX bytes:3257748 (3.1 MiB) TX bytes:3257748 (3.1 MiB)
>>>>>>
>>>>>> -------------------------------------------------------------------------------
>>>>>>
>>>>>>
>>>>>>
>>>>> Hi Roland,
>>>>>
>>>>> Have you had a look at the WCCP debugging messages on the Cisco?
>>>>> eg. on the cisco
>>>>> debug ip wccp events
>>>>> debug ip wccp packets
>>>>> terminal monitor
>>>>>
>>>>> That should give you some indication of wccp activity, also what does
>>>>> "sh ip wccp web-cache detail" show?
>>>>>
>>>>> Regardt
>>>>>
>>>>>
>>>>
>>> Hi Roland,
>>>
>>> Off the bat I'd guess it's a missing
>>> "ip wccp 80" and a "ip wccp 90" on the Cisco.
>>>
>>> Also, just rechecking your config I'm wondering about missing /proc bits
>>> as per:
>>> http://wiki.squid-cache.org/ConfigExamples/MultiplePortsWithWccp2
>>>
>>> Regardt
>>>
>>>
>>
>>
>>
>>
>
Received on Tue Jan 06 2009 - 19:48:44 MST
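
Added example (not part of the thread and not Squid or Cisco code): a small Python parser for the router's "debug ip wccp" lines quoted in the messages above. It pairs each rejected Here_I_Am with the rcv_id the router last sent for that service and counts Removal_Query and SERVICELOST events; the function names and the sample selection are choices made for this example.

```python
import re
from collections import defaultdict

# Lines copied (unwrapped) from the router debug output quoted in this thread.
SAMPLE = """\
*Jan 4 23:16:43.205: WCCP-EVNT:D80: Here_I_Am packet from 192.168.0.183: service not active
*Jan 6 20:21:39.294: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 00000019
*Jan 6 20:21:57.290: WCCP-EVNT:D90: Here_I_Am packet from 192.168.0.183 w/bad rcv_id 00000000
*Jan 6 20:21:57.290: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 0000001A
*Jan 6 20:22:04.294: WCCP-PKT:D90: Sending Removal_Query packet to 192.168.0.183w/ rcv_id 0000001B
*Jan 6 20:22:09.294: %WCCP-1-SERVICELOST: Service 90 lost on WCCP client 192.168.0.183
*Jan 6 20:22:15.298: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 0000001C
"""

SENT = re.compile(r"WCCP-PKT:D(\d+): Sending (\w+) packet to ([\d.]+?)\s*w/ rcv_id ([0-9A-F]{8})")
HERE = re.compile(r"WCCP-EVNT:D(\d+): Here_I_Am packet from ([\d.]+)(?:: | w/)(.+)$")
LOST = re.compile(r"%WCCP-1-SERVICELOST: Service (\d+) lost on WCCP client ([\d.]+)")

def summarize(log_text):
    """Per (service, cache IP): what the router sent and why it rejected Here_I_Am."""
    state = defaultdict(lambda: {"last_sent": None, "bad_rcv_id": [],
                                 "inactive": 0, "removal_queries": 0, "lost": 0})
    for line in log_text.splitlines():
        if m := SENT.search(line):
            svc, kind, ip, rcv = m.groups()
            s = state[(int(svc), ip)]
            s["last_sent"] = rcv  # rcv_id the router most recently sent to this cache
            s["removal_queries"] += kind == "Removal_Query"
        elif m := HERE.search(line):
            svc, ip, reason = m.groups()
            s = state[(int(svc), ip)]
            if reason.startswith("bad rcv_id"):
                # Pair the value the cache sent with the router's last-sent value.
                s["bad_rcv_id"].append((reason.split()[-1], s["last_sent"]))
            elif reason == "service not active":
                s["inactive"] += 1
        elif m := LOST.search(line):
            state[(int(m.group(1)), m.group(2))]["lost"] += 1
    return dict(state)

def unstable(summary):
    """Service/cache pairs that were dropped after rcv_id mismatches."""
    return sorted(k for k, s in summary.items() if s["lost"] and s["bad_rcv_id"])

if __name__ == "__main__":
    for key, s in sorted(summarize(SAMPLE).items()):
        print(key, s)
```

Fed a full capture, the same summary shows per service group whether the cache ever answered with the rcv_id the router had just sent before the service was declared lost.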

This archive was generated by hypermail 2.2.0 : Wed Jan 07 2009 - 12:00:02 MST