Re: [squid-users] Connection time out error with tproxy

From: <viveksnv_at_aol.in>
Date: Wed, 14 Jan 2009 06:13:45 -0500

Hi Amos,

Thank you very much.

This is ifconfig result of the squid server.

But it works in transparent mode, but why not in tproxy?

eth0 Link encap:Ethernet HWaddr
          inet addr:xx.xx.xx.xx Bcast:xx.xx.xx.xx Mask:255.255.255.252
          inet6 addr: fe80::21a:4bff:fe34:9af0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:2435572 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2694449 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1371738325 (1.2 GiB) TX bytes:1495109099 (1.3 GiB)
          Interrupt:16 Memory:f8000000-f8012100

lo Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:2715 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2715 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:216227 (211.1 KiB) TX bytes:216227 (211.1 KiB)

wccp Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:xx.xx.xx.xx P-t-P:xx.xx.xx.xx Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MTU:1476 Metric:1
          RX packets:1298005 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:142161462 (135.5 MiB) TX bytes:0 (0.0 b)

WCCP -- GRE tunnel interface.

Thanks,
vk

viveksnv_at_aol.in wrote:
>
> Amos,
>
> Thanks again for your reply.
>
> We have configured squid + Tproxy + WCCP and client ip is redirected to
> the web server, but browser shows a connection timeout(110) error and it
> takes a long time even to display this error message. The access.log
> shows long timestamp value.
>
> forward log shows the request has been forwarded. Squid works perfectly
> fine when configured as transparent proxy.

Aha. Check MTUs. This type of forwarded and no reply issue is usually
seen on links where MTU-discovery is broken.

It may be that there are ICMP info packets being sent to the client
instead of Squid.

Amos

>
> We need your valuable advice and if possible can you point out few areas
> where are all the possibilities for the problems to arise.
>
> Thanks,
> vk
>
> viveksnv_at_aol.in wrote:
>> Amos,
>>
>> Thanks for your reply.
>>
>> Sorry, we are not using TPROXY but cttproxy 2.6.20-2.0.6, iptables 1.3.8
>> and linux kernel 2.6.20.21.
>> Cisco IOS 2800 Ver 12.4 (13b)
>>
>> WCCP+Transparent proxy works good. Tproxy without wccp works well by not
>> revealing the server ip and only displaying the client ip. But once the
>> wccp is enabled with tproxy, the server ip is revealed instead of the
>> client ip.
>>
>> Please scroll down below to check our previous mails.
>>
>> Any suggestions please.
>
> Other than checking your squid is built with --enable-linux-tproxy, none
> from me sorry.
>
> cttproxy was obsolete and officially unsupported before I ever heard of it.
>
> Amos
>
>> VK
>>
>> -----Original Message-----
>> From: Amos Jeffries <squid3_at_treenet.co.nz>
>> To: Ritter, Nicholas <Nicholas.Ritter_at_americantv.com>
>> Cc: viveksnv_at_aol.in; squid-users_at_squid-cache.org
>> Sent: Sat, 10 Jan 2009 8:06 am
>> Subject: Re: [squid-users] Re: WCCP configuration
>>
>> Ritter, Nicholas wrote:
>>> With TProxy, I think you need to use Squid3-HEAD to reliably fix your
>>> issue....Amos would know for sure.
>>>
>>> Nick
>>
>> Yes. Squid-2.* has no support for TPROXY v4.1+
>>
>> 3.1.0.3 or later is needed. Which is at least an RC beta now, more
>> stable than pure 3.HEAD alpha code.
>>
>> Also the squid.conf and configure details have changed.
>> http://wiki.squid-cache.org/Features/Tproxy4
>>
>> Amos
>>
>>> ________________________________
>>>
>>> From: viveksnv_at_aol.in [mailto:viveksnv_at_aol.in]
>>> Sent: Fri 1/9/2009 8:39 AM
>>> To: henrik_at_henriknordstrom.net
>>> Cc: squid-users_at_squid-cache.org; squid3_at_treenet.co.nz
>>> Subject: [squid-users] Re: WCCP configuration
>>>
>>> Hi,
>>>
>>> Thanks for the reply. It did help us solve the problem.
>>>
>>> But there is a new issue.
>>>
>>> We have configured as squid+tproxy. The squid ip is not displayed and
>>> only the client ip is displayed when we do the proxy test. But after
>>> configuring wccp we find that the server ip is displayed in the proxy
>>> test instead of the client ip.
>>>
>>> We also find that the http request is pathetically slow.
>>>
>>> squid.conf
>>>
>>> wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
>>> wccp2_service dynamic 90
>>> wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
>>>
>>> http_port 3128 transparent tproxy
>>>
>>> iptable:
>>> /usr/local/sbin/iptables -t tproxy -A PREROUTING -i wccp -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128
>>>
>>> We created a gre tunnel based on the router identifier.
>>>
>>> wccp2_router xx.xx.xxx.xx (ip of router interface connected to squid
>>> machine)
>>>
>>> The following command is assigned at the router interface connected to
>>> the lan.
>>> ip wccp 80 redirect in
>>> ip wccp 90 redirect out
>>>
>>> Following command at the router interface connected to squid.
>>> ip wccp redirect exclude in
>>>
>>> Router : Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M),
>>> Version 12.4(13b)
>>> Kernel : linux-2.6.20.21
>>> IPtable : iptables-1.3.8
>>> Os Ver : squid-2.7 Stable 5
>>>
>>> #lsmod
>>>
>>> ip_gre 19616 0
>>> iptable_filter 11136 0
>>> ipt_TPROXY 11136 1
>>> ipt_REDIRECT 10624 0
>>> xt_tcpudp 11904 1
>>> reiserfs 235144 5
>>> iptable_tproxy 23036 2 ipt_TPROXY
>>> iptable_nat 15492 1 iptable_tproxy
>>> ip_nat 24620 3 ipt_REDIRECT,iptable_tproxy,iptable_nat
>>> ip_tables 25448 3 iptable_filter,iptable_tproxy,iptable_nat
>>> x_tables 23560 5 ipt_TPROXY,ipt_REDIRECT,xt_tcpudp,iptable_nat,ip_tables
>>> ip_conntrack 53400 3 iptable_tproxy,iptable_nat,ip_nat
>>>
>>> The internet works, but the browsing is dead slow. Temporarily we have
>>> bypassed squid to browse the net.
>>>
>>> Thanks
>>> VK
>>>
>>> -----Original Message-----
>>> From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
>>> To: viveksnv_at_aol.in
>>> Cc: squid3_at_treenet.co.nz; squid-users_at_squid-cache.org
>>> Sent: Thu, 8 Jan 2009 12:05 am
>>> Subject: Re: WCCP configuration
>>>
>>> Wed 2009-01-07 at 08:46 -0500, viveksnv_at_aol.in wrote:
>>>
>>>> wccp2_router xxx.xx.xxx.xxx
>>>> wccp_version 4
>>>> wccp2_forwarding_method 1
>>>> wccp2_return_method 1
>>>> wccp2_assignment_method 1
>>>> wccp2_service dynamic 80
>>>> wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
>>>> wccp2_service dynamic 90
>>>> wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
>>>>
>>>> Router Eth0 - connected to lan. Eth1 - connected to squid.
>>>
>>> Have you also configured
>>>
>>> * A loopback address on the router, giving it an easily identified router
>>> ID
>>>
>>> * the required GRE/WCCP tunnel interface on the Squid server
>>>
>>> * disabled rp_filter on the above GRE/WCCP interface.
>>>
>>> * And adjusted the REDIRECT/NAT rules to act on traffic received on the
>>> GRE/WCCP interface configured above?
>>>
>>>> Service Identifier: web-cache
>>>> Number of Service Group Clients: 1
>>>> Number of Service Group Routers: 1
>>>> Total Packets s/w Redirected: 11336
>>>> Process: 0
>>>> Fast: 0
>>>> CEF: 11336
>>>
>>> Looks fine.
>>>
>>>> Is there any simple way of configuring WCCP. We have been beating round the
>>>> bush all day long to configure wccp.
>>>
>>> WCCP as such is configured. But something is missing in the interception
>>> at the proxy. Most likely the GRE interface mentioned above.
>>>
>>> Regards
>>> Henrik
>>>
>>> ________________________________________________________________________
>>> You are invited to Get a Free AOL Email ID. - http://webmail.aol.in
>>
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
>> Current Beta Squid 3.1.0.3

--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3
________________________________________________________________________
You are invited to Get a Free AOL Email ID. - http://webmail.aol.in
Received on Wed Jan 14 2009 - 11:14:43 MST

This archive was generated by hypermail 2.2.0 : Wed Jan 14 2009 - 12:00:03 MST
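
Added example (not part of the thread and not Squid project code): a shell audit of two items raised in the replies above, Henrik's rp_filter check on the GRE/WCCP interface and Amos's MTU check. The function names and the ROOT path prefix are assumptions; the sample tree is constructed, using the MTUs 1500 and 1476 from the ifconfig output, and the max-of-all-and-interface rp_filter rule is that of current Linux kernels.

```shell
#!/bin/sh
# Added example: audit the WCCP/GRE interface on a Squid host (not from the thread).
# ROOT is a path prefix so the checks can run on a constructed tree; use "" on a real host.

# Current Linux kernels apply the larger of conf/all and conf/<if> rp_filter,
# so both must be 0 for reverse-path filtering to be off on the tunnel.
effective_rp_filter() {
    all=$(cat "$1/proc/sys/net/ipv4/conf/all/rp_filter")
    dev=$(cat "$1/proc/sys/net/ipv4/conf/$2/rp_filter")
    if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi
}

# Bytes lost to encapsulation: physical MTU minus tunnel MTU
# (24 for plain GRE over IPv4: 20-byte outer IP header + 4-byte GRE header).
tunnel_overhead() {
    echo $(( $(cat "$1/sys/class/net/$3/mtu") - $(cat "$1/sys/class/net/$2/mtu") ))
}

# audit_wccp_if ROOT TUNNEL_IF PHYS_IF: one finding per line, non-zero on FAIL.
audit_wccp_if() {
    rc=0
    [ -d "$1/sys/class/net/$2" ] || { echo "FAIL: no interface $2"; return 1; }
    rp=$(effective_rp_filter "$1" "$2")
    if [ "$rp" -ne 0 ]; then
        echo "FAIL: rp_filter=$rp on $2 can drop decapsulated client packets"; rc=1
    fi
    oh=$(tunnel_overhead "$1" "$2" "$3")
    if [ "$oh" -gt 0 ]; then
        mss=$(( $(cat "$1/sys/class/net/$2/mtu") - 40 ))
        echo "WARN: $2 MTU is $oh bytes below $3; segments above MSS $mss need working PMTU discovery"
    fi
    return $rc
}

# Constructed sample tree using the MTUs from the ifconfig output in this thread;
# the rp_filter values passed in are made up for the demonstration.
make_sample_tree() {
    mkdir -p "$1/sys/class/net/eth0" "$1/sys/class/net/wccp" \
             "$1/proc/sys/net/ipv4/conf/all" "$1/proc/sys/net/ipv4/conf/wccp"
    echo 1500 > "$1/sys/class/net/eth0/mtu"
    echo 1476 > "$1/sys/class/net/wccp/mtu"
    echo "$2" > "$1/proc/sys/net/ipv4/conf/all/rp_filter"
    echo "$3" > "$1/proc/sys/net/ipv4/conf/wccp/rp_filter"
}

demo=$(mktemp -d)
make_sample_tree "$demo" 0 1
audit_wccp_if "$demo" wccp eth0 || echo "audit reported failures"
rm -rf "$demo"
```

On a real host, call `audit_wccp_if "" wccp eth0` with the actual tunnel and physical interface names.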