Re: [squid-users] WCCP+Squid not working

From: Guy Helmer <ghelmer_at_palisadesys.com>
Date: Thu, 29 Jan 2009 12:22:47 -0600

Do you have a gre tunnel interface configured? On my FreeBSD systems, I
have these additions to /etc/rc.conf:

ifconfig_gre0="inet 169.254.254.253/30 169.254.254.254 link0 link2 tunnel 10.10.10.250 172.16.2.3 up"
cloned_interfaces="gre0"

where the tunnel is from the FreeBSD system's IP address (10.10.10.250)
to the router's Router Identifier IP address (172.16.2.3).

My ipfw configuration contains this line near the beginning of my rule
list to redirect packets received via the gre tunnel to squid on
localhost; note that I have "in recv gre*" to match only packets
received through the gre tunnel interface:

fwd 10.10.10.250,3128 tcp from any to any dst-port 80 in recv gre*

I would think that your access-list 150 should match only outgoing TCP
packets to destination port 80 to be consistent with the destination
port 80 in your fwd rule.

It might help to show the output of "netstat -i" and "ipfw show" to see
whether packets are being received through the gre tunnel, and whether
packets are matching the ipfw fwd rule.

Guy

Anthony DeMatteis wrote:
> Greetings all,
>
> I'm still trying to get wccp working between my squid server and a Cisco
> 7200. I am now getting a wccp response from the router, albeit not via
> a GRE tunnel as I've seen in example after example on the net. Any
> additional information would be greatly appreciated.
>
> tail -f /usr/local/etc/squid/logs/cache.log
> ...
> 2009/01/29 09:27:06| wccp2HereIam: Called
> 2009/01/29 09:27:06| wccp2HereIam: sending to service id 0
> 2009/01/29 09:27:06| Sending HereIam packet size 144
> 2009/01/29 09:27:06| wccp2HandleUdp: Called.
> 2009/01/29 09:27:06| Incoming WCCPv2 I_SEE_YOU length 132.
> 2009/01/29 09:27:06| Complete packet received
> 2009/01/29 09:27:06| Incoming WCCP2_I_SEE_YOU Received ID old=305
> new=306.
> 2009/01/29 09:27:06| Cleaning out cache list
> 2009/01/29 09:27:06| checking cache list: (9f0213d8:9f0213d8)
> 2009/01/29 09:27:06| Change not detected (2 = 2)
>
> ar1.dc.az#sh ip wccp web-cache detail
> WCCP Cache-Engine information:
> Web Cache ID: 211.22.2.159
> Protocol Version: 2.0
> State: Usable
> Initial Hash Info: 00000000000000000000000000000000
> 00000000000000000000000000000000
> Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> Hash Allotment: 256 (100.00%)
> Packets Redirected: 302
> Connect Time: 00:04:30
>
> ar1.dc.az#sh ip wccp web-cache
> Global WCCP information:
> Router information:
> Router Identifier: 211.22.1.254
> Protocol Version: 2.0
>
> Service Identifier: web-cache
> Number of Cache Engines: 1
> Number of routers: 1
> Total Packets Redirected: 3463
> Redirect access-list: 150
> Total Packets Denied Redirect: 164188
> Total Packets Unassigned: 779
> Group access-list: -none-
> Total Messages Denied to Group: 0
> Total Authentication failures: 0
>
>
> But no squid/access.log activity, i.e. no traffic is being redirected.
>
>
> My Router config: (sanitized)
>
> ar1.dc.az#sh run
> Building configuration...
>
> Current configuration : 4519 bytes
> !
> ! Last configuration change at 15:33:55 UTC Thu Jan 29 2009
> ! NVRAM config last updated at 19:40:48 UTC Tue Jan 20 2009
> !
> version 12.2
> no service pad
> service timestamps debug datetime msec localtime show-timezone
> service timestamps log datetime msec localtime show-timezone
> service password-encryption
> no service dhcp
> no service single-slot-reload-enable
> !
> hostname ar1.dc.az
> !
> no logging monitor
> !
> ip subnet-zero
> ip wccp web-cache redirect-list 150
> ip cef distributed
> ip domain-name commspeed.net
> ip name-server 211.22.2.81
> ip name-server 211.22.2.82
> !
> !
> call rsvp-sync
> !
> !
> !
> !
> !
> !
> controller T1 4/0/0
> framing esf
> clock source internal
> linecode b8zs
> channel-group 0 timeslots 1-24
> description Customer123 PTP T1 - Qwest-CID: 14.HCXX.XXXXXX..MS
> !
> controller T1 4/0/1
> shutdown
> framing esf
> linecode b8zs
> !
> controller T1 4/0/2
> shutdown
> framing esf
> linecode b8zs
> !
> controller T1 4/0/3
> shutdown
> framing esf
> linecode b8zs
> !
> controller T1 4/0/4
> shutdown
> framing esf
> linecode b8zs
> !
> controller T1 4/0/5
> shutdown
> framing esf
> linecode b8zs
> !
> controller T1 4/0/6
> shutdown
> framing esf
> linecode b8zs
> !
> controller T1 4/0/7
> shutdown
> framing esf
> linecode b8zs
> !
> !
> !
> interface Loopback0
> description Loopback for BGP Peering
> ip address 211.22.1.254 255.255.255.255
> !
> interface Tunnel0
> no ip address
> !
> interface FastEthernet2/0
> description Prescott Valley Data Center - Core Network
> ip address 211.22.2.1 255.255.254.0 secondary
> ip address 211.22.0.1 255.255.255.0 secondary
> ip address 211.22.47.65 255.255.255.224 secondary
> ip address 211.22.4.34 255.255.255.224 secondary
> ip address 211.22.8.1 255.255.255.0 secondary
> ip address 211.22.4.33 255.255.255.224
> ip access-group block-phisher in
> ip route-cache same-interface
> full-duplex
> !
> interface FastEthernet2/1
> ip address 211.22.1.33 255.255.255.224 secondary
> ip address 211.22.5.1 255.255.255.192
> full-duplex
> !
> interface Serial4/0/0:0
> description Arcosanti PTP T1 - Qwest-CID: 14.HCXX.XXXXXX..MS
> bandwidth 1544
> ip address 211.22.1.13 255.255.255.252
> encapsulation ppp
> !
> interface FastEthernet4/1/0
> no ip address
> shutdown
> half-duplex
> !
> router eigrp 4492
> redistribute connected
> redistribute static
> passive-interface default
> no passive-interface FastEthernet2/1
> network 211.22.5.0 0.0.0.63
> distribute-list 86 out static
> no auto-summary
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 211.22.5.4
> ip route 10.1.0.20 255.255.255.255 211.22.3.6
> ip route 211.22.28.0 255.255.255.0 211.22.2.152
> ip route 211.22.47.32 255.255.255.224 211.22.1.14
> ip route 211.22.56.0 255.255.255.128 211.22.1.41
> ip route 211.22.56.128 255.255.255.128 211.22.1.41
> ip route 211.22.57.0 255.255.255.128 211.22.1.45
> ip route 211.22.57.128 255.255.255.128 211.22.1.43
> ip route 211.22.59.128 255.255.255.128 211.22.1.46
> no ip http server
> !
> !
> ip access-list extended block-mf-smtp
> deny tcp any host 211.22.2.15 eq smtp
> deny tcp any host 211.22.2.16 eq smtp
> permit ip any any
> ip access-list extended block-phisher
> deny ip 80.255.59.0 0.0.0.247 any log
> deny ip 41.220.64.0 0.0.15.255 any log
> permit ip any any
> ip access-list extended block-spam1
> deny tcp any host 211.22.2.14 eq smtp
> permit ip any any
> ip access-list extended block-spam2
> deny tcp any host 211.22.2.15 eq smtp
> permit ip any any
> ip access-list extended block-spam3
> deny tcp any host 211.22.2.16 eq smtp
> permit ip any any
> ip access-list extended temp
> deny tcp any host 211.22.2.15 eq smtp
> permit ip any any
> access-list 86 deny 0.0.0.0
> access-list 86 permit any
> access-list 150 permit ip any any
> snmp-server enable traps tty
> !
>
> End
>
> FreeBSD Server:
>
> gateway_enable="NO"
> defaultrouter="211.22.2.1"
> hostname="cache1.ispdomain.net"
> ifconfig_em0="inet 211.22.2.159 netmask 255.255.254.0"
>
> linux_enable="YES"
> sshd_enable="YES"
> usbd_enable="YES"
> apache_enable="YES"
>
> squid_enable="YES"
>
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall.cache"
> firewall_logging="YES"
> firewall_flags=""
> #firewall_type="open"
>
> router_enable="YES"
> gateway_enable="YES"
> #natd_enable="YES"
>
> rc.firewall.cache
> #!/bin/sh
> ipfw -q /etc/custom_firewall
>
> custom_firewall:
> cache1# cat /etc/custom_firewall
> -q flush
> -q queue flush
> -q pipe flush
>
> # for testing with the ip on the 2 network
> add 65533 allow tcp from 211.22.2.159 to any
> add 65534 fwd 211.22.2.159,3128 tcp from any to any 80
>
> Squid.conf (partial)
> http_port 211.11.2.159:3128 transparent
> wccp2_router 211.22.4.33
> wccp2_forwarding_method 1
> wccp2_return_method 1
> wccp2_service standard 0
> wccp2_rebuild_wait off
>
>

-- 
Guy Helmer, Ph.D.
Chief System Architect
Palisade Systems, Inc.
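As an added example (not part of either mail in this thread), the script below applies Guy's two checks to the text of "netstat -i" and "ipfw show": whether anything has arrived on the gre interface, and whether the fwd rule has ever matched. The two samples embedded in it are constructed, and the column layout of both commands is assumed from FreeBSD output of that era.

```shell
# Constructed `netstat -i` output: gre0 is configured but has received nothing.
NETSTAT_SAMPLE='Name    Mtu Network       Address              Ipkts Ierrs    Opkts Oerrs  Coll
em0    1500 <Link#1>      00:11:22:33:44:55  1204533     0  1107230     0     0
gre0   1476 <Link#3>                               0     0        0     0     0
gre0      - 169.254.254.2 169.254.254.253           0     -        0     -     -'

# Constructed `ipfw show` output: the fwd rule from the mail above, so far unmatched.
IPFW_SAMPLE='00100      0        0 fwd 10.10.10.250,3128 tcp from any to any dst-port 80 in recv gre*
65535 853421 91455112 allow ip from any to any'

# Sum of Ipkts over the gre* link-level rows (Mtu present, so inet rows are not
# double counted). The Ipkts column is located from the end of the line because
# the Address field is blank on tunnel rows and would shift a left-anchored index.
gre_input_packets() {
    printf '%s\n' "$1" | awk '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == "Ipkts") off = NF - i; next }
        $1 ~ /^gre/ && $2 != "-" { sum += $(NF - off) }
        END { print sum + 0 }'
}

# Sum of the packet counters of every fwd rule in `ipfw show` output
# (format: rule-number packets bytes action ...).
fwd_rule_matches() {
    printf '%s\n' "$1" | awk '$4 == "fwd" { sum += $2 } END { print sum + 0 }'
}

# Verdict on which stage of the redirect path stalls.
diagnose() {
    gre_in=$(gre_input_packets "$1")
    fwd_hits=$(fwd_rule_matches "$2")
    if [ "$gre_in" -eq 0 ]; then
        echo no-gre-input          # router is not GRE-encapsulating to this host, or tunnel endpoints are wrong
    elif [ "$fwd_hits" -eq 0 ]; then
        echo gre-ok-fwd-unmatched  # decapsulated packets arrive, but the fwd rule never fires
    else
        echo redirect-working
    fi
}

diagnose "$NETSTAT_SAMPLE" "$IPFW_SAMPLE"
```

On a live system, replace the two samples with `"$(netstat -i)"` and `"$(ipfw show)"`; the verdict separates a tunnel problem from a rule-matching problem before touching squid.conf.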
Received on Thu Jan 29 2009 - 18:22:59 MST
