Re: [squid-users] CentOS/Squid/Tproxy but no transfer

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 14 Jul 2009 16:03:31 +1200

On Tue, 14 Jul 2009 10:19:43 +0800, Adrian Chadd <adrian_at_squid-cache.org>
wrote:
> 2009/7/14 Amos Jeffries <squid3_at_treenet.co.nz>:
>
>> Aha! duplicate syn-ack is exactly the case I got a good trace of
>> earlier.
>> Turned out to be missing config on the cisco box.
>
> Do you have an example of this particular (mis) configuration? The
> note in the Wiki article isn't very clear.

I don't. The admin only mentioned that adding a bypass on service group
fixed the issue.
I had a tcpdump of a set of requests showing pairs of seemingly identical
requests arriving from the router within 1sec of each other. On deep
inspection the slightly delayed one showed some minor alterations such as
Squid makes from the first.

If there is any way to make the wiki clearer without wholesale including of
per-IOS config settings, go for it.

>
>> The Features/Tproxy4 wiki page now makes explicit mention of this and
>> several possible workarounds.
>
>> The problem seems to be that the WCCP automatic bypass for return traffic
>> uses IP, which is not usable under TPROXY. Some other method of traffic
>> detection and bypass must be explicitly added for traffic
>> Squid->Cisco->Internet. In the old tproxy v2 configs (which still apply)
>> the class 90 was used for this.
>
> .. uhm, again, that isn't very clear. "automatic bypass" isn't
> explicitly configured anywhere nor do I see anything in the tproxy2
> config which mentions bypass with class 90. So I'm very curious what
> exactly it is that people are seeing, with what exact
> configuration(s).

Sorry, I can't be any clearer with the half-info I have. I'm not sure of
the Cisco config.
The behavior I saw was:
 enable wccpv2 + NAT intercept with wiki config
   ==> perfectly working, not a sign of any squid-sourced packets.

 swap NAT for tproxy4 with the wiki config (no change to WCCP or links)
   ==> loop trace showing squid outward packets coming IN from WCCP.

So I say "seems" and "appears" to be an automatic bypass in WCCP or router
somewhere. No idea where. "may" need bypassing manually to fix tproxy.

Amos
Received on Tue Jul 14 2009 - 04:03:35 MDT
