Re: [squid-users] WCCP

From: Ross Kovelman <rkovelman_at_gruskingroup.com>
Date: Mon, 19 Oct 2009 20:06:55 -0400

> From: Amos Jeffries <squid3_at_treenet.co.nz>
> Date: Tue, 20 Oct 2009 12:40:02 +1300
> To: Ross Kovelman <rkovelman_at_gruskingroup.com>
> Cc: "squid-users_at_squid-cache.org" <squid-users_at_squid-cache.org>
> Subject: Re: [squid-users] WCCP
>
> On Mon, 19 Oct 2009 18:26:18 -0400, Ross Kovelman
> <rkovelman_at_gruskingroup.com> wrote:
>>> From: Amos Jeffries <squid3_at_treenet.co.nz>
>>> Date: Tue, 20 Oct 2009 11:04:42 +1300
>>> To: Ross Kovelman <rkovelman_at_gruskingroup.com>
>>> Cc: "squid-users_at_squid-cache.org" <squid-users_at_squid-cache.org>
>>> Subject: Re: [squid-users] WCCP
>>>
>>> On Mon, 19 Oct 2009 14:21:44 -0400, Ross Kovelman wrote:
>>>>> From: Amos Jeffries
>>>>>
>>>>> Ross Kovelman wrote:
>>>>>>> From: Amos Jeffries:
>>>>>>>
>>>>>>> Ross Kovelman wrote:
>>>>>>>> I am going to be using WCCP. I did another reconfigure with the
>>>>>>>> --enable WCCP option. How can I check that it is on and running?
>>>>>>>> The next step I need to do is upgrade to version 2 since the Cisco
>>>>>>>> only communicates on version 2. I tried to do the patch < upgrade
>>>>>>>> patch but then I get a response with path to upgrade and I am not
>>>>>>>> sure where the file is I need patch.
>>>>>>> There is zero need to patch for WCCPv2 support. It's been built
>>>>>>> into Squid for many years now.
>>>>>>>
>>>>>>> Run "./configure --help".
>>>>>>> * If it lists "--disable-wccpv2" there is no need to do anything.
>>>>>>> * If it lists "--enable-wccpv2" , add that to your build options.
>>>>>>> * If it does not mention "wccpv2" at all, upgrade your Squid version.
>>>>>>>
>>>>>>> Then set up squid.conf with the relevant wccp2_* options.
>>>>>>>
>>>>>>> http://www.squid-cache.org/Doc/config/ or the wiki example configs
>>>>>>> have details on those.
>>>>>>
>>>>>> Thanks again.
>>>>>> Running the ./configure --help only says this:
>>>>>> --disable-wccp Disable Web Cache Coordination V1 Protocol
>>>>>> --disable-wccpv2 Disable Web Cache Coordination V2 Protocol
>>>>>>
>>>>>> When I did the install I ran the ./configure --enable wccp option. I
>>>>>> didn't say --enable-wccpv2, does this matter? I also have this in the
>>>>>> config:
>>>>>> wccp2_router 192.168.16.1
>>>>>> wccp2_forwarding_method 1
>>>>>> wccp2_return_method 1
>>>>>>
>>>>>> I am running Squid Web Proxy 2.7.STABLE5.
>>>>>
>>>>> Okay. That's fine.
>>>>>
>>>>> The ./configure results mean that both WCCP versions are built into
>>>>> Squid by default unless you explicitly say --disable. Nothing extra
>>>>> needed to build them.
>>>>>
>>>>> The config options you have there are already WCCPv2-only options for
>>>>> Cisco. Nothing new needed there either.
>>>>>
>>>>> If that's not working it's a config error somewhere.
>>>>>
>>>>
>>>> I am getting this in my cache log:
>>>>
>>>> Accepting proxy HTTP connections at 0.0.0.0, port 3128, FD 20.
>>>> commBind: Cannot bind socket FD 21 to *:3128: (48) Address already in use
>>>> Accepting proxy HTTP connections at 0.0.0.0, port 80, FD 21.
>>>> commBind: Cannot bind socket FD 22 to *:80: (48) Address already in use
>>>
>>>
>>> http://wiki.squid-cache.org/SquidFaq/TroubleShooting#Cannot_bind_socket_FD_NN_to_.2A:8080_.28125.29_Address_already_in_use
>>>
>>> I would suspect this as part of the problem. The WCCP router will be
>>> trying to contact whatever software is already running on port 3128,
>>> not the Squid you are starting with WCCP config.
>>>
>>>> Accepting ICP messages at 0.0.0.0, port 3130, FD 22.
>>>> WCCP Disabled.
>>>> Accepting WCCPv2 messages on port 2048, FD 23.
>
> To answer your earlier question:
> the above two lines mean WCCPv1 is disabled, WCCPv2 is being used.
>
>>>> Initialising all WCCPv2 lists
>>>>
>>>> As from my other posting I need WCCP enabled but it is showing
>>>> disabled. Any reason why? How can I resolve this? Below are my lines
>>>> in config
>>>>
>>>> wccp2_router 192.168.16.1
>>>> wccp2_forwarding_method 1
>>>> wccp2_return_method 1
>>>
>>> The above are only the config of how squid sends packets to the Cisco.
>>> WCCP requires configuration on the Cisco, the squid box OS and firewall, and
>>> routing tables. Any one of which could be the problem.
>>> The tutorials and troubleshooting info we have at present is a little
>>> spread out and disjointed. What how-to are you working from?
>>>
>>> Amos
>>
>> Amos,
>> I just did a TCP dump and I think my problem is the GRE packet. It is
>> being listed I think as unknown. Shouldn't squid be able to pick the
>> packet up and open it? The Cisco sees squid and relays the information
>> well but it is stopping at the squid box. Any ideas? I am just googling
>> around, no set how-to.
>
> Okay. I've polished up our exemplar configs a little:
> http://wiki.squid-cache.org/Features/Wccp2
> (some way to go though).
>
> There are four parts to WCCP systems:
>
> 1) WCCP capture and redirect
>
> 2) gre tunnel between the Cisco and Squid boxes
>
> 3) squid box firewall settings and NAT capture of received gre packets
>
> http://wiki.squid-cache.org/ConfigExamples/Intercept#Traffic_Interception_capture_into_Squid
>
> 4) squid.conf settings to make Squid contact the cisco router
>
> Amos
>
From what I have read and what you show only for the PIX and ASA should be
the same. The Pix is actually correct for the ASA, although that is what
Cisco told me to do.

As far as:
wccp2_router - My cisco router address
wccp2_forwarding_method - I took this out of my config as GRE is default
wccp2_return_method - same as forward
wccp2_assignment_method - nothing in config
wccp2_service - nothing in config

Am I missing something? If I have my cisco config turned on for WCCP and
squid running no one can browse the web. If I turn squid off and leave wccp
running on the Cisco browsing web is perfect. No issues. Anything else to
check?

bert:~ administrator$ sudo tcpdump -n -i en1 ip proto gre
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 96 bytes
15:00:33.599161 IP 192.168.xx.1 > 192.168.xx.xxx: GREv0, length 60: gre-proto-0x883e
15:00:34.715585 IP 192.168.xx.1 > 192.168.xx.xxx: GREv0, length 60: gre-proto-0x883e
15:00:34.805734 IP 192.168.xx.1 > 192.168.xx.xxx: GREv0, length 56: gre-proto-0x883e
15:00:34.808181 IP 192.168.xx.1 > 192.168.xx.xxx: GREv0, length 56: gre-proto-0x883e gre-proto-0x883e
15:00:34.805734 IP 192.168.xx.1 > 192.168.xx.xxx: GREv0, length 56: gre-proto-0x883e
15:00:34.808181 IP 192.168.xx.1 > 192.168.xx.xxx: GREv0, length 56: gre-proto-0x883e

Does that help? Let me know what you need from me so we can resolve this.
I did mask off my IP, but the IP prior to the > is the ASA and the numbers
after are the squid server.

Thanks
Received on Tue Oct 20 2009 - 00:07:19 MDT
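An added example, not code from this thread or from Squid, of what the squid box's kernel has to do with the gre-proto-0x883e packets in the tcpdump above before Squid can ever see them: strip the outer IP and GRE headers (part 2 of Amos's list) and hand the inner client packet to the firewall NAT rule that redirects port 80 to Squid's port (part 3). The router address 192.168.16.1 is from the thread; the squid box, client and server addresses and the 80 -> 3128 mapping are constructed assumptions.

```python
import struct
WCCP_GRE_PROTO = 0x883E   # GRE protocol type that tcpdump prints as gre-proto-0x883e
IPPROTO_GRE, IPPROTO_TCP = 47, 6

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left 0 (constructed sample, never sent).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def tcp_syn(sport, dport):
    # 20-byte TCP header: data offset 5, only the SYN flag (0x02) set.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)

def wccp_gre_packet(router, squid, client, server):
    # Router -> squid box: outer IPv4 (proto 47) + 4-byte GRE header + the client's SYN.
    inner = ipv4_header(client, server, IPPROTO_TCP, 20) + tcp_syn(40000, 80)
    gre = struct.pack("!HH", 0x0000, WCCP_GRE_PROTO)  # no C/K/S bits, GRE version 0
    return ipv4_header(router, squid, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner

def decapsulate(pkt):
    """Strip the WCCP GRE wrapper and describe the original client packet inside."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags, proto = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if proto != WCCP_GRE_PROTO or flags & 0xB007:
        # 0xB000 = C/K/S bits (would mean a longer header), 0x0007 = GRE version
        raise ValueError("not a plain WCCPv2 GRE frame")
    inner = pkt[ihl + 4:]
    inner_ihl = (inner[0] & 0x0F) * 4
    info = {
        "router": ".".join(map(str, pkt[12:16])),
        "client": ".".join(map(str, inner[12:16])),
        "server": ".".join(map(str, inner[16:20])),
        "proto": inner[9],
    }
    if inner[9] == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
        info.update(sport=sport, dport=dport, syn=bool(inner[inner_ihl + 13] & 0x02))
    return info

def nat_redirect(info, rules=None):
    # Port a tunnel-interface REDIRECT rule would send it to; 80 -> 3128 is an assumed mapping.
    rules = rules or {80: 3128}
    return rules.get(info.get("dport"))

if __name__ == "__main__":
    pkt = wccp_gre_packet("192.168.16.1", "192.168.16.50", "192.168.16.77", "203.0.113.10")
    print(decapsulate(pkt), "-> redirect to port", nat_redirect(decapsulate(pkt)))
```

If the GRE packets arrive but nothing on the host performs this decapsulation and redirect, the client's SYN is simply dropped, which matches browsing stopping at the squid box while the Cisco side looks healthy.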
