Re: [squid-users] WCCP

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 20 Oct 2009 13:20:27 +1300

On Mon, 19 Oct 2009 20:06:55 -0400, Ross Kovelman
<rkovelman_at_gruskingroup.com> wrote:
>> From: Amos Jeffries <squid3_at_treenet.co.nz>
>> Date: Tue, 20 Oct 2009 12:40:02 +1300
>> To: Ross Kovelman <rkovelman_at_gruskingroup.com>
>> Cc: "squid-users_at_squid-cache.org" <squid-users_at_squid-cache.org>
>> Subject: Re: [squid-users] WCCP
>>
>> On Mon, 19 Oct 2009 18:26:18 -0400, Ross Kovelman
>> <rkovelman_at_gruskingroup.com> wrote:
>>>> From: Amos Jeffries <squid3_at_treenet.co.nz>
>>>> Date: Tue, 20 Oct 2009 11:04:42 +1300
>>>> To: Ross Kovelman <rkovelman_at_gruskingroup.com>
>>>> Cc: "squid-users_at_squid-cache.org" <squid-users_at_squid-cache.org>
>>>> Subject: Re: [squid-users] WCCP
>>>>
>>>> On Mon, 19 Oct 2009 14:21:44 -0400, Ross Kovelman wrote:
>>>>>> From: Amos Jeffries
>>>>>>
>>>>>> Ross Kovelman wrote:
>>>>>>>> From: Amos Jeffries:
>>>>>>>>
>>>>>>>> Ross Kovelman wrote:
>>>>>>>>> I am going to be using WCCP. I did another reconfigure with the
>>>>>>>>> --enable WCCP option. How can I check that it is on and running? The
>>>>>>>>> next step I need to do is upgrade to version 2 since the Cisco only
>>>>>>>>> communicates on version 2. I tried to do the patch < upgrade patch
>>>>>>>>> but then I get a response with path to upgrade and I am not sure
>>>>>>>>> where the file is I need patch.
>>>>>>>> There is zero need to patch for support WCCPv2. It's been built into
>>>>>>>> Squid for many years now.
>>>>>>>>
>>>>>>>> Run "./configure --help".
>>>>>>>> * If it lists "--disable-wccpv2" there is no need to do anything.
>>>>>>>> * If it lists "--enable-wccpv2", add that to your build options.
>>>>>>>> * If it does not mention "wccpv2" at all upgrade your Squid version.
>>>>>>>>
>>>>>>>> Then setup squid.conf with the relevant wccp2_* options.
>>>>>>>>
>>>>>>>> http://www.squid-cache.org/Doc/config/ or the wiki example configs have
>>>>>>>> details on those.
>>>>>>>
>>>>>>> Thanks again.
>>>>>>> Running the ./configure --help only says this:
>>>>>>>   --disable-wccp            Disable Web Cache Coordination V1 Protocol
>>>>>>>   --disable-wccpv2          Disable Web Cache Coordination V2 Protocol
>>>>>>>
>>>>>>> When I did the install I ran the ./configure --enable wccp option. I
>>>>>>> didn't say --enable-wccpv2, does this matter? I also have this in the
>>>>>>> config:
>>>>>>> wccp2_router 192.168.16.1
>>>>>>> wccp2_forwarding_method 1
>>>>>>> wccp2_return_method 1
>>>>>>>
>>>>>>> I am running Squid Web Proxy 2.7.STABLE5.
>>>>>>
>>>>>> Okay. Thats fine.
>>>>>>
>>>>>> The ./configure results mean that both WCCP versions are built into
>>>>>> Squid by default unless you explicitly say --disable. Nothing extra
>>>>>> needed to build them.
>>>>>>
>>>>>> The config options you have there are already WCCPv2-only options for
>>>>>> Cisco. Nothing new needed there either.
>>>>>>
>>>>>> If thats not working its a config error somewhere.
>>>>>>
>>>>>
>>>>> I am getting this in my cache log:
>>>>>
>>>>> Accepting proxy HTTP connections at 0.0.0.0, port 3128, FD 20.
>>>>> commBind: Cannot bind socket FD 21 to *:3128: (48) Address already in use
>>>>> Accepting proxy HTTP connections at 0.0.0.0, port 80, FD 21.
>>>>> commBind: Cannot bind socket FD 22 to *:80: (48) Address already in use
>>>>
>>>>
>>>> http://wiki.squid-cache.org/SquidFaq/TroubleShooting#Cannot_bind_socket_FD_NN_to_.2A:8080_.28125.29_Address_already_in_use
>>>>
>>>> I would suspect this as part of the problem. The WCCP router will be
>>>> trying to contact whatever software is already running on port 3128, not
>>>> the Squid you are starting with WCCP config.
>>>>
>>>>> Accepting ICP messages at 0.0.0.0, port 3130, FD 22.
>>>>> WCCP Disabled.
>>>>> Accepting WCCPv2 messages on port 2048, FD 23.
>>
>> To answer your earlier question:
>> the above two lines means WCCPv1 is disabled, WCCPv2 is being used.
>>
>>>>> Initialising all WCCPv2 lists
>>>>>
>>>>> As from my other posting I need WCCP enabled but it is showing disabled.
>>>>> Any reason why? How can I resolve this. Below is my lines in config
>>>>>
>>>>> wccp2_router 192.168.16.1
>>>>> wccp2_forwarding_method 1
>>>>> wccp2_return_method 1
>>>>
>>>> The above are only the config of how squid sends packets to the Cisco.
>>>> WCCP requires configuration Cisco, the squid box OS and firewall, and
>>>> routing tables. Any one of which could be the problem.
>>>> The tutorials and troubleshooting info we have at present is a little
>>>> spread out and disjointed. What how-to are you working from?
>>>>
>>>> Amos
>>>
>>> Amos,
>>> I just did a TCP dump and I think my problem is the GRE packet. It is
>>> being listed I think as unknown. Shouldn't squid be able to pick the packet
>>> up and open it? The Cisco sees squid and relays the information good but
>>> it is stopping at the squid box. Any ideas? I am just google'ing around no
>>> set how to.
>>
>> Okay. I've polished up our exemplar configs a little:
>> http://wiki.squid-cache.org/Features/Wccp2
>> (some way to go though).
>>
>> There are four parts to WCCP systems:
>>
>> 1) WCCP capture and redirect
>>
>> 2) gre tunnel between the Cisco and Squid boxes
>>
>> 3) squid box firewall settings and NAT capture of received gre packets
>>
>> http://wiki.squid-cache.org/ConfigExamples/Intercept#Traffic_Interception_capture_into_Squid
>>
>> 4) squid.conf settings to make Squid contact the cisco router
>>
>> Amos
>>
> From what I have read and what you show only for the PIX and ASA should be
> the same. The Pix is actually correct for the ASA, although that is what
> Cisco told me to do.
>
> As far as:
> wccp2_router - My cisco router address
> wccp2_forwarding_method - I took this out of my config as GRE is default
> wccp2_return_method - same as forward
> wccp2_assignment_method - nothing in config
> wccp2_service - nothing in config
>
> Am I missing something? If I have my cisco config turned on for WCCP and
> squid running no one can browse the web. If I turn squid off and leave wccp
> running on the Cisco browsing web is perfect. No issues. Anything else to
> check?

... rp_filter settings on the Squid box are turned off.

... iptables does REDIRECT or DNAT capture of the packets to the Squid
http_port marked with "transparent"

>
> bert:~ administrator$ sudo tcpdump -n -i en1 ip proto gre
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on en1, link-type EN10MB (Ethernet), capture size 96 bytes
> 15:00:33.599161 IP 192.168.xx.1 > 192.168.xx.xxx: GREv0, length 60: gre-proto-0x883e
> 15:00:34.715585 IP 192.168.xx.1 > 192.168.xx.xxx: GREv0, length 60: gre-proto-0x883e
> 15:00:34.805734 IP 192.168.xx.1 > 192.168.xx.xxx: GREv0, length 56: gre-proto-0x883e
> 15:00:34.808181 IP 192.168.xx.1 > 192.168.xx.xxx: GREv0, length 56: gre-proto-0x883e gre-proto-0x883e
> 15:00:34.805734 IP 192.168.xx.1 > 192.168.xx.xxx: GREv0, length 56: gre-proto-0x883e
> 15:00:34.808181 IP 192.168.xx.1 > 192.168.xx.xxx: GREv0, length 56: gre-proto-0x883e
>
> Does that help? Let me know what you need from me so we can resolve this.
> I did mask off my IP but the IP prior to the > is the ASA and the numbers
> after is the squid server
>
> Thanks
Received on Tue Oct 20 2009 - 00:20:31 MDT

This archive was generated by hypermail 2.2.0 : Tue Oct 20 2009 - 12:00:03 MDT
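The thread turns on two pieces of evidence: the cache.log startup lines (bind failures on 3128 and 80, "WCCP Disabled." for v1 next to "Accepting WCCPv2 messages" for v2) and the tcpdump capture showing GRE packets from the router that tcpdump lists only as gre-proto-0x883e, the GRE protocol type Cisco uses for WCCP-redirected traffic. The following Python script is an added example, not code from the thread or from the Squid project: it parses both kinds of output and maps them onto the checks Amos lists (port already in use, WCCPv2 listener present, gre tunnel, rp_filter off, iptables REDIRECT/DNAT to the transparent http_port). The sample inputs are constructed after the quoted lines; the Squid host address 192.168.16.50, the regexes and the function names are assumptions of this example.

```python
import re

# GRE protocol-type value tcpdump prints as "gre-proto-0x883e": the type Cisco
# uses for WCCP-redirected packets (tcpdump shows it rather than decoding it).
WCCP_GRE_PROTO = 0x883E

# Matches one line of "tcpdump -n -i <if> ip proto gre" output (assumed format).
GRE_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"GREv(?P<ver>\d), length (?P<length>\d+): gre-proto-0x(?P<proto>[0-9a-fA-F]+)"
)

# Matches Squid's startup complaint when an http_port is already taken.
BIND_FAIL = re.compile(
    r"commBind: Cannot bind socket FD \d+ to \*:(?P<port>\d+): \(\d+\) Address already in use"
)
WCCPV2_LISTEN = re.compile(r"Accepting WCCPv2 messages on port (?P<port>\d+)")

# Constructed samples modelled on the lines quoted in the thread. The router
# address is the wccp2_router value from the thread; the Squid host is assumed.
ROUTER_IP = "192.168.16.1"
SQUID_IP = "192.168.16.50"
SAMPLE_TCPDUMP = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 96 bytes
15:00:33.599161 IP 192.168.16.1 > 192.168.16.50: GREv0, length 60: gre-proto-0x883e
15:00:34.715585 IP 192.168.16.1 > 192.168.16.50: GREv0, length 60: gre-proto-0x883e
15:00:34.805734 IP 192.168.16.1 > 192.168.16.50: GREv0, length 56: gre-proto-0x883e
15:00:34.808181 IP 192.168.16.1 > 192.168.16.50: GREv0, length 56: gre-proto-0x883e
15:00:35.120000 IP 192.168.16.50 > 192.168.16.1: GREv0, length 56: gre-proto-0x883e
15:00:36.000000 IP 192.168.16.1 > 192.168.16.50: GREv0, length 80: gre-proto-0x0800
"""
SAMPLE_CACHE_LOG = """\
Accepting proxy HTTP connections at 0.0.0.0, port 3128, FD 20.
commBind: Cannot bind socket FD 21 to *:3128: (48) Address already in use
Accepting proxy HTTP connections at 0.0.0.0, port 80, FD 21.
commBind: Cannot bind socket FD 22 to *:80: (48) Address already in use
Accepting ICP messages at 0.0.0.0, port 3130, FD 22.
WCCP Disabled.
Accepting WCCPv2 messages on port 2048, FD 23.
Initialising all WCCPv2 lists
"""


def parse_tcpdump_gre(text):
    """Parse tcpdump GRE lines into dicts; banner lines that do not match are skipped."""
    packets = []
    for raw in text.splitlines():
        m = GRE_LINE.match(raw.strip())
        if m:
            packets.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                            "version": int(m["ver"]), "length": int(m["length"]),
                            "proto": int(m["proto"], 16)})
    return packets


def classify_gre(packets, router_ip, squid_ip):
    """Count WCCP GRE packets per direction; any other GRE traffic lands in 'other'."""
    counts = {"router_to_squid": 0, "squid_to_router": 0, "other": 0}
    for p in packets:
        if p["proto"] != WCCP_GRE_PROTO:
            counts["other"] += 1
        elif (p["src"], p["dst"]) == (router_ip, squid_ip):
            counts["router_to_squid"] += 1
        elif (p["src"], p["dst"]) == (squid_ip, router_ip):
            counts["squid_to_router"] += 1
        else:
            counts["other"] += 1
    return counts


def parse_cache_log(text):
    """Extract WCCP listener state and http_port bind failures from cache.log lines."""
    state = {"wccpv1_enabled": None, "wccpv2_port": None, "bind_failures": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "WCCP Disabled.":
            state["wccpv1_enabled"] = False
        elif (m := WCCPV2_LISTEN.search(line)):
            state["wccpv2_port"] = int(m["port"])
        elif (m := BIND_FAIL.search(line)):
            state["bind_failures"].append(int(m["port"]))
    return state


def next_checks(log_state, gre_counts):
    """Turn the parsed evidence into the checks the thread walks through."""
    checks = []
    for port in log_state["bind_failures"]:
        checks.append(f"port {port} already in use: redirected traffic reaches "
                      f"whatever holds it, not the Squid being started")
    if log_state["wccpv2_port"] is None:
        checks.append("no WCCPv2 listener: check wccp2_router in squid.conf")
    if gre_counts["router_to_squid"] == 0:
        checks.append("no WCCP GRE from the router: check the Cisco WCCP config")
    else:
        checks.append("router-side redirect works: check the gre tunnel, rp_filter off, "
                      "and iptables REDIRECT/DNAT to the transparent http_port")
    return checks


def run_demo():
    """Run both parsers over the constructed samples and return the findings."""
    packets = parse_tcpdump_gre(SAMPLE_TCPDUMP)
    counts = classify_gre(packets, ROUTER_IP, SQUID_IP)
    state = parse_cache_log(SAMPLE_CACHE_LOG)
    return counts, state, next_checks(state, counts)


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

On real output, feed `parse_tcpdump_gre` the capture from the Squid box's interface and `parse_cache_log` the startup section of cache.log; a capture that shows router-to-Squid 0x883e packets with nothing arriving at Squid points at the host side (tunnel, rp_filter, NAT capture), which is exactly where the thread ends up.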