Re: [squid-users] WCCP + Squid with Cisco 2811. Not working

From: Chris Abel <cabel_at_wildwood.edu>
Date: Fri, 10 Sep 2010 12:27:51 -0400

Amos Jeffries <squid3_at_treenet.co.nz> writes:
>On Tue, 07 Sep 2010 13:59:05 -0400, "Chris Abel" <cabel_at_wildwood.edu>
>wrote:
>> Hello Everyone!
>>
>> I seem to be very close to getting this to work, but I'm running into
>> some problems. First I'll explain my background story.
>>
>> I need a transparent proxy and the proxy server will need to be able to
>> view the client's IP address. I currently have a sonicwall router which
>> forwards all web traffic to the proxy. This is transparent and it works,
>> but it gives the sonicwall ip address as the client's ip address. I
>> cannot see who went to what.
>>
>> I was told WCCP will maintain the source ip address. I've been following
>> this tutorial almost strictly word by word:
>> http://www.digitalnerds.net/linux/transparent-squid-with-wccp/
>
>OMG! That tutorial is so broken I'm surprised their Squid even starts.
>
>>
>> The only thing I changed is that I am using wccpv2 instead of 1. When I
>> enable wccp on the router I can no longer download web pages, but I can
>> ping the web servers. On the router side I do see traffic going through
>> as CEF when I do a "show ip wccp". On the linux server side I also see gre1
>> encapsulation packets on the gre interface and I also get entries in my
>> cache.log for squid, but I don't know what they mean:
>
>Please understand WCCP *only* routes packets going to port 80. ping and
>any other testing which involves protocols and ports other than port 80
>HTTP give false results.
>
><snip>
>> 2010/09/03 14:47:08| WCCP Disabled.
>
>WCCPv1 is turned off...
>
>
>> 2010/09/03 14:47:08| Accepting WCCPv2 messages on port 2048, FD 14.
>
>WCCPv2 is turned on...
>
>> 2010/09/03 14:47:08| Initialising all WCCPv2 lists
>> 2010/09/03 14:47:08| Ready to serve requests.
>> 2010/09/03 14:47:08| Done reading /var/spool/squid swaplog (3901 entries)
>> 2010/09/03 14:47:08| Finished rebuilding storage from disk.
>> 2010/09/03 14:47:08| 3901 Entries scanned
>> 2010/09/03 14:47:08| 0 Invalid entries.
>> 2010/09/03 14:47:08| 0 With invalid flags.
>> 2010/09/03 14:47:08| 3901 Objects loaded.
>> 2010/09/03 14:47:08| 0 Objects expired.
>> 2010/09/03 14:47:08| 0 Objects cancelled.
>> 2010/09/03 14:47:08| 0 Duplicate URLs purged.
>> 2010/09/03 14:47:08| 0 Swapfile clashes avoided.
>> 2010/09/03 14:47:08| Took 0.4 seconds (11008.4 objects/sec).
>> 2010/09/03 14:47:08| Beginning Validation Procedure
>> 2010/09/03 14:47:08| Completed Validation Procedure
>> 2010/09/03 14:47:08| Validated 3901 Entries
>> 2010/09/03 14:47:08| store_swap_size = 92096k
>> 2010/09/03 14:47:08| storeLateRelease: released 0 objects
>>
>>
>> I'm not sure where to go from here. It looks like everything's working,
>> but it obviously is not. Is there anything else I can try? Any other ways to
>> help me debug this?
>>
>
>First, check your configuration for Squid and its firewall match this
>page:
>http://wiki.squid-cache.org/Features/Wccp2#Squid_configuration_for_WCCP_version_2
>
>An alternative to WCCP is to do real routing, we have an example for a
>2501 here:
>http://wiki.squid-cache.org/ConfigExamples/Intercept/Cisco2501PolicyRoute
>
>
>For the troubleshooting;
> * There is no indication in the cache.log that the cisco or Squid are in
>contact with each other. Check the cisco wccp information to see if it's
>got any knowledge of Squid.
> * check if requests are getting into Squid. access.log should have
>records of every request attempt made, even failed ones.
> * the 'usual' problem when this behaviour is seen is that packets going
>from squid get looped back somewhere strange. They are supposed to get a
>free pass out to the Internet. Whether or not they go back to the cisco to
>do so is optional.
>
>
>Squid by default will hold off sending its HERE_I_AM message to the cisco
>until the cache has been fully loaded and Squid is actually ready for
>service. If you have a large cache (GB) wccp2_rebuild_wait can make it not
>wait, but you will see degraded service until the cache is available.
>
>
>Amos

I have used the squid wiki on wccp word for word and I am still having
trouble. I'm getting a different kind of problem though. Instead of the
webservers timing out, I get an immediate 404 response. I can see that the
router is sending the wccp packets from "show ip wccp":
Global WCCP information:
    Router information:
        Router Identifier: 192.168.0.22
        Protocol Version: 2.0

    Service Identifier: web-cache
        Number of Service Group Clients: 1
        Number of Service Group Routers: 1
        Total Packets s/w Redirected: 254
          Process: 2
          Fast: 0
          CEF: 252
        Redirect access-list: -none-
        Total Packets Denied Redirect: 0
        Total Packets Unassigned: 112
        Group access-list: -none-
        Total Messages Denied to Group: 0
        Total Authentication failures: 0
        Total Bypassed Packets Received: 0

I also see that my squid server is getting activity on the gre tunnel
using "tcpdump -ni wccp0":

12:17:32.446759 IP 10.131.5.215.49859 > 173.194.10.167.80: . ack
2241056207 win 65535 <nop,nop,timestamp 497582527 3217260831,nop,nop,sack
1 {1449:7241}>
12:17:32.448952 IP 10.131.4.24.63323 > 194.47.250.18.80: . ack 2006719259
win 65535 <nop,nop,timestamp 903097936 64231447,nop,nop,sack 1 {1449:4345}>

BUT I do not see any activity in my squid logs. I did a tail -f * in the
directory my squid logs are in and I did not receive anything.

Could I try anything else?

Thanks in advance!
Chris

___________________________
Chris Abel
Systems and Network Administrator
Wildwood Programs
2995 Curry Road Extension
Schenectady, NY 12303
518-836-2341
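A small cross-check of the two diagnostics quoted in this thread, the router's "show ip wccp" counters and Squid's cache.log WCCP lines, written as an added example for this page and not code from Squid or from anyone on the list. The sample texts are constructed from the lines quoted above, and the checks follow the troubleshooting points in Amos's reply.

```python
import re

# Constructed sample, shaped like the "show ip wccp" output quoted in the thread.
SHOW_IP_WCCP = """Global WCCP information:
    Router information:
        Router Identifier: 192.168.0.22
        Protocol Version: 2.0

    Service Identifier: web-cache
        Number of Service Group Clients: 1
        Number of Service Group Routers: 1
        Total Packets s/w Redirected: 254
          Process: 2
          Fast: 0
          CEF: 252
        Total Packets Unassigned: 112
"""

# Constructed sample of the Squid startup lines quoted in the thread.
CACHE_LOG = """2010/09/03 14:47:08| WCCP Disabled.
2010/09/03 14:47:08| Accepting WCCPv2 messages on port 2048, FD 14.
2010/09/03 14:47:08| Ready to serve requests.
"""


def parse_wccp_status(text):
    """Turn every 'Key: value' line of 'show ip wccp' into a dict (values kept as str)."""
    status = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(\S.*)$", line)
        if m:
            status[m.group(1)] = m.group(2)
    return status


def wccp_findings(status, cache_log):
    """List what still points at a problem, following the checks in the reply above."""
    def count(key):
        return int(status.get(key, "0"))
    findings = []
    if count("Number of Service Group Clients") < 1:
        findings.append("router has no web-cache client: Squid never registered")
    if count("Total Packets s/w Redirected") == 0:
        findings.append("nothing redirected yet: only port 80 is redirected, test with HTTP")
    if count("Total Packets Unassigned") > 0:
        findings.append("packets hit redirect while no cache was assigned the bucket")
    if "Accepting WCCPv2 messages" not in cache_log:
        findings.append("Squid did not open its WCCPv2 listener")
    if "Ready to serve requests." not in cache_log:
        findings.append("Squid not ready; HERE_I_AM waits for the cache rebuild")
    return findings
```

With the constructed sample, the only finding left is the non-zero "Unassigned" counter, which matches the symptom in this thread: the router redirects packets and Squid is up, yet nothing reaches access.log.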
Received on Fri Sep 10 2010 - 16:23:39 MDT

This archive was generated by hypermail 2.2.0 : Mon Sep 13 2010 - 12:00:02 MDT