Re: [squid-users] WCCP + Squid with Cisco 2811. Not working

From: Chris Abel <cabel_at_wildwood.edu>
Date: Tue, 14 Sep 2010 14:09:52 -0400

Amos Jeffries <squid3_at_treenet.co.nz> writes:
>
>I'm trying to remember how we debugged these issues previously.
> * It sounds a lot like rp_filter deleting the packets in its
>anti-spoofing security. A cache.log trace with debug_options 5,9 89,9
>should show the connections arriving at Squid.
I've used the following commands to disable rp_filter:
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter

When I use the debug_options 5,9 89,9 I get nothing but this in my
cache.log:
2010/09/14 13:42:51| comm_call_handlers(): got fd=14 read_event=8 write_event=8 F->read_handler=0x80d9f40 F->write_handler=(nil)
2010/09/14 13:42:51| comm_call_handlers(): Calling read handler on fd=14
2010/09/14 13:42:51| commSetSelect: FD 14 type 1
2010/09/14 13:42:51| commSetEvents(fd=14)
2010/09/14 13:42:51| comm_select: timeout 423
2010/09/14 13:42:51| comm_select: time out
2010/09/14 13:42:51| comm_select: timeout 389
2010/09/14 13:42:52| comm_select: time out
2010/09/14 13:42:52| comm_select: timeout 1000
2010/09/14 13:42:52| comm_select: time out
2010/09/14 13:42:52| comm_select: timeout 392
2010/09/14 13:42:53| comm_select: time out
2010/09/14 13:42:53| comm_select: timeout 1000
2010/09/14 13:42:53| comm_select: time out
2010/09/14 13:42:53| comm_select: timeout 392
2010/09/14 13:42:54| comm_select: time out
2010/09/14 13:42:54| comm_select: timeout 1
2010/09/14 13:42:54| comm_select: time out
2010/09/14 13:42:54| comm_select: timeout 1000
2010/09/14 13:42:54| comm_select: time out
2010/09/14 13:42:54| comm_select: timeout 396
2010/09/14 13:42:55| comm_select: time out
2010/09/14 13:42:55| comm_select: timeout 588
2010/09/14 13:42:55| comm_select: time out
2010/09/14 13:42:55| comm_select: timeout 1
2010/09/14 13:42:55| comm_select: time out
2010/09/14 13:42:55| comm_select: timeout 409
2010/09/14 13:42:55| comm_select: time out
2010/09/14 13:42:55| comm_select: timeout 397
2010/09/14 13:42:56| comm_select: time out
2010/09/14 13:42:56| comm_select: timeout 1000
2010/09/14 13:42:56| comm_select: time out
2010/09/14 13:42:56| comm_select: timeout 401
2010/09/14 13:42:57| comm_select: time out
2010/09/14 13:42:57| comm_select: timeout 1000
2010/09/14 13:42:57| comm_select: time out
2010/09/14 13:42:57| comm_select: timeout 405
2010/09/14 13:42:58| comm_select: time out
2010/09/14 13:42:58| comm_select: timeout 1000
2010/09/14 13:42:58| comm_select: time out
2010/09/14 13:42:58| comm_select: timeout 409
2010/09/14 13:42:59| comm_select: time out
2010/09/14 13:42:59| comm_select: timeout 1000
2010/09/14 13:42:59| comm_select: time out
2010/09/14 13:42:59| comm_select: timeout 413
2010/09/14 13:43:00| comm_select: time out
2010/09/14 13:43:00| comm_select: timeout 585
2010/09/14 13:43:00| comm_select: time out
2010/09/14 13:43:00| comm_select: timeout 1
2010/09/14 13:43:00| comm_select: time out
2010/09/14 13:43:00| comm_select: timeout 412
2010/09/14 13:43:01| comm_select: time out
2010/09/14 13:43:01| comm_select: timeout 548
2010/09/14 13:43:01| comm_select: time out
2010/09/14 13:43:01| comm_select: timeout 452

>
>
> * Sometimes it's also due to the wrong libcap version being used, Squid
>requires libcap2.09 or later to set the socket spoofing privileges. The
>latest libcap2.x you can get your hands on anyway would be good.

Libcap looks good:
ii libcap1 1:1.10-14 support for getting/setting POSIX.1e capabilities
ii libcap2 2.11-2 support for getting/setting POSIX.1e capabilities
>
>
> * I don't think so but there is a chance that any other NAT rules or
>mangle tables rules might be doing things? either before TPROXY matches,
>or
>to the return packets setting up the connection?
I literally don't have any iptables rules on the proxy server except the
ones in the tutorial on the squid wiki. The proxy server hangs directly
off of the Cisco 2811 router. The router sits behind a SonicWall connected
to our ISP with a firewall and NAT rules in place, but that shouldn't
matter, should it?

Not sure if this means anything, but I'm not able to use the proxy when I
specify it in my browser's preferences anymore. It used to work fine
before I followed the squid tutorial, but now I get an Access Denied page
from squid.
>
>
>Amos

Thanks for the help thus far. I'm gonna keep looking into it. Do you have
any other ideas?

-Chris
___________________________
Chris Abel
Systems and Network Administrator
Wildwood Programs
2995 Curry Road Extension
Schenectady, NY 12303
518-836-2341
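An added example (not code from this thread, from Squid or from the poster) for checking the rp_filter state that Amos suspected and that the commands above turn off: a POSIX sh script that reads the same /proc/sys/net/ipv4/conf/<iface>/rp_filter files and reports the effective value per interface. The function names and the directory parameter are my own; the one kernel fact it relies on is that source validation on an interface uses the larger of conf/all/rp_filter and conf/<iface>/rp_filter, so an interface showing 0 can still be filtered through "all".

```shell
#!/bin/sh
# Added example, not from the squid-users thread: report the reverse-path
# filter (rp_filter) state per interface. rp_filter is an anti-spoofing
# control that drops packets whose source would not be routed back out the
# interface they arrived on; WCCP-redirected traffic is routed asymmetrically
# by design, which is why it can be silently discarded.
#
# The kernel uses max(conf/all/rp_filter, conf/<iface>/rp_filter) when it
# validates a source on <iface>. The first argument (hypothetical parameter,
# defaults to the real sysctl tree) lets the script run against a constructed
# directory for offline testing.

# Print "<iface> <configured> <effective>" for each interface under $1.
rp_filter_report() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    all=0
    if [ -r "$root/all/rp_filter" ]; then
        all=$(cat "$root/all/rp_filter")
    fi
    for f in "$root"/*/rp_filter; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        # "all" is the global override and "default" only seeds new
        # interfaces; neither is an interface in its own right.
        case "$iface" in all|default) continue;; esac
        val=$(cat "$f")
        eff=$val
        if [ "$all" -gt "$eff" ]; then
            eff=$all
        fi
        printf '%s %s %s\n' "$iface" "$val" "$eff"
    done
}

# Echo the number of interfaces whose effective rp_filter is non-zero, i.e.
# interfaces on which asymmetrically routed packets may still be dropped
# as spoofed even though the per-interface file reads 0.
rp_filter_effective_count() {
    rp_filter_report "$1" | awk '$3 != 0 { n++ } END { print n + 0 }'
}

# Interactive use: ./rp_filter_check.sh --run
if [ "${1:-}" = "--run" ]; then
    rp_filter_report
    echo "interfaces still filtering: $(rp_filter_effective_count)"
fi
```

The useful reading is the third column: if it is non-zero on the interface that receives the redirected traffic, the per-interface echo in the post had no effect because conf/all still wins. Turning the filter off only where the redirect arrives, rather than under all and default as well, keeps the anti-spoofing check on the interfaces that do not need asymmetric routing.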
Received on Tue Sep 14 2010 - 18:05:27 MDT
