Re: [squid-users] WCCP, Cisco ASA and asymmetric path

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 10 Jul 2012 10:12:46 +1200

On 10.07.2012 00:44, Abdessamad BARAKAT wrote:
> In fact on the wiki
> (http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2),
> there is this :
>
> Very important passage from the Cisco-Manual
> "The only topology that the security appliance supports is when
> client and cache engine are behind the same interface of the security
> appliance and the cache engine can directly communicate with the
> client without going through the security appliance."
>

Then you have very clear documentation from the appliance manufacturer
that they do not support your desired configuration.

> And I can see the reply was dropped by the ASA because I think when
> the ASA makes the WCCP redirect, it doesn't record a new connection, so
> when it sees the reply from the proxy to the client, the SYN was
> dropped:
>
> Jul 9 14:11:26 192.168.35.250 %ASA-6-106015: Deny TCP (no connection)
> from <Website IP> to <proxy IP> flags SYN ACK on interface <PROXY LAN>
>
> So does anyone know a workaround for this issue, for when the client and
> the proxy aren't behind the same interface of the ASA firewall?
>

It does not matter to Squid or even to routing logic, but apparently
the device itself has undefined behaviour when it's done. As I understand
it, it may be due to the way the device handles reverse-path (RP) filtering
or it may be hard-wired.

All I can say now is "good luck" figuring out which and whether you can
change the device. It has nothing to do with Squid.

Amos
Received on Mon Jul 09 2012 - 22:12:52 MDT
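The ASA message quoted in the thread (%ASA-6-106015, "Deny TCP (no connection)" with SYN ACK flags) is the observable symptom of the unsupported topology: the server's reply reaches the firewall on a path where it never saw the proxy's outbound SYN, so it has no connection state and drops it. The following script is an added example, not code from the thread or from Squid, that scans ASA syslog output for exactly that pattern so the condition can be spotted from logs instead of by packet capture. The log lines, the proxy address 192.168.35.20, the interface name PROXY_LAN and the RFC 5737 server addresses are all constructed for the example; the 106015 field layout follows the standard ASA format (source/port, destination/port, flags, interface).

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines (not from the thread). Lines 1-2 mimic the
# symptom described in the thread: a web server's SYN ACK toward the proxy is
# denied as "no connection". Line 3 is an unrelated denial, line 4 is a
# normal connection build-up message that must be ignored.
SAMPLE_LOG = """\
Jul  9 14:11:26 192.168.35.250 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/80 to 192.168.35.20/41022 flags SYN ACK  on interface PROXY_LAN
Jul  9 14:11:27 192.168.35.250 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/443 to 192.168.35.20/41023 flags SYN ACK  on interface PROXY_LAN
Jul  9 14:11:28 192.168.35.250 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/22 to 192.168.35.99/55100 flags ACK  on interface INSIDE
Jul  9 14:11:29 192.168.35.250 %ASA-6-302013: Built outbound TCP connection 12345 for OUTSIDE:203.0.113.10/80 (203.0.113.10/80) to INSIDE:192.168.35.40/51000 (192.168.35.40/51000)
"""

# Field layout of the ASA 106015 message: "Deny TCP (no connection) from
# <src>/<sport> to <dst>/<dport> flags <flags> on interface <iface>".
DENY_RE = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>.+?) +on interface (?P<iface>\S+)"
)


@dataclass(frozen=True)
class Denial:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    interface: str


def parse_denials(text):
    """Return every 106015 'no connection' denial found in the syslog text."""
    denials = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        denials.append(Denial(
            src=m.group("src"),
            sport=int(m.group("sport")),
            dst=m.group("dst"),
            dport=int(m.group("dport")),
            flags=frozenset(m.group("flags").split()),
            interface=m.group("iface"),
        ))
    return denials


def find_asymmetric_path_events(text, proxy_ips):
    """Select denials that match the WCCP asymmetric-path symptom.

    A SYN ACK arriving *toward* the proxy with no connection state means the
    firewall never saw the proxy's outbound SYN, i.e. the proxy's traffic to
    the server and the server's reply took different paths through the ASA.
    """
    return [
        d for d in parse_denials(text)
        if d.flags == frozenset({"SYN", "ACK"}) and d.dst in proxy_ips
    ]


def summarize(events):
    """Count symptom hits per (server, proxy, interface) for reporting."""
    counts = {}
    for e in events:
        key = (e.src, e.dst, e.interface)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_asymmetric_path_events(SAMPLE_LOG, {"192.168.35.20"})
    for (server, proxy, iface), n in summarize(hits).items():
        print(f"{n} dropped SYN ACK from {server} to proxy {proxy} on {iface}")
```

Run against a real syslog export, `find_asymmetric_path_events` should return nothing on a supported topology (client and cache engine behind the same interface); a steady stream of hits on the proxy-facing interface is the signature of the configuration the Cisco manual says is not supported.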
