Re: [squid-users] WCCP, Cisco ASA and asymmetric path

From: Amos Jeffries <>
Date: Tue, 10 Jul 2012 10:12:46 +1200

On 10.07.2012 00:44, Abdessamad BARAKAT wrote:
> In fact on the wiki
> (,
> there is this :
> Very important passage from the Cisco-Manual
> "The only topology that the security appliance supports is when
> client and cache engine are behind the same interface of the security
> appliance and the cache engine can directly communicate with the
> client without going through the security appliance."

Then you have very clear documentation from the appliance manufacturer
that they do not support your desired configuration.

> And I can see the reply was dropped by the ASA because I think when
> the ASA makes the WCCP redirect, it doesn't record a new connection, so
> when it sees the reply from the proxy to the client, the SYN was
> dropped:
> Jul 9 14:11:26 %ASA-6-106015: Deny TCP (no
> connection)
> from <Website IP> to <proxy IP> flags SYN ACK on interface <PROXY
> LAN>
> So does anyone know a workaround for this issue, for having the client
> and the proxy not behind the same interface of the ASA firewall?

It does not matter to Squid or even to routing logic, but apparently
the device itself has undefined behaviour when it's done. As I understand
it, it may be due to the way the device handles reverse-path (RP) filtering
or it may be hard-wired.

All I can say now is "good luck" figuring out which and whether you can
change the device. It has nothing to do with Squid.
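As an added illustration (not part of this thread or of Squid), the symptom quoted above can be spotted in ASA syslog: 106015 "no connection" drops of SYN ACK segments on the proxy-facing interface are the handshake replies for flows the ASA never tracked because WCCP redirected the SYN around it. The log lines, addresses and the interface name "proxy-lan" are constructed for the example.

```python
import re

# Cisco ASA message 106015: a TCP segment arrived for which the firewall holds
# no connection entry and was dropped. The thread's case is a SYN ACK reply
# for a flow whose SYN the ASA never tracked because WCCP redirected it.
ASA_106015 = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) "
    r"from (?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"to (?P<dst>[\d.]+)(?:/(?P<dport>\d+))? "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

# Constructed sample syslog lines (not from the thread); addresses are RFC 5737
# documentation ranges and "proxy-lan" is an assumed interface name.
SAMPLE_LOG = """\
Jul 9 14:11:26 fw01 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/80 to 10.20.0.5/51234 flags SYN ACK on interface proxy-lan
Jul 9 14:11:27 fw01 %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.10.0.7/4321 (198.51.100.2/4321)
Jul 9 14:11:28 fw01 %ASA-6-106015: Deny TCP (no connection) from 10.10.0.7/4321 to 203.0.113.10/80 flags RST on interface inside
Jul 9 14:11:29 fw01 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.20/443 to 10.20.0.6/51235 flags SYN ACK on interface proxy-lan
"""

def parse_106015(line):
    """Return the fields of an ASA 106015 line, or None for any other message."""
    m = ASA_106015.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"].split()
    rec["iface"] = rec["iface"].rstrip(".")  # ASA may terminate the message with '.'
    return rec

def find_asymmetric_denies(log_text, proxy_ifaces):
    """Flag 'no connection' drops of SYN ACK segments seen on a proxy-facing
    interface: the handshake reply for a connection the ASA never recorded,
    which is the symptom reported in the thread. Other 106015 drops (e.g. a
    stray RST after a normal teardown) are ignored as routine noise."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_106015(line)
        if rec is None or rec["iface"] not in proxy_ifaces:
            continue
        if set(rec["flags"]) == {"SYN", "ACK"}:
            hits.append((rec["src"], rec["sport"], rec["dst"], rec["dport"]))
    return hits

if __name__ == "__main__":
    for src, sport, dst, dport in find_asymmetric_denies(SAMPLE_LOG, {"proxy-lan"}):
        print(f"untracked SYN ACK dropped: {src}:{sport} -> {dst}:{dport}")
```

A steady stream of such hits with client or proxy addresses on both sides of the firewall is the asymmetric-path topology the Cisco passage says the appliance does not support; the fix is topological, as Amos says, not a Squid setting.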

