Re: [squid-users] WCCP, Cisco ASA and assymetric path

From: Abdessamad BARAKAT <abdsamad13_at_gmail.com>
Date: Thu, 12 Jul 2012 09:38:08 +0200

Thank you Amos

I will try a topology where the return path doesn't use the ASA

2012/7/10 Amos Jeffries <squid3_at_treenet.co.nz>:
> On 10.07.2012 00:44, Abdessamad BARAKAT wrote:
>>
>> In fact on the wiki
>> (http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2),
>> there is this :
>>
>> Very important passage from the Cisco-Manual
>> "The only topology that the security appliance supports is when
>> client and cache engine are behind the same interface of the security
>> appliance and the cache engine can directly communicate with the
>> client without going through the security appliance."
>>
>
> Then you have very clear documentation from the appliance manufacturer that
> they do not support your desired configuration.
>
>
>> And I can see the reply was dropped by the ASA because I think when
>> the ASA makes the WCCP redirect, it doesn't record a new connection, so
>> when it sees the reply from the proxy to the client, the SYN was
>> dropped:
>>
>> Jul 9 14:11:26 192.168.35.250 %ASA-6-106015: Deny TCP (no connection)
>> from <Website IP> to <proxy IP> flags SYN ACK on interface <PROXY
>> LAN>
>>
>> So does anyone know a workaround for this issue, to have the client and
>> the proxy not behind the same interface of the ASA firewall?
>>
>
> It does not matter to Squid or even to routing logic, but apparently the
> device itself has undefined behaviour when it's done. As I understand it may
> be due to the way the device handles reverse-path (RP) filtering or it may
> be hard-wired.
>
> All I can say now is "good luck" figuring out which and whether you can
> change the device. It has nothing to do with Squid.
>
> Amos
>
Received on Thu Jul 12 2012 - 07:38:16 MDT
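Added here as an illustration, not part of the thread: the %ASA-6-106015 line Abdessamad quotes is the useful fingerprint of this failure, because a SYN ACK the ASA has no connection entry for means the matching SYN never crossed the firewall. The Python below (my own code, not Squid's or Cisco's) parses that message format, with the ports made optional since sanitised copies like the one in the thread omit them, and counts orphan SYN ACK denies per interface so an operator can spot a return path the ASA never saw. The log lines, addresses and interface names are constructed samples.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample syslog lines in the %ASA-6-106015 format quoted in the
# thread. Addresses and interface names are placeholders, not from the message.
SAMPLE_LOG = """\
Jul  9 14:11:26 192.168.35.250 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/80 to 192.168.35.20/51234 flags SYN ACK  on interface proxy_lan
Jul  9 14:11:27 192.168.35.250 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.5/443 to 192.168.35.21/40000 flags RST  on interface outside
Jul  9 14:11:28 192.168.35.250 %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.5/443 (198.51.100.5/443) to inside:192.168.35.21/40001 (192.168.35.21/40001)
Jul  9 14:11:29 192.168.35.250 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.11/80 to 192.168.35.20/51235 flags SYN ACK  on interface proxy_lan
"""

# Message 106015: "Deny TCP (no connection) from IP/port to IP/port flags ...
# on interface NAME". The port groups are optional so redacted lines still parse.
_DENY_RE = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) "
    r"from (?P<src>\S+?)(?:/(?P<sport>\d+))? "
    r"to (?P<dst>\S+?)(?:/(?P<dport>\d+))? "
    r"flags (?P<flags>.+?)\s+on interface (?P<iface>\S+)"
)


@dataclass
class DenyEvent:
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    flags: List[str]
    iface: str


def parse_106015(line: str) -> Optional[DenyEvent]:
    """Return a DenyEvent for a 106015 line, or None for any other message."""
    m = _DENY_RE.search(line)
    if not m:
        return None
    return DenyEvent(
        src=m["src"],
        sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"],
        dport=int(m["dport"]) if m["dport"] else None,
        flags=m["flags"].split(),
        iface=m["iface"],
    )


def is_orphan_syn_ack(ev: DenyEvent) -> bool:
    """A SYN ACK with no state on the ASA means the SYN took a path the
    firewall did not see: the asymmetric-return signature from the thread."""
    return "SYN" in ev.flags and "ACK" in ev.flags


def orphan_syn_ack_by_interface(lines: Iterable[str]) -> Dict[str, int]:
    """Count orphan SYN ACK denies per ingress interface."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_106015(line)
        if ev is not None and is_orphan_syn_ack(ev):
            counts[ev.iface] += 1
    return dict(counts)


def suspect_asymmetric_interfaces(lines: Iterable[str], threshold: int = 2) -> List[str]:
    """Interfaces whose orphan SYN ACK count reaches the threshold; a steady
    stream on one interface points at a return path bypassing the ASA."""
    counts = orphan_syn_ack_by_interface(lines)
    return sorted(iface for iface, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for iface, n in orphan_syn_ack_by_interface(lines).items():
        print(f"{iface}: {n} orphan SYN ACK denies")
    print("suspect interfaces:", suspect_asymmetric_interfaces(lines))
```

Run against a real syslog export, the interface with the orphan SYN ACK burst is the one whose clients' SYNs are being redirected by WCCP while the replies come back through the ASA, which is exactly the topology the Cisco manual passage on the wiki says is unsupported.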

This archive was generated by hypermail 2.2.0 : Thu Jul 12 2012 - 12:00:02 MDT