Re: [squid-users] WCCP, Cisco ASA and assymetric path

From: Abdessamad BARAKAT <>
Date: Thu, 12 Jul 2012 09:38:08 +0200

Thanks you amos

I wil try a topology where the return path doesn't use the ASA

2012/7/10 Amos Jeffries <>:
> On 10.07.2012 00:44, Abdessamad BARAKAT wrote:
>> In fact on the wiki
>> (,
>> there is this :
>> Very important passage from the Cisco-Manual
>> "The only topology that the security appliance supports is when
>> client and cache engine are behind the same interface of the security
>> appliance and the cache engine can directly communicate with the
>> client without going through the security appliance."
> Then you have very clear documentation from the appliance manufacturer that
> they do not support your desired configuration.
>> And I can see the reply wad dropped by the ASA because I think when
>> the ASA make the wccp redirect, he doesn't record a new connection so
>> when He see the reply from the proxy to the client, the SYN was
>> dropped:
>> Jul 9 14:11:26 %ASA-6-106015: Deny TCP (no connection)
>> from <Website IP> to <proxy IP> flags SYN ACK on interface <PROXY
>> LAN>
>> So anyone know a workaround for this issue ? for have the client and
>> the proxy aren't behind the same interface of the firewall ASA
> It does not matter to Squid or even to routing logics, but apparently the
> device itself has undefined behaviour when its done. As I understand it may
> be due to the way the device handles reverse-path (RP) filtering or it may
> be hard-wired.
> All I can say now is "good Luck" figuring out which and whether you can
> change the device. It has nothing to do with Squid.
> Amos
Received on Thu Jul 12 2012 - 07:38:16 MDT

This archive was generated by hypermail 2.2.0 : Thu Jul 12 2012 - 12:00:02 MDT