On 11/7/2012 4:24 PM, Amos Jeffries wrote:
>> 1) The Cisco router sees the web cache as reported by "sh ip wccp"
>> (see attached sh_ip_wccp.txt).
>> 2) tcpdump -i tun0 reports packets arriving from the Cisco router.
>> 3) tcpdump -i eth2 reports packets leaving the cache server bound for
>> the destination web server
>> 4) The destination web server shows no hits in the access_log file
>> 5) tcpdump on the web server shows packets arriving from the client
>> IP address on port 80.
>> 6) tcpdump on the web server shows packets leaving bound for the
>> client IP
>
> ... and yet #4 ?
>
> What *type* of packets? ICMP packet-too-large messages have a way of
> disappearing silently on some networks, and in some versions of TPROXY
> kernels.
On the web server that should be receiving the hit, tcpdump reports:
16:31:21.283309 IP 64.254.49.2.33315 > 64.254.32.23.http: Flags [S], seq 4294319084, win 14600, options [mss 1460,sackOK,TS val 11023544 ecr 0,nop,wscale 7], length 0
16:31:21.283415 IP 64.254.32.23.http > 64.254.49.2.33315: Flags [S.], seq 2198086634, ack 4294319085, win 14480, options [mss 1460,sackOK,TS val 2023464600 ecr 11023544,nop,wscale 7], length 0
16:31:22.282510 IP 64.254.32.23.http > 64.254.49.2.33315: Flags [S.], seq 2198086634, ack 4294319085, win 14480, options [mss 1460,sackOK,TS val 2023465600 ecr 11023544,nop,wscale 7], length 0
(this repeats several times, in what I would presume are browser retries)
>
>> 7) The client browser times out, receiving an HTML error from Squid
>> reporting "Connection to <server ip> failed."
>> 8) When the timeout occurs, the squid access log reports
>> "TCP_MISS/504 4123 GET http://myip.valnet.net/ - DIRECT/64.254.32.23
>> text/html"
>
> Just once or many times? the most common issue with TPROXY is forwarding
> loops.
Just once.
>
> The other thing to look for is whether there is packet-level symmetry in
> the network. Catching every single server->client packet at the WCCP
> router and sending to Squid is critical.
I'm new to WCCP, so I'll need to figure out how to make that
determination. Any advice on doing so would be appreciated.
>
>>
>> I've attached numerous files containing statuses of various things
>> that need to be set, such as rp_filter sysctl values, output of "show
>> ip wccp", the squid.conf file, the cisco configuration, and the
>> contents of iptables.
>
> Please update to squid-3.2 series if possible. There are some major
> security vulnerabilities in transparent and intercepted traffic for
> older versions. The latest releases will also help catch forwarding
> loops better on intercepted traffic.
>
> Amos
>
I'll try 3.2 as well.
Thanks for taking the time to reply.
-- 
-----------------------------------------------
- Nick Bright                                 -
- Vice President of Technology                -
- Valnet -=- We Connect You -=-               -
- Tel 888-332-1616 x 315 / Fax 620-331-0789   -
- Web http://www.valnet.net/                  -
-----------------------------------------------
- Are your files safe?                        -
- Valnet Vault - Secure Cloud Backup          -
- More information & 30 day free trial at     -
- http://www.valnet.net/services/valnet-vault -
-----------------------------------------------
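The capture quoted above shows the shape of a broken return path: the origin answers the SYN with a SYN-ACK and then keeps retransmitting it, because the ACK that should complete the handshake never arrives. That is the "packet-level symmetry" question in the reply. A practical way to make the determination without reading captures by hand is to feed tcpdump text output through a small script that flags flows whose SYN-ACK was retransmitted and never ACKed. The following is an added example, not code from the thread or from the Squid project; the first three sample lines are modelled on the capture in the post, the remaining lines are a constructed healthy handshake for contrast, and the 10.0.0.5 client address is invented.

```python
"""Flag one-sided TCP handshakes in tcpdump text output (added example).

A flow where the server's SYN-ACK is retransmitted but no ACK ever comes
back from the client side is the signature of an asymmetric intercept:
client->server packets reach the origin, server->client packets are not
being delivered back through the cache.
"""
import re
from collections import defaultdict

# Default tcpdump IPv4 line format: "<ts> IP <src> > <dst>: Flags [<f>], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Sample capture (constructed). Lines 1-3 follow the capture in the post; the
# 10.0.0.5 flow is an invented, healthy three-way handshake plus a request.
SAMPLE = """\
16:31:21.283309 IP 64.254.49.2.33315 > 64.254.32.23.http: Flags [S], seq 4294319084, win 14600, options [mss 1460,sackOK,TS val 11023544 ecr 0,nop,wscale 7], length 0
16:31:21.283415 IP 64.254.32.23.http > 64.254.49.2.33315: Flags [S.], seq 2198086634, ack 4294319085, win 14480, options [mss 1460,sackOK,TS val 2023464600 ecr 11023544,nop,wscale 7], length 0
16:31:22.282510 IP 64.254.32.23.http > 64.254.49.2.33315: Flags [S.], seq 2198086634, ack 4294319085, win 14480, options [mss 1460,sackOK,TS val 2023465600 ecr 11023544,nop,wscale 7], length 0
16:31:24.282510 IP 64.254.32.23.http > 64.254.49.2.33315: Flags [S.], seq 2198086634, ack 4294319085, win 14480, options [mss 1460,sackOK,TS val 2023466600 ecr 11023544,nop,wscale 7], length 0
16:31:30.100000 IP 10.0.0.5.40001 > 64.254.32.23.http: Flags [S], seq 1, win 14600, options [mss 1460], length 0
16:31:30.100100 IP 64.254.32.23.http > 10.0.0.5.40001: Flags [S.], seq 2, ack 2, win 14480, options [mss 1460], length 0
16:31:30.100200 IP 10.0.0.5.40001 > 64.254.32.23.http: Flags [.], ack 3, win 115, length 0
16:31:30.100300 IP 10.0.0.5.40001 > 64.254.32.23.http: Flags [P.], seq 1:80, ack 3, win 115, length 79
"""


def split_endpoint(endpoint):
    """'64.254.49.2.33315' -> ('64.254.49.2', '33315'); port may be a name like 'http'."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_line(line):
    """Return (ts, (src, sport), (dst, dport), flags) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m.group("ts"), split_endpoint(m.group("src")),
            split_endpoint(m.group("dst")), m.group("flags"))


def analyse_handshakes(lines):
    """Count SYN, SYN-ACK and client ACK segments per flow.

    Flow key is (client, cport, server, sport); the client is whoever sent the SYN.
    """
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, src, dst, flags = rec
        if flags == "S":                            # client -> server SYN
            flows[src + dst]["syn"] += 1
        elif flags == "S.":                         # server -> client SYN-ACK
            flows[dst + src]["synack"] += 1
        elif "S" not in flags and "." in flags:     # ACK-bearing segment
            if src + dst in flows:                  # only count the client's side
                flows[src + dst]["ack"] += 1
    return dict(flows)


def asymmetric_flows(lines):
    """Flows whose SYN-ACK was retransmitted and never acknowledged."""
    return [flow for flow, st in analyse_handshakes(lines).items()
            if st["synack"] > 1 and st["ack"] == 0]


def report(lines):
    """Human-readable summary, one line per suspicious flow."""
    out = []
    for client, cport, server, sport in asymmetric_flows(lines):
        st = analyse_handshakes(lines)[(client, cport, server, sport)]
        out.append(f"{client}:{cport} -> {server}:{sport}: SYN-ACK sent "
                   f"{st['synack']} times, no ACK seen (return path not reaching client)")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE.splitlines()):
        print(line)
```

Run the same script over captures taken at two points: on the origin (or the cache's outbound interface) and on the interface the WCCP router returns traffic through to Squid. If the origin's SYN-ACKs appear in the first capture but never in the second, the router is not redirecting server->client packets to the cache, which is exactly the asymmetry the reply asks about. A narrower live filter for the second capture is `tcpdump -ni <iface> 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'`, which shows only SYN-ACKs.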
This archive was generated by hypermail 2.2.0 : Thu Nov 08 2012 - 12:00:03 MST