WCCP and Squid

DRZ (Soldato, joined 2 Jun 2003, 7,647 posts)
I'm at the end of my tether with this; it should be relatively straightforward to set up, but it just doesn't want to work for me.

All of the configuration examples make it seem like child's play to get working, but it just doesn't seem to slot together!

Cisco ASA 5510 with Security Plus licence running 8.2(1)

Relevant stuff:

Code:
firewall transparent

access-list wccp_redirect extended deny ip host 10.33.0.17 any
access-list wccp_redirect extended permit tcp any any

wccp web-cache redirect-list wccp_redirect
wccp interface inside web-cache redirect in

Code:
wccpfw1(config)# sh wccp

Global WCCP information:
    Router information:
        Router Identifier:                   10.33.0.16
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            105
        Redirect access-list:                wccp_redirect
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            7
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

So it successfully registers with the Squid proxy...

Squid config is set up as:

Code:
http_port 3129 tproxy #also used intercept to no avail
wccp2_router 10.33.0.16
#All other options defaulted to use GRE

iptables on the Squid box:

Code:
root@squidtest:/# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:www redir ports 3129

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

iptables -t nat -L -v shows hits to the redirect rule as expected and in line with the packet counter from the ASA.

I can tcpdump the GRE tunnel interface and see the redirected packets but tailing /var/log/squid3/access.log shows absolutely nothing at all. If I point my browser straight at the Squid box it works absolutely fine.

I am running kernel version 2.6.35 (which should work), iptables 1.4.4 (again should work!) and Squid 3.1.6 with netfilter support compiled in!

Code:
root@squidtest:/# uname -r
2.6.35-22-generic
root@squidtest:/# iptables -V
iptables v1.4.4
root@squidtest:/# squid3 -v
Squid Cache: Version 3.1.6
configure options:  '--build=i686-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--srcdir=.' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm,' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-arp-acl' '--enable-esi' '--disable-translation' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 'build_alias=i686-linux-gnu' 'CFLAGS=-g -O2 -g -Wall -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS=' 'CXXFLAGS=-g -O2 -g -Wall -O2' --with-squid=/build/buildd/squid3-3.1.6

I have googled this into oblivion and I just can't see what is wrong!
Are you allowing connections from the router and network in squid?

If you point your pc browser to squid does it work?

I should have posted the ACLs but yes, anything from the subnet is allowed. As I said in my post above, if I point my browser straight at the proxy it all works fine and dandy.

I have had Wireshark on the case and I see SYNs and SYN-ACKs, but the whole TCP handshake never completes; highly odd.
 
If it's not getting from GRE to Squid, then that points at iptables; maybe match protocol gre instead of, or as well as, tcp in your redirect rule? Adding a LOG action somewhere would probably help too :).
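An added example, not from the thread or from Squid itself: the nat REDIRECT rule in the first post is the hook Squid documents for an http_port in intercept mode, whereas a port declared tproxy expects a mangle-table TPROXY rule plus an fwmark policy route and no NAT at all. The script below prints either rule set for comparison (the GRE device name wccp0, mark 0x1 and routing table 100 are assumptions; the port 3129 is the thread's).

```shell
#!/bin/sh
# Added example: iptables/ip-route rule sets for Squid's two interception
# modes, so the netfilter side can be matched to the http_port mode.
# Assumed values: GRE tunnel device wccp0, fwmark 0x1, routing table 100.
set -eu

SQUID_PORT=${SQUID_PORT:-3129}   # port from the thread's squid.conf
WCCP_IF=${WCCP_IF:-wccp0}        # assumption: WCCP GRE tunnel device
MARK=${MARK:-0x1}                # assumption: fwmark used for TPROXY
TABLE=${TABLE:-100}              # assumption: policy routing table

# intercept mode: NAT rewrite of the destination port, as in the thread
# (narrowed to the tunnel interface so only WCCP traffic is redirected).
intercept_rules() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
        "$WCCP_IF" "$SQUID_PORT"
}

# tproxy mode: no NAT; mangle TPROXY socket lookup plus a policy route
# that delivers fwmarked packets to the local stack.
tproxy_rules() {
    cat <<EOF
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $MARK
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -i $WCCP_IF -p tcp --dport 80 -j TPROXY --tproxy-mark $MARK/$MARK --on-port $SQUID_PORT
ip rule add fwmark $MARK lookup $TABLE
ip route add local 0.0.0.0/0 dev lo table $TABLE
EOF
}

# Select the rule set that matches the mode on the squid.conf http_port line.
rules_for_mode() {
    case "$1" in
        intercept) intercept_rules ;;
        tproxy)    tproxy_rules ;;
        *) echo "unknown http_port mode: $1" >&2; return 1 ;;
    esac
}

# Usage: sh wccp-squid-rules.sh tproxy        (print the rules)
#        sh wccp-squid-rules.sh tproxy apply  (run them, as root)
if [ "${1:-}" ]; then
    if [ "${2:-}" = apply ]; then rules_for_mode "$1" | sh -e; else rules_for_mode "$1"; fi
fi
```

Both sets can be verified afterwards with iptables -t mangle -L -v -n or iptables -t nat -L -v -n, whose counters should track the ASA's "Total Packets Redirected" figure.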