If you can't get around the MTU/DF problem, you can always force the DF
bit off in a particular direction using route maps (we have
ieclient->privaterouter->greovermpls->privaterouter->squidwccp->thirdpartyrouter->mpls->ourfirewall->internet):

access-list 100 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
! don't touch internal traffic
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
! mark internet-bound traffic only for WCCP
access-list 100 deny ip any any
access-list 102 deny tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
! don't touch internal traffic
access-list 102 permit tcp any 10.0.0.0 0.255.255.255
! but do match traffic returning from the internet
access-list 102 deny tcp any any
ip wccp version 1
ip wccp web-cache redirect-list 100
route-map clear-df permit 10
 match ip address 102
 set ip df 0
interface Ethernet0/0
 ip address 10.64.0.254 255.255.0.0
 no ip redirects
 ip wccp web-cache redirect out
 ip route-cache same-interface
 ip policy route-map clear-df
 ipx network 64 encapsulation SAP

Where our squid boxes are on the E0/0 network and so is the next hop to
the internet - here, the DF is switched off on returning traffic before
it is pushed into GRE tunnels back to clients.
-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: 10 December 2004 13:38
To: sk
Cc: Squid Users
Subject: Re: [squid-users] wccp and MTU
You can try the patch in Bug #1154
Regards
Henrik
On Fri, 10 Dec 2004, sk wrote:
> Thanks for the reply.
>
> Could you throw some more light on how to set the path mtu.
>
> TIA
> Sk
>
> ----- Original Message -----
> From: "Henrik Nordstrom" <hno@squid-cache.org>
> To: "sk" <suresh.kumar@online.com.kh>
> Cc: <squid-users@squid-cache.org>
> Sent: Friday, December 10, 2004 8:04 PM
> Subject: Re: [squid-users] wccp and MTU
>
>
>> On Fri, 10 Dec 2004, sk wrote:
>>
>>> Could somebody tell how to set mtu for wccp redirection
>>>
>>> a lot of clients using pppoe have problem with wccp redirection. They can
>>> work if they point their browsers directly to the squid.
>>
>> I guess these PPPoE users using a smaller MTU than the default? Such
>> situation is a common source of problems with most WCCP routers as they do
>> not track connections and fails to send the ICMP "must fragment" messages
>> to the Squid server.
>>
>> The MTU is set by the MTU of the interface or route on the Squid server.
>>
>> Another viable option is to disable Path-MTU discovery towards the
>> clients.
>>
>> Regards
>> Henrik
>>
>
________________________________________________________________________
This e-mail has been scanned for all viruses by Star. The
service is powered by MessageLabs. For more information on a proactive
anti-virus service working around the clock, around the globe, visit:
http://www.star.net.uk
________________________________________________________________________
Received on Mon Dec 13 2004 - 03:44:39 MST
This archive was generated by hypermail pre-2.1.9 : Sat Jan 01 2005 - 12:00:02 MST
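
Added example, not part of the original thread or of Squid/Cisco code: a small Python model of what the `clear-df` route-map above does to a returning packet, and why that lets an oversized reply survive GRE encapsulation. The 24-byte GRE overhead, the sample addresses and all function names are assumptions made for illustration.

```python
import struct

GRE_OVERHEAD = 24  # assumption: 20-byte outer IPv4 header + 4-byte basic GRE header
DF = 0x4000        # "don't fragment" bit in the IPv4 flags/fragment-offset field

def checksum(header: bytes) -> int:
    """RFC 1071 ones' complement checksum over an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(total_len: int, df: bool, src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header (protocol TCP), used only as sample input."""
    def addr(a: str) -> bytes:
        return bytes(map(int, a.split(".")))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1,
                      DF if df else 0, 64, 6, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def clear_df(header: bytes) -> bytes:
    """Model of 'set ip df 0': clear the DF bit, then recompute the checksum."""
    flags = struct.unpack("!H", header[6:8])[0] & ~DF
    hdr = header[:6] + struct.pack("!H", flags) + header[8:10] + b"\x00\x00" + header[12:]
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def fate_in_tunnel(header: bytes, tunnel_path_mtu: int) -> str:
    """Simplified outcome when the packet is GRE-encapsulated toward the client."""
    total_len, _ident, flags = struct.unpack("!HHH", header[2:8])
    if total_len + GRE_OVERHEAD <= tunnel_path_mtu:
        return "forwarded"
    if flags & DF:
        # The sender must receive ICMP "fragmentation needed"; if that message
        # never reaches it, the connection stalls.
        return "dropped, needs ICMP fragmentation-needed"
    return "fragmented"

if __name__ == "__main__":
    # Constructed sample: a full-size reply from the internet to a 10.x client.
    reply = build_header(1500, True, "192.0.2.10", "10.64.1.20")
    print("DF set:    ", fate_in_tunnel(reply, 1500))
    print("DF cleared:", fate_in_tunnel(clear_df(reply), 1500))
```

Clearing DF trades the stall for fragmentation inside the tunnel, which costs reassembly work at the far end, so it is best limited to the matched direction as access-list 102 does.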