Hi Henrik,
I caught this thread as I was fighting the same issue, and this dialogue got me
much farther, but not quite there, so I have a question if you do not mind.
I have a Cisco 1841 doing WCCPv2 with an ACL that, for now, traps only my wifi
laptop's web traffic on the DSL egress BVI1 interface. Squid is a Gentoo Linux
box on a 10.0.0.20/24 address, off FastEthernet0/0.1. My wifi station is
10.0.2.10/24 off FastEthernet0/0.5.
Squid is listening on port 3128 in transparent mode, with an iptables REDIRECT from 80 to 3128.
The wccp0 GRE tunnel is up and shows traffic received from the router.
Squid works great when I have Firefox manually using 10.0.0.20 port 80 as a
proxy, so my iptables redirect is doing its job, and Squid is happy as a
proxy.
When I run IE7 on the same laptop with no proxy, I see my router catch it and
send the request to my proxy. The eth0/wccp0 port has it come in (tshark -i
wccp0 shows the web request; tshark -i eth0 -R "ip proto gre" shows the GRE
traffic of the same).
But Squid in debug mode shows no hit to the proxy server process.
I suspect that the WCCPv2 is working, but the traffic is not making it to Squid
from the end of the GRE tunnel.
Debug from router:
WCCP-PKT:S00: Received valid Here_I_Am packet from 10.0.0.20 w/rcv_id 00000B48
WCCP-PKT:S00: Sending I_See_You packet to 10.0.0.20 w/ rcv_id 00000B49
WCCP-PKT:S00: Received valid Here_I_Am packet from 10.0.0.20 w/rcv_id 00000B49
WCCP-PKT:S00: Sending I_See_You packet to 10.0.0.20 w/ rcv_id 00000B4A
Debug ip packet (permit gre any any)
IP: s=222.222.222.222 (FastEthernet0/0.5), d=10.0.0.20 (FastEthernet0/0.1),
IP: g=10.0.0.20, len 80, forward, proto=47
IP: s=222.222.222.222 (FastEthernet0/0.5), d=10.0.0.20 (FastEthernet0/0.1),
IP: g=10.0.0.20, len 80, forward, proto=47
My router has a loopback of 222.222.222.222 so I would know it easily in tunnel
config. The real outside IP it was using was 209.162.205.230 on BVI1 and that
is where the "ip wccp web-cache redirect out" command lives.
A sniff on my proxy server, as I have IE7 do a google search:
goonie ~ # tshark -R gre
Capturing on eth0
8.212647 mater.nickellson.com -> po-in-f147.google.com TCP 2087 > http [SYN] Seq=0 Len=0 MSS=1260 WS=0
11.218921 mater.nickellson.com -> po-in-f147.google.com TCP 2087 > http [SYN] Seq=0 Len=0 MSS=1260 WS=0
17.255232 mater.nickellson.com -> po-in-f147.google.com TCP 2087 > http [SYN] Seq=0 Len=0 MSS=1260 WS=0
This is how I am surmising WCCPv2 is OK, as I get the GRE redirect.
Squid cache.log under debug:
2007/05/19 15:31:37| wccp2HereIam: sending to service id 0
2007/05/19 15:31:37| Sending HereIam packet size 144
2007/05/19 15:31:37| Incoming WCCPv2 I_SEE_YOU length 132.
2007/05/19 15:31:37| Complete packet received
2007/05/19 15:31:37| Incoming WCCP2_I_SEE_YOU Received ID old=3039 new=3040.
2007/05/19 15:31:37| Cleaning out cache list
2007/05/19 15:31:37| checking cache list: (1400000a:1400000a)
2007/05/19 15:31:37| Change not detected (5 = 5)
I think I have followed the bunny trail pretty far here and I would love some
advice on how to debug this further. How can I see, between the redirect packet
landing on eth0 from the wccp0 tunnel and iptables, why it never gets to Squid?
iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere 10.0.2.0/24
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128
ACCEPT 0 -- anywhere 10.0.0.0/24
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128
ip addr show wccp0
4: wccp0@eth0: <POINTOPOINT,NOARP,UP,10000> mtu 1476 qdisc noqueue
link/gre 10.0.0.20 peer 222.222.222.222
inet 10.0.0.20/32 scope global wccp0
Nick
-- Nick Ellson Dad CCDA, CCNP, CCSP, CCAI, MCSE 2000, Security+, Network+ Network Hobbyist, VFR Private Pilot.
Received on Sat May 19 2007 - 16:39:04 MDT
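One way to answer the "where do the packets go between wccp0 and Squid" question is to snapshot the nat PREROUTING packet counters around a single test request and diff them. The script below is an added example, not from this thread or from Squid; the two listings are constructed to look like `iptables -t nat -L PREROUTING -v -n -x` output with made-up numbers.

```python
import re

# Constructed snapshot of `iptables -t nat -L PREROUTING -v -n -x`
# (-x prints exact counters); the numbers are made up for this example.
BEFORE = """\
Chain PREROUTING (policy ACCEPT 40 packets, 2400 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3      180 ACCEPT     all  --  *      *       0.0.0.0/0            10.0.2.0/24
      17     1020 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            10.0.0.0/24
"""
# Same chain after one test request: three packets entered the chain but fell
# through to the chain policy, i.e. no rule (REDIRECT included) matched them.
AFTER = BEFORE.replace("policy ACCEPT 40 packets", "policy ACCEPT 43 packets")

POLICY_RE = re.compile(r"\(policy \w+ (\d+) packets")
# columns: pkts bytes target prot opt in out source destination [options]
RULE_RE = re.compile(r"^\s*(\d+)\s+\d+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+\S+"
                     r"\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_chain(text):
    """Return (policy_pkts, [rule dicts]) from one -v -n -x chain listing."""
    policy = int(POLICY_RE.search(text).group(1))
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            pkts, target, prot, iface, src, dst, extra = m.groups()
            rules.append(dict(pkts=int(pkts), target=target, prot=prot,
                              iface=iface, src=src, dst=dst, extra=extra))
    return policy, rules

def counter_delta(before, after):
    """Per-rule and chain-policy packet increments between two snapshots."""
    pol_b, rules_b = parse_chain(before)
    pol_a, rules_a = parse_chain(after)
    per_rule = [(a["target"], a["extra"], a["pkts"] - b["pkts"])
                for a, b in zip(rules_a, rules_b)]
    return pol_a - pol_b, per_rule

def diagnose(before, after, squid_port="3128"):
    """Say where the test packets went relative to the REDIRECT rule."""
    policy_hits, per_rule = counter_delta(before, after)
    redirect_hits = sum(n for t, extra, n in per_rule
                        if t == "REDIRECT" and "ports " + squid_port in extra)
    if redirect_hits:
        return "redirected"               # iptables did its part; look at Squid
    if policy_hits:
        return "reached-chain-unmatched"  # arrived, but not as the tcp/80 the rule expects
    return "never-reached-chain"          # lost before nat PREROUTING (decapsulation, rp_filter, raw/mangle)
```

Take the first snapshot, make exactly one request from the wifi laptop, take the second, and feed both to `diagnose()`; a result other than "redirected" tells you which side of the nat table to keep sniffing on.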
This archive was generated by hypermail pre-2.1.9 : Fri Jun 01 2007 - 12:00:05 MDT