[c-nsp] Cisco WCCP and Squid on Linux

Reuben Farrelly reuben-cisco-nsp at reub.net
Mon Jun 27 07:34:20 EDT 2005


Hi again Dave,

On 27/06/2005 3:42 p.m., Dave Weis wrote:
> On Mon, 27 Jun 2005, Reuben Farrelly wrote:
>> Hi Dave,
>> Dave Weis wrote, On 27/06/2005 2:32 p.m.:
>>> Does anyone have these working together? I've got a client that has 2x ADSL 
>>> WICs in a 2600 but we can't get WCCP to work. The GRE tunnel comes 
>>> up and chatters, but we get no requests over the tunnel. The relevant 
>>> parts in the router config are:
>>>
>>> ip wccp version 1
>>> ip wccp web-cache
>>>
>>> interface dialer0
>>>      ip wccp web-cache redirect out

Also try redirecting inbound on the Ethernet interface...see if that helps.

>> Looks basically OK. Yes, I have the same as you have, working just fine.
>> What version of code are you running? In my experience WCCP has 
>> gotten progressively more broken with the 12.3T series from 12.3(7)T 
>> onwards. The 12.3 mainline releases are OK, I think.
> 
> Version 12.3(13)

12.3(13) is deferred; go to 12.3(15) (although I don't think it will make any 
difference to WCCP).

>> Is your cache on the same interface as the client browsers are on?
> 
> Yes, it's a very simple network, 1 Cisco router, 1 Squid server, and 1 
> 3Com total control chassis.

Blame the 3Com ;-)   But seriously....

>> Are you using the WCCP kernel module or the ip_gre interface under Linux?
> 
> It looks like ip_gre

You need to explicitly set this up and assign an (any) IP address to it, e.g.

gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-12-44-00-10-00-00-00-00-00-00-00-00
          inet addr:172.16.1.6  Mask:255.255.255.252
          UP RUNNING NOARP  MTU:1476  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

tcpdump/tethereal can be your friend. If things like this aren't set up, then 
your kernel will complain about an unsupported protocol, etc.
Despite the counts showing zero above, you do need this interface.

>> Can you manually configure a browser to use the proxy?
> 
> Yes
> 
>> Can you surf from the proxy itself?
> 
> Yes

Looks like one of:

* IP forwarding is not turned on
* your interception transport (ip_wccp or ip_gre) is not set up or loaded
* your iptables rules are not right

iptables rules should look something like this (the negation is written in the 
current "! -d" form; older iptables releases also accepted "-d !"):

iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.0.0 ! -d 192.168.0.0/255.255.0.0 -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to 192.168.0.3:3128

i.e. a source of 192.168.0.0/255.255.0.0 that is NOT destined for hosts on the 
local network, coming in on gre0, protocol TCP, matching TCP destination port 80, 
then DNATed to 192.168.0.3 port 3128.

(You don't really want to redirect traffic to your cache which is destined for 
hosts on the locally attached LAN.)

>> Are you using NAT?
> 
> No. We have two sites that we are trying to make this work on, one has 
> just the setup above, the other has a web server also. When we first 
> tried to set it up we broke all inbound access, so we are starting with 
> the simple config.

As a previous poster put it, in this case you might want to create an access list 
to deny traffic from any hosts that you don't want to force through the 
proxy. However, this will not impact any inbound connections to your web 
server; it's only a filter of which internal hosts are redirected.

Moving from a simple but working config to something more complex is a very 
good idea.

Hopefully you're not far off having it work now.

reuben
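The following is an added example and not part of Reuben's post, nor code from Cisco, Squid or the Linux ip_gre/ip_wccp modules. It models what the cache box sees on gre0 when the router is doing WCCP redirection and then applies the same decision as the PREROUTING rule above: the router wraps the client's IP packet in an outer IP header (protocol 47, GRE) followed by a GRE header whose protocol type is 0x883E (WCCP); the cache strips that and the DNAT rule matches on source 192.168/16, destination outside 192.168/16, TCP port 80. It assumes WCCPv1 framing (a plain 4-byte GRE header with no optional fields and no WCCPv2 redirect header), and the router (192.168.0.1), client (192.168.1.10) and web server (203.0.113.5) addresses are constructed for the demo; only the cache address 192.168.0.3:3128 and the 192.168.0.0/16 network come from the posted rule. Running it against a frame carrying GRE protocol 0x0800 instead of 0x883E shows the "not WCCP" outcome, which is the kind of thing you would otherwise only learn from tcpdump on gre0.

```python
import ipaddress
import struct

WCCP_GRE_PROTO = 0x883E   # GRE protocol type for WCCP-redirected packets
IP_PROTO_GRE = 47
IP_PROTO_TCP = 6

LOCAL_NET = ipaddress.ip_network("192.168.0.0/16")   # from the posted iptables rule
CACHE = ("192.168.0.3", 3128)                         # DNAT target from the posted rule


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (IHL=5, checksum left zero; constructed test data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def tcp_header(sport, dport):
    """Minimal 20-byte TCP SYN header (no options, checksum left zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)


def wccp_encapsulate(router_ip, cache_ip, inner):
    """Wrap an IP packet the way a WCCPv1 router does: outer IP (proto 47) + GRE header with 0x883E."""
    gre = struct.pack("!HH", 0, WCCP_GRE_PROTO)          # flags/version = 0, protocol = WCCP
    return ipv4_header(router_ip, cache_ip, IP_PROTO_GRE, len(gre) + len(inner)) + gre + inner


def parse_ipv4(buf):
    """Return (src, dst, proto, header_len, total_len) from an IPv4 header."""
    vihl, _, total, _, _, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    return str(ipaddress.ip_address(s)), str(ipaddress.ip_address(d)), proto, ihl, total


def wccp_decapsulate(buf):
    """Strip outer IP + GRE and return the inner IP packet, or raise if this is not WCCP-over-GRE."""
    _, _, proto, ihl, total = parse_ipv4(buf)
    if proto != IP_PROTO_GRE:
        raise ValueError(f"outer protocol {proto}, expected GRE (47)")
    flags, gre_proto = struct.unpack("!HH", buf[ihl:ihl + 4])
    if flags & 0xB000:   # C, K or S bit set: optional GRE fields present, not what WCCPv1 sends
        raise ValueError("GRE optional fields present")
    if gre_proto != WCCP_GRE_PROTO:
        raise ValueError(f"GRE protocol 0x{gre_proto:04x}, expected 0x883e (WCCP)")
    return buf[ihl + 4:total]


def should_redirect(inner):
    """Mirror of the posted PREROUTING rule: src in 192.168/16, dst NOT in 192.168/16, TCP dport 80."""
    src, dst, proto, ihl, _ = parse_ipv4(inner)
    if proto != IP_PROTO_TCP:
        return None
    _, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    if (ipaddress.ip_address(src) in LOCAL_NET
            and ipaddress.ip_address(dst) not in LOCAL_NET
            and dport == 80):
        return CACHE
    return None


def handle_gre_frame(buf):
    """What the cache box effectively does on gre0: decapsulate, then take the DNAT decision.

    Returns ("redirect", (ip, port)), ("pass", None) or ("not-wccp", reason).
    """
    try:
        inner = wccp_decapsulate(buf)
    except ValueError as exc:
        return ("not-wccp", str(exc))
    target = should_redirect(inner)
    return ("redirect", target) if target else ("pass", None)


if __name__ == "__main__":
    # Constructed sample traffic (router, client and web server addresses are assumptions).
    client_to_web = ipv4_header("192.168.1.10", "203.0.113.5", IP_PROTO_TCP, 20) + tcp_header(40000, 80)
    client_to_lan = ipv4_header("192.168.1.10", "192.168.5.5", IP_PROTO_TCP, 20) + tcp_header(40001, 80)
    print("web  :", handle_gre_frame(wccp_encapsulate("192.168.0.1", "192.168.0.3", client_to_web)))
    print("lan  :", handle_gre_frame(wccp_encapsulate("192.168.0.1", "192.168.0.3", client_to_lan)))
    # Same payload but plain GRE (protocol 0x0800) instead of WCCP: the cache should not treat it as a redirect.
    plain_gre = ipv4_header("192.168.0.1", "192.168.0.3", IP_PROTO_GRE, 4 + len(client_to_web)) \
        + struct.pack("!HH", 0, 0x0800) + client_to_web
    print("plain:", handle_gre_frame(plain_gre))
```

Run it as-is to see the three outcomes; to check a real capture, feed the raw IP bytes of a frame captured with `tcpdump -i eth0 -n proto gre` into handle_gre_frame.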



