[c-nsp] Squid cannot see wccp traffic through GRE Tunnel

Christina Klam cklam at ias.edu
Tue Apr 7 08:57:38 EDT 2009


All,

We have been having some problems with wccpv2 working through a GRE
tunnel between a 6504e (version
s3223-ipservicesk9_wan-mz.122-33.SXI.bin) and a Squid server (RHEL5).
The tunnel is up, and we can see GRE traffic on both sides.  WCCP is up
as well.  But when we try to redirect wccp traffic to the Squid
server, the Squid server never receives it.  We are not having this
problem on a separate network where we are using wccp but not through a
GRE tunnel.  Any ideas?

interface Tunnel2
 description GRE_Squid
 ip address 172.16.X.Y 255.255.255.252
 ip wccp web-cache redirect out
 tunnel source Loopback1
 tunnel destination 172.16.C.C
end

interface Loopback1
 ip address 172.16.X.A 255.255.255.255
 ip wccp web-cache redirect out
 ip flow ingress

Internet facing interface:
interface Vlan3
 description #Uplink_Packeteer_Nitroguard_FW#
 ip address 172.16.X.X 255.255.255.0
 ip wccp web-cache redirect out
 ip wccp web-cache redirect in
 ip flow ingress

gateway-resnet#sh ip wccp web-cache detail
WCCP Client information:
        WCCP Client ID:          172.16.X.Z
        Protocol Version:        2.0
        State:                   Usable
        Redirection:             GRE
        Packet Return:           GRE
        Assignment:              HASH
        Initial Hash Info:       00000000000000000000000000000000
                                 00000000000000000000000000000000
        Assigned Hash Info:      FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                                 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
        Hash Allotment:          256 (100.00%)
        Packets s/w Redirected:  0
        Connect Time:            01:21:48
        Bypassed Packets
          Process:               0
          CEF:                   0
          Errors:                0

gateway-resnet#sh int tunn 2
Tunnel2 is up, line protocol is up
  Hardware is Tunnel
  Description: GRE_Squid
  Internet address is 172.16.X.Y/30
  MTU 17868 bytes, BW 100 Kbit, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 172.16.X.A (Loopback1), destination 172.16.C.C
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1476 bytes
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  L2 Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes
  L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes mcast
  L3 out Switched: ucast: 0 pkt, 0 bytes mcast: 0 pkt, 0 bytes
     226578 packets input, 47805578 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     114505 packets output, 23682296 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

sh log:
Mar 11 14:58:09 172.16.X.X  1654: Mar 11 14:58:08.985 EST:
%SEC-6-IPACCESSLOGP: list Squid permitted tcp 172.16.B.B(0) ->
64.233.161.147(0), 3 packets
Mar 11 14:58:09 172.16.X.X 1655: Mar 11 14:58:08.989 EST:
%SEC-6-IPACCESSLOGP: list Squid permitted tcp 172.16.B.B(0) ->
209.85.133.101(0), 3 packets
Mar 11 14:59:10 172.16.X.X 1658: Mar 11 14:59:09.013 EST:
%SEC-6-IPACCESSLOGP: list Squid permitted tcp 172.16.B.B(0) ->
209.85.133.102(0), 2 packets

Squid ACL:
Extended IP access list SquidProxy
    10 permit tcp host 172.16.A.A any log
    20 permit tcp host 172.16.B.B any log (1220 matches)
    30 deny ip any any (118 matches)


Thank you,

-- Christina



