[c-nsp] Squid cannot see wccp traffic through GRE Tunnel

Adrian Chadd adrian at creative.net.au
Tue Apr 7 09:38:57 EDT 2009


On Tue, Apr 07, 2009, Christina Klam wrote:
> All,
> 
> We have been having some problems with wccpv2 working through a GRE
> tunnel between a 6504e (version
> s3223-ipservicesk9_wan-mz.122-33.SXI.bin) and a Squid server (RHEL5).
> The tunnel is up; and we can see GRE traffic on both sides.  WCCP is up

Error - don't use a GRE tunnel with a 65xx series switch.

> as well.  But, when we try to redirect wccp traffic to the Squid
> server, the Squid server never receives it.  We are not having this
> problem on a separate network where we are using wccp but not through a
> GRE tunnel.  Any ideas?

Don't use GRE redirection/return. Use L2 redirection and return.
Use mask assignment rather than hash assignment. The traffic will
then stay 100% in the hardware path.

Anyway, for GRE redirection, you don't configure up a tunnel on the Cisco
router - the router just prepends the GRE packet header onto it.




Adrian

> 
> interface Tunnel2
>  description GRE_Squid
>  ip address 172.16.X.Y 255.255.255.252
>  ip wccp web-cache redirect out
>  tunnel source Loopback1
>  tunnel destination 172.16.C.C
> end
> 
> interface Loopback1
>  ip address 172.16.X.A 255.255.255.255
>  ip wccp web-cache redirect out
>  ip flow ingress
> 
> Internet facing interface:
> interface Vlan3
>  description #Uplink_Packeteer_Nitroguard_FW#
>  ip address 172.16.X.X 255.255.255.0
>  ip wccp web-cache redirect out
>  ip wccp web-cache redirect in
>  ip flow ingress
> 
> gateway-resnet#sh ip wccp web-cache detail
> WCCP Client information:
>         WCCP Client ID:          172.16.X.Z
>         Protocol Version:        2.0
>         State:                   Usable
>         Redirection:             GRE
>         Packet Return:           GRE
>         Assignment:              HASH
>         Initial Hash Info:       00000000000000000000000000000000
>                                  00000000000000000000000000000000
>         Assigned Hash Info:      FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>                                  FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>         Hash Allotment:          256 (100.00%)
>         Packets s/w Redirected:  0
>         Connect Time:            01:21:48
>         Bypassed Packets
>           Process:               0
>           CEF:                   0
>           Errors:                0
> 
> gateway-resnet#sh int tunn 2
> Tunnel2 is up, line protocol is up
>   Hardware is Tunnel
>   Description: GRE_Squid
>   Internet address is 172.16.X.Y/30
>   MTU 17868 bytes, BW 100 Kbit, DLY 50000 usec,
>      reliability 255/255, txload 1/255, rxload 1/255
>   Encapsulation TUNNEL, loopback not set
>   Keepalive not set
>   Tunnel source 172.16.X.A (Loopback1), destination 172.16.C.C
>   Tunnel protocol/transport GRE/IP
>     Key disabled, sequencing disabled
>     Checksumming of packets disabled
>   Tunnel TTL 255, Fast tunneling enabled
>   Tunnel transport MTU 1476 bytes
>   Last input 00:00:00, output 00:00:00, output hang never
>   Last clearing of "show interface" counters never
>   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
>   Queueing strategy: fifo
>   Output queue: 0/0 (size/max)
>   5 minute input rate 0 bits/sec, 0 packets/sec
>   5 minute output rate 0 bits/sec, 0 packets/sec
>   L2 Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes
>   L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes mcast
>   L3 out Switched: ucast: 0 pkt, 0 bytes mcast: 0 pkt, 0 bytes
>      226578 packets input, 47805578 bytes, 0 no buffer
>      Received 0 broadcasts (0 IP multicasts)
>      0 runts, 0 giants, 0 throttles
>      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
>      114505 packets output, 23682296 bytes, 0 underruns
>      0 output errors, 0 collisions, 0 interface resets
>      0 output buffer failures, 0 output buffers swapped out
> 
> sh log:
> Mar 11 14:58:09 172.16.X.X  1654: Mar 11 14:58:08.985 EST:
> %SEC-6-IPACCESSLOGP: list Squid permitted tcp 172.16.B.B(0) ->
> 64.233.161.147(0), 3 packets
> Mar 11 14:58:09 172.16.X.X 1655: Mar 11 14:58:08.989 EST:
> %SEC-6-IPACCESSLOGP: list Squid permitted tcp 172.16.B.B(0) ->
> 209.85.133.101(0), 3 packets
> Mar 11 14:59:10 172.16.X.X 1658: Mar 11 14:59:09.013 EST:
> %SEC-6-IPACCESSLOGP: list Squid permitted tcp 172.16.B.B(0) ->
> 209.85.133.102(0), 2 packets
> 
> Squid ACL:
> Extended IP access list SquidProxy
>     10 permit tcp host 172.16.A.A any log
>     20 permit tcp host 172.16.B.B any log (1220 matches)
>     30 deny ip any any (118 matches)
> 
> 
> Thank you,
> 
> -- Christina
> 
> 
> 
> 
> 


-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
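
A check for the settings recommended in the reply above, run over `show ip wccp web-cache detail` output. This is an added example, not part of the original thread: the client addresses and the second client entry are constructed, and the `L2` and `MASK` field values are assumed to be how IOS prints those modes.

```python
import re

# Settings the reply recommends on a 65xx: L2 redirect/return, mask assignment.
RECOMMENDED = {"Redirection": "L2", "Packet Return": "L2", "Assignment": "MASK"}

# Constructed sample: the first client mirrors the output quoted in the thread,
# the second is invented to show an entry that matches the recommendation.
SAMPLE = """\
WCCP Client information:
        WCCP Client ID:          172.16.0.10
        State:                   Usable
        Redirection:             GRE
        Packet Return:           GRE
        Assignment:              HASH
        WCCP Client ID:          172.16.0.11
        State:                   Usable
        Redirection:             L2
        Packet Return:           L2
        Assignment:              MASK
"""

FIELD = re.compile(r"^\s*([A-Za-z/ ]+?):\s+(\S.*?)\s*$")

def parse_clients(text):
    """Split 'show ip wccp <service> detail' output into one dict per client."""
    clients = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # section headers and continuation lines carry no value
        key, value = m.groups()
        if key == "WCCP Client ID":
            clients.append({})  # each client block starts with its ID
        if clients:
            clients[-1][key] = value
    return clients

def audit(text):
    """Return {client_id: [(field, seen, wanted), ...]} for non-recommended settings."""
    findings = {}
    for c in parse_clients(text):
        bad = [(f, c.get(f, "missing"), want) for f, want in RECOMMENDED.items()
               if c.get(f, "").upper() != want]
        if bad:
            findings[c["WCCP Client ID"]] = bad
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```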

