[c-nsp] RES: Squid cannot see wccp traffic through GRE Tunnel
Juliano Luz - Sicredi
juliano_luz at sicredi.com.br
Tue Apr 7 09:55:01 EDT 2009
Maybe a problem related to MTU size?
Check
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On behalf of Christina Klam
Sent: Tuesday, April 7, 2009 09:58
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Squid cannot see wccp traffic through GRE Tunnel
All,
We have been having some problems with wccpv2 working through a GRE tunnel
between a 6504e (version s3223-ipservicesk9_wan-mz.122-33.SXI.bin) and a
Squid server (RHEL5).
The tunnel is up, and we can see GRE traffic on both sides. WCCP is up as
well. But, when we try to redirect wccp traffic to the Squid server, the
Squid server never receives it. We are not having this problem on a
separate network where we are using wccp but not through a GRE tunnel. Any
ideas?
interface Tunnel2
 description GRE_Squid
 ip address 172.16.X.Y 255.255.255.252
 ip wccp web-cache redirect out
 tunnel source Loopback1
 tunnel destination 172.16.C.C
end

interface Loopback1
 ip address 172.16.X.A 255.255.255.255
 ip wccp web-cache redirect out
 ip flow ingress

Internet facing interface:
interface Vlan3
 description #Uplink_Packeteer_Nitroguard_FW#
 ip address 172.16.X.X 255.255.255.0
 ip wccp web-cache redirect out
 ip wccp web-cache redirect in
 ip flow ingress

gateway-resnet#sh ip wccp web-cache detail
WCCP Client information:
 WCCP Client ID: 172.16.X.Z
 Protocol Version: 2.0
 State: Usable
 Redirection: GRE
 Packet Return: GRE
 Assignment: HASH
 Initial Hash Info: 00000000000000000000000000000000
                    00000000000000000000000000000000
 Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                     FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
 Hash Allotment: 256 (100.00%)
 Packets s/w Redirected: 0
 Connect Time: 01:21:48
 Bypassed Packets
  Process: 0
  CEF: 0
  Errors: 0

gateway-resnet#sh int tunn 2
Tunnel2 is up, line protocol is up
Hardware is Tunnel
Description: GRE_Squid
Internet address is 172.16.X.Y/30
MTU 17868 bytes, BW 100 Kbit, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 172.16.X.A (Loopback1), destination 172.16.C.C
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
L2 Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes
L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes mcast
L3 out Switched: ucast: 0 pkt, 0 bytes mcast: 0 pkt, 0 bytes
226578 packets input, 47805578 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
114505 packets output, 23682296 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
sh log:
Mar 11 14:58:09 172.16.X.X 1654: Mar 11 14:58:08.985 EST: %SEC-6-IPACCESSLOGP: list Squid permitted tcp 172.16.B.B(0) -> 64.233.161.147(0), 3 packets
Mar 11 14:58:09 172.16.X.X 1655: Mar 11 14:58:08.989 EST: %SEC-6-IPACCESSLOGP: list Squid permitted tcp 172.16.B.B(0) -> 209.85.133.101(0), 3 packets
Mar 11 14:59:10 172.16.X.X 1658: Mar 11 14:59:09.013 EST: %SEC-6-IPACCESSLOGP: list Squid permitted tcp 172.16.B.B(0) -> 209.85.133.102(0), 2 packets
Squid ACL:
Extended IP access list SquidProxy
10 permit tcp host 172.16.A.A any log
20 permit tcp host 172.16.B.B any log (1220 matches)
30 deny ip any any (118 matches)
Thank you,
-- Christina