[c-nsp] WCCP2 VRF Aware
Jeff Orr
jeffborr at gmail.com
Tue Apr 26 22:27:52 EDT 2016
WCCP can give you fits; we have 54 proxies that our team manages and ran into an
issue similar to what you mentioned not that long ago.
First thing, I see you specified a redirect-list, but it was not included.
Can you post it? Also, I have run into issues (more in the WAAS space) with
having the WCCP device and clients on the same subnet. I suggest having the
SQUID server on a separate SVI.
Finally, what hardware platform is this on? Try using ingress redirect on
the separate client SVI.
Good luck!
On Tue, Apr 26, 2016 at 5:26 PM Maile Halatuituia <maile.halatuituia at tcc.to>
wrote:
> Hi
> Here is my router wccp config
> In global config I enable ip wccp
> #ip wccp web-cache redirect-list WCCP_HTTP
> #ip wccp 70 redirect-list WCCP_HTTPS
> Interface facing my Clients and also Squid is in the same subnet
>
> int g0/0.904
> ip wccp web-cache redirect out
> ip wccp 70 redirect out
>
> Verification
>
> #sh ip wccp sum
> WCCP version 2 enabled, 2 services
>
> Service Clients Routers Assign Redirect Bypass
> ------- ------- ------- ------ -------- ------
> Default routing table (Router Id: x.x.x.x):
> web-cache 1 1 HASH GRE GRE
> 70 1 1 HASH GRE GRE
>
> #sh tunnel groups wccp
> WCCP : service group 0 in "Default", ver v2, assgnmnt: hash-table
> intf: Tunnel2, locally sourced
> WCCP : service group 326 in "Default", ver v2, assgnmnt: hash-table
> intf: Tunnel0, locally sourced
>
> #sh adjacency tunnel 0 detail
> Protocol Interface Address
> IP Tunnel0 10.240.0.30(3)
> connectionid 1
> 0 packets, 0 bytes
> epoch 0
> sourced in sev-epoch 31
> Encap length 28
> 4500000000000000FF2FC732CA861F08
> 0AF0001E0000883E01460000
> Tun endpt
> Next chain element:
> IP adj out of GigabitEthernet0/0.904,
> addr 10.240.0.30
> #sh adjacency tunnel 2 detail
> Protocol Interface Address
> IP Tunnel2 10.240.0.30(3)
> connectionid 1
> 0 packets, 0 bytes
> epoch 0
> sourced in sev-epoch 32
> Encap length 28
> 4500000000000000FF2FC732CA861F08
> 0AF0001E0000883E00000000
> Tun endpt
> Next chain element:
> IP adj out of GigabitEthernet0/0.904,
> addr 10.240.0.30
> #sh ip wccp web-cache detail
> WCCP Client information:
> WCCP Client ID: 10.240.0.30
> Protocol Version: 2.0
> State: Usable
> Redirection: GRE
> Packet Return: GRE
> Assignment: HASH
> Initial Hash Info: 00000000000000000000000000000000
> 00000000000000000000000000000000
> Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> Hash Allotment: 256 (100.00%)
> Packets s/w Redirected: 0
> Connect Time: 00:08:42
> GRE Bypassed Packets
> Process: 0
> CEF: 0
> Errors: 0
> As you can see, all seems to be established between the router and the Squid
> box but no PACKET has been redirected.
> For my IOS
> ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
>
> It's been over two weeks now and I seem to be looking everywhere but no luck.
> Also here are my iptables rules for your info, which run on Ubuntu 14.04 with
> Squid
>
> # squid -v
> Squid Cache: Version 3.5.16
> Service Name: squid
> Intercept/WCCPv2/LibreSSL/CRTD/(A)UFS/DISKD/ROCK/eCAP/64/GCC Production
> configure options: '--prefix=/usr/local' '--enable-translation'
> '--enable-external-acl-helpers=none' '--enable-storeio=ufs,aufs,diskd,rock'
> '--enable-removal-policies=lru,heap' '--enable-wccp2'
> '--enable-follow-x-forwarded-for' '--enable-cache-digests'
> '--enable-auth-negotiate=none' '--disable-auth-digest'
> '--disable-auth-ntlm' '--disable-url-rewrite-helpers'
> '--enable-storeid-rewrite-helpers=file' '--enable-log-daemon-helpers=file'
> '--with-openssl=/usr/local' '--enable-ssl' '--enable-ssl-crtd'
> '--enable-zph-qos' '--enable-snmp' '--enable-inline' '--with-dl'
> '--with-build-environment=POSIX_V6_LP64_OFF64' 'CFLAGS=-O3 -m64 -pipe'
> 'CXXFLAGS=-O3 -m64 -pipe' 'LIBOPENSSL_CFLAGS=-I/usr/local/include'
> 'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig'
> '--disable-strict-error-checking'
> '--enable-build-info=Intercept/WCCPv2/LibreSSL/CRTD/(A)UFS/DISKD/ROCK/eCAP/64/GCC
> Production'
> iptables rules for redirection to Squid ports
> -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3127
> -A PREROUTING -i wccp0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
> -A POSTROUTING -j MASQUERADE
>
>
> Appreciate your kind assistance ....
> Thanks in advance
> Maile
>
>
>
> ________________________________________
> From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> on behalf of Maile
> Halatuituia <maile.halatuituia at tcc.to>
> Sent: Monday, April 25, 2016 9:00 PM
> To: Jeff Orr; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] WCCP2 VRF Aware
>
> Thanks Jeff
>
> Can you elaborate on what you refer to as a subset specifically???
>
> Thanks in advance
>
> ________________________________
> From: Jeff Orr <jeffborr at gmail.com>
> Sent: Monday, April 25, 2016 12:12 PM
> To: Maile Halatuituia; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] WCCP2 VRF Aware
>
> Check your WCCP settings relating to redirect method. L2 or GRE and hash
> vs mask. Some devices only support a subset.
> On Sun, Apr 17, 2016 at 11:21 PM Maile Halatuituia <maile.halatuituia at tcc.to>
> wrote:
>
> Hi
>
> I am trying to set up a transparent proxy for a test lab with Cisco IOS 15.0.
> If I manually input my proxy setting in my browser, I can see the client
> access with no problem; however, if I remove that proxy setting then it
> still has access but seems to bypass the proxy.
>
> I check the wccp2 detail on the router side and it all looks OK, such as the
> ip wccp vrf XXX detail and view,
>
> also I check using the sh adjacency tunnel X encap etc. etc. It looks fine
> to me, but it seems the packet is not intercepted and forwarded through the GRE
> tunnel to the proxy .... any word would help .... thanks
>
> Confidentiality Notice: This email (including any attachment) is intended
> for internal use only. Any unauthorized use, dissemination or copying of
> the content is prohibited. If you are not the intended recipient and have
> received this e-mail in error, please notify the sender by email and delete
> this email and any attachment.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
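The `Encap length 28` dumps quoted from `show adjacency tunnel N detail` can be decoded to confirm what the router will actually put on the wire toward the cache. The following Python script is an added example, not code from the thread or from Squid or Cisco; it takes the two hex strings from the post, splits each into the outer IPv4 header, the GRE header and the four trailing bytes (assumed here to be the WCCPv2 redirect header, with the service ID in its second byte), and checks that the tunnel destination is the WCCP client ID reported by `show ip wccp web-cache detail`. The addresses 202.134.31.8 and 10.240.0.30 and the expected service numbers are taken from the dumps and the `show tunnel groups wccp` output in the post.

```python
# Added example (not from the thread): decode the "Encap length 28" hex dumps
# printed by `show adjacency tunnel N detail` and check the tunnel endpoints
# against the WCCP client the router reports.
import ipaddress
import struct

IPPROTO_GRE = 47          # IP protocol number for GRE
GRE_PROTO_WCCP = 0x883E   # GRE protocol type used for WCCP redirection

# Constructed input: the two encap strings quoted in the post, whitespace removed.
# Tunnel0 carries dynamic service 70 (0x46 in the trailer); Tunnel2 carries the
# well-known web-cache service (0x00).
ENCAPS = {
    "Tunnel0": "4500000000000000FF2FC732CA861F080AF0001E0000883E01460000",
    "Tunnel2": "4500000000000000FF2FC732CA861F080AF0001E0000883E00000000",
}

# Expected service per tunnel, from the post's `show tunnel groups wccp` output.
EXPECTED_SERVICE = {"Tunnel0": 70, "Tunnel2": 0}


def decode_encap(hexstr):
    """Split a 28-byte encap dump into IPv4 header, GRE header and WCCP trailer."""
    raw = bytes.fromhex(hexstr)
    if len(raw) != 28:
        raise ValueError("expected 28 bytes (20 IPv4 + 4 GRE + 4 WCCP), got %d" % len(raw))
    # Fixed 20-byte IPv4 header: length/ID/checksum fields are filled in at
    # forwarding time, which is why they are zero in the adjacency dump.
    ver_ihl, _tos, _total_len, _ident, _flags_frag, ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", raw[:12])
    src = ipaddress.IPv4Address(raw[12:16])
    dst = ipaddress.IPv4Address(raw[16:20])
    # Minimal 4-byte GRE header: flags/version, then protocol type.
    gre_flags, gre_proto = struct.unpack("!HH", raw[20:24])
    # Assumption: the trailing 4 bytes are the WCCPv2 redirect header and the
    # second byte is the service ID (0x46 = 70 on Tunnel0, 0x00 on Tunnel2).
    service_id = raw[25]
    return {
        "ip_version": ver_ihl >> 4,
        "ihl_bytes": (ver_ihl & 0x0F) * 4,
        "ttl": ttl,
        "ip_proto": proto,
        "src": str(src),
        "dst": str(dst),
        "gre_flags": gre_flags,
        "gre_proto": gre_proto,
        "service_id": service_id,
    }


def check_tunnel(hexstr, client_id, expected_service):
    """Return a list of mismatches; an empty list means the encap points at the client."""
    d = decode_encap(hexstr)
    problems = []
    if d["ip_version"] != 4 or d["ihl_bytes"] != 20:
        problems.append("outer header is not a plain IPv4 header")
    if d["ip_proto"] != IPPROTO_GRE:
        problems.append("outer IP protocol %d is not GRE" % d["ip_proto"])
    if d["gre_proto"] != GRE_PROTO_WCCP:
        problems.append("GRE protocol type 0x%04X is not WCCP" % d["gre_proto"])
    if d["dst"] != client_id:
        problems.append("tunnel destination %s is not the WCCP client %s" % (d["dst"], client_id))
    if d["service_id"] != expected_service:
        problems.append("service ID %d, expected %d" % (d["service_id"], expected_service))
    return problems


def check_all(encaps=ENCAPS, client_id="10.240.0.30", expected=EXPECTED_SERVICE):
    """Check every tunnel; the result maps tunnel name to its list of problems."""
    return {name: check_tunnel(hexstr, client_id, expected[name])
            for name, hexstr in encaps.items()}


if __name__ == "__main__":
    for name, hexstr in ENCAPS.items():
        print(name, decode_encap(hexstr))
    print(check_all())
```

Both dumps decode to GRE with protocol type 0x883E, sourced from 202.134.31.8 and destined to 10.240.0.30, which matches the WCCP Client ID in `show ip wccp web-cache detail`; the encapsulation itself therefore does not explain the zero redirect counter, which is why the redirect-list and interface placement questions above are the next things to verify. The check earns its keep when the client ID and tunnel endpoint drift apart, for example after a VRF or SVI change.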