Before saying this or that, did you had the chance of looking at:
http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2
??
What version of IOS the 2901 has on it?
Eliezer
On 09/24/2013 02:31 AM, Jordan Dalley wrote:
> Thanks for your reply Bob,
>
> I tried what you said - completely removed any ifcfg-gre0 config and simply ran the commands:
>
> ifconfig gre0 inet 1.1.1.1 netmask 255.255.255.0 up
> iptables -F -t nat
> iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.112.4.4:3127
>
> On the router side (I had to modify your acl's a bit)
>
> ip access-list standard wccp-servers
> permit host 10.112.4.4
> ip access-list extended wccp-traffic
> permit tcp 10.114.32.0 0.0.7.255 any eq www
>
> ip wccp web-cache redirect-list wccp-traffic group-list wccp-servers
>
> Upon inspection, I can see the router forwarding packets through the gre tunnel:
>
> [root_at_tsv-squid1 ~]# tcpdump -i gre0
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on gre0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
> 20:40:04.370754 IP 10.114.32.51.62007 > 190.93.248.164.http: Flags [S], seq 2779756886, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
> 20:40:04.370861 IP 10.114.32.51.62008 > 190.93.248.164.http: Flags [S], seq 1665803222, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
> 20:40:07.381696 IP 10.114.32.51.62007 > 190.93.248.164.http: Flags [S], seq 2779756886, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
> 20:40:07.381779 IP 10.114.32.51.62008 > 190.93.248.164.http: Flags [S], seq 1665803222, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
> 20:40:13.387792 IP 10.114.32.51.62007 > 190.93.248.164.http: Flags [S], seq 2779756886, win 8192, options [mss 1460,nop,nop,sackOK], length 0
> 20:40:13.387812 IP 10.114.32.51.62008 > 190.93.248.164.http: Flags [S], seq 1665803222, win 8192, options [mss 1460,nop,nop,sackOK], length 0
>
> Here's the weird thing..
>
> [root_at_tsv-squid1 ~]# ifconfig gre0
> gre0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-82-12-00-00-00-00-00-00-00-00
> inet addr:1.1.1.1 Mask:255.255.255.0
> UP RUNNING NOARP MTU:1476 Metric:1
> RX packets:143 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:7136 (6.9 KiB) TX bytes:0 (0.0 b)
>
> Note my GRE tunnel is not transmitting, only receiving.
>
> I can confirm, ip forwarding is enabled.
>
> [root_at_tsv-squid1 ~]# cat /proc/sys/net/ipv4/ip_forward
> 1
> [root_at_tsv-squid1 ~]#
>
> Cheers,
> J.
>
> -----Original Message-----
> From: Luderitz Bob [mailto:Bob.Luderitz_at_NiproGlassAmericas.com]
> Sent: Tuesday, 24 September 2013 1:38 AM
> To: squid-users_at_squid-cache.org
> Subject: [squid-users] RE: WCCP issues with Centos 6.3 and Cisco 2901
>
> Hey Jordan, I am running a similar config with wccp and CentOS 6.3 with Cisco routers.
>
> Your config looks close to what I have but I use the built-in gre0 tunnel so don't have the interface explicitly setup just have it in rc.local like this:
> ifconfig gre0 inet 1.2.3.4 netmask 255.255.255.0 up
> echo 1 > /proc/sys/net/ipv4/ip_forward
> (same iptables statement as you have)
> iptables -F -t nat
> iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.80.166.227:3127
>
> From the router - I did not set the config up but have to documentation and have these additional statements defined to force http traffic to the squid - 166.227)
> access-list wccp-servers extended permit ip host 10.80.166.227 any
> access-list wccp-traffic extended permit tcp object-group DM_INLINE_NETWORK_7 any eq www
> wccp web-cache redirect-list wccp-traffic group-list wccp-servers
>
> hope this helps....
>
> -----Original Message-----
> From: Jordan Dalley [mailto:jdalley_at_tsv.catholic.edu.au]
> Sent: Monday, September 23, 2013 6:17 AM
> To:
> Subject: [squid-users] WCCP issues with Centos 6.3 and Cisco 2901
>
> Hi Squid community,
>
> I have an issue whereby I am just struggling to find out why it wont work.
>
> I have trawled through multiple forums, howto's, faq's etc but no matter what I do, I cannot get it to work properly.
>
> Here is what I have done so far:
>
> Router IP: 10.114.3.34
> Squid IP: 10.112.4.4
> WAN Subnet: 10.112.0.0 / 255.252.0.0
>
> Squid Config:
>
> http_port 3127 intercept
> wccp2_router 10.114.3.34
> wccp2_forwarding_method gre
> wccp2_return_method gre
> wccp2_service standard 0
>
> Confirm I can access and use port 3127 directly without issue from any location in the WAN.
>
> Router Config:
>
> ip wccp web-cache
> interface G0/1
> !Inside interface
> ip wccp web-cache redirect in
>
> Added to sysctl.conf:
>
> # Controls IP packet forwarding
> net.ipv4.ip_forward = 1
>
> # Controls source route verification
> net.ipv4.conf.default.rp_filter = 0
> net.ipv4.conf.eth0.rp_filter = 0
> net.ipv4.conf.eth0.ip_filter = 0
> net.ipv4.conf.gre0.rp_filter = 0
> net.ipv4.conf.gre0.ip_filter = 0
>
> Added to /etc/sysconfig/network-scripts/ifcfg-gre0
>
> DEVICE=gre0
> BOOTPROTO=static
> IPADDR=127.0.0.2
> NETMASK=255.255.255.0
> ONBOOT=YES
> IPV6INIT=NO
>
> Linux Configuration:
>
> modprobe ip_gre
> ifup gre0
> iptables -t nat -F
> iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.112.4.4:3127
>
> If, I then do a tcpdump -i gre0 I can see packets flowing through this interface with destination port 80. Unfortunately it seems as if they are somehow not being natted to the squid server.
>
> I've tried different varying methods of doing this, but none of them seem to work.
>
> Does anyone have any ideas?
>
> Regards,
> Jordan.
>
> ______________________________________________________
>
> NIPRO GLASS
> ______________________________________________________
>
> CAUTION - This message may contain privileged and confidential information intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby notified that any use, dissemination, distribution or reproduction of this message is prohibited. If you have received this message in error please notify NIPRO GLASS immediately. Any views expressed in this message are those of the individual sender and may not necessarily reflect the views of NIPRO GLASS.
>
>
Received on Tue Sep 24 2013 - 05:30:19 MDT
This archive was generated by hypermail 2.2.0 : Tue Sep 24 2013 - 12:00:04 MDT