So I have begun the awful adventure of getting Squid 3.3.8 working with my Cisco ASA 5520 (9.1(5)). I think the problem is that the traffic is getting to the squid box but it is either not getting to the actual daemon or it's not sending out (I think it's not getting to the daemon).

ASA sh wccp

Global WCCP information:
    Router information:
    Router Identifier:                   192.168.1.1
    Protocol Version:                    2.0

    Service Identifier: web-cache
    Number of Cache Engines:             1
    Number of routers:                   1
    Total Packets Redirected:            1049
    Redirect access-list:                wccp-traffic
    Total Connections Denied Redirect:   0
    Total Packets Unassigned:            1
    Group access-list:                   wccp-servers
    Total Messages Denied to Group:      1
    Total Authentication failures:       0
    Total Bypassed Packets Received:     0

I am sure the ASA is redirecting the traffic because every time I enable it, the Total Packets Redirected goes up.

I followed this guide: http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2 to set up the interface for squid. Since it comes from squid I was hoping it would work out of the box, but apparently not.

So I entered all the commands:

modprobe ip_gre
ip tunnel add wccp0 mode gre remote 192.168.1.1 local 10.10.1.63 dev eth0
ifconfig wccp0 10.10.1.63 netmask 255.255.255.255 up
echo 0 >/proc/sys/net/ipv4/conf/wccp0/rp_filter
echo 0 >/proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 >/proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -t nat -A POSTROUTING -j MASQUERADE

So here is where my mad debugging skills come into play. I know I only have it redirecting HTTP traffic, so I went to homedepot.com because I knew they didn't support SSL.

Global WCCP information:
    Router information:
    Router Identifier:                   192.168.1.1
    Protocol Version:                    2.0

    Service Identifier: web-cache
    Number of Cache Engines:             1
    Number of routers:                   1
    Total Packets Redirected:            1182
    Redirect access-list:                wccp-traffic
    Total Connections Denied Redirect:   0
    Total Packets Unassigned:            1
    Group access-list:                   wccp-servers
    Total Messages Denied to Group:      1
    Total Authentication failures:       0
    Total Bypassed Packets Received:     0

And tada! My Total Packets Redirected went up. So I know that the packets are hitting the ASA and then the ASA is redirecting them to the squid box.

Next I let tcpdump run on the squid box while I tried to load homedepot.com. I cut out the useless things and put the relevant info below.

04:03:35.448210 IP 192.168.1.1 > 10.10.1.63: GREv0, length 60: gre-proto-0x883e

So this tells me that the packet is hitting the squid box.

I also did some debugging on the wccp0 interface.

Before:

wccp0     Link encap:UNSPEC  HWaddr XXX
          inet addr:10.10.1.63  P-t-P:10.10.1.63  Mask:255.255.255.255
          inet6 addr: fe80::5efe:a0a:13f/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
          RX packets:159 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:8592 (8.5 KB)  TX bytes:180 (180.0 B)

After:

wccp0     Link encap:UNSPEC  HWaddr XXX              
          inet addr:10.10.1.63  P-t-P:10.10.1.63  Mask:255.255.255.255
          inet6 addr: fe80::5efe:a0a:13f/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
          RX packets:164 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:8848 (8.8 KB)  TX bytes:180 (180.0 B)

It's not transmitting any packets, so I think it's not hitting the squid daemon (access.log doesn't show anything either).

Squid config:

http_access allow all
http_port 3129 intercept
wccp2_router 10.10.1.1
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0

Any help is much appreciated!!! <33

user298329
  • Does the Squidbox have a route back to the 192.168.1.1 network without going through the ASA? WCCP on an ASA has [specific requirements](https://supportforums.cisco.com/document/48341/asa-wccp-step-step-configuration). One of which takes into account the fact that the original SYN does not create a state entry on the ASA so the Squid Box cannot send a SYN/ACK response back through the ASA. – Mark Riddell Jul 13 '16 at 15:58
  • @MarkoPolo The squid box can't communicate with 192.168.1.1 because it is the management network of the ASA, which isn't even hooked up – user298329 Jul 13 '16 at 21:20
  • Sorry, I should reclarify. Can the Squid Box talk back to the actual client device without having to be routed via the ASA? – Mark Riddell Jul 14 '16 at 06:42
  • @MarkoPolo Yes, the configuration goes ASA -> 5 port switch -> WiFi access point. From the 5 port switch I have a cable to the squid server – user298329 Jul 15 '16 at 05:33
  • So assuming that everything is in the same subnet, can you run a tcpdump on the squidbox (all interfaces) and on the client device. Should be able to find out where the traffic is going. – Mark Riddell Jul 15 '16 at 12:24
  • @MarkoPolo I was going to do the tcpdump and I re-enabled WCCP on the ASA; now 'Total Messages Denied to Group' is increasing (and with WCCP enabled I can view any site) – user298329 Jul 16 '16 at 01:38
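The tcpdump line in the question shows the ASA's redirect arriving as GREv0 with protocol 0x883e (WCCP). As an added illustration that is not part of the original post, the Python snippet below decapsulates such a packet the way the Linux ip_gre driver does (skipping the 4-byte WCCPv2 redirect header when present) so you can see the inner IP/TCP tuple that the PREROUTING rule on wccp0 actually evaluates; the client and destination addresses in the sample packet are constructed.

```python
import struct
from ipaddress import IPv4Address

GRE_PROTO_WCCP = 0x883E  # the "gre-proto-0x883e" tcpdump shows on the squid box

def decap_wccp_gre(gre_pkt: bytes) -> dict:
    """Strip GRE (+ WCCPv2 redirect header) and return the inner IPv4/TCP tuple,
    i.e. what the wccp0 interface hands to the nat PREROUTING chain."""
    flags_ver, proto = struct.unpack("!HH", gre_pkt[:4])
    if proto != GRE_PROTO_WCCP or flags_ver & 0x0007:
        raise ValueError("not a GREv0 packet carrying WCCP (0x883e)")
    off = 4
    if flags_ver & 0xC000:  # checksum / routing field present
        off += 4
    if flags_ver & 0x2000:  # key present
        off += 4
    if flags_ver & 0x1000:  # sequence number present
        off += 4
    # WCCPv2 puts a 4-byte redirect header before the IP packet; like the Linux
    # ip_gre driver, skip it unless the next byte already starts with IP version 4.
    if (gre_pkt[off] >> 4) != 4:
        off += 4
    ihl = (gre_pkt[off] & 0x0F) * 4
    ip = gre_pkt[off:off + ihl]
    info = {
        "src": str(IPv4Address(ip[12:16])),
        "dst": str(IPv4Address(ip[16:20])),
        "proto": ip[9],
        "ip_len": struct.unpack("!H", ip[2:4])[0],
    }
    if ip[9] == 6:  # TCP: pull the ports and the SYN flag
        tcp = gre_pkt[off + ihl:off + ihl + 20]
        info["sport"], info["dport"] = struct.unpack("!HH", tcp[:4])
        info["syn"] = bool(tcp[13] & 0x02)
    return info

def matches_redirect_rule(info: dict, dport: int = 80) -> bool:
    """Would 'iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80' match it?"""
    return info["proto"] == 6 and info.get("dport") == dport

def build_sample() -> bytes:
    """Constructed sample: client 10.10.1.100 -> 198.51.100.10:80 SYN, wrapped the
    way the ASA encapsulates it (GREv0, proto 0x883e, WCCPv2 header for service 0)."""
    gre = struct.pack("!HH", 0, GRE_PROTO_WCCP)
    wccp = b"\x00\x00\x00\x00"  # WCCPv2 redirect header: service id 0 (web-cache)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     IPv4Address("10.10.1.100").packed, IPv4Address("198.51.100.10").packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return gre + wccp + ip + tcp
```

Feed it the GRE payload captured on eth0 (everything after the outer IP header) and compare the result with what the wccp0 RX counters and the REDIRECT rule report; a packet that decapsulates but does not match the rule never reaches port 3129.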
