Re: [squid-users] WCCP / no return traffic on gre interface

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Thu, 10 May 2007 23:58:01 +0200

Thu 2007-05-10 at 13:10 -0400, Chad Harrelson wrote:

> Can you think of anything else?

Check your firewall rules on the Squid server. The message suggests that
the "I_SEE_YOU" messages aren't reaching your Squid.

> Like I said, this works with protocol
> 1. Also, the only other strange config I have is that my GRE
> interface is a real routable IP (150.125.125.187/29). Most of the
> documents I see say to use the same IP as eth0 but with a 32 bit mask.
> When I do this I get the protocol 47 ICMP unreachable error in
> tcpdump.

Below is assuming you are using Linux. Think you said you are, but not
sure...

GRE has two sets of addresses.

a) The tunnel endpoint addresses (local & remote). These MUST match the
traffic sent by the router. Also known as link addresses. Use tcpdump on
the ethernet interface if you are unsure how the router encapsulates the
traffic.

b) Local interface address. Doesn't really matter what it's set to, but
should be set to an IP address usable on your network.

And the interface must be UP.

It's hard to see all of these using the obsolete ifconfig command, but
if you use the modern ip command then everything is shown nicely.

ip addr show wccp0

5: wccp0@eth0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue
    link/gre 1.2.3.4 peer 5.6.7.8
    inet 10.20.30.40/32 scope global wccp0

The device @eth0 must be the physical device where the GRE packets are
being received.

The link/gre line must match the addresses used by the router on the
intercepted traffic. 1.2.3.4 is the router IP (source), 5.6.7.8 is the
server IP (destination).

The inet line should list an IP which is usable on your network and
identifying the server. But it's not very important here as no traffic
is going out via this GRE tunnel. For simplicity I recommend using the
same IP as the ethernet interface matching the local GRE endpoint.

As no traffic should be routed out this WCCP GRE interface I recommend
using a /32 address. The only practical difference is that if you use a
full network then you automatically get a route for that network via the
GRE interface.

Regards
Henrik

Received on Thu May 10 2007 - 15:58:06 MDT
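
The checks listed in the message above, as an added example that is not part of the original post or of Squid: a shell function that reads `ip addr show` output on stdin and verifies the UP flag, the underlying device, the link/gre address pair and the /32 inet address. The function name, its argument order and the failing sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper): verify a WCCP GRE interface from
# `ip addr show DEV` output read on stdin.
# check_wccp_gre DEV PHYS LINK_ADDR PEER_ADDR INET_ADDR
check_wccp_gre() {
    awk -v dev="$1" -v phys="$2" -v la="$3" -v pa="$4" -v ia="$5" '
    /^[0-9]+:/ {                      # header: "5: wccp0@eth0: <FLAGS> ..."
        name = $2; sub(/:$/, "", name)
        split(name, p, "@"); got_dev = p[1]; got_phys = p[2]
        flags = $3; gsub(/[<>]/, "", flags)
        n = split(flags, f, ",")
        for (i = 1; i <= n; i++) if (f[i] == "UP") up = 1   # LOWER_UP does not count
    }
    $1 == "link/gre" { got_la = $2; got_pa = $4 }   # tunnel endpoint addresses
    $1 == "inet"     { got_inet = $2 }              # local interface address
    END {
        bad = 0
        if (got_dev != dev)   { print "FAIL: no entry for " dev; bad = 1 }
        if (got_phys != phys) { print "FAIL: attached to " got_phys ", expected " phys; bad = 1 }
        if (!up)              { print "FAIL: interface is not UP"; bad = 1 }
        if (got_la != la || got_pa != pa) {
            print "FAIL: link/gre " got_la " peer " got_pa ", expected " la " peer " pa
            bad = 1
        }
        # The /32 mask is a recommendation in the message, so only warn.
        if (got_inet != (ia "/32")) print "WARN: inet " got_inet ", expected " ia "/32"
        exit bad
    }'
}

# Output quoted in the message above.
sample_good() {
cat <<'EOF'
5: wccp0@eth0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue
    link/gre 1.2.3.4 peer 5.6.7.8
    inet 10.20.30.40/32 scope global wccp0
EOF
}

# Constructed failing case: interface down, wrong peer, /29 mask.
sample_bad() {
cat <<'EOF'
5: wccp0@eth0: <POINTOPOINT,NOARP> mtu 1476 qdisc noop
    link/gre 1.2.3.4 peer 9.9.9.9
    inet 150.125.125.187/29 scope global wccp0
EOF
}

sample_good | check_wccp_gre wccp0 eth0 1.2.3.4 5.6.7.8 10.20.30.40 && echo "wccp0 OK"
```

On a live host, pipe `ip addr show wccp0` into the function instead of the embedded samples, passing the addresses seen with tcpdump on the ethernet interface.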
