Re: [squid-users] CentOS/Squid/Tproxy but no transfer

From: Behnam B.Marandi <blixbox_at_gmail.com>
Date: Fri, 07 Aug 2009 23:15:03 +0430

A few days ago a friend of mine, who is more experienced than me in
network administration and Cisco devices, helped me to configure tproxy.
We tested the configuration and it worked. The trick was separating
Inbound, Outbound and cache machine(s) subnets. I don't know if this is how
the traffic has to be configured or if this is just a workaround and it's
working.

But I have to say I still don't understand all of it, and neither does my friend.

Behnam.

Tom Penndorf wrote:

>
> On 14.07.2009 at 06:25, Adrian Chadd wrote:
>
>> 2009/7/14 Amos Jeffries <squid3_at_treenet.co.nz>:
>>
>>>> Do you have an example of this particular (mis) configuration? The
>>>> note in the Wiki article isn't very clear.
>>>
>>> I don't. The admin only mentioned that adding a bypass on service group
>>> fixed the issue.
>>> I had a tcpdump of a set of requests showing pairs of seemingly identical
>>> requests arriving from the router within 1sec of each other. On deep
>>> inspection the slightly delayed one showed some minor alterations such as
>>> Squid makes from the first.
>>
>> Right. But what was the squid config, cisco config and network
>> topology for both the "doesn't work" and "works" setups?
>>
>>> If there is any way to make the wiki clearer without wholesale including of
>>> per-IOS config setting go for it.
>>
>> Well, it may boil down to per-IOS config and per-platform, per-IOS
>> config. The problem is getting some more information to at least
>> document what is needed.
>>
>>> The behavior I saw was:
>>
>>> enable wccpv2 + NAT intercept with wiki config
>>> ==> perfectly working, not a sign of any squid-sourced packets.
>>
>> Right, probably because it was using one service group and the
>> half-duplex redirection needed for normal, non-tproxy interception was
>> being done.
>>
>>> swap NAT for tproxy4 with the wiki config (no change to WCCP or links)
>>> ==> loop trace showing squid outward packets coming IN from WCCP.
>>
>> Yeah that won't work. :)
>>
>>> So I say "seems" and "appears" to be an automatic bypass in WCCP or router
>>> somewhere. No idea where. "may" need bypassing manually to fix tproxy.
>>
>> Well, the automatic bypass should be "if the router sees packets from
>> an IP address or MAC of a registered device, it should be passing it
>> through." I have no idea whether it is doing this without explicit
>> "don't further redirect" rules (eg by deny entries in the redirect
>> list, or "wccp exclude in", etc) because that may absolutely be
>> platform, IOS and WCCPv2 negotiation type dependent.
>>
>> So please, poke the admin in question to get as much information about
>> the configuration and setup of everything.
>>
>>
>>
>> Adrian
>
>
> If it's possible, the easier solution could be to have the squid
> behind the same interface of the router as the clients.
>
>
> Tom
>
>
Received on Fri Aug 07 2009 - 18:45:15 MDT
