Cisco 887 and WCCP / Squid 3.3 HTTPS ?

MarkA-007
Level 1

Hi all,

I can't seem to persuade the Cisco to send HTTPS to the squid proxy....

HTTP is fine when I use "web-cache" but not if I use service 0... what's the difference?

Here's the layout - bear with me, some squid stuff first.

I've set up squid for both HTTP and HTTPS and proved it's working (i.e. set the proxy directly in a web browser).

To keep things simple I send HTTP to 3128 and HTTPS to 3130, via gre0, and then sort the port direction out via iptables etc.

The tunnel gre0 is brought up on boot up of the nix box ready for action with all the redirects etc.

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere            tcp dpt:https to:192.x.z.a:3130
DNAT       tcp  --  anywhere             anywhere            tcp dpt:http to:192.x.y.a:3128

and my squid.conf looks like this for wccp, all standard stuff (the directive is spelled wccp2_*_method; the dynamic service must be declared with the same id, 70, that the service_info line and the router refer to):

wccp2_router 192.x.y.z
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
wccp2_service dynamic 70
wccp2_service_info 70 protocol=tcp flags=src_ip_hash,ports_source priority=240 ports=443
wccp2_assignment_method hash

Then, on the 877:

ip wccp source-interface Vlan1
ip wccp web-cache
ip wccp 70

and on my interface ATM0.1 (outside NAT of a bridge, which is where the rest of my IP stuff is):

ip wccp web-cache redirect out
ip wccp 70 redirect out

The 877 is seeing the tunnel, and sends a trap to say it's up.

sh ip wccp sum shows:

WCCP version 2 enabled, 2 services

Service     Clients   Routers   Assign      Redirect   Bypass
-------     -------   -------   ------      --------   ------
Default routing table (Router Id: 192.x.y.z):
web-cache   1         1         HASH        GRE        GRE
70          1         1         HASH        GRE        GRE

sh ip wccp shows:

Global WCCP information:
    Router information:
        Router Identifier:                   192.x.y.z
        Configured source-interface:         Vlan1

    Service Identifier: web-cache
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            2924
          Process:                           0
          CEF:                               2924
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            15
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
        GRE tunnel interface:                Tunnel0

    Service Identifier: 70
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            0
          Process:                           0
          CEF:                               0
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
        GRE tunnel interface:                Tunnel1

Using tcpdump I can see stuff whizzing up the gre0 interface towards the proxy. So the two are able to talk, for just HTTP.

I'm wondering if my IOS only supports web-cache and not full services, even though they are in the IOS?

(C800-UNIVERSALK9_NPE-M), Version 15.2(4)M4,

Any thoughts?

MarkA

3 Replies

prateeve
Level 1

Hi,

Take the IP captures between the ASA's interface and the squid IP and check whether squid is sending any "HERE I AM" packet, because until the ASA sees that packet from squid, the ASA will not send the traffic.

- Prateek Verma

Julio Carvajal
VIP Alumni

Hello Mark,

Well, we can see that the GRE connection between the two is being built for both service 0 and 70.

The problem is that no packets are being redirected for SSL.

Quick question: you have the browser configured for implicit/transparent proxy at the moment of the issue, right?

In this configuration you define service 70 for redirection (equivalent to HTTPS), but remember that the content engine is the one letting the router know which traffic to capture and forward using service 70.

Can you add:

ip wccp check services all

Let us know if you find something else from the Squid server.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Well,

With a bit of help from the nice people at Cisco, we got there. They did the diags and I spotted the problem.

This:

wccp2_service_info 70 protocol=

is the important bit. Re-arrange to suit your own recipe to get this:

WCCP service information definition:
        Type:          Dynamic
        Id:            70
        Priority:      240
        Protocol:      6
        Flags:         0x00000512
          Hash:        (ignored) DstIP
          Alt Hash:    (ignored) SrcIP SrcPort
          Ports used:  Destination
        Ports:         443

MarkA
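As an added example (not code from this thread, from Squid or from Cisco), here is a small Python decoder/encoder for the WCCPv2 service flags word that the router renders as Flags/Hash/Alt Hash/Ports used above; the bit values are the WCCPv2 service-flag definitions, and the keyword names are assumed to match Squid's wccp2_service_info flags= vocabulary. Run on the original line (flags=src_ip_hash,ports_source ports=443) it shows the mismatch that kept HTTPS from being redirected: ports_source makes the router compare the port list against the source port, and client connections to 443 carry that port as the destination, not the source.

```python
# Added example: decode/encode the WCCPv2 service flags word as shown by
# "show ip wccp" (Flags / Hash / Alt Hash / Ports used). Bit values are the
# WCCPv2 service-flag definitions; keyword names assumed to follow Squid's
# wccp2_service_info flags= vocabulary (assumption, not taken from the thread).

SERVICE_FLAGS = {
    "src_ip_hash":       0x0001,
    "dst_ip_hash":       0x0002,
    "source_port_hash":  0x0004,
    "dst_port_hash":     0x0008,
    "ports_defined":     0x0010,   # a port list is present
    "ports_source":      0x0020,   # port list matches the SOURCE port
    "src_ip_alt_hash":   0x0100,
    "dst_ip_alt_hash":   0x0200,
    "src_port_alt_hash": 0x0400,
    "dst_port_alt_hash": 0x0800,
}

# Primary-hash bits and their router labels; alt-hash bits are the same << 8.
HASH_LABELS = {0x1: "SrcIP", 0x2: "DstIP", 0x4: "SrcPort", 0x8: "DstPort"}


def encode_flags(keywords, ports=()):
    """Build the flags word from Squid-style keywords (unknown keyword raises)."""
    word = 0
    for kw in keywords:
        word |= SERVICE_FLAGS[kw]
    if ports:
        # Assumed: Squid sets ports_defined itself whenever ports= is given.
        word |= SERVICE_FLAGS["ports_defined"]
    return word


def decode_flags(word):
    """Render a flags word the way the router's service definition does."""
    primary = [lbl for bit, lbl in HASH_LABELS.items() if word & bit]
    alternate = [lbl for bit, lbl in HASH_LABELS.items() if word & (bit << 8)]
    return {
        "hash": primary,
        "alt_hash": alternate,
        "ports_defined": bool(word & SERVICE_FLAGS["ports_defined"]),
        "ports_used": "Source" if word & SERVICE_FLAGS["ports_source"] else "Destination",
    }


if __name__ == "__main__":
    print(decode_flags(0x512))                       # router output in the final reply
    original = encode_flags(["src_ip_hash", "ports_source"], ports=(443,))
    print(hex(original), decode_flags(original))     # the first squid.conf line
```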
