01-15-2014 05:01 PM - edited 03-11-2019 08:30 PM
Hi all,
I can't seem to persuade the Cisco to send HTTPS to the squid proxy....
HTTP is fine when I use "web-cache" but not if I use service 0... what's the difference?
Here's the layout - bear with me, some squid stuff first.
I've set up squid for both HTTP and HTTPS and proved it's working. (i.e. set the proxy directly on a web browser.)
To keep things simple I send HTTP to 3128 and HTTPS to 3130, via gre0, and then sort the port redirection out via iptables etc.
The tunnel gre0 is brought up at boot on the nix box, ready for action with all the redirects etc.
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:https to:192.x.z.a:3130
DNAT tcp -- anywhere anywhere tcp dpt:http to:192.x.y.a:3128
and my squid.conf looks like this for wccp, all standard stuff.
wccp2_router 192.x.y.z
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
wccp2_service dynamic 80
wccp2_service_info 70 protocol=tcp flags=src_ip_hash,ports_source priority=240 ports=443
wccp2_assignment_method hash
Then on the 877,
ip wccp source-interface Vlan1
ip wccp web-cache
ip wccp 70
and on my interface ATM0.1 (outside NAT of a bridge, which is where the rest of my IP stuff is):
ip wccp web-cache redirect out
ip wccp 70 redirect out
The 877 is seeing the tunnel, and sends a trap to say it's up.
sh ip wccp sum shows:
WCCP version 2 enabled, 2 services
Service Clients Routers Assign Redirect Bypass
------- ------- ------- ------ -------- ------
Default routing table (Router Id: 192.x.y.z):
web-cache 1 1 HASH GRE GRE
70 1 1 HASH GRE GRE
sh ip wccp shows:
Global WCCP information:
Router information:
Router Identifier: 192.x.y.z
Configured source-interface: Vlan1
Service Identifier: web-cache
Protocol Version: 2.00
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets Redirected: 2924
Process: 0
CEF: 2924
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 15
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total GRE Bypassed Packets Received: 0
Process: 0
CEF: 0
GRE tunnel interface: Tunnel0
Service Identifier: 70
Protocol Version: 2.00
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets Redirected: 0
Process: 0
CEF: 0
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total GRE Bypassed Packets Received: 0
Process: 0
CEF: 0
GRE tunnel interface: Tunnel1
Using tcpdump I can see stuff whizzing up the gre0 interface towards the proxy. So the two are able to talk, for just HTTP.
I'm wondering if my IOS only supports web-cache and not full services, even though they are in the IOS?
(C800-UNIVERSALK9_NPE-M), Version 15.2(4)M4,
Any thoughts?
MarkA
01-16-2014 12:04 PM
Hi,
Take IP captures between the ASA's interface and the squid IP and check whether squid is sending any "HERE I AM" packet, because until the ASA sees that packet from squid, the ASA will not send the traffic.
- Prateek Verma
01-16-2014 06:16 PM
Hello Mark,
Well, we can see that the GRE connection between each other is being built for both service 0 and 70.
The problem is no packets are being redirected for SSL.
Quick question: you have the browser configured for implicit/transparent proxy at the moment of the issue, right?
In this configuration you define service 70 for redirection (equivalent to HTTPS), but remember that the content engine is the one that lets the router know which traffic to capture and forward using service 70.
Can you add:
ip wccp check services all
Let us know if you find something else from the Squid server
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
02-08-2014 05:24 PM
Well,
With a bit of help from the nice people at Cisco, we got there.. they did the diags and I spotted the problem.
This:
wccp2_service_info 70 protocol=
is the important bit.. re-arrange to suit your own recipe to get this...
WCCP service information definition:
Type: Dynamic
Id: 70
Priority: 240
Protocol: 6
Flags: 0x00000512
Hash: (ignored) DstIP
Alt Hash: (ignored) SrcIP SrcPort
Ports used: Destination
Ports: 443
MarkA
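To make the fix above checkable rather than trial-and-error, here is an added helper (not part of the thread or of Squid/IOS) that decodes the router's "Flags: 0x00000512" word into the hash / alt-hash / ports-used fields that "show ip wccp <id> service" prints, and builds the same word from a squid.conf flags= string so the two can be compared. It assumes the WCCP2 service-flag bit values used by Squid's wccp2.cc and that Squid sets the ports-defined bit whenever ports= is given.

```python
# WCCP2 service-info flag bits (values as defined in Squid's wccp2.cc, keyed by
# the flag names accepted in squid.conf wccp2_service_info flags=...).
FLAG_BITS = {
    "src_ip_hash":       0x001,
    "dst_ip_hash":       0x002,
    "source_port_hash":  0x004,
    "dst_port_hash":     0x008,
    "ports_defined":     0x010,  # set implicitly by Squid when ports= is given (assumption)
    "ports_source":      0x020,  # ports refer to the SOURCE port; clear = destination port
    "src_ip_alt_hash":   0x100,
    "dst_ip_alt_hash":   0x200,
    "src_port_alt_hash": 0x400,
    "dst_port_alt_hash": 0x800,
}
HASH = ("src_ip_hash", "dst_ip_hash", "source_port_hash", "dst_port_hash")
ALT_HASH = ("src_ip_alt_hash", "dst_ip_alt_hash", "src_port_alt_hash", "dst_port_alt_hash")


def decode_flags(mask: int) -> dict:
    """Render a router-reported flags word the way 'show ip wccp <id> service' does."""
    on = {name for name, bit in FLAG_BITS.items() if mask & bit}
    return {
        "hash": [n for n in HASH if n in on],
        "alt_hash": [n for n in ALT_HASH if n in on],
        "ports_defined": "ports_defined" in on,
        "ports_used": "Source" if "ports_source" in on else "Destination",
    }


def squid_flags_to_mask(flags: str, ports: str) -> int:
    """Flags word Squid advertises for 'wccp2_service_info ... flags=<flags> ports=<ports>'."""
    mask = 0
    for name in flags.split(","):
        if name.strip():
            mask |= FLAG_BITS[name.strip()]
    if ports.strip():
        mask |= FLAG_BITS["ports_defined"]
    return mask


def catches_client_https(mask: int) -> bool:
    """Client-to-server HTTPS has DESTINATION port 443, so the service only
    matches it when the port list is interpreted as destination ports."""
    return decode_flags(mask)["ports_used"] == "Destination"


# Constructed from the thread: the original squid.conf line and the final router output.
ORIGINAL_MASK = squid_flags_to_mask("src_ip_hash,ports_source", "443")
ROUTER_REPORTED = 0x00000512
```

Running catches_client_https on ORIGINAL_MASK shows why service 70 redirected nothing: ports_source made the router match source port 443, while the working definition (0x512) matches destination port 443.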