Squid returning destination unreachable back to router

akshaycjoshi
Level 1

I am desperately trying to use Squid (3.3.3) with WCCP2 (Cisco 2921). Although it's not working right now, I think I am really close.

Router has 3 interfaces and the config is this:

!
ip wccp web-cache password 7 01100F175804
!
interface GigabitEthernet0/0
 ip address 187.72.34.82 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 172.16.1.1 255.255.255.0
 ip wccp web-cache redirect in
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip nat inside source list NATTABLE_HOSTS interface GigabitEthernet0/0 od
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
ip access-list standard NATTABLE_HOSTS
 permit 192.168.0.0 0.0.255.255
 permit 172.16.0.0 0.0.255.255
 permit 10.0.0.0 0.255.255.255

Squid is compiled with the following options:

configure options: '--prefix=/usr' '--includedir=/usr/include'
'--datadir=/usr/share' '--bindir=/usr/sbin'
'--libexecdir=/usr/lib/squid' '--localstatedir=/var'
'--sysconfdir=/etc/squid3' '--enable-delay-pools' '--enable-ssl-crtd'
'--enable-linux-netfilter' '--enable-eui' '--enable-snmp'
'--enable-gnuregex' '--enable-icmp' '--with-logdir=/var/log/squid/'
'--enable-referer-log' '--enable-cache-digests' '--enable-wccp'
'--enable-wccpv2' '--enable-ssl' --enable-ltdl-convenience

squid.conf:

http_port 192.168.1.2:3129 intercept
http_port 192.168.1.2:3128
wccp2_router 192.168.1.1
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=cisco

Cache.log is also without any errors.

On Ubuntu 12.04 I have set the following rules (based on http://wiki.squid-cache.org/Features/Wccp2):

modprobe ip_gre
ip tunnel add wccp0 mode gre remote 187.72.34.82 local 192.168.1.2 dev eth0
ifconfig wccp0 192.168.1.2 netmask 255.255.255.255 up
# write the value to the sysctl file (a bare "0>" would redirect stdin instead of writing "0")
echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -t nat -A POSTROUTING -j MASQUERADE

With all this set up, the client browser keeps loading and loading and finally says the server is taking too long to respond, etc.

On the Squid machine, via Wireshark, I can see that a lot of "destination unreachable" messages are sent from Squid to the router when I visit some website in the browser:

From: 192.168.1.2 to 192.168.1.1 [port unreachable]

When I manually set the proxy IP in the browser it works (websites open fine). I could also see HereIAm and ISeeYou messages flowing fine.

Please guide me on where I am missing something. Let me know if more details are required.

1 Reply

Kyle McKay
Level 1

Your WCCP packets are being sourced from the 172.16.1.1 interface and your proxy configuration is referencing the WCCP router 192.168.1.1 IP address. I believe this is what is causing your issues with connectivity between proxy and router. The router is sending the packets to the proxy with a source IP address of 172.16.1.1 and the proxy is expecting to receive the packets with a source address of 192.168.1.1.

You can change the WCCP source IP address with the following command:

ip wccp source-address 192.168.1.1

This will cause the WCCP redirection packets to be sourced from the 192.168.1.1 interface which should allow your configuration to begin working correctly.

HTH.

Kyle
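As an added example (my code, not from the thread or from Squid/Cisco), a small Python consistency check over the three pieces that have to agree in this setup: the router's WCCP source interface, squid.conf's wccp2_router, and the GRE tunnel's remote address. It reproduces the source-address mismatch Kyle describes and, on the assumption that the tunnel remote should point at the same router address as wccp2_router, reports that as well; the config strings are constructed from the post and trimmed to the relevant lines, and parse_router/check_wccp are hypothetical helper names.

```python
import re

# Constructed from the posted router config, squid.conf and tunnel command,
# trimmed to the WCCP-relevant lines (assumption: nothing else affects the check).
ROUTER_CFG = """\
ip wccp web-cache password 7 01100F175804
interface GigabitEthernet0/0
 ip address 187.72.34.82 255.255.255.248
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/2
 ip address 172.16.1.1 255.255.255.0
 ip wccp web-cache redirect in
"""
SQUID_CONF = "wccp2_router 192.168.1.1\nwccp2_forwarding_method gre\n"
TUNNEL_CMD = "ip tunnel add wccp0 mode gre remote 187.72.34.82 local 192.168.1.2 dev eth0"

def parse_router(cfg):
    """Map interface -> IP, list interfaces carrying 'ip wccp ... redirect',
    and pick up an explicit 'ip wccp source-address' if one is configured."""
    ifaces, redirect, source, cur = {}, [], None, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split()[1]
        elif line.startswith("ip address ") and cur:
            ifaces[cur] = line.split()[2]
        elif line.startswith("ip wccp source-address "):
            source = line.split()[-1]
        elif line.startswith("ip wccp ") and "redirect" in line and cur:
            redirect.append(cur)
    return ifaces, redirect, source

def check_wccp(router_cfg, squid_conf, tunnel_cmd):
    """Return a list of mismatch findings; an empty list means all three agree."""
    ifaces, redirect, source = parse_router(router_cfg)
    m = re.search(r"^wccp2_router\s+(\S+)", squid_conf, re.M)
    squid_router = m.group(1) if m else None
    remote = re.search(r"\bremote\s+(\S+)", tunnel_cmd).group(1)
    # Without an explicit source-address the router sources WCCP from the redirect interface.
    sources = [source] if source else [ifaces[i] for i in redirect if i in ifaces]
    findings = []
    if squid_router not in sources:
        findings.append(f"wccp2_router {squid_router} != router WCCP source {', '.join(sources)}; "
                        f"fix with 'ip wccp source-address {squid_router}'")
    if remote != squid_router:
        findings.append(f"GRE tunnel remote {remote} != wccp2_router {squid_router}")
    return findings

if __name__ == "__main__":
    for finding in check_wccp(ROUTER_CFG, SQUID_CONF, TUNNEL_CMD):
        print("MISMATCH:", finding)
```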