11-24-2017 05:16 AM - edited 03-08-2019 12:52 PM
Hello!
I have been trying to set up a web proxy (squid) with an ASR 1000 using GRE Redirect/Return. The problem I am facing is that it seems that the ASR is not redirecting anything to the proxy cache server. Here is the snippet of the relevant config (when I do the same on a 7301 it works fine), is there anything I have missed?
Global config:
no ip wccp variable-timers
ip wccp check services all
ip wccp source-interface Port-channel1.589
ip wccp web-cache redirect-list 120 group-list 10
Interface connected to the proxy cache server (squid) - cache server IP is on 10.5.89.11
interface Port-channel1.589
encapsulation dot1Q 589
ip address 10.5.89.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
end
LAN interface:
interface Port-channel1.598
encapsulation dot1Q 598
ip address 100.65.0.1 255.255.0.0
ip nat inside
ip wccp web-cache redirect in
end
ACLs:
=> I don't see any matches for the ACL 120 :-((((
Standard IP access list 10
    10 permit 10.5.89.11 (17113 matches)
Extended IP access list 120
    10 permit tcp any any eq www
The proxy cache registers:
#sh ip wccp web-cache detail
WCCP Client information:
    WCCP Client ID: 10.5.89.11
    Protocol Version: 2.00
    State: Usable
    Redirection: GRE
    Packet Return: GRE
    Assignment: HASH
    Connect Time: 00:39:46
    Redirected Packets:
      Process: 0
      CEF: 0
    GRE Bypassed Packets:
      Process: 0
      CEF: 0
    Hash Allotment: 256 of 256 (100.00%)
    Initial Hash Info: 00000000000000000000000000000000
                       00000000000000000000000000000000
    Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

#sh ip wccp web-cache
Global WCCP information:
    Router information:
        Router Identifier: 10.5.89.1
        Configured source-interface: Port-channel1.589
    Service Identifier: web-cache
        Protocol Version: 2.00
        Number of Service Group Clients: 1
        Number of Service Group Routers: 1
        Total Packets Redirected: 0
          Process: 0
          CEF: 0
          Platform: 0
        Service mode: Open
        Service Access-list: -none-
        Total Packets Dropped Closed: 0
        Redirect access-list: 120
        Total Packets Denied Redirect: 0
        Total Packets Unassigned: 0
        Group access-list: 10
        Total Messages Denied to Group: 0
        Total Authentication failures: 0
        Total GRE Bypassed Packets Received: 0
          Process: 0
          CEF: 0
          Platform: 0
        GRE tunnel interface: Tunnel0
Any idea where/what I could be looking at?
Regards
12-08-2017 08:01 AM - edited 12-08-2017 08:04 AM
Hello,
Just in case some people come across the same problem.
I fixed the problem by using l2-redirect instead of using GRE redirect/return. Using GRE wasn't working and on top of that the CPU usage went through the roof! The config on the ASR is unchanged. When possible, using l2-redirect is much better anyway as it is processed by the hardware and not the software (when using GRE it is handled by the software).
guycht01#sh ip wccp web-cache detail
WCCP Client information:
    WCCP Client ID: 10.5.89.11
    Protocol Version: 2.00
    State: Usable
    Redirection: L2
    Packet Return: L2
    Assignment: HASH
    Connect Time: 03:19:18
    Redirected Packets:
      Process: 0
      CEF: 0
      Platform: 15660019
    GRE Bypassed Packets:
      Process: 0
      CEF: 0
Here is the relevant config I did on squid:
wccp2_router 10.5.89.1
wccp_version 4
wccp2_forwarding_method l2
wccp2_return_method l2
wccp2_service standard 0
And the iptables rule:
iptables -t nat -A PREROUTING -i INTERFACE-CONNECTED-toASR -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.5.89.11:3128
This is a very useful link regarding SQUID and WCCP
https://wiki.squid-cache.org/Features/Wccp2
My setup works for HTTP with Squid Cache: Version 3.5.23 and ASR 1002 IOS 15.5(3)S2
Best regards
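
A way to check for the symptom in this thread (a cache that is registered and Usable while every Redirected Packets counter stays at 0), as an added example that is not part of any post: a Python parser for `show ip wccp web-cache detail` text with one field per line. The sample text is constructed from the outputs quoted above, and the function names and result labels are assumptions.

```python
import re

# Constructed samples, one field per line, abridged from the two states in the thread.
GRE_OUTPUT = """WCCP Client ID: 10.5.89.11
State: Usable
Redirection: GRE
Redirected Packets:
  Process: 0
  CEF: 0
GRE Bypassed Packets:
  Process: 0
  CEF: 0
"""
L2_OUTPUT = """WCCP Client ID: 10.5.89.11
State: Usable
Redirection: L2
Redirected Packets:
  Process: 0
  CEF: 0
  Platform: 15660019
"""

def parse_clients(text):
    """Return one dict per WCCP client from 'show ip wccp <service> detail' text."""
    clients, cur, section = [], None, None
    for key, val in re.findall(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", text, re.M):
        key, val = key.strip(), val.strip()
        if key == "WCCP Client ID":
            cur, section = {"id": val, "redirected": {}}, None
            clients.append(cur)
        elif cur is None:
            continue  # header lines before the first client entry
        elif not val:
            section = key  # e.g. "Redirected Packets:" opens a counter group
        elif key in ("Process", "CEF", "Platform"):
            if section == "Redirected Packets":  # bypass counters are not counted
                cur["redirected"][key] = int(val)
        else:
            cur[key], section = val, None
    return clients

def diagnose(client):
    """Usable with every redirect counter at 0 is the symptom from the thread."""
    if client.get("State") != "Usable":
        return "not-usable"
    total = sum(client["redirected"].values())
    return "redirecting" if total else "usable-but-nothing-redirected"
```
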
11-24-2017 11:31 AM
Hello,
which IOS version are you running on your ASR ?
11-27-2017 05:41 AM
Hi Georg,
We are using Version 15.5(3)S2
Best regards
11-24-2017 02:29 PM
Hello
Have you tried applying it to redirect egress and just with the web proxy address?
ip wccp web-cache
interface port 589
ip wccp web-cache redirect out
access-list 10 permit 10.5.89.11
ip wccp web-cache group-list 10
res
Paul
11-27-2017 05:39 AM
Hello Paul,
Thanks for your suggestion.
I have tried what you suggested but still nothing going to the proxy :-( Just to make sure I understood correctly here is the config I did:
#sh run | i wccp
no ip wccp variable-timers
ip wccp check services all
ip wccp source-interface Port-channel1.589
ip wccp web-cache group-list 10
interface Port-channel1.598
encapsulation dot1Q 598
ip address 100.65.0.1 255.255.0.0
ip nat inside
ip wccp web-cache redirect in
end
interface Port-channel1.589
encapsulation dot1Q 589
ip address 10.5.89.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip wccp web-cache redirect out
end