11-24-2017 05:16 AM - edited 03-08-2019 12:52 PM
Hello!
I have been trying to set up a web proxy (squid) with an ASR 1000 using GRE Redirect/Return. The problem I am facing is that it seems that the ASR is not redirecting anything to the proxy cache server. Here is the snippet of the relevant config (when I do the same on a 7301 it works fine), is there anything I have missed?
Global config:
no ip wccp variable-timers
ip wccp check services all
ip wccp source-interface Port-channel1.589
ip wccp web-cache redirect-list 120 group-list 10
Interface connected to the proxy cache server (squid) - cache server IP is on 10.5.89.11
interface Port-channel1.589
encapsulation dot1Q 589
ip address 10.5.89.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
end
LAN interface:
interface Port-channel1.598
encapsulation dot1Q 598
ip address 100.65.0.1 255.255.0.0
ip nat inside
ip wccp web-cache redirect in
end
ACLs:
=> I don't see any matches for the ACL 120 :-((((
Standard IP access list 10
10 permit 10.5.89.11 (17113 matches)
Extended IP access list 120
10 permit tcp any any eq www
The proxy cache register :
#sh ip wccp web-cache detail
WCCP Client information:
WCCP Client ID: 10.5.89.11
Protocol Version: 2.00
State: Usable
Redirection: GRE
Packet Return: GRE
Assignment: HASH
Connect Time: 00:39:46
Redirected Packets:
Process: 0
CEF: 0
GRE Bypassed Packets:
Process: 0
CEF: 0
Hash Allotment: 256 of 256 (100.00%)
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
#sh ip wccp web-cache
Global WCCP information:
Router information:
Router Identifier: 10.5.89.1
Configured source-interface: Port-channel1.589
Service Identifier: web-cache
Protocol Version: 2.00
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets Redirected: 0
Process: 0
CEF: 0
Platform: 0
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect access-list: 120
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: 10
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total GRE Bypassed Packets Received: 0
Process: 0
CEF: 0
Platform: 0
GRE tunnel interface: Tunnel0
Any idea where/what I could be looking at?
Regards
12-08-2017 08:01 AM - edited 12-08-2017 08:04 AM
Hello,
Just in case some people come across the same problem.
I fixed the problem by using l2-redirect instead of using GRE redirect/return. Using GRE wasn't working and on top of that the CPU usage went through the roof! The config on the ASR is unchanged. When possible, using l2-redirect is much better anyway as it is processed by the hardware and not the software (when using GRE it is handled by the software).
guycht01#sh ip wccp web-cache detail
WCCP Client information:
WCCP Client ID: 10.5.89.11
Protocol Version: 2.00
State: Usable
Redirection: L2
Packet Return: L2
Assignment: HASH
Connect Time: 03:19:18
Redirected Packets:
Process: 0
CEF: 0
Platform: 15660019
GRE Bypassed Packets:
Process: 0
CEF: 0
Here is the relevant config I did on squid:
wccp2_router 10.5.89.1
wccp_version 4
wccp2_forwarding_method l2
wccp2_return_method l2
wccp2_service standard 0
And the iptables rule:
iptables -t nat -A PREROUTING -i INTERFACE-CONNECTED-toASR -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.5.89.11:3128
This is a very useful link regarding SQUID and WCCP
https://wiki.squid-cache.org/Features/Wccp2
My set up works for HTTP with Squid Cache: Version 3.5.23 and ASR 1002 IOS 15.5(3)S2
Best regards
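Added example, not part of the posts in this thread: a small Python check that parses `show ip wccp web-cache detail` output and separates the symptom seen here (client registered as Usable while every redirect counter stays at 0) from a working state. The two sample outputs are constructed and abbreviated from the ones quoted above; the function names and status strings are hypothetical.

```python
import re

# Constructed samples, abbreviated from the two outputs quoted in this thread.
GRE_OUTPUT = """WCCP Client ID: 10.5.89.11
State: Usable
Redirection: GRE
Redirected Packets:
Process: 0
CEF: 0
GRE Bypassed Packets:
Process: 0
"""
L2_OUTPUT = GRE_OUTPUT.replace("Redirection: GRE", "Redirection: L2").replace(
    "CEF: 0\n", "CEF: 0\nPlatform: 15660019\n")

def parse_wccp_detail(text):
    """Return one dict per WCCP client: its fields plus redirect counters."""
    clients, cur, section = [], None, None
    for raw in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*?)\s*$", raw)
        if not m:
            continue                      # prompt lines, hash continuation lines
        key, val = m.group(1).strip(), m.group(2)
        if key == "WCCP Client ID":
            cur, section = {"id": val, "redirected": {}}, None
            clients.append(cur)
        elif cur is None:
            continue                      # text before the first client block
        elif not val:
            section = key                 # header such as "Redirected Packets:"
        elif section == "Redirected Packets" and val.isdigit():
            cur["redirected"][key] = int(val)
        elif section is None:
            cur[key] = val                # State, Redirection, Packet Return, ...
    return clients

def diagnose(client):
    """Classify a client as not-usable, registered-no-redirect or redirecting."""
    if client.get("State") != "Usable":
        return "not-usable"
    total = sum(client["redirected"].values())
    return "redirecting" if total else "registered-no-redirect"

if __name__ == "__main__":
    for name, out in (("GRE", GRE_OUTPUT), ("L2", L2_OUTPUT)):
        for c in parse_wccp_detail(out):
            print(name, c["id"], c.get("Redirection"), c["redirected"], diagnose(c))
```
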
11-24-2017 11:31 AM
Hello,
which IOS version are you running on your ASR ?
11-27-2017 05:41 AM
Hi Georg,
We are using Version 15.5(3)S2
Best regards
11-24-2017 02:29 PM
Hello
Have you tried applying it to redirect egress and just with the web proxy address?
ip wccp web-cache
interface port 589
ip wccp web-cache redirect out
access-list 10 permit 10.5.89.11
ip wccp web-cache group-list 10
res
Paul
11-27-2017 05:39 AM
Hello Paul,
Thanks for your suggestion.
I have tried what you suggested but still nothing going to the proxy :-( Just to make sure I understood correctly here is the config I did:
#sh run | i wccp
no ip wccp variable-timers
ip wccp check services all
ip wccp source-interface Port-channel1.589
ip wccp web-cache group-list 10
interface Port-channel1.598
encapsulation dot1Q 598
ip address 100.65.0.1 255.255.0.0
ip nat inside
ip wccp web-cache redirect in
end
interface Port-channel1.589
encapsulation dot1Q 589
ip address 10.5.89.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip wccp web-cache redirect out
end