
I'm trying to configure WCCP + Squid with the following documentation: http://www.crypt.gen.nz/papers/cisco_squid_wccp.html

I have a Cisco switch, a test client, and a Squid proxy server. I think the switch is configured correctly, as I'm seeing GRE traffic coming across when I follow it with tcpdump. However, the traffic doesn't seem to make it to the Squid server. My tunnel configuration on Squid is as follows:

# cat /etc/sysconfig/network-scripts/ifcfg-tun0
DEVICE=tun0
TYPE=GRE
BOOTPROTO=none
# address this host assigns to the tunnel interface itself
MY_INNER_IPADDR=172.16.1.1
# real (outer) address of the far tunnel endpoint, i.e. the source of the GRE packets
PEER_OUTER_IPADDR=10.1.1.1
# address of the far endpoint inside the tunnel
PEER_INNER_IPADDR=172.16.1.2
NETMASK=255.255.255.252
ONBOOT=yes
IPV6INIT=no
USERCTL=no

I think the server is failing to unencapsulate the GRE packet, and I have some confusion as to how this ifcfg file should be configured. Here, I have 10.1.1.1 as the address of the switch. The two 172.x addresses are not configured explicitly anywhere else, and I'm not sure if they need to be. When I bring up tun0, I can ping 172.16.1.1, but not .2. Since this config all exists on my squid server, I'm wondering if I need to bring up an interface with .2 on it?

Another strange thing I've noticed is that Red Hat (6) will not let me name the device gre0. I'm not sure if this could have something to do with my issue?

EDIT:

Sorry for the delay; I've been banging my head on the wall for the past few days. It's a Cisco 6509. The proxy server appears to register with the switch, but is in a state of "NOT Usable". Redirection and Packet Return are shown as "L2". I've set this to both GRE and L2 in my Squid configuration, but it doesn't seem to make a difference on the switch. I've also tried both "hash" and "mask" for assignment.

Here's the relevant switch configuration:

Standard IP access list WCCP-SQUID
10 permit 10.1.1.150 (1301 matches)

Extended IP access list WCCP-REDIRECT
10 permit tcp 10.1.1.0 0.0.0.31 10.2.1.0 0.0.255.255 eq www
20 permit tcp 10.1.1.0 0.0.0.31 10.2.1.0 0.0.255.255 eq 443

ip wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-SQUID

And here's some output I'm seeing from the debug log:

BUR-PII-CORA#show ip wccp web-cache detail
WCCP Cache-Engine information:
    Web Cache ID:          10.1.1.150
    Protocol Version:      2.0
    State:                 NOT Usable
    Redirection:           L2
    Packet Return:         L2
    Packets Redirected:    0
    Connect Time:          00:00:20
    Assignment:            MASK


BUR-PII-CORA#show ip wccp
Global WCCP information:
Router information:
    Router Identifier:                   10.1.1.1
    Protocol Version:                    2.0

Service Identifier: web-cache
    Number of Cache Engines:             0
    Number of routers:                   0
    Total Packets Redirected:            0
    Redirect access-list:                WCCP-REDIRECT
    Total Packets Denied Redirect:       0
    Total Packets Unassigned:            0
    Group access-list:                   WCCP-SQUID
    Total Messages Denied to Group:      0
    Total Authentication failures:       0

From the debug log:

May  2 12:26:10.502 PDT: WCCP-EVNT:S00: Here_I_Am packet from 10.1.1.150 w/bad rcv_id 00000000
May  2 12:26:20.502 PDT: WCCP-EVNT:S00: Here_I_Am packet from 10.1.1.150 w/bad rcv_id 00000000
May  2 12:26:20.502 PDT: WCCP-PKT:S00: Sending I_See_You packet to 10.1.1.150 w/ rcv_id 00000017
May  2 12:26:25.502 PDT: WCCP-PKT:S00: Sending Removal_Query packet to 10.1.1.150w/ rcv_id 00000018
May  2 12:26:30.502 PDT: WCCP-EVNT:wccp_change_router_view: S00
May  2 12:26:30.502 PDT: WCCP-EVNT:wccp_change_router_view: deallocate rtr_view (24     bytes)
May  2 12:26:30.502 PDT: WCCP-EVNT:wccp_change_router_view: allocate hash rtr_view (1560 bytes)
May  2 12:26:30.502 PDT: WCCP-EVNT:wccp_change_router_view: rtr_view_size set to 24     bytes
May  2 12:26:30.502 PDT: WCCP-EVNT:S00: Built new router view: 0 routers, 0 usable web caches, change # 00000007
blindsnowmobile
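The step the asker suspects is failing is the decapsulation of the GRE packets the switch sends. The Python below is an added example, not code from the post or from the linked paper: it builds a WCCPv2 GRE-redirected packet the way the router would (outer IPv4 from the router identifier 10.1.1.1 to the cache 10.1.1.150, protocol 47, a GRE header with protocol type 0x883E, a 4-byte redirect header, then the client's original packet) and then decapsulates it with the same matching rule a Linux GRE tunnel applies: the outer source must equal the tunnel's remote endpoint and the outer destination its local endpoint, otherwise no tunnel claims the packet and the kernel drops it without any error. The inner addresses configured on the tunnel (the 172.16.1.x pair in the ifcfg file) play no part in that match. The client and web-server addresses, and the exact bit layout of the redirect header, are constructed for the example; the decapsulator treats the redirect header as opaque, as the kernel's ip_gre does. (The name gre0 is taken because ip_gre creates its own gre0 fallback device when the module loads.)

```python
"""Build and decapsulate a WCCPv2 GRE-redirected IPv4 packet.
Added example for illustration; not the original post's or the kernel's code."""
import struct
import ipaddress

IPPROTO_GRE = 47
ETH_P_IP = 0x0800
ETH_P_WCCP = 0x883E   # GRE protocol type carried by WCCP redirection


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when run over a header whose checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def build_tcp_syn(sport: int, dport: int) -> bytes:
    """20-byte TCP SYN header; the TCP checksum is left zero (not validated here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def wccp_gre_encapsulate(router: str, cache: str, inner: bytes,
                         service_id: int = 0, wccp: bool = True) -> bytes:
    """What the router emits for a redirected packet: outer IPv4 router->cache, proto 47,
    GRE with no flags.  With wccp=True the GRE protocol is 0x883E followed by a 4-byte
    WCCPv2 redirect header (layout assumed: service id, then zeros); with wccp=False
    it is plain GRE-over-IPv4 (protocol 0x0800, no redirect header)."""
    if wccp:
        gre = struct.pack("!HH", 0, ETH_P_WCCP) + bytes([service_id, 0, 0, 0])
    else:
        gre = struct.pack("!HH", 0, ETH_P_IP)
    return build_ipv4(router, cache, IPPROTO_GRE, gre + inner)


def wccp_gre_decapsulate(packet: bytes, local: str, remote: str) -> bytes:
    """Decapsulate like a Linux GRE tunnel configured with `local`/`remote` endpoints.
    Raises ValueError where the kernel would not deliver the packet to the tunnel."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    if packet[9] != IPPROTO_GRE:
        raise ValueError(f"outer protocol {packet[9]} is not GRE")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    # The tunnel match: outer src must be the tunnel's remote, outer dst its local.
    if src != remote or dst != local:
        raise ValueError(f"outer {src}->{dst} matches no tunnel with remote={remote} local={local}")
    gre = packet[ihl:]
    flags, gre_proto = struct.unpack("!HH", gre[:4])
    if flags != 0:
        raise ValueError("GRE checksum/key/sequence flags set; WCCP redirection uses none")
    off = 4
    if gre_proto == ETH_P_WCCP:
        # Same rule as ip_gre: a 4-byte WCCPv2 redirect header precedes the IPv4 packet
        # unless the next byte already carries an IPv4 version nibble (WCCPv1 style).
        if gre[off] >> 4 != 4:
            off += 4
    elif gre_proto != ETH_P_IP:
        raise ValueError(f"unexpected GRE protocol type {gre_proto:#06x}")
    inner = gre[off:]
    if not inner or inner[0] >> 4 != 4:
        raise ValueError("inner payload is not an IPv4 packet")
    return inner


def describe(ip_packet: bytes) -> tuple:
    """(src, dst, proto, sport, dport) of an IPv4 packet carrying TCP or UDP."""
    ihl = (ip_packet[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(ip_packet[12:16]))
    dst = str(ipaddress.IPv4Address(ip_packet[16:20]))
    sport, dport = struct.unpack("!HH", ip_packet[ihl:ihl + 4])
    return src, dst, ip_packet[9], sport, dport


if __name__ == "__main__":
    # Constructed sample: a client in 10.1.1.0/27 opening port 80 to a 10.2.x.x server,
    # which the redirect-list on the switch would send to the cache.
    client_syn = build_ipv4("10.1.1.20", "10.2.1.5", 6, build_tcp_syn(40000, 80))
    redirected = wccp_gre_encapsulate("10.1.1.1", "10.1.1.150", client_syn)
    print(describe(wccp_gre_decapsulate(redirected, local="10.1.1.150", remote="10.1.1.1")))
    try:
        wccp_gre_decapsulate(redirected, local="10.1.1.150", remote="10.1.1.2")
    except ValueError as err:
        print("dropped:", err)
```

Once the inner packet is handed to the tunnel device, Squid still only sees it if something steers it to the proxy port: the host needs a REDIRECT/DNAT rule on the tunnel interface and a matching intercept-mode http_port, and reverse-path filtering on the tunnel interface has to be relaxed because the inner source address (the client) is not reachable via that interface.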

1 Answer


Your redirection methods aren't matching, so there are no packets being redirected to Squid. You'll need to change your redirection method on the 6509 to GRE, and likewise the return method to generic GRE.

Be VERY careful with all of this, the 6500 is a complicated animal and there are a lot of pitfalls with WCCP configuration on it. Here's the bible - I'd recommend reading this through and understanding the recommended configurations - http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/white_paper_c11-629052.html

Here's some more information on the same topic: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/12-2sy/iap-cg-12-2sy-book/iap-wccp.html

I'm assuming you have a service contract with TAC - I'd really advise you to give them a ring about this; you can absolutely overload the processor of the 6509 and cause a complete network outage if you make an error with this.

Jason Seemann
  • I was continuing to have issues, so I decided to go an alternate route (putting a PAC file on the client browsers). It seems like the safer/quicker thing to do. Also, even though I wasn't able to test it, it sounds like WCCP wouldn't support proxy authentication to our LDAP server (a requirement for us), or SSL connections since the proxy is acting as a man in the middle. Thanks for the help, the documents are still useful. – blindsnowmobile May 12 '14 at 23:25
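The mismatch the answer points at can be checked mechanically: the three method fields the switch prints per cache engine (Redirection, Packet Return, Assignment) correspond to the three squid.conf directives wccp2_forwarding_method, wccp2_return_method and wccp2_assignment_method (defaults gre, gre and hash). The Python below is an added example, not code from the post or from Squid: it parses the asker's `show ip wccp web-cache detail` output as pasted above and a squid.conf fragment constructed to match what the asker describes trying (GRE forwarding and return, hash assignment), and lists every field where the switch's view and Squid's configuration disagree. The squid.conf sample and the helper names are assumptions for the example.

```python
"""Cross-check WCCP methods in squid.conf against `show ip wccp <service> detail`.
Added example; not the post's or Squid's code."""
import re

# Per-cache field in the router's detail output -> (squid.conf directive, Squid default).
FIELD_TO_DIRECTIVE = {
    "Redirection": ("wccp2_forwarding_method", "gre"),
    "Packet Return": ("wccp2_return_method", "gre"),
    "Assignment": ("wccp2_assignment_method", "hash"),
}

# Constructed squid.conf fragment reflecting the asker's description (GRE + hash).
SAMPLE_SQUID_CONF = """\
http_port 3128 intercept
wccp2_router 10.1.1.1
wccp2_service standard 0
wccp2_forwarding_method gre   # asker also tried l2
wccp2_return_method gre
wccp2_assignment_method hash  # asker also tried mask
"""

# Copied from the switch output in the post.
SAMPLE_SHOW_DETAIL = """\
BUR-PII-CORA#show ip wccp web-cache detail
WCCP Cache-Engine information:
    Web Cache ID:          10.1.1.150
    Protocol Version:      2.0
    State:                 NOT Usable
    Redirection:           L2
    Packet Return:         L2
    Packets Redirected:    0
    Connect Time:          00:00:20
    Assignment:            MASK
"""


def parse_squid_wccp(conf: str) -> dict:
    """Return {directive: value} for wccp2_* lines; '#' comments are stripped."""
    out = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("wccp2_"):
            key, _, value = line.partition(" ")
            out[key] = value.strip().lower()
    return out


def parse_show_wccp_detail(text: str) -> list:
    """Return one {field: value} dict per 'Web Cache ID:' block in the detail output."""
    caches = []
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s+(.+?)\s*$", line)
        if not m:
            continue  # prompt line, section headers, blank lines
        key, val = m.group(1), m.group(2)
        if key == "Web Cache ID":
            caches.append({key: val})
        elif caches:
            caches[-1][key] = val
    return caches


def find_mismatches(squid_conf: str, show_detail: str) -> list:
    """List (cache_id, field, router_value, squid_value) wherever the two sides disagree."""
    squid = parse_squid_wccp(squid_conf)
    problems = []
    for cache in parse_show_wccp_detail(show_detail):
        for field, (directive, default) in FIELD_TO_DIRECTIVE.items():
            router_val = cache.get(field, "").lower()
            squid_val = squid.get(directive, default)
            if router_val and router_val != squid_val:
                problems.append((cache["Web Cache ID"], field, router_val, squid_val))
    return problems


if __name__ == "__main__":
    for cache in parse_show_wccp_detail(SAMPLE_SHOW_DETAIL):
        print(cache["Web Cache ID"], "state:", cache.get("State"))
    for cache_id, field, router_val, squid_val in find_mismatches(SAMPLE_SQUID_CONF, SAMPLE_SHOW_DETAIL):
        print(f"{cache_id}: {field} is {router_val} on the switch but {squid_val} in squid.conf")
```

Run against the asker's own output this reports all three fields (L2 versus gre twice, MASK versus hash); a cache that the switch lists as "NOT Usable" with zero packets redirected is the expected result of such a disagreement, and the comparison is worth re-running after every change on either side, because the switch only re-evaluates the cache's capabilities when a new Here_I_Am arrives.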