Cisco ASA 5510 and Squid via WCCP2
25 06 2008
I had this mix working smoothly for a couple of years, but a recent migration of the proxy server to a virtualized Ubuntu server caused strange behavior: sites that use advanced web techniques (Gmail, Hotmail, etc.) started to show empty pages without leaving any trace in the log files. After some research I had to turn off TCP window scaling, which is enabled by default, and decrease the MTU to 1400. Full configuration after the break.
Linux box running Squid:
modprobe ip_gre
iptunnel add gre0 mode gre remote $ASA_IP local $LOCAL_IP dev eth0
ifconfig gre0 inet 1.2.3.4 netmask 255.255.255.0 up
ip link set eth0 mtu 1400
ip link set gre0 mtu 1400
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter
iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128
WCCP related part of squid.conf:
http_port 3128 transparent
wccp2_router ASA_IP
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
httpd_accel_no_pmtu_disc on
WCCP related part of Cisco ASA 5510 config:
wccp web-cache
wccp interface inside web-cache redirect in
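As an added pre-flight check that is not part of the original post, the script below verifies that a Squid host carries exactly the settings listed above (forwarding on, TCP window scaling off, rp_filter off on every interface in the path, MTU 1400 on eth0 and gre0, and the nat PREROUTING redirect) and reports each mismatch. The interface names, the 3128 port and the ROOT argument (which lets the check run against a constructed directory tree instead of the live /proc and /sys) are assumptions taken from the configuration above.

```shell
#!/bin/sh
# Pre-flight check for the Squid/WCCP host configuration described in the post.
# Added example, not from the original post. ROOT is normally "/"; pointing it at
# a directory that mimics /proc and /sys allows offline testing.

# read_knob ROOT RELPATH -> first line of the file, or "missing" if unreadable
read_knob() {
    if [ -r "$1/$2" ]; then head -n 1 "$1/$2"; else echo missing; fi
}

# check_wccp_host ROOT [IPTABLES_SAVE_FILE]
# Prints one line per deviation from the post's values and returns the number
# of deviations (0 = host matches the writeup).
check_wccp_host() {
    root=$1; rules=${2:-}
    bad=0
    # sysctl values the post requires. Note that rp_filter=0 switches off the
    # kernel's anti-spoofing reverse-path check; the post disables it because
    # the GRE return path is asymmetric, so the report flags any interface
    # where it is still on rather than silently accepting either state.
    for spec in \
        net/ipv4/ip_forward=1 \
        net/ipv4/tcp_window_scaling=0 \
        net/ipv4/conf/default/rp_filter=0 \
        net/ipv4/conf/all/rp_filter=0 \
        net/ipv4/conf/eth0/rp_filter=0 \
        net/ipv4/conf/lo/rp_filter=0 \
        net/ipv4/conf/gre0/rp_filter=0
    do
        path=${spec%=*}; want=${spec#*=}
        got=$(read_knob "$root" "proc/sys/$path")
        [ "$got" = "$want" ] || { echo "$path=$got (want $want)"; bad=$((bad+1)); }
    done
    # both the physical and the tunnel interface should carry the 1400-byte MTU
    for dev in eth0 gre0; do
        got=$(read_knob "$root" "sys/class/net/$dev/mtu")
        [ "$got" = 1400 ] || { echo "$dev mtu=$got (want 1400)"; bad=$((bad+1)); }
    done
    # the transparent redirect, as iptables-save prints it (--to-ports form)
    if [ -n "$rules" ]; then
        grep -qF -- '-A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128' "$rules" \
            || { echo "nat PREROUTING redirect rule for gre0 missing"; bad=$((bad+1)); }
    fi
    return "$bad"
}

# Live use: check_wccp_host / <(iptables-save)   or   iptables-save > /tmp/r; check_wccp_host / /tmp/r
```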
What about SSL 443 traffic? How do you get that to go through the GRE tunnel? Otherwise you can’t browse sites that require SSL…
We’re doing the same thing, only with a 5520 running IOS 8.0(4).
Do you have the Squid Proxy on the same subnet as the clients?
The ASA returns “no matching connection for ICMP error message: icmp src inside:proxyserver dest identity:ASA’s address on inside interface.”
I’ve been trying to get this working for days! Your writeup is the best on the net right now. You would think others would reference it more! Many google searches never paid off until I found your site! Thanks!!!
Try it with MTU 1514 only for the gre interface and leave eth at 1500. It should work and keep things in your network normal.
Example of /etc/network/interfaces for Ubuntu:
auto gre0
iface gre0 inet static
address 132.39.167.241
netmask 255.255.255.192
remote 132.39.167.254
local 132.39.167.241
mtu 1514
then use:
iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128
and save with iptables-save and you are done.
Thanks a lot for your configuration example!!
But I must be doing something wrong: on the ASA I get the same error message that Frank describes in his posting. Also, the router identifier is not correct in my configuration; the ASA is using the IP of the outside interface. The Squid proxy is in the inside network, so why does the ASA use the wrong IP?
Thanks for the how-to!!
Another question: what if I have multiple networks on my ASA and I want to manage only one proxy? Do I need to bind Squid on all interfaces?
If I do:
wccp interface inside web-cache redirect in
wccp interface inside2 web-cache redirect in
wccp interface inside3 web-cache redirect in
it doesn’t work.
Thanks
Looks like a reachability issue; check whether your Squid server is able to see packets coming to and from these interfaces over the GRE tunnels.
Hi,
How did you tell your ASA which proxy server to use for WCCP? I only see two WCCP-related commands, and neither has any IP/object in it for the proxy server.
Did I miss something?
thx
It works the other way around: Squid registers itself with the ASA, and the ASA is just told to use it whenever it’s available (when Squid is down, traffic goes directly).