RE: [squid-users] WCCP mask bits

2011-07-04 Thread Shoebottom, Bryan
No problem, I know you guys are busy and appreciate the time and effort the 
team(s) put into this project.

It sounds like this isn't a simple switch outside of the configuration file.  
Should I be making a feature request or will this thread suffice?  If the 
latter, how often should I bump this thread to keep the task alive?


--
Thanks,

Bryan Shoebottom
Network & Systems Specialist
Network Services & Computer Operations Fanshawe College
Phone:  (519) 452-4430 x4904
Fax:  (519) 453-3231
bshoebot...@fanshawec.ca


-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: July-04-11 7:43 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] WCCP mask bits

On 18/06/11 06:08, Shoebottom, Bryan wrote:
> Amos,
>
> Any luck with coding the bit mask?  Is there anything else you need from me?
>
>
> No pressure, this e-mail is mainly to keep this thread on track as you 
> mentioned previously.
>
>


Sorry, I got into it then found an exceptionally complicated section of code 
depending on the number of bits. Then got sidetracked with releases :(

Amos
--
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.14
   Beta testers wanted for 3.2.0.9


RE: [squid-users] WCCP mask bits

2011-06-17 Thread Shoebottom, Bryan
Amos,

Any luck with coding the bit mask?  Is there anything else you need from me?


No pressure, this e-mail is mainly to keep this thread on track as you 
mentioned previously.


--
Thanks,

Bryan Shoebottom
Network & Systems Specialist
Network Services & Computer Operations Fanshawe College
Phone:  (519) 452-4430 x4904
Fax:  (519) 453-3231
bshoebot...@fanshawec.ca


-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: June-17-11 11:29 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] WCCP mask bits

On 17/06/11 18:30, Jack Falworth wrote:
> Hi,
>
> I recently ran into a similar problem when using WCCPv2 in L2 mode and 
> mask assignment. I configured Squid with two dynamic services like 
> described in 
> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#TProxy_Interception.
>
> The problem now is that if Squid is reconfigured during setting 
> changes, some of the negotiation messages between Squid and router get 
> lost. So after reconfiguration service 80 for traffic from clients to 
> squid still works whereas in many cases service 90 for traffic from 
> squid to the Internet got lost. This is especially bad since the 
> router then still thinks that the proxy is alive and thus it continues 
> sending traffic to it. But the responses are unfortunately not routed 
> back to Squid causing a total service disruption.

This is a completely different issue.
WCCP requires the router to drop the state if HEREIAM/ISEEYOU does not succeed. 
Squid has a small pause on reconfigure, which can delay the HEREIAM too long. 
Nasty effects, but WCCP state is active again within 10sec of the reconfigure 
completing.

>
> In order to get it working again, WCCP has to be switched off and 
> after some seconds switched on again.

NP: 15 seconds? (the 10sec HEREIAM interval, plus some wiggle room for the 
router to kill its state)

> This problem does not occur in Hash mode, but unfortunately in Hash 
> mode much processing has to be done in software whereas in mask mode 
> nearly anything can be done in hardware which is crucial when trying 
> to create a high-performance setup.
>
> I'm currently using the latest Squid 2.7 version (because of missing 
> COSS/Rockstore support in the 3.x series) but I already had a look on 
> the WCCPv2 source in 3.1 and 3.2. It seems that there haven't been 
> major changes, thus I assume that this problem will also exist there. 
> The only patch related was some cleanup and rework of structures 
> (http://www.squid-cache.org/Versions/v3/3.1/changesets/b9492.patch), 
> but I don't think that this changed anything in this context.
>
> Can anybody help or did encounter the same problem?

You are the first to mention that type of behaviour here.

I think you may benefit from Squid sending a packet to the router detaching 
itself fully before a reconfigure. Then re-attaching afterwards. If you can 
assist by figuring out the packet content needed for the detach it would help.


The behaviour the rest of this thread is about is Squid being hard-coded with a 
7-bit mask. You can set the flags to shift it around the fields, but it's still 
the same pattern and size.

Amos
--
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.8 and 3.1.12.2


Re: [squid-users] WCCP mask bits

2011-06-13 Thread Shoebottom, Bryan
Amos,

Sorry I didn't get your response to my inbox so I'm hoping my reply works 
properly.

Here's my version/build:
Squid Cache: Version 3.1.12
configure options:  '--enable-async-io' '--enable-storeio=ufs,aufs,diskd' 
'--enable-linux-netfilter' '--enable-default-err-language=English' 
'--enable-wccpv2' '--with-filedescriptors=32768' 
'--enable-removal-policies=heap' '--enable-snmp' '--disable-ipv6' 
--with-squid=/root/squid-3.1.12 --enable-ltdl-convenience


--
Thanks,

Bryan Shoebottom
Network & Systems Specialist
Network Services & Computer Operations Fanshawe College
Phone:  (519) 452-4430 x4904
Fax:  (519) 453-3231
bshoebot...@fanshawec.ca



[squid-users] WCCP mask bits

2011-06-07 Thread Shoebottom, Bryan
Guys,

I have a pair of proxies in L2 mode and have been advised by Cisco to reduce 
the bit mask for WCCP due to some TCAM issues I have been running into.  I have 
searched around, and can't seem to find a way to do this.  Here's some info 
from Cisco's WAAS product to help explain this a little better:

http://docwiki.cisco.com/wiki/Cisco_WAAS_Troubleshooting_Guide_for_Release_4.1.3_and_Later_--_Troubleshooting_WCCP

"Use the smallest number of mask bits possible when using WCCP redirect ACL. A 
smaller number of mask bits when used in conjunction with Redirect ACL results 
in lower TCAM utilization. If there are 1-2 WCCP clients in a cluster, use one 
bit. If there are 3-4 WCCP clients, use 2 bits. If there are 5-8 WCCP clients, 
then use 3 bits and so on."

"The TCAM resources consumed by a WCCP redirect access-list is a product of the 
content of that ACL multiplied against the configured WCCP bit mask. Therefore, 
there is contention between the number of WCCP buckets (which are created based 
on the mask) and the number of entries in the redirect ACL. For example, a mask 
of 0xF (4 bits) and a 200 line redirect permit ACL may result in 3200 (2^4 x 
200) TCAM entries. Reducing the mask to 0x7 (3 bits) reduces the TCAM usage by 
50% (2^3 x 200 = 1600)."



I do have a redirect list and try to keep it as small as possible.  Here is 
what my bucket distribution looks like with 1 server attached (64 buckets):

Switch#sho ip wcc we d
WCCP Client information:
    WCCP Client ID:  192.168.1.1
    Protocol Version:    2.0
    State:   Usable
    Redirection: L2
    Packet Return:   L2
    Packets Redirected:    27
    Connect Time:  00:28:54
    Assignment:    MASK

    Mask  SrcAddr    DstAddr    SrcPort DstPort
      ---    ---    --- ---
    : 0x 0x1741 0x  0x

    Value SrcAddr    DstAddr    SrcPort DstPort CE-IP
    - ---    ---    --- --- -
    : 0x 0x 0x  0x  0xC0A80101 (192.168.1.1)
    0001: 0x 0x0001 0x  0x  0xC0A80101 (192.168.1.1)
    0002: 0x 0x0040 0x  0x  0xC0A80101 (192.168.1.1)
    0003: 0x 0x0041 0x  0x  0xC0A80101 (192.168.1.1)
    0004: 0x 0x0100 0x  0x  0xC0A80101 (192.168.1.1)
    0005: 0x 0x0101 0x  0x  0xC0A80101 (192.168.1.1)
    0006: 0x 0x0140 0x  0x  0xC0A80101 (192.168.1.1)
    0007: 0x 0x0141 0x  0x  0xC0A80101 (192.168.1.1)
    0008: 0x 0x0200 0x  0x  0xC0A80101 (192.168.1.1)
    0009: 0x 0x0201 0x  0x  0xC0A80101 (192.168.1.1)
    0010: 0x 0x0240 0x  0x  0xC0A80101 (192.168.1.1)
    0011: 0x 0x0241 0x  0x  0xC0A80101 (192.168.1.1)
    0012: 0x 0x0300 0x  0x  0xC0A80101 (192.168.1.1)
    0013: 0x 0x0301 0x  0x  0xC0A80101 (192.168.1.1)
    0014: 0x 0x0340 0x  0x  0xC0A80101 (192.168.1.1)
    0015: 0x 0x0341 0x  0x  0xC0A80101 (192.168.1.1)
    0016: 0x 0x0400 0x  0x  0xC0A80101 (192.168.1.1)
    0017: 0x 0x0401 0x  0x  0xC0A80101 (192.168.1.1)
    0018: 0x 0x0440 0x  0x  0xC0A80101 (192.168.1.1)
    0019: 0x 0x0441 0x  0x  0xC0A80101 (192.168.1.1)
    0020: 0x 0x0500 0x  0x  0xC0A80101 (192.168.1.1)
    0021: 0x 0x0501 0x  0x  0xC0A80101 (192.168.1.1)
    0022: 0x 0x0540 0x  0x  0xC0A80101 (192.168.1.1)
    0023: 0x 0x0541 0x  0x  0xC0A80101 (192.168.1.1)
    0024: 0x 0x0600 0x  0x  0xC0A80101 (192.168.1.1)
    0025: 0x 0x0601 0x  0x  0xC0A80101 (192.168.1.1)
    0026: 0x 0x0640 0x  0x  0xC0A80101 (192.168.1.1)
    0027: 0x 0x0641 0x  0x  0xC0A80101 (192.168.1.1)
    0028: 0x 0x0700 0x  0x  0xC0A80101 (192.168.1.1)
    0029: 0x 0x0701 0x  0x  0xC0A80101 (192.168.1.1)
    0030: 0x 0x0740 0x  0x  0xC0A80101 (192.168.1.1)
    0031: 0x 0x0741 0x  0x  0xC0A80101 (192.168.1.1)
    0032: 0x 0x1000 0x  0x  0xC0A80101 (192.168.
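
Added example, not part of the original post and not Squid or IOS code: a Python sketch of the arithmetic behind the quoted Cisco text and the switch output above. It enumerates the bucket values a mask produces and estimates TCAM usage before and after shrinking the mask. Function names are illustrative, and the 200-line ACL is an assumed figure borrowed from the Cisco example because the post does not give the real ACL length.

```python
# Added example: WCCPv2 mask assignment arithmetic. Function names are
# illustrative; nothing here is Squid or IOS code.

def mask_bits(mask):
    """Count the bits set in a WCCP mask; the switch builds 2**bits buckets."""
    return bin(mask).count("1")


def bucket_values(mask):
    """Every value the masked field can take, in bucket-index order.

    Bit i of the bucket index is placed at the i-th lowest set bit of the
    mask, which reproduces the Value column of the switch output.
    """
    positions = [p for p in range(mask.bit_length()) if (mask >> p) & 1]
    values = []
    for index in range(1 << len(positions)):
        value = 0
        for i, pos in enumerate(positions):
            if (index >> i) & 1:
                value |= 1 << pos
        values.append(value)
    return values


def tcam_entries(mask, acl_lines):
    """Estimate from the quoted Cisco text: 2**mask_bits x redirect ACL lines."""
    return (1 << mask_bits(mask)) * acl_lines


def min_bits_for_clients(clients):
    """Smallest mask width for a cluster: 1-2 clients -> 1 bit, 3-4 -> 2, 5-8 -> 3."""
    if clients < 1:
        raise ValueError("need at least one WCCP client")
    return max(1, (clients - 1).bit_length())


def compare(mask, clients, acl_lines):
    """Current TCAM estimate versus the estimate at the smallest usable mask."""
    wanted = min_bits_for_clients(clients)
    return {
        "bits_now": mask_bits(mask),
        "buckets_now": 1 << mask_bits(mask),
        "tcam_now": tcam_entries(mask, acl_lines),
        "bits_needed": wanted,
        "tcam_needed": (1 << wanted) * acl_lines,
    }


if __name__ == "__main__":
    DST_MASK = 0x1741   # DstAddr mask as it appears in the switch output above
    ACL_LINES = 200     # assumed; the post does not give the ACL length
    for index, value in enumerate(bucket_values(DST_MASK)[:8]):
        print("%04d: 0x%04X" % (index, value))
    print(compare(DST_MASK, clients=2, acl_lines=ACL_LINES))
```

With the mask shown in the post (six bits set, 64 buckets) and a pair of proxies, the same ACL costs 32 times more TCAM entries than it would with a one-bit mask.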

RE: [squid-users] client identifier in squid logs

2010-09-27 Thread Shoebottom, Bryan
Thanks for the confirmation Henrik.


--
Thanks,

Bryan Shoebottom
Network & Systems Specialist
Network Services & Computer Operations
Fanshawe College
Phone:  (519) 452-4430 x4904
Fax:  (519) 453-3231
bshoebot...@fanshawec.ca


-Original Message-
From: Henrik Nordström [mailto:hen...@henriknordstrom.net] 
Sent: Thursday, September 23, 2010 4:20 AM
To: Shoebottom, Bryan
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] client identifier in squid logs

ons 2010-09-22 klockan 09:03 -0400 skrev Shoebottom, Bryan:

> I have an interception proxy configuration using WCCP and a Cisco
> router.  PAT/NAT happens on a device before the proxy, so my logs show
> only the public IPs.

That's because your firewall throws away the source IP without recording
it anywhere outside of the firewall logs..

> Without changing the placement of the proxy or moving away from
> the interception configuration, am I able to get the internal IP of the
> clients added to my logs?

No. You need to change how traffic gets directed to the proxy so that
the traffic is NOT NAT:ed.

Regards
Henrik



[squid-users] client identifier in squid logs

2010-09-22 Thread Shoebottom, Bryan
Hello,

I have an interception proxy configuration using WCCP and a Cisco
router.  PAT/NAT happens on a device before the proxy, so my logs show
only the public IPs.

*Inet*
  |
Router---Proxy
  |
Firewall (PAT/NAT)
  |
*internal private network*


I checked the HTTP header, but can't find any host identifier info
there.  Without changing the placement of the proxy or moving away from
the interception configuration, am I able to get the internal IP of the
clients added to my logs?


I know this is a far stretch, but I'm hopeful someone else is in this
predicament and has come up with a solution/workaround.



--
Thanks,

Bryan Shoebottom
Network & Systems Specialist
Network Services & Computer Operations
Fanshawe College
Phone:  (519) 452-4430 x4904
Fax:  (519) 453-3231
bshoebot...@fanshawec.ca




RE: [squid-users] www.cmhc.ca site doesn't load

2008-02-20 Thread Shoebottom, Bryan
Adrian,

Thank you for the suggestions, the problem is with timestamping and
window scaling.  When I disable both of these, the site works.  Now I am
debating whether I should do this or have this single site bypass the
cache entirely.
Disabling timestamping looks like it's no big deal, but disabling window
scaling looks like it stops TCP negotiation of window sizes larger than
64K.  I am looking at this as a big negative, but would appreciate your
thoughts as you are more experienced with caching technology.


--
Thanks,

Bryan Shoebottom CCNA
Network & Systems Analyst
Network Services & Computer Operations
Fanshawe College
Phone:  (519) 452-4430 x4904
Fax:  (519) 453-3231
[EMAIL PROTECTED]


-Original Message-
From: Adrian Chadd [mailto:[EMAIL PROTECTED] 
Sent: Saturday, February 16, 2008 8:13 AM
To: Shoebottom, Bryan
Cc: Adrian Chadd; squid-users@squid-cache.org
Subject: Re: [squid-users] www.cmhc.ca site doesn't load

On Sat, Feb 16, 2008, Shoebottom, Bryan wrote:
> I thought of this because I've had this problem in the past with sites
> like hotmail.  But when I configure the browser for the cache server
> itself and bypass WCCP, I have the same problem.  I was hoping the
> community would be able to tell me if they have any difficulties with
> this site.  Then I could begin to compare configurations.

Various people have issues with these sorts of things. Generally it's
because of stuff like ECN, PMTU discovery, Window Scaling/Timestamping, etc.



Adrian

> 
> 
> --
> Thanks,
> 
> Bryan Shoebottom CCNA
> Network & Systems Analyst
> Network Services & Computer Operations
> Fanshawe College
> Phone:  (519) 452-4430 x4904
> Fax:  (519) 453-3231
> [EMAIL PROTECTED]
> 
> 
> -Original Message-
> From: Adrian Chadd [mailto:[EMAIL PROTECTED] 
> Sent: Friday, February 15, 2008 6:17 PM
> To: Shoebottom, Bryan
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] www.cmhc.ca site doesn't load
> 
> Start by using a packet sniffer and see if you can determine why the
> TCP sessions are hanging.
> 
> It may be WCCPv2 interception. It depends on how you've set it up to the
> Cat6k.
> 
> 
> 
> Adrian
> 
> On Fri, Feb 15, 2008, Shoebottom, Bryan wrote:
> > Hello,
> > 
> > I am having problems getting to www.cmhc.ca through our cache servers.
> > We have a 2.6S4 and a 3.0S1 server running transparently with WCCPv2 and
> > Cisco cat6k equipment.  I have tried to get to the site through the
> > transparent configuration, and with each cache configured in my browser,
> > but the site takes a long time to come up (over 10min, I haven't stayed
> > around to watch) if it ever completes in any situation.  If I bypass the
> > caches completely, I can bring up the site with no problems.
> > There are no errors in cache.log and access.log only shows an entry when
> > something finally loads in the browser (i.e. when the icon shows up
> > after 5min, I see the request for favicon.ico).  Since the site doesn't
> > load when the browser is configured for a cache, WCCP shouldn't be the
> > issue.
> > 
> > Can anyone replicate this or have a solution?  If you need any more
> > info, please let me know.
> > 
> > 
> > --
> > Thanks,
> > 
> > Bryan Shoebottom CCNA
> > Network & Systems Analyst
> > Network Services & Computer Operations
> > Fanshawe College
> > Phone:  (519) 452-4430 x4904
> > Fax:  (519) 453-3231
> > [EMAIL PROTECTED]
> > 
> 
> -- 
> - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
> - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid
Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -


RE: [squid-users] www.cmhc.ca site doesn't load

2008-02-16 Thread Shoebottom, Bryan
Adrian, thanks for your response, what do you suggest my best course of
action is?  The website works through all of our equipment, but not
directly through the cache or transparently through it.


--
Thanks,

Bryan Shoebottom CCNA
Network & Systems Analyst
Network Services & Computer Operations
Fanshawe College
Phone:  (519) 452-4430 x4904
Fax:  (519) 453-3231
[EMAIL PROTECTED]


-Original Message-
From: Adrian Chadd [mailto:[EMAIL PROTECTED] 
Sent: Saturday, February 16, 2008 8:13 AM
To: Shoebottom, Bryan
Cc: Adrian Chadd; squid-users@squid-cache.org
Subject: Re: [squid-users] www.cmhc.ca site doesn't load

On Sat, Feb 16, 2008, Shoebottom, Bryan wrote:
> I thought of this because I've had this problem in the past with sites
> like hotmail.  But when I configure the browser for the cache server
> itself and bypass WCCP, I have the same problem.  I was hoping the
> community would be able to tell me if they have any difficulties with
> this site.  Then I could begin to compare configurations.

Various people have issues with these sorts of things. Generally it's
because of stuff like ECN, PMTU discovery, Window Scaling/Timestamping, etc.



Adrian

> 
> 
> --
> Thanks,
> 
> Bryan Shoebottom CCNA
> Network & Systems Analyst
> Network Services & Computer Operations
> Fanshawe College
> Phone:  (519) 452-4430 x4904
> Fax:  (519) 453-3231
> [EMAIL PROTECTED]
> 
> 
> -Original Message-
> From: Adrian Chadd [mailto:[EMAIL PROTECTED] 
> Sent: Friday, February 15, 2008 6:17 PM
> To: Shoebottom, Bryan
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] www.cmhc.ca site doesn't load
> 
> Start by using a packet sniffer and see if you can determine why the
> TCP sessions are hanging.
> 
> It may be WCCPv2 interception. It depends on how you've set it up to the
> Cat6k.
> 
> 
> 
> Adrian
> 
> On Fri, Feb 15, 2008, Shoebottom, Bryan wrote:
> > Hello,
> > 
> > I am having problems getting to www.cmhc.ca through our cache servers.
> > We have a 2.6S4 and a 3.0S1 server running transparently with WCCPv2 and
> > Cisco cat6k equipment.  I have tried to get to the site through the
> > transparent configuration, and with each cache configured in my browser,
> > but the site takes a long time to come up (over 10min, I haven't stayed
> > around to watch) if it ever completes in any situation.  If I bypass the
> > caches completely, I can bring up the site with no problems.
> > There are no errors in cache.log and access.log only shows an entry when
> > something finally loads in the browser (i.e. when the icon shows up
> > after 5min, I see the request for favicon.ico).  Since the site doesn't
> > load when the browser is configured for a cache, WCCP shouldn't be the
> > issue.
> > 
> > Can anyone replicate this or have a solution?  If you need any more
> > info, please let me know.
> > 
> > 
> > --
> > Thanks,
> > 
> > Bryan Shoebottom CCNA
> > Network & Systems Analyst
> > Network Services & Computer Operations
> > Fanshawe College
> > Phone:  (519) 452-4430 x4904
> > Fax:  (519) 453-3231
> > [EMAIL PROTECTED]
> > 
> 
> -- 
> - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
> - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid
Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -


RE: [squid-users] www.cmhc.ca site doesn't load

2008-02-16 Thread Shoebottom, Bryan
I thought of this because I've had this problem in the past with sites
like hotmail.  But when I configure the browser for the cache server
itself and bypass WCCP, I have the same problem.  I was hoping the
community would be able to tell me if they have any difficulties with
this site.  Then I could begin to compare configurations.


--
Thanks,

Bryan Shoebottom CCNA
Network & Systems Analyst
Network Services & Computer Operations
Fanshawe College
Phone:  (519) 452-4430 x4904
Fax:  (519) 453-3231
[EMAIL PROTECTED]


-Original Message-
From: Adrian Chadd [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 15, 2008 6:17 PM
To: Shoebottom, Bryan
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] www.cmhc.ca site doesn't load

Start by using a packet sniffer and see if you can determine why the
TCP sessions are hanging.

It may be WCCPv2 interception. It depends on how you've set it up to the
Cat6k.



Adrian

On Fri, Feb 15, 2008, Shoebottom, Bryan wrote:
> Hello,
> 
> I am having problems getting to www.cmhc.ca through our cache servers.
> We have a 2.6S4 and a 3.0S1 server running transparently with WCCPv2 and
> Cisco cat6k equipment.  I have tried to get to the site through the
> transparent configuration, and with each cache configured in my browser,
> but the site takes a long time to come up (over 10min, I haven't stayed
> around to watch) if it ever completes in any situation.  If I bypass the
> caches completely, I can bring up the site with no problems.
> There are no errors in cache.log and access.log only shows an entry when
> something finally loads in the browser (i.e. when the icon shows up
> after 5min, I see the request for favicon.ico).  Since the site doesn't
> load when the browser is configured for a cache, WCCP shouldn't be the
> issue.
> 
> Can anyone replicate this or have a solution?  If you need any more
> info, please let me know.
> 
> 
> --
> Thanks,
> 
> Bryan Shoebottom CCNA
> Network & Systems Analyst
> Network Services & Computer Operations
> Fanshawe College
> Phone:  (519) 452-4430 x4904
> Fax:  (519) 453-3231
> [EMAIL PROTECTED]
> 

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid
Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -


[squid-users] www.cmhc.ca site doesn't load

2008-02-15 Thread Shoebottom, Bryan
Hello,

I am having problems getting to www.cmhc.ca through our cache servers.
We have a 2.6S4 and a 3.0S1 server running transparently with WCCPv2 and
Cisco cat6k equipment.  I have tried to get to the site through the
transparent configuration, and with each cache configured in my browser,
but the site takes a long time to come up (over 10min, I haven't stayed
around to watch) if it ever completes in any situation.  If I bypass the
caches completely, I can bring up the site with no problems.
There are no errors in cache.log and access.log only shows an entry when
something finally loads in the browser (i.e. when the icon shows up
after 5min, I see the request for favicon.ico).  Since the site doesn't
load when the browser is configured for a cache, WCCP shouldn't be the
issue.

Can anyone replicate this or have a solution?  If you need any more
info, please let me know.


--
Thanks,

Bryan Shoebottom CCNA
Network & Systems Analyst
Network Services & Computer Operations
Fanshawe College
Phone:  (519) 452-4430 x4904
Fax:  (519) 453-3231
[EMAIL PROTECTED]




RE: [squid-users] un-accessible site with version 2.6S3

2007-01-09 Thread Shoebottom, Bryan
Henrik,

I did change it from 2 to 0 but still no luck.  Is there anything else
it could be that you have seen in the past?


Thanks,
 Bryan
 

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: January 9, 2007 12:02 PM
To: Shoebottom, Bryan
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] un-accessible site with version 2.6S3

tis 2007-01-09 klockan 08:24 -0500 skrev Shoebottom, Bryan:

> I tried this but it didn't work:
> echo 0 > /proc/sys/net/ipv4/tcp_ecn

Also try the tcp windows thing.. but my testing indicated the site fails
on ECN if I remember correctly.

Regards
Henrik


RE: [squid-users] un-accessible site with version 2.6S3

2007-01-09 Thread Shoebottom, Bryan
Henrik,

I tried this but it didn't work:
echo 0 > /proc/sys/net/ipv4/tcp_ecn

I'm guessing I don't need to restart squid for this to take effect.  Is there 
anything else I can try?

Thanks,
 Bryan
 

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: January 8, 2007 10:36 AM
To: Shoebottom, Bryan
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] un-accessible site with version 2.6S3

mån 2007-01-08 klockan 08:25 -0500 skrev Shoebottom, Bryan:
> Hello,
> 
> I am having difficulty connecting to the site www.nap.edu.  Our cache server 
> is setup with wccp but I even tried configuring it in the browser proxy 
> settings and still cannot connect to the site.
> When I try to get to it I simply get a "waiting for www.nap.edu" in the 
> status bar.  There are no entries in the access.log either.  It's almost as 
> if squid can't interpret the webserver or maybe doesn't support it.  Can 
> anyone shed any light on this issue? 

Broken site with a malfunctioning firewall.

Squid FAQ "Can't connect to some sites through Squid" (Linux)
http://wiki.squid-cache.org/SquidFaq/SystemWeirdnesses#head-699d810035c099c8b4bff21e12bb365438a21027

Regards
Henrik


[squid-users] un-accessible site with version 2.6S3

2007-01-08 Thread Shoebottom, Bryan
Hello,

I am having difficulty connecting to the site www.nap.edu.  Our cache server is 
setup with wccp but I even tried configuring it in the browser proxy settings 
and still cannot connect to the site.
When I try to get to it I simply get a "waiting for www.nap.edu" in the status 
bar.  There are no entries in the access.log either.  It's almost as if squid 
can't interpret the webserver or maybe doesn't support it.  Can anyone shed any 
light on this issue? 

Thanks,
 Bryan


[squid-users] COSS partition: permission denied

2006-10-18 Thread Shoebottom, Bryan
Hello,

I am trying COSS partitions (not files) in squid version 2.6S4 and can't get 
squid started.  Squid has been compiled with:
Squid Cache: Version 2.6.STABLE4
configure options: '--enable-async-io' '--enable-storeio=ufs,coss,diskd' 
'--enable-linux-netfilter' '--enable-default-err-language=English' 
'--enable-snmp' '--with-large-files' '--enable-wccpv2' '--disable-poll' 
'--disable-select' '--enable-epoll' '--with-maxfd=16384' 
'--enable-removal-policies=heap' '--enable-coss-aio-ops'

I then created the partitions using fdisk making them 65536MB and I ran dd 
against them:
dd if=/dev/zero bs=1048576 count=65536 of=/dev/cciss/c0d2p1
dd if=/dev/zero bs=1048576 count=65536 of=/dev/cciss/c0d2p2

In squid.conf I have these related directives:
cache_dir coss /dev/cciss/c0d2p1 65536 block-size=8192 max-size=131072
cache_dir coss /dev/cciss/c0d2p2 65536 block-size=8192 max-size=524288 
max-stripe-waste=32768
cache_dir diskd /cache1 227328 16 256 Q1=71 Q2=64
cache_swap_log /usr/local/squid/var/%s


When I start squid, this is printed to the screen:
2006/10/18 12:36:28| COSS: max disk fileno is 8388608
2006/10/18 12:36:28| COSS: number of stripes: 65536 of 1048576 bytes each
2006/10/18 12:36:28| COSS: number of memory-only stripes 10 of 1048576 bytes each
2006/10/18 12:36:28| COSS: max disk fileno is 8388608
2006/10/18 12:36:28| COSS: number of stripes: 65536 of 1048576 bytes each
2006/10/18 12:36:28| COSS: number of memory-only stripes 10 of 1048576 bytes each

And this is in the cache.log before it terminates:
2006/10/18 12:36:41| /dev/cciss/c0d2p1: (13) Permission denied
FATAL: storeCossDirInit: Failed to open a COSS file.
Squid Cache (Version 2.6.STABLE4): Terminated abnormally.

The permission denied is obvious, but even if I try and run squid as root with 
no cache_effective_user set, I get the same result.  Should these partitions be 
mounted?  If so can someone provide an /etc/fstab line example?  I thought a 
COSS partition would be faster than a file, am I wrong?  Should I just use a 
file?
I'm also wondering if this configuration of COSS is optimal.  I also have 
another drive with diskd configured after these to handle the bigger files.  
Suggestions are welcome

Thanks,
 Bryan




RE: [squid-users] 2.6S1 WCCP2 problems

2006-07-14 Thread Shoebottom, Bryan
Does anyone have this problem on 2.6S1???
With debug on on the router I get this error:
Here_I_Am packet from 10.10.101.3 w/bad rcv_id 


Any help would be appreciated.

Thanks,
 Bryan
 

-Original Message-
From: Shoebottom, Bryan [mailto:[EMAIL PROTECTED] 
Sent: July 13, 2006 1:18 PM
To: squid-users@squid-cache.org
Subject: [squid-users] 2.6S1 WCCP2 problems

Hey,

I can't seem to get wccpv2 working in squid 2.6Stable1.  My wccp config is as 
follows:
wccp2_router 10.10.101.1
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0

My router only seems to see L2 redirection even though I have specified 
GRE/WCCP:
ROUTER#sho ip wcc we d  
 
WCCP Cache-Engine information:  
Web Cache ID:  10.10.101.3  
Protocol Version:  2.0  
State: NOT Usable   
Redirection:   L2   
Packet Return: L2   
Packets Redirected:0
Connect Time:  00:00:29 
Assignment:MASK 


ROUTER# 
 


After 30 seconds, the connect time for the cache restarts.  I am running a 
2.6.17 kernel which supports WCCP in the GRE module and have this loaded as 
gre0.



Has anyone else gotten this to work under the new 2.6 release yet?  Anyone have 
any suggestions?

Thanks,
 Bryan




[squid-users] 2.6S1 WCCP2 problems

2006-07-13 Thread Shoebottom, Bryan
Hey,

I can't seem to get wccpv2 working in squid 2.6Stable1.  My wccp config is as 
follows:
wccp2_router 10.10.101.1
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0

My router only seems to see L2 redirection even though I have specified 
GRE/WCCP:
ROUTER#sho ip wcc we d  
 
WCCP Cache-Engine information:  
Web Cache ID:  10.10.101.3  
Protocol Version:  2.0  
State: NOT Usable   
Redirection:   L2   
Packet Return: L2   
Packets Redirected:0
Connect Time:  00:00:29 
Assignment:MASK 


ROUTER# 
 


After 30 seconds, the connect time for the cache restarts.  I am running a 
2.6.17 kernel which supports WCCP in the GRE module and have this loaded as 
gre0.



Has anyone else gotten this to work under the new 2.6 release yet?  Anyone have 
any suggestions?

Thanks,
 Bryan




[squid-users] ACL wildcards?

2006-07-11 Thread Shoebottom, Bryan
Hello,

Is it possible to use wildcards in an ACL?  For example, currently I do this:
acl restricted dstdomain .domain1.tld
acl restricted dstdomain .domain2.tld
acl restricted dstdomain .domain3.tld
acl restricted dstdomain .domain4.tld

Can I do this?
acl restricted dstdomain .domain?.tld

Thanks,
 Bryan




RE: [squid-users] I have Squid 2.5 stable 14 running on a Linux box using theWCCPv1. This setup seems to be having tr

2006-06-13 Thread Shoebottom, Bryan
I ended up moving to WCCPv2 and a 2.6.9 or later kernel to resolve this
issue.  There are some posts on changing the MTU of the GRE/ethX
interface but this never worked for me.

Thanks,
 Bryan
 

-Original Message-
From: Keith Owen [mailto:[EMAIL PROTECTED] 
Sent: June 13, 2006 12:42 PM
To: squid-users@squid-cache.org
Subject: [squid-users] I have Squid 2.5 stable 14 running on a Linux box
using theWCCPv1. This setup seems to be having tr

I have Squid 2.5 stable 14 running on a Linux box using the WCCPv1. This
setup seems to be having troubles with e-mail website (ex mail.yahoo.com
& hotmail.com) What happens is when the user name and password are
entered and the login button is pressed, it will timeout on a blank
page. If anyone can offer suggestions that would be appreciated.




RE: [squid-users] squid+WCCPv2+GRE

2006-06-09 Thread Shoebottom, Bryan
Try using an address that is not in the 127.x.x.x network for your GRE
interface.  I believe they get lost between lo0 and gre0 as they are
both on the same subnet.  I don't know for sure, but changing the
address made a difference for me.  Make sure you pick an address that is
not used in your network at all. 

Thanks,
 Bryan
 
 

-Original Message-
From: Dean Albano [mailto:[EMAIL PROTECTED] 
Sent: June 9, 2006 2:25 PM
To: Shoebottom, Bryan
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] squid+WCCPv2+GRE

Ok.  It took us a bit, but we are now running kernel 2.6.9-34.0.1.EL.   
We seem to be having the same problem in that the GRE header is not  
getting stripped off (squid is not getting the packets).

My gre tunnel is:
[EMAIL PROTECTED] squid]# iptunnel
sit0: ipv6/ip  remote any  local any  ttl 64  nopmtudisc
gre0: gre/ip  remote any  local any  ttl inherit  nopmtudisc
gre1: gre/ip  remote 10.2.0.1  local 10.2.0.10  dev eth0  ttl inherit

During a trace, I see the packets being sent from the loopback  
address of the router, but the proxy is not replying.

Also, my gre interface shows:
[EMAIL PROTECTED] squid]# ifconfig gre1
gre1  Link encap:UNSPEC  HWaddr 0A-02-00-0A-00-00-00-00-00-00-00-00-00-00-00-00
   inet addr:127.0.0.2  P-t-P:127.0.0.2  Mask:255.255.255.255
   UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
   RX packets:0 errors:0 dropped:0 overruns:0 frame:0
   TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
   collisions:0 txqueuelen:0
   RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

No packets to or from the gre interface.

Any ideas?

Thanks


Dean J. Albano
Network Integration Consultant
[EMAIL PROTECTED]
264 W. 40th Street 16th Fl.
New York, NY 10018

tel: 646-217-0598
fax: 212 937-5237



On Jun 2, 2006, at 1:33 PM, Shoebottom, Bryan wrote:

I had a lot of problems trying to use a 2.4 kernel, try a 2.6.9 or
higher.

Thanks,
  Bryan


-Original Message-
From: Dean Albano [mailto:[EMAIL PROTECTED]
Sent: June 2, 2006 12:27 PM
To: Shoebottom, Bryan
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] squid+WCCPv2+GRE

Sorry, I should have stated that.  We are using kernel 2.4.21-37.EL.
The ip_gre module is loaded.

Dean J. Albano
Network Integration Consultant
[EMAIL PROTECTED]
264 W. 40th Street 16th Fl.
New York, NY 10018

tel: 646-217-0598
fax: 212 937-5237



On Jun 2, 2006, at 12:24 PM, Shoebottom, Bryan wrote:

Do you have the ip_gre module loaded?  Are you using a 2.6.9 or newer
kernel?

Thanks,
   Bryan


-Original Message-
From: Dean Albano [mailto:[EMAIL PROTECTED]
Sent: June 2, 2006 12:14 PM
To: squid-users@squid-cache.org
Subject: [squid-users] squid+WCCPv2+GRE

We are using squid (Version 2.5.STABLE14+module1.0) with WCCP v2
compiled in to transparently redirect http.  The problem seems to be
that the GRE headers are not being removed.  The access log does not
show incoming requests.  The tcpdump trace shows that the GRE packets
are being sent to the cache server, but no packets are flowing from
the server.

Any ideas as to what we are doing wrong?

Dean J. Albano
Network Integration Consultant
[EMAIL PROTECTED]








RE: [squid-users] Squid in gigabit speed continuing...

2006-06-09 Thread Shoebottom, Bryan
RAID is more useful for high availability and is almost always slower
writing as it has to calculate parity, write to multiple drives, etc.  I
would suggest a mirror for your system drive and a JBOD configuration
for your cache drive(s).  As for drive make and models, my only
recommendation is to get the fastest disks and subsystem possible: SCSI
320 with 15k drives.  As for an amount of storage, you need to estimate
how much http traffic your network would do in a week.
Another piece you have not mentioned is memory, check the FAQ
specifically http://www.squid-cache.org/Doc/FAQ/FAQ.html#toc8.11
This will help you with how much memory you need.

Thanks,
 Bryan
 

-Original Message-
From: Pasi Pekka Leinonen [mailto:[EMAIL PROTECTED] 
Sent: June 9, 2006 1:01 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Squid in gigabit speed continuing...


Very big thanks to all who replied to my earlier message!

If I understand right, RAID is bad on access time and if I want a fast 
proxy I should buy e.g. WD Raptor 1rpm. 

How does RAID slow down the disks' speed if I have e.g. 4 pcs WD 
Raptor 1rpm 74Gb on hardware or software RAID? Or is it really 
better to have 4 pcs WD Raptor 1rpm without RAID? Or is the gain 
from RAID so little it's not worth it?

What would be the best amount of storage to cache a 300 user network?

Which is most important when not using RAID: the amount of disk space 
or the amount of disks?



RE: [squid-users] squid+WCCPv2+GRE

2006-06-03 Thread Shoebottom, Bryan
Please be aware of the security implications of using the ip_wccp
module.  Because you can only use one or the other (gre or wccp module)
you will not be able to use GRE and will accept wccp packets from any
host.
I also had intermittent problems with this setup, large POSTs (attaching
a file to hotmail, etc.) wouldn't go through.  Changing to a 2.6.9+
kernel and using the wccpv2 patch solved my problems and I've been
running with this configuration for approx 2 months now with no
problems.

Thanks,
 Bryan
 

-Original Message-
From: Awie [mailto:[EMAIL PROTECTED] 
Sent: June 3, 2006 4:56 AM
To: Shoebottom, Bryan; Dean Albano
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] squid+WCCPv2+GRE

If you do not need WCCP v2 features, try WCCP v1, for which you can use
the ip_wccp module. I've used v1 for 5 years now with very satisfactory
results.

Thx & Rgds,

Awie


- Original Message - 
From: "Shoebottom, Bryan" <[EMAIL PROTECTED]>
To: "Dean Albano" <[EMAIL PROTECTED]>
Cc: 
Sent: Saturday, June 03, 2006 01:33
Subject: RE: [squid-users] squid+WCCPv2+GRE


> I had a lot of problems trying to use a 2.4 kernel, try a 2.6.9 or
> higher.
>
> Thanks,
>  Bryan
>
>
> -Original Message-
> From: Dean Albano [mailto:[EMAIL PROTECTED]
> Sent: June 2, 2006 12:27 PM
> To: Shoebottom, Bryan
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] squid+WCCPv2+GRE
>
> Sorry, I should have stated that.  We are using kernel 2.4.21-37.EL.
> The ip_gre module is loaded.
>
> Dean J. Albano
> Network Integration Consultant
> [EMAIL PROTECTED]
> 264 W. 40th Street 16th Fl.
> New York, NY 10018
>
> tel: 646-217-0598
> fax: 212 937-5237
>
>
>
> On Jun 2, 2006, at 12:24 PM, Shoebottom, Bryan wrote:
>
> Do you have the ip_gre module loaded?  Are you using a 2.6.9 or newer
> kernel?
>
> Thanks,
>   Bryan
>
>
> -Original Message-
> From: Dean Albano [mailto:[EMAIL PROTECTED]
> Sent: June 2, 2006 12:14 PM
> To: squid-users@squid-cache.org
> Subject: [squid-users] squid+WCCPv2+GRE
>
> We are using squid (Version 2.5.STABLE14+module1.0) with WCCP v2
> compiled in to transparently redirect http.  The problem seems to be
> that the GRE headers are not being removed.  The access log does not
> show incoming requests.  The tcpdump trace shows that the GRE packets
> are being sent to the cache server, but no packets are flowing from
> the server.
>
> Any ideas as to what we are doing wrong?
>
> Dean J. Albano
> Network Integration Consultant
> [EMAIL PROTECTED]
>
>
>
>
>
>
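
Bryan's 2006-06-03 warning above is that a cache relying on the ip_wccp module accepts WCCP packets from any host. As an added example (not code from this thread, Squid or the kernel modules), the check below parses the outer IPv4 and GRE headers, recognises the WCCP protocol type 0x883E, and accepts the packet only when its outer source is a listed router. The router address 10.2.0.1 is the tunnel remote from the iptunnel output in this thread; the function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

IPPROTO_GRE = 47
GRE_PROTO_WCCP = 0x883E   # GRE protocol type carried by WCCP-redirected packets

# Assumption: the one router permitted to redirect traffic to this cache.
ALLOWED_ROUTERS = frozenset({ipaddress.IPv4Address("10.2.0.1")})


class Verdict:
    ACCEPT = "accept"
    MALFORMED = "drop: malformed"
    NOT_GRE = "drop: not GRE"
    NOT_WCCP = "drop: GRE but not WCCP"
    UNTRUSTED = "drop: WCCP from unlisted source"


def classify(packet, allowed=ALLOWED_ROUTERS, wccp_v2=True):
    """Return (verdict, inner_packet) for one raw IPv4 packet seen by the cache."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return Verdict.MALFORMED, b""
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 4:
        return Verdict.MALFORMED, b""
    if packet[9] != IPPROTO_GRE:
        return Verdict.NOT_GRE, b""
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if proto != GRE_PROTO_WCCP:
        return Verdict.NOT_WCCP, b""
    # Check the outer source before parsing anything else the sender controls.
    if ipaddress.IPv4Address(packet[12:16]) not in allowed:
        return Verdict.UNTRUSTED, b""
    if flags & 0x4000:                      # RFC 1701 source routing: not expected here
        return Verdict.MALFORMED, b""
    offset = ihl + 4
    for bit in (0x8000, 0x2000, 0x1000):    # checksum, key, sequence: 4 bytes each
        if flags & bit:
            offset += 4
    if wccp_v2:
        offset += 4                         # WCCPv2 redirect header precedes the inner packet
    inner = packet[offset:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return Verdict.MALFORMED, b""
    return Verdict.ACCEPT, inner


def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (checksum left at 0; constructed test data)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def wccp_gre(outer_src, outer_dst, inner, wccp_v2=True):
    """Wrap an inner packet the way a WCCP router would (constructed test data)."""
    gre = struct.pack("!HH", 0, GRE_PROTO_WCCP)
    redirect = b"\x00\x00\x00\x00" if wccp_v2 else b""
    return ipv4(outer_src, outer_dst, IPPROTO_GRE, gre + redirect + inner)


# Constructed samples: a client packet to port 80, wrapped by the listed router,
# by an unlisted host, and in ordinary (non-WCCP) GRE.
INNER = ipv4("10.7.40.50", "192.0.2.80", 6, b"\x00" * 20)
FROM_ROUTER = wccp_gre("10.2.0.1", "10.2.0.10", INNER)
FROM_UNLISTED = wccp_gre("10.2.0.99", "10.2.0.10", INNER)
PLAIN_GRE = ipv4("10.2.0.1", "10.2.0.10", IPPROTO_GRE,
                 struct.pack("!HH", 0, 0x0800) + INNER)

if __name__ == "__main__":
    for label, pkt in [("router", FROM_ROUTER), ("unlisted", FROM_UNLISTED),
                       ("plain GRE", PLAIN_GRE), ("no tunnel", INNER)]:
        print(label, "->", classify(pkt)[0])
```

Source addresses in an outer IP header can be forged, so a filter like this is only as strong as the anti-spoofing controls on the segment between router and cache.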




RE: [squid-users] squid+WCCPv2+GRE

2006-06-02 Thread Shoebottom, Bryan
I had a lot of problems trying to use a 2.4 kernel, try a 2.6.9 or
higher.

Thanks,
 Bryan
 

-Original Message-
From: Dean Albano [mailto:[EMAIL PROTECTED] 
Sent: June 2, 2006 12:27 PM
To: Shoebottom, Bryan
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] squid+WCCPv2+GRE

Sorry, I should have stated that.  We are using kernel 2.4.21-37.EL.   
The ip_gre module is loaded.

Dean J. Albano
Network Integration Consultant
[EMAIL PROTECTED]
264 W. 40th Street 16th Fl.
New York, NY 10018

tel: 646-217-0598
fax: 212 937-5237



On Jun 2, 2006, at 12:24 PM, Shoebottom, Bryan wrote:

Do you have the ip_gre module loaded?  Are you using a 2.6.9 or newer
kernel?

Thanks,
  Bryan


-Original Message-
From: Dean Albano [mailto:[EMAIL PROTECTED]
Sent: June 2, 2006 12:14 PM
To: squid-users@squid-cache.org
Subject: [squid-users] squid+WCCPv2+GRE

We are using squid (Version 2.5.STABLE14+module1.0) with WCCP v2
compiled in to transparently redirect http.  The problem seems to be
that the GRE headers are not being removed.  The access log does not
show incoming requests.  The tcpdump trace shows that the GRE packets
are being sent to the cache server, but no packets are flowing from
the server.

Any ideas as to what we are doing wrong?

Dean J. Albano
Network Integration Consultant
[EMAIL PROTECTED]







RE: [squid-users] squid+WCCPv2+GRE

2006-06-02 Thread Shoebottom, Bryan
Do you have the ip_gre module loaded?  Are you using a 2.6.9 or newer
kernel?

Thanks,
 Bryan
 

-Original Message-
From: Dean Albano [mailto:[EMAIL PROTECTED] 
Sent: June 2, 2006 12:14 PM
To: squid-users@squid-cache.org
Subject: [squid-users] squid+WCCPv2+GRE

We are using squid (Version 2.5.STABLE14+module1.0) with WCCP v2  
compiled in to transparently redirect http.  The problem seems to be  
that the GRE headers are not being removed.  The access log does not  
show incoming requests.  The tcpdump trace shows that the GRE packets  
are being sent to the cache server, but no packets are flowing from  
the server.

Any ideas as to what we are doing wrong?

Dean J. Albano
Network Integration Consultant
[EMAIL PROTECTED]






[squid-users] RE: SARG

2006-06-01 Thread Shoebottom, Bryan
I can't imagine it would make as much of a difference as you're
insinuating.  I wonder if it's your name resolution that's slowing
things down.  In the report (topsites for example) do you see names or
IPs?  If you see IPs, try changing your OS configured nameserver.

Thanks,
 Bryan
 

-Original Message-
From: nima sadeghian [mailto:[EMAIL PROTECTED] 
Sent: June 1, 2006 1:02 AM
To: Shoebottom, Bryan
Cc: Jason Gauthier; squid-users@squid-cache.org
Subject: Re: SARG

The CPU is 3.0 and free hard space is about 100GB. Very strange. I
used it in GNOME. Could the graphical interface affect the proficiency?
thnx
nima

On 5/31/06, Shoebottom, Bryan <[EMAIL PROTECTED]> wrote:
> I agree, with ~5000 users we process a 1.5GB file nightly and it only
> takes about 30 minutes.  The system is a dual 3.6GHz.
>
> Thanks,
>  Bryan
>
>
> -Original Message-
> From: Jason Gauthier [mailto:[EMAIL PROTECTED]
> Sent: May 31, 2006 9:12 AM
> To: squid-users@squid-cache.org
> Subject: RE: [squid-users] SARG
>
> > Hi friends
> > my SARG is too slow. I run squid for 400 users here, and a
> > log file about 200MB. After one night SARG is running and
> > does not want to give me a report. Is this ok?
> > How can I make it quicker?
>
> After 1 month my access.log is 1G in size. It only takes a little while.
> This may be disk or CPU based issues.  But I would check with the SARG
> lists/maintainers.
>


-- 
Best Regards
NIMA SADEGHIAN


RE: [squid-users] SARG

2006-05-31 Thread Shoebottom, Bryan
I agree, with ~5000 users we process a 1.5GB file nightly and it only
takes about 30 minutes.  The system is a dual 3.6GHz.

Thanks,
 Bryan
 

-Original Message-
From: Jason Gauthier [mailto:[EMAIL PROTECTED] 
Sent: May 31, 2006 9:12 AM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] SARG

> Hi friends
> my SARG is too slow. I run squid for 400 users here, and a 
> log file about 200MB. After one night SARG is running and 
> does not want to give me a report. Is this ok?
> How can I make it quicker?

After 1 month my access.log is 1G in size. It only takes a little while.
This may be disk or CPU based issues.  But I would check with the SARG
lists/maintainers.


RE: [squid-users] RE: current concurrent connections

2006-05-30 Thread Shoebottom, Bryan
Lokesh,

You can browse the mib located in share/mib.txt under your squid root or
wherever you installed "share" to.  I graph requests (not connections)
and hits:
1.3.6.1.4.1.3495.1.3.2.1.1
1.3.6.1.4.1.3495.1.3.2.1.2

Hope this helps!

Thanks,
 Bryan
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] 
Sent: May 30, 2006 4:23 AM
To: squid-users@squid-cache.org
Subject: [squid-users] RE: current concurrent connections

Hi

Does anyone know how to do it?

Thanks - Lokesh

-Original Message-
From: Lokesh Khanna 
Sent: Monday, May 29, 2006 10:04 AM
To: squid-users@squid-cache.org
Subject: current concurrent connections

Hi

I want to Plot Total current concurrent connections in squid using MRTG.
How can I do this? Which OID do I need to poll?

Thanks - Lokesh 


RE: [squid-users] Showing squid version

2006-05-23 Thread Shoebottom, Bryan
Although it is a tedious process, you can add the version info to all
the actual error pages in a comment and squid will not insert it by
default.

Add this:


Thanks,
 Bryan
 
-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: May 19, 2006 7:13 PM
To: Aguiar Magalhaes
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Showing squid version

On Fri 2006-05-19 at 10:47 +, Aguiar Magalhaes wrote:

> Where can i disable the message showing the squid
> version at the bottom of the error pages, denied pages
> and others ?

You can in the upcoming Squid-2.6 release, and in Squid-3.

Regards
Henrik


[squid-users] WCCPv2 - no load balancing

2006-03-28 Thread Shoebottom, Bryan
Hello,

I am using the WCCPv2 patch as it has resolved a couple issues with the 
standard WCCPv1 code built-in to squid.  The newest problem is that WCCP no 
longer load balances my cache servers.  As you can see below, the router picks 
one cache server and assigns it 100% of the hash/buckets.  In the past with two 
cache servers, they would each receive 50% dispersing the load.  Any 
suggestions?

Router#sho ip wccp web-cache detail
WCCP Cache-Engine information:  
Web Cache ID:  x.x.x.2  
Protocol Version:  2.0  
State: Usable   
Redirection:   GRE  
Packet Return: GRE  
Assignment:HASH 
Initial Hash Info:  
    
Assigned Hash Info: 
    
Hash Allotment:0 (0.00%)
Packets Redirected:4494 
Connect Time:  00:02:28 
   
Web Cache ID:  x.x.x.3 
Protocol Version:  2.0  
State: Usable   
Redirection:   GRE  
Packet Return: GRE  
Assignment:HASH 
Initial Hash Info:  
    
Assigned Hash Info: 
    
Hash Allotment:256 (100.00%)
Packets Redirected:212616   
Connect Time:  00:03:00 

Thanks,
 Bryan




RE: [squid-users] Hotmail login issue

2006-03-26 Thread Shoebottom, Bryan
Henrik,

After a week of testing, it appears that applying the wccpv2 patch has
solved the problem.  In squid 3, will this version of wccp be included?

Thanks,
 Bryan
 
-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: March 16, 2006 5:53 PM
To: Shoebottom, Bryan
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Hotmail login issue

On Thu 2006-03-16 at 14:46 -0500, Shoebottom, Bryan wrote:
> Henrik,
> 
> I'm trying with the wccpv2 patch and notice that when I logout, MSN says
> it could not log me out.  I got this error before with squid enabled and
> believe it is related to the sign-in process that I'm having problems.
> As I always get this error, I was able to get tcpdump info for it
> (Client IP 10.7.40.50):

No obvious errors that I could see in this data..

Regards
Henrik


RE: [squid-users] squid + wccp tuning

2006-03-21 Thread Shoebottom, Bryan
Daniel,

I get a couple unsupported methods and Invalid Requests, but in the last
12 hours only 40-50 of each.  Currently we are doing 30-60 requests per
second with 1500-2000 unique clients, so I don't see a big concern.
I've also heard that WCCP varies greatly between different IOS versions,
maybe try changing that.  Also make sure your router does support
wccpv2.
As for squid.conf, use wccp2_router instead of wccp_router, nothing else
changed in my config.

Thanks,
 Bryan
 

-Original Message-
From: Daniel EPEE LEA [mailto:[EMAIL PROTECTED] 
Sent: March 21, 2006 9:07 AM
To: Shoebottom, Bryan
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] squid + wccp tuning

Bryan,

Thanks a lot for the hint. I appreciate that.

I wanted to  know if you experienced the same problems in your
cache.log file, out of the "hotmail issue".

Once that patch is applied, is there any  change to squid.conf ?

Much regards,

Daniel

On 3/21/06, Shoebottom, Bryan <[EMAIL PROTECTED]> wrote:
> Daniel,
>
> I am still in the middle of testing with a hotmail problem, but what
> seems to have resolved it is the wccpv2 patch, maybe it's worth trying
> that?
> http://devel.squid-cache.org/projects.html#visolve_wccpv2
>
> cd squid-2.5.STABLExx
> patch -p1 < ../patchname
>
> ./bootstrap.sh
>
> You may need autoconf/automake (or if bootstrap gives errors you may
> need different versions).  I used:
> http://ftp.gnu.org/gnu/autoconf/autoconf-2.13.tar.gz
> http://ftp.gnu.org/gnu/automake/automake-1.5.tar.gz
>
> A simple ./configure then make;make install will do for these.
>
> Thanks,
>  Bryan
>
>
> -Original Message-
> From: Daniel EPEE LEA [mailto:[EMAIL PROTECTED]
> Sent: March 21, 2006 6:51 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] squid + wccp tuning
>
> Hi List,
>
> I have implemented WCCP +  Squid-2.5 Stable 12  with help from list,
> and it is working, but it is slowing the network so much.
>
> Please can you share working configurations?
>
> Waiting for advice,
>
> Much Regards,
>
> Dan
>
> PS : My cache.log looks like:
>
> 2006/03/20 22:21:13| clientReadRequest: FD 1694 Invalid Request
> 2006/03/20 22:21:32| parseHttpRequest: Unsupported method
> 'recipientid=165&sessi
> onid=9731
>
> '
> 2006/03/20 22:21:32| clientReadRequest: FD 1842 Invalid Request
> 2006/03/20 22:21:32| parseHttpRequest: Unsupported method
> 'recipientid=165&sessi
> onid=9731
>
> '
> 2006/03/20 22:21:32| clientReadRequest: FD 1899 Invalid Request
> 2006/03/20 22:21:33| httpReadReply: Excess data from "GET
> http://www.hi5.com/fri
> end/styles/style.css"
> 2006/03/20 22:21:38| parseHttpRequest: Unsupported method
> 'recipientid=200&sessi
> onid=9913
>
> '
> 2006/03/20 22:21:38| clientReadRequest: FD 1945 Invalid Request
> 2006/03/20 22:21:41| clientReadRequest: FD 1909 Invalid Request
> 2006/03/20 22:21:42| httpReadReply: Request not yet fully sent "POST
> http://avew
> ink.coconia.net/tab/index.php"
> 2006/03/20 22:21:46| clientReadRequest: FD 2019 Invalid Request
> 2006/03/20 22:21:50| clientReadRequest: FD 2038 Invalid Request
> 2006/03/20 22:21:53| clientReadRequest: FD 733 Invalid Request
> 2006/03/20 22:21:53| clientReadRequest: FD 1424 Invalid Request
> 2006/03/20 22:22:02| clientReadRequest: FD 1293 Invalid Request
> 2006/03/20 22:22:07| parseHttpRequest: Unsupported method
> 'recipientid=105&sessi
> onid=4000
>
> '
> 2006/03/20 22:22:07| clientReadRequest: FD 2110 Invalid Request
> 2006/03/20 22:22:08| parseHttpRequest: Unsupported method
> 'recipientid=160&sessi
> onid=9436
>
> '
> 2006/03/20 22:22:08| clientReadRequest: FD 319 Invalid Request
> 2006/03/20 22:22:08| clientReadRequest: FD 2116 Invalid Request
> 2006/03/20 22:22:10| parseHttpRequest: Unsupported method
> 'recipientid=127&sessi
> onid=7938
>
> '
> 2006/03/20 22:22:10| clientReadRequest: FD 1669 Invalid Request
> 2006/03/20 22:22:16| clientReadRequest: FD 2180 Invalid Request
> 2006/03/20 22:22:22| clientReadRequest: FD 1252 Invalid Request
> 2006/03/20 22:22:23| clientReadRequest: FD 64 Invalid Request
> 2006/03/20 22:22:25| clientReadRequest: FD 1904 Invalid Request
> 2006/03/20 22:22:29| clientReadRequest: FD 2071 Invalid Request
> 2006/03/20 22:22:38| clientReadRequest: FD 2207 Invalid Request
> 2006/03/20 22:22:44| parseHttpRequest: Unsupported method
> 'recipientid=164&sessi
> onid=9832
>
> '
> 2006/03/20 22:22:44| clientReadRequest: FD 2282 Invalid Request
> 2006/03/20 22:22:45| clientReadRequest: FD 1244 Invalid Request
> 2006/03/20 22:22:46| Request header is too

RE: [squid-users] squid + wccp tuning

2006-03-21 Thread Shoebottom, Bryan
Daniel,

I am still in the middle of testing with a hotmail problem, but what
seems to have resolved it is the wccpv2 patch, maybe it's worth trying
that?
http://devel.squid-cache.org/projects.html#visolve_wccpv2

cd squid-2.5.STABLExx
patch -p1 < ../patchname

./bootstrap.sh

You may need autoconf/automake (or if bootstrap gives errors you may
need different versions).  I used:
http://ftp.gnu.org/gnu/autoconf/autoconf-2.13.tar.gz
http://ftp.gnu.org/gnu/automake/automake-1.5.tar.gz

A simple ./configure then make;make install will do for these.

Thanks,
 Bryan
 

-Original Message-
From: Daniel EPEE LEA [mailto:[EMAIL PROTECTED] 
Sent: March 21, 2006 6:51 AM
To: squid-users@squid-cache.org
Subject: [squid-users] squid + wccp tuning

Hi List,

I have implemented WCCP +  Squid-2.5 Stable 12  with help from list,
and it is working, but it is slowing the network so much.

Please can you share working configurations?

Waiting for advice,

Much Regards,

Dan

PS : My cache.log looks like:

2006/03/20 22:21:13| clientReadRequest: FD 1694 Invalid Request
2006/03/20 22:21:32| parseHttpRequest: Unsupported method
'recipientid=165&sessi
onid=9731

'
2006/03/20 22:21:32| clientReadRequest: FD 1842 Invalid Request
2006/03/20 22:21:32| parseHttpRequest: Unsupported method
'recipientid=165&sessi
onid=9731

'
2006/03/20 22:21:32| clientReadRequest: FD 1899 Invalid Request
2006/03/20 22:21:33| httpReadReply: Excess data from "GET
http://www.hi5.com/fri
end/styles/style.css"
2006/03/20 22:21:38| parseHttpRequest: Unsupported method
'recipientid=200&sessi
onid=9913

'
2006/03/20 22:21:38| clientReadRequest: FD 1945 Invalid Request
2006/03/20 22:21:41| clientReadRequest: FD 1909 Invalid Request
2006/03/20 22:21:42| httpReadReply: Request not yet fully sent "POST
http://avew
ink.coconia.net/tab/index.php"
2006/03/20 22:21:46| clientReadRequest: FD 2019 Invalid Request
2006/03/20 22:21:50| clientReadRequest: FD 2038 Invalid Request
2006/03/20 22:21:53| clientReadRequest: FD 733 Invalid Request
2006/03/20 22:21:53| clientReadRequest: FD 1424 Invalid Request
2006/03/20 22:22:02| clientReadRequest: FD 1293 Invalid Request
2006/03/20 22:22:07| parseHttpRequest: Unsupported method
'recipientid=105&sessi
onid=4000

'
2006/03/20 22:22:07| clientReadRequest: FD 2110 Invalid Request
2006/03/20 22:22:08| parseHttpRequest: Unsupported method
'recipientid=160&sessi
onid=9436

'
2006/03/20 22:22:08| clientReadRequest: FD 319 Invalid Request
2006/03/20 22:22:08| clientReadRequest: FD 2116 Invalid Request
2006/03/20 22:22:10| parseHttpRequest: Unsupported method
'recipientid=127&sessi
onid=7938

'
2006/03/20 22:22:10| clientReadRequest: FD 1669 Invalid Request
2006/03/20 22:22:16| clientReadRequest: FD 2180 Invalid Request
2006/03/20 22:22:22| clientReadRequest: FD 1252 Invalid Request
2006/03/20 22:22:23| clientReadRequest: FD 64 Invalid Request
2006/03/20 22:22:25| clientReadRequest: FD 1904 Invalid Request
2006/03/20 22:22:29| clientReadRequest: FD 2071 Invalid Request
2006/03/20 22:22:38| clientReadRequest: FD 2207 Invalid Request
2006/03/20 22:22:44| parseHttpRequest: Unsupported method
'recipientid=164&sessi
onid=9832

'
2006/03/20 22:22:44| clientReadRequest: FD 2282 Invalid Request
2006/03/20 22:22:45| clientReadRequest: FD 1244 Invalid Request
2006/03/20 22:22:46| Request header is too large (20489 bytes)
2006/03/20 22:22:46| Config 'request_header_max_size'= 20480 bytes.
2006/03/20 22:22:52| Request header is too large (20489 bytes)
2006/03/20 22:22:52| Config 'request_header_max_size'= 20480 bytes.
2006/03/20 22:22:52| clientReadRequest: FD 2231 Invalid Request
2006/03/20 22:22:56| clientReadRequest: FD 1910 Invalid Request
2006/03/20 22:23:02| clientReadRequest: FD 2159 Invalid Request
2006/03/20 22:23:03| clientReadRequest: FD 2090 Invalid Request
2006/03/20 22:23:10| clientReadRequest: FD 769 Invalid Request
2006/03/20 22:23:12| WARNING: 1 swapin MD5 mismatches
2006/03/20 22:23:17| clientReadRequest: FD 1345 Invalid Request
2006/03/20 22:23:24| clientReadRequest: FD 578 Invalid Request

--
--
Daniel Epee Lea


RE: [squid-users] Re: Help, Help, help Squid2.5-Stables13 + WCCP

2006-03-20 Thread Shoebottom, Bryan
Dan,

When you say wccp router info, you mean a "show ip wccp webcache" on
your cisco router?
If that's what you mean the router ip doesn't mean anything, it can
actually change and it won't affect wccp operation.  Not sure about the
unsupported method...

Thanks,
 Bryan
 

-Original Message-
From: Daniel EPEE LEA [mailto:[EMAIL PROTECTED] 
Sent: March 20, 2006 3:58 AM
To: squid-users@squid-cache.org
Subject: [squid-users] Re: Help, Help, help Squid2.5-Stables13 + WCCP

Hello,

I have configured squid-2.5-Stable13 + WCCP + iptables DNAT
But I have too many invalid requests.

I have noticed that the WCCP Router info shows the Router loopback
interface instead of the wccp router IP address. Can that be a problem
?

How do I get rid of the unsupported methods issues that I have ?

This is my Cache.log info

2006/03/18 22:19:54| clientReadRequest: FD 3476 Invalid Request
2006/03/18 22:19:57| parseHttpRequest: Unsupported method
'recipientid=105&sessionid=2197

'
2006/03/18 22:19:57| clientReadRequest: FD 148 Invalid Request
2006/03/18 22:20:17| parseHttpRequest: Unsupported method 'REGISTER'
2006/03/18 22:20:17| clientReadRequest: FD 3382 Invalid Request
2006/03/18 22:20:30| parseHttpRequest: Unsupported method 'REGISTER'
2006/03/18 22:20:30| clientReadRequest: FD 2515 Invalid Request
2006/03/18 22:20:38| parseHttpRequest: Unsupported method 'REGISTER'
2006/03/18 22:20:38| clientReadRequest: FD 1091 Invalid Request
2006/03/18 22:20:45| parseHttpRequest: Unsupported method 'REGISTER'
2006/03/18 22:20:45| clientReadRequest: FD 382 Invalid Request
2006/03/18 22:20:52| parseHttpRequest: Unsupported method 'REGISTER'
2006/03/18 22:20:52| clientReadRequest: FD 2548 Invalid Request
2006/03/18 22:21:12| parseHttpRequest: Unsupported method 'REGISTER'
2006/03/18 22:21:12| clientReadRequest: FD 3150 Invalid Request
2006/03/18 22:21:36| parseHttpRequest: Unsupported method
'recipientid=155&sessionid=2873

'
2006/03/18 22:21:36| clientReadRequest: FD 376 Invalid Request
2006/03/18 22:21:36| parseHttpRequest: Unsupported method 'REGISTER'
2006/03/18 22:21:36| clientReadRequest: FD 460 Invalid Request
2006/03/18 22:21:38| parseHttpRequest: Unsupported method
'recipientid=155&sessionid=2873

'
2006/03/18 22:21:38| clientReadRequest: FD 1655 Invalid Request
2006/03/18 22:21:39| parseHttpRequest: Unsupported method 'REGISTER'
2006/03/18 22:21:39| clientReadRequest: FD 1655 Invalid Request
2006/03/18 22:22:10| parseHttpRequest: Unsupported method 'REGISTER'
2006/03/18 22:22:10| clientReadRequest: FD 2515 Invalid Request
2006/03/18 22:22:27| parseHttpRequest: Unsupported method 'REGISTER'
2006/03/18 22:22:27| clientReadRequest: FD 251 Invalid Request
2006/03/18 22:22:44| parseHttpRequest: Unsupported method 'REGISTER'
2006/03/18 22:22:44| clientReadRequest: FD 776 Invalid Request
2006/03/18 22:22:51| parseHttpRequest: Unsupported method
'recipientid=114&sessionid=914
2006/03/18 22:22:51| clientReadRequest: FD 1490 Invalid Request
2006/03/18 22:22:55| parseHttpRequest: Unsupported method 'REGISTER'
2006/03/18 22:22:55| clientReadRequest: FD 2858 Invalid Request
2006/03/18 22:23:02| parseHttpRequest: Unsupported method 'REGISTER'
2006/03/18 22:23:02| clientReadRequest: FD 674 Invalid Request
2006/03/18 22:23:16| parseHttpRequest: Unsupported method 'REGISTER'
2006/03/18 22:23:16| clientReadRequest: FD 45 Invalid Request

Much Regards

Daniel


On 3/18/06, Daniel EPEE LEA <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Squid-2.5-STABLE13 + ip_gre  WCCP + RHEL v4 U2 +  4Gigs RAM + Cache
> Dir to be 45 Gigs, but only 20Gigs now
>
> I have a high volume network ( /19)
> I had to increase the number of file descriptors and rebuild squid.
> Now it works Ok,
>
> But I notice a major slowness in browsing the internet. Plus  site
> with streaming media take too much time to load. From some parts of my
> network, I get "Unable to reach Website answer"
>
> This is my config,
> ---
> iptables -nL -t nat
> Chain PREROUTING (policy ACCEPT)
> target prot opt source   destination
> DNAT   tcp  --  [MyNet]/19 ![MyNet]/19 tcp dpt:80 to:[Cache IP]:3128
>
> ---
> http_port [Cache IP]:3128
> icp_port 3130
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> cache_mem 256 MB
> cache_swap_low 90
> cache_swap_high 95
> maximum_object_size 4096 KB
> minimum_object_size 0 KB
> maximum_object_size_in_memory 8 KB
> cache_dir ufs /usr/local/squid/var/cache 20240 16 256
> cache_access_log /var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log
> mime_table /usr/local/squid/etc/mime.conf
> pid_filename /var/run/squid.pid
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> refresh_pattern ^ftp:   1440    20% 10080
> refresh_pattern ^gopher:    1440    0%  1440
> r

RE: [squid-users] Hotmail login issue

2006-03-16 Thread Shoebottom, Bryan
ck 2771 win 3056 
19:38:49.292880 IP 65.54.179.198.http > 10.7.40.50.49322: P 558:783(225)
ack 880 win 1984 
19:38:49.293130 IP 65.54.179.198.http > 10.7.40.50.49322: F 783:783(0)
ack 880 win 1984 
19:38:49.294899 IP 65.54.179.198.http > 10.7.40.50.49322: . ack 881 win
1984 
19:38:49.342677 IP 65.54.183.195.http > 10.7.40.50.49324: . ack 963 win
1984 
19:38:49.356165 IP 65.54.183.195.http > 10.7.40.50.49318: .
24239:25687(1448) ack 2771 win 3056 
19:38:49.356179 IP 65.54.183.195.http > 10.7.40.50.49318: .
25687:27135(1448) ack 2771 win 3056 
19:38:49.356189 IP 65.54.183.195.http > 10.7.40.50.49318: P
27135:28335(1200) ack 2771 win 3056 
19:38:49.357327 IP 65.54.183.195.http > 10.7.40.50.49318: P
28335:29557(1222) ack 2771 win 3056 
19:38:49.503832 IP 65.54.183.195.http > 10.7.40.50.49324: .
4190:5638(1448) ack 963 win 1984 
19:38:49.503843 IP 65.54.183.195.http > 10.7.40.50.49324: P
5638:5878(240) ack 963 win 1984 
19:38:49.504676 IP 65.54.183.195.http > 10.7.40.50.49318: . ack 3209 win
3324 
19:38:49.665590 IP 65.54.183.195.http > 10.7.40.50.49318: P
29557:30960(1403) ack 3209 win 3324 


I'm not too sure what to make of it...

Thanks,
 Bryan
 

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: March 16, 2006 11:10 AM
To: Shoebottom, Bryan
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Hotmail login issue

On Thu 2006-03-16 at 10:16 -0500, Shoebottom, Bryan wrote:

> Thanks for the info, but I don't understand why this would be an
> intermittent issue?  How come sometimes a client can login to hotmail,
> and other times it can't.

Can be many reasons.

What does the replies from hotmail look like for the troublesome
clients?

Any hints if looking at the traffic with tcpdump?

> I've had a couple of clients point directly to the cache and so far they
> haven't had any problems.  They are pointing to port 80 and are going
> through the iptables redirect rule.  With this information, it would
> seem that the error lies around the GRE/WCCP portion of the setup.
> Could it be possible that WCCP is causing these errors?

WCCP (and transparent interception in general) is a hack, violating
fundamentals of TCP/IP, and as such do cause problems, but usually not
this kind of problems..

Regards
Henrik


RE: [squid-users] Hotmail login issue

2006-03-16 Thread Shoebottom, Bryan
Henrik,

Thanks for the info, but I don't understand why this would be an
intermittent issue?  How come sometimes a client can login to hotmail,
and other times it can't.
I've had a couple of clients point directly to the cache and so far they
haven't had any problems.  They are pointing to port 80 and are going
through the iptables redirect rule.  With this information, it would
seem that the error lies around the GRE/WCCP portion of the setup.
Could it be possible that WCCP is causing these errors?

Bryan
 
 

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: March 16, 2006 8:39 AM
To: Shoebottom, Bryan
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Hotmail login issue

On Thu 2006-03-16 at 08:02 -0500, Shoebottom, Bryan wrote:
> Henrik,
> 
> If I understand properly (http://www.httpsniffer.com/http/1441.htm) the
> issue is with squid because it doesn't know the length of the document
> requested, or it only receives half of the document and therefore can't
> cache and relay it back to the client?
>
> I guess this is a feature of HTTP 1.1 of which squid is non-compliant.
> Am I understanding this correctly?  If so, will this be fixed/added to
> squid 2.5 or 3.0?  If I'm not interpreting this correctly, is there
> another workaround?

Squid is still HTTP/1.0. Even Squid-3.0 is and will be HTTP/1.0.
Transfer-Encoding is the main obstacle why Squid is still HTTP/1.0 but
there are many other small pieces as well.

If you find a server sending chunked encoding to Squid then this server
is NOT HTTP COMPLIANT. The RFC 2616 HTTP/1.1 standard has the following
to say about when to use chunked encoding:


final paragraph of

3.6 Transfer Codings:

   A server which receives an entity-body with a transfer-coding it does
   not understand SHOULD return 501 (Unimplemented), and close the
   connection. A server MUST NOT send transfer-codings to an HTTP/1.0
   client.

pay special attention to the last sentence..


Definition of "MUST NOT":

1.2 Requirements

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [34].

   An implementation is not compliant if it fails to satisfy one or more
   of the MUST or REQUIRED level requirements for the protocols it
   implements. An implementation that satisfies all the MUST or REQUIRED
   [...]


And further clarified in RFC 2119:

2. MUST NOT   This phrase, or the phrase "SHALL NOT", mean that the
   definition is an absolute prohibition of the specification.


Regards
Henrik
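
An added example, not part of the original thread: a small check for the condition Henrik describes, run over a request/response pair pulled from a packet capture on the Squid-to-server side. It flags any transfer-coding sent in reply to an HTTP/1.0 request and shows what such a client would take as the page body; the sample messages and all function names are constructed for illustration.

```python
"""Flag transfer-codings sent to an HTTP/1.0 client (RFC 2616 section 3.6)."""

# Constructed sample messages (not taken from the thread).
SAMPLE_REQUEST_10 = b"GET /login HTTP/1.0\r\nHost: mail.example.test\r\n\r\n"
SAMPLE_REQUEST_11 = b"GET /login HTTP/1.1\r\nHost: mail.example.test\r\n\r\n"
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   b"Transfer-Encoding: chunked\r\n\r\n"
                   b"f\r\n<html>ok</html>\r\n0\r\n\r\n")


def split_message(raw: bytes):
    """Return (start line, headers with lower-cased names, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: end of headers not found")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            continue  # ignore malformed header lines
        key, value = name.strip().lower(), value.strip()
        # Repeated headers are combined into one comma-separated value.
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return lines[0], headers, body


def request_version(start_line: str):
    """Return the (major, minor) HTTP version of a request line."""
    parts = start_line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"not an HTTP request line: {start_line!r}")
    major, _, minor = parts[2][5:].partition(".")
    return int(major), int(minor)


def dechunk(body: bytes) -> bytes:
    """Decode a chunked body; chunk extensions and trailers are ignored."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk data")
        out += chunk
        pos += size + 2


def audit_exchange(request: bytes, response: bytes) -> dict:
    """Compare the request's HTTP version with the response's transfer-codings."""
    request_line, _, _ = split_message(request)
    _, headers, body = split_message(response)
    codings = [c.strip().lower()
               for c in headers.get("transfer-encoding", "").split(",")
               if c.strip()]
    version = request_version(request_line)
    return {
        "client_version": version,
        "codings": codings,
        # "A server MUST NOT send transfer-codings to an HTTP/1.0 client."
        "violation": bool(codings) and version < (1, 1),
        # An HTTP/1.0 client does not decode chunks: it sees the raw framing.
        "seen_by_http10_client": body,
        "payload": dechunk(body) if "chunked" in codings else body,
    }


if __name__ == "__main__":
    for req in (SAMPLE_REQUEST_10, SAMPLE_REQUEST_11):
        result = audit_exchange(req, SAMPLE_RESPONSE)
        print(result["client_version"], result["codings"],
              "VIOLATION" if result["violation"] else "ok")
```

The difference between `seen_by_http10_client` and `payload` is the chunk framing that an HTTP/1.0 recipient would wrongly treat as page content.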



RE: [squid-users] Hotmail login issue

2006-03-16 Thread Shoebottom, Bryan
Henrik,

If I understand properly (http://www.httpsniffer.com/http/1441.htm) the
issue is with squid because it doesn't know the length of the document
requested, or it only receives half of the document and therefore can't
cache and relay it back to the client?
I guess this is a feature of HTTP 1.1 of which squid is non-compliant.
Am I understanding this correctly?  If so, will this be fixed/added to
squid 2.5 or 3.0?  If I'm not interpreting this correctly, is there
another workaround?

Thanks,
 Bryan
 

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: March 15, 2006 4:07 PM
To: Shoebottom, Bryan
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Hotmail login issue

On Wed 2006-03-15 at 15:56 -0500, Shoebottom, Bryan wrote:
> I believe so, but am not 100% sure as it is intermittent when configured
> transparently.
> I plan to do some packet captures tomorrow to see if that will help, but
> I don't entirely know what I'm looking for.  Any suggestions would be
> greatly appreciated.

"transfer-encoding: chunked" is a priority guess.. this seems to be
infecting more and more servers and produces very strange results when
given to Squid.

Regards
Henrik


RE: [squid-users] Hotmail login issue

2006-03-15 Thread Shoebottom, Bryan
I believe so, but am not 100% sure as it is intermittent when configured
transparently.
I plan to do some packet captures tomorrow to see if that will help, but
I don't entirely know what I'm looking for.  Any suggestions would be
greatly appreciated.

Thanks,
 Bryan
 

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: March 15, 2006 3:53 PM
To: Shoebottom, Bryan
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Hotmail login issue

On Wed 2006-03-15 at 15:10 -0500, Shoebottom, Bryan wrote:
> Sad news, I spoke too soon.  Our hotmail issues are very intermittent
> and unfortunately most of the time, after trying to login, a blank page
> is received.
> I am using a GRE tunnel, I have tried this iptables command:
> /sbin/iptables -t nat -I POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1476
> 
> I have also tried Mark's suggestion:
> acl hotmail_domains dstdomain .hotmail.msn.com
> header_access Accept-Encoding deny hotmail_domains
> 
> It looks as if the packets are not being seen by squid, but I need to do
> more tests.  Does anyone else have any other suggestions?

Does it work if you have the browser configured to use the proxy?

Regards
Henrik


RE: [squid-users] Hotmail login issue

2006-03-15 Thread Shoebottom, Bryan
Sad news, I spoke too soon.  Our hotmail issues are very intermittent
and unfortunately most of the time, after trying to login, a blank page
is received.
I am using a GRE tunnel, I have tried this iptables command:
/sbin/iptables -t nat -I POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1476

I have also tried Mark's suggestion:
acl hotmail_domains dstdomain .hotmail.msn.com
header_access Accept-Encoding deny hotmail_domains

It looks as if the packets are not being seen by squid, but I need to do
more tests.  Does anyone else have any other suggestions?

Thanks,
 Bryan
 

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: March 14, 2006 9:31 AM
To: Shoebottom, Bryan
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Hotmail login issue

On Tue 2006-03-14 at 08:59 -0500, Shoebottom, Bryan wrote:

> command fixed that issue.  I tested hotmail and it works!  So the gre
> module seems to be a fix for this issue, is there a fix for the wccp
> module?

The ip_wccp module hack is no longer maintained as the standard ip_gre
module works better, is more secure and generally better done and does
not disturb normal network operations.

The only benefit provided by ip_wccp compared to ip_gre is that there is
no configuration involved, but this is also the same reason why it
is much less secure.

Regards
Henrik


RE: [squid-users] Transparent caching problem

2006-03-15 Thread Shoebottom, Bryan
Henrik,

This would work, but will give you some errors on boot as the gre module
won't be loaded before you start the network.  What worked for me is to
add this line to /etc/modprobe.conf:
alias gre0 ip_gre 

This is assuming that you use Daniel's interface config below.  Another
note, contrary to the FAQ, I could not use an address in the 127.0.0.0/8
range, squid never saw any packets.  I had to use an address on a
network that no other interfaces were configured for.

Thanks,
 Bryan
 

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: March 15, 2006 5:31 AM
To: Daniel EPEE LEA
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Transparent caching problem

On Tue 2006-03-14 at 23:26 -0800, Daniel EPEE LEA wrote:

> [EMAIL PROTECTED] network-scripts]# cat ifcfg-gre0
> DEVICE=gre0
> BOOTPROTO=static
> IPADDR=172.16.1.6
> NETMASK=255.255.255.252
> ONBOOT=yes
> IPV6INIT=no

Eum.. for security reasons it's recommended to make the WCCP GRE
interface a point-to-point GRE with the router.  You should be careful
with from who you accept WCCP/GRE packets..

From what I can tell the GRE support in the RedHat init scripts is
non-existent, so I would recommend to simply add the required commands
in /etc/rc.local for bringing up the tunnel proper.

Regards
Henrik


RE: [squid-users] Transparent caching problem

2006-03-15 Thread Shoebottom, Bryan
Hey,

I use redirect as opposed to dnat:

/sbin/iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

Thanks,
 Bryan
 

-Original Message-
From: arabinda [mailto:[EMAIL PROTECTED] 
Sent: March 15, 2006 6:12 AM
To: 'Daniel EPEE LEA'; squid-users@squid-cache.org
Subject: RE: [squid-users] Transparent caching problem

Hello Daniel Epee Lea,

Regarding:
2- for  ip tables
-A PREROUTING -s My_Network/20  -d ! My_Network/20 -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination my_cache_server_IP:3128

If the http traffic is very high, is it possible that DNAT can be a
bottleneck? Coz I have tried something like this and I could not find any
performance improvement by using proxy. Rather the performance degraded.
Maybe something in squid configuration is wrong.

Please suggest. Thanks.

Regards
Devel.


-Original Message-
From: Daniel EPEE LEA [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 15, 2006 1:11 PM
To: Ryan Sumida
Cc: Kamel A. Baba; squid-users@squid-cache.org
Subject: Re: [squid-users] Transparent caching problem

Kamel,

I used

1-  For  gre tunnel, after loading ip_gre module at startup, I have
this gre interface.
You can copy it exactly, the IP address in there doesn't matter.

[EMAIL PROTECTED] network-scripts]# cat ifcfg-gre0
DEVICE=gre0
BOOTPROTO=static
IPADDR=172.16.1.6
NETMASK=255.255.255.252
ONBOOT=yes
IPV6INIT=no

and

2- for  ip tables
-A PREROUTING -s My_Network/20  -d ! My_Network/20 -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination my_cache_server_IP:3128

This is where I was mistaken, after doing this it worked!!

3- Make sure your /etc/sysctl.conf is all right too
# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 0

For more details on IP tables and GRE, please check these links  ;)
http://www.reub.net/node/3

http://www.squid-cache.org/mail-archive/squid-users/200510/0027.html


Hope this helps,

--
--
Daniel Epee Lea




RE: [squid-users] Squid go down by itself

2006-03-14 Thread Shoebottom, Bryan
Damian,

I rotate my logs every night.  When they hit 2GB squid will crash.  It
did for me anyway.

Thanks,
 Bryan
 

-Original Message-
From: Mark Elsen [mailto:[EMAIL PROTECTED] 
Sent: March 14, 2006 8:54 AM
To: Damian Mantelli (A.C.A.R.A)
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid go down by itself

> Hi I have a problem, everything go Ok, on my SQUID Server, but today I had a
> error. The Squid daemon go down by itself and I don't know why.
> I suspect of the logs files, by example store.log  came to 2048 Mbytes.
>
> Can the Log files make that my Squid Server fault down?
>
>

Possibly, check  squid's :

   cache.log

for any further info.

M.


RE: [squid-users] FW: Hotmail login issue

2006-03-14 Thread Shoebottom, Bryan
Mark, everyone,

I got the gre module to work, it was an iptables issue.  In using fedora
core 4 for the first time, I didn't check the rules ahead of time.  Upon
trying to hit the cache directly and failing, I went back step by step
and found the issue.  A simple iptables -F and reissuing my redirect
command fixed that issue.  I tested hotmail and it works!  So the gre
module seems to be a fix for this issue, is there a fix for the wccp
module?

Thanks,
 Bryan
 

-Original Message-
From: Shoebottom, Bryan [mailto:[EMAIL PROTECTED] 
Sent: March 14, 2006 8:14 AM
To: Mark Elsen
Cc: squid-users@squid-cache.org; Daniel EPEE LEA; Henrik Nordstrom
Subject: RE: [squid-users] FW: Hotmail login issue

Mark,

Is there a known workaround?  I've tried your suggestion and also tried
changing the MTU via iptables to allow for the GRE header, but nothing
has worked.  I am using the wccp module as I can't get the GRE module to
work.  When I do a tcpdump I only see packets coming from the WCCP
router, from Henrik's post
http://www.squid-cache.org/mail-archive/squid-users/200510/0027.html i
should see client IPs.

/sbin/iptables -t nat -I POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1476

Thanks,
 Bryan
 

-Original Message-
From: Mark Elsen [mailto:[EMAIL PROTECTED] 
Sent: March 13, 2006 11:48 AM
To: Shoebottom, Bryan
Cc: squid-users@squid-cache.org; Daniel EPEE LEA
Subject: Re: [squid-users] FW: Hotmail login issue

> This hasn't worked.  I think I will try a system with a 2.6 kernel next.
> Most posts point to the MTU needing to be reduced, and although I have
> done that, I am still encountering the problem.  Currently I use the
> wccp module, I understand that the gre module already has the reduced
> MTU size configured and will hopefully work right out of the box.
>

- Yes note that this is one of the main issues argumenting
against transp. proxy-ing (MTU), there are others too :

 
http://squidwiki.kinkie.it/SquidFaq/InterceptionProxy?highlight=%28intercept%29#head-1cf13b27d5a6f8c523a4582d38a8cfaaacafb896

M.


RE: [squid-users] FW: Hotmail login issue

2006-03-14 Thread Shoebottom, Bryan
Mark,

Is there a known workaround?  I've tried your suggestion and also tried
changing the MTU via iptables to allow for the GRE header, but nothing
has worked.  I am using the wccp module as I can't get the GRE module to
work.  When I do a tcpdump I only see packets coming from the WCCP
router, from Henrik's post
http://www.squid-cache.org/mail-archive/squid-users/200510/0027.html i
should see client IPs.

/sbin/iptables -t nat -I POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1476

Thanks,
 Bryan
 

-Original Message-
From: Mark Elsen [mailto:[EMAIL PROTECTED] 
Sent: March 13, 2006 11:48 AM
To: Shoebottom, Bryan
Cc: squid-users@squid-cache.org; Daniel EPEE LEA
Subject: Re: [squid-users] FW: Hotmail login issue

> This hasn't worked.  I think I will try a system with a 2.6 kernel next.
> Most posts point to the MTU needing to be reduced, and although I have
> done that, I am still encountering the problem.  Currently I use the
> wccp module, I understand that the gre module already has the reduced
> MTU size configured and will hopefully work right out of the box.
>

- Yes note that this is one of the main issues argumenting
against transp. proxy-ing (MTU), there are others too :

 
http://squidwiki.kinkie.it/SquidFaq/InterceptionProxy?highlight=%28intercept%29#head-1cf13b27d5a6f8c523a4582d38a8cfaaacafb896

M.


RE: [squid-users] FW: Hotmail login issue

2006-03-13 Thread Shoebottom, Bryan
Mark,

This hasn't worked.  I think I will try a system with a 2.6 kernel next.
Most posts point to the MTU needing to be reduced, and although I have
done that, I am still encountering the problem.  Currently I use the
wccp module, I understand that the gre module already has the reduced
MTU size configured and will hopefully work right out of the box.

Thanks,
 Bryan
 

-Original Message-
From: Mark Elsen [mailto:[EMAIL PROTECTED] 
Sent: March 13, 2006 8:58 AM
To: Shoebottom, Bryan
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] FW: Hotmail login issue

>
> I have read a number of posts on how to resolve the hotmail login issues
> with an interception web cache but nothing has worked.  I have tried the
> following 3 configurations in squid.conf, but after you enter your
> username and password then select sign-in, it goes to a blank page.
>
> header_access Accept-Encoding deny all

 What worked for us is :

acl hotmail_domains dstdomain .hotmail.msn.com
header_access Accept-Encoding deny hotmail_domains

Please try, this; literally in squid.conf.
Don't forget :

% squid -k reconfigure

afterwards. And or first check squid.conf with :

% squid -k parse (too).   (before reconfigure)


>
>
> acl hotmail_domains dstdomain .hotmail.msn.com .hotmail.com
> acl ie6 browser MSIE[[:space:]]6
> header_access Accept-Encoding deny ie6 hotmail_domains
>
>
> acl hotmail dstdomain .hotmail.com
> always_direct allow hotmail
>

 This is probably meaningless; it is only valid when parent and
or peers are being used.


> I have also tried the iptables command to change the MTU size:
> /sbin/iptables -t nat -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1476
>
> When I direct the browser to the proxy it works fine, but I
> unfortunately must use an interception proxy.  Has anyone got this
> fixed?
>
>
> Thanks,
> Bryan
>


RE: [squid-users] HTTP & transparent proxy -- It'sworkinnnnnnnnnnnnggggggggggggg

2006-03-13 Thread Shoebottom, Bryan
Daniel,

What commands did you use for the GRE configuration and for iptables?

Thanks,
 Bryan
 

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: March 11, 2006 5:38 PM
To: Daniel EPEE LEA
Cc: Squid Users
Subject: Re: [squid-users] HTTP & transparent proxy -- 
It'sworkig

On Sat 2006-03-11 at 11:37 -0800, Daniel EPEE LEA wrote:

> I have taken out the second gre tunnel and  tune Iptables, and it's
> working. now.

Great!

> But I have some concern tuning squid, monitoring and getting all the
> services through with the best performance.

Just keep asking questions on squid-users ;-)

Regards
Henrik


[squid-users] FW: Hotmail login issue

2006-03-13 Thread Shoebottom, Bryan
Hello,

I have read a number of posts on how to resolve the hotmail login issues
with an interception web cache but nothing has worked.  I have tried the
following 3 configurations in squid.conf, but after you enter your
username and password then select sign-in, it goes to a blank page.

header_access Accept-Encoding deny all


acl hotmail_domains dstdomain .hotmail.msn.com .hotmail.com
acl ie6 browser MSIE[[:space:]]6
header_access Accept-Encoding deny ie6 hotmail_domains


acl hotmail dstdomain .hotmail.com
always_direct allow hotmail

I have also tried the iptables command to change the MTU size:
/sbin/iptables -t nat -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1476

When I direct the browser to the proxy it works fine, but I
unfortunately must use an interception proxy.  Has anyone got this
fixed?


Thanks,
Bryan


RE: [squid-users] Hardware requirements

2006-03-06 Thread Shoebottom, Bryan
Gregori,

Can you give me the details on your entire setup?  I have a 3.4GHz Xeon with 
2GB memory and 100GB cache and with 200+ req/s my CPU is pinned.  I have a 
transparent cache with WCCP and don't use any ACLs except for SNMP.

Thanks,
 Bryan
 

-Original Message-
From: Gregori Parker [mailto:[EMAIL PROTECTED] 
Sent: March 6, 2006 1:16 PM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] Hardware requirements

That should be fine, however I would recommend a lot more diskspace for the 
cache.  Each of our servers are 3GHz Xeon, 2GB RAM and 1TB of diskspace - they 
each push 130mbps of flow without any problems.
 

-Original Message-
From: Ilja Marchew [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 06, 2006 4:01 AM
To: squid-users@squid-cache.org
Subject: [squid-users] Hardware requirements

We have 2-12 mbits of traffic flow.

Is scsi320 72MB + RAM 1GB + Xeon 2.0GHz server enough to proxificate
it transparently?  Or we need more processor/RAM?  Or we need to
balance flow between 2-3 servers (because of non-SMP architecture of
squid)?

Thanks.

.



RE: [squid-users] squid cannot resolve non-fqdn names

2006-03-06 Thread Shoebottom, Bryan
Excellent

append_domain .domain.tld

Worked!  I also read that I should possibly compile squid with
--disable-internal-dns and configuring "dns_defnames on" in squid.conf.
Would this be faster than using the internal dns resolver?

Thanks,
 Bryan
 
-Original Message-
From: Mark Elsen [mailto:[EMAIL PROTECTED] 
Sent: March 3, 2006 5:49 PM
To: Shoebottom, Bryan
Cc: Squid Users
Subject: Re: [squid-users] squid cannot resolve non-fqdn names

> Hello,
>
> In my browser, if I simply put a hostname (webserver) in the address
> bar without the top level domain and subdomain (webserver.domain.tld), I
> get an "Unable to determine IP address from host name for hostname".  If
> I put the fqdn in, it works fine.  Is there any way to rectify this in
> the squid configuration?  Squid uses the contents of /etc/resolv.conf
> for resolving names and this file includes the search and domain
> directives.
>

  Check the :

   append_domain

 directive in squid.conf.default ; read all the comments.

 M.


[squid-users] squid cannot resolve non-fqdn names

2006-03-03 Thread Shoebottom, Bryan
Hello,

In my browser, if I simply put a hostname (webserver) in the address bar 
without the top level domain and subdomain (webserver.domain.tld), I get an 
"Unable to determine IP address from host name for hostname".  If I put the 
fqdn in, it works fine.  Is there any way to rectify this in the squid 
configuration?  Squid uses the contents of /etc/resolv.conf for resolving names 
and this file includes the search and domain directives.

Thanks,
 Bryan




RE: [squid-users] Interception proxy: disable errors

2006-02-28 Thread Shoebottom, Bryan
Henrik,

Is there a way to disable the squid signature that is inserted at the
bottom of each error page so the user won't know what version of squid,
the hostname, etc, etc.

Thanks,
 Bryan
 

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: February 23, 2006 4:16 PM
To: Shoebottom, Bryan
Cc: Squid Users
Subject: RE: [squid-users] Interception proxy: disable errors

On Thu 2006-02-23 at 11:20 -0500, Shoebottom, Bryan wrote:

> I realize I can do this, but the user will still receive a page.  Is
> there a way to have the client act as though it weren't going through a
> cache?

Nope.

Regards
Henrik


[squid-users] FW: WCCP: Web Cache ID 0.0.0.0

2006-02-24 Thread Shoebottom, Bryan
Ryan,

I ended up opening a ticket with Cisco regarding the issue and it is a bug with 
WCCPv1, if you do a show ip wccp web-cache view you will see the IPs of your 
cache(s) although the show ip wccp web-cache detail will show the 0.0.0.0 for 
any connected cache.  This will not be fixed; their solution is to use WCCPv2.  
Keep in mind that there is no performance issue here, it is simply cosmetic. 

I posted this to the group just in case anyone else is looking for more info on 
WCCP and squid.

Thanks,
 Bryan Shoebottom


From: Ryan Sumida [mailto:[EMAIL PROTECTED] 
Sent: February 24, 2006 3:35 PM
To: Shoebottom, Bryan
Subject: WCCP: Web Cache ID 0.0.0.0


Hi Bryan, 
I read your posts on the Squid-Users list and was wondering if you fixed the 
problem with WCCP web cache IP showing 0.0.0.0.  I'm having the exact same 
problems as you posted with a very similar setup.  I've been stuck with this 
problem for almost 2 weeks now and it's driving me nuts.  =[  Any advice would 
help. 

Thank you, 

Ryan Sumida
Network Engineer, Network Services
Information Technology Services
California State University, Long Beach


RE: [squid-users] Interception proxy: disable errors

2006-02-23 Thread Shoebottom, Bryan
Henrik,

I realize I can do this, but the user will still receive a page.  Is
there a way to have the client act as though it weren't going through a
cache?

Thanks,
 Bryan
 

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: February 23, 2006 9:52 AM
To: Shoebottom, Bryan
Cc: Squid Users
Subject: Re: [squid-users] Interception proxy: disable errors

On Tue 2006-02-21 at 09:55 -0500, Shoebottom, Bryan wrote:
> Hello,
> 
> I am running a WCCP enabled interception proxy and want the users to
> be completely unaware that they are going through a proxy. I tried using
> the following directive, but when trying to get to a website that
> doesn't respond, I get a squid error on the client.
> deny_info TCP_RESET all
> 
> How can I disable all errors presented to the client?

Edit the error pages to your liking.

Regards
Henrik


[squid-users] Interception proxy: disable errors

2006-02-21 Thread Shoebottom, Bryan
Hello,

I am running a WCCP enabled interception proxy and want the users to be 
completely unaware that they are going through a proxy. I tried using the 
following directive, but when trying to get to a website that doesn't respond, 
I get a squid error on the client.
deny_info TCP_RESET all

How can I disable all errors presented to the client?

Thanks,
 Bryan Shoebottom




RE: [squid-users] RHEL v4 + Squid + wccp

2006-02-13 Thread Shoebottom, Bryan
Hello,

I have not been able to get the ip_gre module and tunnel to work.  I
currently use the ip_wccp module
(http://www.squid-cache.org/WCCP-support/Linux/) and no configured
tunnel on the linux box.

Thanks,
 
 Bryan

-Original Message-
From: Mark Elsen [mailto:[EMAIL PROTECTED] 
Sent: February 8, 2006 9:22 AM
To: [EMAIL PROTECTED]
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] RHEL v4 + Squid + wccp

 :
> hello,
>
> I have implemented WCCP on a cisco router, IOS (Cisco
> IOS Software, C1700 Software (C1700-K9O3SY7-M),
> Version 12.3(14)T2, RELEASE SOFTWARE (fc4))
> Linux sever : Registered RHEL ES v4 Update 2
>
> Since my CISCO  router sends packets through an ip_gre
> tunnel, and when I load the ip_wccp  module into the
> linux kernel, I cannot push the ip_gre module in the
> kernel as well. Therefore I cannot create a gre tunnel
> or better a secure gre tunnel for my linux - router
> communication.
>

  http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.13

 (checkout all sections)

 M.


RE: [squid-users] How can install a patch

2006-01-11 Thread Shoebottom, Bryan
Where did you get the patch?

Thanks,

Bryan
 
 

-Original Message-
From: Ahmed Eissa [mailto:[EMAIL PROTECTED] 
Sent: January 11, 2006 3:47 AM
To: squid-users@squid-cache.org
Subject: [squid-users] How can install a patch

Hi, I got a patch for squid2.5-stable12 that enables it to support WCCP v2.
Would u tell me please how can I install it on my running Squid. The patch
file extension is .patch . Please advise.

Thanks
--Eissa--




RE: [squid-users] squid + wccp problem

2005-11-07 Thread Shoebottom, Bryan
Henrik,

In a redundant and load-balanced environment, could a squid cache be
connected to two routers?


Thanks,
Bryan



-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: November 5, 2005 4:41 PM
To: Senthil Murugan
Cc: Squid Users
Subject: Re: [squid-users] squid + wccp problem



On Sat, 5 Nov 2005, Senthil Murugan wrote:

> Is it necessary that the router and squid machine needs to be in the same 
> network or the squid server can be beyond another router in a different n/w.

With GRE encapsulation there may be any number of hops between the cache
server and the router. They do not need to be in the same network.

Regards
Henrik


RE: [squid-users] WCCP: Web Cache ID 0.0.0.0

2005-10-21 Thread Shoebottom, Bryan
Henrik,

One question I'd like a firm answer to, I have heard to install the
ip_wccp module and not to.  Which should I be doing?
My understanding is that the 2.6 kernel includes WCCP in the gre module.  I
also understand that the 2.4 kernel started to include it, but I'm not
sure when.  With all of my testing, I have only been using the ip_gre
module included in the kernel source.

Thanks,
Bryan



-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: October 21, 2005 12:42 PM
To: Shoebottom, Bryan
Cc: Henrik Nordstrom; James Masson; squid-users@squid-cache.org
Subject: RE: [squid-users] WCCP: Web Cache ID 0.0.0.0



On Fri, 21 Oct 2005, Shoebottom, Bryan wrote:

> Yes I do, plus the WCCP packets.  In comparing these redirected packets
> to a working WCCPv2 third party cache I can see in the GRE header the
> third party cache has a redirect header, where my non-working squid does
> not have this header.

Then your IOS is running some hybrid between WCCPv1 and WCCPv2... WCCPv1
only has GRE encapsulation mode, while WCCPv2 can negotiate to use direct 
routing instead..

If the packets are otherwise fine you should only need the normal 
transparent proxy firewalling rules to have these packets delivered to 
Squid.

Regards
Henrik
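
An added example, not part of the original thread: a parser for one captured WCCP/GRE packet that reports whether the 4-byte redirect header discussed above is present, which client address sits in the inner packet, and whether the outer source is the expected router (the caution about who you accept WCCP/GRE packets from, raised elsewhere in this thread). The router address 172.16.1.5, the sample packets and all function names are assumptions made for the illustration, as is detecting the redirect header by testing whether the data after the GRE header starts with an IPv4 version nibble.

```python
"""Classify a captured GRE packet before trusting it as WCCP redirection."""
import ipaddress
import struct

IPPROTO_GRE = 47
WCCP_GRE_PROTO = 0x883E  # GRE protocol type used for WCCP redirection


def classify_gre(packet: bytes, router_ip: str) -> dict:
    """Inspect one outer IPv4 packet; router_ip is the only trusted peer."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4  # outer header length in bytes
    info = {"outer_src": str(ipaddress.IPv4Address(packet[12:16])),
            "redirect_header": None, "client": None}
    if packet[9] != IPPROTO_GRE or len(packet) < ihl + 4:
        return {**info, "verdict": "not-gre"}
    flags_version, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if proto != WCCP_GRE_PROTO:
        return {**info, "verdict": "not-wccp"}
    if flags_version != 0:
        # WCCP uses the plain 4-byte GRE header with no optional fields.
        return {**info, "verdict": "unexpected-gre-flags"}
    inner = packet[ihl + 4:]
    if inner and inner[0] >> 4 != 4:
        # Assumption: anything that is not an IPv4 version nibble here is
        # the WCCPv2 redirect header, which precedes the inner packet.
        info["redirect_header"] = inner[:4]
        inner = inner[4:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return {**info, "verdict": "malformed-inner-packet"}
    # The inner source is the real client; the outer source is the router.
    info["client"] = str(ipaddress.IPv4Address(inner[12:16]))
    trusted = (ipaddress.IPv4Address(info["outer_src"])
               == ipaddress.IPv4Address(router_ip))
    return {**info, "verdict": "accept" if trusted else "drop-untrusted-source"}


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (checksum left at 0; constructed data)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def sample_packet(outer_src: str, with_redirect_header: bool) -> bytes:
    """Constructed WCCP/GRE packet: client 192.0.2.10 to a web server."""
    inner = build_ipv4("192.0.2.10", "198.51.100.80", 6, b"\x00" * 20)
    redirect = b"\x00\x00\x1a\x00" if with_redirect_header else b""
    gre = struct.pack("!HH", 0, WCCP_GRE_PROTO) + redirect + inner
    return build_ipv4(outer_src, "172.16.1.6", IPPROTO_GRE, gre)


if __name__ == "__main__":
    router = "172.16.1.5"  # assumed router address for this illustration
    cases = [("no redirect header", sample_packet(router, False)),
             ("with redirect header", sample_packet(router, True)),
             ("unknown sender", sample_packet("203.0.113.9", True))]
    for label, pkt in cases:
        print(label, classify_gre(pkt, router))
```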


RE: [squid-users] WCCP: Web Cache ID 0.0.0.0

2005-10-21 Thread Shoebottom, Bryan
Yes I do, plus the WCCP packets.  In comparing these redirected packets
to a working WCCPv2 third party cache I can see in the GRE header the
third party cache has a redirect header, where my non-working squid does
not have this header.
Any reason why I would have this in my squid configuration?  Or is this
a part of WCCPv2 and I should not see this?

Thanks,
Bryan



-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: October 20, 2005 4:33 PM
To: Shoebottom, Bryan
Cc: James Masson; squid-users@squid-cache.org
Subject: RE: [squid-users] WCCP: Web Cache ID 0.0.0.0



On Thu, 20 Oct 2005, Shoebottom, Bryan wrote:

> Thanks for the info James.  Henrik, I have upgraded the IOS to 12.2.18
> and I am forwarding packets.  A packet capture shows WCCP and the
> redirected packets, but no GRE.

So you see redirected packets now?

Regards
Henrik


RE: [squid-users] WCCP: Web Cache ID 0.0.0.0

2005-10-20 Thread Shoebottom, Bryan
Thanks for the info James.  Henrik, I have upgraded the IOS to 12.2.18
and I am forwarding packets.  A packet capture shows WCCP and the
redirected packets, but no GRE.  I have setup GRE as stated in the FAQ:
modprobe ip_gre
iptunnel add gre1 mode gre remote  local  dev

ifconfig gre1 127.0.0.2 up

is there something that needs to be setup on the Cisco side?  Or am I
missing something on the linux/freebsd side?

Thanks,
Bryan



-Original Message-
From: James Masson [mailto:[EMAIL PROTECTED] 
Sent: October 20, 2005 9:11 AM
To: Shoebottom, Bryan; squid-users@squid-cache.org
Subject: RE: [squid-users] WCCP: Web Cache ID 0.0.0.0


Hi Bryan,

My working systems are...


Gentoo-sources-2.6.10-r6
Squid 2.5.10-r2
IOS 12.0(7)Tfc2
 

Regards

James Masson

> -Original Message-
> From: Shoebottom, Bryan [mailto:[EMAIL PROTECTED] 
> Sent: 20 October 2005 13:10
> To: Henrik Nordstrom
> Cc: Squid Users
> Subject: RE: [squid-users] WCCP: Web Cache ID 0.0.0.0
> 
> Henrik,
> 
> Thanks for the info, I will follow up with Cisco to see what they have
> to say.  When I get an answer I will post it to the list.  In the
> meantime, is there anyone out there running squid with WCCP that can
> recommend an IOS & squid combination (versions)?
> 
> Thanks,
> Bryan
> 
> 
> 
> -Original Message-
> From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
> Sent: October 19, 2005 3:54 PM
> To: Shoebottom, Bryan
> Cc: Henrik Nordstrom; Squid Users
> Subject: RE: [squid-users] WCCP: Web Cache ID 0.0.0.0
> 
> On Wed, 19 Oct 2005, Shoebottom, Bryan wrote:
> 
> > Where should I be going from here?  Is this a GRE/kernel config problem?
> 
> Seems to be an IOS version or configuration issue to me as your router 
> tells that the buckets have been assigned to the cache but no GRE packets 
> is seen by tcpdump at the cache server.
> 
> That "Web Cache ID" field is maintained by the router and should probably 
> indicate the sender address of the WCCP control packets if it has any 
> meaning. It is not something carried within the WCCP messages sent by 
> Squid.
> 
> But it could also be your IOS version being more picky about the WCCP 
> control messages than the tested versions. But if this was the case it 
> should not indicate that the buckets have been assigned to the cache, or
> should at least indicate the cache is not yet useable.
> 
> Regards
> Henrik
> 
> 


RE: [squid-users] WCCP: Web Cache ID 0.0.0.0

2005-10-20 Thread Shoebottom, Bryan
Henrik,

Thanks for the info, I will follow up with Cisco to see what they have
to say.  When I get an answer I will post it to the list.  In the
meantime, is there anyone out there running squid with WCCP that can
recommend an IOS & squid combination (versions)?

Thanks,
Bryan



-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: October 19, 2005 3:54 PM
To: Shoebottom, Bryan
Cc: Henrik Nordstrom; Squid Users
Subject: RE: [squid-users] WCCP: Web Cache ID 0.0.0.0

On Wed, 19 Oct 2005, Shoebottom, Bryan wrote:

> Where should I be going from here?  Is this a GRE/kernel config problem?

Seems to be an IOS version or configuration issue to me as your router 
tells that the buckets have been assigned to the cache but no GRE packets 
is seen by tcpdump at the cache server.

That "Web Cache ID" field is maintained by the router and should probably 
indicate the sender address of the WCCP control packets if it has any 
meaning. It is not something carried within the WCCP messages sent by 
Squid.

But it could also be your IOS version being more picky about the WCCP 
control messages than the tested versions. But if this was the case it 
should not indicate that the buckets have been assigned to the cache, or
should at least indicate the cache is not yet useable.

Regards
Henrik


RE: [squid-users] WCCP: Web Cache ID 0.0.0.0

2005-10-19 Thread Shoebottom, Bryan
Henrik,

Where should I be going from here?  Is this a GRE/kernel config problem?

Thanks,
Bryan



-Original Message-
From: Shoebottom, Bryan [mailto:[EMAIL PROTECTED] 
Sent: October 14, 2005 8:25 AM
To: Henrik Nordstrom
Cc: Squid Users
Subject: RE: [squid-users] WCCP: Web Cache ID 0.0.0.0

Henrik,

1.  I can't confirm this for sure, from the router's point of view
all buckets are assigned to the only cache, but the web cache id is
0.0.0.0.  Using a packet sniffer I can see that the router sends the
WCCP packets with all buckets and the cache immediately responds with no
buckets assigned.

2.  For testing, I have this configuration:
Ip wccp version 1
Ip wccp web-cache

On the interface we are testing (VlanX)
Ip wccp web-cache redirect in

3.  There are no ACL's applied to WCCP, or the incoming interface.
The outgoing interface (INet) only allows traffic from the network the
cache and WCCP router is on, not VLanX.  Would it matter beyond that?

4.  The router properly supports WCCP version 1 and 2.


I have been working with Cisco on this and they are saying, of course,
that the cache is at fault because it is sending something to the router
that it doesn't like.  What's next?

Thanks,
Bryan




-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: October 14, 2005 5:39 AM
To: Shoebottom, Bryan
Cc: Squid Users
Subject: RE: [squid-users] WCCP: Web Cache ID 0.0.0.0

On Thu, 13 Oct 2005, Shoebottom, Bryan wrote:

> What do I do when the router is not forwarding packets, but all buckets
> are assigned to that cache?

Look into your acls on the router, and which router interface(s) is 
running WCCP.

For the router to redirect the following needs to be fulfilled:

   1. The cache and router must have agreed on the cache being used (OK).

   2. The correct interface on the router must have WCCP enabled

   3. The acls on the router must not prevent WCCP from being used on the 
traffic in question.

   4. The router firmware must properly support WCCP (v1).

For authoritative answers on 2 & 3 see the manual to your router on how to
configure your router for WCCP use. Hints can be found in the Squid FAQ.

Regards
Henrik


RE: [squid-users] wccp

2005-10-18 Thread Shoebottom, Bryan
Ben,

I have followed the FAQ
(http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.13) but have been
unsuccessful in getting WCCP to talk to the cache properly.  Please let
me know how you make out, I may need to ask you questions.

Thanks,
Bryan



-Original Message-
From: Ben [mailto:[EMAIL PROTECTED] 
Sent: October 18, 2005 12:15 PM
To: squid-users@squid-cache.org
Subject: [squid-users] wccp

Hello Squid Users,
I am planning to implement wccp with squid, using the following:
1- WBEL 4.0
2- Version 2.5.STABLE3
3- Cisco 7206 IOS 12.2
I would like to know if anybody has any experience with this setup to 
guide me with resources or URLs dealing with this case plus his own 
experience.
I would like also to know which is better to use, ip filter or ipchains or 
any other alternative.
Thanks in advance for any help
Best Regards, 






RE: [squid-users] WCCP: Web Cache ID 0.0.0.0

2005-10-17 Thread Shoebottom, Bryan
James,

If I understand you correctly, you currently have a working system with
WCCP, you are now trying to maintain the system and router with updates
and WCCP now fails?
Interesting...
Henrik?

Thanks,
Bryan


-Original Message-
From: James Masson [mailto:[EMAIL PROTECTED] 
Sent: October 14, 2005 8:07 PM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] WCCP: Web Cache ID 0.0.0.0


I'm having exactly the same problem as Bryan on a new squid wccp system.
I have a working set too, so I'm 95% certain it's not user error.

The symptoms are exactly the same. Everything looks peachy in IOS,
except the cache IP is listed as 0.0.0.0 - state Usable. According to
the router, packets are being redirected.
Squid works fine as a normal cache, the iptables redirect works OK, the
Cisco 2600 sees the here_i_am, and replies with an I_see_you

I'm using the same syntax to create the gre tunnel, as per the faq.

The only thing that differs between the working and broken setups are
kernel and IOS versions, I'm working to remove the differences and
hopefully see where it breaks.

Another similarity to Bryan's setup, is that the broken version is on a
VLAN, while the working one isn't.


Working systems
Gentoo-sources-2.6.10-r6
Squid 2.5.10-r2
IOS 12.0(7)Tfc2

Broken Systems
Gentoo-sources-2.6.12-r10
Squid 2.5.10-r2
IOS 12.1(20)fc2 



James Masson


> -Original Message-
> From: Shoebottom, Bryan [mailto:[EMAIL PROTECTED] 
> Sent: 14 October 2005 05:25
> To: Henrik Nordstrom
> Cc: Squid Users
> Subject: RE: [squid-users] WCCP: Web Cache ID 0.0.0.0
> 
> Henrik,
> 
> 1.  I can't confirm this for sure, from the router's point of view
> all buckets are assigned to the only cache, but the web cache id is
> 0.0.0.0.  Using a packet sniffer I can see that the router sends the
> WCCP packets with all buckets and the cache immediately responds with no
> buckets assigned.
> 
> 2.  For testing, I have this configuration:
>   Ip wccp version 1
>   Ip wccp web-cache
> 
>   On the interface we are testing (VlanX)
>   Ip wccp web-cache redirect in
> 
> 3.  There are no ACL's applied to WCCP, or the incoming interface.
> The outgoing interface (INet) only allows traffic from the network the
> cache and WCCP router is on, not VLanX.  Would it matter beyond that?
> 
> 4.  The router properly supports WCCP version 1 and 2.
> 
> 
> I have been working with Cisco on this and they are saying, of course,
> that the cache is at fault because it is sending something to the router
> that it doesn't like.  What's next?
> 
> Thanks,
> Bryan
> 
> 
> 
> 
> -Original Message-
> From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
> Sent: October 14, 2005 5:39 AM
> To: Shoebottom, Bryan
> Cc: Squid Users
> Subject: RE: [squid-users] WCCP: Web Cache ID 0.0.0.0
> 
> On Thu, 13 Oct 2005, Shoebottom, Bryan wrote:
> 
> > What do I do when the router is not forwarding packets, but all buckets
> > are assigned to that cache?
> 
> Look into your acls on the router, and which router interface(s) is 
> running WCCP.
> 
> For the router to redirect the following needs to be fulfilled:
> 
>    1. The cache and router must have agreed on the cache being used (OK).
> 
>    2. The correct interface on the router must have WCCP enabled
> 
>    3. The acls on the router must not prevent WCCP from being used on the 
> traffic in question.
> 
>    4. The router firmware must properly support WCCP (v1).
> 
> For authoritative answers on 2 & 3 see the manual to your router on how to
> configure your router for WCCP use. Hints can be found in the Squid FAQ.
> 
> Regards
> Henrik
> 
> 


RE: [squid-users] WCCP: Web Cache ID 0.0.0.0

2005-10-14 Thread Shoebottom, Bryan
Henrik,

1.  I can't confirm this for sure, from the router's point of view
all buckets are assigned to the only cache, but the web cache id is
0.0.0.0.  Using a packet sniffer I can see that the router sends the
WCCP packets with all buckets and the cache immediately responds with no
buckets assigned.

2.  For testing, I have this configuration:
Ip wccp version 1
Ip wccp web-cache

On the interface we are testing (VlanX)
Ip wccp web-cache redirect in

3.  There are no ACL's applied to WCCP, or the incoming interface.
The outgoing interface (INet) only allows traffic from the network the
cache and WCCP router is on, not VLanX.  Would it matter beyond that?

4.  The router properly supports WCCP version 1 and 2.


I have been working with Cisco on this and they are saying, of course,
that the cache is at fault because it is sending something to the router
that it doesn't like.  What's next?

Thanks,
Bryan




-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: October 14, 2005 5:39 AM
To: Shoebottom, Bryan
Cc: Squid Users
Subject: RE: [squid-users] WCCP: Web Cache ID 0.0.0.0

On Thu, 13 Oct 2005, Shoebottom, Bryan wrote:

> What do I do when the router is not forwarding packets, but all buckets
> are assigned to that cache?

Look into your acls on the router, and which router interface(s) is 
running WCCP.

For the router to redirect the following needs to be fulfilled:

   1. The cache and router must have agreed on the cache being used (OK).

   2. The correct interface on the router must have WCCP enabled

   3. The acls on the router must not prevent WCCP from being used on the 
traffic in question.

   4. The router firmware must properly support WCCP (v1).

For authoritative answers on 2 & 3 see the manual to your router on how to
configure your router for WCCP use. Hints can be found in the Squid FAQ.

Regards
Henrik


RE: [squid-users] WCCP: Web Cache ID 0.0.0.0

2005-10-13 Thread Shoebottom, Bryan
Henrik,

What do I do when the router is not forwarding packets, but all buckets
are assigned to that cache?

Thanks,
Bryan



-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: October 12, 2005 6:08 PM
To: Shoebottom, Bryan
Cc: Henrik Nordstrom; Squid Users
Subject: RE: [squid-users] WCCP: Web Cache ID 0.0.0.0

On Wed, 12 Oct 2005, Shoebottom, Bryan wrote:

> I am not sure how to tell if the GRE decapsulation is working properly.
> Running the tcpdump I can see:
> I can see the cache sending a 52 (length) udp port 2048 to the router on
> udp 2048, and immediately after the exact opposite, except the length is
> 64.
> This happens every 10-11 seconds.
> How can I tell if the GRE decapsulation is working properly?

If the router is redirecting packets properly you should see GRE packets
in your tcpdump whenever there is client traffic, not only the WCCP UDP 
control channel packets.

Regards
Henrik


RE: [squid-users] WCCP: Web Cache ID 0.0.0.0

2005-10-12 Thread Shoebottom, Bryan
Henrik,

My mistake, the http packets are NOT being forwarded, the router shows
that all buckets are assigned to this single cache.
I am not sure how to tell if the GRE decapsulation is working properly.
Running the tcpdump I can see:
I can see the cache sending a 52 (length) udp port 2048 to the router on
udp 2048, and immediately after the exact opposite, except the length is
64.
This happens every 10-11 seconds.
How can I tell if the GRE decapsulation is working properly?

Thanks,
Bryan 




-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: October 3, 2005 5:27 PM
To: Shoebottom, Bryan
Cc: Squid Users
Subject: Re: [squid-users] WCCP: Web Cache ID 0.0.0.0

On Mon, 3 Oct 2005, Shoebottom, Bryan wrote:

> Yes.  It assigns the buckets and starts forwarding http packets but the 
> proxy doesn't seem to respond.

Then the next is to verify the WCCP/GRE decapsulation. This is done by 
running tcpdump. With tcpdump you should see both

a) The GRE packets coming from the router
b) The decapsulated TCP/IP packets with the source of the clients

tcpdump -i any -n

If you only see 'a' then the GRE decapsulation is not configured proper.

If you see 'b' but the packets seems to be completely ignored then the 
problem is your firewall/nat rules for intercepting port 80 traffic on the 
proxy, or perhaps routing policy if running Linux (rp_filter needs to be
disabled when using GRE).

If you see 'b' and also response packets then all the networking is set up 
proper, and your problem is within the proxy config.

Regards
Henrik
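
Added example (not part of the original message and not Squid code): the
tcpdump triage described above, written as a small classifier over
`tcpdump -n` text output. It goes one step beyond the message by adding the
"no GRE at all" case that comes up later in this thread. The capture lines
are constructed, the client and origin addresses are documentation-range
placeholders, and the exact tcpdump line layout is an assumption.

```python
import re

# One line of `tcpdump -n` text output: "<time> IP <src> > <dst>: <rest>"
LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")

ADVICE = {
    "no-gre": "Router is not redirecting: check the WCCP interface, ACLs and IOS.",
    "gre-only": "GRE arrives but is not decapsulated: check the GRE tunnel setup.",
    "decap-no-reply": "Inner packets are ignored: check the port 80 intercept "
                      "rules and rp_filter on the GRE interface.",
    "network-ok": "Networking is fine: look at the proxy configuration.",
}


def split_endpoint(endpoint):
    """Split '192.0.2.25.40112' into (address, port); GRE endpoints have no port."""
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), parts[4]
    return endpoint, None


def triage(lines, router, cache, http_port="80"):
    """Return (state, advice) for a capture taken on the cache server."""
    gre = decap = reply = False
    clients = set()
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        src, sport = split_endpoint(m.group(1))
        dst, dport = split_endpoint(m.group(2))
        rest = m.group(3)
        if rest.startswith("GRE"):
            # (a) encapsulated traffic from the router; any inner packet
            # printed on the same line does not count as decapsulated.
            gre = gre or (src == router and dst == cache)
        elif dport == http_port and cache not in (src, dst) and src != router:
            # (b) decapsulated packet: client source, origin-server destination.
            decap = True
            clients.add(src)
        elif sport == http_port and dst in clients:
            # Response sent back to a client seen in (b).
            reply = True
    if not gre:
        state = "no-gre"
    elif not decap:
        state = "gre-only"
    elif not reply:
        state = "decap-no-reply"
    else:
        state = "network-ok"
    return state, ADVICE[state]


# Constructed sample capture (not taken from the thread).
ROUTER, CACHE = "10.10.144.1", "10.10.144.2"
CONTROL = [
    "12:00:00.000001 IP 10.10.144.2.2048 > 10.10.144.1.2048: UDP, length 52",
    "12:00:00.000900 IP 10.10.144.1.2048 > 10.10.144.2.2048: UDP, length 64",
]
GRE = ["12:00:01.000002 IP 10.10.144.1 > 10.10.144.2: GREv0, length 68: gre-proto-0x883e"]
DECAP = ["12:00:01.000003 IP 192.0.2.25.40112 > 198.51.100.7.80: Flags [S], seq 1, length 0"]
REPLY = ["12:00:01.000004 IP 198.51.100.7.80 > 192.0.2.25.40112: Flags [S.], seq 9, ack 2, length 0"]

if __name__ == "__main__":
    for capture in (CONTROL, CONTROL + GRE, CONTROL + GRE + DECAP,
                    CONTROL + GRE + DECAP + REPLY):
        print(triage(capture, ROUTER, CACHE))
```
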


RE: [squid-users] WCCP: Web Cache ID 0.0.0.0

2005-10-03 Thread Shoebottom, Bryan
Henrik,

The WCCP router is actually on that vlan, and there are no ACLs or
VACLs.  As for interception, if I telnet to the proxy on port 80, I get
redirected to squid on port 3128.  Is there something that is supposed
to be done with GRE?  I'm not sure how to test that.
Also, for testing purposes, I have configured the firewall as default to
accept, so the proxy shouldn't be denying any packets.

Thanks,
Bryan


-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: October 1, 2005 11:02 PM
To: Shoebottom, Bryan
Cc: Squid Users
Subject: Re: [squid-users] WCCP: Web Cache ID 0.0.0.0

On Sat, 1 Oct 2005, Shoebottom, Bryan wrote:

> I completed the entire part on wccp.  The result is the web cache ID.
> Any ideas?

Does the router redirect any packets to the proxy server?

Is the firewall interception rules tested and working proper?

Regards
Henrik


RE: [squid-users] WCCP: Web Cache ID 0.0.0.0

2005-09-30 Thread Shoebottom, Bryan
This is the FAQ I have already followed...
What is an MuA?

Thanks,
Bryan



-Original Message-
From: Odhiambo Washington [mailto:[EMAIL PROTECTED] 
Sent: September 30, 2005 4:06 PM
To: Shoebottom, Bryan
Subject: Re: [squid-users] WCCP: Web Cache ID 0.0.0.0

* On 30/09/05 15:21 -0400, Shoebottom, Bryan wrote:
> Hello,
> 
> I have been trying to get wccp and squid to work and have been
> unsuccessful so far.
> I have followed the FAQ at
> http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.13 with the
> following configurations

Man, you need a sane MuA!

Anyway, we once tried out this howto and it worked neatly:

http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.13

See if you can get some ideas out of it while you also look
for a MuA that can wrap characters at around 74.



-Wash

http://www.netmeister.org/news/learn2quote.html

--
+==+
|\  _,,,---,,_ | Odhiambo Washington<[EMAIL PROTECTED]>
Zzz /,`.-'`'-.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_) | GSM: +254 722 743223   +254 733 744121
+==+
If you are a fatalist, what can you do about it?
-- Ann Edwards-Duff


[squid-users] WCCP: Web Cache ID 0.0.0.0

2005-09-30 Thread Shoebottom, Bryan
Hello,

I have been trying to get wccp and squid to work and have been unsuccessful so 
far.  I have followed the FAQ at 
http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.13 with the following 
configurations

Trustix 2.4.31      squid 2.5S10
Slackware 2.4.31    squid 2.5S10
Slackware 2.6.10    squid 2.5S10
Slackware 2.6.10    squid 2.5S11
FreeBSD 5.4         Squid 2.5S10

I have tried these combinations with IOS version 12.1.26E and 12.2.18SXD6 and 
still no solution.  I have tried setting the wccp_incoming_address and 
wccp_outgoing_address to the IP of my only network card, but still nothing 
works.  The following is what I see from my router:

MDIST#sho ip wcc we det
WCCP Cache-Engine information:
    Web Cache ID:  0.0.0.0
    Protocol Version:  0.4
    State: Usable
    Redirection:   GRE
    Packet Return: GRE
    Assignment:    HASH
    Initial Hash Info: 
   
    Assigned Hash Info:    
   
    Hash Allotment:    256 (100.00%)
    Packets Redirected:    15
    Connect Time:  03:16:30

MDIST#sho ip wcc we view
    WCCP Routers Informed of:
    -none-

    WCCP Cache Engines Visible:
    10.10.144.2

    WCCP Cache Engines NOT Visible:
    -none-

MDIST#


Running WCCP packet debug, I can see that the router received a Here I am packet and 
then responds with an I See You packet. The router then assigns the complete 
hash to the squid server, but the server responds with no hash assigned.  
Could it be my gre is setup improperly?  It seems as if the squid server 
doesn't receive/understand anything that is coming from the router.

In FreeBSD i have:
# Kernel settings
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD
device  gre

# GRE tunnel settings
ifconfig gre0 create
ifconfig gre0 10.10.144.2 10.10.144.1 netmask 255.255.255.255 up
ifconfig gre0 tunnel 10.10.144.2 10.10.144.1
route delete 10.10.144.1

# Firewall settings
ipfw add fwd 127.0.0.1,3128 tcp from any to any 80 in


Thanks,
Bryan


RE: [squid-users] Squid disconnects internet...

2005-09-20 Thread Shoebottom, Bryan

Hello,

This is off topic, but do you need this compile time option for WCCP
transparent caches?

Thanks,
Bryan


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: September 20, 2005 2:29 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid disconnects internet...

Jorge,

Squid requires specific compilation parameters if you plan to run the 
cache as transparent:
  --enable-ipf-transparent
or
  --enable-pf-transparent
Respectively...

Did you use either of these?

Tim Rainier
Information Services, Kalsec, INC
[EMAIL PROTECTED]



"Jorge A. Rodriguez" <[EMAIL PROTECTED]> 
09/20/2005 02:10 PM

To: squid-users@squid-cache.org
Subject: [squid-users] Squid disconnects internet...

Hi,
I am having a strange problem, my sarge (debian) box uses squid 2.5 
stable 9, if I use the box to share internet it works fine, but if I add
squid (as transparent proxy) it works for a little while then everything
gets disconnected after 2 minutes (more or less...) and then after some 
other time it gets connected again (I don't get response from internet, 
msn disconnects, telnet connections hangs...) all I get from cache.log is
 CACHEMGR: @127.0.0.1 requesting 'storedir'
 CACHEMGR: @127.0.0.1 requesting 'counters'
  httpReadReply: Excess data from "GET
 From Access.log I get TCP MISS/(with different numbers 200, 0, 304)
Thank you.








RE: [squid-users] WCCP and iptables

2005-09-16 Thread Shoebottom, Bryan
Kumar,

The commands on the router are:
ip wccp version 1
ip wccp web-cache

There are no other rules in iptables, I am trying to create a
transparent proxy from scratch so this is the only project for this box.

Thanks,
Bryan



-Original Message-
From: Raj Kumar Gurung [mailto:[EMAIL PROTECTED] 
Sent: September 15, 2005 10:56 PM
To: Shoebottom, Bryan
Subject: Re: [squid-users] WCCP and iptables

Do you have other IPTABLES rules in your box ?
And whats your cisco command there ?

uglyjoe79

Shoebottom, Bryan wrote:

>Kumar,
>
>Thanks for the info.  These are the commands I have been using to try to
>get this working, but have not been successful.  I rebooted the box and
>started the network config from scratch copying and pasting your
>commands, replacing the appropriate values of course.  But still on the
>cisco router I get the same info from the "show ip wccp web-cache
>detail" command.
>
>When I do a packet capture, I can see that the router hands the cache
>server all the buckets, but when the cache server replies it shows all
>buckets as unassigned.
>
>Also, with this command in iptables, should I not be able to telnet to
>port 80 on the box and be redirected to port 3128?  When I try this
>"telnet localhost 80" I get a connection refused.
>
>Thanks,
>Bryan
>
>
>
>-Original Message-
>From: Raj Kumar Gurung [mailto:[EMAIL PROTECTED] 
>Sent: September 15, 2005 2:05 AM
>To: Shoebottom, Bryan
>Subject: Re: [squid-users] WCCP and iptables
>
>For GRE interception, I have used:
>insmod ip_gre
>iptunnel add gre1 mode gre remote router-IP local squid-box-IP dev ethX
>ifconfig gre1 127.0.0.2 up
>
>Also check if the traffic to port 80 is redirected to the squid
>port. You can try iptables itself for that...
>iptables -t nat -A PREROUTING -i ethX -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>
>I hope it works..
>
>uglyjoe79
>
>Shoebottom, Bryan wrote:
>
>  
>
>>Hello,
>>
>>I am using linux 2.4.31 with ip_gre and cannot seem to get the wccp v1
>>connection to work completely between my router and the squid cache.
>>Here is what I am getting on the router:
>>
>>MDIST#sho ip wcc we det
>>WCCP Cache-Engine information:
>>    Web Cache ID:  0.0.0.0
>>    Protocol Version:  0.4
>>    State: Usable
>>    Redirection:   GRE
>>    Packet Return: GRE
>>    Assignment:    HASH
>>    Initial Hash Info: 
>>
>>    Assigned Hash Info:
>>
>>    Hash Allotment:    256 (100.00%)
>>    Packets Redirected:    15
>>    Connect Time:  03:16:30
>>
>>MDIST#sho ip wcc we view
>>    WCCP Routers Informed of:
>>    -none-
>>
>>    WCCP Cache Engines Visible:
>>    10.10.144.2
>>
>>    WCCP Cache Engines NOT Visible:
>>    -none-
>>
>>MDIST#
>>
>>Even though it is redirecting traffic, the cache can't/doesn't
>>acknowledge it.  I am sure this is a problem with my gre tunnel (if I
>>even need one) and my firewall configuration.  Can someone send me their
>>firewall and gre tunnel config?
>>
>>Thanks,
>>Bryan



RE: [squid-users] WCCP and iptables

2005-09-15 Thread Shoebottom, Bryan
Kumar,

Thanks for the info.  These are the commands I have been using to try to
get this working, but have not been successful.  I rebooted the box and
started the network config from scratch copying and pasting your
commands, replacing the appropriate values of course.  But still on the
cisco router I get the same info from the "show ip wccp web-cache
detail" command.

When I do a packet capture, I can see that the router hands the cache
server all the buckets, but when the cache server replies it shows all
buckets as unassigned.

Also, with this command in iptables, should I not be able to telnet to
port 80 on the box and be redirected to port 3128?  When I try this
"telnet localhost 80" I get a connection refused.

Thanks,
Bryan



-Original Message-
From: Raj Kumar Gurung [mailto:[EMAIL PROTECTED] 
Sent: September 15, 2005 2:05 AM
To: Shoebottom, Bryan
Subject: Re: [squid-users] WCCP and iptables

For GRE interception, I have used:
insmod ip_gre
iptunnel add gre1 mode gre remote router-IP local squid-box-IP dev ethX
ifconfig gre1 127.0.0.2 up

Also check if the traffic to port 80 is redirected to the squid
port. You can try iptables itself for that...
iptables -t nat -A PREROUTING -i ethX -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

I hope it works..

uglyjoe79

Shoebottom, Bryan wrote:

>Hello,
>
>I am using linux 2.4.31 with ip_gre and cannot seem to get the wccp v1
>connection to work completely between my router and the squid cache.
>Here is what I am getting on the router:
>
>MDIST#sho ip wcc we det
>WCCP Cache-Engine information:
>    Web Cache ID:  0.0.0.0
>    Protocol Version:  0.4
>    State: Usable
>    Redirection:   GRE
>    Packet Return: GRE
>    Assignment:    HASH
>    Initial Hash Info: 
>
>    Assigned Hash Info:
>
>    Hash Allotment:    256 (100.00%)
>    Packets Redirected:    15
>    Connect Time:  03:16:30
>
>MDIST#sho ip wcc we view
>    WCCP Routers Informed of:
>    -none-
>
>    WCCP Cache Engines Visible:
>    10.10.144.2
>
>    WCCP Cache Engines NOT Visible:
>    -none-
>
>MDIST#
>
>Even though it is redirecting traffic, the cache can't/doesn't
>acknowledge it.  I am sure this is a problem with my gre tunnel (if I
>even need one) and my firewall configuration.  Can someone send me their
>firewall and gre tunnel config?
>
>Thanks,
>Bryan


[squid-users] WCCP and iptables

2005-09-14 Thread Shoebottom, Bryan
Hello,

I am using linux 2.4.31 with ip_gre and cannot seem to get the wccp v1 
connection to work completely between my router and the squid cache.  Here is 
what I am getting on the router:

MDIST#sho ip wcc we det
WCCP Cache-Engine information:
    Web Cache ID:  0.0.0.0
    Protocol Version:  0.4
    State: Usable
    Redirection:   GRE
    Packet Return: GRE
    Assignment:    HASH
    Initial Hash Info: 
   
    Assigned Hash Info:    
   
    Hash Allotment:    256 (100.00%)
    Packets Redirected:    15
    Connect Time:  03:16:30

MDIST#sho ip wcc we view
    WCCP Routers Informed of:
    -none-

    WCCP Cache Engines Visible:
    10.10.144.2

    WCCP Cache Engines NOT Visible:
    -none-

MDIST#

Even though it is redirecting traffic, the cache can't/doesn't acknowledge it.  
I am sure this is a problem with my gre tunnel (if I even need one) and my 
firewall configuration.  Can someone send me their firewall and gre tunnel 
config?

Thanks,
Bryan