networking-forum.com
All times are UTC - 6 hours [ DST ]
Post new topic Reply to topic  [ 40 posts ]  Go to page Previous  1, 2
PostPosted: Mon Jul 30, 2012 7:32 am 
Post Whore

Joined: Mon Nov 16, 2009 8:10 pm
Posts: 2509
Location: San Diego, CA
Certs: CCNP, BCNE, Network+, Security+
Hrmm... finding/understanding the Squid configuration side of the house is going to take a bit of a learning curve for me... I have to get ready for work but have you checked out:

http://parvinderbhasin.blogspot.com/200 ... setup.html

Maybe that will help, and maybe you can use web-cache - I'm just not used to it. If you do use web-cache which it looks like in your pcap... then I can see one problem: You need to get rid of the service ID 0 stuff. According to your config, you've set up two service groups (web-cache and service ID 0), but have only tied one of those service groups to an interface - service ID 0. According to the WCCP comms in the pcap, it's only using web-cache, and you haven't set a redirect statement for that on an interface, so of course it's not going to redirect anything.

Your config should look something like this:

Code:
ip wccp web-cache group-list ACL-WCCP redirect-list ACL-PROXY
int vlan 1
ip wccp web-cache redirect in


EDIT - Verification commands: sh ip wccp web-cache, sh ip wccp web-cache detail, debug ip wccp packets, debug ip wccp events

"web-cache" is what is known as a well-known service. Using a numbered service like 0-whatever is called a dynamic service. You can tie whatever ports you want to it - even multiple ports. For example, when I worked at Websense with their proxy, we used service ID 0 for both HTTP and HTTPS.

_________________
Regards,

Steven King
San Diego Cisco User Group - http://www.sdcug.com
"The only time something is impossible is when you think it is." - Kevin Corbin, CCIE #11577


PostPosted: Mon Jul 30, 2012 8:59 am 
Moderator

Joined: Mon Apr 07, 2008 10:38 am
Posts: 9390
Location: Orlando, FL
Certs: CCNP RS, CCNP DC, CCDP, CCIP
Steven King wrote:
That's a myth outside of the ASA. That's why I use specific L4 statements in redirect lists with ASAs.

Which ports are to be redirected is already defined in the service group (do a pcap on UDP port 2048 to confirm) - test it yourself on a switch. It will only redirect what you've defined in the service group (port 80, port 443, etc.) despite allowing everything in the redirect list. I've had hit/miss behavior with this on an ASA, so I always specify what ports are to be redirected. However, it doesn't hurt to specify outside of the ASA as well.

Another nice thing about the built-in mechanisms of WCCP is that you don't have to specify a deny statement for your proxy (another myth was that a deny statement had to be present to avoid loops) - the WCCP server has a view of what WCCP clients it has, so if it receives traffic from one of its clients, it will not redirect it - even if you specifically permit it in the redirect list ACL.


This isn't the behavior I've seen. Can you post some links describing this?

Sent from my EVO using Tapatalk 2

_________________
http://blog.alwaysthenetwork.com


PostPosted: Mon Jul 30, 2012 2:13 pm 
Post Whore

Joined: Mon Nov 16, 2009 8:10 pm
Posts: 2509
Location: San Diego, CA
Certs: CCNP, BCNE, Network+, Security+
The bug I'm referring to that I've run into is somewhat described here:

http://doublef.org/archives/be-transparent-with-wccp

Generally, whenever I was troubleshooting a WCCP deployment with an ASA while working at Websense, if all other configuration was correct and they were using simple IP statements, such as permit ip any any, changing the format to read permit tcp any any eq www fixed most quirky problems. I didn't take note of what versions they were running. Despite a conference call where a TAC said to not do this, I told all of the customers I worked with to configure it that way, just for ASAs.

_________________
Regards,

Steven King
San Diego Cisco User Group - http://www.sdcug.com


PostPosted: Mon Jul 30, 2012 2:16 pm 
Moderator

Joined: Mon Apr 07, 2008 10:38 am
Posts: 9390
Location: Orlando, FL
Certs: CCNP RS, CCNP DC, CCDP, CCIP
Nah, I'm asking about the router not sending packets to the WCCP device. I don't believe this is true. I believe it's sent, then the WCCP device returns it.

_________________
http://blog.alwaysthenetwork.com


PostPosted: Mon Jul 30, 2012 2:25 pm 
Post Whore

Joined: Mon Nov 16, 2009 8:10 pm
Posts: 2509
Location: San Diego, CA
Certs: CCNP, BCNE, Network+, Security+
I see. I don't have links. I was the WCCP SME at Websense in Technical Support. I've just done pcaps... and pcaps.. and pcaps... cross referenced the RFC... troubleshot customer environments, etc etc.

It's easy to test this yourself:

1. Configure your redirect list to redirect everything, or don't use one at all.
2. Configure your dynamic service group for dest port 80.
3. Start throwing https traffic at the switch/router while doing a tcpdump/pcap on the proxy. I'll bet my paycheck that HTTP traffic will hit your proxy, but HTTPS will not.

I mean think about it; some switch platforms don't even allow a redirect list - do you honestly think it's going to redirect ALL of your enterprise traffic to the proxy for the proxy to return what's not used? That would be extremely inefficient.

If you notice, you don't specify source or dest port in the redirect list ACL either; it's the characteristics of the service group that tell it to only redirect traffic destined for port 80, not sourced from it. If you pcap the WCCP traffic and look in the appropriate field, you'll see that the "dest port" bit is turned on. In a "reverse service group", like you would use for IP spoofing to control traffic flow in both directions, the "source port" bit is turned on.

_________________
Regards,

Steven King
San Diego Cisco User Group - http://www.sdcug.com


PostPosted: Mon Jul 30, 2012 2:36 pm 
Post Whore

Joined: Mon Nov 16, 2009 8:10 pm
Posts: 2509
Location: San Diego, CA
Certs: CCNP, BCNE, Network+, Security+
I forgot about the pcap that the OP included. Seeing this I have to say I'm not that familiar with web-cache as we used dynamic service IDs, but this section of the WCCP comms is what I'm referring to:

Attachment: Capture.PNG


In a dynamic service group, it's in this section where the characteristics of the service group are defined. That's why you can configure service ID.... "5" for example, but the device has no idea what that means until the proxy defines what exactly makes up service ID 5.. such as destination port 80 via the HIA messages it sends..

_________________
Regards,

Steven King
San Diego Cisco User Group - http://www.sdcug.com
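The service definition Steven is describing, with its "dest port" bit and port list, is carried in the Service Info component of the client's Here_I_Am. The following is an added example, not code from this thread or from Squid: it encodes and decodes that component using the field layout from the WCCPv2 Internet-Draft (service type, ID, priority, protocol, flags, eight ports), then models the router's redirect decision the way the posts above describe it: traffic sourced from a registered client is never redirected, the redirect list must permit it, and the packet must match the service's protocol and port list. The addresses, the dynamic service ID 90, the ACL entries and the `should_redirect` / `acl_permits` models are constructed assumptions, not anything captured from a real router.

```python
import struct

# WCCPv2 Service Info component, as carried in a client's Here_I_Am (HIA).
# Field layout follows the WCCPv2 Internet-Draft:
#   type(2) length(2) service_type(1) service_id(1) priority(1) protocol(1)
#   flags(4) ports(8 x 2)
WCCP2_SERVICE_INFO = 1
SERVICE_STANDARD = 0         # well-known service; web-cache is standard ID 0
SERVICE_DYNAMIC = 1          # numbered service whose definition the client supplies
FLAG_SRC_IP_HASH = 0x0001
FLAG_DST_IP_HASH = 0x0002
FLAG_SRC_PORT_HASH = 0x0004
FLAG_DST_PORT_HASH = 0x0008
FLAG_PORTS_DEFINED = 0x0010  # the port list is significant
FLAG_PORTS_SOURCE = 0x0020   # ports are source ports (reverse group); clear = destination
TCP = 6


def build_service_info(service_type, service_id, priority, protocol, flags, ports=()):
    """Encode one Service Info component the way a WCCP client announces it."""
    port_list = list(ports) + [0] * (8 - len(ports))
    body = struct.pack("!BBBBI8H", service_type, service_id, priority, protocol, flags, *port_list)
    return struct.pack("!HH", WCCP2_SERVICE_INFO, len(body)) + body


def parse_service_info(data):
    """Decode a Service Info component into the definition the router learns."""
    ctype, length = struct.unpack("!HH", data[:4])
    if ctype != WCCP2_SERVICE_INFO or length != 24 or len(data) < 4 + length:
        raise ValueError("not a well-formed WCCP2 Service Info component")
    stype, sid, prio, proto, flags, *ports = struct.unpack("!BBBBI8H", data[4:28])
    if stype == SERVICE_STANDARD:
        # web-cache is TCP destination port 80 by definition; nothing is carried
        proto, ports, direction = TCP, [80], "destination"
    elif flags & FLAG_PORTS_DEFINED:
        ports = [p for p in ports if p]
        direction = "source" if flags & FLAG_PORTS_SOURCE else "destination"
    else:
        ports, direction = [], None  # any port of the protocol
    return {"type": stype, "id": sid, "priority": prio, "protocol": proto,
            "flags": flags, "ports": ports, "port_direction": direction}


def acl_permits(redirect_list, pkt):
    """First-match evaluation of a simplified extended ACL (assumed model).
    Entries are (action, protocol, destination port); protocol "ip" and
    port None are wildcards, and there is an implicit deny at the end."""
    for action, proto, dport in redirect_list:
        if proto in ("ip", pkt["proto"]) and dport in (None, pkt["dport"]):
            return action == "permit"
    return False


def should_redirect(service, pkt, redirect_list, wccp_clients):
    """Model of the router's redirect decision as described in the thread:
    traffic sourced from a registered WCCP client is never redirected, the
    redirect list (if any) must permit it, and it must match the service's
    protocol and port list. Returns (decision, reason)."""
    if pkt["src"] in wccp_clients:
        return False, "sourced from a WCCP client"
    if redirect_list is not None and not acl_permits(redirect_list, pkt):
        return False, "denied by redirect list"
    if pkt["proto"] != service["protocol"]:
        return False, "protocol not in service group"
    if service["ports"]:
        port = pkt["dport"] if service["port_direction"] == "destination" else pkt["sport"]
        if port not in service["ports"]:
            return False, "port %d not in service group ports %s" % (port, service["ports"])
    return True, "redirected"


# Constructed sample: a dynamic service (ID 90, assumed) for HTTP and HTTPS and
# the well-known web-cache service, both as a client would announce them.
PROXY = "10.1.1.10"  # constructed proxy address
HTTP_HTTPS = parse_service_info(build_service_info(
    SERVICE_DYNAMIC, 90, 240, TCP, FLAG_DST_IP_HASH | FLAG_PORTS_DEFINED, [80, 443]))
WEB_CACHE = parse_service_info(build_service_info(SERVICE_STANDARD, 0, 240, TCP, FLAG_DST_IP_HASH))
PERMIT_ALL = [("permit", "ip", None)]  # redirect list that allows everything


def demo():
    client_https = {"src": "10.2.2.20", "dst": "203.0.113.5", "proto": TCP, "sport": 50000, "dport": 443}
    from_proxy = dict(client_https, src=PROXY)
    return {
        "https via dynamic group": should_redirect(HTTP_HTTPS, client_https, PERMIT_ALL, {PROXY}),
        "https via web-cache": should_redirect(WEB_CACHE, client_https, PERMIT_ALL, {PROXY}),
        "proxy's own traffic": should_redirect(HTTP_HTTPS, from_proxy, PERMIT_ALL, {PROXY}),
    }


if __name__ == "__main__":
    for name, (decision, reason) in demo().items():
        print(f"{name:26s} -> {decision} ({reason})")
```

The three cases in `demo()` reproduce the test Steven proposes: with a permit-everything redirect list, HTTPS is redirected by the dynamic group that lists 443, is not redirected by web-cache (port 80 only), and the proxy's own outbound traffic is never redirected regardless of the ACL. When checking a real capture, Wireshark decodes the same flags and port list under the Service Info component of the Here_I_Am on UDP port 2048.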


PostPosted: Mon Jul 30, 2012 2:44 pm 
Moderator

Joined: Mon Apr 07, 2008 10:38 am
Posts: 9390
Location: Orlando, FL
Certs: CCNP RS, CCNP DC, CCDP, CCIP
Hmm. Wish I had something to test this on.

_________________
http://blog.alwaysthenetwork.com


PostPosted: Mon Jul 30, 2012 2:47 pm 
Post Whore

Joined: Mon Nov 16, 2009 8:10 pm
Posts: 2509
Location: San Diego, CA
Certs: CCNP, BCNE, Network+, Security+
I just noticed how often I threw the Websense card.. and I have to say I'm a little ashamed. :P

_________________
Regards,

Steven King
San Diego Cisco User Group - http://www.sdcug.com


PostPosted: Mon Jul 30, 2012 2:50 pm 
Moderator

Joined: Mon Apr 07, 2008 10:38 am
Posts: 9390
Location: Orlando, FL
Certs: CCNP RS, CCNP DC, CCDP, CCIP
I'm looking at the capture from this link:

http://mccltd.net/blog/?p=1266

When I look at the Service ID, I see Dynamic? It doesn't say anything about which ports/services to redirect. Am I missing something in this capture? It appears to me that the router is going to send whatever is in the redirect list.

_________________
http://blog.alwaysthenetwork.com


PostPosted: Mon Jul 30, 2012 2:50 pm 
Moderator

Joined: Mon Apr 07, 2008 10:38 am
Posts: 9390
Location: Orlando, FL
Certs: CCNP RS, CCNP DC, CCDP, CCIP
Steven King wrote:
I just noticed how often I threw the Websense card.. and I have to say I'm a little ashamed. :P


I've answered a lot of stupid WCCP questions you asked in the past, so I'm not willing to take your word for it, lol.

_________________
http://blog.alwaysthenetwork.com


PostPosted: Mon Jul 30, 2012 3:09 pm 
Post Whore

Joined: Mon Nov 16, 2009 8:10 pm
Posts: 2509
Location: San Diego, CA
Certs: CCNP, BCNE, Network+, Security+
Yep, there was definitely a learning curve when I first started... considering I had to do it all myself with no training.

However, I don't remember "a lot of stupid WCCP questions". Thanks though....

So, it looks like the way the ports are defined can differ, but still, even in that article it says:
"Lead WCCP client (lowest IP address) instructs routers on protocol/port, assignment, forwarding, and return methods"

So basically:
1. HIA and ISU messages are sent back and forth (Negotiation)
2. After service group stabilizes, a "designated web cache" is elected (Lead WCCP Client)
3. The "lead WCCP client" sends a redirect assign that defines the service group, methods, etc.
4. Whenever there is a change in service group membership (Loss of a proxy, etc.), another redirect assign is sent to properly redistribute traffic among the remaining members of the service group.

Here's an example from the BlueCoat side of the house where the dynamic service group is configured:
https://hypersonic.bluecoat.com/doc/435
*Reference the "Redirect HTTP and Streaming" section.

And actually, I found a screenshot of a pcap from one of the docs I did:
Attachment: Capture.PNG


There you can clearly see what's defined.. again though, I guess different WCCP clients do this in different ways.

_________________
Regards,

Steven King
San Diego Cisco User Group - http://www.sdcug.com
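Steps 2 to 4 in the post above (lead client election, the Redirect_Assign that hands out the service group's traffic, and redistribution when a member drops out) as an added model, not code from this thread or from any vendor. It assumes WCCPv2 hash assignment, where the assignment table maps each of 256 buckets to one cache, the lead client is the member with the lowest IP address, the initial split is even, and the router's bucket hash is a placeholder (`bucket_for`, constructed); the cache addresses are constructed too. The point it makes is operational: a redistribution that only reassigns the lost member's buckets leaves every other bucket, and so every other flow, where it was.

```python
import ipaddress
from collections import Counter

BUCKETS = 256  # WCCPv2 hash assignment: 256 buckets, each owned by one cache


def _addr(ip):
    return int(ipaddress.ip_address(ip))


def designated_client(clients):
    """The lead WCCP client that sends Redirect_Assign: lowest IP address."""
    return min(clients, key=_addr)


def assign_buckets(clients):
    """Initial Redirect_Assign table: an even split of the buckets over the
    service group members, in address order (assumed policy)."""
    members = sorted(clients, key=_addr)
    return [members[i * len(members) // BUCKETS] for i in range(BUCKETS)]


def reassign_after_loss(table, lost, remaining):
    """Table after a member leaves: buckets owned by a surviving member stay
    put; only the lost member's buckets are dealt out round-robin, so the
    minimum number of flows changes hands."""
    survivors = sorted(remaining, key=_addr)
    new_table = list(table)
    dealt = 0
    for i, owner in enumerate(table):
        if owner == lost:
            new_table[i] = survivors[dealt % len(survivors)]
            dealt += 1
    return new_table


def bucket_for(dst_ip):
    """Placeholder bucket hash (constructed): routers use their own hash over
    the destination address; only the bucket -> cache table is protocol-defined."""
    return sum(_addr(dst_ip).to_bytes(4, "big")) % BUCKETS


def moved_buckets(old, new):
    """How many buckets (and so how many flows) change cache between two tables."""
    return sum(1 for a, b in zip(old, new) if a != b)


def demo():
    caches = ["10.1.1.12", "10.1.1.10", "10.1.1.11"]  # constructed proxy addresses
    table = assign_buckets(caches)
    lost = "10.1.1.11"
    after = reassign_after_loss(table, lost, [c for c in caches if c != lost])
    flow = "203.0.113.5"  # constructed destination of an existing client flow
    return {
        "lead": designated_client(caches),
        "initial_share": dict(Counter(table)),
        "after_loss_share": dict(Counter(after)),
        "buckets_moved": moved_buckets(table, after),
        "flow_target_before": table[bucket_for(flow)],
        "flow_target_after": after[bucket_for(flow)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} {value}")
```

Losing one of three caches moves exactly the 85 buckets that cache owned and nothing else; a naive full re-split would instead reshuffle buckets across the survivors and break existing sessions on both of them.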


PostPosted: Mon Jul 30, 2012 3:10 pm 
Moderator

Joined: Mon Apr 07, 2008 10:38 am
Posts: 9390
Location: Orlando, FL
Certs: CCNP RS, CCNP DC, CCDP, CCIP
So I just read the RFC and it SEEMS to say what you're saying. I'm wondering if the issue is that the capture I'm looking at is from a Riverbed, which will accept/optimize pretty much anything TCP and it's saying send me whatever as long as it's TCP. I need a capture from a proxy.

_________________
http://blog.alwaysthenetwork.com


PostPosted: Mon Jul 30, 2012 3:11 pm 
Moderator

Joined: Mon Apr 07, 2008 10:38 am
Posts: 9390
Location: Orlando, FL
Certs: CCNP RS, CCNP DC, CCDP, CCIP
Steven King wrote:
However, I don't remember "a lot of stupid WCCP questions".


Want me to link them for you?

_________________
http://blog.alwaysthenetwork.com


PostPosted: Mon Jul 30, 2012 3:14 pm 
Post Whore

Joined: Mon Nov 16, 2009 8:10 pm
Posts: 2509
Location: San Diego, CA
Certs: CCNP, BCNE, Network+, Security+
Vito_Corleone wrote:
It appears to me that the router is going to send whatever is in the redirect list.


Instead of arguing.... test it yourself and find out. Besides your opinion, do you have any proof debunking what I'm saying? I bet when you look for it, you'll find the info that what I'm saying is correct.

If I'm wrong, I'll look like an even bigger douche, and I'll admit it. :P

_________________
Regards,

Steven King
San Diego Cisco User Group - http://www.sdcug.com


PostPosted: Mon Jul 30, 2012 3:17 pm 
Moderator

Joined: Mon Apr 07, 2008 10:38 am
Posts: 9390
Location: Orlando, FL
Certs: CCNP RS, CCNP DC, CCDP, CCIP
I posted the info. That capture above has no port information. As I said, it looks like proxies will behave differently than WAN optimization devices. I've never used WCCP with a proxy, only WAAS and Riverbed.

I can't test it myself, I have nothing to test with.

_________________
http://blog.alwaysthenetwork.com


PostPosted: Mon Jul 30, 2012 3:23 pm 
Post Whore

Joined: Mon Nov 16, 2009 8:10 pm
Posts: 2509
Location: San Diego, CA
Certs: CCNP, BCNE, Network+, Security+
Gotcha, I can say the same for WAAS - no idea how that works. I did buy a book on WAAS though to try to learn more about WCCP, and I remember there are some distinct differences between WAAS implementations and proxies IIRC... a big one, for example, is I think with proxies WCCP is not stateful but with WAAS it is?

_________________
Regards,

Steven King
San Diego Cisco User Group - http://www.sdcug.com


PostPosted: Mon Jul 30, 2012 3:25 pm 
Moderator

Joined: Mon Apr 07, 2008 10:38 am
Posts: 9390
Location: Orlando, FL
Certs: CCNP RS, CCNP DC, CCDP, CCIP
I don't remember. It's been awhile.

_________________
http://blog.alwaysthenetwork.com


PostPosted: Thu Aug 09, 2012 11:38 am 
Post Whore

Joined: Sun May 15, 2011 4:16 pm
Posts: 1417
Location: Belgium
Certs: CCNA Security, CCNP
Finally, working!

- The custom service group did not work, I had to use standard web-cache.
- I'm not sure how as I didn't see anything related to it on my Wireshark captures, but without a working default gateway, Squid doesn't do anything. It had a gateway defined but upon closer examination it never passed any data to the internet.
- I had to use a separate subnet for the proxy, apart from the clients.
- The ACL-PROXY as an extended access list did not work. As a standard ACL it did.

It's great, I see layer 4 redirects working, everything coming in over layer 2.

Thanks to all of you for the assistance!

_________________
http://reggle.wordpress.com


PostPosted: Mon Aug 13, 2012 11:06 am 
Post Whore

Joined: Mon Nov 16, 2009 8:10 pm
Posts: 2509
Location: San Diego, CA
Certs: CCNP, BCNE, Network+, Security+
Outstanding - glad it works. Were you using L2 or GRE for the redirect? When using L2, I think your proxy always has to reside on a separate subnet from the clients, IIRC. I can't remember the explanation why.... something to do with how L2 only re-writes the dest MAC address and doesn't add an additional L3 header like it would with GRE... bah anyways.... good job. :D

_________________
Regards,

Steven King
San Diego Cisco User Group - http://www.sdcug.com


PostPosted: Tue Aug 14, 2012 2:25 am 
Post Whore

Joined: Sun May 15, 2011 4:16 pm
Posts: 1417
Location: Belgium
Certs: CCNA Security, CCNP
Thanks! The switch only supported layer 2.

_________________
http://reggle.wordpress.com

