
WCCPV2 Proxy failed to reach router


niknok236
This post has NOT been accepted by the mailing list yet.
All, I need assistance with a WCCPv2 proxy; no traffic is seen in the tunnel. Below is the current configuration.
Thanks in advance,

No traffic seen in gre1 (tcpdump -i gre1)
-------------
Given:
-----------------------------------
Cisco 1800  
interface facing Internet: Fa0
Proxy Server: CentOS 7
Router IP: 192.168.2.1
Squid proxy IP: 19.168.2.13 on ensp0s3
Tunnel Interface: gre1
gre1 assigned IP: 10.10.10.1
local network: 192.168.2.0/24 and 192.168.3.0/24
-------------------------------------------------------------------
/etc/sysconfig/selinux
SELINUX=disabled
------------------------
/etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Wed Mar 29 18:03:32 2017
*filter
:INPUT ACCEPT [19:1702]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14:1532]
-A INPUT -i gre1 -j ACCEPT
-A INPUT -i gre -j ACCEPT
-A INPUT -i gre -j ACCEPT
-A INPUT -m tcp -p tcp --dport 3128 -j ACCEPT
-A INPUT -s 192.168.2.1 -d 192.168.2.13 -p gre -j ACCEPT
COMMIT
# Completed on Wed Mar 29 18:03:32 2017
*nat
:PREROUTING ACCEPT [35:3958]
:INPUT ACCEPT [34:3721]
:OUTPUT ACCEPT [5:380]
:POSTROUTING ACCEPT [5:380]
-A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT
--------------------------------------------------------------------------
/etc/squid/squid.conf
# Transparent proxy via WCCPv2
visible_hostname CENTOS7_WCCP
http_port 3128 transparent
wccp2_router 192.168.2.1
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
--------------------------------------------------------
/etc/sysctl.conf
# set to 1 to enable the packet forwarding feature
net.ipv4.ip_forward = 1
# set to 0 to disable the reverse path filter behavior
net.ipv4.conf.default.rp_filter = 0
---------------------------------------------------------
$ sudo modprobe ip_gre
$ lsmod | grep gre
------------------------------------------------
$ sudo ip tunnel add gre1 mode gre remote 192.168.2.1 local 192.168.2.13 ttl 255
$ sudo ip link set gre1 up
$ sudo ip addr add 10.10.10.1/24 dev gre1
----------------------------------------------
ip route show
iptables -F -t nat
# The following line redirects all HTTP packets which exit gre1 to port 3128 on the local Squid server.
iptables -t nat -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.13:3128

# enable IP forwarding, disable route packet filters between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/enp0s3/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter
---------------------------------------------------
WCCPv2 configuration on 1800
! Set WCCP to version 2
ip wccp version 2
! Create an access list to define the proxy server(s) on your network:
access-list 20 permit 192.168.2.13
ip wccp web-cache group-list 20
! Create another access list to define which hosts are subject to proxy and which hosts are denied/bypass (the proxy server(s) and any other clients you want to access the Internet w/o proxy).
sh run | i access-list 120
access-list 120 deny   ip host 192.168.1.13 any
access-list 120 remark ACL for WCCP proxy access
access-list 120 remark Squid proxies bypass WCCP
access-list 120 remark LAN clients proxy port 80 only
access-list 120 permit tcp 192.168.2.0 0.0.0.255 any eq www
access-list 120 permit tcp 192.168.3.0 0.0.0.255 any eq www
access-list 120 remark all others bypass WCCP
access-list 120 deny   ip any any
! Apply the ACLs to WCCP
ip wccp web-cache redirect-list 120
--------------------------------------------------
Fa0: WCCP Redirect inbound is enabled

! Verify configuration:
sh ip wccp
----------------------------------------------------
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.2.1
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        0
          Process:                           0
          CEF:                               0
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect Access-list:                120
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group Access-list:                   -none-
        Total Messages Denied to Group:      8
        Total Authentication failures:       40
        Total GRE Bypassed Packets Received: 0
-----------------------------------------------------------------------
sh ip wccp
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.2.1
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Service Group Clients:     2
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        0
          Process:                           0
          CEF:                               0
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect Access-list:                120
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group Access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0

Plutus#sh adjacency tunnel 0 detail
IP       Tunnel0                   192.168.2.13(3)
                                   connectionid 1
                                   0 packets, 0 bytes
                                   epoch 0
                                   sourced in sev-epoch 69
                                   Encap length 28
                                   4500000000000000FF2F3670C0A80201
                                   C0A8020D0000883E00000000
                                   Tun endpt
                                   Next chain element:
                                    IP adj out of Vlan10, addr 192.168.2.13
Plutus#sh ip wccp summary
WCCP version 2 enabled, 1 service

Service     Clients   Routers   Assign      Redirect   Bypass
-------     -------   -------   ------      --------   ------
Default routing table (Router Id: 192.168.2.1):
web-cache   2         1         HASH        GRE        GRE

#sh ip wccp interfaces cef
WCCP/CEF interface configuration:
    FastEthernet0
        Output services: 0
        Input services:  1
            Static:      web-cache
        Mcast services:  0
        Exclude In:      FALSE
        Output count:    0
        Input count      0

#sh ip wccp interfaces counts
WCCP interface counts:
    FastEthernet0
        Output packets redirected
            Process: 0
            CEF:     0
        Input packets redirected
            Process: 0
            CEF:     0
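
Added example, not part of the original post: the 28-byte encapsulation string in the "sh adjacency tunnel 0 detail" output can be decoded to see which endpoints and GRE protocol type the router will use for redirected packets, and compared with the endpoints given to "ip tunnel add". The function names are hypothetical; the hex bytes are copied from the output above.

```python
import ipaddress
import struct

# Encap bytes copied from the "sh adjacency tunnel 0 detail" output in the post.
ENCAP_HEX = "4500000000000000FF2F3670C0A80201C0A8020D0000883E00000000"
IPPROTO_GRE = 47
GRE_PROTO_WCCP = 0x883E  # GRE protocol type that marks WCCP-redirected packets


def decode_encap(hex_string):
    """Split a router encap string into its IPv4, GRE and trailing fields."""
    raw = bytes.fromhex(hex_string)
    if len(raw) < 24 or raw[0] >> 4 != 4:
        raise ValueError("expected at least an IPv4 header plus a GRE header")
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl + 4:
        raise ValueError("bad IPv4 header length")
    ttl, proto = raw[8], raw[9]
    # One's-complement sum over the header (checksum field included) folds to
    # 0xFFFF when the stored checksum is consistent with the other fields.
    total = sum(struct.unpack("!%dH" % (ihl // 2), raw[:ihl]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    gre_flags, gre_proto = struct.unpack("!HH", raw[ihl:ihl + 4])
    return {
        "encap_len": len(raw),
        "ttl": ttl,
        "ip_proto": proto,
        "checksum_ok": total == 0xFFFF,
        "src": str(ipaddress.IPv4Address(raw[12:16])),
        "dst": str(ipaddress.IPv4Address(raw[16:20])),
        "gre_flags": gre_flags,
        "gre_proto": gre_proto,
        "after_gre": raw[ihl + 4:],  # WCCPv2 adds a 4-byte redirect header here
    }


def check_endpoints(info, tunnel_remote, tunnel_local):
    """Compare the router's encap with the Linux 'ip tunnel add' endpoints."""
    problems = []
    if info["ip_proto"] != IPPROTO_GRE or info["gre_proto"] != GRE_PROTO_WCCP:
        problems.append("encap is not WCCP-over-GRE")
    if info["src"] != tunnel_remote:
        problems.append("router sources GRE from %s, tunnel remote is %s" % (info["src"], tunnel_remote))
    if info["dst"] != tunnel_local:
        problems.append("router sends GRE to %s, tunnel local is %s" % (info["dst"], tunnel_local))
    return problems
```

Calling check_endpoints(decode_encap(ENCAP_HEX), "192.168.2.1", "192.168.2.13") with the remote and local addresses from the "ip tunnel add" command returns an empty list when both sides agree.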