rsp_it asked:
Ubuntu 18.04 squid wccp issue

Hi all,

We have a squid proxy server on Ubuntu 16.04 in our company and use a Cisco ASA to redirect the Internet traffic through a wccp tunnel. We planned to upgrade Ubuntu to 18.04 recently.

I set up the new proxy server on Ubuntu 18.04 in a test environment, but wccp didn't work.

Here are the configurations and some troubleshooting steps I have taken:

### Squid config
---
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost

http_access allow all    # allow all for test

http_port 3128 intercept
http_port 3127

cache_store_log daemon:/var/log/squid/store.log

coredump_dir /var/spool/squid

#url_rewrite_program /usr/sbin/ufdbgclient -m 4 -l /var/log/squid
#url_rewrite_children 16 startup=8 idle=2 concurrency=4 queue-size=64

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

wccp2_router x.x.x.x
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_assignment_method hash
wccp2_service standard 0 password=test123    #set password on firewall to make sure only this proxy is usable
---

- I have checked the route and firewall ACL; the network part is ok.
- Specifying the proxy and port in the browser's settings, the traffic can be proxied.
- Running tcpdump on the wccp gre tunnel, I can see the http request was redirected to the proxy server.
- No access log for the redirected traffic.
- I tried both the squid from the official repository and a build script; neither worked.
- I tried replacing the Ubuntu default network manager netplan with the old ifup/ifdown; it did not work.
- I set up the proxy on Debian 10 with the exact same configuration; everything works fine.

Based on the above information, I want to know: did I misconfigure something on Ubuntu 18.04, or is it a bug?
arnold replied:

What is the status of the gre tunnel on the labs Cisco connection?
Are you allowing gre traffic through the Ubuntu firewall?
Protocol 47? Cisco initiates the gre tunnel.

Ubuntu firewall?
ASKER CERTIFIED SOLUTION: arnold (solution text not available in this copy)
rsp_it (asker) replied:
Thanks, the issue was solved by disabling the rp_filter.
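Putting arnold's GRE/protocol 47 firewall questions and the asker's rp_filter finding together, here is an added preflight script for a Linux host that receives WCCP GRE redirects. It is mine, not code from the thread, from Squid or from Ubuntu. It assumes the GRE tunnel interface is named wccp0 and uses 192.0.2.1 as a constructed placeholder for the ASA address; the sysctl and iptables samples embedded in it are constructed too. The caveat it encodes is documented kernel behaviour: the effective reverse-path filter on an interface is the maximum of net.ipv4.conf.all.rp_filter and the per-interface value, so relaxing only the tunnel interface does nothing while the global knob is still strict, which is an easy way to "disable rp_filter" and still see no access log.

```shell
#!/bin/sh
# wccp_preflight.sh -- hypothetical helper, not from the thread: checks the two
# things the thread turns on for Squid behind WCCP/GRE on Linux.
#   1. reverse-path filtering: net.ipv4.conf.*.rp_filter
#   2. input firewall: IP protocol 47 (GRE) from the ASA must be accepted
# Both checks are plain text filters so they run on the constructed samples
# below; "--live" feeds them real sysctl(8)/iptables(8) output instead.

# Constructed sample of `sysctl -a` output: strict rp_filter globally, plus a
# WCCP GRE interface (wccp0, assumed name) that someone set to loose locally.
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.wccp0.rp_filter = 2
net.ipv4.ip_forward = 0'

# Constructed sample of `iptables -S INPUT`; 192.0.2.1 is a placeholder for
# the ASA.  (The port-80 -> 3128 REDIRECT lives in the nat table, not here.)
SAMPLE_IPTABLES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.1/32 -p gre -j ACCEPT
-A INPUT -i wccp0 -p tcp -m tcp --dport 3128 -j ACCEPT'

# Read "key = value" lines on stdin, print "<iface> <effective rp_filter>".
# The kernel applies max(conf.all.rp_filter, conf.<iface>.rp_filter).
# Strict mode (1) drops a packet arriving on an interface that is not the
# route back to its source; a client packet decapsulated from the WCCP tunnel
# carries a LAN source but arrives on wccp0, so it is dropped before Squid
# sees it -- which matches "no access log" in the question.
effective_rp_filter() {
    awk -F'[ .=]+' '
        $1=="net" && $2=="ipv4" && $3=="conf" && $5=="rp_filter" { v[$4] = $6 + 0 }
        END {
            all = ("all" in v) ? v["all"] : 0
            for (i in v)
                if (i != "all" && i != "default")
                    print i, (v[i] > all ? v[i] : all)
        }' | sort
}

# Interfaces whose effective rp_filter is strict (1), one per line.
strict_rp_filter_ifaces() {
    effective_rp_filter | awk '$2 == 1 { print $1 }'
}

# Read `iptables -S INPUT` on stdin; succeed only if an explicit ACCEPT for
# protocol gre/47 exists.  The ASA opens the tunnel towards the proxy, so the
# proxy's INPUT chain must admit protocol 47 from the router address.
gre_accepted() {
    grep -Eq -- '^-A INPUT .*-p (gre|47)( .*)? -j ACCEPT'
}

# sysctl.d fragment that relaxes rp_filter to loose mode (2) on "all" and on
# the tunnel interface given as $1: loose only requires the source to be
# reachable via some interface, so LAN clients pass while sources with no
# route at all are still dropped.
rp_filter_sysctl_fragment() {
    printf 'net.ipv4.conf.all.rp_filter = 2\nnet.ipv4.conf.%s.rp_filter = 2\n' "$1"
}

run_checks() {   # $1 = sysctl text, $2 = iptables -S INPUT text
    strict=$(printf '%s\n' "$1" | strict_rp_filter_ifaces | tr '\n' ' ')
    if [ -n "$strict" ]; then
        echo "strict rp_filter in effect on: $strict"
    else
        echo "rp_filter: no interface in strict mode"
    fi
    if printf '%s\n' "$2" | gre_accepted; then
        echo "GRE (proto 47) accepted in INPUT"
    else
        echo "GRE (proto 47) NOT accepted in INPUT"
    fi
}

if [ "$1" = "--live" ]; then
    run_checks "$(sysctl -a 2>/dev/null)" "$(iptables -S INPUT)"
else
    run_checks "$SAMPLE_SYSCTL" "$SAMPLE_IPTABLES"
    echo "suggested /etc/sysctl.d/99-wccp.conf for tunnel wccp0:"
    rp_filter_sysctl_fragment wccp0
fi
```

Run it as root with `--live` on the proxy; without arguments it evaluates the constructed samples, where eth0 and lo come out strict because the global knob overrides their per-interface values. The fragment it prints uses loose mode rather than 0 so the host keeps some protection against unroutable source addresses; write it to /etc/sysctl.d/ and apply with `sysctl --system`, then confirm with `sysctl net.ipv4.conf.all.rp_filter`.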