WCCP + SQUID = client browser “This page can’t be displayed”


I have implemented this scenario:

ISP <==> ASA <==> SWITCH <==> LAN + SQUID

The Squid server is on the same ASA INSIDE interface, but on a different VLAN.

tcpdump -nni wccp0 -p tcp and port 80

09:59:10.013059 IP 10.30.0.104.43210 > 134.170.58.121.80: Flags [S], seq 28582661, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:59:18.127053 IP 10.30.0.104.56278 > 45.121.219.210.80: Flags [S], seq 867504285, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:59:18.641802 IP 192.168.192.2.56099 > 140.108.21.70.80: Flags [R], seq 1167442925, win 0, length 0
09:59:19.126040 IP 10.30.0.104.56278 > 45.121.219.210.80: Flags [S], seq 867504285, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:59:21.130148 IP 10.30.0.104.56278 > 45.121.219.210.80: Flags [S], seq 867504285, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:59:25.134761 IP 10.30.0.104.56278 > 45.121.219.210.80: Flags [S], seq 867504285, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

root@proxy-bsn:/home/test-proxy# iptables -S -t nat -v

-P PREROUTING ACCEPT -c 218 29419
-P INPUT ACCEPT -c 330 35243
-P OUTPUT ACCEPT -c 121 7535
-P POSTROUTING ACCEPT -c 121 7535
-A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -c 112 5824 -j DNAT --to-destination 10.30.0.120:3129

tcpdump shows that the WCCP path between the ASA and the proxy is working fine, but from the client's perspective the browser error is

This page can’t be displayed

I assumed the firewall was causing this, so I checked and confirmed:

$ sysctl -a | grep rp_filter
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.em1.arp_filter = 0
net.ipv4.conf.em1.rp_filter = 0
net.ipv4.conf.em2.arp_filter = 0
net.ipv4.conf.em2.rp_filter = 0
net.ipv4.conf.em3.arp_filter = 0
net.ipv4.conf.em3.rp_filter = 0
net.ipv4.conf.em4.arp_filter = 0
net.ipv4.conf.em4.rp_filter = 0
net.ipv4.conf.em49.arp_filter = 0
net.ipv4.conf.em49.rp_filter = 0
net.ipv4.conf.em50.arp_filter = 0
net.ipv4.conf.em50.rp_filter = 0
net.ipv4.conf.gre0.arp_filter = 0
net.ipv4.conf.gre0.rp_filter = 0
net.ipv4.conf.gretap0.arp_filter = 0
net.ipv4.conf.gretap0.rp_filter = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.wccp0.arp_filter = 0
net.ipv4.conf.wccp0.rp_filter = 0
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.em1.stable_secret"
sysctl: reading key "net.ipv6.conf.em2.stable_secret"
sysctl: reading key "net.ipv6.conf.em3.stable_secret"
sysctl: reading key "net.ipv6.conf.em4.stable_secret"
sysctl: reading key "net.ipv6.conf.em49.stable_secret"
sysctl: reading key "net.ipv6.conf.em50.stable_secret"
sysctl: reading key "net.ipv6.conf.gre0.stable_secret"
sysctl: reading key "net.ipv6.conf.gretap0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
sysctl: reading key "net.ipv6.conf.wccp0.stable_secret"

$ sysctl -a | grep forwarding
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.em1.forwarding = 1
net.ipv4.conf.em1.mc_forwarding = 0
net.ipv4.conf.em2.forwarding = 1
net.ipv4.conf.em2.mc_forwarding = 0
net.ipv4.conf.em3.forwarding = 1
net.ipv4.conf.em3.mc_forwarding = 0
net.ipv4.conf.em4.forwarding = 1
net.ipv4.conf.em4.mc_forwarding = 0
net.ipv4.conf.em49.forwarding = 1
net.ipv4.conf.em49.mc_forwarding = 0
net.ipv4.conf.em50.forwarding = 1
net.ipv4.conf.em50.mc_forwarding = 0
net.ipv4.conf.gre0.forwarding = 1
net.ipv4.conf.gre0.mc_forwarding = 0
net.ipv4.conf.gretap0.forwarding = 1
net.ipv4.conf.gretap0.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.wccp0.forwarding = 1
net.ipv4.conf.wccp0.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.all.stable_secret"
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.default.stable_secret"
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.em1.stable_secret"
net.ipv6.conf.em1.forwarding = 1
net.ipv6.conf.em1.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.em2.stable_secret"
net.ipv6.conf.em2.forwarding = 1
net.ipv6.conf.em2.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.em3.stable_secret"
net.ipv6.conf.em3.forwarding = 1
net.ipv6.conf.em3.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.em4.stable_secret"
net.ipv6.conf.em4.forwarding = 1
net.ipv6.conf.em4.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.em49.stable_secret"
net.ipv6.conf.em49.forwarding = 1
net.ipv6.conf.em49.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.em50.stable_secret"
net.ipv6.conf.em50.forwarding = 1
net.ipv6.conf.em50.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.gre0.stable_secret"
net.ipv6.conf.gre0.forwarding = 1
net.ipv6.conf.gre0.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.gretap0.stable_secret"
net.ipv6.conf.gretap0.forwarding = 1
net.ipv6.conf.gretap0.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.wccp0.stable_secret"
net.ipv6.conf.wccp0.forwarding = 1
net.ipv6.conf.wccp0.mc_forwarding = 0

I don't see any problem. There is an article saying that a WCCP deployment with ASA + Squid must be on the same subnet. Well, I tried that and it failed too.

This is my proxy box's uname:

$ uname -a
Linux proxy-bsn 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
$ squid3 -v
Squid Cache: Version 3.3.8

http_port 3128
http_port 3129 intercept
wccp_version 4
wccp2_router 192.192.168.254
wccp2_forwarding_method gre
wccp2_return_method gre

Finally, I tried running tcpdump on port 3129 ... nothing happens.

by Dian Andriani 23.01.2017 / 11:11

0 answers
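A small parser for captures like the wccp0 one in the question, added here as an example and not part of the original post or of Squid: it groups tcpdump lines by flow and reports client SYNs that were resent with the same sequence number and never answered, which is the pattern the capture above shows. The sample lines are constructed from the post's output with the TCP options trimmed; the function names are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the post's wccp0 capture (TCP options trimmed):
# one client flow resends the same SYN four times and is never answered.
SAMPLE = """\
09:59:10.013059 IP 10.30.0.104.43210 > 134.170.58.121.80: Flags [S], seq 28582661, win 29200, length 0
09:59:18.127053 IP 10.30.0.104.56278 > 45.121.219.210.80: Flags [S], seq 867504285, win 29200, length 0
09:59:18.641802 IP 192.168.192.2.56099 > 140.108.21.70.80: Flags [R], seq 1167442925, win 0, length 0
09:59:19.126040 IP 10.30.0.104.56278 > 45.121.219.210.80: Flags [S], seq 867504285, win 29200, length 0
09:59:21.130148 IP 10.30.0.104.56278 > 45.121.219.210.80: Flags [S], seq 867504285, win 29200, length 0
09:59:25.134761 IP 10.30.0.104.56278 > 45.121.219.210.80: Flags [S], seq 867504285, win 29200, length 0
"""

# Start of a "tcpdump -nn" TCP line; seq is optional because pure ACKs print
# "ack N" without a seq field.
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+))?"
)

def parse_tcpdump(text):
    """Yield one dict per packet line; wrapped continuation fragments are skipped."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.groupdict()

def stalled_syn_flows(text, min_retries=2):
    """Return {(src, sport, dst, dport): syn_count} for flows that resent the same
    SYN (identical seq) at least min_retries times with no packet seen coming back."""
    syn_seen = defaultdict(Counter)   # flow -> Counter of SYN sequence numbers
    flows_with_reply = set()          # flows for which some reverse-direction packet exists
    for p in parse_tcpdump(text):
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        # this packet is a reply from the point of view of the opposite flow
        flows_with_reply.add((p["dst"], p["dport"], p["src"], p["sport"]))
        if "S" in p["flags"] and "." not in p["flags"] and p["seq"]:   # SYN, not SYN-ACK
            syn_seen[flow][p["seq"]] += 1
    result = {}
    for flow, seqs in syn_seen.items():
        repeats = max(seqs.values())
        if repeats >= min_retries and flow not in flows_with_reply:
            result[flow] = repeats
    return result

if __name__ == "__main__":
    for flow, n in stalled_syn_flows(SAMPLE).items():
        print("%s:%s -> %s:%s  SYN sent %d times, no reply" % (flow + (n,)))
```

One caveat when reading such captures: tcpdump sees ingress packets before the PREROUTING DNAT rule rewrites them, so a capture filtered on port 3129 will not show the redirected SYNs even when the DNAT counters are climbing; the rule counters and Squid's access log are the places to confirm whether the intercepted connections reach the proxy.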