Background:
I have three locations connected with T1 lines and Cisco Routers (which
I have no control over). Behind each of these Cisco routers I have a Pix
515R firewall which I fully control. These PIXes are set up in a meshed
VPN, but there are no traffic restrictions from site-to-site.
Directly behind each Pix I have a Dell 1550 server with Mandrake 8.2 and
Squid 2.4 installed, and I'm using squidGuard for content filtering. The
two ethernet interfaces (one goes to the firewall via xover cable, the
other to a Cisco 4006 switch that all my other systems are plugged
into) on each server are bridged together, and an iptables rule
redirects incoming port 80 requests to port 3128 for transparent proxying.
ALL THIS WORKS. I plug a workstation into the 4006 switch and I can
browse the internet with no problems, at each location.
Next step is to get the proxy servers to peer each other. I want each of
the servers to be a sibling for the other two, so I put this in the
squid.conf files:
server1
--------
cache_peer 10.0.0.2 sibling 3128 3130
cache_peer 10.0.0.3 sibling 3128 3130
server2
--------
cache_peer 10.0.0.1 sibling 3128 3130
cache_peer 10.0.0.3 sibling 3128 3130
server3
--------
cache_peer 10.0.0.1 sibling 3128 3130
cache_peer 10.0.0.2 sibling 3128 3130
and add a rule (for now) to each squid.conf file that allows ALL ICP
requests:
icp_access allow all
I then restart each squid process and access the cachemgr.cgi script I
installed on my web server. I open it up and point it at server #1's IP
address, and select the peer information page. It lists both the peers
in a state of "up".
Next I fire up a web browser that is behind the Proxy Server #1 and
bring up a simple page like www.yahoo.com or www.google.com. The page is
displayed fine in the browser, but the peers never respond. cache.log
shows that ICP request packets are sent to the two peers, I see port
3130 connections set up in the firewall logs, but response packets are
never received. Additionally, after the dead_peer_timeout expires
(defaults to 10 seconds, where I've left it), refreshing the
cachemgr.cgi page shows the peers are now in the "down" state, that 2
packets were sent to each and 0 ACKs were received.
Manually setting the icp_query_timeout in server1's squid.conf file to
2000 or 5000 merely results in a 2 or 5 second delay for the web page to
come up.
Any ideas?
Thanks,
Brent
Received on Mon Jun 24 2002 - 19:25:40 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:08:48 MST
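The symptom in the post is ICP queries leaving on UDP 3130 with no replies ever arriving, which Squid then reports as peers going "down". The following is an added example, not code from the original post or from Squid: a small Python tool that speaks the same ICP version 2 wire format (RFC 2186) that the `cache_peer ... 3128 3130` lines use. It builds an ICP_OP_QUERY, parses whatever comes back, and returns None on a timeout, so a peer's 3130 path can be checked from a proxy host independently of Squid's dead_peer_timeout logic; a missing reply here points at the network path (firewall UDP return traffic, routing across the bridged interfaces) rather than at squid.conf. The peer address 10.0.0.2, the probe URL, the request number and the requester address are placeholders chosen for the example; `build_reply` exists only to construct test input, since real replies come from the peer.

```python
"""Stand-alone ICP (RFC 2186) probe for checking a Squid sibling on UDP 3130.

Added example, not code from the original post or from Squid. Host, port,
URL and request number are caller-supplied placeholders.
"""
import socket
import struct

ICP_VERSION = 2
# Fixed 20-byte header: opcode, version, message length, request number,
# options, option data, sender host address (all in network byte order).
ICP_HEADER = struct.Struct("!BBHIIII")

ICP_OP_QUERY = 1
OPCODE_NAMES = {
    0: "ICP_OP_INVALID", 1: "ICP_OP_QUERY", 2: "ICP_OP_HIT", 3: "ICP_OP_MISS",
    4: "ICP_OP_ERR", 10: "ICP_OP_SECHO", 11: "ICP_OP_DECHO",
    21: "ICP_OP_MISS_NOFETCH", 22: "ICP_OP_DENIED", 23: "ICP_OP_HIT_OBJ",
}


def build_query(url, reqnum=1, requester="0.0.0.0"):
    """Encode an ICP_OP_QUERY: header + 4-byte requester address + NUL-terminated URL."""
    payload = socket.inet_aton(requester) + url.encode("ascii") + b"\x00"
    header = ICP_HEADER.pack(ICP_OP_QUERY, ICP_VERSION,
                             ICP_HEADER.size + len(payload), reqnum, 0, 0, 0)
    return header + payload


def build_reply(opcode, url, reqnum):
    """Encode a HIT/MISS-style reply (payload is just the NUL-terminated URL).
    Used here only to construct test input; a real peer sends these."""
    payload = url.encode("ascii") + b"\x00"
    header = ICP_HEADER.pack(opcode, ICP_VERSION,
                             ICP_HEADER.size + len(payload), reqnum, 0, 0, 0)
    return header + payload


def parse_message(data):
    """Decode any ICP message into a dict; raise ValueError on malformed input."""
    if len(data) < ICP_HEADER.size:
        raise ValueError("ICP message shorter than the 20-byte header")
    opcode, version, length, reqnum, options, optdata, sender = ICP_HEADER.unpack_from(data)
    if length != len(data):
        raise ValueError("ICP length field %d does not match %d bytes received"
                         % (length, len(data)))
    payload = data[ICP_HEADER.size:]
    requester = None
    if opcode == ICP_OP_QUERY:
        # Only queries carry the requester host address in front of the URL.
        if len(payload) < 4:
            raise ValueError("ICP_OP_QUERY payload missing requester address")
        requester, payload = socket.inet_ntoa(payload[:4]), payload[4:]
    return {
        "opcode": opcode,
        "opcode_name": OPCODE_NAMES.get(opcode, "ICP_OP_UNKNOWN(%d)" % opcode),
        "version": version,
        "reqnum": reqnum,
        "options": options,
        "requester": requester,
        "url": payload.split(b"\x00", 1)[0].decode("ascii", "replace"),
    }


def probe_peer(host, port=3130, url="http://www.google.com/", reqnum=1, timeout=5.0):
    """Send one query to a peer and return the parsed reply, or None when no
    valid reply with a matching request number arrives within `timeout` seconds
    (the behaviour the post describes)."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_query(url, reqnum), (host, port))
            while True:
                data, _ = sock.recvfrom(65535)
                try:
                    reply = parse_message(data)
                except ValueError:
                    continue  # ignore malformed datagrams, keep waiting
                if reply["reqnum"] == reqnum:
                    return reply
    except OSError:
        # socket.timeout is an OSError subclass; an ICMP port-unreachable
        # surfaces as ConnectionRefusedError (also OSError) on Linux.
        return None


if __name__ == "__main__":
    import sys
    # 10.0.0.2 is a placeholder taken from the post's cache_peer addressing.
    peer = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.2"
    result = probe_peer(peer)
    print("no ICP reply from %s:3130" % peer if result is None else result)
```

Run it on the proxy host against each sibling (`python3 icp_probe.py 10.0.0.2`). A parsed ICP_OP_MISS or ICP_OP_HIT shows the UDP path is open in both directions and the peer's icp_access rule is honouring the query; a None for a peer that cachemgr.cgi listed as "up" narrows the fault to return traffic on 3130 never reaching this host.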