Question


Squid cache with Juniper Firewall

By dkline

I have encountered a situation with an installation where a client is using WCCP on a C3640 router to redirect and load balance web requests to a Squid server farm. The client replaced their PIX 515 firewall with a Juniper SSG550 (running ScreenOS 5.4) and web requests were adversely affected.

With the PIX firewall in place, web requests function normally. When the PIX is replaced with a Juniper SSG550, some web requests suffer a 10-15 second delay when first loading.

After the initial load, traffic seems to flow normally.

Does anybody have any experience with this type of situation? I have packet traces of the communications between the client, router, Squid server, and Internet server with the Juniper firewall. I am trying to get a similar trace with the PIX in place.

Any information or reference material would be greatly appreciated.

Regards,
dk


All Answers


Why

by robert_ireland In reply to Squid cache with Juniper ...

Why did you change firewalls? And did you configure both bits of kit? Are there any differences in the running config?


Configurations are Identical

by dkline In reply to Why

The PIX firewalls were replaced as part of a network upgrade. The Cisco configuration was translated to Juniper-speak on the SSG550s.

I'm not quite sure I know what you mean by "both bits of kit".

I do network engineering, and I have Juniper's TAC looking at the issue as well as a Squid consultant who built these servers. It appears as though something strange is occurring with the way that WCCP interacts with Squid. I'm not sure I understand why this would be affected by what brand of firewall is being used as the default gateway.

dk


A Consideration

by robert_ireland In reply to Configurations are Identi ...

The different brands of firewalls are a consideration, as these companies will be writing their own OS software to run on these. What I meant by both bits of kit is both firewalls. Did you not consider a "Bigger Pix" as opposed to a complete change? I would give it some thought, as the PIX in place originally produced the required effects and the Juniper doesn't.


Similar Issue...

by lbickley In reply to Squid cache with Juniper ...

We have a client with an identical issue - after replacing a Cisco PIX with a Juniper SSG550. We have been working on this for several weeks with no resolution as of yet.

Have you resolved this issue?

Regards,
Lyle


WCCP and Squid server farm?

by omcdr7 In reply to Squid cache with Juniper ...

Can you explain how to configure a PIX/router with WCCP to redirect and load balance web requests to a Squid server farm?

With one Squid it works fine, but how to configure it with multiple Squid servers?

Thanks


Outlook and Juniper SSG550

by 5todd In reply to Squid cache with Juniper ...

I am having a similar problem. Juniper recommends upgrading ScreenOS to 5.4.r8. This version includes a rollup of all of their incremental fixes back to version 5.0.

I am skeptical as the bug fixes really do not address our specific issue. The fixes increase the timeout on initial connection for 30 seconds to 1 minute, and service timeout increase from 30 minutes (ScreenOS default) to 200 minutes.

I've got this set up in a lab. We'll see how it goes. I think it has something to do with either calendaring or shared folders. I guess we'll see.
