Squid cache with Juniper Firewall

dkline
I have encountered a situation with an installation where a client is using WCCP on a C3640 router to redirect and load balance web requests to a Squid server farm. The client replaced their PIX 515 firewall with a Juniper SSG550 (running ScreenOS 5.4) and web requests were adversely affected.

With the PIX firewall in place, web requests function normally. When the PIX is replaced with a Juniper SSG550 some Web requests suffer a 10-15 second delay when first loading.

After the initial load traffic seems to flow normally.

Does anybody have any experience with this type of situation? I have packet traces of the communications between the client, router, Squid server, and Internet server with the Juniper firewall. I am trying to get a similar trace with the PIX in place.

Any information or reference material would be greatly appreciated.

Regards,
dk
    Why

    robert_ireland

    Why did you change firewalls? And did you configure both bits of kit? Are there any differences in the running config?

    dkline

    The PIX firewalls were replaced as part of a network upgrade. The Cisco configuration was translated to Juniper-speak on the SSG550s.

    I'm not quite sure I know what you mean by "both bits of kit".

    I do network engineering, and I have Juniper's TAC looking at the issue as well as a Squid consultant who built these servers. It appears as though something strange is occurring with the way that WCCP interacts with Squid. I'm not sure I understand why this would be affected by what brand of firewall is being used as the default gateway.

    dk

    robert_ireland

    The different brands of firewalls are a consideration, as these companies will be writing their own OS software to run on these. What I meant by both bits of kit is both firewalls. Did you not consider a "Bigger Pix" as opposed to a complete change? I would give it some thought, as the PIX in place originally produced the required effects and the Juniper doesn't.

    lbickley

    We have a client with an identical issue - after replacing a Cisco PIX with a Juniper SSG550. We have been working on this for several weeks with no resolution as of yet.

    Have you resolved this issue?

    Regards,
    Lyle

    omcdr7

    Can you explain how to configure a PIX/router with WCCP to redirect and load balance web requests to a Squid server farm?

    With one Squid it works fine, but how to configure it with multiple Squid servers?

    Thanks

    5todd

    I am having a similar problem. Juniper recommends upgrading ScreenOS to 5.4.r8. This version includes a rollup of all of their incremental fixes back to version 5.0.

    I am skeptical, as the bug fixes really do not address our specific issue. The fixes increase the timeout on initial connection from 30 seconds to 1 minute, and increase the service timeout from 30 minutes (ScreenOS default) to 200 minutes.

    I've got this set up in a lab. We'll see how it goes. I think it has something to do with either calendaring or shared folders. I guess we'll see.
