[squid-users] WCCP: duplicate security definition

Alex Rousskov rousskov at measurement-factory.com
Thu Jul 10 16:16:51 UTC 2025


On 2025-07-10 06:39, MAB IT System wrote:
> Dear Squid team,
> 
> I’m currently working on deploying Squid as a transparent proxy using 
> WCCPv2 with a Cisco ASA firewall.
> 
> The ASA selects a router ID x.x.x.x automatically and uses GRE 
> encapsulation. However, in my Squid configuration, I’m using 
> wccp2_forwarding_method gre.
> 
> I’ve confirmed that:
> - UDP traffic on port 2048 between Squid and the ASA is working correctly.
> - Squid receives WCCP messages (`HERE_I_AM`, `I_SEE_YOU`) but logs 
> errors like:
>    `ERROR: Ignoring WCCPv2 message: check failed: duplicate security 
> definition`

You are probably suffering from Squid Bug 5179:
https://bugs.squid-cache.org/show_bug.cgi?id=5179

FWIW, there is a (currently dormant) PR with a proposed fix draft:
https://github.com/squid-cache/squid/pull/970


> Any insights, suggestions, or recommended configuration would be greatly 
> appreciated.

Squid WCCP code has many problems. AFAICT, no Squid developer is 
currently focusing on addressing them.


HTH,

Alex.


> - ASA logs show that Squid is visible but marked as “NOT Usable” and 
> gets 0% hash allocation.
> - I’m running Squid version 5.9 on Linux Ubuntu.
> 
> Questions:
> 1. Is there a known issue when using `wccp2_forwarding_method gre` with 
> devices that support GRE?
> 2. Could Squid gracefully fall back or detect ASA’s redirect mode 
> automatically?
> 3. Is there a specific Squid version better suited for WCCPv2 with GRE only?
> 
> Any insights, suggestions, or recommended configuration would be greatly 
> appreciated.
> 
> Thank you for your support and great work on Squid.
> 
> Best regards,
> Assoham AWOUTOU
> MACHAERO