As a first step, I recommend you check GRE. Turn off WCCP on your router,
configure and test a GRE tunnel interface between the Cisco and the squid box.
I heard that FreeBSD 4.9 and 5.1 have broken GRE.

> On Mon, Jan 26, 2004 at 01:42:30PM +1030, Adam Smith said:
> > On Sun, Jan 25, 2004 at 11:46:34PM +0200, Roman Synyuk said:
> > > Hello.
> > >
> > > You need to configure forwarding incoming packets from GRE interface
> > > to squid process:
> > >
> > > # ipfw add fwd 127.0.0.1,3128 ip from any to any via gre0 in
> > > # ipfw add permit ip from any to any

> >
> > I tried this, however I'm still not seeing it work, and now I have more
> > questions!
> >
> > IPFW:
> >
> > I am now counting any packets on my GRE rule:

>
> Sorry, "now" should read "not".
>
> > 01300 0 0 fwd 127.0.0.1,3128 ip from any to any via gre0 in
> >
> > I'm also not entirely sure at which level of my firewall rules I should be
> > inserting this rule. I've tried just before "allow ip from me to any" and
> > I've tried right at the very start but still, no packets are counted.
> >
> > CISCO 837:
> >
> > Which interface am I actually supposed to be running the WCCP redirect on?
> > I'm starting to think it should be on my Ethernet0 interface, as this is
> > where the GRE tunnel ends. It sorta makes better sense. Adding the
> > wccp-redirect lines to it doesn't make any difference though -- users can
> > still get out without anything going back to the proxy.
> >
> > If users are getting through, does this mean the wccp redirect is failing
> > at the router end?
> >
> > Thanks for any pointers.
> >
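
Added example, not part of the original thread: a small sh/awk check that separates the two cases raised above, a fwd rule placed behind an earlier catch-all versus no traffic reaching gre0 at all, run over constructed `ipfw show` output. The function name, the sample rulesets and their counters are assumptions; only the `01300` fwd rule line comes from the thread.

```shell
#!/bin/sh
# Reads `ipfw show` output (rule number, packets, bytes, rule body) on stdin
# and reports on fwd rules bound to the interface given as $1.
check_fwd() {
    awk -v ifc="$1" '
    $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
        body = $4
        for (i = 5; i <= NF; i++) body = body " " $i
        if ($4 == "fwd" && body ~ ("via " ifc "( |$)")) {
            found = 1
            if ($2 + 0 > 0) {
                printf "rule %s: fwd via %s matched %d packets\n", $1, ifc, $2
            } else if (shadow != "") {
                # ipfw is first-match: an earlier unconditional rule ends
                # processing before the fwd rule is ever evaluated.
                printf "rule %s: 0 packets, shadowed by rule %s (%s)\n", $1, shadow, sbody
            } else {
                printf "rule %s: 0 packets, no earlier catch-all; check that traffic arrives on %s\n", $1, ifc
            }
            next
        }
        # Simplification: only exact "ip from any to any" rules count as catch-alls.
        if (shadow == "" && body ~ /^(allow|accept|pass|permit|deny|drop) ip from any to any$/) {
            shadow = $1; sbody = body
        }
    }
    END { if (!found) printf "no fwd rule via %s found\n", ifc }'
}

# Constructed sample: the fwd rule sits behind an unconditional allow.
sample_shadowed() {
cat <<'EOF'
00100 5120 410233 allow ip from any to any via lo0
01200 88412 7340021 allow ip from any to any
01300 0 0 fwd 127.0.0.1,3128 ip from any to any via gre0 in
65535 12 720 deny ip from any to any
EOF
}

# Constructed sample: the fwd rule is first, yet its counters stay at zero.
sample_first() {
cat <<'EOF'
00050 0 0 fwd 127.0.0.1,3128 ip from any to any via gre0 in
00100 5120 410233 allow ip from any to any via lo0
65535 91204 7710332 allow ip from any to any
EOF
}

sample_shadowed | check_fwd gre0
sample_first | check_fwd gre0
```

On a live box the input would be `ipfw show | check_fwd gre0`; a zero count with nothing ahead of the rule points back at the tunnel and the router rather than at rule order.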