Urgent ! Router-WAAS WCCP problem
I have dot1q enabled 7507 connecting frame relay branch to data centre.
Core WAAS sits on a VLAN subinterface.
As soon as I enable "ip wccp redirect 61 in" on VLAN trunked interface, I am losing connection to the branch.
the config is here..
interface GigabitEthernet4/0/0
description Core Data Centre Trunk VLAN 3,120 to SWDC03 3/16
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
load-interval 30
negotiation auto
no cdp enable
interface GigabitEthernet4/0/0.3
description Core Data Centre VLAN
encap dot1q 3
ip address xxxx
ip wccp 61 redirect in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip route-cache flow
no cdp enable
standby 3 ip 10.64.205.17
standby 3 priority 150
standby 3 preempt
interface GigabitEthernet4/0/0.120
description Core WAAS VLAN120
encap dot1q 120
ip address yyyyyyy
ip wccp redirect exclude in
no ip redirects
no ip unreachables
interface Serial0/0/3.64 point-to-point
ip wccp 62 redirect in
The IOS version is rsp-jsv-mz.123-17b and WAAS version 4.0.13. I have tested this before without VLAN trunking on another router using a separate interface and it was working. Any idea?
thanks
thanks guys. I will explain the problem a bit more. When WAAS sits on a separate i/f on WAN router, it works fine, i.e. "wccp redirect 61 in" on interface connecting WAN router to Data Centre and "wccp redirect 62 in" on WAN frame relay. Then I configured the i/f connecting WAN router to Data Centre as dot1q trunk and a dedicated VLAN is created for WAAS. The default gateway for WAAS is HSRP address in 6509s. The WCCP router address configured in WAAS is the loopback0 address of the WAN router. The "wccp redirect 62 in" on WAN frame relay stays same. However, "wccp redirect 61 in" carried to a new subinterface on the same access as WAAS VLAN.
All WCCP commands show that there is a connection between WAAS and WAN router, packet count goes up. However, all TCP sessions to the branch (initiated from the Data Centre) fail. I have also tested with and without "wccp redirect exclude in" on WAAS VLAN subinterface without success. Since I had to install the branch WAAS on the weekend, I moved WAAS back to dedicated interface on WAN router. It works fine but I cannot implement redundancy.
The suggestion was to make WAN router subinterface HSRP active rather than 6509 MSFCs. So WAAS talks to WAN router's loopback address and default gateway also points to the same router rather than MSFC. I have not had a chance to test this but I will test in the coming weeks. I was also suggested to use layer2 redirection on 6509 but did not have any chance to look at it closely.
thanks
Serhat
Similar Messages
-
Router IOS requirements to work with WAAS WCCP?
Can someone help me with up to date switch and router IOS requirements to work with WAAS WCCP configuration? There used to be a Cisco document explaining that but I can't find it any more.
Here is our WAAS 4.2.3 deployment in the network:
Data center: Cat6500 Sup720-3B running IOS 12.2(18)SXF12a will do WCCP L2 redirection. I've seen minimum Sup720 IOS requirement of 12.2(18)SXF13 in one place and 12.2(18)SXF16 in another, but there are also examples of using 12.2 (18) SXF5. Which one is the latest Cisco recommendation?
Remote sites: 3825 and 3845 routers (some are running 12.4 T train and some are in 12.4 main line) will do WCCP GRE redirection to WAE's. One of the routers will use a WAE-NME-522 module. Others are WAE appliances. Again, what are the latest Cisco recommendations?
Another question: for an IOS release, does it matter which package to use, such as advanced IP services, enterprise services, or SP services?
Thanks a lot.
Here you go.
http://www.cisco.com/en/US/partner/prod/collateral/contnetw/ps5680/ps6870/white_paper_c11-608042.html
For IOS release, you will need a package that has WCCP support.
Hope this helps.
Regards.
PS: Please mark this as Answered, if this answers your question. -
How does QoS work with WAAS WCCP? What's the interaction between Router QoS Traffic Classification and WAE Traffic Application Policy?
By default, WAAS preserves the DSCP marking on intercepted packets. There is a configuration option to set/override the DSCP value at the global (device), application, and classifier levels. Currently WAAS provides marking only. There is no action taken by WAAS based on the DSCP value.
Regards,
Zach -
WAAS wccp tcp-promiscuous service-pair configuration question
I have a WAE 512 that I upgraded to 4.5.1, the WCCP configuration was automatically changed in the configuration to the following:
wccp router-list 1 192.168.20.1
wccp tcp-promiscuous service-pair 61 62 failure-detection 30
wccp tcp-promiscuous service-pair 61 62 router-list-num 1
wccp version 2
I have a WAVE-674 that I am going to replace this 512 with and I installed 5.0.1 on the 674. I went through the automatic setup process and the wccp configuration came up like this:
wccp router-list 7 192.168.20.1
wccp tcp-promiscuous service-pair 1 2
router-list-num 7
exit
And it informed me that I needed to put the wccp redirects for 61 in on LAN and 62 in on WAN, standard on the router and wccp 2, which I already have done.
My question is, should my 5.0.1 configuration look the same as my 4.5.1 configuration, or does it matter? I only found one document on the internet that had this "wccp tcp-promiscuous service-pair 1 2" in a Cisco PDF document where they were removing it to put some GRE specific configurations.
Hi Beau,
something went wrong with the new WAVE 674 wccp configuration, if the wccp router is the same (192.168.20.1) make sure it looks the same as in 4.5.1 version.
Also for devices with WAAS version 5.0, you must explicitly configure the egress method.
http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v501/configuration/guide/traffic.html#wp1275623
if you need assistance choosing the right egress method I suggest to open a TAC case.
hope that helps! -
Hi all,
i'm trying to set up WCCP between a Cisco 1941 router and my ironport S170 appliance.
This is the WCCP configuration on router side :
ip access-list extended WCCPRedirect
permit tcp <my internal LAN> any eq www
permit tcp <my internal LAN> any eq 443
permit tcp <my internal LAN> any eq ftp
ip access-list standard IronPort
permit <IronPort IP Address>
ip wccp web-cache redirect-list WCCPRedirect group-list IronPort
ip wccp 60 redirect-list WCCPRedirect group-list IronPort
ip wccp 70 redirect-list WCCPRedirect group-list IronPort
interface GigabitEthernet0/1
ip address <my internal Address> <my Subnet Mask>
ip wccp web-cache redirect in
ip wccp 60 redirect in
ip wccp 70 redirect in
The problem is that when i set up transparent redirection in my IronPort Appliance WCCP does not work.
These are the WCCP logs of the IronPort Appliance :
Fri Feb 15 09:52:09 2013 Warning: WCCP : - : ERROR:repeated capabilities
Fri Feb 15 09:52:09 2013 Warning: WCCP : - : ERROR:ISY: cap error
Fri Feb 15 09:52:19 2013 Warning: WCCP : - : ERROR:repeated capabilities
Fri Feb 15 09:52:19 2013 Warning: WCCP : - : ERROR:ISY: cap error
Fri Feb 15 09:52:24 2013 Warning: WCCP : - : ERROR:repeated capabilities
Fri Feb 15 09:52:24 2013 Warning: WCCP : - : ERROR:ISY: cap error
Fri Feb 15 09:52:25 2013 Warning: WCCP : - : ERROR:repeated capabilities
Fri Feb 15 09:52:25 2013 Warning: WCCP : - : ERROR:ISY: cap error
So i think it's a problem about WCCP capabilities.
This is "method" configuration on IronPort side
This is output of "sh ip wccp capabilities" on router side :
Capability Setting
Supported forwarding methods GRE & L2
Supported return methods GRE & L2
Supported assignment methods Hash & Mask
Accelerated forwarding methods L2
Accelerated return methods GRE & L2
Accelerated assignment methods Mask
Accelerated Mode CLI Off, CLI Disabled
Supported redirection types Input & Output
Check Outbound ACL CLI CLI Enabled
Check All Services CLI CLI Enabled
Closed Service Suport Supported
VRF Support Supported
Supported service groups 256
There's something wrong on method configuration of IronPort appliance or in router side WCCP configuration?
IronPort appliance model is S170 with AsyncOS 7.1.3-021
Router is Cisco 1941 with IOS c1900-universalk9-mz.SPA.152-3.T.bin
Thank you in advance
Hi Erik,
i applied configuration you suggested me and modified wccp logs to trace level.
This is the output of sh ip wccp web-cache detail on ISR router :
WCCP Client information:
WCCP Client ID: 192.168.120.19
Protocol Version: 2.00
State: NOT Usable (Initializing)
Redirection: None
Packet Return: None
Assignment: None
Connect Time: 00:00:24
I also launched debug ip wccp events and packets on ISR router and this is the output (192.168.120.19 is WSA ip address, 192.168.120.40 is ISR router ip address) :
*Feb 18 09:29:37.967: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 910)
*Feb 18 09:29:37.967: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.120.19, rcv_id:911
*Feb 18 09:29:37.967: WCCP-PKT:IPv4:S0: Sending 136 bytes from 192.168.120.40 to 192.168.120.19
*Feb 18 09:29:43.015: WCCP-PKT:IPv4:S0: Sending RQ to 192.168.120.19, rcv_id:912
*Feb 18 09:29:43.015: WCCP-PKT:IPv4:S0: Sending 64 bytes from 192.168.120.40 to 192.168.120.19
*Feb 18 09:29:43.967: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 912)
*Feb 18 09:29:43.967: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.120.19, rcv_id:913
*Feb 18 09:29:43.967: WCCP-PKT:IPv4:S0: Sending 136 bytes from 192.168.120.40 to 192.168.120.19
*Feb 18 09:29:44.987: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 913)
*Feb 18 09:29:44.987: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.120.19, rcv_id:914
*Feb 18 09:29:44.987: WCCP-PKT:IPv4:S0: Sending 136 bytes from 192.168.120.40 to 192.168.120.19
*Feb 18 09:29:46.007: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 914)
*Feb 18 09:29:46.007: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.120.19, rcv_id:915
*Feb 18 09:29:46.007: WCCP-PKT:IPv4:S0: Sending 136 bytes from 192.168.120.40 to 192.168.120.19
*Feb 18 09:29:47.979: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 915)
*Feb 18 09:29:47.979: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.120.19, rcv_id:916
*Feb 18 09:29:47.979: WCCP-PKT:IPv4:S0: Sending 136 bytes from 192.168.120.40 to 192.168.120.19
*Feb 18 09:29:48.015: WCCP-EVNT:IPv4:S0: Cache removal timer expired (192.168.120.19)
*Feb 18 09:29:48.015: WCCP-EVNT:IPv4:S0: deallocated wc 192.168.120.19 orig assign info (hash)
On WSA I launched tail command on wccp subscription (30) and this is the output :
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.20 -- 29 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.10 -- 29 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.20 -- 29 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.10 -- 29 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.120.40 -- 42 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.20 -- 29 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.10 -- 29 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:ISY received from 192.168.120.40.(136 bytes)
Mon Feb 18 10:32:58 2013 Warning: WCCP : - : ERROR:repeated capabilities
Mon Feb 18 10:32:58 2013 Warning: WCCP : - : ERROR:ISY: cap error
Note that the ISR router ip address is 192.168.120.40. I've also WCCP service active on two other L3 switches (two Cisco 3560G-24TS-S) so in logs above you can see wccp requests come from 192.168.208.10 and 192.168.208.20. On those switches WCCP works fine.
I noticed that there's a difference on time settings between WSA and ISR router, can this be cause of malfunction?
Thankyou so much.
Best Regards.
Alessandro -
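The two logs in the post above describe the same failed handshake from both ends. As an added example (not part of the original thread), the script below correlates them: it counts the router's "bad rcv_id" events per client and pairs the WSA's error lines with the ISY that preceded them. The log excerpts are copied from the post; attributing each WSA error to the most recent "ISY received from" line is an assumption, since the error lines carry no peer address.

```python
import re
from collections import defaultdict

# Excerpts copied from the two logs in the post above (router 192.168.120.40,
# WSA 192.168.120.19), trimmed to a few lines so the example runs offline.
ROUTER_DEBUG = """\
*Feb 18 09:29:37.967: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 910)
*Feb 18 09:29:37.967: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.120.19, rcv_id:911
*Feb 18 09:29:43.967: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 912)
*Feb 18 09:29:43.967: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.120.19, rcv_id:913
*Feb 18 09:29:48.015: WCCP-EVNT:IPv4:S0: Cache removal timer expired (192.168.120.19)
"""
WSA_LOG = """\
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.20 -- 29 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.120.40 -- 42 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:ISY received from 192.168.120.40.(136 bytes)
Mon Feb 18 10:32:58 2013 Warning: WCCP : - : ERROR:repeated capabilities
Mon Feb 18 10:32:58 2013 Warning: WCCP : - : ERROR:ISY: cap error
"""

IP = r"(\d+(?:\.\d+){3})"
BAD_HIA = re.compile(r"HIA from " + IP + r" with bad rcv_id (\d+) \(expected (\d+)\)")
ISY_SENT = re.compile(r"Sending ISY to " + IP + r", rcv_id:(\d+)")
REMOVED = re.compile(r"Cache removal timer expired \(" + IP + r"\)")
ISY_RECV = re.compile(r"INFO:ISY received from " + IP)
WSA_ERROR = re.compile(r"ERROR:(.+)$")


def router_view(text):
    """Per-client summary of the router's 'debug ip wccp' output."""
    clients = defaultdict(lambda: {"bad_hia": 0, "isy_sent": 0,
                                   "echoed": set(), "removed": False})
    for line in text.splitlines():
        if m := BAD_HIA.search(line):
            c = clients[m.group(1)]
            c["bad_hia"] += 1
            c["echoed"].add(int(m.group(2)))  # receive ID the client sent back
        elif m := ISY_SENT.search(line):
            clients[m.group(1)]["isy_sent"] += 1
        elif m := REMOVED.search(line):
            clients[m.group(1)]["removed"] = True
    return dict(clients)


def wsa_view(text):
    """Errors the WSA logged, keyed by the router whose ISY preceded them.

    Assumption: each error belongs to the most recent 'ISY received from' line.
    """
    errors, last_router = defaultdict(list), None
    for line in text.splitlines():
        if m := ISY_RECV.search(line):
            last_router = m.group(1)
        elif (m := WSA_ERROR.search(line)) and last_router:
            errors[last_router].append(m.group(1).strip())
    return dict(errors)


def findings(router_text, wsa_text, router_ip):
    """Correlate both sides into plain-language findings."""
    out = []
    for client, c in sorted(router_view(router_text).items()):
        if c["bad_hia"] and c["echoed"] == {0}:
            out.append(f"{client}: {c['bad_hia']} HIA(s) carried rcv_id 0 while the "
                       f"router sent {c['isy_sent']} ISY(s); the client is not "
                       f"echoing the router's receive ID")
        if c["removed"]:
            out.append(f"{client}: removed from the service group by timeout")
    rejected = wsa_view(wsa_text).get(router_ip, [])
    if rejected:
        out.append(f"WSA rejected ISY from {router_ip}: " + "; ".join(rejected))
    return out


if __name__ == "__main__":
    for finding in findings(ROUTER_DEBUG, WSA_LOG, "192.168.120.40"):
        print(finding)
```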
Airport Utility cannot find base station. The AirPort Status Icon is showing on my iMac's menu bar, but when I click on it I do not see an AirPort option in the list --- only the various networks that are within range and the options to Create or Join a network. I have a 1st generation Airport Express (Model A1264) and recently installed a new router, Linksys E1500. Could the router be the problem? Another computer in the house had to be set up on the router using Cisco Connect on my husband's Windows 7 computer. This was also necessary for our Wii console. When I try to use Cisco Connect to see if it needs to recognize the AirPort device, it gives me certain wireless settings necessary to connect the device (Network Name (SSID), Security key and Security Type (WPA2 or WAP)). I looked on the site but didn't see an option for setting up Airport Express. I also upgraded from Snow Leopard OS to Lion shortly before adding the new router. I use the Airport Express to play our Tune music on powered speakers in our kitchen and did not think to see if it was operating between the time I upgraded the operating system and the time I installed a new router. I have two different versions of AirPort Utility on the computer 6.0 and 5.6. Any suggestions?
Just spoke with Cisco about the router. They said the router is compatible with the E1500. They suggested that I contact Apple to see if their default IP address was the same as the router (192.168.1.1). They told me I would have to change it if that was the case. How would I do that?
-
Hi Everyone,
We have an ASA 5540 at our data center, with ASA 5505's at most remote sites.
At the sites without layer 3 switches behind the ASA 5505's, we can't reach the data center internal network through the ASA for flow-export, etc.
So, what I'm basically saying is, even though the tunnel is up and everything behind the branch ASA can reach the data center networks fine, the ASA itself cannot reach hosts on the data center network.
I'm hoping to configure these ASA 5505's so I can do flow export and SNMP logging from them, but without this routing or nat problem resolved, they just won't do it.
Doing a packet tracer from the ASA 5505 to the data center server I'm most focused on, reveals this:
BRANCH5505f01# packet input inside icmp 10.15.16.1 8 0 10.1.1.15 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0b6698, priority=1, domain=permit, deny=false
hits=1004755, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.1.15 255.255.255.255 outside
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
I am thinking the problem is NAT related, but with the new ASA NAT rule format due to v9.1... struggling to get a grip on where it is... any thoughts/help are appreciated.
Ken
Here is the relevant config for the Branch ASA and also the relevant config from the data center ASA:
Branch ASA Config Parts:
: Saved
ASA Version 9.1(2)
hostname BRANCHASA5505
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
speed 100
duplex full
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
description LAN_NETWORK
nameif inside
security-level 100
ip address 10.15.6.1 255.255.254.0
interface Vlan2
nameif outside
security-level 0
ip address <outside ip> 255.255.255.248
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object-group network BRANCH_NETWORKS
description BRANCH LOCAL NETWORKS
network-object 10.15.6.0 255.255.254.0
object-group network LAN_NETWORKS
network-object 10.0.0.0 255.0.0.0
network-object 134.200.131.0 255.255.255.0
network-object 134.200.220.0 255.255.255.0
network-object 134.201.2.0 255.255.255.0
network-object 163.243.195.0 255.255.255.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
network-object 10.1.3.0 255.255.255.0
network-object 10.31.2.0 255.255.255.0
network-object 10.1.1.0 255.255.255.0
network-object 172.26.1.0 255.255.255.0
object-group network NETWORK_MGMT
network-object 10.0.0.0 255.0.0.0
access-list DATACENTER_VPN_ACL remark *******************************************************************
access-list DATACENTER_VPN_ACL remark * FOR VPN CONNECTION TO DATACENTER/VEYANCE NETWORKS *
access-list DATACENTER_VPN_ACL remark *******************************************************************
access-list DATACENTER_VPN_ACL extended permit ip host <outside ip> host <outside ip datacenter asa>
access-list DATACENTER_VPN_ACL extended permit ip object-group BRANCH_NETWORKS object-group LAN_NETWORKS
access-list INSIDE_NONAT extended permit ip object-group BRANCH_NETWORKS object-group LAN_NETWORKS
access-list INSIDE_FILTER extended permit tcp any4 any4 eq www
access-list INSIDE_FILTER extended permit tcp any4 any4 eq 8080
logging host inside 10.1.1.15
flow-export destination inside 10.1.1.15 2055
ip verify reverse-path interface inside
ip verify reverse-path interface outside
nat (inside,outside) source static LAN_NETWORKS LAN_NETWORKS destination static BRANCH_NETWORKS BRANCH_NETWORKS route-lookup
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
nat (inside,outside) source dynamic any interface
object network obj_any
nat (inside,outside) dynamic interface
access-group FROM_OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 <outside ip gateway> 1
route outside 10.1.1.15 255.255.255.255 <outside ip datacenter asa> 1
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group <outside ip datacenter asa> type ipsec-l2l
tunnel-group <outside ip datacenter asa> ipsec-attributes
ikev1 pre-shared-key *****
class-map type regex match-any DomainBlockList
match regex DomainList-Netflix
class-map type inspect http match-all BlockDomainsClass
match request header host regex class DomainBlockList
class-map inspection_default
match default-inspection-traffic
class-map httptraffic
match access-list INSIDE_FILTER
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action log
class BlockDomainsClass
reset log
policy-map URL-filter-policy
class httptraffic
inspect http http_inspection_policy
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
class class-default
flow-export event-type all destination 10.1.1.15
service-policy URL-filter-policy interface inside
prompt hostname context
Datacenter ASA Config Parts:
ASA Version 9.0(1)
hostname DATACENTERASA5540
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface GigabitEthernet0/0
description *** TO OUTSIDE NETWORK AT DATACENTER ***
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address <outside ip>
interface GigabitEthernet0/1
description *** TO INSIDE NETWORK ***
nameif INSIDE
security-level 100
ip address 10.1.3.2 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network LAN_NETWORKS
network-object 10.0.0.0 255.0.0.0
network-object 134.200.131.0 255.255.255.0
network-object 134.200.220.0 255.255.255.0
network-object 134.201.2.0 255.255.255.0
network-object 163.243.195.0 255.255.255.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
network-object 10.1.3.0 255.255.255.0
network-object 10.31.2.0 255.255.255.0
network-object 10.1.1.0 255.255.255.0
network-object 172.26.1.0 255.255.255.0
object-group network DATACENTER_NETWORKS
network-object 10.1.0.0 255.255.0.0
object-group network BRANCH_NETWORKS
network-object 10.15.6.0 255.255.254.0
access-list BRANCH_VPN_ACL remark ****************************************************
access-list BRANCH_VPN_ACL remark * FOR SITE TO SITE VPN TO BRANCH WV USA *
access-list BRANCH_VPN_ACL remark ****************************************************
access-list BRANCH_VPN_ACL extended permit ip host <outside ip> host <outside ip branch asa>
access-list BRANCH_VPN_ACL extended permit ip object-group LAN_NETWORKS object-group BRANCH_NETWORKS
flow-export destination INSIDE 10.1.1.15 2055
flow-export template timeout-rate 1
flow-export delay flow-create 180
ip verify reverse-path interface OUTSIDE
ip verify reverse-path interface INSIDE
no failover
nat (INSIDE,OUTSIDE) source static LAN_NETWORKS LAN_NETWORKS destination static BRANCH_NETWORKS BRANCH_NETWORKS route-lookup
access-group FROM_OUTSIDE in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 <outside ip> 1
route INSIDE 10.0.0.0 255.0.0.0 10.1.3.1 1
route OUTSIDE 10.15.6.0 255.255.254.0 <outside ip branch asa> 1
crypto map OUTSIDE-MAP 156 match address BRANCH_VPN_ACL
crypto map OUTSIDE-MAP 156 set pfs
crypto map OUTSIDE-MAP 156 set peer <outside ip branch asa>
crypto map OUTSIDE-MAP 156 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
tunnel-group <outside ip branch asa> type ipsec-l2l
tunnel-group <outside ip branch asa> ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
flow-export event-type all destination 10.1.1.15
user-statistics accounting
service-policy global_policy global
smtp-server 172.19.1.137
prompt hostname context
call-home reporting anonymous
Again, any help you can provide is appreciated... will vote for best...
I ran it, with the source IP corrected (it is 10.15.6.2):
BRANCHASA# packet input inside icmp 10.15.6.2 8 0 10.1.1.15 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0b6698, priority=1, domain=permit, deny=false
hits=1203279, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.1.1.15/0 to 10.1.1.15/0
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.15.6.0 255.255.254.0 inside
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
Additional Information:
Static translate 10.15.6.2/0 to 10.15.6.2/0
Forward Flow based lookup yields rule:
in id=0xcb12f2f0, priority=6, domain=nat, deny=false
hits=15824, user_data=0xcb0fdef8, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.15.6.0, mask=255.255.254.0, port=0, tag=0
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcaa712e0, priority=0, domain=nat-per-session, deny=true
hits=77610, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0bc128, priority=0, domain=inspect-ip-options, deny=true
hits=91404, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0bbc28, priority=66, domain=inspect-icmp-error, deny=false
hits=4585, user_data=0xcb0bb238, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcb0c1218, priority=70, domain=encrypt, deny=false
hits=708, user_data=0xbf63c, cs_id=0xcb9ad918, reverse, flags=0x0, protocol=0
src ip/id=10.15.6.0, mask=255.255.254.0, port=0, tag=0
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcb12fb00, priority=6, domain=nat-reverse, deny=false
hits=15837, user_data=0xcb124438, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.15.6.0, mask=255.255.254.0, port=0, tag=0
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 143081, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow -
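The two packet-tracer runs in this thread differ only in the source address: 10.15.16.1 is not inside the branch subnet 10.15.6.0/23, while 10.15.6.2 is. As an added example (not part of the original thread), the sketch below models just the route-lookup and reverse-path steps against the routes visible in the posted branch config, showing why `ip verify reverse-path interface inside` drops the first trace and allows the second. The outside subnet is elided on the page, so 203.0.113.0/29 is a constructed stand-in.

```python
import ipaddress

# Branch ASA routing state taken from the posted config. The outside subnet is
# elided on the page (<outside ip> 255.255.255.248), so 203.0.113.0/29 is a
# constructed stand-in.
ROUTES = [
    ("10.15.6.0/23", "inside"),     # connected: interface Vlan1
    ("203.0.113.0/29", "outside"),  # connected: interface Vlan2 (constructed)
    ("0.0.0.0/0", "outside"),       # route outside 0.0.0.0 0.0.0.0 ...
    ("10.1.1.15/32", "outside"),    # route outside 10.1.1.15 255.255.255.255 ...
]
# ip verify reverse-path interface inside / outside
URPF_INTERFACES = {"inside", "outside"}


def lookup(addr, routes=ROUTES):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best


def trace(ingress, src, dst):
    """Model only the route-lookup and reverse-path steps of packet-tracer."""
    dst_route = lookup(dst)
    src_route = lookup(src)
    result = {
        "input": ingress,
        "output": dst_route[1] if dst_route else None,
        "src_route": f"{src_route[0]} via {src_route[1]}" if src_route else None,
        "action": "allow",
        "drop_reason": None,
    }
    if dst_route is None:
        result.update(action="drop", drop_reason="no-route")
    # Reverse-path check: the best route back to the source must point at the
    # interface the packet arrived on.
    elif ingress in URPF_INTERFACES and (src_route is None or src_route[1] != ingress):
        result.update(action="drop", drop_reason="rpf-violated")
    return result


if __name__ == "__main__":
    cases = [
        ("inside", "10.15.16.1", "10.1.1.15"),  # first trace in the thread
        ("inside", "10.15.6.2", "10.1.1.15"),   # corrected source
        ("outside", "10.15.6.2", "10.15.6.1"),  # inside address arriving outside
    ]
    for ingress, src, dst in cases:
        r = trace(ingress, src, dst)
        print(f"{src} -> {dst} on {ingress}: {r['action']} "
              f"({r['drop_reason']}), source routes to {r['src_route']}")
```

The model covers neither the NAT phases nor the VPN encrypt phase that appear in the second trace.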
RG54G2 Wireless Router Internet Connection Problem
Hi,
(apologies for the long message - trying to cover all details - summary: wireless router often drops internet connection)
I recently bought an RG54G2 Wireless Router, a CB54G2 PCMCIA Wireless card and a D-Link GWL-630 PCMCIA Wireless card. In addition to two laptops connected to the wireless router WLAN, I have two PCs (one Win WP Pro SP 1 and one Win98SE) connected to the router via wired LAN. I also have a SurfBoard SB3100 Cable Modem connected to the WAN port (this connects to my ISP - Optusnet (Australia) via DHCP).
The problem I have is that the internet connection is disconnected many times a day (often every few minutes, sometimes an hour or so). I am able to reconnect by resetting the wireless router via the wireless router configuration page. When the internet is disconnected I am still able to access the computers on the LAN/WLAN (via Windows Explorer and Ping), I am also able to ping the router and the Cable Modem, but nothing outside of the cable modem.
Also, when the internet is disconnected the System Status page indicates that the router is still connected to the internet, and the Diagnostics page passes the Test Connection test, though no external pings work.
I did not have this problem when the cable modem was connected directly to the Win98SE PC (and other PCs via ICS).
I have disabled the WLAN and the problem still exists with only the wired LAN.
I have changed numerous settings in the wireless router config page with no success (eg disabling DHCP and setting each IP address, minimising LAN and WLAN speeds to 10 and 11MBps plus others).
I have upgraded the wireless router firmware to R1.0.6.0 (no change to the problem).
Searching on Google I have found several other cases of routers with unstable internet connections (none referring to the MSI routers), but none had solutions that helped my situation (most replies suggested updating the firmware).
Any suggestions of how to make the router internet connection stable?
Thanks,
Mike
maybe this is the FIX 4 wireless router internet connection problem
please let me know if any one fix the problem with this tips
thankz
Newsgroups: comp.os.ms-windows.networking.windows
From: "M. B."
Date: Fri, 06 Feb 2004 16:20:48 GMT
Local: Fri, Feb 6 2004 8:20 am
Subject: SOLUTION to my router loosing connection to Windows XP
I am happy to report that after 8 days of constant battles, reboots, phone
calls, cable pulling, router changing, it seems that I finally have found a
combination that has had me using Verizon DSL account for over 12 hours so
far without any kind of interruptions.
Since so many of you tried giving me comments and suggestions, I felt that
it is necessary for me to post this here so that the next person will not
(hopefully) need to go through this hell as I did!
My original problem was that after I purchased a D-Link Wireless Router
DI-624, I would get disconnected from Verizon DSL at least once every 2
hours or so. My internet access would "freeze" and then a little popup box
at the bottom right system tray would tell me that the "LAN cable has been
unplugged". After about a minute or so, my internet connection would be
back working. This was NEVER happening during the 2+ years I was using my
Westell modem alone (running in router mode).
Please keep in mind: The problem I was having was not wireless related as
it was happening to the desktop computer to which the router/westell was
connected!
During these last 8 days, I tried: one DI-624 wireless router, two Netgear
614v3 routers and two Linksys WRT54G v.2 routers. In addition, I received a
brand new Westell 2200 modem from Verizon. I also tried about four
different CAT-5 cables. Here is the final outcome:
I have the Linksys WRT54G (version 2) wireless router connected to the
Netgear Fast Ethernet FA310TX network card in Auto-Sense mode (using the
built-in XP drivers, as Netgear told me that there was never a newer
revision released). I have DISABLED the built-in 3Com Gigabit LOM (3C940)
network card (via the ASUS P4C800 Deluxe motherboard BIOS), DISABLED the
Zero Wireless Configuration service, and have put in the IP/Gateway/DNS
address numbers inside my Windows XP Network Connections | LAN setup. My
operating system is Windows XP Pro SP1 and the modem is a Westell 2200
configured as bridge only.
If my situation continues to be stable, I *might* try to go back to the 3Com
built-in card (disable any power management) and then re-enabling the Zero
Wireless Configuration services. But in reality, I am happy with the way
things are and have already spent enough time trying to get my router to
work with Verizon DSL without having it drop connections!
Now, the next step will be setting up the WIRELESS part of this. I don't
even yet have a laptop with me on the premises, but the 802.11g card that I
already have is the D-Link DWL-G650. I hope and assume that this will work
okay with the Linksys...
One thing I must say is that I never realized how many problems other
users are having. I would have thought that since 802.11x has been around
in the mainstream by now 2+ years, that things would have been much more
"system friendlier". And again, my issues were not even WIRELESS related.
All 3 tech supports were not really helpful, as none of them realized that
the problem is somehow between the router and Windows XP (Ethernet card?)
losing a connection, which of course results in Verizon DSL losing the
connection also.
One other comment about the Netgear 614 v.3 router: A number of people have
responded to tell me that they have had this random "router resetting"
happen to them (where the router behaves as if someone turned the power off
and then back on, and the lights flash just as if you first turn it on). I
was lucky to witness it myself during one of the "disconnects" that I had.
This was actually the reason why I went back to try the Linksys one more
time. So, I would definitely recommend staying away from this 614 (version
3) model.
Once again - THANK YOU everyone! -
Hi,
We have two datacenters same logical LAN.
Two ISP routers and two WAE 674 and using WCCP "egress-method negotiated-return intercept-method wccp"
See attached file.
The problem is when one of the "line" WAN interface goes down, some of the network are not reach from the LAN side and some are.
We are using BGP as routing protocol in the ISP routers.
Any suggestion for the problem?
Jan
Hello I am from the ISP and wanted to address these issues
2. When WAN goes down and LAN remains up, your WCCP is still UP and hence, it continues to forward packets out of same WAN interface but because that interface is down, packets ultimately die / get blackholed.
3. Another speculation is: Asymmetric routing. When WAN is down but LAN is up, you are forwarding some traffic out of LAN but as WAN goes down, the return packets then come up on different interface and creates asymmetric routing.
On question 2 with WCCP the router would still try to send packets out the WAN interface even though it's down? Wouldn't the router be able to tell that routing changed to the source/dest subnets and not blindly send packets to a down interface? If not then this most likely is what happened.
Here is the WAN interface config. WCCP is enabled for inbound redirection but the same for the actual data LAN interface
interface GigabitEthernet0/0
description link to PE
bandwidth 9000
no ip address
ip route-cache flow
duplex full
speed 10
media-type rj45
no cdp enable
interface GigabitEthernet0/0.22
encapsulation dot1Q 22
ip address **********omit ****** 255.255.255.252
ip wccp 62 redirect in
no cdp enable
and here is the LAN side
interface GigabitEthernet0/1
no ip address
ip access-group 113 in
ip route-cache flow
duplex full
speed 100
media-type rj45
service-policy output CE_OUT_MARK_0
interface GigabitEthernet0/1.2450
description Customer LAN
encapsulation dot1Q 2450
ip address ********* 255.255.255.224
ip wccp 61 redirect in
no cdp enable
interface GigabitEthernet0/1.2459
description Connection to customer-managed WAE Device For WCCP
encapsulation dot1Q 2459
ip address ******** 255.255.255.224
ip wccp redirect exclude in
no cdp enable
interface GigabitEthernet0/1.2460
encapsulation dot1Q 2460
ip address ******* 255.255.255.224
ip wccp redirect exclude in
no cdp enable
The sister router is configured in much the same way.
On question 3
3. Another speculation is: Asymmetric routing. When WAN is down but LAN is up, you are forwarding some traffic out of LAN but as WAN goes down, the return packets then come up on different interface and creates asymmetric routing.
Wouldn't asymmetric routing just result in non optimized connections as it would never see the TCP option set for optimization?
We are going to run this same test this weekend and I will look at all these things but it seems as though asymmetric routing would result in no optimization but not packet blockage. Regarding question 2 if WCCP remains up and is black holing traffic I can see this as an issue for sure.
One last question also regarding the loopbacks and GRE return. There are distribute lists that block each router from learning the other's loopback when the WAN is down. Do you think this would matter? Reason I ask is because on the asymmetric side again let's say a packet comes into router #1 via the LAN and gets redirected to the WAE with source IP of the Loopback. When the WAE returns the packet to the router I would think it would not need routing to the #2 router's loopback as the destination at this point would be back to the client/server. Also when the router forwards to the WAE what IP on the WAE does it use? -
Hello experts,
I have a problem about the WAAS optimization.
The topology is...
Center: 7200 Router working with WCCP (512 WAE)
Edge: 2800 Router working with WCCP (612 WAE)
When I tried to reach the Database (behind the 7200 Router) from the Edge site, it's working! But during this time, when I look at the Current Connection status, there is no optimization traffic (you can see the attached file).
I have done this setup, demo etc. too many times, but this is the first time I have encountered such a problem.
You can see the configuration below.
By the way, when I look at the "show ip wccp" command output, there is no traffic on Service identifier 62. Do we need to see this traffic increase?
Thanks in advance for your help.
BM-7206-METRO#show ip wccp
Global WCCP information:
Router information:
Router Identifier: 10.200.200.193
Protocol Version: 2.0
Service Identifier: 61
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 37207
Process: 0
Fast: 0
CEF: 37207
Service mode: Open
Service access-list: -none-
Total Packets Dropped Closed: 0
Redirect access-list: 199
Total Packets Denied Redirect: 1074214
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
Service Identifier: 62
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 0
Process: 0
Fast: 0
CEF: 0
Service mode: Open
Service access-list: -none-
Total Packets Dropped Closed: 0
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
CORE_WAE
configure terminal
primary-interface gigabitEthernet 1/0
device mode application-accelerator
central-manager address 10.10.10.10
cms enable
wccp version 2
wccp router-list 1 2.2.2.1 (ROUTER IP add)
wccp tcp-promiscuous router-list-num 1
EDGE_WAE
configure terminal
primary-interface gigabitEthernet 1/0
device mode application-accelerator
central-manager address 10.10.10.10
cms enable
wccp version 2
wccp router-list 1 1.1.1.1
wccp tcp-promiscuous router-list-num 1
CORE_ROUTER
ip wccp version 2
ip wccp 61
ip wccp 62
interface gi 2/0 (LAN)
ip wccp 61 redirect in
interface gi 3/0.26 (WAN) (Note: also this interface have a Tunnel int. connect to edge router tunnel int.)
ip wccp 62 redirect in
interface gi 1/0 (WAE LAN)
ip wccp redirect exclude in
ip cef
EDGE_ROUTER
ip wccp version 2
ip wccp 61
ip wccp 62
interface gi 1/0 (LAN)
ip wccp 61 redirect in
interface ATM 2/0.1 (WAN) (Note: also this interface have a Tunnel int. connect to central router tunnel int.)
ip wccp 62 redirect in
interface gi 2/0 (WAE LAN)
ip wccp redirect exclude in
ip cef
Hi Zach
Center router IOS version is c7200-advipservicesk9_li-mz.124-11.T.bin
Edge router IOS version is c2800nm-adventerprisek9-mz.124-9.T2.bin
Also you can see the configurations in the attachment
Thanks,
My best.
CORE WAE CONFIG:
Based on the input, the following configurations will be done:
central-manager address 10.166.0.10
interface GigabitEthernet 1/0
ip address 10.166.0.20 255.255.0.0
autosense
exit
ip default-gateway 10.166.0.1
ip name-server 10.201.0.201
ip domain-name tcmb.gov.tr
primary-interface GigabitEthernet 1/0
hostname CORE
clock timezone UTC 0 0
wccp version 2
wccp router-list 8 10.166.0.1
wccp tcp-promiscuous router-list 8
cms enable
EDGE WAE CONFIG:
Based on the input, the following configurations will be done:
central-manager address 10.166.0.10
interface GigabitEthernet 1/0
ip address 10.126.2.20 255.255.255.0
autosense
exit
ip default-gateway 10.126.2.1
ip name-server 10.201.0.201
ip domain-name tcmb.gov.tr
primary-interface GigabitEthernet 1/0
hostname EDGE
clock timezone UTC 0 0
wccp version 2
wccp router-list 8 10.126.2.1
wccp tcp-promiscuous router-list 8
cms enable -
WAAS - WCCP L2-redirection in WS-C6509-E
Hi,
I have a customer with three offices, one is the data center. The other two offices get information from the data center and between them.
Each one of these remote offices goes through two different SPs to the data center, and each one is received in its own router. The core of the data center is a switch WS-C6509-E (IOS s72033-entservicesk9_wan-vz.122-18.SXF7.bin).
Because there are two different SPs in the data center, the traffic redirection must be done in the switch c6500. I think that the following configuration is the correct one:
ip wccp version 2
ip wccp 61 redirect-list 101
ip wccp 62 redirect-list 101
interface Vlan1
description *** WAN routers and users ***
ip address 10.0.16.1 255.255.240.0
ip wccp 62 redirect out
ip wccp 61 redirect in
interface Vlan 200
description *** WAEs ***
ip address 10.34.114.65 255.255.255.252
ip wccp redirect exclude in
interface Vlan201
description *** Servers and Users 1 ***
ip address 10.15.240.1 255.255.240.0
ip wccp 61 redirect in
interface Vlan202
description *** Servers and Users 2 ***
ip address 10.16.128.1 255.255.240.0
ip wccp 61 redirect in
But now I read about the problems using GRE redirection in the switch c6500. I read too that the best way to do this is using L2-redirection, but I don't have any idea of how to do this. I am using the WAAS version 4.1.1.
Can anybody help me by explaining the way to configure that?
Dan,
I think that the best option for this network is number one, use WCCP on the two 7206VXRs, and redirect the traffic to a single WAE in the same subnet of the hosts.
But now, I don't understand the implications of using the command "egress-method negotiated-return intercept-method wccp". What else should I consider or configure (in the router or in the WAE) to make this interception work?
I think that the configuration on the routers and in the WAE should be something like this:
--- Router 1
ip wccp version 2
ip wccp 61 redirect-list 101
ip wccp 62 redirect-list 101
interface Serial3/3:1
ip address 10.34.113.213 255.255.255.252
ip wccp 61 redirect in
ip wccp 62 redirect in
interface GigabitEthernet0/1
ip address 10.0.16.2 255.255.240.0
ip wccp redirect exclude in
--- Router 2
ip wccp version 2
ip wccp 61 redirect-list 101
ip wccp 62 redirect-list 101
interface Serial3/3:1
ip address 10.134.143.217 255.255.255.252
ip wccp 61 redirect in
ip wccp 62 redirect in
interface GigabitEthernet0/1
ip address 10.0.16.3 255.255.240.0
ip wccp redirect exclude in
--- WAE
interface GigabitEthernet 1/0
ip address 10.0.16.4 255.255.255.0
exit
egress-method negotiated-return intercept-method wccp
wccp router-list 1 10.0.16.2 10.0.16.3
wccp tcp-promiscuous router-list-num 1
Thanks and Regards,
Pablo -
WAAS / WCCP service groups / L2 adjacencies
Hi all,
I'm having trouble finding a definitive answer on this one. I'm working on a WAAS deployment in a network with asymmetric routing. I want to deploy WAAS accelerators at two geographically dispersed data centre sites (head end). Do the WAAS boxes themselves need to be L2 adjacent with each other in this configuration? i.e. can the service group consist of two routers (one at each DC) and two WAEs (one at each site), with routed links between the DCs (WAEs in separate IP subnets)?
Something like:
- two routers (rtr-A, rtr-B)
- two WAAS accelerators (waas-A, waas-B)
- rtr-A and waas-A are L2 adjacent and use WCCP w/L2 redirection
- rtr-B and waas-B are L2 adjacent and use WCCP w/L2 redirection
- rtr-A and waas-B are not L2 adjacent and use WCCP w/GRE redirection
- rtr-B and waas-A are not L2 adjacent and use WCCP w/GRE redirection
Here's a quick diagram:
http://i4.tinypic.com/62nhf5u.jpg
(all links are L3/routed)
cheers!
Dale,
There is no requirement for the WAEs to be L2 adjacent to each other. Note that the WCCP Forwarding Method is negotiated per Service Group -- so it can either be L2 or GRE. Based on your description, you would want to use GRE Forwarding.
Regards,
Zach -
Hi guys,
Please have a look at my topology attached. Right now this is what I have configured on the core:
ip wccp 61
ip wccp 62
int vlan 151
ip wccp 61 redirect in
int vlan 173
ip wccp 62 redirect in
The same is configured on the branch office with the appropriate vlans.
Whatever I do, the "total packets redirected" count never seems to increase. I tried turning on ip wccp 62 redirect out on vlan 173, and ip wccp 61 redirect in on the same vlan, but then only the count for service 61 goes up.
Also, should I use access-lists to permit redirection only to branch offices that have a WAE? If I don't use a redirect-list, shouldn't all packets be redirected to the WAE, and then the WAE would decide whether to optimize or not based on if there's another WAE at the endpoint location?
Here's an output of "sh ip wccp 61 detail"
WCCP Cache-Engine information:
Web Cache ID: x.x.x.x
Protocol Version: 2.0
State: Usable
Redirection: L2
Packet Return: GRE
Packets Redirected: 0
Connect Time: 00:51:22
Assignment: MASK
Any help is greatly appreciated.
Since you are performing L2 rewrite under WCCP, you will not see the packets redirected increase. The redirection is handled by hardware instead of software. If redirection was done on a router, you would see packet increases.
I have had WAAS in place for about a year now and you can see below that I have only redirected 2 packets. I am redirecting on a 6509 as well.
mp1swcr01#show ip wccp 61
Global WCCP information:
Router information:
Router Identifier:
Protocol Version: 2.0
Service Identifier: 61
Number of Cache Engines: 2
Number of routers: 2
Total Packets Redirected: 2
Redirect access-list: WAAS_61
Total Packets Denied Redirect: 9179
Total Packets Unassigned: 186
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0 -
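Added example (not part of any post in this thread): a small Python parser for the `show ip wccp` output quoted above, applying the reply's point that with L2 redirection the redirected-packet counter is not a reliable health indicator. The sample text is trimmed from the outputs on this page, and the function names are hypothetical.

```python
import re

# Constructed samples, trimmed from the command outputs quoted on this page.
ROUTER_OUT = """\
Global WCCP information:
Router Identifier: 10.200.200.193
Service Identifier: 61
Total Packets s/w Redirected: 37207
Redirect access-list: 199
Total Packets Denied Redirect: 1074214
Total Packets Unassigned: 0
Service Identifier: 62
Total Packets s/w Redirected: 0
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
"""
SWITCH_OUT = """\
Service Identifier: 61
Total Packets Redirected: 2
Redirect access-list: WAAS_61
Total Packets Denied Redirect: 9179
Total Packets Unassigned: 186
"""
SWITCH_DETAIL = """\
State: Usable
Redirection: L2
Packet Return: GRE
Packets Redirected: 0
"""

def parse_show_ip_wccp(text):
    """Return {service_id: {field: value}} from 'show ip wccp' output."""
    services, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            continue
        if key == "Service Identifier":
            current = services.setdefault(int(value), {})
        elif current is not None:
            # Router output says "s/w Redirected"; fold it into one key.
            key = key.replace(" s/w", "")
            current[key] = int(value) if value.isdigit() else value
    return services

def redirection_method(detail_text):
    """Return 'L2' or 'GRE' from 'show ip wccp <id> detail' output."""
    m = re.search(r"^\s*Redirection:\s*(\S+)", detail_text, re.MULTILINE)
    return m.group(1) if m else None

def assess(services, methods=None):
    """methods maps service id -> redirection method, when it is known."""
    methods = methods or {}
    report = {}
    for sid, fields in sorted(services.items()):
        notes = []
        redirected = fields.get("Total Packets Redirected", 0)
        if methods.get(sid) == "L2":
            # Per the reply above: hardware L2 rewrite is not counted here.
            notes.append("L2 redirection: software counter is not conclusive")
        elif redirected == 0:
            notes.append("no packets redirected in software on this service")
        denied = fields.get("Total Packets Denied Redirect", 0)
        if denied:
            acl = fields.get("Redirect access-list")
            notes.append("redirect-list %s denied %d packets" % (acl, denied))
        unassigned = fields.get("Total Packets Unassigned", 0)
        if unassigned:
            notes.append("%d packets unassigned" % unassigned)
        report[sid] = notes
    return report
```
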
WAAS: WCCP Mask or Hash on Routers?
I'm starting to think about using mask assign on an ISR router running 12:4(24)T with GRE/GRE. Has anyone done this before and can you use mask assign with GRE/GRE? We need to use it with GRE/GRE because our egress method has to be WCCP return. My thought was mask assign will be much better at load balancing across multiple WAEs in a cluster than hash because you can specify a long mask assignment. Right now, we see more load on one WAE than the other and are sometimes getting TFO overload.
The page you linked contains recommendations (in bold) for each platform. On the ISR G2 specifically, you should be able to use any combination of GRE/L2 and MASK/HASH assignment. Some other platforms require specific distribution and redirection methods to maintain the hardware acceleration of WCCP traffic. However, the ISR G2 does not have this requirement.
WCCP GRE and HASH distribution on ISR G2 is typically recommended to make deployment easier. With GRE, content devices can be an L3 hop away (if needed), and it reduces the chance of customers accidentally creating a WCCP redirect loop.
L2 distribution and HASH redirection method should typically require the least CPU and memory load on the ISR. These should perform the best in most cases.
The MASK distribution method gives better controls on how load is divided between multiple content devices, typically at the cost of more CPU and memory utilization. If you have only one or two content devices in your cluster, typically HASH will meet the need for slightly less CPU. As Zach said, most times MASK is used on the Datacenter side to give the ability to 'tweak' how the load is distributed across multiple devices.
Thanks,
Aaron -
Anyone know what "Spoofed packets dropped" and the "Packet pullups needed" are? Is the WAAS dropping packets it thinks it's being spoofed? Also, how can I get rid of the pullups? The WCCP setup is as follows; l2 forward/return to a 3750E stack switch, interfaces are set up as standby and the model is a 7371. I'm not using any WCCP redirect list.
Transparent GRE packets received: 0
Transparent non-GRE packets received: 1940435323
Transparent non-GRE non-WCCP packets received: 0
Total packets accepted: 461319375
Invalid packets received: 731
Packets received with invalid service: 0
Packets received on a disabled service: 0
Packets received too small: 0
Packets dropped due to zero TTL: 0
Packets dropped due to bad buckets: 617
Packets dropped due to no redirect address: 0
Packets dropped due to loopback redirect: 227
Pass-through pkts dropped on assignment update:61
Connections bypassed due to load: 0
Packets sent back to router: 1829
GRE packets sent to router (not bypass): 0
Packets sent to another WAE: 63037
GRE fragments redirected: 1116193
GRE encapsulated fragments received: 0
Packets failed encapsulated reassembly: 0
Packets failed GRE encapsulation: 0
Packets dropped due to invalid fwd method: 0
Packets dropped due to insufficient memory: 0
Packets bypassed, no conn at all: 0
Packets bypassed, no pending connection: 0
Packets due to clean wccp shutdown: 0
Packets bypassed due to bypass-list lookup: 166
Packets received with client IP addresses: 460833489
Spoofed packets dropped: 57416
Conditionally Accepted connections: 0
Conditionally Bypassed connections: 0
L2 Bypass packets destined for loopback: 0
Packets w/WCCP GRE received too small: 0
Packets dropped due to received on loopback: 219
Packets dropped due to IP access-list deny: 0
Packets fragmented for bypass: 0
Packets fragmented for egress: 0
Packet pullups needed: 5484
Packets dropped due to no route found: 0