Urgent ! Router-WAAS WCCP problem

I have dot1q enabled 7507 connecting frame relay branch to data centre.
Core WAAS sits on a VLAN subinterface.
As soon as I enable "ip wccp redirect 61 in" on VLAN trunked interface, I am losing connection to the branch.
The config is here:
interface GigabitEthernet4/0/0
 description Core Data Centre Trunk VLAN 3,120 to SWDC03 3/16
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 load-interval 30
 negotiation auto
 no cdp enable
interface GigabitEthernet4/0/0.3
 description Core Data Centre VLAN
 encap dot1q 3
 ip address xxxx
 ip wccp 61 redirect in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip route-cache flow
 no cdp enable
 standby 3 ip 10.64.205.17
 standby 3 priority 150
 standby 3 preempt
interface GigabitEthernet4/0/0.120
 description Core WAAS VLAN120
 encap dot1q 120
 ip address yyyyyyy
 ip wccp redirect exclude in
 no ip redirects
 no ip unreachables
interface Serial0/0/3.64 point-to-point
 ip wccp 62 redirect in
The IOS version is rsp-jsv-mz.123-17b and WAAS version 4.0.13. I have tested this before without VLAN trunking on another router using a separate interface and it was working. Any idea?
thanks

Thanks guys. I will explain the problem a bit more. When WAAS sits on a separate i/f on WAN router, it works fine, i.e. "wccp redirect 61 in" on interface connecting WAN router to Data Centre and "wccp redirect 62 in" on WAN frame relay. Then I configured the i/f connecting WAN router to Data Centre as dot1q trunk and a dedicated VLAN is created for WAAS. The default gateway for WAAS is HSRP address in 6509s. The WCCP router address configured in WAAS is the loopback0 address of the WAN router. The "wccp redirect 62 in" on WAN frame relay stays same. However, "wccp redirect 61 in" carried to a new subinterface on the same access as WAAS VLAN.
All WCCP commands show that there is a connection between WAAS and WAN router, packet count goes up. However, all TCP sessions to the branch (initiated from the Data Centre) fail. I have also tested with and without "wccp redirect exclude in" on WAAS VLAN subinterface without success. Since I had to install the branch the WAAS on the weekend, I moved WAAS back to dedicated interface on WAN router. It works fine but I can not implement redundancy.
The suggestion was to make WAN router subinterface HSRP active rather than 6509 MSFCs. So WAAS talks to WAN router's loopback address and default gateway also points to the same router rather than MSFC. I have not had a chance to test this but I will test in the coming weeks. I was also suggested to use layer2 redirection on 6509 but did not have any chance to look at it closely.
thanks
Serhat

Similar Messages

  • Router IOS requirements to work with WAAS WCCP?

    Can someone help me with up to date switch and router IOS requirements to work with WAAS WCCP configuration? There used to be a Cisco document explaining that but I can't find it any more.
    Here is our WAAS 4.2.3 deployment in the network:
    Data center: Cat6500 Sup720-3B running IOS 12.2(18)SXF12a will do WCCP L2 redirection. I've seen minimum Sup720 IOS requirement of 12.2(18)SXF13 in one place and 12.2(18)SXF16 in another, but there are also examples of using 12.2 (18) SXF5. Which one is the latest Cisco recommendation?
    Remote sites: 3825 and 3845 routers (some are running 12.4 T train and some are in 12.4 main line) will do WCCP GRE redirection to WAE's. One of the routers will use a WAE-NME-522 module. Others are WAE appliances. Again, what are the latest Cisco recommendations?
    Another question: for an IOS release, does it matter which package to use, such as advanced IP services, enterprise services, or SP services?
    Thanks a lot.

    Here you go.
    http://www.cisco.com/en/US/partner/prod/collateral/contnetw/ps5680/ps6870/white_paper_c11-608042.html
    For IOS release, you will need a package that has WCCP support.
    Hope this helps.
    Regards.
    PS: Please mark this as Answered, if this answers your question.

  • How does QoS work with WAAS WCCP? What's the interaction between QoS Traffic Classification and WAE Traffic Application Policy?

    How does QoS work with WAAS WCCP? What's the interaction between Router QoS Traffic Classification and WAE Traffic Application Policy?

    By default, WAAS preserves the DSCP marking on intercepted packets.  There is a configuration option to set/override the DSCP value at the global (device), application, and classifier levels.  Currently WAAS provides marking only.  There is no action taken by WAAS based on the DSCP value.
    Regards,
    Zach

  • WAAS wccp tcp-promiscuous service-pair configuration question

    I have a WAE 512 that I upgraded to 4.5.1, the WCCP configuration was automatically changed in the configuration to the following:
    wccp router-list 1 192.168.20.1
    wccp tcp-promiscuous service-pair 61 62 failure-detection 30
    wccp tcp-promiscuous service-pair 61 62 router-list-num 1
    wccp version 2
    I have a WAVE-674 that I am going to replace this 512 with and I installed 5.0.1 on the 674.  I went through the automatic setup process and the wccp configuration came up like this:
    wccp router-list 7 192.168.20.1
    wccp tcp-promiscuous service-pair 1 2
    router-list-num 7
    exit
    And it informed me that I needed to put the wccp redirects for 61 in on LAN and 62 in on WAN, standard on the router and wccp 2, which I already have done.
    My question is, should my 5.0.1 configuration look the same as my 4.5.1 configuration, or does it matter?  I only found one document on the internet that had this "wccp tcp-promiscuous service-pair 1 2" in a Cisco PDF document where they were removing it to put some GRE specific configurations. 

    Hi Beau,
    Something went wrong with the new WAVE 674 wccp configuration. If the wccp router is the same (192.168.20.1) make sure it looks the same as in 4.5.1 version.
    Also for devices with WAAS version 5.0, you must explicitly configure the egress method.
    http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v501/configuration/guide/traffic.html#wp1275623
    If you need assistance choosing the right egress method I suggest opening a TAC case.
    Hope that helps!

  • WCCP Problem

    Hi all,
    I'm trying to set up WCCP between a Cisco 1941 router and my IronPort S170 appliance.
    This is the WCCP configuration on router side :
    ip access-list extended WCCPRedirect
     permit tcp <my internal LAN> any eq www
     permit tcp <my internal LAN> any eq 443
     permit tcp <my internal LAN> any eq ftp
    ip access-list standard IronPort
     permit <IronPort IP Address>
    ip wccp web-cache redirect-list WCCPRedirect group-list IronPort
    ip wccp 60 redirect-list WCCPRedirect group-list IronPort
    ip wccp 70 redirect-list WCCPRedirect group-list IronPort
    interface GigabitEthernet0/1
     ip address <my internal Address> <my Subnet Mask>
     ip wccp web-cache redirect in
     ip wccp 60 redirect in
     ip wccp 70 redirect in
    The problem is that when I set up transparent redirection in my IronPort Appliance WCCP does not work.
    These are the WCCP logs of the IronPort Appliance :
    Fri Feb 15 09:52:09 2013 Warning: WCCP : - : ERROR:repeated capabilities
    Fri Feb 15 09:52:09 2013 Warning: WCCP : - : ERROR:ISY: cap error
    Fri Feb 15 09:52:19 2013 Warning: WCCP : - : ERROR:repeated capabilities
    Fri Feb 15 09:52:19 2013 Warning: WCCP : - : ERROR:ISY: cap error
    Fri Feb 15 09:52:24 2013 Warning: WCCP : - : ERROR:repeated capabilities
    Fri Feb 15 09:52:24 2013 Warning: WCCP : - : ERROR:ISY: cap error
    Fri Feb 15 09:52:25 2013 Warning: WCCP : - : ERROR:repeated capabilities
    Fri Feb 15 09:52:25 2013 Warning: WCCP : - : ERROR:ISY: cap error
    So i think it's a problem about WCCP capabilities.
    This is "method" configuration on IronPort side
    This is output of "sh ip wccp capabilities" on router side :
    Capability                          Setting
    Supported forwarding methods        GRE & L2
    Supported return methods            GRE & L2
    Supported assignment methods        Hash & Mask
    Accelerated forwarding methods      L2
    Accelerated return methods          GRE & L2
    Accelerated assignment methods      Mask
    Accelerated Mode CLI                Off, CLI Disabled
    Supported redirection types         Input & Output
    Check Outbound ACL CLI              CLI Enabled
    Check All Services CLI              CLI Enabled
    Closed Service Suport               Supported
    VRF Support                         Supported
    Supported service groups            256
    There's something wrong on method configuration of IronPort appliance or in router side WCCP configuration?
    IronPort appliance model is S170 with AsyncOS 7.1.3-021
    Router is Cisco 1941 with IOS c1900-universalk9-mz.SPA.152-3.T.bin
    Thank you in advance

    Hi Erik,
    I applied configuration you suggested me and modified wccp logs to trace level.
    This is the output of sh ip wccp web-cache detail on ISR router :
    WCCP Client information:
            WCCP Client ID:          192.168.120.19
            Protocol Version:        2.00
            State:                   NOT Usable (Initializing)
            Redirection:             None
            Packet Return:           None
            Assignment:              None
            Connect Time:            00:00:24
    I also launched debug ip wccp events and packets on ISR router and this is the output (192.168.120.19 is WSA ip address, 192.168.120.40 is ISR router ip address) :
    *Feb 18 09:29:37.967: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 910)
    *Feb 18 09:29:37.967: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.120.19, rcv_id:911
    *Feb 18 09:29:37.967: WCCP-PKT:IPv4:S0: Sending 136 bytes from 192.168.120.40 to 192.168.120.19
    *Feb 18 09:29:43.015: WCCP-PKT:IPv4:S0: Sending RQ to 192.168.120.19, rcv_id:912
    *Feb 18 09:29:43.015: WCCP-PKT:IPv4:S0: Sending 64 bytes from 192.168.120.40 to 192.168.120.19
    *Feb 18 09:29:43.967: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 912)
    *Feb 18 09:29:43.967: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.120.19, rcv_id:913
    *Feb 18 09:29:43.967: WCCP-PKT:IPv4:S0: Sending 136 bytes from 192.168.120.40 to 192.168.120.19
    *Feb 18 09:29:44.987: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 913)
    *Feb 18 09:29:44.987: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.120.19, rcv_id:914
    *Feb 18 09:29:44.987: WCCP-PKT:IPv4:S0: Sending 136 bytes from 192.168.120.40 to 192.168.120.19
    *Feb 18 09:29:46.007: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 914)
    *Feb 18 09:29:46.007: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.120.19, rcv_id:915
    *Feb 18 09:29:46.007: WCCP-PKT:IPv4:S0: Sending 136 bytes from 192.168.120.40 to 192.168.120.19
    *Feb 18 09:29:47.979: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 915)
    *Feb 18 09:29:47.979: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.120.19, rcv_id:916
    *Feb 18 09:29:47.979: WCCP-PKT:IPv4:S0: Sending 136 bytes from 192.168.120.40 to 192.168.120.19
    *Feb 18 09:29:48.015: WCCP-EVNT:IPv4:S0: Cache removal timer expired (192.168.120.19)
    *Feb 18 09:29:48.015: WCCP-EVNT:IPv4:S0: deallocated wc 192.168.120.19 orig assign info (hash)
    On WSA I launched tail command on wccp subscription (30) and this is the output :
    Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
    Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
    Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.20  -- 29 ISY(s) outstanding
    Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
    Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
    Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.10  -- 29 ISY(s) outstanding
    Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
    Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
    Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.20  -- 29 ISY(s) outstanding
    Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
    Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
    Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.10  -- 29 ISY(s) outstanding
    Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
    Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
    Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.120.40  -- 42 ISY(s) outstanding
    Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
    Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
    Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.20  -- 29 ISY(s) outstanding
    Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
    Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
    Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.10  -- 29 ISY(s) outstanding
    Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
    Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:ISY received from 192.168.120.40.(136 bytes)
    Mon Feb 18 10:32:58 2013 Warning: WCCP : - : ERROR:repeated capabilities
    Mon Feb 18 10:32:58 2013 Warning: WCCP : - : ERROR:ISY: cap error
    Note that the ISR router ip address is 192.168.120.40. I've also WCCP service active on two other L3 switches (two Cisco 3560G-24TS-S) so in logs above you can see wccp requests come from 192.168.208.10 and 192.168.208.20. On those switches WCCP works fine.
    I noticed that there's a difference on time settings between WSA and ISR router, can this be cause of malfunction?
    Thank you so much.
    Best Regards.
    Alessandro
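
Added example (not part of the original posts): a Python summarizer for router "debug ip wccp events/packets" output. Run over lines copied from the debug output quoted above, it shows per client that every HIA arrives with rcv_id 0 while the router keeps answering with ISY, until the removal timer expires. The function names are illustrative.

```python
import re
from collections import defaultdict

# Sample lines copied from the router debug output quoted in the post above.
SAMPLE_DEBUG = """\
*Feb 18 09:29:37.967: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 910)
*Feb 18 09:29:37.967: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.120.19, rcv_id:911
*Feb 18 09:29:43.015: WCCP-PKT:IPv4:S0: Sending RQ to 192.168.120.19, rcv_id:912
*Feb 18 09:29:43.967: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 912)
*Feb 18 09:29:43.967: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.120.19, rcv_id:913
*Feb 18 09:29:48.015: WCCP-EVNT:IPv4:S0: Cache removal timer expired (192.168.120.19)
"""

BAD_HIA = re.compile(r"HIA from ([\d.]+) with bad rcv_id (\d+) \(expected (\d+)\)")
SENT = re.compile(r"Sending (ISY|RQ) to ([\d.]+), rcv_id:(\d+)")
EXPIRED = re.compile(r"Cache removal timer expired \(([\d.]+)\)")


def summarize(debug_text):
    """Return {client_ip: counters} extracted from the debug text."""
    clients = defaultdict(lambda: {
        "bad_hia": 0,           # HIA messages rejected for a wrong receive ID
        "rcv_ids_seen": set(),  # receive IDs the client actually sent
        "isy_sent": 0,          # ISY replies the router sent
        "rq_sent": 0,           # RQ messages the router sent
        "expired": False,       # removal timer fired for this client
    })
    for line in debug_text.splitlines():
        m = BAD_HIA.search(line)
        if m:
            stats = clients[m.group(1)]
            stats["bad_hia"] += 1
            stats["rcv_ids_seen"].add(int(m.group(2)))
            continue
        m = SENT.search(line)
        if m:
            key = "isy_sent" if m.group(1) == "ISY" else "rq_sent"
            clients[m.group(2)][key] += 1
            continue
        m = EXPIRED.search(line)
        if m:
            clients[m.group(1)]["expired"] = True
    return dict(clients)


def verdict(stats):
    """Turn one client's counters into a short triage statement."""
    if stats["bad_hia"] and stats["isy_sent"] and stats["rcv_ids_seen"] == {0}:
        state = "one-way: router answers each HIA, client never echoes a receive ID"
    elif stats["bad_hia"]:
        state = "receive IDs out of step"
    else:
        state = "no receive-ID mismatch logged"
    if stats["expired"]:
        state += "; client timed out and was removed"
    return state


if __name__ == "__main__":
    for ip, stats in summarize(SAMPLE_DEBUG).items():
        print(ip, "->", verdict(stats))
```

A receive ID that stays at 0 means the appliance is not acting on the router's ISY messages, which matches the "ISY: cap error" lines in the appliance log quoted in the same post.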

  • Airport Express 1st Generation base station not showing up using new Linksys E1500 router.  Compatibility problem?

    Airport Utility cannot find base station. The AirPort Status Icon is showing on my iMac's menu bar, but when I click on it I do not see an AirPort option in the list --- only the various networks that are within range and the options to Create or Join a network. I have a 1st generation Airport Express (Model A1264) and recently installed a new router, Linksys E1500. Could the router be the problem? Another computer in the house had to be set up on the router using Cisco Connect on my husband's Windows 7 computer. This was also necessary for our Wii console. When I try to use Cisco Connect to see if it needs to recognize the AirPort device, it gives me certain wireless settings necessary to connect the device (Network Name (SSID), Security key and Security Type (WPA2 or WAP)). I looked on the site but didn't see an option for setting up Airport Express. I also upgraded from Snow Leopard OS to Lion shortly before adding the new router. I use the Airport Express to play our Tune music on powered speakers in our kitchen and did not think to see if it was operating between the time I upgraded the operating system and the time I installed a new router. I have two different versions of AirPort Utility on the computer 6.0 and 5.6. Any suggestions?

    Just spoke with Cisco about the router.  They said the router is compatible with the E1500.  They suggested that I contact Apple to see if their default IP address was that same as the router (192.168.1.1).  They told me I would have to change it if that was the case.  How would I do that?

  • Route or NAT problem?

    Hi Everyone,
    We have an ASA 5540 at our data center, with ASA 5505's at most remote sites.
    At the sites without layer 3 switches behind the ASA 5505's, we can't reach the data center internal network through the ASA for flow-export, etc.
    So, what I'm basically saying is, even though the tunnel is up and everything behind the branch ASA can reach the data center networks fine, the ASA itself cannot reach hosts on the data center network.
    I'm hoping to configure these ASA 5505's so I can do flow export and SNMP logging from them, but without this routing or nat problem resolved, they just won't do it.
    Doing a packet tracer from the ASA 5505 to the data center server I'm most focused on, reveals this:
    BRANCH5505f01# packet input inside icmp 10.15.16.1 8 0 10.1.1.15 detailed
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xcb0b6698, priority=1, domain=permit, deny=false
            hits=1004755, user_data=0x0, cs_id=0x0, l3_type=0x8
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=0000.0000.0000, mask=0100.0000.0000
            input_ifc=inside, output_ifc=any
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   10.1.1.15       255.255.255.255 outside
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (rpf-violated) Reverse-path verify failed
    I am thinking the problem is NAT related, but with the new ASA NAT rule format due to v9.1... struggling to get a grip on where it is... any thoughts/help are appreciated.
    Ken
    Here is the relevant config for the Branch ASA and also the relevant config from the data center ASA:
    Branch ASA Config Parts:
    : Saved
    ASA Version 9.1(2)
    hostname BRANCHASA5505
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    speed 100
    duplex full
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    description LAN_NETWORK
    nameif inside
    security-level 100
    ip address 10.15.6.1 255.255.254.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address <outside ip> 255.255.255.248
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object-group network BRANCH_NETWORKS
    description BRANCH LOCAL NETWORKS
    network-object 10.15.6.0 255.255.254.0
    object-group network LAN_NETWORKS
    network-object 10.0.0.0 255.0.0.0
    network-object 134.200.131.0 255.255.255.0
    network-object 134.200.220.0 255.255.255.0
    network-object 134.201.2.0 255.255.255.0
    network-object 163.243.195.0 255.255.255.0
    network-object 172.16.0.0 255.240.0.0
    network-object 192.168.0.0 255.255.0.0
    network-object 10.1.3.0 255.255.255.0
    network-object 10.31.2.0 255.255.255.0
    network-object 10.1.1.0 255.255.255.0
    network-object 172.26.1.0 255.255.255.0
    object-group network NETWORK_MGMT
    network-object 10.0.0.0 255.0.0.0
    access-list DATACENTER_VPN_ACL remark *******************************************************************
    access-list DATACENTER_VPN_ACL remark * FOR VPN CONNECTION TO DATACENTER/VEYANCE NETWORKS *
    access-list DATACENTER_VPN_ACL remark *******************************************************************
    access-list DATACENTER_VPN_ACL extended permit ip host <outside ip> host <outside ip datacenter asa>
    access-list DATACENTER_VPN_ACL extended permit ip object-group BRANCH_NETWORKS object-group LAN_NETWORKS
    access-list INSIDE_NONAT extended permit ip object-group BRANCH_NETWORKS object-group LAN_NETWORKS
    access-list INSIDE_FILTER extended permit tcp any4 any4 eq www
    access-list INSIDE_FILTER extended permit tcp any4 any4 eq 8080
    logging host inside 10.1.1.15
    flow-export destination inside 10.1.1.15 2055
    ip verify reverse-path interface inside
    ip verify reverse-path interface outside
    nat (inside,outside) source static LAN_NETWORKS LAN_NETWORKS destination static BRANCH_NETWORKS BRANCH_NETWORKS route-lookup
    nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
    nat (inside,outside) source dynamic any interface
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group FROM_OUTSIDE in interface outside
    route outside 0.0.0.0 0.0.0.0 <outside ip gateway> 1
    route outside 10.1.1.15 255.255.255.255 <outside ip datacenter asa> 1
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    tunnel-group <outside ip datacenter asa> type ipsec-l2l
    tunnel-group <outside ip datacenter asa> ipsec-attributes
    ikev1 pre-shared-key *****
    class-map type regex match-any DomainBlockList
    match regex DomainList-Netflix
    class-map type inspect http match-all BlockDomainsClass
    match request header host regex class DomainBlockList
    class-map inspection_default
    match default-inspection-traffic
    class-map httptraffic
    match access-list INSIDE_FILTER
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map type inspect http http_inspection_policy
    parameters
      protocol-violation action log
    class BlockDomainsClass
      reset log
    policy-map URL-filter-policy
    class httptraffic
      inspect http http_inspection_policy
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect http
    class class-default
      flow-export event-type all destination 10.1.1.15
    service-policy URL-filter-policy interface inside
    prompt hostname context
    Datacenter ASA Config Parts:
    ASA Version 9.0(1)
    hostname DATACENTERASA5540
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    names
    interface GigabitEthernet0/0
    description *** TO OUTSIDE NETWORK AT DATACENTER ***
    speed 100
    duplex full
    nameif OUTSIDE
    security-level 0
    ip address <outside ip>
    interface GigabitEthernet0/1
    description *** TO INSIDE NETWORK ***
    nameif INSIDE
    security-level 100
    ip address 10.1.3.2 255.255.255.0
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network LAN_NETWORKS
    network-object 10.0.0.0 255.0.0.0
    network-object 134.200.131.0 255.255.255.0
    network-object 134.200.220.0 255.255.255.0
    network-object 134.201.2.0 255.255.255.0
    network-object 163.243.195.0 255.255.255.0
    network-object 172.16.0.0 255.240.0.0
    network-object 192.168.0.0 255.255.0.0
    network-object 10.1.3.0 255.255.255.0
    network-object 10.31.2.0 255.255.255.0
    network-object 10.1.1.0 255.255.255.0
    network-object 172.26.1.0 255.255.255.0
    object-group network DATACENTER_NETWORKS
    network-object 10.1.0.0 255.255.0.0
    object-group network BRANCH_NETWORKS
    network-object 10.15.6.0 255.255.254.0
    access-list BRANCH_VPN_ACL remark ****************************************************
    access-list BRANCH_VPN_ACL remark *  FOR SITE TO SITE VPN TO BRANCH WV USA  *
    access-list BRANCH_VPN_ACL remark ****************************************************
    access-list BRANCH_VPN_ACL extended permit ip host <outside ip> host <outside ip branch asa>
    access-list BRANCH_VPN_ACL extended permit ip object-group LAN_NETWORKS object-group BRANCH_NETWORKS
    flow-export destination INSIDE 10.1.1.15 2055
    flow-export template timeout-rate 1
    flow-export delay flow-create 180
    ip verify reverse-path interface OUTSIDE
    ip verify reverse-path interface INSIDE
    no failover
    nat (INSIDE,OUTSIDE) source static LAN_NETWORKS LAN_NETWORKS destination static BRANCH_NETWORKS BRANCH_NETWORKS route-lookup
    access-group FROM_OUTSIDE in interface OUTSIDE
    route OUTSIDE 0.0.0.0 0.0.0.0 <outside ip> 1
    route INSIDE 10.0.0.0 255.0.0.0 10.1.3.1 1
    route OUTSIDE 10.15.6.0 255.255.254.0 <outside ip branch asa> 1
    crypto map OUTSIDE-MAP 156 match address BRANCH_VPN_ACL
    crypto map OUTSIDE-MAP 156 set pfs
    crypto map OUTSIDE-MAP 156 set peer <outside ip branch asa>
    crypto map OUTSIDE-MAP 156 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
    tunnel-group <outside ip branch asa> type ipsec-l2l
    tunnel-group <outside ip branch asa> ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    class class-default
      flow-export event-type all destination 10.1.1.15
      user-statistics accounting
    service-policy global_policy global
    smtp-server 172.19.1.137
    prompt hostname context
    call-home reporting anonymous
    Again, any help you can provide is appreciated... will vote for best...

    I ran it, with the source IP corrected (it is 10.15.6.2):
    BRANCHASA# packet input inside icmp 10.15.6.2 8 0 10.1.1.15 detailed
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xcb0b6698, priority=1, domain=permit, deny=false
            hits=1203279, user_data=0x0, cs_id=0x0, l3_type=0x8
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=0000.0000.0000, mask=0100.0000.0000
            input_ifc=inside, output_ifc=any
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 3
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
    Additional Information:
    NAT divert to egress interface outside
    Untranslate 10.1.1.15/0 to 10.1.1.15/0
    Phase: 4
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   10.15.6.0       255.255.254.0   inside
    Phase: 5
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
    Additional Information:
    Static translate 10.15.6.2/0 to 10.15.6.2/0
    Forward Flow based lookup yields rule:
    in  id=0xcb12f2f0, priority=6, domain=nat, deny=false
            hits=15824, user_data=0xcb0fdef8, cs_id=0x0, flags=0x0, protocol=0
            src ip/id=10.15.6.0, mask=255.255.254.0, port=0, tag=0
            dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=0, dscp=0x0
            input_ifc=inside, output_ifc=outside
    Phase: 6
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xcaa712e0, priority=0, domain=nat-per-session, deny=true
            hits=77610, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
            input_ifc=any, output_ifc=any
    Phase: 7
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xcb0bc128, priority=0, domain=inspect-ip-options, deny=true
            hits=91404, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
            input_ifc=inside, output_ifc=any
    Phase: 8
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xcb0bbc28, priority=66, domain=inspect-icmp-error, deny=false
            hits=4585, user_data=0xcb0bb238, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
            src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
            input_ifc=inside, output_ifc=any
    Phase: 9
    Type: VPN
    Subtype: encrypt
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    out id=0xcb0c1218, priority=70, domain=encrypt, deny=false
            hits=708, user_data=0xbf63c, cs_id=0xcb9ad918, reverse, flags=0x0, protocol=0
            src ip/id=10.15.6.0, mask=255.255.254.0, port=0, tag=0
            dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=0, dscp=0x0
            input_ifc=any, output_ifc=outside
    Phase: 10
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
    Additional Information:
    Forward Flow based lookup yields rule:
    out id=0xcb12fb00, priority=6, domain=nat-reverse, deny=false
            hits=15837, user_data=0xcb124438, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
            src ip/id=10.15.6.0, mask=255.255.254.0, port=0, tag=0
            dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=0, dscp=0x0
            input_ifc=inside, output_ifc=outside
    Phase: 11
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 143081, packet dispatched to next module
    Module information for forward flow ...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_translate
    snp_fp_adjacency
    snp_fp_encrypt
    snp_fp_fragment
    snp_ifc_stat
    Module information for reverse flow ...
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow

  • RG54G2 Wireless Router Internet Connection Problem

    Hi,
    (apologies for the long message - trying to cover all details - summary: wireless router often drops internet connection)
    I recently bought an RG54G2 Wireless Router, a CB54G2 PCMCIA Wireless card and a D-Link GWL-630 PCMCIA Wireless card.  In addition to two laptops connected to the wireless router WLAN, I have two PCs (one Win WP Pro SP 1 and one Win98SE) connected to the router via wired LAN.  I also have a SurfBoard SB3100 Cable Modem connected to the WAN port (this connects to my ISP -  Optusnet (Australia) via DHCP).
    The problem I have is that the internet connection is disconnected many times a day (often every few minutes, sometimes an hour or so).  I am able to reconnect by resetting the wireless router via the wireless router configuration page.  When the internet is disconnected I am still able to access the computers on the LAN/WLAN (via Windows Explorer and Ping), I am also able to ping the router and the Cable Modem, but nothing outside of the cable modem.
    Also, when the internet is disconnected the System Status page indicates that the router is still connected to the internet, and the Diagnostics page passes the Test Connection test, though no external pings work.
    I did not have this problem when the cable modem was connected directly to the Win98SE PC (and other PCs via ICS).
    I have disabled the WLAN and the problem still exists with only the wired LAN.
    I have changed numerous settings in the wireless router config page with no success (eg disabling DHCP and setting each IP address, minimising LAN and WLAN speeds to 10 and 11MBps plus others).
    I have upgraded the wireless router firmware to R1.0.6.0 (no change to the problem).
    Searching on Google I have found several other cases of routers with unstable internet connections (none referring to the MSI routers), but none had solutions that helped my situation (most replies suggested updating the firmware).
    Any suggestions of how to make the router internet connection stable?
    Thanks,
    Mike

    Maybe this is the fix for the wireless router internet connection problem.
    Please let me know if anyone fixes the problem with these tips.
    Thanks
    M. B.      Feb 6 2004, 8:20 am
    Newsgroups: comp.os.ms-windows.networking.windows
    From: "M. B."
    Date: Fri, 06 Feb 2004 16:20:48 GMT
    Local: Fri, Feb 6 2004 8:20 am
    Subject: SOLUTION to my router loosing connection to Windows XP
    I am happy to report that after 8 days of constant battles, reboots, phone
    calls, cable pulling, router changing, it seems that I finally have found a
    combination that has had me using Verizon DSL account for over 12 hours so
    far without any kind of interruptions.
    Since so many of you tried giving me comments and suggestions, I felt that
    it is necessary for me to post this here so that the next person will not
    (hopefully) need to go through this hell as I did!
    My original problem was that when after I purchased a D-Link Wireless Router
    DI-624, I would get disconnected from Verizon DSL at least once every 2
    hours or so. My internet access would "freeze" and then a little popup box
    at the bottom right system tray would tell me that the "LAN cable has been
    unplugged". After about a minute or so, my internet connection would be
    back working. This was NEVER happening during the 2+ years I was using my
    Westell modem alone (running in router mode).
    Please keep in mind: The problem I was having was not wireless related as
    it was happening to the desktop computer to which the router/westell was
    connected to!
    During these last 8 days, I tried: one DI-624 wireless router, two Netgear
    614v3 routers and two Linksys WRT54G v.2 routers. In addition, I received a
    brand new Westell 2200 modem from Verizon.   I also tried about four
    different CAT-5 cables. Here is the final outcome:
    I have the Linksys WRT54G (version 2) wireless router connected to the
    Netgear Fast Ethernet FA310TX network card in Auto-Sense mode (using the
    built-in XP drivers, as Netgear told me that there was never a newer
    revision released). I have DISABLED the built-in 3Com Gigabit LOM (3C940)
    network card (via the ASUS P4C800 Deluxe motherboard BIOS), DISABLED the
    Zero Wireless Configuration service, and have put in the IP/Gateway/DNS
    address numbers inside my Windows XP Network Connections | LAN setup. My
    operating system is Windows XP Pro SP1 and the modem is a Westell 2200
    configured as bridge only.
    If my situation continues to be stable, I *might* try to go back to the 3Com
    built-in card (disable any power management) and then re-enabling the Zero
    Wireless Configuration services. But in reality, I am happy with the way
    things are and have already spent enough time trying to get my router to
    work with Verizon DSL without having it drop connections!
    Now, the next step will be setting up the WIRELESS part of this. I don't
    even yet have a laptop with me on the premises, but the 802.11g card that I
    already have is the D-Link DWL-G650. I hope and assume that this will work
    okay with the Linksys...
    One thing I must say is that I never realized how many problems other
    users are having. I would have thought that since 802.11x has been around
    in the mainstream by now 2+ years, that things would have been much more
    "system friendlier".   And again, my issues were not even WIRELESS related.
    All 3 tech supports were not really helpful, as none of them realized that
    the problem is somehow between the router and Windows XP (Ethernet card?)
    losing a connection, which of course results in Verizon DSL losing the
    connection also.
    One other comment about the Netgear 614 v.3 router: A number of people have
    responded to tell me that they have had this random "router resetting"
    happen to them (where the router behaves as if someone turned the power off
    and then back on, and the lights flash just as if you first turn it on). I
    was lucky to witness it myself during one of the "disconnects" that I had.
    This was actually the reason why I went back to try the Linksys one more
    time. So, I would definitely recommend staying away from this 614 (version
    3) model.
    Once again - THANK YOU everyone!

  • WCCP problem or routing

    Hi,
    We have two datacenters on the same logical LAN.
    Two ISP routers and two WAE 674 and using WCCP "egress-method negotiated-return intercept-method wccp"
    See attached file.
    The problem is that when one of the "line" WAN interfaces goes down, some of the networks are not reachable from the LAN side and some are.
    We are using BGP as routing protocol in the ISP routers.
    Any suggestion for the problem?
    Jan

    Hello I am from the ISP and wanted to address these issues
    2. When WAN goes down and LAN remains up, your WCCP is still UP and hence, it continues to forward packets out of the same WAN interface, but because that interface is down, packets ultimately die / get blackholed.
    3. Another speculation is: Asymmetric routing. When WAN is down but LAN is up, you are forwarding some traffic out of LAN but as WAN goes down, the return packets then come up on a different interface and create asymmetric routing.
    On question 2, with WCCP the router would still try to send packets out the WAN interface even though it's down? Wouldn't the router be able to tell that routing changed to the source/dest subnets and not blindly send packets to a down interface? If not, then this most likely is what happened.
    Here is the WAN interface config WCCP is enabled for inbound redirection but the same for the actual data LAN interface
    interface GigabitEthernet0/0
    description link to PE
    bandwidth 9000
    no ip address
    ip route-cache flow
    duplex full
    speed 10
    media-type rj45
    no cdp enable
    interface GigabitEthernet0/0.22
    encapsulation dot1Q 22
    ip address **********omit ****** 255.255.255.252
    ip wccp 62 redirect in
    no cdp enable
    and here is the LAN side
    interface GigabitEthernet0/1
    no ip address
    ip access-group 113 in
    ip route-cache flow
    duplex full
    speed 100
    media-type rj45
    service-policy output CE_OUT_MARK_0
    interface GigabitEthernet0/1.2450
    description Customer LAN
    encapsulation dot1Q 2450
    ip address ********* 255.255.255.224
    ip wccp 61 redirect in
    no cdp enable
    interface GigabitEthernet0/1.2459
    description Connection to customer-managed WAE Device For WCCP
    encapsulation dot1Q 2459
    ip address ******** 255.255.255.224
    ip wccp redirect exclude in
    no cdp enable
    interface GigabitEthernet0/1.2460
    encapsulation dot1Q 2460
    ip address ******* 255.255.255.224
    ip wccp redirect exclude in
    no cdp enable
    The sister router is configured in much the same way.
    On question 3
    3. Another speculation is: Asymmetric routing. When WAN is down but LAN is up, you are forwarding some traffic out of LAN but as WAN goes down, the return packets then come up on a different interface and create asymmetric routing.
    Wouldn't asymmetric routing just result in non-optimized connections, as it would never see the TCP option set for optimization?
    We are going to run this same test this weekend and I will look at all these things, but it seems as though asymmetric routing would result in no optimization but not packet blockage. Regarding question 2, if WCCP remains up and is black-holing traffic, I can see this as an issue for sure.
    One last question, also regarding the loopbacks and GRE return. There are distribute lists that block each router from learning the other's loopback when the WAN is down. Do you think this would matter? The reason I ask is because on the asymmetric side again, let's say a packet comes into router #1 via the LAN and gets redirected to the WAE with source IP of the loopback. When the WAE returns the packet to the router, I would think it would not need routing to the #2 router's loopback, as the destination at this point would be back to the client/server. Also, when the router forwards to the WAE, what IP on the WAE does it use?

  • WAAS Optimization problem

    Hello experts,
    I have a problem about the WAAS optimization.
    The topology is...
    Center: 7200 Router working with WCCP (512 WAE)
    Edge: 2800 Router working with WCCP (612 WAE)
    When I tried to reach the Database (behind the 7200 Router) from the Edge site, it's working! But during this time, when I look at the Current Connection status, there is no optimization traffic (you can see the attached file).
    I have done this setup, demo etc. too many times, but this is the first time I have encountered such a problem.
    You can see the configuration below.
    By the way, when I look at the "show ip wccp" command output, there is no traffic on Service Identifier 62. Do we need to see this traffic increase?
    Thanks in advance for  your help.
    BM-7206-METRO#show ip wccp
    Global WCCP information:
        Router information:
            Router Identifier:                   10.200.200.193
            Protocol Version:                    2.0
        Service Identifier: 61
            Number of Service Group Clients:     1
            Number of Service Group Routers:     1
            Total Packets s/w Redirected:        37207
              Process:                           0
              Fast:                              0
              CEF:                               37207
            Service mode:                        Open
            Service access-list:                 -none-
            Total Packets Dropped Closed:        0
            Redirect access-list:                199
            Total Packets Denied Redirect:       1074214
            Total Packets Unassigned:            0
            Group access-list:                   -none-
            Total Messages Denied to Group:      0
            Total Authentication failures:       0
            Total Bypassed Packets Received:     0
        Service Identifier: 62
            Number of Service Group Clients:     1
            Number of Service Group Routers:     1
            Total Packets s/w Redirected:        0
              Process:                           0
              Fast:                              0
              CEF:                               0
            Service mode:                        Open
            Service access-list:                 -none-
            Total Packets Dropped Closed:        0
            Redirect access-list:                -none-
            Total Packets Denied Redirect:       0
            Total Packets Unassigned:            0
            Group access-list:                   -none-
            Total Messages Denied to Group:      0
            Total Authentication failures:       0
            Total Bypassed Packets Received:     0
    CORE_WAE
    configure terminal
    primary-interface gigabitEthernet 1/0
    device mode application-accelerator
    central-manager address 10.10.10.10
    cms enable
    wccp version 2
    wccp router-list 1 2.2.2.1 (ROUTER IP add)
    wccp tcp-promiscuous router-list-num 1
    EDGE_WAE
    configure terminal
    primary-interface gigabitEthernet 1/0
    device mode application-accelerator
    central-manager address 10.10.10.10
    cms enable
    wccp version 2
    wccp router-list 1 1.1.1.1
    wccp tcp-promiscuous router-list-num 1
    CORE_ROUTER
    ip wccp version 2
    ip wccp 61
    ip wccp 62
    interface gi 2/0 (LAN)
    ip wccp 61 redirect in
    interface gi 3/0.26 (WAN) (Note: also this interface have a Tunnel int. connect to edge router tunnel int.)
    ip wccp 62 redirect in
    interface gi 1/0 (WAE LAN)
    ip wccp redirect exclude in
    ip cef
    EDGE_ROUTER
    ip wccp version 2
    ip wccp 61
    ip wccp 62
    interface gi 1/0 (LAN)
    ip wccp 61 redirect in
    interface ATM 2/0.1 (WAN) (Note: also this interface have a Tunnel int. connect to central router tunnel  int.)
    ip wccp 62 redirect in
    interface gi 2/0 (WAE LAN)
    ip wccp redirect exclude in
    ip cef

    Hi Zach
    Center router IOS version is c7200-advipservicesk9_li-mz.124-11.T.bin
    Edge router IOS version is c2800nm-adventerprisek9-mz.124-9.T2.bin
    Also, you can see the configurations in the attachment
    Thanks,
    My best.
    CORE WAE CONFIG:
    Based on the input, the following configurations will be done:
           central-manager address 10.166.0.10
           interface GigabitEthernet 1/0
             ip address 10.166.0.20 255.255.0.0
             autosense
           exit
           ip default-gateway 10.166.0.1
           ip name-server 10.201.0.201
           ip domain-name  tcmb.gov.tr
           primary-interface GigabitEthernet 1/0
           hostname CORE
           clock timezone UTC 0 0
           wccp version 2
           wccp router-list 8 10.166.0.1
           wccp tcp-promiscuous router-list 8
           cms enable
    EDGE WAE CONFIG:
    Based on the input, the following configurations will be done:
            central-manager address 10.166.0.10
            interface GigabitEthernet 1/0
              ip address 10.126.2.20 255.255.255.0
              autosense
            exit
            ip default-gateway 10.126.2.1
            ip name-server 10.201.0.201
            ip domain-name  tcmb.gov.tr
            primary-interface GigabitEthernet 1/0
            hostname EDGE
            clock timezone UTC 0 0
            wccp version 2
            wccp router-list 8 10.126.2.1
            wccp tcp-promiscuous router-list 8
            cms enable

  • WAAS - WCCP L2-redirection in WS-C6509-E

    Hi,
    I have a customer with three offices, one is the data center. The other two offices get information from the data center and between them.
    Each one of these remote offices goes through two different SPs to the data center, and each one is received on its own router. The core of the data center is a switch WS-C6509-E (IOS s72033-entservicesk9_wan-vz.122-18.SXF7.bin).
    Because there are two different SP in the data center, the traffic redirection must be done in the switch c6500. I think that the following configuration is the correct one:
    ip wccp version 2
    ip wccp 61 redirect-list 101
    ip wccp 62 redirect-list 101
    interface Vlan1
    description *** WAN routers and users ***
    ip address 10.0.16.1 255.255.240.0
    ip wccp 62 redirect out
    ip wccp 61 redirect in
    interface Vlan 200
    description *** WAEs ***
    ip address 10.34.114.65 255.255.255.252
    ip wccp redirect exclude in
    interface Vlan201
    description *** Servers and Users 1 ***
    ip address 10.15.240.1 255.255.240.0
    ip wccp 61 redirect in
    interface Vlan202
    description *** Servers and Users 2 ***
    ip address 10.16.128.1 255.255.240.0
    ip wccp 61 redirect in
    But now I read about the problems using GRE redirection in the switch c6500. I read too that the best way to do this is using L2-redirection, but I don't have any idea of how to do this. I am using the WAAS version 4.1.1.
    Can anybody help me by explaining how to configure that?

    Dan,
    I think that the best option for this network is number one, use WCCP on the two 7206VXRs, and redirect the traffic to a single WAE in the same subnet of the hosts.
    But now, I don't understand the implications of using the command “egress-method negotiated-return intercept-method wccp”. What else should I consider or configure (in the router or in the WAE) to make this interception work?
    I think that the configuration on the routers and in the WAE should be something like this:
    --- Router 1
    ip wccp version 2
    ip wccp 61 redirect-list 101
    ip wccp 62 redirect-list 101
    interface Serial3/3:1
    ip address 10.34.113.213 255.255.255.252
    ip wccp 61 redirect in
    ip wccp 62 redirect in
    interface GigabitEthernet0/1
    ip address 10.0.16.2 255.255.240.0
    ip wccp redirect exclude in
    --- Router 2
    ip wccp version 2
    ip wccp 61 redirect-list 101
    ip wccp 62 redirect-list 101
    interface Serial3/3:1
    ip address 10.134.143.217 255.255.255.252
    ip wccp 61 redirect in
    ip wccp 62 redirect in
    interface GigabitEthernet0/1
    ip address 10.0.16.3 255.255.240.0
    ip wccp redirect exclude in
    --- WAE
    interface GigabitEthernet 1/0
    ip address 10.0.16.4 255.255.255.0
    exit
    egress-method negotiated-return intercept-method wccp
    wccp router-list 1 10.0.16.2 10.0.16.3
    wccp tcp-promiscuous router-list-num 1
    Thanks and Regards,
    Pablo

  • WAAS / WCCP service groups / L2 adjacencies

    Hi all,
    I'm having trouble finding a definitive answer on this one. I'm working on a WAAS deployment in a network with asymmetric routing. I want to deploy WAAS accelerators at two geographically dispersed data centre sites (head end). Do the WAAS boxes themselves need to be L2 adjacent with each other in this configuration? i.e. can the service group consist of two routers (one at each DC) and two WAEs (one at each site), with routed links between the DCs (WAEs in separate IP subnets)?
    Something like:
    - two routers (rtr-A, rtr-B)
    - two WAAS accelerators (waas-A, waas-B)
    - rtr-A and waas-A are L2 adjacent and use WCCP w/L2 redirection
    - rtr-B and waas-B are L2 adjacent and use WCCP w/L2 redirection
    - rtr-A and waas-B are not L2 adjacent and use WCCP w/GRE redirection
    - rtr-B and waas-A are not L2 adjacent and use WCCP w/GRE redirection
    Here's a quick diagram:
    http://i4.tinypic.com/62nhf5u.jpg
    (all links are L3/routed)
    cheers!

    Dale,
    There is no requirement for the WAE's to be L2 adjacent to each other. Note that the WCCP Forwarding Method is negotiated per Service Group -- so it can either be L2 or GRE. Based on your description, you would want to use GRE Forwarding.
    Regards,
    Zach

  • WAAS WCCP help

    Hi guys,
    Please have a look at my topology attached. Right now this is what I have configured on the core:
    ip wccp 61
    ip wccp 62
    int vlan 151
    ip wccp 61 redirect in
    int vlan 173
    ip wccp 62 redirect in
    The same is configured on the branch office with the appropriate vlans.
    Whatever I do, the "total packets redirected" count never seems to increase. I tried turning on ip wccp 62 redirect out on vlan 173, and ip wccp 61 redirect in on the same vlan, but then only the count for service 61 goes up.
    Also, should I use access-lists to permit redirection only to branch offices that have a WAE? If I don't use a redirect-list, shouldn't all packets be redirected to the WAE, and then the WAE would decide whether to optimize or not based on if there's another WAE at the endpoint location?
    Here's an output of "sh ip wccp 61 detail"
    WCCP Cache-Engine information:
    Web Cache ID: x.x.x.x
    Protocol Version: 2.0
    State: Usable
    Redirection: L2
    Packet Return: GRE
    Packets Redirected: 0
    Connect Time: 00:51:22
    Assignment: MASK
    Any help is greatly appreciated.

    Since you are performing L2 rewrite under WCCP, you will not see the packets redirected increase. The redirection is handled by hardware instead of software. If redirection was done on a router, you would see packet increases.
    I have had WAAS in place for about a year now and you can see below that I have only redirected 2 packets. I am redirecting on a 6509 as well.
    mp1swcr01#show ip wccp 61
    Global WCCP information:
    Router information:
    Router Identifier:
    Protocol Version: 2.0
    Service Identifier: 61
    Number of Cache Engines: 2
    Number of routers: 2
    Total Packets Redirected: 2
    Redirect access-list: WAAS_61
    Total Packets Denied Redirect: 9179
    Total Packets Unassigned: 186
    Group access-list: -none-
    Total Messages Denied to Group: 0
    Total Authentication failures: 0
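
The counter reading discussed in the last two threads, as an added example that is not part of any post: it parses `show ip wccp` text and refuses to draw a conclusion from a zero software counter when redirection is L2, as the reply above explains. The verdict names are hypothetical, and reading a 61/62 split as "one direction only" is this example's interpretation; the WAAS Optimization thread gives no answer on that point.

```python
import re

# Abridged from the "show ip wccp" output quoted in the WAAS Optimization thread.
SHOW_IP_WCCP = """\
Global WCCP information:
    Router information:
        Router Identifier:                   10.200.200.193
        Protocol Version:                    2.0
    Service Identifier: 61
        Number of Service Group Clients:     1
        Total Packets s/w Redirected:        37207
        Redirect access-list:                199
        Total Packets Denied Redirect:       1074214
    Service Identifier: 62
        Number of Service Group Clients:     1
        Total Packets s/w Redirected:        0
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
"""

# The "sh ip wccp 61 detail" output quoted in the WAAS WCCP help thread.
SHOW_DETAIL = """\
WCCP Cache-Engine information:
Web Cache ID: x.x.x.x
Protocol Version: 2.0
State: Usable
Redirection: L2
Packet Return: GRE
Packets Redirected: 0
Connect Time: 00:51:22
Assignment: MASK
"""


def _pairs(text):
    """Yield (key, value) for each 'key: value' line; bare header lines are skipped."""
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and value.strip():
            yield key.strip(), value.strip()


def parse_services(text):
    """Group the counters of 'show ip wccp' under their Service Identifier."""
    services, current = {}, None
    for key, value in _pairs(text):
        if key == "Service Identifier":
            current = services.setdefault(int(value), {})
        elif current is not None:
            current[key] = value
    return services


def parse_detail(text):
    """Flat key/value view of one cache engine block from 'show ip wccp N detail'."""
    return dict(_pairs(text))


def software_redirects(fields):
    """The counter is labelled with or without 's/w' in the outputs on this page."""
    for key, value in fields.items():
        if re.fullmatch(r"Total Packets (s/w )?Redirected", key):
            return int(value)
    return None


def assess(services, redirection=None):
    """Return (per-service verdicts, verdict for the 61/62 pair).

    redirection maps service id -> forwarding method taken from the detail
    output. With L2 the switch redirects in hardware, so the software counter
    says nothing either way.
    """
    redirection = redirection or {}
    per = {}
    for svc, fields in sorted(services.items()):
        count = software_redirects(fields)
        if redirection.get(svc, "").upper() == "L2":
            per[svc] = "hardware-l2-counter-not-meaningful"
        elif count is None:
            per[svc] = "counter-missing"
        elif count == 0:
            per[svc] = "no-software-redirects"
        else:
            per[svc] = "redirecting"
    # ASSUMPTION: on a software-switching router, one busy and one idle service
    # of the 61/62 pair means only one direction of each flow reaches the WAE.
    split = {per.get(61), per.get(62)} == {"redirecting", "no-software-redirects"}
    return per, ("one-direction-only" if split else "no-conclusion")


if __name__ == "__main__":
    print(assess(parse_services(SHOW_IP_WCCP)))
    method = parse_detail(SHOW_DETAIL)["Redirection"]
    print(assess(parse_services(SHOW_IP_WCCP), {61: method, 62: method}))
```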

  • WAAS: WCCP Mask or Hash on Routers?

    I'm starting to think about using mask assign on an ISR router running 12:4(24)T with GRE/GRE. Has anyone done this before, and can you use mask assign with GRE/GRE? We need to use it with GRE/GRE because our egress method has to be WCCP return. My thought was that mask assign will be much better at load balancing across multiple WAEs in a cluster than hash because you can specify a long mask assignment. Right now, we see more load on one WAE than the other and are sometimes getting TFO overload.

    The page you linked contains recommendations (in bold) for each platform. On the ISR G2 specifically, you should be able to use any combination of GRE/L2 and MASK/HASH assignment. Some other platforms require specific distribution and redirection methods to maintain the hardware acceleration of WCCP traffic. However, the ISR G2 does not have this requirement.
    WCCP GRE and HASH distribution on ISR G2 is typically recommended to make deployment easier. With GRE, content devices can be an L3 hop away (if needed), and it reduces the chance of customers accidentally creating a WCCP redirect loop.
    L2 distribution and HASH redirection method should typically require the least CPU and memory load on the ISR. These should perform the best in most cases.
    The MASK distribution method gives better controls on how load is divided between multiple content devices, typically at the cost of more CPU and memory utilization. If you have only one or two content devices in your cluster, typically HASH will meet the need for slightly less CPU. As Zach said, most times MASK is used on the Datacenter side to give the ability to 'tweak' how the load is distributed across multiple devices.
    Thanks,
    Aaron
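
How the choice of mask bits decides the load split that this thread is about, as an added example that is not part of either post. It models only the step where a mask is ANDed with the source address to pick a bucket; the addresses, mask values, WAE names and the round-robin bucket-to-WAE assignment are constructed assumptions, since the real assignment is negotiated between the WAEs and the router.

```python
import ipaddress
from collections import Counter

WAES = ["WAE-A", "WAE-B"]  # hypothetical two-node cluster

# Constructed address plan: 20 branch sites on even-numbered /24s, 20 hosts each.
SOURCES = [f"10.20.{site}.{host}"
           for site in range(0, 40, 2)
           for host in range(10, 30)]


def bucket_count(mask):
    """A mask with n bits set yields 2**n possible masked values (buckets)."""
    return 1 << bin(mask).count("1")


def mask_bucket(ip, mask):
    """AND the address with the mask, then pack the selected bits into a dense index.

    The dense index is only this example's way of numbering the masked values.
    """
    value = int(ipaddress.IPv4Address(ip)) & mask
    index, out_bit, bit = 0, 0, 0
    while mask >> bit:
        if (mask >> bit) & 1:
            index |= ((value >> bit) & 1) << out_bit
            out_bit += 1
        bit += 1
    return index


def buckets_in_use(sources, mask):
    """How many distinct buckets this traffic actually lands in."""
    return len({mask_bucket(ip, mask) for ip in sources})


def load_per_wae(sources, mask, waes):
    """Flows per WAE. ASSUMPTION: buckets are handed to WAEs round-robin."""
    table = {b: waes[b % len(waes)] for b in range(bucket_count(mask))}
    load = Counter({wae: 0 for wae in waes})
    for ip in sources:
        load[table[mask_bucket(ip, mask)]] += 1
    return dict(load)


def compare(sources, masks, waes):
    """One row per mask: (mask, buckets used, buckets available, load per WAE)."""
    return [(hex(m), buckets_in_use(sources, m), bucket_count(m),
             load_per_wae(sources, m, waes)) for m in masks]


if __name__ == "__main__":
    # 0x7F000000 looks only at the first octet, which never varies in this plan.
    # 0x00000F00 looks at the low nibble of the site octet (even values only).
    # 0x0000000F looks at the low nibble of the host octet.
    for row in compare(SOURCES, [0x7F000000, 0x00000F00, 0x0000000F], WAES):
        print(row)
```

Bits that never vary in the address plan leave most buckets empty, so the imbalance shows up before any bucket-to-WAE assignment is considered.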

  • WAAS WCCP Errors

    Any one know what "Spoofed packets dropped" and the "Packet pullups needed" are? Is the WAAS dropping packets it thinks it's being spoofed? Also, how can I get rid of the pullups? The WCCP setup is as follows; l2 forward/return to a 3750E stack switch, interfaces are setup as standby and the model is a 7371. I'm not using any WCCP redirect list.
    Transparent GRE packets received: 0
    Transparent non-GRE packets received: 1940435323
    Transparent non-GRE non-WCCP packets received: 0
    Total packets accepted: 461319375
    Invalid packets received: 731
    Packets received with invalid service: 0
    Packets received on a disabled service: 0
    Packets received too small: 0
    Packets dropped due to zero TTL: 0
    Packets dropped due to bad buckets: 617
    Packets dropped due to no redirect address: 0
    Packets dropped due to loopback redirect: 227
    Pass-through pkts dropped on assignment update:61
    Connections bypassed due to load: 0
    Packets sent back to router: 1829
    GRE packets sent to router (not bypass): 0
    Packets sent to another WAE: 63037
    GRE fragments redirected: 1116193
    GRE encapsulated fragments received: 0
    Packets failed encapsulated reassembly: 0
    Packets failed GRE encapsulation: 0
    Packets dropped due to invalid fwd method: 0
    Packets dropped due to insufficient memory: 0
    Packets bypassed, no conn at all: 0
    Packets bypassed, no pending connection: 0
    Packets due to clean wccp shutdown: 0
    Packets bypassed due to bypass-list lookup: 166
    Packets received with client IP addresses: 460833489
    Spoofed packets dropped: 57416
    Conditionally Accepted connections: 0
    Conditionally Bypassed connections: 0
    L2 Bypass packets destined for loopback: 0
    Packets w/WCCP GRE received too small: 0
    Packets dropped due to received on loopback: 219
    Packets dropped due to IP access-list deny: 0
    Packets fragmented for bypass: 0
    Packets fragmented for egress: 0
    Packet pullups needed: 5484
    Packets dropped due to no route found: 0

