WCCP and 7600 - not redirecting traffic

I have a Blue Coat SG 210 connected to a 7600 (SUP720). All web traffic is passing through the 7600, and the WCCP config between the SG and the 7600 is working. However, traffic isn't being redirected to the Blue Coat. Any idea why?
ip wccp 0 redirect-list BLUE-COAT group-list 90
Extended IP access list BLUE-COAT
    1 permit tcp host 10.160.161.125 any eq www
    2 permit tcp host 10.160.161.125 any eq 443
    10 permit tcp host 10.160.161.199 any eq www
    20 permit tcp host 10.160.161.199 any eq 443
Standard IP access list 90
    8 permit 10.148.131.42 (2217 matches)
interface GigabitEthernet5/1
ip address 10.148.130.13 255.255.255.252
ip wccp 0 redirect in (I have tried both in/out)
ip pim sparse-dense-mode
ip route-cache flow
ip ospf network point-to-point
sh ip wccp
Global WCCP information:
    Router information:
    Router Identifier:                   10.148.135.253
    Protocol Version:                    2.0
    Service Identifier: 0
    Number of Cache Engines:             1
    Number of routers:                   1
    Total Packets Redirected:            0
    Redirect access-list:                BLUE-COAT
    Total Packets Denied Redirect:       0
    Total Packets Unassigned:            0
    Group access-list:                   90
    Total Messages Denied to Group:      0
    Total Authentication failures:       0
sh ip wccp 0 detail
WCCP Cache-Engine information:
    Web Cache ID:          10.148.131.42
    Protocol Version:      2.0
    State:                 Usable
    Redirection:           GRE
    Packet Return:         GRE
    Packets Redirected:    0
    Connect Time:          05:52:10
    Assignment:            MASK
    Mask  SrcAddr    DstAddr    SrcPort DstPort
    0000: 0x0000003F 0x00000000 0x0000  0x0000

Similar Messages

  • Folder redirection configured in GPO does not create Documents folder and does not redirect

    Hi
    Another Folder Redirect-post - sorry for that, but I could not find an answer for my problem so far: even with consulting many threads here...
    We have an existing environment under Windows XP and want to move away from that. Now I ran into troubles with folder redirection...
    The following folder- and permission structure exists so far:
    \\<server>\<Users$-share>: This is the base folder for all users-directories
    -> Permissions: SYSTEM: Full / Administrators: Full / Users: Read&Execute, only this folder
    -> Share-permissions: Authenticated users: Full control
    \\<server>\<Users$-share>\<username>: base folder for the specific user
    -> Permissions: SYSTEM: Full / Administrators: Full / User: Change, all permissions inherited onwards
    -> Giving only change permission prevents further problems with self-called "advanced users"... ;-)
    \\<server>\<Users$-share>\<username>\profil.V2: Profile directory of the user
    -> Of course here the permissions are set by the system: override the predefined permission
    \\<server>\<Users$-share>\<username>\daten: Actual Home directory of the user
    \\<server>\<Users$-share>\<username>\daten\Documents: Supposed Documents directory of the user
    Now I am going to Server 2012 and Windows 8.1, configured the GPO to redirect Documents folder into the above mentioned:
    GPO - User configuration - Policies - Windows settings - Folder Redirection - Documents:
    Setting: Standart - redirects all folders to the same path
    Destination folder: Copy to base directory of the user
    I apply policy to the user, log out and in - it doesn't work, no folder Documents created in my home-folder, Folder Documents still configured at C:\Users\<user>\Documents
    A very special point:
    I also do Redirection of the My Pictures-folder: Define it to follow the Documents folder. Funnily that one works and creates and configures \\<server>\<Users$-share>\<username>\daten\Pictures
    -> So in my eyes, it should work!
    Then: I want to do the folder redirection without Offline Files, due to the fact that our users work with dynamically assigned virtual desktops, which are cleaned every time a user logs off a machine. Therefore synchronizing doesn't make sense...
    I just cannot see, why this redirection does not work :-(
    Thank you very much for any help!
    Kind regards
    David

    Hi David,
    Before going further, would you please let me confirm the OS version of the Windows Server which you used to configure folder redirection? Based on your description, did you mean that those users (who will be applied folder redirection settings) logged on Windows XP client computer?
    When you configure the folder redirection setting in Document Properties (path: User Configuration-> Policies-> Windows Settings-> Folder Redirection-> Documents), please check if you checked “Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating system” in Settings tab. As below picture shows.
    GPO - User configuration - Policies - Windows settings - Folder Redirection - Documents:
    • Setting: Standart - redirects all folders to the same path
    • Destination folder: Copy to base directory of the user
    Would you please provide a screenshot of those settings you describe? Meanwhile, please summarily describe that how you configure. For example, where this GPO link to? Or any other. It will help me to understand clearly. Thanks for your understanding.
    In addition, please use gpresult command to check if the folder redirection group policy was really applied.
    If any update, please feel free to let me know.
    Hope this helps.
    Best regards,
    Justin Gu

  • WCCP not redirecting users traffic from other subnets

    Hello,
    I have configured WCCP redirection on ASA for redirecting transparently http and https traffic.
    I have configured a service ID 90 that contains 80 and 443 port. The ironport S160 has two interfaces, one for management and the other for data.
    The interface used for data is on a different subnet than the inside interface of the ASA where WCCP is configured.
    The problem is that the users that are in the same subnet as the ironport data interface get their traffic redirected, while the traffic of the other users that are not in the same subnet as the ironport data interface is not processed correctly by the ironport and these users do not have internet access.
    Any idea?
    BR,
    Ilir

    Ilir,
    How is this second group of users connected to the ASA?  Their outbound traffic has to be going out the "inside" interface also. If they are on another port on the ASA, WCCP won't catch their traffic. i.e. You can't use the DMZ interface on an ASA and point its web traffic at a WSA that lives inside.
    Ken

  • WCCP not redirecting packets

    Hello,
    I am trying to redirect packets to a bluecoat proxy sg using WCCP on a 3750x stack with IP services.
    I can't get the packets to redirect.
    The bluecoat device is on the same vlan as the client traffic that I am trying to redirect.
    It seems that when I apply the redirect on the vlan interface, the Bluecoat can see the traffic though.
    (After it is applied, I can no longer access the websites, but the bluecoat device shows some activity)
    SDM prefer is enabled.
    Here is the config:
    SiteA#sh run
    Building configuration...
    Current configuration : 7699 bytes
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname SiteA
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$V1w8$6bmKd6oXWk//FH7/BaoFG.
    username systemsgo privilege 15 secret 5 $1$vu8O$1uMdtS1Gzk12.YT3RObZO1
    no aaa new-model
    switch 1 provision ws-c3750x-24
    switch 2 provision ws-c3750x-24
    system mtu routing 1500
    ip routing
    ip wccp 90 redirect-list 115 group-list 15
    vtp mode transparent
    track 1 ip sla 1 reachability
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    vlan 10
    ip ssh version 2
    interface Port-channel1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface FastEthernet0
    no ip address
    no ip route-cache cef
    no ip route-cache
    interface GigabitEthernet1/0/1
    no switchport
    ip address 192.168.20.2 255.255.255.252
    speed 100
    duplex full
    interface GigabitEthernet1/0/2
    no switchport
    ip address 192.168.20.9 255.255.255.252
    interface GigabitEthernet1/0/3
    switchport access vlan 10
    switchport mode access
    interface GigabitEthernet1/1/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 1 mode active
    interface GigabitEthernet2/0/1
    description *BlueCoat Proxy*
    switchport access vlan 10
    switchport mode access
    interface GigabitEthernet2/0/2
    switchport access vlan 10
    switchport mode access
    interface GigabitEthernet2/1/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 1 mode active
    interface GigabitEthernet2/1/2
    interface GigabitEthernet2/1/3
    interface GigabitEthernet2/1/4
    interface TenGigabitEthernet2/1/1
    interface TenGigabitEthernet2/1/2
    interface Vlan1
    no ip address
    interface Vlan10
    ip address 10.10.20.3 255.255.255.0
    standby 10 ip 10.10.20.1
    standby 10 priority 110
    standby 10 preempt
    ip wccp 90 redirect in
    router eigrp 1
    network 10.10.20.0 0.0.0.255
    network 192.168.10.0
    network 192.168.20.0 0.0.0.3
    redistribute static
    ip local policy route-map IP_SLA_SiteA
    ip http server
    ip http secure-server
    ip route 0.0.0.0 0.0.0.0 192.168.20.10 track 1
    ip sla 1
    icmp-echo 4.2.2.2 source-ip 192.168.20.9
    threshold 300
    frequency 15
    ip sla schedule 1 life forever start-time now
    ip sla enable reaction-alerts
    logging esm config
    access-list 15 permit 10.10.20.220
    access-list 101 permit icmp host 192.168.20.9 host 4.2.2.2
    access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq www
    access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq 443
    access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq 443
    access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq www
    access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq www
    access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq 443
    route-map IP_SLA_SiteA permit 10
    match ip address 101
    set ip next-hop 192.168.20.10
    SiteA#
    SiteA#show ip wccp 90
    Global WCCP information:
        Router information:
            Router Identifier:                   192.168.20.9
            Protocol Version:                    2.0
        Service Identifier: 90
            Number of Service Group Clients:     1
            Number of Service Group Routers:     1
            Total Packets s/w Redirected:        0
              Process:                           0
              CEF:                               0
            Redirect access-list:                115
            Total Packets Denied Redirect:       52389
            Total Packets Unassigned:            71
            Group access-list:                   15
            Total Messages Denied to Group:      0
            Total Authentication failures:       0
            Total GRE Bypassed Packets Received: 0
    SiteA#show ip wccp 90 detail
    WCCP Client information:
            WCCP Client ID:          10.10.20.220
            Protocol Version:        2.0
            State:                   Usable
            Redirection:             L2
            Packet Return:           GRE
            Packets Redirected:    0
            Connect Time:          00:19:36
            Assignment:            MASK
            Mask  SrcAddr    DstAddr    SrcPort DstPort
            0000: 0x00000000 0x0000003F 0x0000  0x0000
    SiteA#
    SiteA#sh sdm prefer
    The current template is "desktop routing" template.
    The selected template optimizes the resources in
    the switch to support this level of features for
    8 routed interfaces and 1024 VLANs.
      number of unicast mac addresses:                  3K
      number of IPv4 IGMP groups + multicast routes:    1K
      number of IPv4 unicast routes:                    11K
        number of directly-connected IPv4 hosts:        3K
        number of indirect IPv4 routes:                 8K
      number of IPv4 policy based routing aces:         0.5K
      number of IPv4/MAC qos aces:                      0.5K
      number of IPv4/MAC security aces:                 1K
    SiteA#
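
The two `show ip wccp` outputs quoted on this page fail in different ways: the 7600 shows zero in every counter, while the 3750-X shows 52389 packets denied redirect and 71 unassigned. The following is an added example, not part of either post, that parses those counters and names the likely area to check; the finding codes and hint wording are this example's own, and the sample text is abridged from the outputs above.

```python
import re

# Counter labels as printed in the two outputs quoted on this page. The 7600
# prints "Total Packets Redirected" / "Number of Cache Engines"; the 3750-X
# prints "Total Packets s/w Redirected" / "Number of Service Group Clients".
PATTERNS = {
    "service": r"Service Identifier:\s*(\S+)",
    "clients": r"Number of (?:Cache Engines|Service Group Clients):\s*(\d+)",
    "redirected": r"Total Packets (?:s/w )?Redirected:\s*(\d+)",
    "denied": r"Total Packets Denied Redirect:\s*(\d+)",
    "unassigned": r"Total Packets Unassigned:\s*(\d+)",
    "group_denied": r"Total Messages Denied to Group:\s*(\d+)",
    "auth_failures": r"Total Authentication failures:\s*(\d+)",
}

# Hypothetical finding codes with hints (this example's reading of the
# counters, not vendor text).
HINTS = {
    "no-client": "no cache or proxy has joined the service group",
    "membership-rejected": "messages from a cache were refused: check the "
                           "group-list and the WCCP password",
    "redirect-list-miss": "packets reached WCCP but did not match the "
                          "redirect access list: compare its entries with "
                          "the real client addresses and ports",
    "unassigned": "packets were not assigned to any cache, as happens "
                  "while the service group is still forming",
    "no-packets-seen": "no packet was counted as redirected, denied or "
                       "unassigned: check which interface and direction "
                       "carries 'ip wccp <id> redirect' and whether client "
                       "traffic crosses it",
    "redirecting": "packets are being redirected and nothing was refused",
}


def parse_counters(text):
    """Return {field: value} for every counter found in the output."""
    result = {}
    for field, pattern in PATTERNS.items():
        match = re.search(pattern, text)
        if match:
            value = match.group(1)
            result[field] = value if field == "service" else int(value)
    return result


def triage(counters):
    """Return an ordered list of finding codes (keys of HINTS)."""
    def get(name):
        return counters.get(name, 0)

    findings = []
    if get("clients") == 0:
        findings.append("no-client")
    if get("auth_failures") or get("group_denied"):
        findings.append("membership-rejected")
    if get("denied"):
        findings.append("redirect-list-miss")
    if get("unassigned"):
        findings.append("unassigned")
    if not findings:
        findings.append("redirecting" if get("redirected") else "no-packets-seen")
    return findings


# Sample input, abridged from the 7600 output in the first post.
SAMPLE_7600 = """\
    Service Identifier: 0
    Number of Cache Engines:             1
    Total Packets Redirected:            0
    Total Packets Denied Redirect:       0
    Total Packets Unassigned:            0
    Total Messages Denied to Group:      0
    Total Authentication failures:       0
"""

# Sample input, abridged from the 3750-X output in the post above.
SAMPLE_3750 = """\
    Service Identifier: 90
        Number of Service Group Clients:     1
        Total Packets s/w Redirected:        0
        Total Packets Denied Redirect:       52389
        Total Packets Unassigned:            71
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
"""

if __name__ == "__main__":
    for name, sample in (("7600", SAMPLE_7600), ("3750-X", SAMPLE_3750)):
        counters = parse_counters(sample)
        for code in triage(counters):
            print(f"{name} service {counters['service']}: {code}: {HINTS[code]}")
```

The 3750-X labels its counter "s/w Redirected", so a zero there means none were seen in software.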

    Hi Jon,
    There are no more throughput issues.
    Everything is working well. Thanks so much!
    As for the WCCP,
    I put the redirect acl on the L3 ports that connect back to 3750_3, but it is still not catching the traffic from the user vlan 20 on 3750_3. (We did however get it working for the server vlan in Site1 and Site2)
    I'm not sure what you meant when you said:
    Then you simply use site1 or site2's devices for web traffic.
    Do I need to change the gateway for the users vlan in Site 3750_3 to something else?
    Right now it is pointing to 10.20.20.1 on the 3750_3.
    Below is what I have so far on the 3750_3.
    I tried to force the traffic via PBR to the BlueCoat device, but that didn't seem to work either.
    UserSite(config)#do sh run
    Building configuration...
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname UserSite
    boot-start-marker
    boot-end-marker
    no aaa new-model
    switch 1 provision ws-c3750x-48p
    switch 2 provision ws-c3750x-48p
    system mtu routing 1500
    ip routing
    vtp mode transparent
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    vlan 10
    vlan 20
    name clients
    interface FastEthernet0
    no ip address
    no ip route-cache cef
    no ip route-cache
    no ip mroute-cache
    interface GigabitEthernet1/0/47
    description *CERTES-MGMT-MAIN*
    switchport access vlan 20
    switchport mode access
    interface GigabitEthernet1/0/48
    description *MAN-LINE-TO-DC-MAIN*
    no switchport
    ip address 192.168.20.1 255.255.255.252
    speed 100
    duplex full
    interface GigabitEthernet1/1/1
    interface GigabitEthernet1/1/2
    interface GigabitEthernet1/1/3
    interface GigabitEthernet1/1/4
    interface TenGigabitEthernet1/1/1
    interface TenGigabitEthernet1/1/2
    interface GigabitEthernet2/0/47
    description *CERTES-MGMT-DR*
    switchport access vlan 20
    switchport mode access
    interface GigabitEthernet2/0/48
    description *MAN-LINE-TO-DC-DR*
    no switchport
    ip address 192.168.20.5 255.255.255.252
    speed 100
    duplex full
    interface GigabitEthernet2/1/1
    interface GigabitEthernet2/1/2
    interface GigabitEthernet2/1/3
    interface GigabitEthernet2/1/4
    interface TenGigabitEthernet2/1/1
    interface TenGigabitEthernet2/1/2
    interface Vlan1
    ip address 192.168.10.254 255.255.255.0
    interface Vlan20
    ip address 10.20.20.1 255.255.255.0
    ip helper-address 10.10.20.30
    router eigrp 1
    network 10.20.20.0 0.0.0.255
    network 192.168.10.0
    network 192.168.20.0 0.0.0.7
    offset-list 10 in 100 GigabitEthernet2/0/48
    eigrp stub connected summary
    ip local policy route-map PBR_Proxy
    ip classless
    ip http server
    ip http secure-server
    ip access-list extended Traffic2Proxy
    permit tcp 10.20.20.0 0.0.0.255 eq www any
    permit tcp 10.20.20.0 0.0.0.255 eq 443 any
    ip sla enable reaction-alerts
    route-map PBR_Proxy permit 10
    match ip address Traffic2Proxy
    set ip next-hop 192.168.50.220
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    login local
    line vty 0 4
    exec-timeout 30 0
    privilege level 15
    logging synchronous
    login local
    length 0
    transport input telnet ssh
    line vty 5 15
    exec-timeout 30 0
    privilege level 15
    logging synchronous
    login local
    transport input telnet ssh
    end

  • Igoogle constantly redirects and will not open why? Cookies are ok.

    Whenever I enter igoogle in the address box or click on igoogle in the bookmark bar a box appears with a message stating, redirected, do not try again as it will not work or words to that effect. How do I access igoogle? Tracking cookies are not blocked. Any help would be appreciated. Thanks.

    See:
    * Firefox > Options/Preferences > Advanced > General : Accessibility : [ ] "Warn me when web sites try to redirect or reload the page"
    The setting in "Tools > Options > Advanced > General" is meant as an accessibility feature, as you can see by the label of that section, so that people with disabilities or people who use screen readers do not get confused and is not meant as a safety protection to stop redirecting.
    See also:
    * https://support.mozilla.org/kb/settings-network-updates-and-encryption#w_general-tab
    * http://kb.mozillazine.org/accessibility.blockautorefresh
    * http://kb.mozillazine.org/Accessibility_features_of_Firefox

  • (Linecard image not present) at WS-SSC-600 and 7600-SIP-400

    I installed two modules, WS-SSC-600 and 7600-SIP-400, in slots 5 and 6 of a 13-slot chassis, and show power gives this output (Linecard image not present) for both cards.
    Supervisor engine is: VS-S720-10G with sub-module VS-F6K-PFC3CXL and VS-F6K-MSFC3
    IOS: s72033-advipservicesk9-mz.122-33.SXI9
    What does that mean and how do I fix it?

    OK, problem solved by upgrading IOS to another version, but the new image must contain (_wan) in the image name, for example (s72033-advipservicesk9_wan-mz.122-33.SXJ6), otherwise the two modules will not power up.

  • Almost everytime I click on a website it redirects me somewhere else. I deleted all my files from my computer and have not reloaded them. I ran an antivirus program and it shows nothing. How do I get rid of this redirect???

    I don't know what other details I can give you. I get redirected when I want to go to most websites. How do I get rid of it?

    Do a malware check with some malware scan programs. You need to scan with all programs because each program detects different malware. Make sure that you update each program to get the latest version of the database before doing a scan.
    * http://www.malwarebytes.org/mbam.php - Malwarebytes' Anti-Malware
    * http://www.superantispyware.com/ - SuperAntispyware
    * http://www.microsoft.com/windows/products/winfamily/defender/default.mspx - Windows Defender: Home Page
    * http://www.safer-networking.org/en/index.html - Spybot Search & Destroy
    * http://www.lavasoft.com/products/ad_aware_free.php - Ad-Aware Free
    See also "Spyware on Windows": http://kb.mozillazine.org/Popups_not_blocked and Searches are redirected to another site

  • Single WAE \ WCCP \ Dual Routers - Slow Accelerated Traffic

    Our standard WAE design was to have dual WAE's at sites with dual Routers.
    The WAE's are either 674's or 574's and the routers are Cisco ISR's all works well.
    Several new sites have come online but these sites now only have a single WAE device and two WAN routers.  Some users at
    The issue I have now is that some "Accelerated" sessions via the WAE devices are reported by users as being very slow. When those sessions are removed from WAAS policy and set to pass through the user reports normal access again.
    On looking at the problem I have possibly identified that the lack of the command;
    ip wccp redirect exclude in on the router interface
    But this command was never applied to the existing design, though potentially under normal conditions where both routers and both WAE's are working it's never been a problem.
    From Cisco;
    In any scenario where egress redirection is used, the command above MUST be issued on the router interface adjacent to the WAE. This command, "ip wccp redirect exclude in", ensures that packets received on the interface are not redirected again. This prevents an optimized packet from being rerouted directly back to the WAE. Instead, with this command applied, the router would simply see the packet coming in and forward it normally (WCCP would be bypassed for packets received on that interface).
    The WAE's are NOT L2 connected to the Routers so the following config is applied,
    rtr no 1
    ip wccp 61 redirect-list WAAS
    ip wccp 62 redirect-list WAAS
    ip cef
    interface GigabitEthernet0/0
    description *** Data LAN
    ip address x.y.7.6 255.255.255.192
    ip wccp 61 redirect in
    ip wccp 62 redirect out
    rtr no 2
    ip wccp 61 redirect-list WAAS
    ip wccp 62 redirect-list WAAS
    ip cef
    interface GigabitEthernet0/0
    description *** Data LAN
    ip address x.y.7.1 255.255.255.192
    ip wccp 61 redirect in
    ip wccp 62 redirect out
    WAE Config
    primary-interface Standby 1
    interface Standby 1
    ip address x.y.7.65 255.255.255.192
    interface GigabitEthernet 1/0
    standby 1 primary
    exit
    interface GigabitEthernet 2/0
    standby 1
    exit
    wccp router-list 1 x.y.7.1 x.y.7.6
    wccp tcp-promiscuous router-list-num 1
    wccp version 2
    Option 2 below is used.  But all sites have DUAL Routers.  Note Redirect Exclude is NOT configured.
    Thanks in advance for any support offered.
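
The Cisco text quoted in this post ties `ip wccp redirect exclude in` to any use of egress redirection, and both router configs above use `ip wccp 62 redirect out` without it. The following is an added example, not part of the original post, of a check that flags that combination in a router config; the addresses are constructed and the `GigabitEthernet0/1` interface in the second sample is hypothetical.

```python
import re


def parse_interfaces(config):
    """Map interface name -> list of commands that follow it.

    Works on indented or flattened configs (as pasted in the post). On a
    flattened config, global commands after the last interface are attached
    to it, which is harmless for the WCCP interface commands checked here.
    """
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        match = re.match(r"interface\s+(\S.*)", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def check_egress_redirect(config):
    """Report egress redirection and whether any interface excludes it."""
    interfaces = parse_interfaces(config)
    egress = sorted(
        name for name, cmds in interfaces.items()
        if any(re.fullmatch(r"ip wccp \S+ redirect out", c) for c in cmds)
    )
    exclude_in = sorted(
        name for name, cmds in interfaces.items()
        if "ip wccp redirect exclude in" in cmds
    )
    return {
        "egress": egress,
        "exclude_in": exclude_in,
        # Egress redirection with no excluded interface is the condition
        # the quoted Cisco text warns about.
        "missing_exclude": bool(egress) and not exclude_in,
    }


# Router config as posted, with a constructed address in place of x.y.7.6.
ROUTER_AS_POSTED = """\
ip wccp 61 redirect-list WAAS
ip wccp 62 redirect-list WAAS
ip cef
interface GigabitEthernet0/0
 description *** Data LAN
 ip address 192.0.2.6 255.255.255.192
 ip wccp 61 redirect in
 ip wccp 62 redirect out
"""

# Same config plus a hypothetical interface on which WAE traffic arrives.
ROUTER_WITH_EXCLUDE = ROUTER_AS_POSTED + """\
interface GigabitEthernet0/1
 description *** hypothetical link on which WAE traffic arrives
 ip address 192.0.2.129 255.255.255.192
 ip wccp redirect exclude in
"""

if __name__ == "__main__":
    for label, cfg in (("as posted", ROUTER_AS_POSTED),
                       ("with exclude", ROUTER_WITH_EXCLUDE)):
        print(label, check_egress_redirect(cfg))
```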

    Thanks for your post, details below.
    What do you mean by "sessions removed from WAE policy" ? Are you configuring static bypass on the WAE or are you excluding specific traffic with the WCCP redirect list ?
    I am defining certain traffic as Passthrough via a static bypass on the WAE's
    - check if the slowness affects all the redirected traffic or just particular sources/destinations/applications
          Recent testing has identified it just seems to affect a certain share, which I am investigating as this share has some kind of "Archive" solution in place.
    - make sure that the WCCP redirect ACL matches both directions of the connections
          It does
    - check the redirect / return method that is being negotiated
          All OK     
    - make sure both routers are seeing the WAE via WCCP
          Yes they are
    - check for "routing loop" in the WAE syslog.txt to understand if the WAE is receiving some traffic twice
          Investigating and will post reply. 
    Are the affected connections showing up in the "show stat connection" output on the WAE ? If so, are they optimized or PT ?
         They show as fully optimized when configured for the CIFS AO, but revert to PT when the static WAE policy is altered.

  • WCCP and ISDN / Dialer

    We have two routers running the same IOS version in our core - c7200-is-mz.123-10a.bin. One terminates a number of tunnels and the other has a number of dialer interfaces associated with an ISDN PRI. Each of our site routers has a tunnel going to the core (via an ADSL connection) and a backup ISDN interface with a dialer configured. When we are running on the primary links everything works fine. When we are running on the backup links (the ISDN) WCCP redirection seems to prevent clients from accessing services on TCP in the core (I can telnet to the core ISDN router from a PC on site, but can't access anything else). Ping always works fine - hence my suspicions about WCCP. If I disable WCCP on the core router with the ISDN links backup connections work fine.
    Our remote routers use c2800nm-advsecurityk9-mz.124-11.T4.bin.
    My question is - is there any issue with WCCP redirection and dialer interfaces?
    Below is the relevant config for the routers that don't work (addresses, names and numbers have been sanitized).
    corerouter#
    ip wccp 61
    ip wccp 62
    interface Dialer183
    description Backup DoD for remote site
    bandwidth 64
    ip address 192.168.1.1 255.255.255.252
    ip wccp 61 redirect out
    ip wccp 62 redirect in
    encapsulation ppp
    dialer pool 2
    dialer remote-name siterouter
    dialer idle-timeout 300
    dialer enable-timeout 60
    dialer wait-for-carrier-time 10
    dialer caller 222222
    dialer-group 1
    snmp ifindex persist
    ppp authentication chap
    End
    siterouter#sh run
    ip wccp 61
    ip wccp 62
    interface Dialer1
    description Backup DoD to the core via ISDN
    bandwidth 64
    ip address 192.168.1.2 255.255.255.252
    ip wccp 62 redirect in
    encapsulation ppp
    dialer pool 2
    dialer remote-name corerouter
    dialer idle-timeout 300
    dialer enable-timeout 60
    dialer wait-for-carrier-time 10
    dialer string 111111
    dialer caller 222222
    dialer-group 2
    ppp authentication chap
    end

    Zach,
    I've tried that as you suggested and it made no difference. I had seen a bug on the bugtracker about process switched packets possibly not being WCCP redirected correctly, so I have also tried ensuring that CEF was enabled, and removing compression in case that made the packets process switch.
    I have also tried removing the multilink and ensuring that only one ISDN B channel is pulled up for that dialer interface. That made no difference.
    I have verified that it is the router in the core that is causing the issue because I can have the remote site connect to the core via ISDN and have WAAS optimise traffic from that remote site to another remote site via the core (if I disable WCCP in the core).
    Thanks,
    Peter

  • Wccp and Sophos Web Appliance

    I am new to WCCP and I am having trouble getting the Sophos Web Appliance to Connect to a 6509e port channel. The Web app is on a VM host and the host is connected to the 6509 by two interfaces on a port channel.
    Here are the wccp parts of the config:
    ip wccp web-cache group-list 98 password
    Standard IP access list 98
        10 permit 172.18.4.55 (1403 matches) (host)
    sh ip wccp
    Global WCCP information:
        Router information:
            Router Identifier:                   10.1.18.251
            Protocol Version:                    2.0
        Service Identifier: web-cache
            Number of Service Group Clients:     0
            Number of Service Group Routers:     0
            Total Packets s/w Redirected:        0
              Process:                           0
              CEF:                               0
            Redirect access-list:                -none-
            Total Packets Denied Redirect:       0
            Total Packets Unassigned:            0
            Group access-list:                   98
            Total Messages Denied to Group:      0
            Total Authentication failures:       735
            Total Bypassed Packets Received:     0
    sh ip wccp web-cache view
        WCCP Routers Informed of:
            -none-
        WCCP Clients Visible:
            -none-
        WCCP Clients NOT Visible:
           -none-
    #sho ip wccp web-cache det
    WCCP Client information:
            WCCP Client ID:          172.18.4.55
            Protocol Version:        2.0
            State:                   NOT Usable (Initializing)
            Redirection:             L2
            Packet Return:           L2
            Packets Redirected:    0
            Connect Time:          00:00:04
            Assignment:            MASK
    At one time I had the Server listed in WCCP Clients visible but now it's gone. I am concerned about the "State: NOT Usable (Initializing)" statement. It is not changing. Has anyone had this problem? Of course Sophos said it was easy!
    Thank you in advance.

    The fix is to white list download.acrocomcontent.com for future reference.
    Bye!

  • Redirecting traffic on SunOne 6.1 SP4

    hi all,
    i've got a web server running SunOne 6.1 SP4, and i'm trying to figure out how to redirect traffic from 2 different locations.
    the web server is accessed both thru the LAN and the Internet. how is it possible to re-direct traffic coming from an internal IP to another internal IP and traffic from an external IP to an external IP.....?
    currently im using the following in my obj.conf file. but this is re-directing all traffic to one location.
    <Client security="false">
    NameTrans fn="redirect" from="/" url-prefix="http://x.x.x.x/"
    </Client>
    how can i configure this to re-direct traffic coming from the LAN (these come from a 10.1.x.x segment) to another internal IP and traffic coming from the web to another external IP...?
    any help on the matter would be highly appreciated.
    thanks and regards,

    To Documentation team,
    Here is what to do :
    update in http://docs.sun.com/app/docs/doc/820-1643/6nda4qg75?l=en&a=view#abvau
    Old Text :
    <Client ip="~192.85.250.*">AddLog fn="flex-log" name="access"</Client>
    New Text :
    <Client ip="\*~192.85.250.\*">
    AddLog fn="flex-log" name="access"
    </Client>
    Note that a * (asterisk) is required before ~ (tilde) and make these 3 separate lines.

  • Iptables and tor, reroute all traffic for security... Help?

    I'm attempting to route all TCP traffic that does not go through polipo through port 9040, tor's default TransPort. My web browser uses polipo to cache stuff, so I'd like to keep it in place if possible. However, all non-http traffic needs to be sent through the transPort. My current config, which does not take into account rerouting, is below:
    # Generated by iptables-save v1.4.15 on Fri Oct 12 16:33:33 2012
    #*nat
    #:PREROUTING ACCEPT [12:3420]
    #:INPUT ACCEPT [1:261]
    #:OUTPUT ACCEPT [0:0]
    #:POSTROUTING ACCEPT [0:0]
    #-A OUTPUT ! -p tcp -m owner --owner-uid tor -j REDIRECT --to-ports 9040
    #-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 9053
    #COMMIT
    # Completed on Fri Oct 12 16:33:33 2012
    # Generated by iptables-save v1.4.15 on Fri Oct 12 16:33:33 2012
    *filter
    :INPUT DROP [9:1175]
    :FORWARD ACCEPT [0:0]
    :OUTPUT DROP [8:488]
    # allow loopback
    -A INPUT -i lo -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    # allow NTPD time syncs
    -A OUTPUT -p udp --dport 123 -j ACCEPT
    # allow tor
    -A OUTPUT -j ACCEPT -m owner --uid-owner tor
    -A OUTPUT -p tcp --dport 9040 -j ACCEPT
    -A OUTPUT -p udp --dport 53 -j ACCEPT
    # allow BitTorrent
    -A OUTPUT -p tcp --dport 6969 -j ACCEPT
    -A OUTPUT -p tcp --dport 51413 -j ACCEPT
    -A OUTPUT -p udp --dport 51413 -j ACCEPT
    # allow pings (still not working. fix?)
    -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
    -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
    # allow traffic on established connections
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m conntrack --ctstate INVALID -j DROP
    COMMIT
    # Completed on Fri Oct 12 16:33:33 2012
    as you can see, I've already tried to redirect traffic using the --uid-owner polipo rule. So far, it's just caused iptables to spit out errors. I'm stumped, so I thought I'd come to you wonderful people at the Archlinux forums for help.

    Using the command you gave me, I found that the polipo user is indeed executing /usr/bin/polipo. Other than that, polipo is executing no processes.
    I tried adding the following to my iptables rules nat section:
    -A OUTPUT -p tcp -m tcp -m owner ! --uid-owner polipo -j ACCEPT
    -A OUTPUT -p tcp -m tcp -m owner ! --uid-owner polipo -j REDIRECT --to-ports 9040
    polipo now works, but the rest of my traffic that should go to the TransPort gets blocked.
    [EDIT]
    I'm now trying the same thing, except that I've chained privoxy with polipo like so:
    browser > privoxy > polipo > tor > internet
    my iptables rules look like this:
    # Generated by iptables-save v2.4.15 on Fri Oct 12 16:33:33 2012
    *nat
    :PREROUTING ACCEPT [12:3420]
    :INPUT ACCEPT [1:261]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    #-A OUTPUT -p tcp -m tcp -m owner ! --uid-owner tor -j REDIRECT --to-ports 9040
    -A OUTPUT -p tcp -m tcp -m owner ! --uid-owner tor -m owner ! --uid-owner polipo -m owner ! --uid-owner privoxy -j REDIRECT --to-ports 9040
    COMMIT
    # Completed on Fri Oct 12 16:33:33 2012
    # Generated by iptables-save v1.4.15 on Fri Oct 12 16:33:33 2012
    *filter
    :INPUT DROP [9:1175]
    :FORWARD ACCEPT [0:0]
    :OUTPUT DROP [8:488]
    # general
    -A OUTPUT -p tcp -m owner --uid-owner tor -j ACCEPT
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # allow loopback
    -A INPUT -i lo -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    -A INPUT -p all -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    # allow NTPD time syncs
    -A OUTPUT -p udp --dport 123 -j ACCEPT
    # allow tor
    -A OUTPUT -p tcp --dport 9040 -j ACCEPT
    -A OUTPUT -p udp --dport 53 -j ACCEPT
    -A OUTPUT -p tcp --dport 8123 -j ACCEPT
    -A OUTPUT -p tcp --dport 8118 -j ACCEPT
    # allow pings
    -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
    COMMIT
    # Completed on Fri Oct 12 16:33:33 2012
    and it STILL won't route traffic right. iptables redirects to the TransPort, but any traffic passed through polipo or privoxy reveals "connection reset" error message. Help?
    Last edited by ParanoidAndroid (2013-03-12 01:50:51)
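
An added example, not part of the original posts: a first-match walk of the nat OUTPUT chain for the two `*nat` rule sets posted above, showing where each new local TCP connection ends up. The uid `user`, the sample destinations and the loopback `RETURN` rule are assumptions constructed for the illustration; only owner and destination matches are modelled, for IPv4.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    target: str            # "ACCEPT", "RETURN" or "REDIRECT"
    not_uids: tuple = ()   # one entry per "-m owner ! --uid-owner X"
    dst: str = ""          # "-d" network; empty matches any destination
    to_port: int = 0       # "--to-ports" value for REDIRECT


def nat_output(rules, uid, dst_ip, dst_port):
    """Return the (ip, port) a new local TCP connection is sent to."""
    for rule in rules:
        if uid in rule.not_uids:
            continue                      # negated owner match fails
        if rule.dst and (ipaddress.ip_address(dst_ip)
                         not in ipaddress.ip_network(rule.dst)):
            continue                      # destination match fails
        if rule.target == "REDIRECT":
            # Locally generated packets are redirected to 127.0.0.1.
            return ("127.0.0.1", rule.to_port)
        return (dst_ip, dst_port)         # ACCEPT/RETURN: traversal ends, no NAT
    return (dst_ip, dst_port)             # chain policy ACCEPT


# The two rules added in the second post: ACCEPT, then REDIRECT, same match.
FIRST_ATTEMPT = [
    Rule("ACCEPT", not_uids=("polipo",)),
    Rule("REDIRECT", not_uids=("polipo",), to_port=9040),
]
# The single rule from the [EDIT] rule set.
EDITED = [
    Rule("REDIRECT", not_uids=("tor", "polipo", "privoxy"), to_port=9040),
]
# Assumption, not from the thread: exempt loopback before redirecting.
LOOPBACK_EXEMPT = [Rule("RETURN", dst="127.0.0.0/8")] + EDITED

# Constructed connections: (uid, destination ip, destination port).
SAMPLES = [
    ("user", "203.0.113.10", 22),      # ordinary application, external host
    ("user", "127.0.0.1", 8118),       # browser to local privoxy
    ("privoxy", "127.0.0.1", 8123),    # privoxy to local polipo
]


def run_all():
    """Evaluate every sample against every rule set."""
    sets = {"first": FIRST_ATTEMPT, "edited": EDITED, "exempt": LOOPBACK_EXEMPT}
    return {name: [nat_output(rules, *s) for s in SAMPLES]
            for name, rules in sets.items()}


if __name__ == "__main__":
    for name, results in run_all().items():
        print(name, results)
```

In the first rule set the ACCEPT rule matches everything the REDIRECT rule would, so nothing is ever redirected; in the edited rule set the browser's own loopback connection to port 8118 is redirected to 9040 before it reaches privoxy.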

  • WAAS Rjct Resources and conditions for asymmetric traffic

    Hello,
    I have a customer network of 30 WAE's connected to an MPLS cloud. Interception method is inline for all WAE, and WCCP for NM-WAE.
    Of those WAE's (running 4.1.1c), I have 3 that are connected in Datacenters, as such they are expected to receive most of the traffic and have been dimensioned as OE7341 appliances.
    It is my impression that this network's statistics are not as good as they should be: some of the optimization factors are at 1.2 or 1.3X and most are simply 1.0X.
    My impression is that there is a lot of passthrough traffic, and although some of it is configured as such in the application policies, when I check statistics pass-through on several WAE's on the network I see that the Rjct Resources is very high in a particular WAE in a Datacenter - that has a 7341 Box (12Gb RAM!) - and I also do get non-zero counters on other boxes.
    Is there any way to see at a given moment how many connections are going through the box so that I understand if I'm really facing a box capacity issue? The initial shows I did didn't look as if there were that many connections running through the box, but if I checked them live I saw about 65 Rjct Resource connections at a given time.
    Can anybody shed some light on this particular statistic?
    sghmansin--17w# sh statistics pass-through
    Outbound
    PT Client:
      Bytes      4081578138946
      Packets    11567591648
    PT Server:
      Bytes      8833662508567
      Packets    13797553929

                           Active    Completed
    Overall                     0            0
    No Peer                     7    141742513
    Rjct Capabilities           0            0
    Rjct Resources             65    273669865
    App Config                  6     25610854
    Global Config               0            0
    Asymmetric                  1      1597096
    In Progress                97    453847516
    Intermediate                0            0
    Overload                    0            0
    Internal Error              0          478
    App Override                0            0
    Server Black List           0       150553
    AD Version Mismatch         0            0
    sghmansin--17w#
    One other observation is that pass-through due to asymmetric traffic is also very frequent. Given that the customer is mostly using inline interception, even if a connection comes through a WAN/LAN interface pair and exits through another, the optimization should still be done.
    The datacenter designs are dual-homed active/passive, and traffic goes through the same (and only) WAE box. The customer assures me that there is no asymmetrical traffic.
    Can anybody explain to me how the decision is made to mark a given flow as asymmetrical (and then pass it through)?
    Thanks
    Gustavo Novais

    Hi Dan, Thank you for your reply.
    That show was just from one of the boxes, in this case on the Datacenter.
    For instance I also see asymmetricals in NM-WAE's configured for WCCP. But the number is not that substantial, which makes me believe the interception is well configured (unfortunately the routers are managed by a third party, and I am yet to have access to their config).
    All boxes on this network have Enterprise License activated.
    How can I check at a given moment the count of all connections on the box? Is there any MIB OID pollable to check that?
    Do passthrough connections count towards the overall limit?
    While doing the diagnostics on the WAAS devices there was indeed a WAAS device marked as having asymmetrical traffic, but many others have PT Asym connections and have not been marked as such by the diagnostics?
    How does the diagnostic work? Is it an instantaneous diagnostic (i.e. checks connection table at time T to see if any of the current connections is PT Asym)?
    If on the far end of a connection we do have an asymmetrical network topology, does the near end also mark the same connection as PT Asym, or will it simply say No Peer?
    thanks
    Thanks

  • WCCP and WAN optimisation via Layer 3 connection

    Hi There,
    I need some help with WCCP, however with Riverbeds instead of WAAS.
    The topology of the set up is as follows:
    WAN - R1 - LAN - L3 Switch - Riverbed
    The clients reside on the WAN side and the servers reside on the LAN side.
    My business wishes to enable WCCP on two separate WAN routers to the single Riverbed. One router is a fully managed service, and the other router is managed by the business IT team.
    All the articles that I have come across talk about enabling WCCP on the router whereby the WAN optimisation appliance is directly connected to a interface router. I need to configure WCCP to a Riverbed that is connected to a subnet that is a single hop away via a Layer 3 switch.
    My plan is to enable WCCP in the inbound directions on both the LAN and WAN interfaces, however my concern is that this design will mean the traffic passing through the LAN side interface will be optimised twice.
    Can any one confirm if this would happen? If it could happen can it potentially be stopped by placing a "ip wccp redirect exclude out" command on the LAN interface.
    Thanks in advance for your help.

    Hi Andreas,
    "ip wccp redirect exclude out" only makes sense if you have a "ip wccp redirect out"
    on a L3 interface on the router.
    Its purpose is to avoid redirecting an already optimised packet, coming from a L3-interface where the WAAS/Riverbed device is connected, once more.
    A double redirect will, in a WAAS setup, cause the WAAS device to drop the packet, because
    it suspects a routing loop... don't know what Riverbed does.
    Running only with "ip wccp redirect in" on both the WAN and LAN interface will cause :
    1) a packet coming in from the LAN, is supposed to be unoptimised, and will be redirected
    2) a packet coming in from the WAN, is supposed to be optimised, and will also be redirected
    3) an IP-interface with only the WAAS/Riverbed connected should NEVER be redirected !
    If you cannot isolate your WAAS/Riverbed in its own L3 subnet (subinterface/VLAN),
    and therefore have to place it in the "ordinary" LAN subnet, packets from the WAAS/Riverbed will become candidates for redirection (even with "ip wccp redirect in"), you'll need to use "WCCP negotiated Return", but don't know whether Riverbed supports this,
    Riverbed normally uses "tunnels" on the WAN side, and this makes the WCCP setup somewhat different.
    You should really consult the Riverbed documentation or their support
    ... or migrate to Cisco WAAS ;-)
    Best regards
    Finn Poulsen

  • How to do a PortForward/Port Proxy? Redirecting traffic from port 8080 to 80 on the SAME machine

    We have a CFTV system running on Win2008R2 that listens on 4 sequential port numbers and the last port is the Web Browser Port number for management and viewing cameras
    When we configure the port 8077 on the software, it opens 8077, 8078, 8079 and 8080 and works with no problem
    But...
    When we try to configure ports 77 (and therefore 77, 78, 79 and 80) the application hangs and it seems not to be possible to configure it to use port 80
    I could confirm, using NETSTAT, that the main CFTV application opens all required ports with no problem, but it only works on ports with a different number from "80", which is what I want, to make users more comfortable, avoiding typing ":PORT_NUMBER"
    after the URL; it would be a more "elegant" solution to use default port 80 for users' connections
    The question is: How to do a PortForward/Port Proxy? Redirecting traffic from port 8080 to 80 on the SAME machine?
    May i Use NETSH? (based on Help, it can be used to do this, but on different machines, not the same one)
    There is a RELIABLE application, running as a service, that can do the port forward/redirect?

    Hi,
    I’m sorry to tell you that we can’t redirect traffic from a port to another port on the same server itself. But we can do it with a router which is configured to port forward.
    By the way, according to your description, another program may use the port 80. Is there an IIS installed on the server? If it is necessary, you can consult your CFTV system vendor.
    Hope this helps.
    Steven Lee
    TechNet Community Support
