WCCP breaks Application Traffic
Hello Friends,
I have set up a test WAAS setup. The remote site connects to the main site through a site-to-site VPN connection. Cisco 1841 router is doing WCCP redirection at the remote end without any access lists. So all the traffic is being intercepted. I have set it up as explained in the WAAS quick config guide. File services are working fine but email, http and citrix traffic is being blocked somewhere in the network. This means WAFS is working but application acceleration is not at all working. When I disable WCCP, everything works.
What am I doing wrong here?
thanks
Ankit
Ankit,
Per Cisco, the Minimum Recommended Versions (IOS Routing Platforms) for WCCP w/ WAAS are:
M Train: 12.4(10)
T Train: 12.4(9)T1
You might want to try upgrading your IOS to 12.4(10) or the T train if possible. I would start there.
Found these caveats on 12.4 code
CSCuk61396
Symptoms: WCCP service redirection may not work. In particular, packets that are rejected by a third-party vendor appliance device and are returned to the router for normal forwarding may be discarded.
Conditions: This symptom is observed on a Cisco router when NAT or Cisco IOS Firewall features are enabled on the same interfaces that have WCCP enabled.
Workaround: There is no workaround.
HTH
Mike
Similar Messages
-
Cisco Configuration Professional - Monitor - Traffic Status - Application traffic view
Installed the Latest version of CCP. Noticed that it use Internet Explorer as the default browser.
Current issue - Monitor - Traffic Status - Application traffic view shows a window that is too large for my current screen,
I've tried several options to make it more viewable, but no luck.
Screenshot, Explaining the issue - Notice the difficulty to view the graphs
Any advice will be appreciated.
Philip
I've managed to fix it by changing the zoom on Internet Explorer
-
Blocking p2p application traffic and tunneling
I need help ........
We have taken two ASAs with AIP cards and have configured Active/Active, but users are using p2p and tunneling software. How can we block p2p and tunneling traffic?
plz anyone reply me..........
regards
If you are using Firewall software 12.4(9)T and above, it has integrated policies to block or rate limit p2p application traffic using dynamically updateable application definitions for newer p2p applications. KaZaA, Gnutella, BitTorrent, and eDonkey are currently supported.
You may also see this: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00801e419a.shtml
-
WCCP on ASA & traffic between physical interfaces on ASA
Hello,
I am trying to get WCCP working on the ASA for WAAS implementation. Here is a simple snapshot of my config:
Eth 0/0 : Outside (to internet)
Eth 0/1 : Vlan1 (20.20.0.0/16) (trunk port to remote office LAN)
Eth 0/1.211 : Vlan211 (20.21.10.0/24)
Eth 0/1.212 : Vlan212 (20.21.20.0/24)
Eth 0/1.220 : Vlan220 (20.22.0.0/16)
Eth 0/2 : WAAS (20.21.30.0/24)
I have the site to site tunnel working. I can ping the WAAS device from the other end of the tunnel but I cannot ping it from the 20.20.0.0/16 network. I have enabled traffic between interfaces on same security level as WAAS and LAN have same security.
I get this error message:
3 Feb 12 2007 17:54:05 305006 20.20.10.101 portmap translation creation failed for icmp src WAAS:20.21.30.230 dst LAN:20.20.10.101 (type 8, code 0)
How can I fix this?
My second question is regarding WCCP on ASA. Here is the WCCP part of the config I have:
wccp 61 redirect-list WCCP_To_LAN
wccp 62 redirect-list WCCP_To_WAN
wccp interface outside 62 redirect in
wccp interface LAN 61 redirect in
access-list WCCP_To_LAN extended permit ip any 20.20.0.0 255.252.0.0
access-list WCCP_To_WAN extended permit ip 20.20.0.0 255.252.0.0 any
I am not seeing any packets being redirected to the WAE. I once changed the access lists to 'any any' and I saw some packets but I couldn't ping or telnet to the remote site. Could it be a loop? Is there any way to exclude traffic to avoid loop?
Thanks
Ankit
Come on guys
Am I doing something wrong here?
No one replies to my posts. I had the same experience with the previous one.
Is this not the right forum for this query???
Ankit
-
EM Plug-In for Peoplesoft 8.50 Breaking Application Server When Discovering
During the Discover process, even though the Application Server, Web Server, and schedulers are down, the Plug-In for EM PeopleSoft breaks the PeopleSoft environment. We have to rebuild the Application Server and Scheduler to get this to work. There is a value that must reside in the ubx file and that was changed, but the discovery always breaks the environments.
My question is this: If we have to stop and start the PeopleSoft Architecture through EM, no problem. We just need to be able to explain why the environments keep breaking and we have to keep rebuilding the domains.
8.50.08, Windows 2003, Oracle 64-bit, 11.1.0.7 (Everything is on Windows).
Any insight will be helpful to our situation.
Thanks
I experienced a similar thing. The EM plugin for PS breaks the PS env down. I did not take time yet to investigate, and so far did not use it at all.
Nicolas.
-
Creative Cloud ToS breaks application interop
I'm noticing that every update comes with another 'accept ToS' prompt and if you haven't accepted and launch from another app or from the context menu from a file, the application launch workflow breaks.
Example:
New updates trigger ToS.
Launch Premiere and accept.
Do some work, select a sequence and attempt to replace with an After Effects composition.
Result:
After Effects launches into ToS and after accepting, the context of the launch is lost and I'm just presented with the app. Now, the originating application expects a return pointer to the generated AEP file, so it offlines the media when it doesn't get one. This severely breaks my workflow and causes a lot of frustration given the speed at which apps are updated.
Another thing that causes this issue is rebooting. CC Desktop does not automatically sign in nor does it pop up on launch to remind you you haven't signed in. This also breaks workflows as the context is lost at the sign in window on app launch.
I know the workaround is to launch all apps after update and to remember to sign in on reboot, but those manual steps suck and asking customers to launch every app in the suite to ensure the ToS is signed (when it's likely going to be updated again in a few days) is unacceptable for a premium service.
I'd love to at least know this is being tracked - I know no comment can be made about unreleased functionality, but I'm pretty tired of the behavior.
got it installed.
Didn't have to uninstall all the software this time..
And I got a clue to where Adobe may be having problems. I think they have an old library that has broken code for accessing profiles in Windows.
Ran the cleaner for CS6 & Creative cloud.
it then lists all the CS6 and CC Apps including CC Desktop.. I chose that but got a :
"Was cleaned with errors" message
GREAT.. even the cleaner is broke!!!
but unlike other tools tells me where the LOG file is... EXCEPT.
Instead of c:\Users\Tim.Domain\... rest of path where it was
The error lists c:\Users\Tim~1~DOM\.. rest of path.
Well \Tim~1~DOM is a left over folder from a previous profile... that is actually nearly empty. Yet Adobe's error used it not the correct profile in the Error.
So imagine that certain other calls are also using busted Profile calls that grab similar profiles vs the correct one.. BUSTED INSTALLER!!
after the Cleaner was run for only CC Desktop.. I was then able to download and install the current version from Adobe.
Code that grabs the wrong profile path is going to cause problems....
-
Air plugin for dreamweaver breaks application.xml file
the air plugin for dreamweaver breaks the application.xml file when the version is changed from 2.0 to 2.7
How to fix this?
Hi Roberto,
I'm sorry I don't know the answer to this one, but I'll ask around. Have you checked out the dreamweaver forum?
Chris
-
Hi,
Thanks for your previous helpful responses.
I will be doing a POC at Customer site, I have the following applications listed that I will optimizing:
Oracle
MS windows (CIFS)
MS Exchange
EFAX- oracle
RTGS- Real Traffic Gross settlements
T24
internet thru proxy server.
Banknet - Intranet Service.
DNS.
Mcafee antivirus updates service.
I guess one way to capture the traffic types is to run a sniffer on the network. How do I know exactly how the application works, so as to know what kind of ATP to create for some of these applications mentioned and what kind of optimization to apply, since not all of them have an ATP defined in the default Cisco ATP?
Thanks
Obiora,
There are several apps you list that are in the default application policies (CIFS, Oracle, Proxy server, etc.). I would recommend that you create a policy for Exchange via destination IP with full optimization as long as it's not encrypted by the Outlook clients.
For the other apps, you are correct, you may have to run a sniffer to look at them as they may be customer apps. After you have found out what ports and/or IP addresses they will use, you can create customer policies if they don't fit into the default set.
Hope that helps,
Dan
-
Adobe AIR runtime update dialog breaks application
I'm working on a large project that utilizes a C++ application to house the core logic and an AIR application to display a UI. The C++ program launches the AIR UI and passes it several command line parameters, including locale and port number to call back to the C++ application with. Under normal circumstances, this works great.
However, when there's an Adobe AIR runtime update, things go bad. The runtime intercepts the UI invocation, kills it, and displays the generic AIR "do you want to update?" dialog. Whether the user presses update or cancel, the UI application eventually gets relaunched -- but without the command line parameters originally passed to it! I presume this is a bug in the Adobe AIR runtime updater code.
The end result of this is that the UI gets relaunched, but doesn't know how to localize itself or what port to call back to the C++ application with! If the user relaunches, it works fine (because the update dialog won't intercept again), but by then the user experience has already been mangled. We can't even display a localized error message to tell them to relaunch because we don't know what locale they're using any more, and we can't call back to the C++ application to ask.
I'm trying to find solutions/workarounds to this issue. Because AIR won't let us turn off the update check on a per-application basis, it seems like the only viable solution would be to turn off the runtime update check for the whole machine. But altering machines settings for the benefit of one application is definitely bad form, and I'd prefer not to do that if any other viable workaround exist.
Any ideas?
I filed a bug report last night using that same form.
The duplication steps are straightforward. I can duplicate the following with 100% success on a freshly imaged Win 7 32-bit box, admin user account:
1) Install older version of Adobe AIR framework (I tried both 1.1 and 1.5.1). It will ask you to update. Click "Update later".
2) Pull up task manager and watch the process list
3) Run ANY Adobe AIR app with some parameters (I used Adobe's Settings Manager as a sample because it's small)
4) Note that your application appears in the task manager briefly
5) Your app is terminated and "Adobe Air Installer.exe" appears in the task manager. A dialog pops up asking you to update.
6) Click cancel
7) Your app is reinvoked without any parameters
As for my specific case, by "session" I do mean a single launch.
I'm not aware of an evoke event -- perhaps you meant invoke event? The invoke event is not executing before the app terminates (in step 5 above). I think the AIR app is just running long enough to load the runtime and then the runtime takes over from there.
Thanks...
-
IE6 Recording breaks application
I have been trying to capture a sequence using the Agile PC Client (version 9.2.2.0). I start Captivate recording, and launch the Agile application, and get to my home page... now the problem starts: when I select to open a new object (new web form page) Agile launches the web page, but Adobe Captivate prevents the content from loading in the web form object page. It just locks up with "Loading web page". I have tried this with many variations of agile objects and it seems to be a consistent problem... one would expect that this should not happen.... I am using IE (company requirement) and Java 1.6; Firefox, Safari or other application is not an option.
I had a similar problem recording Vignette, which uses multiple pop up windows and JavaScript.
The workaround: use Safari.
-
10.5.3 Update Breaks Applications
I resolved the issue, but I was just wondering if anyone else has had any issues where right after you restart your computer after the 10.5.3 update, all your applications don't open and freeze up. It happened to me several times, and I eventually just erased and installed from scratch.
Thanks.
-MacWiz1220
macwiz1220 wrote:
I resolved the issue, but I was just wondering if anyone else has had any issues where right after you restart your computer after the 10.5.3 update, all your applications don't open and freeze up. It happened to me several times, and I eventually just erased and installed from scratch.
Without knowing which apps you are referring to, it is difficult to answer your question.
Most freezeups are from having 3rd party apps that are not supported by Leopard 10.5.3.
I have had no such issues with any of my 3 Leopard systems.
Freezeups are usually the symptom of some bad software or bad hardware, or a failure to run DU and repair the HD and permissions before updating a system.
-
Adding Allowed procedure breaks application
My application was working fine. Then I added a custom procedure mypkg.myproc to the allowed list of procedures under the security tab. Then I could not access my application. It gives the error "Requested url http://myserver/apex/f not allowed".
So I added "f" and "wwv_flow_custom_auth_sso*" and I could access the application. But all styling/images are gone and also submitting forms gives the error "Requested url http://myserver/apex/wwv_flow not allowed".
So do I have to add all apex packages to the list if I want to add one custom package? This seems wrong.. am I missing something here.. Please advise.
Listener version -1.0.2
Hi,
1. You need to list the apex packages in APEX Listener for Allowed Procedures, but you don't need the database validation for these packages. You don't need to define the Validation Function if you use the Allowed Procedures in the APEX Listener, you just double the check.
Anyway, as an example, you can easily use the function provided with APEX (wwv_flow_epg_include_mod_local in the APEX040000 schema) or see the one given in the Installation and Developers Guide (section "Configuring Security").
2. No, you can include them in your custom list when needed.
But again: If you plan to use APEX Listener for APEX and you use the Allowed Procedures, you don't need to configure the validation function.
The idea is:
Allowed Procedures = Whitelist - only the ones in there are allowed (including asterisks)
Blocked Procedures = Blacklist - procedures listed there are not allowed (can be combined with whitelist to exclude selected items from asterisk-inclusion)
These two are executed in that order in the APEX Listener itself.
Database Validation Function = gets the procedurename as parameter and returns boolean as result.
Basically, you'll do the same there as you can do with the APEX Listeners allowed/blocked feature, but you do it in the database. I think this is only relevant if you either run a mixed scenario (i.e., you use the same function for EPG or OHS/mod_plsql) or you want a more complex evaluation, e.g. you put some other environment variables like request IP address or some custom header into that evaluation in order to limit access to certain procedures just to intranet users or something like that.
-Udo
-
2 WAE WCCP l2 only 1 gets the traffic
Hi,
I have 1 WAN Router and 2 WAVE devices configured in WCCP. The configuration works fine except that only the first WAVE that sees the router and establishes the WCCP connection receives the traffic. What I mean is that both WAVEs see the router and vice versa. When I establish the WCCP connection, the first WAVE to establish it becomes LEAD WAE and the other one does not get packets. If I disconnect the lead WAE or change its WCCP config and put it back, WCCP switches over to the other WAE and the other one is now exclusively receiving the traffic. No load balancing is achieved.
First here's my setup:
1 WAN Router Cisco ISR G2 2911 IOS 15.2(1)T
2 Cisco WAVE-274 WAAS version 4.3.3 configured identically for WCCP.
Router IP: 10.x.y.1/22
WAVE IPs: 10.x.y.9 and 10.x.y.7 /22 and default gateway is the router 10.x.y.1
Users are on the same network 10.x.y.0/22 (is this a problem? i read in some WAAS config guide that the WAE cannot be in the same network as users)
Second here's the relevant config:
Router:
ip cef
ip wccp 61
ip wccp 62
interface GigabitEthernet0/0
description *** LAN Connection ***
ip wccp 61 redirect in
ip addr 10.x.y.1 255.255.252.0
interface GigabitEthernet0/1
description *** WAN Connection ***
ip wccp 62 redirect in
ip addr WAN_IP...
WAAS:
primary-interface GigabitEthernet 1/0
interface GigabitEthernet 1/0
ip address 10.x.y.9 255.255.252.0 (and .7 for the second WAVE)
interface InlineGroup 1/1
shutdown
wccp router-list 1 10.x.y.1
wccp tcp-promiscuous router-list-num 1 l2-redirect l2-return
wccp version 2
When I do the following on the router:
show ip wccp 61 detail
or show ip wccp 62 detail
I see:
WCCP Client information:
WCCP Client ID: 10.x.y.7
Protocol Version: 2.0
State: Usable
Redirection: L2
Packet Return: L2
Assignment: HASH
Initial Hash Info: 00000000000000000000000000000000
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
00000000000000000000000000000000
Hash Allotment: 128 (50.00%)
Packets s/w Redirected: 103912
Connect Time: 03:34:05
GRE Bypassed Packets
Process: 0
CEF: 0
Errors: 0
WCCP Client ID: 10.x.y.9
Protocol Version: 2.0
State: Usable
Redirection: L2
Packet Return: L2
Assignment: HASH
Initial Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
00000000000000000000000000000000
Assigned Hash Info: 00000000000000000000000000000000
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 128 (50.00%)
Packets s/w Redirected: 0
Connect Time: 01:46:24
GRE Bypassed Packets
Process: 0
CEF: 0
Errors: 0
On the WAAS, the WCCP Assignment Settings for Load Balancing is the default: Hash. (Hash on Source IP (Service 61):)
the Egress Method is IP forwarding
I have several connections from different source IP addresses and somehow they all end up hashed on the same WAE:
ConnID Source IP:Port Dest IP:Port PeerID Accel RR
360 10.x.y.3:49463 10.q.w.36:52732 xx:xx:xx:xx:xx:xx TMDL 16.1%
373 10.x.y.4:55005 10.q.w.36:52732 xx:xx:xx:xx:xx:xx TMDL 24.8%
I checked in several places and read the best practices; the router platform support... and it seems that the config is OK
http://www.cisco.com/en/US/prod/collateral/contnetw/ps5680/ps6870/white_paper_c11-608042.html
Any ideas?
Thanks,
Patrick
Although it is recommended to use HASH for 2900 series routers, I just switched to MASK method for load balancing on both WAVE devices. This is supported according to Cisco doc. It seems that connections are now being accelerated by both WAVEs.
The behaviour is a bit weird though, connections are first being sent to one WAE then they show up as passthrough on it for a quick second and after that they get treated by the second wave!
I also see this behaviour when looking at the counters on the router, the counters went up to 274 packets on one router and are no longer changing although new connections are being treated, while the other router has a lot more packets:
ROUTER#show ip wccp 61 detail
WCCP Client information:
WCCP Client ID: 10.x.y.7
Protocol Version: 2.0
State: Usable
Redirection: L2
Packet Return: L2
Packets Redirected: 274
Connect Time: 01:49:58
Assignment: MASK
Mask SrcAddr DstAddr SrcPort DstPort
0000: 0x00000F00 0x00000000 0x0000 0x0000
Value SrcAddr DstAddr SrcPort DstPort CE-IP
0008: 0x00000800 0x00000000 0x0000 0x0000
0009: 0x00000900 0x00000000 0x0000 0x0000
0010: 0x00000A00 0x00000000 0x0000 0x0000
0011: 0x00000B00 0x00000000 0x0000 0x0000
0012: 0x00000C00 0x00000000 0x0000 0x0000
0013: 0x00000D00 0x00000000 0x0000 0x0000
0014: 0x00000E00 0x00000000 0x0000 0x0000
0015: 0x00000F00 0x00000000 0x0000 0x0000
WCCP Client ID: 10.x.y.9
Protocol Version: 2.0
State: Usable
Redirection: L2
Packet Return: L2
Packets Redirected: 100788
Connect Time: 01:49:56
Assignment: MASK
Mask SrcAddr DstAddr SrcPort DstPort
0000: 0x00000F00 0x00000000 0x0000 0x0000
Value SrcAddr DstAddr SrcPort DstPort CE-IP
0000: 0x00000000 0x00000000 0x0000 0x0000
0001: 0x00000100 0x00000000 0x0000 0x0000
0002: 0x00000200 0x00000000 0x0000 0x0000
0003: 0x00000300 0x00000000 0x0000 0x0000
0004: 0x00000400 0x00000000 0x0000 0x0000
0005: 0x00000500 0x00000000 0x0000 0x0000
0006: 0x00000600 0x00000000 0x0000 0x0000
0007: 0x00000700 0x00000000 0x0000 0x0000
Any ideas?
Maybe I should've just clustered the WAVEs inline...
-
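The MASK table in the thread above can be checked against the client subnet. The following is an added example, not part of the original posts: it applies the source-address mask 0x00000F00 and the value-to-WAE table from the `show ip wccp 61 detail` output to every host of a /22. The subnets 10.1.4.0/22 and 10.1.8.0/22 are constructed stand-ins for the elided 10.x.y.0/22, and the mask 0x0000000F is a hypothetical alternative used only for comparison.

```python
import ipaddress

# Source-address mask and value ownership copied from the router output above.
# Values 0x000-0x700 belong to client 10.x.y.9, values 0x800-0xF00 to 10.x.y.7.
# The "WAE .9" / "WAE .7" strings are labels for this example only.
SRC_MASK = 0x00000F00
ASSIGNMENT = {v << 8: "WAE .9" for v in range(0, 8)}
ASSIGNMENT.update({v << 8: "WAE .7" for v in range(8, 16)})


def bucket(src_ip, mask=SRC_MASK):
    """Return the mask/value bucket a source address falls into."""
    return int(ipaddress.IPv4Address(str(src_ip))) & mask


def owner(src_ip):
    """Return the WAE label that owns the bucket of this source address."""
    return ASSIGNMENT[bucket(src_ip)]


def reachable_buckets(network, mask=SRC_MASK):
    """Set of buckets that hosts of the given subnet can ever produce."""
    net = ipaddress.IPv4Network(network)
    return {bucket(host, mask) for host in net.hosts()}


def distribution(network):
    """Count how many hosts of the subnet are assigned to each WAE."""
    counts = {}
    for host in ipaddress.IPv4Network(network).hosts():
        label = owner(host)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed client subnets standing in for 10.x.y.0/22.
    for lan in ("10.1.4.0/22", "10.1.8.0/22"):
        used = sorted(hex(b) for b in reachable_buckets(lan))
        print(lan, "buckets used:", used)
        print(lan, "hosts per WAE:", distribution(lan))

    # Hypothetical mask on the low four bits of the address, for comparison:
    # every one of the 16 buckets is reachable from the same /22.
    print(len(reachable_buckets("10.1.4.0/22", 0x0000000F)), "buckets with 0x0000000F")
```

Mask 0x00000F00 selects the low four bits of the third octet, and a /22 only varies the low two of those, so all clients of one /22 fall into four adjacent buckets owned by a single WAE. That is consistent with the 274 versus 100788 redirected-packet counters shown in the post.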
ACE as cache engine for wccp redirection
Does anybody know if the ACE 4710 appliance supports WCCP acting as a web-cache engine? I am exhausting all possible options, and then some, for deploying a new application networking environment. I just returned from ACE training last week and found myself ramping up to deploy a new ACE.
I have pretty much exhausted my options for topology. We discussed several different designs in class and I don't like any of them. I have some serious problems with using the ACE as a default-gateway for servers. That option is out due to how other "non application" traffic is handled. Traffic such as RDP from IT support staff, patching from SMS servers, virus dat updates, vulnerability scanning... it all routes to the ACE which has to have static routes... then clients hitting the application VIPs have to be natted so the ACE does not use the static routes and reply directly... it all becomes a very big problem over time.
Second and third options are one-armed and direct server return... both not suitable for my requirements.
Now... that leaves me with an option we currently have deployed. That is to use a distribution route-switch (Catalyst 4500 Sup-IV) in the middle. The Cat uses PBR to return http traffic from the web servers back to the ACE. All other traffic follows normal routing table.
Ok... that works perfect... except PBR is not supported in the Sup-6 engine. Unbelievable... I know. This is a major fly in the ointment for this new deployment.
Now... there is another protocol that is often used for redirection... WCCP. If the ACE were a wccp web-cache, the router could be configured to redirect ingress http to the ACE. But... the ACE would have to act as a web-cache engine and register with the Cat as a home-router.
I am sure this option is not an option... but it would be nice. The ACE 4710 appliance has the general processor to do it but it would have to be implemented in software. I'm running A3(1.0) and I cannot find anything related to wccp. Nothing in the command-reference.
If there are any Cisco developers interested in adding some killer functionality... this would be it. Wccp can be done in layer-2 as well as layer-3. The Sup-6 supports layer-2 redirection. Since the ACE is generally layer-2 adjacent this would be rather easy to implement. Anyway... food for thought.
I just would like to mention that you could have ACE in bridge mode inserted between your servers and the gateway (4500).
All traffic will go through ACE but no need for natting and no static routes (just one default route pointing to the 4500).
The only problems would be if you exceed the BW of the 4710 with all your traffic.
Regarding the WCCP support for the 4710 this is not currently in our roadmap.
Ask your cisco account team to introduce the request.
Thanks,
Gilles.
-
Does introducing WCCP redirect for WAAS disrupt Netflow information?
Before installing WAAS and WCCP redirect on some 6500 interfaces in our data center, those interfaces showed Netflow flows for users at a remote location accessing servers at our data center. Now with WCCP redirecting that traffic to the WAEs, I notice the only netflow flows for that remote location are UDP flows and some ICMP stuff.
Is this an unintended consequence of installing WAAS - that netflow statistics are going to be skewed by not showing flows that are now accelerated?
I believe your problem may be due to the fact that you are redirecting http based traffic per the ACL configuration. The sup720 uses wccp v2 as a default version, however, the Sup720 does NOT support the hardware-based redirection for the TCP port 80 when we enable wccpv2.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/wccp.htm#wp1017009
Support for Non-HTTP Services:
WCCPv2 allows redirection of traffic other than HTTP (TCP port 80 traffic), including a variety of UDP and TCP traffic. WCCPv1 supported the redirection of HTTP (TCP port 80)traffic only. WCCPv2 supports the redirection of packets intended for other ports, including those used for proxy-web cache handling, File Transfer Protocol (FTP) caching, FTP proxy handling, web caching for ports other than 80, and real audio, video, and telephony applications.