WCCP GRE between ProxySg & 6509 ?

Similar Messages

• WSA & CAT6500 WCCP GRE Tunnel

  Hello everyone
  First time writing in the support community. So exiting!!!!
  I am trying to have a transparent WSA (7.5) with a CAT6509 SXF7 WCCP. between them there is a Firewall/router. so I built the WCCP with GRE/L3.
  so far so good. WCCP GRE tunnel is there.
  However cannot surf the internet.
  After much troubleshooting (wireshark mainly) I believe I know where the problem is.
  Client want to surf the Internet (http)
  Client sends a SYN request to the IP of the website (after resolving DNS)
  CAT6500 tunnels the request with GRE to WSA
  WSA receives request and sends to SYN packet to the webpage.
  Webpage sends a SYN ACK to WSA  (no spoofing)
  PROBLEM: WSA then sends the SYN ACK without GRE to client with in turn does not go through the FW
  Client does not receive SYN ACK, sends another SYN and then another until he gives up.
  Question: How can I force the WSA to return traffic through the GRE tunnel.
  I already chose return method as "alloow GRE only" under WCCPv2 Service
  So look forward to receive some help

  Hi,
  Yes, it will work.
  Regards,
  Erik
  Sent from Cisco Technical Support iPad App

• Firefox 4. Could not find compatible GRE between version 2.0 and 2.0.

  When run firefox it output to stdout "Could not find compatible GRE between version 2.0 and 2.0." and exit. What is this? I use xulrunner-system-cairo 1.9.2.15-1.
  Last edited by veg (2011-03-24 17:56:41)

  @veg just get rid of xulrunner-system-cairo and install xulrunner. Now our xulrunner is compiled with system cairo support

• Problem redirecting HTTPS trafic using WCCP on a Cisco 6509

  Hi
  I am implementing af Ironport web scanning solution in a current network and i have som problems with HTTPS trafic.
  I am using the following command.
  ip wccp 70 group-list 9 password xxx accelerated
  interface Vlan2
        ip wccp 70 redirect in
  access-list 9 permit <Ironport IP>
  on the Ironport the "Dynamic service ID" of 70 is configuret to accept port 80 and 443 but i only recive port 80 trafic, but if i use windows proxy settings to direct the trafik i recieve trafic from both ports.
  So i think the problem is in my WCCP configuration.

  Can you reset the WCCP session between the Ironport and the 6K, SPAN the interface where the Ironport is connected, re-establish the WCCP session and collect the captures in pcap format, then upload them?!
  Can you get the show ip wccp commands from the 6K to check the WCCP status?

• WCCP GRE Redirection multiple hops

  When using GRE redirection and negotiated return, is it possible to place the WAEs on a segment that is not directly attached to the routers? I have seen some documentation state, "It allows the WCCP clients to be separate from the router via multiple hops. With WAAS, the WAEs need to be connected directly to a tertiary or sub-interface of the router." This has left me a little confused, but seems like it is possible with new code. If it is possible, is there any possibility on looping occuring? I assume there isn't since the packets are tunneled to and from the routers which would bypass the inspection. This would also allow me to take advantage of WAAS over a high-speed/low latency link to a datacenter that does not physically have WAEs deployed.
  Any input is much appreciated,
  Patrick

  Patrick,
  You are correct, the WAE with negotiated return can be multiple L3 hops away from the router (back in your DC). However for performance, of course it's recommended to be as close as possible. With the return traffic using GRE, the traffic is not being re-intercepted.
  Thanks,
  Dan

• 8Gig Port Channel between two 6509s

  Hey all,
  I have two 6509s that I'm trying to configure an 8 Gig trunk/port channel. I have an 8 port fiber module in slot 3 on both switches. When I use the following command: "set port channel 3/1-8" on it seems to take the command, but if I do "show port channel" it shows two groups:
  3/1-4
  3/5-8
  Is there a limit as to how many gigs a port channel can be? If not, why does it split it like this?
  I should also note I'm using dot1q for the trunks using Auto mode on one switch and Desirable on the other.
  Thanks,
  Scott

  I did a show port cap on the interfaces and I didn't see any sort of restriction. I decided to run the command again 'set port channel 3/1-8 on' and for some reason it seemed to work this time. Not sure what changed, but it's working now.
  Thanks for your help!

• GRE IPSec between Cisco 2811 and FortiGate 110C

  Hello,
  Does anybody know if it is possible to configure GRE IPSec tunnel between Cisco 2811 router and FortiGate 110C firewall? I know that FortiGate supports IPSec and GRE tunnels, but maybe somebody succeeded in establishing an IPSec GRE between those routers? Could you also give a link to the appropriate documentation if it is possible?

  Hi,
  You can configure the GRE tunnel on the 2811.
  I'm aware that you can configure sort of a GRE tunnel on the Fortinet as well, but I have not seen a GRE tunnel between a Cisco and other vendor.
  I've only seen GRE tunnels between Cisco devices (however I have not tried it to assure you that it will not work :-()
  Federico.

• L2 redirection between a 3750 and WAE 674 WCCP

  hi
  we are using a WAE 674 on a cisco 3750 in WCCP
  WCCP is configured to use L2 redirection
  but we saw this on the switch
  Global WCCP information:
      Router information:
          Router Identifier:                   192.168.100.1
          Protocol Version:                    2.0
      Service Identifier: 61
          Number of Service Group Clients:     1
          Number of Service Group Routers:     1
          Total Packets s/w Redirected:        1
            Process:                           0
            CEF:                               1
          Redirect access-list:                -none-
          Total Packets Denied Redirect:       0
          Total Packets Unassigned:            0
          Group access-list:                   -none-
          Total Messages Denied to Group:      0
          Total Authentication failures:       0
          Total Bypassed Packets Received:     0
      Service Identifier: 62
          Number of Service Group Clients:     1
          Number of Service Group Routers:     1
          Total Packets s/w Redirected:        11
            Process:                           0
            CEF:                               11
          Redirect access-list:                -none-
          Total Packets Denied Redirect:       0
          Total Packets Unassigned:            0
          Group access-list:                   -none-
          Total Messages Denied to Group:      0
          Total Authentication failures:       0
          Total Bypassed Packets Received:     0
  switch configuration
  vlan 1 and 2 : data
  vlan 3 routeurs
  vlan 4 : WAE
  interface Vlan1
  ip address 10.0.0.1 255.255.0.0
  ip wccp 61 redirect in
  standby 0 preempt
  standby 1 ip 10.0.0.6
  standby 1 priority 150
  standby 1 preempt
  standby 1 name hsrp_vlan_1
  interface Vlan2
  ip address 10.1.0.1 255.255.0.0
  ip wccp 61 redirect in
  standby 2 ip 10.1.0.6
  standby 2 priority 150
  standby 2 preempt
  standby 2 name hsrp_vlan_2
  interface Vlan3
  description Routage-FT
  ip address 192.168.1.4 255.255.255.0
  ip wccp 62 redirect in
  standby 3 ip 192.168.1.6
  standby 3 priority 150
  standby 3 preempt
  standby 3 name hsrp_vlan_3
  interface Vlan4
  description VLAN WCCP
  ip address 192.168.100.1 255.255.255.0
  WAE configuration
  wccp router-list 8 192.168.100.1
  wccp tcp-promiscuous mask src-ip-mask 0x1741 dst-ip-mask 0x0
  wccp tcp-promiscuous router-list-num 8 l2-redirect mask-assign l2-return
  wccp version 2

  Hi,
  This counter on the 3750 is a software counter, but all WCCP redirection should be happening in hardware.  Thus, it is expected the number of redirected packets to be zero or very low.  The proper way to tell if WCCP is redirecting traffic to your WAE is to issue the command "show wccp gre" on the WAE and look for the line "transparent non-GRE packets received."
  Example:
  pdi-7341-19#sh wccp gre
  Transparent GRE packets received:              0
  Transparent non-GRE packets received:          28887345
  Transparent non-GRE non-WCCP packets received: 0
  Total packets accepted:                        26012975
  Invalid packets received:                      0
  Packets received with invalid service:         0
  Packets received on a disabled service:        0
  Packets received too small:                    0
  Packets dropped due to zero TTL:               0
  ----output omitted ------
  Cheers,
  Mike Korenbaum
  Cisco WAAS PDI Help Desk
  http://www.cisco.com/go/pdihelpdesk

• LACP port channel between 6509 and Nexus 7K

  We are in the process of migrating from dual 6509's to dual 7010's.  We have moved our 5k/2K's behind the 7K and have layer 2 up between the 6509 and 7K.  This link is configured as a port channel with 2 1gig links using LACP.  The port channel is up and working and traffic is passing but it doesn't appear the load it equally distributed between the links.  Both the 7K and 6K are setup for src-dst-ip for the load balancing.  The links have been in place for over 12 hours and I would have expected them to "equal" out.  Has anyone had this issue in or is this to be expected?  For clarification there is not VPC inolved in this configuration it is simply a port-channel between one 6509 and a 7010.
  Thanks,
  Joe

  We are in the process of migrating from dual 6509's to dual 7010's.  We have moved our 5k/2K's behind the 7K and have layer 2 up between the 6509 and 7K.  This link is configured as a port channel with 2 1gig links using LACP.  The port channel is up and working and traffic is passing but it doesn't appear the load it equally distributed between the links.  Both the 7K and 6K are setup for src-dst-ip for the load balancing.  The links have been in place for over 12 hours and I would have expected them to "equal" out.  Has anyone had this issue in or is this to be expected?  For clarification there is not VPC inolved in this configuration it is simply a port-channel between one 6509 and a 7010.
  Thanks,
  Joe

• WCCP Multicast with 6500

  I have two 6500s (6509-1 and 6509-2)and two WAE-674 devices. I am trying to configure these devices in a redundant way. However the WAEs form wccp relation only with the 6509-2.
  6509-2#sh ip wccp 61 detail
  WCCP Cache-Engine information:
  Web Cache ID: 172.27.249.65
  Protocol Version: 2.0
  State: Usable
  Redirection: GRE
  Packet Return: GRE
  Assignment: HASH
  Initial Hash Info: 00000000000000000000000000000000
  00000000000000000000000000000000
  Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  00000000000000000000000000000000
  Hash Allotment: 128 (50.00%)
  Packets Redirected: 0
  Connect Time: 00:36:19
  Web Cache ID: 172.27.249.66
  Protocol Version: 2.0
  State: Usable
  Redirection: GRE
  Packet Return: GRE
  Assignment: HASH
  Initial Hash Info: 00000000000000000000000000000000
  00000000000000000000000000000000
  Assigned Hash Info: 00000000000000000000000000000000
  FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  Hash Allotment: 128 (50.00%)
  Packets Redirected: 0
  Connect Time: 00:36:18
  however on the 6509-1
  6509-1#sh ip wccp 61 detail
  WCCP Cache-Engine information:
  Web Cache ID: 172.27.249.66
  Protocol Version: 2.0
  State: NOT Usable
  Redirection: L2
  Packet Return: L2
  Packets Redirected: 0
  Connect Time: 01:17:18
  Assignment: MASK
  Web Cache ID: 172.27.249.65
  Protocol Version: 2.0
  State: NOT Usable
  Redirection: L2
  Packet Return: L2
  Packets Redirected: 0
  Connect Time: 00:00:15
  Assignment: MASK
  Redirection (L2 on 6509-1 and GRE on the 6509-2) methods are shown differently on the 6500 switches.
  However the configurations on the WAE side is same:
  HOAE1674#sh run
  <outputs omitted>
  primary-interface Standby 1
  interface Standby 1
  ip address 172.27.249.65 255.255.255.240
  exit
  interface GigabitEthernet 1/0
  standby 1 priority 250
  exit
  interface GigabitEthernet 2/0
  standby 1
  exit
  ip default-gateway 172.27.249.78
  <outputs omitted>
  wccp router-list 1 224.10.10.10
  wccp tcp-promiscuous router-list-num 1
  wccp version 2
  And the 6500 configurations:
  6509-2#sh run int vlan 311
  interface Vlan311
  description WAAS-Normal
  ip address 172.27.249.77 255.255.255.240
  ip wccp 61 group-listen
  ip wccp 62 group-listen
  ip pim dense-mode
  standby 211 ip 172.27.249.78
  6509-2#sh run | i redire
  ip wccp 61 group-address 224.10.10.10 redirect-list 101
  ip wccp 62 group-address 224.10.10.10 redirect-list 102
  I know that L2-redirection and masking advised on the 6500s, however when I configure, 6500 sh ip wccp output shows that GRE masking is used.
  The WAE devices are connected directly to the 6509-2, I suspected a multicast issue, to test I shutdown the 6509-2 vlan interface but no help
  The version on the 6500s are same (12.2SXF8), as I know that 12.2SXF14 is suggested. However a software upgrade requires a lot of change management procedures. I want to be sure that I did not make a configuration mistake.

  Thanks Dan, Matthew
  After I remove l2-return, wccp seems to be ok:
  HOAE1674#sh run | i wccp
  wccp router-list 1 224.10.10.10
  wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign
  wccp version 2
  6509-1#sh ip wccp 61
  Global WCCP information:
  Router information:
  Router Identifier: 192.168.2.253
  Protocol Version: 2.0
  Service Identifier: 61
  Number of Cache Engines: 2
  Number of routers: 2
  Total Packets Redirected: 0
  Redirect access-list: 101
  Total Packets Denied Redirect: 13843
  Total Packets Unassigned: 0
  Group access-list: -none-
  Total Messages Denied to Group: 0
  Total Authentication failures: 0
  6509-1#sh ip wccp 61 de
  WCCP Cache-Engine information:
  Web Cache ID: 172.27.249.66
  Protocol Version: 2.0
  State: Usable
  Redirection: L2
  Packet Return: GRE
  Packets Redirected: 0
  Connect Time: 01:32:23
  Assignment: MASK
  Mask SrcAddr DstAddr SrcPort DstPort
  0000: 0x00001741 0x00000000 0x0000 0x0000
  Value SrcAddr DstAddr SrcPort DstPort CE-IP
  0032: 0x00001000 0x00000000 0x0000 0x0000 0xAC1BF942 (172.27.249.66)
  0033: 0x00001001 0x00000000 0x0000 0x0000 0xAC1BF942 (172.27.249.66)
  0034: 0x00001040 0x00000000 0x0000 0x0000 0xAC1BF942 (172.27.249.66)
  0035: 0x00001041 0x00000000 0x0000 0x0000 0xAC1BF942 (172.27.249.66)
  0036: 0x00001100 0x00000000 0x0000 0x0000 0xAC1BF942 (172.27.249.66)
  0037: 0x00001101 0x00000000 0x0000 0x0000 0xAC1BF942 (172.27.249.66)
  0038: 0x00001140 0x00000000 0x0000 0x0000 0xAC1BF942 (172.27.249.66)
  Now I am trying to redirect packets over the these appliances.
  However TCP connections could not be established between redireced subnets. I can sniff that packet is forwarded to the WAAS but it did not send a respond. I saw that bad bucket error are incrementing when I try new connections.
  HOAE1674#sh wccp gre | i buckets
  Packets dropped due to bad buckets: 516
  regards,
  Bulent

• WAAS: WCCP Mask or Hash on Routers?

  I'm starting thinking about using mask assign on an ISR router running 12:4(24)T with GRE/GRE. Has anyone done this before and can you use mask assign with GRE/GRE? We need to use it with GRE/GRE because our egress method has to be WCCP return. My thought was mask assign will be much better at load balancing across multiple WAEs in a cluster than hash because you can specify a long mask assignment. Right now, see more load on WAE than the other and are sometimes getting TFO overload.

  The page you linked contains recommendations (in bold) for each platform. On the ISR G2 specifically, you should be able to use any combination of GRE/L2 and MASK/HASH assignment. Some other platforms require specific disribution and redirection methods to maintain the hardware acceleration of WCCP traffic. However, the ISR G2 does not have this requirement.
  WCCP GRE and HASH distribution on ISR G2 is typically recommended to make deployment easier. With GRE, content devices can be an L3 hop away (if needed), and it reduces the chance of customers accidentally creating a WCCP redirect loop.
  L2 distribution and HASH redirection method should typically require the least CPU and memory load on the ISR. These should perform the best in most cases.
  The MASK distribution method gives better controls on how load is divided between multiple content devices, typically at the cost of more CPU and memory utilization. If you have only one or two content devices in your cluster, typically HASH will meet the need for slightly less CPU. As Zach said, most times MASK is used on the Datacenter side to give the ability to 'tweak' how the load is distributed across multiple devices.
  Thanks,
  Aaron

• 3945 Router Issue between WAAS Module and IOS Firewall

  I have a new 3945 router with a SM-SRE-900 module for WAAS. The 3945 also has IP inspection configured. When IP inspection and WCCP redirection running at the same time, user connections to data center were all lost. If just IP inspection or WCC Rredirection but not both, user connections were good.
  I'm feeling the problem is IP inspection not WAAS aware. I tried "ip inpsect waas enable", but the command was not available. The 3945 router, SM-SRE module, and the IOS code, are all newest versions. So I was wondering if anyone has seen the similar issues and had experience of enabling WAAS through IP inspection on those new products.
  Here is the configuration info:
  3945 G2 ISR: IOS 15.1(1)T1;
  SM-SRE-900: WAAS 4.2.3 build7;
  3945 LAN interface: ip inspection in and ip wccp 61 redirect in
  3945 WAN interface: ip wccp 62 redirect in
  3945 SM 1/0 interface: internal connection to SM-SRE module
  Between 3945 and SM-SRE module: WCCP GRE redirection and IP Forwarding return.
  If you are aware of any 15.1(1)T1 bugs that may be related, please let me know too.
  Thanks for any help.

  Hi,
     This is in general for IOS / ISR. On CCO we have a very good document for ZBFW and WAAS intigration, see below
  http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew_ps10592_TSD_Products_Configuration_Guide_Chapter.html#wp1118498
  If you still need to run CBAC, then recommended solution in my first post should work for you.
  If the router is in the middle of TCP optamization path, then depending upon optamization product you need to configure the firewall feature like anyother firewall. for Cisco WAAS we have "ip inspect WAAS enable".
  Hope this has answer your question. Thanks.
  Ahsan Khan

• Enabling WCCP and traffic flowing, increased CPU 10% with one site only.

  Hello,
  We are deploying a WAAS solution for a customer Datacenter and we are doing a pilot on WCCP redirection towards few 7341 WAAS boxes on the DC.
  The redirecting platform is a couple of 7200's running 12.4(13) version - we are using WCCP GRE negotiated return and ingress with hash assignment.
  for the moment we enabled one remote site  with an inline WAE and are optimizing traffic across that connection. All remote sites except this one are being filtered out by the WCCP redirect-list.
  At this moment we are a bit concerned due to two things:
  - when traffic started being redirected on the 7200, (about 1,5 Mbps in/out for the pilot site= allowed traffic on redirected list), we saw a 10% CPU increase on the 7200. Having in mind that the redirecting list is denying a lot of traffic, I'm considering it to also add CPU% overhead to the processor usage.
  The first question is - Does anybody have any experience on how can we expect the CPU to grow, while adding more sites? We can grow up to (theoretically) 1Gbps of traffic coming from remote sites.
  The second question is - we have 4 x 7341 on the DC, but we are seeing quite uneven load distribution on them. We are using service 61 in on the LAN interface and service 62 in on WAN interface. From what I can gather the hashing across boxes is then made based on the LAN side IP address (that is the servers).
  Would it be recommended to swap both services between interfaces (61 on WAN and 62 on LAN) so that the hashing is based on the WAN side IP address? what would be the downside of this?
  I saw that from version 12.4(20)T on, software based platforms support L2 redirect and mask assignment. Would that be a recommended upgrade to make in order to easen up the CPU load on the 7200? Does anybody have any experience on WCCP with this particular config on 7200?
  Thanks for any input!
  Gustavo Novais

  An alternative to using the "Lookup" functionality in Network Utility is to run "nslookup" from the command prompt (or the shell prompt) using Terminal. Both the Network Utility and Terminal are found in the Utilities folder under Application.
  While in Terminal, enter this:
  nslookup statcounter.com
  It should return something like this:
  Note: nslookup is deprecated and may be removed from future releases.
  Consider using the `dig' or `host' programs instead. Run nslookup with
  the `-sil[ent]' option to prevent this message from appearing.
  Server: 68.87.69.146
  Address: 68.87.69.146#53
  Non-authoritative answer:
  Name: statcounter.com
  Address: 66.98.186.36
  Name: statcounter.com
  Address: 66.98.134.100
  The first portion of the output indicates the IP address of your DNS. The second portion indicates the IP address of statcounter.com.
  You can also run "dig statcounter" while in Terminal. This provides the same output as the "Lookup" functionality in Network Utility.
  If you are not getting the IP address of statcounter.com from running the nslookup command, the most likely reason is your DNS (or your ISP's DNS) does not contain information about statcounter.com.
  Hope this helps.

• WCCP and 7600 - not redirecting traffic

  I have a Blue Coat SG 210 connected to a 7600(SUP720).  All web traffic is passing thru the 7600, WCCP config between the SG and 7600 are working.  However traffic isn;t being redirected to Blue Coat..any idea why? 
  ip wccp 0 redirect-list BLUE-COAT group-list 90
  Extended IP access list BLUE-COAT
      1 permit tcp host 10.160.161.125 any eq www
      2 permit tcp host 10.160.161.125 any eq 443
      10 permit tcp host 10.160.161.199 any eq www
      20 permit tcp host 10.160.161.199 any eq 443
  Standard IP access list 90
      8 permit 10.148.131.42 (2217 matches)
  interface GigabitEthernet5/1
  ip address 10.148.130.13 255.255.255.252
  ip wccp 0 redirect in (I have tried both in/out)
  ip pim sparse-dense-mode
  ip route-cache flow
  ip ospf network point-to-point
  sh ip wccp
  Global WCCP information:
      Router information:
      Router Identifier:                   10.148.135.253
      Protocol Version:                    2.0
      Service Identifier: 0
      Number of Cache Engines:             1
      Number of routers:                   1
      Total Packets Redirected:            0
      Redirect access-list:                BLUE-COAT
      Total Packets Denied Redirect:       0
      Total Packets Unassigned:            0
      Group access-list:                   90
      Total Messages Denied to Group:      0
      Total Authentication failures:       0
  sh ip wccp 0 detail
  WCCP Cache-Engine information:
      Web Cache ID:          10.148.131.42
      Protocol Version:      2.0
      State:                 Usable
      Redirection:           GRE
      Packet Return:         GRE
      Packets Redirected:    0
      Connect Time:          05:52:10
      Assignment:            MASK
      Mask  SrcAddr    DstAddr    SrcPort DstPort
      0000: 0x0000003F 0x00000000 0x0000  0x0000
      Value SrcAddr    DstAddr    SrcPort DstPort CE-IP
      0000: 0x00000000 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0001: 0x00000001 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0002: 0x00000002 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0003: 0x00000003 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0004: 0x00000004 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0005: 0x00000005 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0006: 0x00000006 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0007: 0x00000007 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0008: 0x00000008 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0009: 0x00000009 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0010: 0x0000000A 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0011: 0x0000000B 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0012: 0x0000000C 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0013: 0x0000000D 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0014: 0x0000000E 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0015: 0x0000000F 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0016: 0x00000010 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0017: 0x00000011 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0018: 0x00000012 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0019: 0x00000013 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0020: 0x00000014 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0021: 0x00000015 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0022: 0x00000016 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0023: 0x00000017 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0024: 0x00000018 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0025: 0x00000019 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0026: 0x0000001A 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0027: 0x0000001B 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0028: 0x0000001C 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0029: 0x0000001D 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0030: 0x0000001E 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
          0031: 0x0000001F 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0032: 0x00000020 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0033: 0x00000021 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0034: 0x00000022 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0035: 0x00000023 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0036: 0x00000024 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0037: 0x00000025 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0038: 0x00000026 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0039: 0x00000027 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0040: 0x00000028 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0041: 0x00000029 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0042: 0x0000002A 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0043: 0x0000002B 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0044: 0x0000002C 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0045: 0x0000002D 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0046: 0x0000002E 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0047: 0x0000002F 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0048: 0x00000030 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0049: 0x00000031 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0050: 0x00000032 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0051: 0x00000033 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0052: 0x00000034 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0053: 0x00000035 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0054: 0x00000036 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0055: 0x00000037 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0056: 0x00000038 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0057: 0x00000039 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0058: 0x0000003A 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0059: 0x0000003B 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0060: 0x0000003C 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0061: 0x0000003D 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0062: 0x0000003E 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)
      0063: 0x0000003F 0x00000000 0x0000  0x0000  0x0A94832A (10.148.131.42)

  Ilir,
  How is this second group of users connected to the ASA?  Their outbound traffic has to be going out the "inside" interface also. If they are on another port on the ASA, WCCP won't catch their traffic. i.e. You can't use the DMZ interface on an ASA and point its web traffic at a WSA that lives inside.
  Ken

• WCCP - All Packets are "UNASSIGNED" - HELP!!!

  I just brought up a couple WAAS appliances up connected to my 6509 and it appears none of the traffic is getting redirected to my 2 WAAS devices. When I do a "sh ip wccp",all packets are unassigned. I am running 4.1.1b on the WAAS.
  phx-core-sw-a#sh ip wccp
  Global WCCP information:
  Router information:
  Router Identifier: 10.20.255.252
  Protocol Version: 2.0
  Service Identifier: 61
  Number of Service Group Clients: 2
  Number of Service Group Routers: 2
  Total Packets s/w Redirected: 0
  Process: 0
  CEF: 0
  Redirect access-list: -none-
  Total Packets Denied Redirect: 0
  Total Packets Unassigned: 427007868
  Group access-list: -none-
  Total Messages Denied to Group: 0
  Total Authentication failures: 0
  Total Bypassed Packets Received: 0
  Service Identifier: 62
  Number of Service Group Clients: 2
  Number of Service Group Routers: 2
  Total Packets s/w Redirected: 0
  Process: 0
  CEF: 0
  Redirect access-list: -none-
  Total Packets Denied Redirect: 0
  Total Packets Unassigned: 12021424
  Group access-list: -none-
  Total Messages Denied to Group: 0
  Total Authentication failures: 0
  Total Bypassed Packets Received: 0
  Config Snippets from 6509's - same on both
  ip wccp 61
  ip wccp 62
  interface GigabitEthernet9/48
  description Interface to WAN Router
  ip address 10.20.255.2 255.255.255.252
  ip wccp 62 redirect in
  interface Vlan112
  description File Servers 10.0.12.0/24
  ip address 10.0.12.2 255.255.255.0
  ip wccp 61 redirect in
  ************WAAS Config*********
  device mode application-accelerator
  hostname phx-waas-app-01
  clock timezone MST -7 0
  primary-interface PortChannel 1
  interface PortChannel 1
  description Port Channel to phx-core-sw-a
  ip address 10.20.253.250 255.255.255.0
  exit
  interface GigabitEthernet 1/0
  channel-group 1
  exit
  interface GigabitEthernet 2/0
  channel-group 1
  exit
  ip default-gateway 10.20.253.254
  no auto-register enable
  ! ip path-mtu-discovery is disabled in WAAS by default
  ntp server 10.10.254.252
  wccp router-list 1 10.20.255.252 10.20.255.253
  wccp tcp-promiscuous router-list-num 1 l2-redirect
  wccp version 2

  Any improvment with the Mask-assign method? If it's still not working, I would do the following.
  1. do "no wccp ver 2" on your WAEs. Let things set for a few minutes and then bring it back up. This will take down your acceleration, so be careful but will allow you to re-establish wccp if it's still attempting to use hash assign (default).
  2. If it's not working yet, then clear the counters and let some traffic flow so we can see fresh info, and do the following on your routers.
  sh ip wccp 61 detail
  sh ip wccp 62 detail
  and do the following on your WAEs
  sh wccp gre
  sh wccp router
  And post it and we'll see what you get.
  Thanks,
  Dan