WCCP with WSA

Dears,
I have 2 WSAs and I am planning to have redundancy. If one of the WSAs fails, will the 6509 still forward traffic to the failed WSA?
I want to know what a layer 4 switch actually does.
Below is the configuration:
! WSA-1
access-list 10 permit host 10.1.1.1
! WSA-2
access-list 10 permit host 10.1.1.2
ip access-list extended protocols
 permit tcp any any eq 443
 permit tcp any any eq 20
 permit tcp any any eq 21
 permit tcp any any eq 80
ip wccp version 2
ip wccp 120 redirect-list protocol
ip wccp web-cache group-list 10
interface gigabitethernet2/1
 description wsa-1
 ip wccp 120 redirect in
interface gigabitethernet2/2
 description wsa-2
 ip wccp 120 redirect in
Thanks

Don't worry about "layer 4", it doesn't affect you...
I think you have the config wrong.
I have some questions first...
Is the firewall plugged into the 6509? If so, which port(s)?
Which firewall do you have?  Is it redundant?

Similar Messages

  • WCCP with 3560

    I have configured a 3560 (122-44 IP Services) switch to communicate WCCP with a WAE-612 v4.1. However, the devices don't form a WCCP server-client relation with each other.
    When I enable "debug wccp all" on the WAE, it complains with:
    "2008 Sep 17 13:54:49 CCI-WC-NC-01 wccp: %WAAS-DDBG-7-899998: ISU assignment capability 2
    2008 Sep 17 13:54:49 CCI-WC-NC-01 wccp: %WAAS-DDBG-7-899998: wccp2.c:3169:
    2008 Sep 17 13:54:49 CCI-WC-NC-01 wccp: %WAAS-DDBG-7-899998: Router cannot support configured capability for assignment method."
    WAE-612 is directly connected to the switch through a vlan. I tried GRE and L2 forwarding methods.

    The WAE config and WCCP output:
    CCI-WC-NC-01#sh run | i wccp
    wccp router-list 8 192.168.192.33
    wccp tcp-promiscuous router-list-num 8 l2-redirect assign-method-strict l2-return
    wccp version 2
    CCI-WC-NC-01#sh wccp router
    Router Information for Service: TCP Promiscuous 61
    Routers Configured and Seeing this Wide Area Engine(0)
    -NONE-
    Routers not Seeing this Wide Area Engine
    192.168.192.33
    Routers Notified of but not Configured
    -NONE-
    Multicast Addresses Configured
    -NONE-
    Router Information for Service: TCP Promiscuous 62
    Routers Configured and Seeing this Wide Area Engine(0)
    -NONE-
    Routers not Seeing this Wide Area Engine
    192.168.192.33
    Routers Notified of but not Configured
    -NONE-
    Multicast Addresses Configured
    -NONE-
    3560 config and wccp outputs:
    CCI-SW-NC-BB-01#sh run | i ip wccp
    ip wccp 61 redirect-list 101
    ip wccp 62 redirect-list 102
    CCI-SW-NC-BB-01#sh ip wccp
    Global WCCP information:
    Router information:
    Router Identifier: 192.168.192.254
    Protocol Version: 2.0
    Service Identifier: 61
    Number of Service Group Clients: 0
    Number of Service Group Routers: 0
    Total Packets s/w Redirected: 0
    Process: 0
    CEF: 0
    Redirect access-list: 101
    Total Packets Denied Redirect: 0
    Total Packets Unassigned: 0
    Group access-list: -none-
    Total Messages Denied to Group: 0
    Total Authentication failures: 0
    Total Bypassed Packets Received: 0
    Service Identifier: 62
    Number of Service Group Clients: 0
    Number of Service Group Routers: 0
    Total Packets s/w Redirected: 0
    Process: 0
    CEF: 0
    Redirect access-list: 102
    Total Packets Denied Redirect: 0
    Total Packets Unassigned: 0
    Group access-list: -none-
    Total Messages Denied to Group: 0
    Total Authentication failures: 0
    Total Bypassed Packets Received: 0
    Thanks

  • WCCP with CWAAS WAE

    Dear Community,
    When using WCCP Layer 2 forwarding on C6500, C3750 or ASR 1000 series routers to redirect intercepted traffic to the WAAS WAE, the Cisco best practice recommends using MASK ASSIGNMENT for load balancing on such switches and ASR routers.
    With WAAS version 4.2.1 and up, the default MASK ASSIGNMENT is "wccp tcp-promiscuous mask src-ip-mask 0xF00 dst-ip-mask 0x0".
    With a typical data center WCCP interception configuration (ingress interception with service 61 on the WAN, ingress interception with service 62 on the LAN), this mask load balances /24 branch subnets (it extracts the last 4 bits of /24 subnets). Connections from one branch subnet will be pinned to one data center WAE.
    Question:
    What should the "src-ip-mask" hex value look like if I would like to balance per host address instead of a Class C subnet?
    Per-host /32 load balancing is required on large client sites where each client IP address has to be balanced over the WAEs.
    I am working on a project and I can't find the "src-ip-mask" hex value information for per-host /32 load balancing on a site where only clients are located.
    Thanks for your comments and replies

    Unfortunately, I did not build the spreadsheet so I wouldn't know if it's possible to convert to 2003.  I did see on that page that Excel 2007 is mentioned as a requirement for it to work properly.
    However, if you want a mask that will match on the 4th octet of your IP scheme, use 0x000F (which simplifies to 0xF).  This will create 16 buckets just like the default mask in 4.2.1 (0xF00) but instead will match on the last 4 bits of the 4th octet of your IP, where the default mask matches on the last 4 bits of the 3rd octet.
    Hope this helps,
    Mike
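
Added example (not part of the original posts): how a WCCP source-IP mask turns an address into a bucket, comparing the default 0xF00 with the 0xF suggested above. The host addresses, the WAE names and the round-robin bucket-to-WAE mapping are assumptions made for illustration; on a real deployment the bucket assignment is negotiated by the WAEs.

```python
import ipaddress
from collections import Counter


def mask_bits(mask):
    """Bit positions (0 = least significant) that are set in the mask."""
    return [i for i in range(32) if (mask >> i) & 1]


def bucket_count(mask):
    """Every masked bit doubles the number of buckets."""
    return 2 ** len(mask_bits(mask))


def bucket(ip, mask):
    """Pack the masked bits of the source address into a bucket index."""
    addr = int(ipaddress.IPv4Address(ip))
    index = 0
    for pos, bit in enumerate(mask_bits(mask)):
        index |= ((addr >> bit) & 1) << pos
    return index


def spread(ips, mask, waes):
    """Count hosts per WAE, dealing buckets to WAEs round-robin (assumption)."""
    return Counter(waes[bucket(ip, mask) % len(waes)] for ip in ips)


# Constructed sample data: 32 clients in one /24 and two WAEs.
WAES = ["WAE-1", "WAE-2"]
HOSTS = [f"10.20.5.{h}" for h in range(1, 33)]

if __name__ == "__main__":
    for mask in (0xF00, 0xF):
        print(f"src-ip-mask {mask:#x}: {bucket_count(mask)} buckets,",
              dict(spread(HOSTS, mask, WAES)))
```

With 0xF00 every host in the /24 lands in the same bucket and therefore on one WAE; with 0xF the same hosts are split across both.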

  • Load Balancing Internet Sources with WSA

    Hello everyone,
    Is it possible to have multiple internet sources with the WSA? With Microsoft Forefront TMG, you can have multiple internet sources and set, for example, 33% load on the first link and 66% on the second link.
    We currently have the S160.
    Thanks.

    If you mean "use the WSA to load balance traffic between 2 or more internet providers", no... the WSA won't do that.

  • WCCP with Catalyst6500 version 12.2(33)SXH1

    Recently I deployed WAAS 4.1.1c with Catalyst6500. We have several different L3 vlan interfaces configured as wccp 61/62 redirect in. The L3 vlan interface connected to the direct servers is normal. However, I found that the L3 vlan interface connected to the internal FWSM outside interface doesn't work well.
    I don't know if it's a Catalyst6500 IOS or WAAS issue.
    Thanks,
    Daniel

    Hi Daniel,
    Can you please describe what isn't working with the FWSM outside interface? If possible, it would also help to get a copy of the 6500 and WAAS configurations.
    Thanks,
    Zach

  • Use of CE/WCCP with Microsoft ISA server acting as an authentication proxy.

    We have a design where all web users are authenticated against Active Directory by Microsoft's ISA server proxy service prior to accessing web resources.
    Is it possible to implement a CE behind the ISA server, and still have the proxy authenticate users' credentials?
    My concern is that WCCP will redirect traffic to the content engine first. If the content is not available, will the content engine then forward to the proxy for authentication prior to the request going out to the web?
    Cheers,

    Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen
    If anyone else in the forum has some advice, please reply to this thread.
    Thank you for posting.

  • WCCP with Catalyst6500 version 12.2(33)SXI

    Hi,
    I deployed 2x6500 and 3xWAE in a branch. The problem is that when I turn WCCP on, all traffic is cut off for the interface with service 61. I have an ACL for the traffic which has to be redirected, but there are no matches in this ACL.
    Each WAE is connected to both 6500s (FE, full-duplex). I also have another branch with the same configuration that is working (but the WAE is connected by GE; this is the only difference).
    WAAS 4.1.1c
    Any idea?

    Darek,
    A couple of comments on your configs. I would not use the following configs with a hardware based redirection on a CAT-6K.
    int tunnel x
    ip wccp 62 redirect in
    - As far as I know, this should not work for redirection on a hardware based platform, however, it WILL work on a software based IOS platform.
    egress-method negotiated-return intercept-method wccp (on the WAE)
    - This should cause all your egress traffic to be processed by the CPU, as it cannot do WCCP-GRE on the SUP. Use Generic GRE egress instead for CAT6Ks. http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v411/configuration/guide/traffic.html#wp1106308
    Both of those configs will give you trouble on a hardware based platform. I might recommend that you move away from the tunnel interface if at all possible. As a side note, on the newer ASR-1000 platform, we can do interception on tunnels as well as negotiated return in hardware.
    Hope that helps,
    Dan

  • WAE-674 WCCP with 3725 router

    Hello all,
    This is a new install. I am trying to bring up a WAE-674 box at one of my remote sites with 2 routers (a 3725 and a 2621), and I am using WCCP for traffic redirection. I am having an issue with WCCP on the 3725 router: for some reason, when I enable the command "IP wccp 62 redirect in" under the WAN serial interface, I suddenly can no longer telnet to the fastethernet interface on the router, but I can still ping it and am still able to telnet to the loopback interface. I have no issue with WCCP on the other 2621 router with the same config setup.
    Has anyone run into this issue before? I appreciate any feedback on this!
    I am running IOS version 12.3(14)T7 on the 3725 router and WAAS software version 4.1.1c
    Thanks in advance !!
    Danny

    You will want to explore CSCsg30875 to see how it applies to your installation
    CSCsg30875 wccp blocking telnet to router
    Since 12.3T is EOL, it probably was not tested and may or may not exist in that Cisco IOS track.
    End-of-Sale and End-of-Life Announcement for Cisco IOS Software Release 12.3T
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6947/ps5207/prod_bulletin0900aecd803a0ffe.html
    Thank You,
    Dan Laden

  • Cisco 4507R WCCP with blue coat SG 8000 as proxy server integration

    Dear All,
    I installed the Blue Coat on one of the VLANs, with users in different VLANs. The core 4507R is used with L3 VLANs as gateway for the respective VLAN users. Now I need to configure both the core switch and the Blue Coat as proxy server so that all the users in different VLANs access internet websites without configuring the Blue Coat proxy address; instead the core switch would redirect the users' requests to the Blue Coat proxy server. I tried upgrading the switch to the latest IOS, but even then I could not get the WCCP-related commands that the Blue Coat documents suggest using on the core switch to configure the SG8000 as proxy server.
    Could anyone help me to solve this issue?
    Thanks
    Swamy

    Following link may help you
    http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a008062cfc6.html

  • Problem with WSA demo license

    When I do this:
    https://tools.cisco.com/SWIFT/LicensingUI/Quickstart#. -> Get Other License-> Demo and Evaluation->
    Security Products-> Cisco Virtual Appliance Demo License->Cisco Web Security Appliance (WSA) Virtual Appliance 45 Days Demo License
    I see the message attached in the picture.
    How can I get a 45-day demo license for WSA?
    Thanks

    Your Cisco account doesn't have permission to get a demo license.
    You need to ask your local Cisco Sales representative.

  • WAAS using WCCP with gre tunnel going via vpn

    Hello All
    I am trying to get WAAS using WCCP to work according to the attached diagram. I would like to know if there is a redirection config that I need to apply to the ASAs?
    Many thanks
    Donagh

    Hello
    Thanks for your reply.
    I posted this twice in error.
    Original is here
    http://preview.tinyurl.com/ygpuehy
    You might have a look and see if you agree. I have not deployed yet.
    Thanks
    Donagh

  • RTSP support with WSA AsyncOS 7.7.0-753

    Hello,
         I am trying to access a video over the Internet through the WSA.  I setup a capture and can see the stream uses RTSP on TCP port 554.   Does WSA AsyncOS 7.7.0-753 support RTSP without tunneling RTSP in HTTP?  I need RTSP on TCP port 554 to work through the WSA or other options.  I have searched all the product support documentation and haven't found an answer.   The only answer I can find is in this document as a NOTE it says "RTSP is not supported by our appliance at the current time".
    http://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/117935-technote-csc-00.html
    Thank you

    No. The WSA doesn't support RTSP....

  • WCCP with Layer2

    Hi,
    I want to configure WCCP with Layer 2 redirection on a Cisco 3800 router, but only GRE mode is working; Layer 2 redirect is not coming up.
    Cisco Router Details: Cisco IOS Software, 3800 Software (C3845-SPSERVICESK9-M), Version 12.4(15)T7, RELEASE
    Proposed diagram is attached.
    WCCP will be configured on the LAN interface of the router.
    Observation: if the caching engine is connected on the LAN side of the router (L3 switch), Layer 2 redirection works fine. But if the caching engine is connected on an additional interface of the router, Layer 2 mode does not work.

    Hi Karthik,
    Please find the commands on the router below; the WCCP configuration screen of the caching engines is attached.
    Router Configuration
    Router(config)# access-list 101 permit ip 172.60.10.0 0.0.0.255 172.80.10.0 0.0.0.255
    Router(config)# ip wccp 53 redirect-list 101
    Router(config)# ip wccp 54 redirect-list 101
    ! LAN interface of router
    Router(config)# interface FastEthernet0/0
    Router(config-if)# ip wccp 53 redirect in
    Router(config-if)# ip wccp 54 redirect in
    Router(config-if)# end

  • Blocking a user with WSA

    Hi Everybody,
    I want to block a specific user from accessing every internet page.
    How can I do that?
    Regards.

  • WSA redundancy and WCCP questions

    Hello! My customer bought a pair of S370 WSAs prior to deployment planning. I need to deploy both of them into the existing network and I'd like to ask a few questions of somebody who knows how to do it.
    1. As I know from the manuals, the WSA doesn't support any clustering, but I'd like to use both of my S370s for redundancy. I'm planning to use WCCP only; no explicit proxy mode will be used. What methods can I use to deploy a redundant WCCP cache on a pair of WSAs? If it is possible, I'd prefer to use something like Active\Passive rather than a load balancing scheme. Does it have a Centralized management feature like the ESA to share configs between devices?
    2. I have a fusion router which "mixes" traffic from different VRFs. Is it possible to configure the router in such a way that every VRF (each of which corresponds to an interface and different subnets) will be seen with its own IP address on the internet, or will all of them be using just the WSA's address like in explicit proxy mode?
    3. When I tried to test my WSA in explicit proxy mode prior to configuring WCCP, I found out that I can use it as a proxy without any authentication, just by setting its address and port in my browser. How can I disable explicit proxy mode or set any authentication (no LDAP or NTLM) to prevent unauthorized access to my proxy?
    I'm a newbie with IronPorts so I will appreciate any help, including links to manuals.

    The WCCP protocol allows for automatic detection of all connected devices, both proxies and routers/firewalls/switches. When configuring WCCP with multiple WSAs, they're all in the WCCP cluster, with the router doing the load balancing between the detected proxies. From what I've seen, you can't configure an active/passive scenario.
    As you mentioned, WSAs don't support the clustering seen in ESAs. You could use an M-series box to provide central management and reporting for multiple WSAs in your environment.
    Regarding VRFs: WSAs support IP spoofing, which allows you to send out requests with the client's instead of the WSA's external address. You could perform PAT of multiple addresses on the edge router/firewall to send the requests out with a different IP address for each VRF, for example.
    I don't think you can fully disable the explicit proxy on the WSA. You can set up a firewall rule to prevent direct client access to the proxy ports.
    Sent from Cisco Technical Support iPad App
