WCCP on ASA

Unanswered Question
Feb 14th, 2007

Hello,

I am trying to get WCCP working on the ASA for WAAS implementation. Here is a simple snapshot of my config:

Eth 0/0 : Outside (to internet)

Eth 0/1 : Vlan1 (20.20.0.0/16) (trunk port to remote office LAN)

Eth 0/1.211 : Vlan211 (20.21.10.0/24)

Eth 0/1.212 : Vlan212 (20.21.20.0/24)

Eth 0/1.220 : Vlan220 (20.22.0.0/16)

Eth 0/2 : WAAS (20.21.30.0/24)

I have the site to site tunnel working. I can ping the WAAS device from the other end of the tunnel but I cannot ping it from the 20.20.0.0/16 network. I have enabled traffic between interfaces on same security level as WAAS and LAN have same security.

I get this error message:

3 Feb 12 2007 17:54:05 305006 20.20.10.101 portmap translation creation failed for icmp src WAAS:20.21.30.230 dst LAN:20.20.10.101 (type 8, code 0)

How can I fix this?

My second question is regarding WCCP on ASA. Here is the WCCP part of the config I have:

! WCCP services 61 and 62, each bound to its own redirect list
wccp 61 redirect-list WCCP_To_LAN
wccp 62 redirect-list WCCP_To_WAN
! the ASA redirects on ingress only: 62 on the outside interface, 61 on the LAN interface
wccp interface outside 62 redirect in
wccp interface LAN 61 redirect in
! 255.252.0.0 is a netmask (ASA form), covering 20.20.0.0 through 20.23.255.255
access-list WCCP_To_LAN extended permit ip any 20.20.0.0 255.252.0.0
access-list WCCP_To_WAN extended permit ip 20.20.0.0 255.252.0.0 any

I am not seeing any packets being redirected to the WAE. I once changed the access lists to 'any any' and I saw some packets but I couldn't ping or telnet to the remote site. Could it be a loop? Is there any way to exclude traffic to avoid loop?

Thanks

Ankit

mark.duffy Thu, 02/15/2007 - 00:16

Hi

I did a WAAS deployment last year; the edge routers however were 6500s, but the theory should be the same. After many discussions with Cisco SEs I was advised to use redirect lists with WCCP to only match the traffic from selected host subnets going to specific servers. This way you could be sure you were only matching the traffic you wanted; in our case we were trying to prove CIFS optimisation. Because you're matching from a host subnet to a server and vice versa it was easier.

ip wccp 61 redirect-list Permit_WCCP_interception
ip wccp 62 redirect-list Permit_WCCP_interception
!
! WAN side: intercept both directions on the MPLS link
interface GigabitEthernet1/10
 description MPLS Link
 ip address 10.1.1.254 255.255.255.252
 ip wccp 61 redirect in
 ip wccp 62 redirect out
 speed 100
 duplex full
 mls qos trust dscp
!
! WAE side: packets arriving from the WAE are never redirected again
interface Vlan100
 description WAE_vlan
 ! address as posted; .255 is the broadcast address of this /24, which IOS rejects
 ip address 192.168.1.255 255.255.255.0
 ip wccp redirect exclude in
!
! only the chosen host subnet <-> server flows; IOS wildcard masks (0.0.0.255 = /24)
ip access-list extended Permit_WCCP_interception
 permit tcp 192.168.100.0 0.0.0.255 host 192.168.10.27
 permit tcp host 192.168.10.27 192.168.100.0 0.0.0.255
 deny ip any any

Here you can see we had a redirect in and redirect out on the link into the MPLS cloud, and a redirect exclude in on the VLAN with the WAE in it at the remote site. This was essentially replicated at both ends, with the topology being a pair of 6500s at the core and a single 6500 at the edge. The server VLANs in the core have no redirects as it's all picked up inbound and outbound on the WAN link, likewise at the remote end.

This probably goes against everything in the documentation, but after lots of pain it worked! With this configuration though you have to identify all traffic flows and for all protocols you want to configure.

Hope it's of some help,

Mark
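A small simulation of the redirect points in Mark's configuration, added here as an example and not taken from the thread or from Cisco: it models IOS 'redirect in', 'redirect out' and 'redirect exclude in', runs the posted Permit_WCCP_interception list over a few flows, and shows what would happen to the traffic the WAE hands back if the WAE VLAN had no 'exclude in'. The client VLAN name (Vlan200), the client and unlisted-server addresses, and the simplified "ingress redirect checked before egress redirect" rule are assumptions; the model does not implement WCCP itself (no GRE, no hash assignment).

```python
import ipaddress
from dataclasses import dataclass, field

# Added model of IOS WCCP redirect points (not Cisco code; no GRE or hash
# assignment). Masks are IOS wildcards: 0 bit = must match, 1 bit = don't care.

def ip_int(s):
    return int(ipaddress.IPv4Address(s))

class AclEntry:
    """One line of an extended ACL: <action> <src> <src wildcard> <dst> <dst wildcard>."""
    def __init__(self, action, src, src_wc, dst, dst_wc):
        self.action = action
        self.src, self.src_mask = ip_int(src), ~ip_int(src_wc) & 0xFFFFFFFF
        self.dst, self.dst_mask = ip_int(dst), ~ip_int(dst_wc) & 0xFFFFFFFF

    def matches(self, src, dst):
        return ((ip_int(src) & self.src_mask) == (self.src & self.src_mask)
                and (ip_int(dst) & self.dst_mask) == (self.dst & self.dst_mask))

def acl_permits(acl, src, dst):
    """First match wins; implicit deny at the end, as in IOS."""
    for e in acl:
        if e.matches(src, dst):
            return e.action == "permit"
    return False

@dataclass
class Interface:
    name: str
    redirect_in: set = field(default_factory=set)   # 'ip wccp N redirect in'
    redirect_out: set = field(default_factory=set)  # 'ip wccp N redirect out'
    exclude_in: bool = False                         # 'ip wccp redirect exclude in'

def intercepting_service(router, lists, ingress, egress, src, dst):
    """Service number that would intercept this packet, or None.

    A packet that entered an 'exclude in' interface is never redirected, neither
    on that ingress nor on egress elsewhere; that is what keeps traffic the WAE
    hands back from being caught again on the WAN link. Ingress redirect is
    evaluated before egress redirect (an assumption of this model).
    """
    if router[ingress].exclude_in:
        return None
    for svc in sorted(router[ingress].redirect_in):
        if acl_permits(lists[svc], src, dst):
            return svc
    for svc in sorted(router[egress].redirect_out):
        if acl_permits(lists[svc], src, dst):
            return svc
    return None

HOST, ANY = "0.0.0.0", "255.255.255.255"   # wildcards behind 'host x' and 'any'

# Mark's redirect list, as posted.
PERMIT_WCCP_INTERCEPTION = [
    AclEntry("permit", "192.168.100.0", "0.0.0.255", "192.168.10.27", HOST),
    AclEntry("permit", "192.168.10.27", HOST, "192.168.100.0", "0.0.0.255"),
    AclEntry("deny", "0.0.0.0", ANY, "0.0.0.0", ANY),
]
LISTS = {61: PERMIT_WCCP_INTERCEPTION, 62: PERMIT_WCCP_INTERCEPTION}

def build_router(wae_exclude_in=True):
    return {
        "Gi1/10": Interface("Gi1/10", redirect_in={61}, redirect_out={62}),  # MPLS link
        "Vlan100": Interface("Vlan100", exclude_in=wae_exclude_in),          # WAE VLAN
        "Vlan200": Interface("Vlan200"),                                     # client VLAN (assumed name)
    }

def demo():
    client, server, other = "192.168.100.10", "192.168.10.27", "192.168.10.99"  # constructed
    r, r_noexcl = build_router(), build_router(wae_exclude_in=False)
    return {
        "client_to_server": intercepting_service(r, LISTS, "Vlan200", "Gi1/10", client, server),  # 62 on WAN egress
        "server_to_client": intercepting_service(r, LISTS, "Gi1/10", "Vlan200", server, client),  # 61 on WAN ingress
        "wae_return": intercepting_service(r, LISTS, "Vlan100", "Gi1/10", client, server),        # None: exclude in
        "wae_return_no_exclude": intercepting_service(r_noexcl, LISTS, "Vlan100", "Gi1/10", client, server),  # 62 again: a loop
        "unlisted_server": intercepting_service(r, LISTS, "Vlan200", "Gi1/10", client, other),    # None: not in the list
    }

if __name__ == "__main__":
    for flow, svc in demo().items():
        print(f"{flow:24s} -> {svc}")
```

The "wae_return_no_exclude" row is the loop Ankit asks about: the WAE forwards the client's packets with their original addresses, so without 'exclude in' the egress redirect on the WAN link would match them a second time.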

ankit_parikh Thu, 02/15/2007 - 03:10

Hello Mark,

Thanks for your response. Your config is correct but ASA doesn't provide many options. For instance there is 'redirect out' and 'exclude in'. So the options are really limited.

WCCP is easy to implement on a router but we are trying to implement it on a ASA as an alternative.

Ankit

ravmishr Tue, 02/20/2007 - 19:42

My apologies, as I am not a routing guy, but does your ACL have the correct mask? It should be 0.0.255.255 in my understanding.

Also, try checking the WCCP stats on the WAE: run 'sh wccp gre' on the WAE and look at the packets redirected by GRE. You can also enable 'debug wccp packets' on the WAE for more troubleshooting.

You could try redirect in and out on the LAN interface only. It generally works.

You can also try adding wccp redirect exclude-in on the WAE interface, though it's not necessary here.

Also check that the WAE's default gateway is Eth 0/2.

If nothing works, you can try PBR for WAAS.

ankit_parikh Tue, 02/20/2007 - 20:33

Hello,

The subnet mask is correct. I am trying to address 20.20.x.x, 20.21.x.x, 20.22.x.x ...

all with 255.252.0.0 mask or the way you specified it 0.3.255.255.

I have tried enabling the debug for WCCP and packets. I couldn't see any traffic getting redirected.

The output 'sh wccp gre' just shows 0 packets for everything, since wccp isn't working.

ASA doesn't provide an option for redirect out and exclude statements. So I have to use redirect in on 2 separate interfaces. PBR is not an option with ASA.
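An added check, not part of the thread, for the two points argued above: it evaluates ASA-style redirect lists (real netmasks, as Ankit posted them) over sample flows, converts 255.252.0.0 to the wildcard form ravmishr asked about, lists the range the /14 covers, and shows that the WAE subnet 20.21.30.0/24 sits inside it, which is why a broad or 'any any' list can pick up the WAE's own traffic. Since the ASA has no 'redirect exclude in', the variant lists put a deny for the WAE subnet ahead of the permit instead; that the WAE's traffic actually arrives on an interface carrying 'redirect in' is an assumption, as is the remote host address 10.0.0.5.

```python
import ipaddress

# Added check (not from the thread): ASA redirect lists use netmasks
# (255.252.0.0), IOS ACLs use wildcards (0.3.255.255); both are handled here.

def ip_int(s):
    return int(ipaddress.IPv4Address(s))

def ip_str(n):
    return str(ipaddress.IPv4Address(n))

def netmask_to_wildcard(mask):
    """255.252.0.0 -> 0.3.255.255 (the IOS wildcard is the bitwise inverse)."""
    return ip_str(~ip_int(mask) & 0xFFFFFFFF)

def covered_range(addr, mask):
    """First and last address matched by 'addr mask' in ASA netmask form."""
    m = ip_int(mask)
    first = ip_int(addr) & m
    return ip_str(first), ip_str(first | (~m & 0xFFFFFFFF))

def subnet_within(addr, mask, outer_addr, outer_mask):
    """True if every address of addr/mask also matches outer_addr/outer_mask."""
    om = ip_int(outer_mask)
    return (ip_int(mask) & om) == om and (ip_int(addr) & om) == (ip_int(outer_addr) & om)

ANY = ("0.0.0.0", "0.0.0.0")   # 'any' as address/netmask

def ace(action, src, dst):
    """One 'access-list ... extended <action> ip <src> <dst>' entry; src/dst are (addr, netmask)."""
    return (action, ip_int(src[0]), ip_int(src[1]), ip_int(dst[0]), ip_int(dst[1]))

def acl_permits(acl, src, dst):
    """First match wins; implicit deny at the end, so unlisted flows are not redirected."""
    s, d = ip_int(src), ip_int(dst)
    for action, sa, sm, da, dm in acl:
        if (s & sm) == (sa & sm) and (d & dm) == (da & dm):
            return action == "permit"
    return False

LAN14 = ("20.20.0.0", "255.252.0.0")      # the /14 in Ankit's lists
WAE24 = ("20.21.30.0", "255.255.255.0")   # the WAE subnet from his interface list

# The two lists exactly as posted.
WCCP_TO_LAN = [ace("permit", ANY, LAN14)]
WCCP_TO_WAN = [ace("permit", LAN14, ANY)]

# Suggested variant: deny the WAE subnet before the permit, as the ASA
# substitute for IOS 'redirect exclude in' (assumption: the WAE's traffic
# enters an interface that has 'wccp ... redirect in').
WAE_DENIES = [ace("deny", ANY, WAE24), ace("deny", WAE24, ANY)]
WCCP_TO_LAN_EXCL = WAE_DENIES + WCCP_TO_LAN
WCCP_TO_WAN_EXCL = WAE_DENIES + WCCP_TO_WAN

def report():
    # Constructed sample addresses: a LAN host from the log line, the WAE
    # address from the log line, and an assumed remote-site host.
    lan_host, remote_host, wae = "20.20.10.101", "10.0.0.5", "20.21.30.230"
    return {
        "wildcard": netmask_to_wildcard("255.252.0.0"),
        "range": covered_range(*LAN14),
        "wae_inside_14": subnet_within(*WAE24, *LAN14),
        "lan_to_remote_wan_list": acl_permits(WCCP_TO_WAN, lan_host, remote_host),
        "remote_to_lan_lan_list": acl_permits(WCCP_TO_LAN, remote_host, lan_host),
        "wae_to_lan_lan_list": acl_permits(WCCP_TO_LAN, wae, lan_host),
        "wae_to_lan_excluded": acl_permits(WCCP_TO_LAN_EXCL, wae, lan_host),
        "wae_to_wan_excluded": acl_permits(WCCP_TO_WAN_EXCL, wae, remote_host),
    }

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:24s} {value}")
```

The check confirms the mask as posted: 255.252.0.0 is the wildcard 0.3.255.255 and spans 20.20.0.0 through 20.23.255.255, so 20.20.x.x, 20.21.x.x and 20.22.x.x are all covered, and so is the WAE subnet, which the original lists do not carve out.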

guibarati Wed, 03/21/2007 - 10:00

The ASA appliance does not support the WCCP engine to be in a different interface of the host that will be served with the cached content.

ankit_parikh Wed, 03/21/2007 - 14:46

Hello Guilherme,

Thanks for your reply. This does make quite a few things clear for me.

Ankit

guibarati Fri, 06/13/2008 - 06:43

"WCCP redirect is supported only on the ingress of an interface. The only topology that the security appliance supports is when client and cache engine are behind the same interface of the security appliance and the cache engine can directly communicate with the client without going through the security appliance."

This is a copy and paste of: Cisco Security Appliance Command Line Configuration Guide

For the Cisco ASA 5500 Series and Cisco PIX 500 Series Software Version 8.0(1)

It's on chapter 10 page 10 (178 on pdf)

heronmb Thu, 06/12/2008 - 15:48

Hello Guilherme,

I have version 8.0.3 on ASA, do you know if it has the same issue ?

