WCCP and Crypto Maps

Unanswered Question

I have a customer who is deploying WAAS on their WAN links. They currently have their serial interfaces configured to encrypt traffic in IPSEC tunnels from the client networks at each site into the home office location. Here is an example configuration:

interface Serial0/0/0.1 point-to-point
 ip address x.x.0.2
 no ip redirects
 no ip unreachables
 ntp disable
 no cdp enable
 frame-relay interface-dlci 701 IETF
  class fr-class-voip2
 crypto map combined

The WAE is attached to a separate subnet via a 4ESW. I am using WCCPv2 redirection to redirect traffic on the client network and the serial interface to the WAE.

My WCCP return method is IP forwarding.

When we enabled redirection yesterday, all TCP-based traffic was broken. Is the problem with the crypto map being applied to the interface? Does WCCP redirect the actual IPSEC packet before decapsulating it?

Any ideas?

dstolt Thu, 09/11/2008 - 09:01

Can you outline how you implemented WCCP? It sounds like a loop issue (re-intercepting the traffic leaving the WAE), but can't be sure until we see more info.

If you are doing redirect-out, then you probably need an ip redirect exclude in statement on the WAE interface. If not, it could be something else, but we probably need more data.


dstolt Thu, 09/11/2008 - 11:24

Did you enable WCCP on the physical interface or the subinterface? Also, what version of IOS are you running and what platform?

Another thing you can try if you are using a software-based router is to run 61 (in) and 62 (out) on the LAN interface and see if that comes up OK. You are already using exclude in, so that will prevent re-interception.



Here is the relevant configuration:

interface FastEthernet0/0
 ip address x.x.x.x
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip wccp 61 redirect in
 ip wccp 62 redirect out
 ip route-cache flow
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
 no mop enabled

interface Integrated-Service-Engine1/0
 ip address 10.x.1.17
 ip wccp redirect exclude in
 service-module ip address 10.x.1.18
 service-module ip default-gateway 10.x.1.17
 no keepalive

interface Serial0/0/0.1 point-to-point
 description frame-relay to BellSouthMPLS
 ip address
 no ip redirects
 no ip unreachables
 no cdp enable
 frame-relay interface-dlci 705 IETF
  class fr-class-voip2
 crypto map combined

When I apply the ip wccp 61 and ip wccp 62 commands, I lose TCP at the site.

dstolt Fri, 09/12/2008 - 07:04

What version of IOS are you running? Can I also see the running config of the WAE?

thanks, Dan

moamen.elhefnawy Wed, 04/01/2009 - 09:13


Could you please explain the problem more, and why the MTU is a problem?

Do you know what the best value of the MTU on the WAAS is?

Thanks & BR


I was recently at a Cisco WAAS presentation where the SE said that the order of operations for interfaces where crypto and WAAS have been configured has been changed to allow WCCP to be processed before encryption. Today we had to run WCCP 61 and 62 on the LAN interface since it would not work when applied to the serial interface with the crypto map applied. Has this been resolved? If so, what release of code for the ISR addresses this issue?
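
The two conditions raised in this thread (WCCP redirection on an interface that also carries a crypto map, and redirect-out with no `ip wccp redirect exclude in` anywhere on the router) can be checked across saved router configurations before a change window. The script below is an added example, not posted by anyone in the thread; the sample config is constructed with placeholder addresses, and the finding names are hypothetical labels.

```python
import re

# Constructed sample modelled on the thread's layout; addresses are placeholders.
SAMPLE = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip wccp 61 redirect in
 ip wccp 62 redirect out
!
interface Integrated-Service-Engine1/0
 ip address 198.51.100.17 255.255.255.252
 ip wccp redirect exclude in
!
interface Serial0/0/0.1 point-to-point
 ip address 203.0.113.2 255.255.255.252
 ip wccp 62 redirect in
 crypto map combined
"""

WCCP_REDIRECT = re.compile(r"^ip wccp (\S+) redirect (in|out)$")

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = []
        elif raw[0].isspace() and current:
            interfaces[current].append(line)
        else:
            current = None  # a global command ends the interface stanza
    return interfaces

def audit(config):
    """Flag interfaces for review; finding names are hypothetical labels."""
    ifaces = parse_interfaces(config)
    has_exclude = any("ip wccp redirect exclude in" in c for c in ifaces.values())
    findings = []
    for name, cmds in ifaces.items():
        redirects = [m.groups() for c in cmds if (m := WCCP_REDIRECT.match(c))]
        if redirects and any(c.startswith("crypto map ") for c in cmds):
            findings.append((name, "wccp-with-crypto-map"))
        if any(d == "out" for _, d in redirects) and not has_exclude:
            findings.append((name, "redirect-out-without-exclude-in"))
    return findings
```

A finding marks an interface for manual review; it does not by itself establish the cause of the TCP failure described above.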

