WCCP and Crypto Maps

mlouis
Level 1

I have a customer who is deploying WAAS on their WAN links. They currently have their serial interfaces configured to encrypt traffic in IPSEC tunnels from the client networks at each site into the home office location. Here is an example configuration:

    interface Serial0/0/0.1 point-to-point
     ip address x.x.0.2 255.255.255.252
     no ip redirects
     no ip unreachables
     ntp disable
     no cdp enable
     frame-relay interface-dlci 701 IETF
      class fr-class-voip2
     crypto map combined

The WAE is attached to a separate subnet via a 4ESW. I am using WCCPv2 redirection to redirect traffic on the client network and the serial interface to the WAE.

My WCCP return method is IP forwarding.

When we enabled redirection yesterday all TCP-based traffic was broken. Is the problem with the crypto map being applied to the interface? Does WCCP redirect the actual IPSEC packet before decapsulating it?

Any ideas?

10 Replies

dstolt
Cisco Employee

Can you outline how you implemented WCCP? It sounds like a loop issue (re-intercepting the traffic leaving the WAE), but can't be sure until we see more info.

If you are doing redirect-out, then you probably need an ip redirect exclude in statement on the WAE interface. If not, it could be something else, but we probably need more data.

Dan

Dan,

I am using three interfaces, 1 LAN and 1 WAN with a 3rd interface for the WAE, all routed. I am using WCCP redirect in on the LAN/WAN interfaces 61 and 62 respectively. I am using redirect exclude in on the 3rd WAE interface.

The issue goes away when we remove the crypto map command.

dstolt
Cisco Employee

Did you enable WCCP on the physical interface or the subinterface? Also, what version of IOS are you running and what platform?

Another thing you can try if you are using a software-based router is to run 61 (in) and 62 (out) on the LAN interface and see if that comes up OK. You are already using exclude in, so that will prevent re-interception.

Dan

Dan,

Here is the relevant configuration:

    interface FastEthernet0/0
     description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$ES_LAN$$FW_INSIDE$
     ip address x.x.x.x 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip wccp 61 redirect in
     ip wccp 62 redirect out
     ip route-cache flow
     no ip mroute-cache
     duplex auto
     speed auto
     no cdp enable
     no mop enabled

    interface Integrated-Service-Engine1/0
     ip address 10.x.1.17 255.255.255.248
     ip wccp redirect exclude in
     service-module ip address 10.x.1.18 255.255.255.248
     service-module ip default-gateway 10.x.1.17
     no keepalive

    interface Serial0/0/0.1 point-to-point
     description frame-relay to BellSouthMPLS
     ip address 192.168.0.18 255.255.255.252
     no ip redirects
     no ip unreachables
     no cdp enable
     frame-relay interface-dlci 705 IETF
      class fr-class-voip2
     crypto map combined

When I apply the ip wccp 61 and ip wccp 62 commands I lose TCP at the site.

dstolt
Cisco Employee

What version of IOS are you running? Can I also see the running config of the WAE?

thanks, Dan

Dan,

The customer is running 12.4(9)T AdvIPservices. Can I email you the configuration on the WAE? I would rather not post it.

Mike

dstolt
Cisco Employee

You can email it to me at dstolt@cisco.com.

Dan

We had the same problem with WAAS in conjunction with IP-Sec. Even in in-path deployment.

The solution was to configure a smaller MTU on the WAE, because of the IP-Sec/GRE Overhead.

There is a point in the Configuration Menu of the CM where you can fix that.

Hello,

Could you please explain the problem more, and why the MTU is a problem?

Do you know what the best value of the MTU on the WAAS is?

Thanks & BR

Moamen
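The overhead behind the MTU reduction suggested above can be worked out per transform. This is an added example, not from the thread or from Cisco; it assumes IPv4, ESP tunnel mode with HMAC-SHA1-96, and the two transforms named in the code, since the thread does not show which transform `crypto map combined` uses.

```python
# Added example: wire size of a packet after ESP tunnel-mode encryption.
# Assumptions (not stated in the thread): IPv4, tunnel mode, HMAC-SHA1-96
# integrity, and one of the two transforms listed below.
IP_HDR = 20       # outer IPv4 header added by tunnel mode
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
GRE_ENCAP = 24    # optional GRE encapsulation: IPv4 (20) + GRE (4)
TCP_IP_HDRS = 40  # inner IPv4 (20) + TCP (20), no options

TRANSFORMS = {
    "esp-3des esp-sha-hmac": {"block": 8, "iv": 8, "icv": 12},
    "esp-aes esp-sha-hmac": {"block": 16, "iv": 16, "icv": 12},
}


def esp_packet_size(inner_len, transform, gre=False):
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    t = TRANSFORMS[transform]
    payload = inner_len + (GRE_ENCAP if gre else 0)
    # Plaintext plus the 2-byte trailer is padded up to a whole cipher block.
    padded = -(-(payload + ESP_TRAILER) // t["block"]) * t["block"]
    return IP_HDR + ESP_HDR + t["iv"] + padded + t["icv"]


def max_inner_packet(link_mtu, transform, gre=False):
    """Largest inner IP packet that fits in link_mtu once encrypted."""
    size = link_mtu
    while size > 0 and esp_packet_size(size, transform, gre) > link_mtu:
        size -= 1
    return size


def safe_mss(link_mtu, transform, gre=False):
    """TCP MSS that keeps encrypted packets within link_mtu."""
    return max_inner_packet(link_mtu, transform, gre) - TCP_IP_HDRS


if __name__ == "__main__":
    for name in TRANSFORMS:
        for gre in (False, True):
            print(f"{name:24} gre={gre!s:5} "
                  f"1500B packet -> {esp_packet_size(1500, name, gre)}B, "
                  f"max inner {max_inner_packet(1500, name, gre)}B, "
                  f"MSS {safe_mss(1500, name, gre)}")
```

Under these assumptions a full 1500-byte packet grows to 1552 bytes with 3DES, so on a 1500-byte link it has to be fragmented or dropped unless the sender's MTU or MSS is lowered first.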

I was recently at a Cisco WAAS presentation where the SE said that the order of operations for interfaces where crypto and WAAS have been configured has been changed to allow WCCP to be processed before encryption. Today we had to run WCCP 61 and 62 on the LAN interface since it would not work when applied to the serial interface with the crypto map applied. Has this been resolved? If so, what release of code for the ISR addresses this issue?
