Hi,

Did that already. Not solving the problem.

ns-rt0001# sh sdm prefer

The current template is "desktop routing" template.

Please post your wccp configs off the 3750 and the WAE. I think there is a misconfiguration somewhere.

Thanks,

Dan

The 3750 config is quite simple. Just

ip wccp 61

ip wccp 62

and the ip wccp 61/62 redirect in on the LAN and WAN interfaces.

See attachment for the WAE config

The full 3750 config as well

I think I solved the problem.

The WAE router list must ONLY contain ONE IP address per router. In my case the 3750 has bind the WCCP process to the loopback address. This address must be in the router list and not interface ip address.

Am I right ?

You should only use a single L3 address from each router. I usually use the address from the interface that that WAE is attached to. The router ID will come in as the highest IP address (usually the loopback), however you don't have to use that as the IP in the router list.

Dan

Thx for helping me out so far.

Problem continues.

I removed the WCCP configuration last night from the 2811 with the WAE module and now do not get it to work any more.

nhl-rt0001#sh ip wccp 61 detail

WCCP Client information:

WCCP Client ID: 10.254.252.4

Protocol Version: 2.0

State: NOT Usable (Incompatible redirection method)

Redirection: L2

Packet Return: L2

Packets Redirected: 0

Connect Time: 00:10:34

Assignment: MASK

019695: Dec 11 23:08:27.686: WCCP-EVNT:D62: Here_I_Am packet from 10.254.252.4 with incompatible capabilites

019696: Dec 11 23:08:29.686: WCCP-EVNT:D61: Here_I_Am packet from 10.254.252.4 w/bad rcv_id 00000000

019697: Dec 11 23:08:29.686: WCCP-EVNT:wccp_update_assignment_status: enter

019698: Dec 11 23:08:29.686: WCCP-EVNT:wccp_update_assignment_status: exit

019699: Dec 11 23:08:29.686: WCCP-EVNT:wccp_copy_wc_assignment_data: enter

019700: Dec 11 23:08:29.686: WCCP-EVNT:wccp_copy_wc_assignment_data: reuse orig mask info (28 bytes)

019701: Dec 11 23:08:29.686: WCCP-EVNT:wccp_copy_wc_assignment_data: exit

019702: Dec 11 23:08:29.686: WCCP-EVNT:D62: Here_I_Am packet from 10.254.252.4 w/bad return method L2, received indirectly via Integrated-Service-Engine1/0

When running the troubleshooting tool one the WAE-502 all systems are go. No errors.

2811 is running 12.4.22T (same as yesterday)

Redirection/Return methodes are set to L2 at both end, same as MASK.

Should I use WCCP negotiated return or IP Forwarding as Egress method ?

Set up your NME separately from the WAE appliance (don't do them in a device group). The 3750 only supports L2 redirect/mask assign. The 2811 (depending on what version of IOS you are using) should only use GRE redirect (default) with hash assign.

Dan

Hi default is mask, not hash for both the NME and the WAE.

For some reason it is not working. All systems are go, see each other in the topology table.

No errors in debug mode.

Between the WAAS engines are to ASA's connected through the internet via a IPSEC vpn. IP connectivity is straight without NAT. WAAS inspect is enabled.

What I do see is that the counters on the 3750 are not increasing:

Global WCCP information:

Router information:

Router Identifier: 10.0.252.1

Protocol Version: 2.0

Service Identifier: 61

Number of Service Group Clients: 1

Number of Service Group Routers: 1

Total Packets s/w Redirected: 0

Process: 0

CEF: 0

Redirect access-list: -none-

Total Packets Denied Redirect: 0

Total Packets Unassigned: 3

Group access-list: -none-

Total Messages Denied to Group: 0

Total Authentication failures: 0

Total Bypassed Packets Received: 0

Service Identifier: 62

Number of Service Group Clients: 1

Number of Service Group Routers: 1

Total Packets s/w Redirected: 0

Process: 0

CEF: 0

Redirect access-list: -none-

Total Packets Denied Redirect: 0

Total Packets Unassigned: 9

Group access-list: -none-

Total Messages Denied to Group: 0

Total Authentication failures: 0

Total Bypassed Packets Received: 0

While on the 2811 they are.

Connectivity such as RDP is not working. ICMP ping is possible. When turning off WAAS it is working as expected.

Hope you are reading emails during the weekend....

Okay,

On your connectivity via the ASA and IPSec, I see you set the MSS to 1300 already, was that to allow for your ipsec header overhead? Make sure it's on both WAEs (at each end of the WAN link).

I recommend you use 2 different setups for wccp in your scenario, something like this. See if your configs match.

1. WAE-612 + 3750 : WAE uses the following wccp configs

-----------------

wccp router-list 1 10.0.7.1

wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign assign-method-strict l2-return

wccp version 2

-----------------

You will not see any of the counters increase on the router (3750) due to the traffic being processed in the hardware. Counters only increase if packets are processed in software (like on the ISR platforms). Use "sh wccp gre" on the WAE instead and you should see the counter "Transparent non-GRE packets received: " incrementing.

2. NME-WAE-502 + 2811 - NME should use the basic WCCP configs - NO MASK or L2, they are only available in 12.4(20)T or later.

------------

wccp router-list 1 x.x.x.x (network module router interface IP address)

wccp tcp-promiscuous router-list-num 1

wccp version 2

------------

You will see the counters increase on both the router and the counter "Transparent GRE packets received:" incrementing on the WAE in "sh wccp gre".

Let me know, I'm doing installs all weekend and will keep checking in.

Dan

MSS 1300 is for the IPSEC overhead.

I are right regarding the hardware switching. Counter are incrementing.

2811 is running 12.4.22T

When doing a sh ip wccp on the 3750 you see that the wccp process using 10.0.252.1 . I have used that ip address in the router list.

WCCP connection between WAE and 3750 seem to be fine.

I also made sure WCCP inspect is turned on in the ASA's

It seems to be working. Going to test further and keep u posted.

The problem was a unnumbered ip usage for the NME module on the same vlan as the client resided. When logged in on the NME the NME was unable to reach the client essentially in the same LAN. Played around with GRE and exclude in and such, but nothing worked.

Now running on 12.4.15T8. This provides way less overhead on cpu usage when using the 2811.

What else should I check to make the optimum config.

The next thing I am going to test is redirect access-list to ony allow WAAS traffic for specific subnets (customers) since I am deploying a Managed WAAS service.

What happens with traffic flowing through a WAAS engine on the ingress but no WAAS engine is available on the other end. Is it going to be dropped ?

On the customer network I have a split tunnel internet. HTTP/S is directly going to the internet and all other traffic is traversing the VPN toward the datacenter. Is WAAS help out for internet traffic as well ?

Obviously I should not forget to thank you for your willingness to help ! Really appreciate it.