WCCPv2 problem on ASA - IronPort WSA

Unanswered Question
Jul 13th, 2010

Hi All,

I have to deploy 2 S360 WSAs in my customer's network. I have to deploy transparent redirection using the WCCP deployment model...

S360 appliances are logically connected to the ASA inside segment (from that segment my users are coming). So that should be no problem (ASA WCCP documentation requires WSA and users to be on the same segment).

The problem was that WCCP was not able to exchange keepalive information with the ASA.

WSA is clearly sending Here I Am packets, but is not receiving a response from the ASA!

On the firewall, there is no access list that could prevent WCCP from bringing the service up.

In ASA logs we have a log about a received UDP connection on port 2048 (so ASA received the WCCP hello), but we do not see an outbound connection...

We configured the inside segment IP address as the Web-cache IP on the WSA. I noticed that in some cases this can be a problem (especially if the configured WCCP router ID IP address is not the biggest one on the ASA - this policy is not officially documented and really looks insane, especially if we consider that the ASA is a security appliance...).

Anyway, debug of wccp events and packets shows a wrong web-cache ID message (or something similar). IDs are the same on ASA and on WSA... There is no problem in the configuration!!!

ASA OS version 8.2.2...

Hope someone will help, and had the similar problems...

Regards,

Ana

khoanguy Tue, 07/13/2010 - 16:20

Try using a different service id 90 instead of the default web-cache, this needs to be done on both the IronPort and ASA.

On the IronPort also configure, explicit advanced settings:

Network > Transparent Redirection > (select wccp profile) > Advanced > (Forward and Return set to "GRE only")

See if it attempts to sync.

ana.peric Tue, 07/13/2010 - 22:40

Thanks khoanguy.

I forgot to mention...

I already did all of that...

Default web-cache was not set at all...

We have tried to set service group ID 100, 90, 91... Tried with lots of different combinations (of course the WSA and ASA configurations are synchronized)...

My last resort is the following procedure:

Disabling wccp on both WSA and ASA.

Before WCCP configuration, I'll reload the WSA...

Configure wccp on WSA and ASA with the web-cache service group (I did not try this, although I must do transparent redirection for more web ports, not only 80...).

Maybe I'll try with some other service group (ID from 90-99)...

It could be some kind of bug. One option is that the WSA is sending the wrong WCCP service ID, and then the ASA doesn't see the match and discards the WCCP Here I Am... Or the ASA has a problem with WCCP ID checking and matching...

Anyway, I'll keep you informed.

yao yu jiang Fri, 04/15/2011 - 13:41

hi,

I have the same problem on my ASA and WSA, has your problem been resolved? Let me know please.

ana.peric Sun, 04/17/2011 - 23:22

Hi,

Yes, the problem is resolved...

Restrictions regarding the WCCPv2 implementation on ASA are:

- Multiple routers in a service group are not supported. Multiple Cache Engines in a service group are still supported.

- Multicast WCCP is not supported.

- The Layer 2 redirect method is not supported; only GRE encapsulation is supported.

- WCCP source address spoofing is not supported

Besides these restrictions, the IronPort WSA must be connected to the ASA's inside segment.

Also, the ASA's inside interface must be in the same IP subnet as the IronPort WSA.

If you have problems with WCCP on WSA in general, here are some steps that you should follow during troubleshooting:

1. Mind all the WCCP/ASA restrictions mentioned above

2. Capture packets on the WSA's interface. If everything is OK, you should see both WCCP HIA and WCCP "I see you" hello messages.

3. Turn on debug ip wccp events on the ASA/router

4. If all WCCP messages are present, you should not have the problem

If not... First see if the WSA is sending WCCP messages to the ASA/router (debug wccp events).

WSA has one bug that affects WCCP function... Sometimes (and believe me - sometimes == a lot) when WCCP reconfiguration is performed on the WSA, it sends WCCP packets with a wrong Host ID.

So in that case, in the router/ASA debug you see a message like this: "Here_I_Am packet from X.X.X.X w/bad rcv_id 00000000".

If you see this, you should execute the following hidden command on the WSA from the WSA CLI:

//*****************************

diagnostic->proxy->kick

//*****************************

That's it.

In most cases, if you have not made some "design" error, proxy kick will reset WCCP on the WSA, and it'll start working...

Best regards,

Ana

yao yu jiang Tue, 04/26/2011 - 12:13

thanks a lot,

I have another quick question, does WCCP support using NTLMSSP authentication? I found the WSA cannot find the Windows domain login username information when I use transparent WCCP; it only records the client IP address, not the username, so if my identity requires authentication with NTLMSSP, WCCP does not work. But if I use explicit proxy, then I have all username information in my access log?

Ken Stieers Tue, 04/26/2011 - 12:15

Yes, NTLMSSP auth works with the WSA using WCCPv2 from a WSA.

I'm doing it right now...

yao yu jiang Tue, 04/26/2011 - 12:50

thanks, you are very helpful.

I tried WCCP with NTLM authentication again, IE just comes back with a blank page, this means the WCCP did not get the authentication message, but I require the authentication.

I added another identity using just the LDAP protocol, and it came back with the same result.

But after I change one of the following it works:

- enable explicit proxy, point to IronPort in IE, it works, I can find the authentication using authcache and find them in my accesslog.

- NO authentication required, the WCCP works

Do you know anything else I need to check? I use IE 7

yao yu jiang Tue, 04/26/2011 - 13:03

I found the problem

I changed the interface name, but for some reason, the transparent proxy auth server name is the old name,

  27   wsa2.cbm.local
2976                 wsa2$
3286     mgmt.wsa2.cbm.local

I need to figure out how to change the name back

thanks

ana.peric Tue, 04/26/2011 - 22:43

Hi All,

First of all, in order to use NTLM with transparent redirection you must configure the hostname of the IronPort proxy interface under the authentication configuration.

You should be able to resolve that hostname in your DNS - that is very important!

If you are using a short hostname (not ironports.yourdomain.com but only "ironport"), the configured DNS must be the authoritative DNS for domain yourdomain.com.

The second thing about transparent redirection + NTLM authentication is IE security settings. In order to enable your IE to handle NTLM + transparent redirection, you must set the IronPort's full FQDN inside IE's trusted sites.

I hope I helped...

Best regards,

Ana

yao yu jiang Wed, 04/27/2011 - 10:45

THANKS a lot, it works for me.

Here is my summary, I did a lot of tests using the NTLMSSP and basic authentication schemes.

===============summary==================

When using WCCP for IronPort WSA:
under identity, an NTLMSSP realm can use both the NTLMSSP and BASIC authentication scheme

1. Use NTLMSSP AUTHENTICATION ONLY: this is single sign-on authentication, it is transparent, because after the user logs in to Windows using
the domain username, IE will forward the authenticated information to the WSA, SO the user does not need to type anything, and there is no pop-up
authentication window

     NEED TO ADD THE PROXY INTERFACE NAME IN THE DNS SERVER (under cbm.local, add A record MGMT.WSA2)
      -1 MGMT.WSA2.CBM.LOCAL 172.16.16.17
      AND
      -2 ADD MGMT.WSA2.CBM.LOCAL IN THE client IE security option intranet sites

      the authentication log/record shows the username under the domain name like the following:
      CBM\[email protected]

2. Use basic authentication:
     Windows will pop up a window for username and password, this is basic authentication, the password is transferred insecurely (clear).

  when using explicit basic authentication
    it shows the username like the following, it does not show the domain name
     [email protected]
   [email protected]
  [email protected]

Notes: when using Firefox for basic authentication, it will pop up 2 windows, the first is the NTLM window, it will fail, then the 2nd is the basic
authentication window, type the username and password, no need to type the domain name.

mostafa.kamel Sat, 08/31/2013 - 04:29

I run WCCPv2 with the ASA for HTTP traffic and it works fine, when I try HTTPS redirection I found on the ASA there is a match as shown below:

Global WCCP information:
    Router information:
        Router Identifier:                   172.220.0.2
        Protocol Version:                    2.0
    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            116423
        Redirect access-list:                WCCP-TRAFFIC
        Total Connections Denied Redirect:   3
        Total Packets Unassigned:            40
        Group access-list:                   wccp-server
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0
    Service Identifier: 70
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            35582
        Redirect access-list:                WCCP-TRAFFIC
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   wccp-server
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

But if I don't enable the HTTPS proxy on the WSA, all HTTPS requests are forwarded and no filtering takes place.

When I enable the HTTPS proxy on the WSA, all the pages keep loading and end in an error display.

If you have enabled HTTPS redirect, please, I need your support.

thanks and Regards,

Mostafa kamel
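Added example (Python, written for this page; not code from any poster or from Cisco): a small checker that parses `show wccp` counters in the layout Mostafa pasted and scans ASA debug output for the bad rcv_id line Ana describes, so the usual WCCP failure causes on the ASA are surfaced before digging further. The sample output, debug lines and addresses below are constructed, and the counter-to-cause mapping is this example's own reading of the thread.

```python
import re
# Constructed sample in the layout of the "show wccp" output pasted above (values made up).
SHOW_WCCP = """\
Global WCCP information:
    Service Identifier: web-cache
        Number of Cache Engines:             1
        Total Packets Redirected:            116423
        Redirect access-list:                WCCP-TRAFFIC
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
    Service Identifier: 70
        Number of Cache Engines:             0
        Total Messages Denied to Group:      5
        Total Authentication failures:       2
"""
# Constructed debug lines modelled on the message Ana quotes (address made up).
DEBUG_LINES = [
    "WCCP-EVNT: Here_I_Am packet from 172.220.0.10 w/bad rcv_id 00000000",
    "WCCP-EVNT: Here_I_Am packet from 172.220.0.10",
]
BAD_RCV_ID = re.compile(r"Here_I_Am packet from (\S+) w/bad rcv_id (\w+)")
# Counter checks: (field, predicate on its value, what to look at when it trips).
CHECKS = [
    ("Number of Cache Engines", lambda v: v == 0, "no cache engine joined (check subnet and GRE restrictions)"),
    ("Total Authentication failures", lambda v: v > 0, "service group password mismatch"),
    ("Total Messages Denied to Group", lambda v: v > 0, "WSA address not permitted by group access-list"),
]

def parse_show_wccp(text):
    """Return {service_id: {counter_name: value}} parsed from show wccp output."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Service Identifier:\s*(\S+)", line)
        if m:
            current = services.setdefault(m.group(1), {})
            continue
        m = re.match(r"\s*(.+?):\s+(\S+)\s*$", line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2)) if m.group(2).isdigit() else m.group(2)
    return services

def wccp_findings(show_text, debug_lines):
    """List the conditions a troubleshooter should look at first."""
    findings = []
    for sid, counters in parse_show_wccp(show_text).items():
        findings += [f"{sid}: {msg}" for field, bad, msg in CHECKS if bad(counters.get(field, 0))]
    for line in debug_lines:
        m = BAD_RCV_ID.search(line)
        if m:  # the bad Host ID case, where Ana's fix was a proxy kick on the WSA
            findings.append(f"{m.group(1)}: bad rcv_id {m.group(2)}, reset WCCP on the WSA")
    return findings
```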
