IronPort and Internet

Unanswered Question

I have a remote office and set up a site-to-site VPN to HQ using ASAs at both locations. All data traffic and internet browsing go over the VPN link back to HQ.

Everything was working fine, and then a strange thing happened: 2 users cannot connect to the internet. If I bypass these 2 users from the IronPort, then their internet works fine. The IronPort is set up as transparent, and WCCP is configured on the ASA here in HQ.

If I put those users back on the access list on the ASA for the WSA, then their browsers connect, but there is no error and no webpage is displayed. It just keeps waiting, like an hourglass. I turned on the access log and saw the connection established without any deny in the log.

Does anyone have any idea?

Thank you.

edadios Wed, 08/11/2010 - 16:11

You said only two users have the problem. Does that mean other users on the same remote subnet through the VPN, also configured for WCCP on the main office ASA and redirected to the WSA, are working fine? If other users work fine, are the two users using the same identity configured on the WSA, and going through the same access policy?

You can also check the access logs on the WSA for the non-working user and the working user to see the difference in the logs, if going to the same internet URL. Guide for access logs on WSA here

Otherwise you will need to trace where the packets from the client are being lost going to the internet.

Packet captures for traffic of the client on ASA and WSA will possibly need to be done to find out.

Some good info on the forum for ASA packet capture here

I suggest doing it on the interface facing the WSA, and filtering on the client IP address.

Capture on WSA here

I suggest doing the capture on the interface facing the ASA, and filtering on the client IP address.

I hope this helps you get further on your troubleshooting.


