ASA WCCP w/Ironport Question

Answered Question
Nov 4th, 2011

I'd like to use ASA WCCP to point to a couple different Ironport s160 systems for redundancy. I can't find any documentation that talks about how the WCCP mechanism selects which system to use.

Is it simply round robin or hash-based regardless of cache engine status?

Or does it try the first in the list and if inaccessible move to the next in the llist?

I have this problem too.
0 votes
Correct Answer by kstieers1 about 2 years 5 months ago

Its hash or mask based (you pick, or the boxes negotiate), against server address or client address, but only if the cache engines are up... ie if one is down, all of the traffic will go to the other one...  Keep in mind that WCCP is sort of like a "subscription".  If both WSA's are down, the ASA will see no "subscriptions" so it will just pass the traffic without trying to redirect it anywhere.  If one is up and talking, it gets all of the traffic..

Take a look at Network/Transparent Redirection, set it for WCCP v2 Router,  and add a service.   The config is there...

Also, don't forget to add 2 ACE's to the ACL on the ASA to keep the traffic from one WSA proxy ip from getting sent to the the other WSA, and vice versa...

(Taken from AnswerID 1663 in the old ironport support knowledge base)

wccp 90 redirect-list acl_http group-list acl_wsas password securewccp

! Access List denying traffic sent to the WSA (as destination IP) to be redirected to the WSA
! this is particular useful when the ASA is configured to redirect traffic to multiple WSAs.
! WSA1 IP address = 10.0.0.1
! WSA2 IP address = 10.0.0.2
access-list acl_http extended deny tcp any host 10.0.0.1
access-list acl_http extended deny tcp any host 10.0.0.2

! Allow http traffic to be redirected
access-list acl_http extended  permit tcp any any eq www

! Allow https traffic to be redirected
access-list acl_http extended  permit tcp any any eq https

! Define which WSAs are allowed to participate on the WCCP communication
access-list acl_wsas standard  permit host 10.0.0.1
access-list acl_wsas standard  permit host 10.0.0.2

!
wccp interface inside 90 redirect in

  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 5 (1 ratings)
Correct Answer
kstieers1 Fri, 11/04/2011 - 08:39

Its hash or mask based (you pick, or the boxes negotiate), against server address or client address, but only if the cache engines are up... ie if one is down, all of the traffic will go to the other one...  Keep in mind that WCCP is sort of like a "subscription".  If both WSA's are down, the ASA will see no "subscriptions" so it will just pass the traffic without trying to redirect it anywhere.  If one is up and talking, it gets all of the traffic..

Take a look at Network/Transparent Redirection, set it for WCCP v2 Router,  and add a service.   The config is there...

Also, don't forget to add 2 ACE's to the ACL on the ASA to keep the traffic from one WSA proxy ip from getting sent to the the other WSA, and vice versa...

(Taken from AnswerID 1663 in the old ironport support knowledge base)

wccp 90 redirect-list acl_http group-list acl_wsas password securewccp

! Access List denying traffic sent to the WSA (as destination IP) to be redirected to the WSA
! this is particular useful when the ASA is configured to redirect traffic to multiple WSAs.
! WSA1 IP address = 10.0.0.1
! WSA2 IP address = 10.0.0.2
access-list acl_http extended deny tcp any host 10.0.0.1
access-list acl_http extended deny tcp any host 10.0.0.2

! Allow http traffic to be redirected
access-list acl_http extended  permit tcp any any eq www

! Allow https traffic to be redirected
access-list acl_http extended  permit tcp any any eq https

! Define which WSAs are allowed to participate on the WCCP communication
access-list acl_wsas standard  permit host 10.0.0.1
access-list acl_wsas standard  permit host 10.0.0.2

!
wccp interface inside 90 redirect in

Actions

Login or Register to take actions

This Discussion

Posted November 4, 2011 at 8:11 AM
Stats:
Replies:2 Avg. Rating:5
Views:1533 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard