ASA WCCP w/Ironport Question

AJ Cruz
Level 3

I'd like to use ASA WCCP to point to a couple different Ironport s160 systems for redundancy. I can't find any documentation that talks about how the WCCP mechanism selects which system to use.

Is it simply round robin or hash-based regardless of cache engine status?

Or does it try the first in the list and if inaccessible move to the next in the list?

Accepted Solutions

It's hash or mask based (you pick, or the boxes negotiate), against server address or client address, but only if the cache engines are up... i.e. if one is down, all of the traffic will go to the other one... Keep in mind that WCCP is sort of like a "subscription". If both WSAs are down, the ASA will see no "subscriptions" so it will just pass the traffic without trying to redirect it anywhere. If one is up and talking, it gets all of the traffic.

Take a look at Network/Transparent Redirection, set it for WCCP v2 Router, and add a service. The config is there...

Also, don't forget to add 2 ACEs to the ACL on the ASA to keep the traffic from one WSA proxy IP from getting sent to the other WSA, and vice versa...

(Taken from AnswerID 1663 in the old ironport support knowledge base)

wccp 90 redirect-list acl_http group-list acl_wsas password securewccp

! Access list entries that keep traffic sent to a WSA (as destination IP) from being redirected to a WSA.
! This is particularly useful when the ASA is configured to redirect traffic to multiple WSAs.
! WSA1 IP address = 10.0.0.1
! WSA2 IP address = 10.0.0.2
access-list acl_http extended deny tcp any host 10.0.0.1
access-list acl_http extended deny tcp any host 10.0.0.2

! Allow http traffic to be redirected
access-list acl_http extended  permit tcp any any eq www

! Allow https traffic to be redirected
access-list acl_http extended  permit tcp any any eq https

! Define which WSAs are allowed to participate on the WCCP communication
access-list acl_wsas standard  permit host 10.0.0.1
access-list acl_wsas standard  permit host 10.0.0.2

!
wccp interface inside 90 redirect in


2 Replies

Thanks!
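
The redirect behaviour described in the accepted answer, as an added Python model that is not part of the original thread and not Cisco's implementation. The even 256-bucket split and the XOR-fold hash on the destination address are simplifying assumptions (real WCCPv2 assignment is negotiated and may use a mask), and the 203.0.113.x destinations are constructed sample values.

```python
import ipaddress

WSAS = ["10.0.0.1", "10.0.0.2"]   # acl_wsas group-list from the thread's config
REDIRECT_PORTS = {80, 443}        # "eq www" and "eq https" in acl_http


def acl_http_permits(dst_ip, dst_port):
    """First-match walk of acl_http: deny to WSA IPs, permit 80/443, implicit deny."""
    if dst_ip in WSAS:
        return False              # the two deny ACEs: never redirect WSA-bound traffic
    return dst_port in REDIRECT_PORTS


def assign_buckets(live_wsas):
    """Assumed model: spread 256 buckets evenly over the WSAs that are registered."""
    if not live_wsas:
        return {}                 # no "subscriptions": nothing to redirect to
    ordered = sorted(live_wsas, key=ipaddress.ip_address)
    return {b: ordered[b % len(ordered)] for b in range(256)}


def bucket_for(dst_ip):
    """Assumed hash: XOR-fold the four address octets into a value 0..255."""
    h = 0
    for octet in ipaddress.ip_address(dst_ip).packed:
        h ^= octet
    return h


def redirect_target(dst_ip, dst_port, live_wsas):
    """Return the WSA that receives the flow, or None if it is forwarded normally."""
    live = [w for w in live_wsas if w in WSAS]   # group-list: ignore unknown peers
    if not acl_http_permits(dst_ip, dst_port):
        return None
    return assign_buckets(live).get(bucket_for(dst_ip))


if __name__ == "__main__":
    flows = [("203.0.113.10", 80), ("203.0.113.11", 443), ("10.0.0.2", 80)]
    for live in (WSAS, ["10.0.0.2"], []):
        for ip, port in flows:
            print(live, ip, port, "->", redirect_target(ip, port, live))
```

Running it shows the three states from the answer: traffic split across both WSAs, all traffic on the surviving WSA, and plain forwarding when neither has registered.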