WCCP & Bluecoat bad rcv_id

Unanswered Question
Mar 27th, 2012

On a Catalyst 6509 switch I have configured wccp protocol in order to redirect the Http traffic to a Bluecoat SG8100. It was working fine until a new L3 interface implementation.  Thereafter I was unable to redirect the http traffic due to an error reported from the Cat6509:

WCCP-EVNT:D10: Built new router view: 0 routers, 0 usable web caches, change # 00000001

WCCP-PKT:D10: Sending I_See_You packet to 10.64.28.240 w/ rcv_id 00000001

WCCP-PKT:D10: Sending I_See_You packet to 10.64.28.240 w/ rcv_id 00000002

WCCP-PKT:D10: Sending I_See_You packet to 10.64.28.240 w/ rcv_id 00000003

WCCP-EVNT:D10: Here_I_Am packet from 10.64.28.240 w/bad rcv_id 00000000

WCCP-EVNT:D10: Here_I_Am packet from 10.64.28.240 w/bad rcv_id 00000000

WCCP-EVNT:D10: Here_I_Am packet from 10.64.28.240 w/bad rcv_id 00000000

WCCP-PKT:D10: Sending Removal_Query packet to 10.64.28.240w/ rcv_id 00000004

WCCP-EVNT:wccp_free_wc_assignment_memory: enter

WCCP-EVNT:wccp_free_wc_assignment_memory: deallocate orig info (40 bytes)

WCCP-EVNT:wccp_free_wc_assignment_memory: exit

WCCP-EVNT:wccp_change_router_view: D10

WCCP-EVNT:wccp_change_router_view: deallocate rtr_view (24 bytes)

WCCP-EVNT:wccp_change_router_view: allocate hash rtr_view (1560 bytes)

WCCP-EVNT:wccp_change_router_view: rtr_view_size set to 24 bytes

WCCP-EVNT:D10: Assignment wait timer started

the final status is:

SWA1-1#sh ip wccp 10 deta

WCCP Cache-Engine information:

        Web Cache ID:          10.64.28.240

        Protocol Version:      2.0

        State:                      NOT Usable

        Redirection:             L2

        Packet Return:         L2

        Packets Redirected:    0

        Connect Time:          00:00:19

        Assignment:             MASK

After some checks I supposed that the problem should be the UDP 2048 port connection between the Switch and the Bluecoat while the switch L3 port and the bluecoat are on the same Lan. A deep analysis found that the WCCP protocol seems to be as follow:

Proxy address 10.64.28.240 to Switch Port 10.64.28.250 Here I Am

Switch Port 10.64.28.250 to Proxy address 10.64.28.240 I See You

Switch Port 10.66.0.251 to Proxy address 10.64.28.240 UDP 2048 packet (dropped by firewall)

It's strange to me that the first dialog is correctly handled by the correct Cat6509 interface while the UDP packets are flowing from another Vlan interface not configured with the WCCP and apparently not involved on the protocol.

Last of all the WCCP is now disabled and unusable, any idea?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
John Blakley Tue, 03/27/2012 - 03:41

Can you give a quick diagram on how this is laid out? You said that you configured a new L3 interface, but then you state that UDP packets could be dropped by the firewall. Where are your users in relation to wccp? Are they on the same interface as the proxy or are they on a different interface? Have you tried rebooting the proxy server?

rosarra Tue, 03/27/2012 - 04:06

Here you found see the network diagram. The old working interface was the Vlan100 the same users vlan. A new interface was added (Vlan 99) but the dropped packets are flowing from the interface Vlan300. It's a very strange behaviour with a no-sense explanation. I don't think that the Bluecoat reboot can solve the problem because the issue is related to the switch not to the proxy.

branfarm1 Tue, 05/22/2012 - 10:12

Were you ever able to find a solution to this issue? I am seeing the same debug messages on a 4510 with Barracuda web filter:

050445: May 22 11:07:22.311 MDT: WCCP-EVNT:S00: Here_I_Am packet from 10.2.0.51 w/bad rcv_id 00000000

050446: May 22 11:07:32.307 MDT: WCCP-EVNT:S00: Here_I_Am packet from 10.2.0.51 w/bad rcv_id 00000000

Thanks,

Brandon

rosarra Wed, 05/23/2012 - 00:52

Unfortunatly in our case there is no solution for this issue. The problem is due to an asymmetric path between the Core Siwtch and the Bluecoat Appliance. At first the switch sent the WCCP packet using the correct interface then reply to the Bluecoat using another interface blocked from the Firewall.

Consider that we are using VRF on the Core Switch and WCCP is not VRF aware.

Actions

Login or Register to take actions

This Discussion

Posted March 27, 2012 at 3:09 AM
Stats:
Replies:4 Avg. Rating:
Views:1476 Votes:0
Shares:0
Tags: wccp, 6509, vrf
+
Categories: Switches
+

Related Content

Discussions Leaderboard

Rank Username Points
1 15,007
2 8,155
3 7,740
4 7,083
5 6,742
Rank Username Points
140
75
73
64
40