ASA WCCP Failover

Unanswered Question
Aug 1st, 2012

Can someone help clarify some things. I read that WCCP is supposed to support failover. I want to WCCP redirect some web traffic to a proxy. If that proxy is not available then I want to redirect it to another "backup" proxy, but when looking at the WCCP settings in ASDM and the CLI commands I don't see where you configure a second address to redirect to. How does this failover actually work?

Marcin Latosiewicz Thu, 08/02/2012 - 00:50

Lance,

Proxy should register to ASA (or any WCCP "server") not the other way around.

That's why ASA's configuration is to create an ACL to allow registration from particular IPs:

bsns-asa5520-2(config)# wccp web-cache ?

configure mode commands/options:

  group-list     Set the access-list used to permit group membership

You can have a look at WCCP at-a-glance operation on wikipedia:

http://en.wikipedia.org/wiki/Web_Cache_Communication_Protocol

There are links to Cisco documentation later on there.

You can have a look at the status of registration via:

show wccp [service-name-or-number] detail

Hope that clears things up.

If you're seeing problems with registering both proxies to the ASA, open up a TAC case.

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_wccp.html#wp1101443

Supported:

Multiple cache engines in a service group.

M.

lfkentwell Thu, 08/02/2012 - 15:12

Great, that explains it, thanks. From what I'm reading about the ASA WCCP implementation, the client and the "proxy" both have to be reachable on the same interface as WCCP. You can't redirect the request to a "proxy" that might be sitting on a DMZ of another interface, is that correct?

In this case what if the "proxy" is on another vlan that is still on the same interface, is that ok?

What if the "proxy" is on another subnet, maybe even a different location. Is it still ok provided that it is reached via the same interface the original request was received on?

Also, one more thing: I read that there has to be a rule permitting the traffic for WCCP to intercept it. Is that correct? So that would mean if I want to redirect all traffic from host A out to the internet then not only do I have to put an ACL in the WCCP to redirect traffic from that host, but there must also be a rule saying Host A on ANY port has a permit to the internet? That seems risky to me; if your "proxy" goes down, won't it just then allow the traffic out? I would not want that.

Thanks.

Marcin Latosiewicz Fri, 08/03/2012 - 01:33

Lance,

Same interface in this case means same instance of interface (as seen in "show nameif").

You are also correct on the ACL issue. ACLs ARE processed before WCCP.

An ingress access list entry always takes higher priority over WCCP. For example, if an access list does not permit a client to communicate with a server, then traffic is not redirected to a cache engine. Both ingress interface access lists and egress interface access lists are applied.

But that actually helps you address a situation where users could access internet without WCCP present.

On the outside interface in egress direction you can DENY any tcp/80 traffic unless it's coming from one of the proxies.

Makes sense?

Marcin.
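Putting Marcin's two points together (a group-list naming the proxies that may register, and an egress ACL on the outside interface so tcp/80 only leaves via a proxy), here is an added example ASA configuration. It is not from the thread or Cisco's documentation; the interface names, addresses, subnet and ACL names are assumptions.

```cisco
! Added example, not from the thread. Assumed topology:
!   inside clients 10.1.0.0/16 behind interface "inside"
!   proxies 10.1.1.10 and 10.1.1.11, also reached via "inside"
!
! --- WCCP ---
! Proxies allowed to register with the ASA (Marcin's group-list).
access-list WCCP-PROXIES extended permit ip host 10.1.1.10 any
access-list WCCP-PROXIES extended permit ip host 10.1.1.11 any
! Client traffic to intercept. The proxies' own upstream fetches are
! excluded so they are never redirected back to a proxy.
access-list WCCP-REDIRECT extended deny tcp host 10.1.1.10 any eq 80
access-list WCCP-REDIRECT extended deny tcp host 10.1.1.11 any eq 80
access-list WCCP-REDIRECT extended permit tcp 10.1.0.0 255.255.0.0 any eq 80
wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-PROXIES
wccp interface inside web-cache redirect in
!
! --- Ingress ACL on inside ---
! Must permit the client flow, or the ASA never redirects it (the
! interface ACL is checked before WCCP). This is the part Lance found risky.
access-list INSIDE-IN extended permit tcp 10.1.0.0 255.255.0.0 any eq 80
access-group INSIDE-IN in interface inside
!
! --- Egress ACL on outside: the "fail closed" control ---
! Only the proxies may originate tcp/80 to the internet. If both proxies
! are down, redirection stops and the clients' direct requests hit the
! deny line instead of leaking out.
access-list OUTSIDE-OUT extended permit tcp host 10.1.1.10 any eq 80
access-list OUTSIDE-OUT extended permit tcp host 10.1.1.11 any eq 80
access-list OUTSIDE-OUT extended deny tcp any any eq 80
access-list OUTSIDE-OUT extended permit ip any any
access-group OUTSIDE-OUT out interface outside
!
! Check which proxies are registered (command from the thread):
!   show wccp web-cache detail
```

Redirected packets are sent to the proxy on the inside interface, so they never reach OUTSIDE-OUT; only the proxy's own upstream connections (permitted) and any un-redirected client connections (denied) do.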

Posted August 1, 2012 at 7:36 PM
Tags: failover, wccp, asa