Need wccp configuration assistance

Unanswered Question
Aug 15th, 2012

I'm running wccp between a Nexus 7K and a Bluecoat ProxySG. I've attached a Visio which shows an overview of how all the pieces fit together. I'll also describe it here:


For the purpose of discussing this issue, only two VLANs on the 7K matter.  These are VLAN38, on which the firewall to the Internet is attached on the Inside and VLAN39, on which the web-cache engine (ProxySG) is attached.  The relevant wccp configuration is below:


feature wccp
!
ip wccp 97 redirect-list Remote-WCCP
ip wccp 98 redirect-list FNB-WCCP
!
! Redirect-list for service group 98: first match wins, implicit deny at the end,
! so only the two permit entries (host 172.19.30.96 to tcp/80 and tcp/443) are redirected.
ip access-list FNB-WCCP
  10 deny ip 172.19.0.0/16 156.99.45.0/25
  20 deny ip 172.19.0.0/16 156.99.46.0/25
  30 deny ip 172.19.0.0/16 156.99.112.0/25
  40 deny ip 172.19.0.0/16 156.99.242.208/28
  50 deny ip 172.19.0.0/16 156.99.167.192/26
  60 deny ip 172.19.0.0/16 156.99.8.192/28
  70 deny ip 172.19.0.0/16 156.99.193.0/25
  80 deny ip 172.19.0.0/16 192.168.0.0/16
  90 permit tcp 172.19.30.96/32 any eq www
  100 permit tcp 172.19.30.96/32 any eq 443
!
! Egress redirection on the firewall-facing SVI
interface Vlan38
  no ip redirects
  ip address 172.19.38.3/24
  ip ospf passive-interface
  ip router ospf 100 area 0.0.0.0
  ip wccp 98 redirect out
  hsrp 38
    authentication text deed
    preempt
    priority 110
    ip 172.19.38.1
  description IP Inside Firewall
  no shutdown
!

interface Vlan39
  description Bluecoat
  no shutdown
  no ip redirects
  ip address 172.19.39.3/24
  ip ospf passive-interface
  ip router ospf 100 area 0.0.0.0
  ip wccp redirect exclude in
  hsrp 39
    authentication text deed
    preempt
    priority 110
    ip 172.19.39.1


Two other pieces of information that I think are relevant are that the ProxySG was configured to use the HSRP virtual IP address of the SVI on the Nexus and that wccp is in L2 mode (not GRE).


So here's the problem. When the ProxySG receives traffic that is to be bypassed (policy NOT applied), it seems to send the traffic back to the Nexus but not via WCCP. In other words, the "Total Bypassed Packets Received" counter doesn't increment. The traffic comes back to the Nexus because the ProxySG sends the traffic on its way towards the Internet and, since the Nexus is the default gateway for the ProxySG, that's where it goes. The problem is (at least this is what I think) that the Nexus then tries to send it back out. In the process it hits the wccp redirect ACL again and it goes back to the ProxySG. This loop is repeated over and over again. This is what I see when I do a packet capture on the port connected to the ProxySG. I think that I can get around this if I move the ProxySG to VLAN38 and change the default gw of the ProxySG to the firewall's address. I am wondering about this counter "Total Bypassed Packets Received". That counter seems to suggest that if the web-cache engine determines that the traffic is to bypass policy, it'd send it back to the wccp server for normal processing.

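As an added illustration of the loop described in the post above (example code written for this page, not Cisco or Blue Coat code): a small Python model of the NX-OS redirect-list decision on Vlan38, with the FNB-WCCP list taken verbatim from the post. It shows why a packet the ProxySG bypasses and forwards unchanged to its default gateway matches the same permit entry again on the next pass, and how either an honoured `ip wccp redirect exclude in` on Vlan39 or the poster's workaround (ProxySG default gateway on the firewall) ends the loop. The client VLAN name (Vlan30), the sample destination 93.184.216.34 and the hop limit are assumptions; the `honour_exclude_in` switch only models whether the exclusion takes effect, since the thread reports a TAC-identified bug but does not say what it is.

```python
"""Constructed model of the WCCP redirect loop from the post.  Not Cisco or
Blue Coat code; the ACL text is the poster's, everything else is assumed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# The redirect-list exactly as posted (constructed input for parse_acl below).
FNB_WCCP = """
10 deny ip 172.19.0.0/16 156.99.45.0/25
20 deny ip 172.19.0.0/16 156.99.46.0/25
30 deny ip 172.19.0.0/16 156.99.112.0/25
40 deny ip 172.19.0.0/16 156.99.242.208/28
50 deny ip 172.19.0.0/16 156.99.167.192/26
60 deny ip 172.19.0.0/16 156.99.8.192/28
70 deny ip 172.19.0.0/16 156.99.193.0/25
80 deny ip 172.19.0.0/16 192.168.0.0/16
90 permit tcp 172.19.30.96/32 any eq www
100 permit tcp 172.19.30.96/32 any eq 443
"""

PORT_NAMES = {"www": 80, "https": 443}   # names NX-OS prints after `eq`


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                # "permit" = redirect, "deny" = route normally
    proto: str                 # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _net(tok: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok)


def parse_acl(text: str) -> List[Rule]:
    """Parse `seq action proto src dst [eq port]` lines as NX-OS prints them."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        dport = None
        if len(tok) >= 7 and tok[5] == "eq":
            dport = PORT_NAMES.get(tok[6]) or int(tok[6])
        rules.append(Rule(int(tok[0]), tok[1], tok[2], _net(tok[3]), _net(tok[4]), dport))
    return rules


def redirect_list_permits(rules: List[Rule], pkt: Packet) -> bool:
    """Redirect-list semantics: first matching entry wins, permit means
    'redirect to the cache engine', deny means 'route normally', and the
    implicit deny at the end leaves unmatched traffic unredirected."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action == "permit"
    return False


def nexus_next_hop(rules: List[Rule], pkt: Packet, ingress_vlan: str,
                   honour_exclude_in: bool) -> str:
    """Where the Nexus sends an Internet-bound packet.  Egress is Vlan38, which
    carries `ip wccp 98 redirect out`; packets that arrived on Vlan39 skip
    redirection only when that SVI's `ip wccp redirect exclude in` takes effect."""
    if ingress_vlan == "Vlan39" and honour_exclude_in:
        return "firewall"
    if redirect_list_permits(rules, pkt):
        return "proxysg"
    return "firewall"


def trace_bypassed_flow(pkt: Packet, honour_exclude_in: bool = True,
                        proxy_gateway: str = "nexus",
                        max_hops: int = 8) -> Tuple[List[str], str]:
    """Follow a packet the ProxySG bypasses (it forwards the original packet,
    client source address intact, to its default gateway instead of returning it
    over WCCP).  Returns the hop list and "delivered" or "loop"."""
    rules = parse_acl(FNB_WCCP)
    ingress = "Vlan30"                      # assumed client VLAN for 172.19.30.96
    hops: List[str] = []
    while len(hops) < max_hops:
        nxt = nexus_next_hop(rules, pkt, ingress, honour_exclude_in)
        hops.append(nxt)
        if nxt == "firewall":
            return hops, "delivered"
        if proxy_gateway == "firewall":     # poster's workaround: ProxySG on VLAN38
            hops.append("firewall")
            return hops, "delivered"
        ingress = "Vlan39"                  # back in through the Bluecoat SVI


    return hops, "loop"


if __name__ == "__main__":
    web = Packet("172.19.30.96", "93.184.216.34", "tcp", 80)   # assumed destination
    print("exclude-in ignored :", trace_bypassed_flow(web, honour_exclude_in=False))
    print("exclude-in honoured:", trace_bypassed_flow(web, honour_exclude_in=True))
    print("gateway = firewall :", trace_bypassed_flow(web, False, proxy_gateway="firewall"))
```

The model captures the point the poster makes about the ACL: a bypassed packet still carries the client's source address, so entries 90 and 100 match it on every pass through Vlan38 until something stops the packet being evaluated again; the deny entries only protect the listed destinations, and an unlisted source or port never enters the loop at all.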
bportnoy Wed, 09/19/2012 - 08:44

We ran into problems as well, but were on an unsupported NX-OS version.  What version of NX-OS are you running?


Cheers,

Ben

sdavids5670 Wed, 09/19/2012 - 08:52

6.0(2).


I opened a TAC case on this and the TAC engineer stated that I was hitting a new bug.

bportnoy Wed, 09/19/2012 - 10:32

Thank you for the information.  We'll keep an eye on that when we're ready to move to 6.


Cheers,

Ben
