Need wccp configuration assistance

sdavids5670
Level 2

I'm running wccp between a Nexus 7K and a Bluecoat ProxySG.  I've attached a Visio which shows an overview of how all the pieces fit together.  I'll also describe it here:

For the purpose of discussing this issue, only two VLANs on the 7K matter.  These are VLAN38, on which the firewall to the Internet is attached on the Inside, and VLAN39, on which the web-cache engine (ProxySG) is attached.  The relevant wccp configuration is below:

feature wccp
!
ip wccp 97 redirect-list Remote-WCCP
ip wccp 98 redirect-list FNB-WCCP
!
ip access-list FNB-WCCP
  10 deny ip 172.19.0.0/16 156.99.45.0/25
  20 deny ip 172.19.0.0/16 156.99.46.0/25
  30 deny ip 172.19.0.0/16 156.99.112.0/25
  40 deny ip 172.19.0.0/16 156.99.242.208/28
  50 deny ip 172.19.0.0/16 156.99.167.192/26
  60 deny ip 172.19.0.0/16 156.99.8.192/28
  70 deny ip 172.19.0.0/16 156.99.193.0/25
  80 deny ip 172.19.0.0/16 192.168.0.0/16
  90 permit tcp 172.19.30.96/32 any eq www
  100 permit tcp 172.19.30.96/32 any eq 443
!
interface Vlan38
  no ip redirects
  ip address 172.19.38.3/24
  ip ospf passive-interface
  ip router ospf 100 area 0.0.0.0
  ip wccp 98 redirect out
  hsrp 38
    authentication text deed
    preempt
    priority 110
    ip 172.19.38.1
  description IP Inside Firewall
  no shutdown
!
interface Vlan39
  description Bluecoat
  no shutdown
  no ip redirects
  ip address 172.19.39.3/24
  ip ospf passive-interface
  ip router ospf 100 area 0.0.0.0
  ip wccp redirect exclude in
  hsrp 39
    authentication text deed
    preempt
    priority 110
    ip 172.19.39.1

Two other pieces of information that I think are relevant are that the ProxySG was configured to use the HSRP virtual IP address of the SVI on the Nexus and that wccp is in L2 mode (not GRE).

So here's the problem.  When the ProxySG receives traffic that is to be bypassed (policy NOT applied) it seems to send the traffic back to the Nexus but not via WCCP.  In other words, the "Total Bypassed Packets Received" counter doesn't increment.  The traffic comes back to the Nexus because the ProxySG sends the traffic on its way towards the Internet and since the Nexus is the default gateway for the ProxySG, that's where it goes.  The problem is (at least this is what I think) that the Nexus then tries to send it back out.  In the process it hits the wccp redirect ACL again and it goes back to the ProxySG.  This loop is repeated over and over again.  This is what I see when I do a packet capture on the port connected to the ProxySG.  I think that I can get around this if I move the ProxySG to VLAN38 and change the default gw of the ProxySG to the firewall's address.  I am wondering about this counter "Total Bypassed Packets Received".  That counter seems to suggest that if the web-cache engine determines that the traffic is to bypass policy that it'd send it back to the wccp server for normal processing.
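The redirect-list evaluation and the bypass loop described above, as an added Python model that is not part of the original post or of any Cisco or Blue Coat code: it parses the FNB-WCCP list exactly as posted, applies first-match semantics with the implicit deny at the end, and then walks a packet through the forwarding path the poster describes. The model assumes the proxy preserves the client's source and destination addresses when it bypasses a flow (transparent interception) and treats `redirect exclude in` on Vlan39 as a switch that the forwarding path either honours or ignores; both are assumptions of the model, not facts from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Redirect-list copied verbatim from the post (sequence-ordered, implicit deny at the end).
FNB_WCCP = """
10 deny ip 172.19.0.0/16 156.99.45.0/25
20 deny ip 172.19.0.0/16 156.99.46.0/25
30 deny ip 172.19.0.0/16 156.99.112.0/25
40 deny ip 172.19.0.0/16 156.99.242.208/28
50 deny ip 172.19.0.0/16 156.99.167.192/26
60 deny ip 172.19.0.0/16 156.99.8.192/28
70 deny ip 172.19.0.0/16 156.99.193.0/25
80 deny ip 172.19.0.0/16 192.168.0.0/16
90 permit tcp 172.19.30.96/32 any eq www
100 permit tcp 172.19.30.96/32 any eq 443
"""

# Port keywords used in the posted list; "443" is given numerically there.
WELL_KNOWN_PORTS = {"www": 80, "https": 443}


@dataclass
class Ace:
    seq: int
    action: str            # "permit" = redirect to the cache, "deny" = forward normally
    proto: str             # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None when the entry has no "eq <port>" qualifier


def parse_net(token: str) -> ipaddress.IPv4Network:
    """'any' becomes 0.0.0.0/0; everything else is a prefix as written."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(token, strict=False)


def parse_acl(text: str):
    """Parse NX-OS style ACEs ('<seq> <action> <proto> <src> <dst> [eq <port>]')."""
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        seq, action, proto = int(toks[0]), toks[1], toks[2]
        src, dst = parse_net(toks[3]), parse_net(toks[4])
        dport = None
        if len(toks) >= 7 and toks[5] == "eq":
            dport = WELL_KNOWN_PORTS.get(toks[6]) or int(toks[6])
        aces.append(Ace(seq, action, proto, src, dst, dport))
    return sorted(aces, key=lambda a: a.seq)


ACES = parse_acl(FNB_WCCP)


def redirected(aces, proto: str, src: str, dst: str, dport: int) -> Tuple[Optional[int], bool]:
    """First-match lookup: returns (matching sequence or None, redirect?).

    A 'permit' in a WCCP redirect-list means the packet goes to the cache engine;
    'deny' and the implicit deny mean it is forwarded normally.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.seq, ace.action == "permit"
    return None, False


def redirects_before_egress(aces, flow: dict, honor_exclude_in: bool, max_hops: int = 10) -> int:
    """Model of the path the poster describes: count how many times one packet is
    handed to the proxy before it finally leaves Vlan38 towards the firewall.

    Assumptions of this model: the proxy bypasses policy and returns the packet to
    its default gateway with source/destination unchanged; 'redirect exclude in'
    on Vlan39, when honoured, stops the returned packet from matching again.
    Returns max_hops if the packet is still looping.
    """
    redirects = 0
    ingress = "client-vlan"           # first pass arrives from the client side
    while redirects < max_hops:
        excluded = honor_exclude_in and ingress == "Vlan39"
        _, hit = redirected(aces, **flow)
        if excluded or not hit:
            return redirects          # routed out Vlan38 to the firewall
        redirects += 1                # redirected to the ProxySG ...
        ingress = "Vlan39"            # ... which bypasses and sends it back
    return redirects


if __name__ == "__main__":
    flow = {"proto": "tcp", "src": "172.19.30.96", "dst": "8.8.8.8", "dport": 443}
    print("redirect-list match:", redirected(ACES, **flow))
    print("exclude-in honoured:", redirects_before_egress(ACES, flow, True))
    print("exclude-in ignored :", redirects_before_egress(ACES, flow, False))
```

Run as a script it prints the matching sequence number for the test client's HTTPS flow, one redirect when the exclude-in is honoured, and the hop cap when it is not, which is the behaviour the packet capture on the proxy port shows. The same `redirected` lookup doubles as a quick check of which internal destinations the deny entries keep away from the proxy.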

3 Replies

bportnoy
Level 1

We ran into problems as well, but were on an unsupported NX-OS version.  What version of NX-OS are you running?

Cheers,

Ben

6.0(2).

I opened a TAC case on this and the TAC engineer stated that I was hitting a new bug.

Thank you for the information.  We'll keep an eye on that when we're ready to move to 6.

Cheers,

Ben
