I currently have WCCP redirection set up on my ASA 5520 to redirect to an IronPort on IP address 10.11.1.10. The ASA inside IP is 10.11.1.1 and the IronPort is set up for transparent redirection to that IP. This all works well, and the Service Identifier I'm using for WCCP is 95.
I am now creating another WCCP group because on my IronPort I have 4 interfaces, so I wanted to use them for our admin network. So I created an ACL on the ASA for our admin traffic and I want to redirect that using Service Identifier 94 to the IP on the IronPort of 10.11.1.22. But I can't get traffic to redirect; instead I see the following:
Group access-list: WCCP_IronportInterface_for_Users
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
You can see that ID group 94 is the one I'm having difficulty with. All messages are denied and I'm not sure why. I can still get out to the web; my traffic just isn't being redirected to the IronPort.
The messages are being denied because there are no cache engines available for service group 94:
Number of Cache Engines: 0
I would suggest setting up a quick packet capture on the interface for all traffic to and from 10.11.1.22. This will give you a better idea of where the communication between the ASA and the WSA is failing.
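The check described in the reply above can be scripted against saved `show wccp` output. This is an added example, not part of the original thread: the sample text is constructed in the layout of the ASA output (the ACL names and counter values are made up), and the function names are hypothetical.

```python
# Constructed sample in the layout of ASA "show wccp" output (values are illustrative).
SAMPLE = """\
Global WCCP information:
    Router information:
        Router Identifier:                   10.11.1.1
        Protocol Version:                    2.0

    Service Identifier: 94
        Number of Cache Engines:             0
        Group access-list:                   ADMIN_GROUP_ACL
        Total Messages Denied to Group:      37
        Total Authentication failures:       0

    Service Identifier: 95
        Number of Cache Engines:             1
        Group access-list:                   USERS_GROUP_ACL
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
"""

def parse_show_wccp(text):
    """Return {service_id: {field: value}} for each 'Service Identifier' block."""
    groups, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # blank line or a line without a 'name: value' pair
        key, value = key.strip(), value.strip()
        if key == "Service Identifier":
            current = groups.setdefault(value, {})
        elif current is not None:  # fields before the first group are router-wide
            current[key] = int(value) if value.isdigit() else value
    return groups

def diagnose(groups):
    """Map each service id to the registration problems its counters indicate."""
    def count(fields, name):
        value = fields.get(name, 0)
        return value if isinstance(value, int) else 0
    report = {}
    for sid, fields in groups.items():
        problems = []
        if count(fields, "Number of Cache Engines") == 0:
            problems.append("no cache engine registered")
        if count(fields, "Total Messages Denied to Group") > 0:
            problems.append("WCCP messages denied by group access-list")
        if count(fields, "Total Authentication failures") > 0:
            problems.append("WCCP authentication failures")
        report[sid] = problems
    return report

if __name__ == "__main__":
    for sid, problems in diagnose(parse_show_wccp(SAMPLE)).items():
        print(f"service group {sid}: {', '.join(problems) or 'ok'}")
```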