Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
846
Views
0
Helpful
2
Replies

IronPort and Internet

ttran
Level 1
Level 1

‎08-11-2010 02:10 PM

I have a remote office and setup site to site vpn to HQ using ASA for both location.  All data traffic and internet browser on the VPN link back to HQ.

Everything is working fine and strange thing happened that there are 2 users can not connect to internet.  If I bypass these 2 users from Ironport

then their internet are working fine.  The IronPort setup as transparent and wccp configure on the ASA here in HQ.

If I put those users back on the access list on the ASA for WSA then their internet browser are connecting but no error no webpage display.

Keep getting waiting for www.yahoo.com like hours glass.  Turn on the access log and saw the connection established without any deny on the log.

Anyone has any idea?

Thank you.

Labels:
0 Helpful
2 Replies 2

edadios
Cisco Employee
Cisco Employee

‎08-11-2010 04:11 PM

You said only two users has the problem, does that mean other users on same remote subnet through the vpn, also configured for WCCP on the main office ASA and redirected to the WSA is working fine? If other users work fine, are the two users using the same identity configured on the WSA, and going through the same access policy?

You can also check the access logs on the WSA for the none working user, and the working user to see the difference in logs, if going through the same internet url. Guide for access logs on WSA here http://tinyurl.com/6ekeec

Otherwise you will need to trace where the packets from the client is being lost going to the internet.

Packet captures for traffic of the client on ASA and WSA will possibly need to be done to find out.

Some good info on forum for ASA packet capture her

https://supportforums.cisco.com/docs/DOC-1222

I suggest doing it on the interface facing the WSA, and filter on the client ip address.

Capture on WSA here http://tinyurl.com/g4qxy

I suggest doing the capture on the interface facing the ASA, and filter on the client ip address.

I hope this helps you get further on your troubleshooting.

Regards,

0 Helpful

ttran
Level 1
Level 1
In response to edadios

‎08-12-2010 10:09 AM

Edadios,

Thanks for the feedback.  The 2 users are on the same subnet with the rest of users at remote location and use same identity on WSA and

same access policy.  That is why a bit strange for me.

As soon as I get hold of user PC and do the testing with packet capture I will let you know.

0 Helpful
Customers Also Viewed These Support Documents