08-11-2010 02:10 PM
I have a remote office and set up a site-to-site VPN to HQ using an ASA at both locations. All data traffic and internet browsing go over the VPN link back to HQ.
Everything was working fine, but a strange thing happened: there are 2 users who cannot connect to the internet. If I bypass these 2 users from the IronPort,
then their internet works fine. The IronPort is set up as transparent and WCCP is configured on the ASA here in HQ.
If I put those users back on the access list on the ASA for the WSA, then their internet browsers connect, but there is no error and no web page is displayed.
They keep getting "Waiting for www.yahoo.com" with the hourglass. I turned on the access log and saw the connection established without any deny in the log.
Does anyone have any idea?
Thank you.
08-11-2010 04:11 PM
You said only two users have the problem; does that mean other users on the same remote subnet through the VPN, also configured for WCCP on the main office ASA and redirected to the WSA, are working fine? If other users work fine, are the two users using the same identity configured on the WSA, and going through the same access policy?
You can also check the access logs on the WSA for the non-working user and the working user to see the difference in the logs when going to the same internet URL. Guide for access logs on WSA here: http://tinyurl.com/6ekeec
Otherwise you will need to trace where the packets from the client are being lost going to the internet.
Packet captures of the client's traffic on the ASA and WSA will possibly need to be done to find out.
Some good info on the forum for ASA packet capture here:
https://supportforums.cisco.com/docs/DOC-1222
I suggest doing it on the interface facing the WSA, and filter on the client ip address.
Capture on WSA here http://tinyurl.com/g4qxy
I suggest doing the capture on the interface facing the ASA, and filter on the client ip address.
I hope this helps you get further on your troubleshooting.
Regards,
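The access-log comparison suggested in the reply above, as an added example that is not part of the original posts and not Cisco tooling. The Squid-style field order, the client IPs and the log lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines, not taken from the thread. Assumed field order:
# time elapsed client_ip CODE/status bytes method URL ...
SAMPLE_LOG = """\
1281550200.101 120 10.1.20.11 TCP_MISS/200 8187 GET http://www.yahoo.com/ - DIRECT/www.yahoo.com text/html
1281550201.250 95 10.1.20.11 TCP_MISS/200 1432 GET http://www.example.com/ - DIRECT/www.example.com text/html
1281550205.432 30012 10.1.20.57 TCP_MISS/504 0 GET http://www.yahoo.com/ - DIRECT/www.yahoo.com -
"""

def parse_line(line):
    """Return (client_ip, host, 'CODE/status') or None for a malformed line."""
    fields = line.split()
    if len(fields) < 7 or "/" not in fields[3]:
        return None
    url = fields[6]
    # URLs without a scheme (host:port) are split on the colon instead.
    host = urlsplit(url).hostname if "://" in url else url.split(":")[0]
    return fields[2], host, fields[3]

def results_by_host(log_text, client_ip):
    """Map host -> set of 'CODE/status' values logged for one client."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[0] == client_ip:
            seen[rec[1]].add(rec[2])
    return dict(seen)

def compare_clients(log_text, working_ip, failing_ip):
    """Report hosts where the two clients' logged results differ."""
    good = results_by_host(log_text, working_ip)
    bad = results_by_host(log_text, failing_ip)
    diffs = {}
    for host in sorted(set(good) | set(bad)):
        g, b = good.get(host, set()), bad.get(host, set())
        if g != b:
            diffs[host] = {"working": sorted(g) or ["no entries"],
                           "failing": sorted(b) or ["no entries"]}
    return diffs

if __name__ == "__main__":
    for host, d in compare_clients(SAMPLE_LOG, "10.1.20.11", "10.1.20.57").items():
        print(host, "working:", d["working"], "failing:", d["failing"])
```

A host that shows "no entries" for the failing client means none of its requests for that host were logged by the WSA, which is where the packet captures on the ASA and WSA come in.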
08-12-2010 10:09 AM
Edadios,
Thanks for the feedback. The 2 users are on the same subnet as the rest of the users at the remote location and use the same identity on the WSA and
the same access policy. That is why it is a bit strange to me.
As soon as I get hold of the user's PC and do the testing with packet capture, I will let you know.