Can't really find my answer and have some mixed comments and articles out there. From what I can tell there is not Active/Standby configuration for the WSA's. I did hear that there is a clustering configuration for the WSA's that would allow my licensing to apply to the cluster? The scenario is I have 2 WSA devices, while the ASA will only support 1 WSA for WCCP as the limitation is ASA side, I have two sitting there and only 1 actually working. Now I have both IPs listed in the object group for the ASA in the even one fails I assume the ASA would query the other one, not entirely sure though. So if I have licensing for 350 users, do I need to purchase two of those packages for each WSA or will that license apply to both? I think it will apply to both since I read something about unlimited amount of WSA virtual appliances as long as I do not exceed my seat licenses, so I assume this would also apply to the physical units as well.
This is what useful info I found, but not sure 100%.
"It would be licensed per cluster, so in this scenario we would quote the customer 300 user licenses. The licenses would failover to the standby unit in the event of a failure."
WSA's are licensed per seat, plus purchasing the hardware. So yes you're covered for your x users on as many WSAs as you want...eg if you were running vms you could do 5, 10, 100 WSAv's you're covered for your 350 users. So no, you don't have to purchase a second set of user licensing. You do have to get the appropriate feature keys on you WSAs though (which don't reference user counts in any way)
ASAs can support up to 32 WSAs. (a WCCP version 2 limit) Not sure where you got that. I have 2...and I've done 3
Make sure your acl is correct so you don't get into loops:
access-list WCCP_Redirect extended deny ip any4 object-group myInternalNet
access-list WCCP_Redirect extended deny ip host 172.16.15.10 any4 <--wsa
access-list WCCP_Redirect extended deny ip host 172.16.15.11 any4 <--wsa
access-list WCCP_Redirect extended permit ip object-group myInternalNet any4
In this instance, the ASA is the router. The WSA is the web cache engine.
So you can't have 2 ASAs both doing redirection at the same time to the same service group, so an active/active ASA cluster would have issues. An active/passive ASA cluster works, though the web conversations get dropped because the ASAs don't copy the redirection table, but since web connections tend to be ephemeral, users don't see much disruption.
Ahh that makes sense, I guess I was mixing up the roles within the scenario. But I could have an ASA doing WCCP for clients to going to the internet and then a WAN site to site router doing WCCP for traffic going to another site correct?
Yes, though you don't have to do it that way if you don't want to. I know I wouldn't, because you get no failover that way....
All WAN sites come back to our data center and that ASA active/passive cluster has WCCP pointed at a pair of WSAs.
We have three sites connected via metro-E links, in essentially a triangle, so traffic can route the opposite way in the event of a failure. So Internet exists at all sites, so all my user traffic comes from building 1 through core 4500's then out to ASA's to hit the internet. The WAN router for the other sites, hangs off the core 4500's, so in the event the local internet is down, we would route the user traffic out to building 2 or 3 for internet. So would you still suggest sending all traffic to the ASA then back down to the core, then over to the router?
Putting them all in the central site may not be the right choice, depending upon how/where from your routes are published, and how things act when a route is down.
We had to publish our internet route from the ASAs for some reason, so if the internet is down, that route gets pruned, and the web traffic would never hit it to to get WCCP'd to the WSA stack.
You may want to split your WSA's up in that case...
Yes I have thought about that with the ability to use current physical licensing for VM's. I could keep the two appliances at the main HQ where all the users are and put some VM's out at the datacenters for failover internet reasons
If you have the infrastructure to do that, that's exactly what I'd do... you could put just one in each site, and if you only have 350 users, an S100V is plenty (that's what we run for about 450). YMMV...
We have S370s for physical hardware, I think that's kind of overkill, but security department knows all! LOL.
I think that's the venture I am going to take. I have ASA's at every site so roll up some VMs for failover and I am good to go. Then just work on the routing...that's the nightmare.