WSA Router Identifier is taking highest IP:DMZ instead of inside

WSA---->L3_SWITCH----->(inside)ASA(dmz)----

++ The ASA is not redirecting packets to the WSA; however, I see the HELLOs are exchanged.

++ The L3 switch has a route to reach the ASA DMZ interface.

++ In the WSA I have configured both the inside and DMZ IPs under WSA > Transparent Redirection > Router IP address.

 

WCCP-PKT:S00: Received valid Here_I_Am packet from 10.101.68.200 w/rcv_id 00000043

WCCP-PKT:S00: Sending I_See_You packet to 10.101.68.200 w/ rcv_id 00000044

 

Global WCCP information:
Router information:
Router Identifier: 192.168.243.254
Protocol Version: 2.0

Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 0
Redirect access-list: wccp_traffic
Total Connections Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: wccp-server
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0

 

Could you please let me know if I am missing something?

Appreciate your help!

11 Replies

What version of ASA code are you running?

I seem to remember having an issue like this on 8.2 or 8.4? I'll go digging in my tickets...

Thanks for responding.

Version: 9.8(2)

Please feel free to let me know if you need any kind of information regarding the setup or config.

FYI, here is the config on the ASA:

WSA----L3_switch-----(inside)ASA(dmz)

 

WSA IP: 10.101.68.200

ASA inside IP: 10.101.71.65

ASA DMZ IP: 192.168.243.254 ----> highest IP address

 

Configuration:

-----------

wccp 90 redirect-list wccp_traffic group-list wccp-server
wccp interface inside 90 redirect in

 

access-list wccp-server extended permit ip host 10.101.68.200 any

 

access-list wccp_traffic extended permit tcp host 10.101.64.112 any eq www
access-list wccp_traffic extended permit tcp host 10.101.64.112 any eq https
access-list wccp_traffic extended deny ip any any

 

Show command output:

--------------------

###sh wccp 90

Global WCCP information:
Router information:
Router Identifier: 192.168.243.254
Protocol Version: 2.0

Service Identifier: 90
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 0
Redirect access-list: wccp_traffic
Total Connections Denied Redirect: 1675
Total Packets Unassigned: 0
Group access-list: wccp-server
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0

 

###sh wccp 90 detail

WCCP Cache-Engine information:
Web Cache ID: 10.101.68.200
Protocol Version: 2.0
State: Usable
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Hash Allotment: 0 (0.00%)
Packets Redirected: 0
Connect Time: 03:00:16

 

###sh wccp 90 view
WCCP Routers Informed of:
192.168.243.254

WCCP Cache Engines Visible:
10.101.68.200

WCCP Cache Engines NOT Visible:
-none-

 

##Debug hello packets

WCCP-PKT:D90: Sending I_See_You packet to 10.101.68.200 w/ rcv_id 00000417

WCCP-PKT:D90: Received valid Here_I_Am packet from 10.101.68.200 w/rcv_id 00000417

 

 

Configuration on WSA:

--------------------

Allow GRE only for forward and return packets

Allow Hash only

Router IP address: 192.168.243.254, 10.101.71.65

Looking at mine in production, the router identifier is NOT the interface that is connected.

It's the highest IP on the ASA. Did a little digging, and I'm pretty sure that's just how the ASA works (see my show wccp below).

 

My bug was in 9.1.1 (CSCue02226)... unrelated...

 

My WCCP config doesn't have a server list, I just use the password.

Are you trying to surf from 10.101.64.112?

 


Global WCCP information:
    Router information:
 Router Identifier:                   172.25.0.1
 Protocol Version:                    2.0

    Service Identifier: 90
 Number of Cache Engines:             1
 Number of routers:                   1
 Total Packets Redirected:            36880541
 Redirect access-list:                WCCP_Redirect
 Total Connections Denied Redirect:   609
 Total Packets Unassigned:            658
 Group access-list:                   -none-
 Total Messages Denied to Group:      0
 Total Authentication failures:       0
 Total Bypassed Packets Received:     65925

yes. I'm trying to surf from 10.101.64.112.

Could you tell me if it is using the DMZ IP or the inside IP to contact the WSA?

The HELLOs are exchanged, but probably the engine is rejecting the WCCP GRE packets from the router ID, or vice versa.

The communication would be over the inside IP/port.




WSA-10.101.68.200---->L3_switch----->(inside-10.101.71.65)ASA(dmz-192.168.243.254)

 

I have turned on captures on the ASA inside interface.
I see the WSA is communicating with both the inside and the DMZ interface.

 

First capture: WSA communicating with the inside interface of the ASA
============

1: 05:47:42.409005 10.101.68.200.2048 > 10.101.71.65.2048: udp 120
2: 05:47:42.409082 10.101.71.65.2048 > 10.101.68.200.2048: udp 140
3: 05:47:52.424569 10.101.68.200.2048 > 10.101.71.65.2048: udp 120
4: 05:47:52.424630 10.101.71.65.2048 > 10.101.68.200.2048: udp 140
5: 05:48:02.380153 10.101.68.200.2048 > 10.101.71.65.2048: udp 120
6: 05:48:02.380214 10.101.71.65.2048 > 10.101.68.200.2048: udp 140


Second capture: WSA communicating with the DMZ interface of the ASA ===> BLOCKED
==============
Packet tracer shows: Drop-reason: (no-route) No route to host

1: 05:47:32.393366 10.101.68.200.2048 > 192.168.243.254.2048: udp 148
2: 05:47:42.408975 10.101.68.200.2048 > 192.168.243.254.2048: udp 148
3: 05:47:52.424523 10.101.68.200.2048 > 192.168.243.254.2048: udp 148

 

 

So why is the WSA talking to the DMZ interface then? As far as I know, by design we cannot talk/communicate to the ASA's other interface IP.
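The checks the thread walks through by hand (which router IP the ASA announces, which of the WSA's configured router IPs actually answer on UDP/2048, whether the engine ever got a hash assignment, and whether the redirect-list covers the test client) can be scripted. The block below is an added example written for this page; it is not code from the thread, from Cisco, or from the WSA/ASA products. It assumes the topology values the original poster shared (interface IPs, the `wccp_traffic` ACL, the two WSA router entries), a constructed web-server address 198.51.100.10 for the ACL check, and its own finding labels; the ACL matcher only understands `any`, `host A` and `A MASK` address specs with an optional `eq PORT`, which is all the posted ACL uses. Sample `show wccp` and capture text is constructed from the values posted above.

```python
"""Sanity checks for an ASA -> WSA WCCP service, built from the artefacts
shared in this thread: 'show wccp' output, the redirect-list, the WSA router
list and an ASA capture of UDP/2048 control traffic.  Added example; all
inputs below are constructed from the posted values, not live data."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: 'show wccp 90' plus the 'detail' section, as posted.
SHOW_WCCP = """\
Router Identifier: 192.168.243.254
Protocol Version: 2.0
Service Identifier: 90
Number of Cache Engines: 1
Total Packets Redirected: 0
Redirect access-list: wccp_traffic
Total Connections Denied Redirect: 1675
Total Packets Unassigned: 0
Group access-list: wccp-server
Web Cache ID: 10.101.68.200
State: Usable
Hash Allotment: 0 (0.00%)
Packets Redirected: 0
Connect Time: 03:00:16
"""

# Constructed sample: ASA capture on 'inside' (WCCP control rides on UDP/2048).
CAPTURE = """\
1: 05:47:32.393366 10.101.68.200.2048 > 192.168.243.254.2048: udp 148
2: 05:47:42.409005 10.101.68.200.2048 > 10.101.71.65.2048: udp 120
3: 05:47:42.409082 10.101.71.65.2048 > 10.101.68.200.2048: udp 140
4: 05:47:42.408975 10.101.68.200.2048 > 192.168.243.254.2048: udp 148
"""

# Assumed topology values from the thread; WCCP_INTERFACE carries 'wccp ... redirect in'.
ASA_INTERFACES = {"inside": "10.101.71.65", "dmz": "192.168.243.254"}
WCCP_INTERFACE = "inside"
REDIRECT_LIST = [
    "access-list wccp_traffic extended permit tcp host 10.101.64.112 any eq www",
    "access-list wccp_traffic extended permit tcp host 10.101.64.112 any eq https",
    "access-list wccp_traffic extended deny ip any any",
]
WSA_ROUTER_IPS = ["192.168.243.254", "10.101.71.65"]  # what the poster entered on the WSA
PORT_NAMES = {"www": 80, "http": 80, "https": 443}


def parse_show_wccp(text):
    """'Key: value' lines -> dict; counters and allotments become ints."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][^:]*):\s*(.*)$", line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        num = re.match(r"\d+", val)
        counter = key.startswith(("Total", "Number", "Packets", "Hash"))
        info[key] = int(num.group()) if (num and counter) else val
    return info


def parse_capture(text):
    """(src, dst) pairs for UDP/2048 packets in ASA 'show capture' output."""
    pat = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.2048 > (\d+\.\d+\.\d+\.\d+)\.2048: udp")
    return [(m.group(1), m.group(2)) for m in map(pat.search, text.splitlines()) if m]


def _match_addr(tokens, ip):
    """Consume one address spec ('any' | 'host A' | 'A MASK'); return (rest, matched)."""
    if tokens[0] == "any":
        return tokens[1:], True
    if tokens[0] == "host":
        return tokens[2:], ip == ip_address(tokens[1])
    return tokens[2:], ip in ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)


def acl_permits(aces, src, dst, dport):
    """First-match evaluation of an ASA extended ACL for one TCP flow (implicit deny)."""
    src, dst = ip_address(src), ip_address(dst)
    for ace in aces:
        t = ace.split()  # access-list NAME extended ACTION PROTO SRC DST [eq PORT]
        action, proto, rest = t[3], t[4], t[5:]
        rest, s_ok = _match_addr(rest, src)
        rest, d_ok = _match_addr(rest, dst)
        p_ok = not rest or (rest[0] == "eq" and int(PORT_NAMES.get(rest[1], rest[1])) == dport)
        if proto in ("ip", "tcp") and s_ok and d_ok and p_ok:
            return action == "permit"
    return False


def diagnose(show, capture, interfaces, wccp_ifc, aces, wsa_routers, client, dport=80):
    """Return a list of finding codes; an empty list means nothing obviously wrong."""
    info, pairs, findings = parse_show_wccp(show), parse_capture(capture), []
    wccp_ip, engine = interfaces[wccp_ifc], info.get("Web Cache ID")
    if info.get("Router Identifier") != wccp_ip:
        # Normal on ASA (highest interface IP wins); the WSA must still target wccp_ip.
        findings.append("router-id-is-not-wccp-interface")
    for r in wsa_routers:
        if r != wccp_ip:
            findings.append(f"wsa-router-list-extra:{r}")
        if (engine, r) in pairs and (r, engine) not in pairs:  # Here_I_Am sent, no I_See_You
            findings.append(f"router-unreachable-no-I_See_You:{r}")
    if info.get("State") == "Usable" and info.get("Hash Allotment") == 0:
        findings.append("engine-usable-but-no-hash-assignment")
    if not acl_permits(aces, client, "198.51.100.10", dport):  # constructed web server IP
        findings.append(f"redirect-list-denies-client:{client}")
    if info.get("Total Packets Redirected") == 0 and info.get("Total Connections Denied Redirect", 0) > 0:
        findings.append("connections-denied-redirect-but-nothing-redirected")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SHOW_WCCP, CAPTURE, ASA_INTERFACES, WCCP_INTERFACE,
                            REDIRECT_LIST, WSA_ROUTER_IPS, "10.101.64.112"):
        print(finding)
```

Run against the posted values, the script reports that the router ID differs from the WCCP interface (expected on ASA), that 192.168.243.254 is an extra router entry which sends Here_I_Am but never gets an I_See_You back, that the engine is Usable with a 0% hash allotment, and that connections are being denied while nothing is redirected. The ACL check passes for 10.101.64.112 on 80/443 and fails for any other host, matching the explicit `deny ip any any`; the counter pairing is only a prompt to review the redirect-list, not a restatement of Cisco's counter semantics.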

 

What does the configuration on the WSA look like? Just because the ASA says that its ID is the DMZ IP, you still configure the WSA to do WCCP with the IP of the ASA inside interface.

I have both the inside and DMZ IP addresses in the WSA.

(attachment: 1.JPG)

The WSA should only have the ASA inside IP...

I gave both the inside and DMZ IP addresses in the WSA.

(attachment: 1.JPG)
