https://community.cisco.com/t5/web-security/asa-wccp-w-ironport-question/m-p/1805113#M1982 <HTML><HEAD></HEAD><BODY><P>Its hash or mask based (you pick, or the boxes negotiate), against server address or client address, but only if the cache engines are up... ie if one is down, all of the traffic will go to the other one...&nbsp; Keep in mind that WCCP is sort of like a "subscription".&nbsp; If both WSA's are down, the ASA will see no "subscriptions" so it will just pass the traffic without trying to redirect it anywhere.&nbsp; If one is up and talking, it gets all of the traffic..</P><P></P><P>Take a look at Network/Transparent Redirection, set it for WCCP v2 Router,&nbsp; and add a service.&nbsp;&nbsp; The config is there... </P><P></P><P>Also, don't forget to add 2 ACE's to the ACL on the ASA to keep the traffic from one WSA proxy ip from getting sent to the the other WSA, and vice versa...</P><P>(Taken from AnswerID 1663 in the old ironport support knowledge base)</P><TABLE border="1" cellpadding="2" cellspacing="0" style="background-color: #fafafa; border: #6b6b6b 1px solid;"><TBODY><TR><TD><STRONG style="background-color: #dbddba; color: black;">wccp</STRONG> 90 redirect-list acl_http group-list acl_wsas password securewccp<P>! Access List denying traffic sent to the WSA (as destination IP) to be redirected to the WSA<BR />! this is particular useful when the ASA is configured to redirect traffic to multiple WSAs.<BR />! WSA1 IP address = 10.0.0.1<BR />! WSA2 IP address = 10.0.0.2<BR />access-list acl_http extended deny tcp any host 10.0.0.1<BR />access-list acl_http extended deny tcp any host 10.0.0.2</P><P>! Allow http traffic to be redirected<BR />access-list acl_http extended&nbsp; permit tcp any any eq www</P><P>! Allow https traffic to be redirected<BR />access-list acl_http extended&nbsp; permit tcp any any eq https</P><P>! Define which WSAs are allowed to participate on the <STRONG style="background-color: #dbddba; color: black;">WCCP</STRONG> communication<BR />access-list acl_wsas standard&nbsp; permit host 10.0.0.1<BR />access-list acl_wsas standard&nbsp; permit host 10.0.0.2</P><P>!<BR /><STRONG style="background-color: #dbddba; color: black;">wccp</STRONG> interface inside 90 redirect in</P></TD></TR></TBODY></TABLE></BODY></HTML> Fri, 04 Nov 2011 15:39:47 GMT Ken Stieers 2011-11-04T15:39:47Z https://community.cisco.com/t5/web-security/asa-wccp-w-ironport-question/m-p/1805112#M1981 <P>I'd like to use ASA WCCP to point to a couple different Ironport s160 systems for redundancy. I can't find any documentation that talks about how the WCCP mechanism selects which system to use. </P><P>Is it simply round robin or hash-based regardless of cache engine status?</P><P>Or does it try the first in the list and if inaccessible move to the next in the llist?</P> Fri, 04 Nov 2011 15:11:30 GMT https://community.cisco.com/t5/web-security/asa-wccp-w-ironport-question/m-p/1805112#M1981 AJ Cruz 2011-11-04T15:11:30Z https://community.cisco.com/t5/web-security/asa-wccp-w-ironport-question/m-p/1805113#M1982 <HTML><HEAD></HEAD><BODY><P>Its hash or mask based (you pick, or the boxes negotiate), against server address or client address, but only if the cache engines are up... ie if one is down, all of the traffic will go to the other one...&nbsp; Keep in mind that WCCP is sort of like a "subscription".&nbsp; If both WSA's are down, the ASA will see no "subscriptions" so it will just pass the traffic without trying to redirect it anywhere.&nbsp; If one is up and talking, it gets all of the traffic..</P><P></P><P>Take a look at Network/Transparent Redirection, set it for WCCP v2 Router,&nbsp; and add a service.&nbsp;&nbsp; The config is there... </P><P></P><P>Also, don't forget to add 2 ACE's to the ACL on the ASA to keep the traffic from one WSA proxy ip from getting sent to the the other WSA, and vice versa...</P><P>(Taken from AnswerID 1663 in the old ironport support knowledge base)</P><TABLE border="1" cellpadding="2" cellspacing="0" style="background-color: #fafafa; border: #6b6b6b 1px solid;"><TBODY><TR><TD><STRONG style="background-color: #dbddba; color: black;">wccp</STRONG> 90 redirect-list acl_http group-list acl_wsas password securewccp<P>! Access List denying traffic sent to the WSA (as destination IP) to be redirected to the WSA<BR />! this is particular useful when the ASA is configured to redirect traffic to multiple WSAs.<BR />! WSA1 IP address = 10.0.0.1<BR />! WSA2 IP address = 10.0.0.2<BR />access-list acl_http extended deny tcp any host 10.0.0.1<BR />access-list acl_http extended deny tcp any host 10.0.0.2</P><P>! Allow http traffic to be redirected<BR />access-list acl_http extended&nbsp; permit tcp any any eq www</P><P>! Allow https traffic to be redirected<BR />access-list acl_http extended&nbsp; permit tcp any any eq https</P><P>! Define which WSAs are allowed to participate on the <STRONG style="background-color: #dbddba; color: black;">WCCP</STRONG> communication<BR />access-list acl_wsas standard&nbsp; permit host 10.0.0.1<BR />access-list acl_wsas standard&nbsp; permit host 10.0.0.2</P><P>!<BR /><STRONG style="background-color: #dbddba; color: black;">wccp</STRONG> interface inside 90 redirect in</P></TD></TR></TBODY></TABLE></BODY></HTML> Fri, 04 Nov 2011 15:39:47 GMT https://community.cisco.com/t5/web-security/asa-wccp-w-ironport-question/m-p/1805113#M1982 Ken Stieers 2011-11-04T15:39:47Z https://community.cisco.com/t5/web-security/asa-wccp-w-ironport-question/m-p/1805114#M1983 <HTML><HEAD></HEAD><BODY><P>Thanks!</P></BODY></HTML> Fri, 04 Nov 2011 15:43:10 GMT https://community.cisco.com/t5/web-security/asa-wccp-w-ironport-question/m-p/1805114#M1983 AJ Cruz 2011-11-04T15:43:10Z