topic Re: WCCP on ASA in Application Networking

WCCP on ASA

ankit_parikh — Thu, 15 Feb 2007 00:23:15 GMT

Hello,

I am trying to get WCCP working on the ASA for WAAS implementation. Here is a simple snapshot of my config:

Eth 0/0 : Outside (to internet)

Eth 0/1 : Vlan1 (20.20.0.0/16) (trunk port to remote office LAN)

Eth 0/1.211 : Vlan211 (20.21.10.0/24)

Eth 0/1.212 : Vlan212 (20.21.20.0/24)

Eth 0/1.220 : Vlan220 (20.22.0.0/16)

Eth 0/2 : WAAS (20.21.30.0/24)

I have the site to site tunnel working. I can ping the WAAS device from the other end of the tunnel but I cannot ping it from the 20.20.0.0/16 network. I have enabled traffic between interfaces on same security level as WAAS and LAN have same security.

I get this error message:

3 Feb 12 2007 17:54:05 305006 20.20.10.101 portmap translation creation failed for icmp src WAAS:20.21.30.230 dst LAN:20.20.10.101 (type 8, code 0)

How can I fix this?

My second question is regarding WCCP on ASA. Here is the WCCP part of the config I have:

wccp 61 redirect-list WCCP_To_LAN

wccp 62 redirect-list WCCP_To_WAN

wccp interface outside 62 redirect in

wccp interface LAN 61 redirect in

access-list WCCP_To_LAN extended permit ip any 20.20.0.0 255.252.0.0

access-list WCCP_To_WAN extended permit ip 20.20.0.0 255.252.0.0 any

I am not seeing any packets being redirected to the WAE. I once changed the access lists to 'any any' and I saw some packets but I couldn't ping or telnet to the remote site. Could it be a loop? Is there any way to exclude traffic to avoid loop?

Thanks

Ankit

Re: WCCP on ASA

mark.duffy — Thu, 15 Feb 2007 08:16:51 GMT

I did a WAAS deployment last year, the edge routers however were 6500s but the theory should be the same. After many discussions with Cisco SE's I was advised to used redirect lists with WCCP to only match the traffic from selected host subnets going to specific servers, this way you could be sure you were only matching the traffic you wanted, in our case we were trying to prove CIFS optimisation. Because your matching from a host subnet to a server and vice versa it was easier.

ip wccp 61 redirect-list Permit_WCCP_interception

ip wccp 62 redirect-list Permit_WCCP_interception

interface GigabitEthernet1/10

description MPLS Link

ip address 10.1.1.254 255.255.255.252

ip wccp 61 redirect in

ip wccp 62 redirect out

speed 100

duplex full

mls qos trust dscp

interface Vlan100

description WAE_vlan

ip address 192.168.1.255 255.255.255.0

ip wccp redirect exclude in

ip access-list extended Permit_WCCP_interception

permit tcp 192.168.100.0 0.0.0.255 host 192.168.10.27

permit tcp host 192.168.10.27 192.168.100.0 0.0.0.255

deny ip any any

Here you can see we had a redirect in and redirect out on the link into the MPLS cloud, and a redirect exlude in on the VLAN with the WAE in at the remote site. This was essentially replicated at both ends, with the topology being a pair of 6500s at the core and a single 6500 at the edge. The server VLANs in the core have no redirects as its all picked up inbound and outbound on the WAN link, likewise at the remote end.

This probably goes against everything in the documentation, but after lots of pain it worked! With this configuration though you have to identify all traffic flows and for all protocols you want to configure.

Hope its of some help,

Mark

Re: WCCP on ASA

ankit_parikh — Thu, 15 Feb 2007 11:10:30 GMT

Hello Mark,

Thanks for your response. Your config is correct but ASA doesn't provide many options. For instance there is 'redirect out' and 'exclude in'. So the options are really limited.

WCCP is easy to implement on a router but we are trying to implement it on a ASA as an alternative.

Ankit

Re: WCCP on ASA

ravi_mishra — Wed, 21 Feb 2007 03:42:44 GMT

My apology as I am not a routing guy,but is your ACL has correct mask? it should be 0.0.255.255 in my understanding.

Also, try seeing stat of wccp on WAE, give sh wccp gre cli on WAE, and see the packets redirected by GRE. You can also enable debug wccp packets on WAE for more troubelshooting.

You could try redirect in and out on LAN interface only.It generally works.

you can also try giving wccp redirect exclude-in on WAE interface, though its not necessary here.

Also check WAE default gateway should be eth0/2.

If nothing works, you can try PBR for WAAS.

Re: WCCP on ASA

ankit_parikh — Wed, 21 Feb 2007 04:33:49 GMT

Hello,

The subnet mask is correct. I am trying to address 20.20.x.x, 20.21.x.x, 20.22.x.x ...

all with 255.252.0.0 mask or the way you specified it 0.3.255.255.

I have tried enabling the debug for WCCP and packets. I couldn't see any traffic getting redirected.

The output 'sh wccp gre' just shows 0 packets for everything, since wccp isn't working.

ASA doesn't provide an option for redirect out and exclude statements. So I have to use redirect in on 2 separate interfaces. PBR is not an option with ASA.

Re: WCCP on ASA

guibarati — Wed, 21 Mar 2007 17:00:56 GMT

The ASA appliance does not support the WCCP engine to be in a different interface of the host that will be served with the cached content.

Re: WCCP on ASA

ankit_parikh — Wed, 21 Mar 2007 21:46:18 GMT

hello Guilherme,

Thanks for your reply. This does make quite a few things clear for me.

Ankit

Re: WCCP on ASA

heronmb — Thu, 12 Jun 2008 22:48:07 GMT

Hello Guilherme,

I have version 8.0.3 on ASA, do you know if it has the same issue ?

Re: WCCP on ASA

guibarati — Fri, 13 Jun 2008 13:43:29 GMT

"WCCP redirect is supported only on the ingress of an interface. The only topology that the security

appliance supports is when client and cache engine are behind the same interface of the security

appliance and the cache engine can directly communicate with the client without going through the

security appliance."

This is a copy and paste of: Cisco Security Appliance Command Line Configuration Guide

For the Cisco ASA 5500 Series and Cisco PIX 500 Series Software Version 8.0(1)

It's on chapter 10 page 10 (178 on pdf)

Re: WCCP on ASA

guibarati — Fri, 13 Jun 2008 13:44:35 GMT

"WCCP redirect is supported only on the ingress of an interface. The only topology that the security

appliance supports is when client and cache engine are behind the same interface of the security

appliance and the cache engine can directly communicate with the client without going through the

security appliance."

This is a copy and paste of: Cisco Security Appliance Command Line Configuration Guide

For the Cisco ASA 5500 Series and Cisco PIX 500 Series Software Version 8.0(1)

It's on chapter 10 page 10 (178 on pdf)