topic WCCP Service blocking DMVPN tunnels on Cisco ASR 1001 in Application Networking

WCCP Service blocking DMVPN tunnels on Cisco ASR 1001

mshammans — Thu, 27 Sep 2012 17:03:32 GMT

I am trying to configure WCCP on my Routers in a DMVPN environment, in order to setup WAN Optimization. The issue is as soon as i activate the WCCP service on my ASR or any router at my remote sites with either 'ip wccp 98 group-list ACL' or 'ip wccp 98 redirect-list ACL' (ive tried both with troubleshooting) the DMVPN tunnels quit communicating back to my ASR1001 (DMVPN Hub). As soon as i run a traceroute to what is specified in the ACLthe traffic gets lost. Anything not in that ACL is fine. This happens before i even apply it to an interface.

Has anyone ran into this before?

Also, my ASR does have both these configured, as i've seen recommended in other forums:

no ip wccp variable-timers

ip wccp check services all

and it is running wccp version 2 by default.

TAC couldnt figure it out and are digging for bugs, but i thought i'd jump on here as well. Any help is much appreciated.

WCCP Service blocking DMVPN tunnels on Cisco ASR 1001

Natalie Ramirez — Fri, 28 Sep 2012 15:42:00 GMT

Is this WCCP redirection for WAAS? This is the WAAS forum. WAAS uses wccp 61 and 62 by default.

Regardless,

wccp 98 is for http traffic on a port other than port 80, so I am assuming that this is a web caching or proxy server that you are redirecting to.

Let me take a shot in the dark here, wccp 98 is redirecting non port 80 traffic both tcp and udp, DMVPN requires the following protocols

UDP Port 500—ISAKMP as source and destination

UDP Port 4500—NAT-T as a destination

IP Protocol 50—ESP

IP Protocol 51—AH (if AH is implemented)

IP Protocol 47—GRE

My guess would be that you need to exclude UDP ports 500 and 4500 from your ACL to ensure that you are not intercepting VPN tunnel traffic.

WCCP Service blocking DMVPN tunnels on Cisco ASR 1001

ahskhan — Fri, 28 Sep 2012 16:00:06 GMT

Hello,

There are no known issues with DMPVPN , WCCP and redirect applied for WCCP intercept. I would need a lot more data to analyze and to see what is wrong here. lets start with some simple questions.

1: What WCCP Client is running WCCP with ASR? (IronPort, ACNS ?)

2: Do this issue happened when WCCP is configured globally but no redirect applied on interfaces?

3: What TCP / UDP services are asked by WCCP Client for redirect

4: It is important to udnerstant where WCCP redirects are applied, on Tunnel interface or on Physical interface.

Better if you can provide a topology and show techs. but answers to above may hold the key. Thanks.

Ahsan

WCCP Service blocking DMVPN tunnels on Cisco ASR 1001

mshammans — Fri, 28 Sep 2012 17:28:03 GMT

Beau - thanks, i'll give that a shot too and let you know.

Ahsan -

1. Its a VM based WAN Optimization Client called Certeon.

2. Yes. This happens as soon as WCCP is enabled globally before i even apply it to an interface

3. No specific services are being sent during WCCP negotiation

4. Eventually we will apply WCCP to the inside physical interface

Topology is standard on my sites with: Internet->Router->Switch