Ask the Expert: Setting up and troubleshooting WCCP on IOS

ciscomoderator
Community Manager

With Michael Schueler

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn how to set up and troubleshoot WCCP (Web Cache Communication Protocol) on different IOS platforms from Cisco experts Peter Van Eynde and Michael Schueler.

Peter Van Eynde is a customer support engineer in the Technical Assistance Center in Belgium, where he supports content technologies including Cisco Wide Area Application Services (WAAS), Cisco Application and Content Networking System (ACNS), and Cisco Content Delivery System Internet Streaming (CDS-IS). He holds CCIE certification #23042 in Security.

Michael Schueler has been a Cisco support engineer in the Cisco Technical Support Assistance team in Germany for more than 5 years. He is an expert on content technologies including Cisco Wide Area Application Services (WAAS), Cisco Application and Content Networking System (ACNS), Cisco Content Delivery System Internet Streaming (CDS-IS), and Cisco Digital Media Suite (DMS). He holds CCIE certification #23835 in Security.

Remember to use the rating system to let Peter and Michael know if you have received an adequate response.  

They might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Network Infrastructure sub-community "Wide Area Application Services" discussion forum shortly after the event. This event lasts through August 24, 2012. Visit this forum often to view responses to your questions and the questions of other community members.


Hello Kevin,

1. What do you mean by "If the parameters are not ok you either get software redirection/return or WCCP fails"?

What kinds of parameters are considered not ok...could you please give me an example?

I just want to make sure our switches handle wccp in hardware.

For example on the ASR1000 if the client wants to use the HASH method the switch will reject this. On the Catalyst 6500 however it will accept this and process the traffic in software.

A good way to determine if the processing is in software or hardware is to generate a decent amount of traffic and then monitor the CPU of the device. If it goes up and down with the traffic load then it is processed in software.

2. Does the option "accelerated" do anything at all?

Even when I specify it, it doesn't show up in running-config on a 3560:

This was only useful for WCCP version 1.

3. You had said most of the parameters are determined by the lead WCCP client.

So what happens if the client's parameters deviate from the "standard" in terms of what a service group is supposed to do?

Would the router accept or reject the parameters?

I'm asking because we may have non-Cisco products that don't follow the "standard".

If it is just regarding the WCCP IDs then there is no problem; if this is regarding the rest of the WCCP standard you might have a problem.

Please note that in more recent versions we introduced WCCP variable timers, which might cause problems for non-Cisco WCCP clients.

Service groups 61 & 62 are defined as "tcp-promiscuous" because that's how WAAS is implemented, correct?

Correct

During the wccp negotiation, does the cache (WAAS) instruct the router how a service group behaves (61&62 = tcp),

or does the IOS device have "built-in" intelligence that knows they're supposed to redirect all tcp traffic?

All of this information comes from the lead WCCP client, in this case the WAAS device.

Just trying to understand if the dynamic groups in the table in https://supportforums.cisco.com/thread/2067558 are just a guideline, or if all vendors must use the standard group numbers.


Just a guideline. With WAAS 5.0.1 and multiple WCCP groups it is even outdated.

4. Currently the timers are 10sec/30sec for hello/dead.

Is there any plan to allow custom values, such as 1sec/3sec?

We'd like to be able to detect a cache failure faster than 30 seconds.

See above

Best regards, Peter

Jorge Guimaraes
Level 1

Hello folks,

I wonder why WCCP redirection is not happening on my 3750 although the WCCP adjacency has established just fine?

Also, sometimes I've noticed that when using WCCP with L2 redirection I experience high CPU as soon as I enable WCCP. What am I doing wrong? Is this a bug?

Thanks

- Jorge

Not trying to step on Michael & Peter's toes here, but have you changed the SDM to the routing template, and rebooted switch?

Not sure about high CPU.

I'd love to know why that is as well though.

Hello Kevin,

Exactly right.

High CPU is sometimes caused by the WCCP client who keeps sending requests to redirect traffic, causing the switch to spend a lot of time analysing and rejecting these requests.

show processes cpu sorted 1min

often will tell you more.

Best regards, Peter

Hello Jorge,

I would go through the steps outlined in the troubleshooting document at http://docwiki.cisco.com/wiki/Cisco_WAAS_Troubleshooting_Guide_for_Release_4.1.3_and_Later_--_Troubleshooting_WCCP which is pretty detailed.

For the 3550 you can check the TCAM utilization with:

remote command all show platform tcam util asic all

and the contents of said TCAM with:

show platform forward    ip   tcp   0

but first always check the SDM template selected, as this is often the cause of the problem.

Best regards, Peter

Peter,

Thanks for the advice. I have followed the steps and now it's all fine.

I have another question, though.

How do I configure which traffic to redirect?

Thank you

- Jorge

Hi Jorge,

This depends on what exactly you would like to achieve.

If you want to further restrict which traffic shall be redirected, you want to use a WCCP redirect-list on the 3750 like this:

   ip access-list extended WCCP
    permit tcp any host 10.10.10.10
    permit tcp 192.168.10.0 0.0.0.255 any
   !
   ip wccp 90 redirect-list WCCP

Note that on the 3750 platform the WCCP redirect-list must not contain any deny entries; only permit entries are supported.

If, however, you want to redirect additional traffic (e.g. redirect not only HTTP traffic on TCP port 80, but also HTTPS traffic on TCP port 443), you will need to modify the WCCP service on the WCCP client to include the additional protocols. WCCP services 90-97 can be used for this purpose.

Note that Cisco WAAS does not support user-configurable services, while e.g. Cisco ACNS and Ironport WSA do support this.

Best regards,

Michael

Michael,

Is wccp smart enough to redirect the return traffic, or do you have to specify both directions in the redirect ACL?

In the example you gave above, you only match single direction.

Kevin

Hello Kevin,

Is wccp smart enough to redirect the return traffic, or do you have to specify both directions in the redirect ACL?

In the example you gave above, you only match single direction.

No, WCCP is not that smart, because you do not want to redirect the traffic in both directions in all cases.

You need two WCCP services, with mirrored access-lists, to redirect both directions. Just like WAAS does. This is because WAAS does not terminate the connection, it only modifies the packets in flight. (More or less packets might appear on the WAN than on the LAN, but from a connection point of view it remains the same IP/port combination.)

To only see one direction, for example for web caching, you only need one service. In this case ACNS for example terminates the connection and there is no real return traffic, because the ACNS will go out and get the data with its own IP.

Best regards, Peter
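
An added example (not from the thread or from Cisco): a Python audit covering two points made above, Michael's note that a 3750 redirect-list supports only permit entries, and Peter's point that redirecting both directions needs a second service with a mirrored access-list. The sample config is constructed around the ACL from the post; the `WCCP-DENY` list, service 91 and the name `WCCP-RETURN` are assumptions.

```python
import re

# Constructed sample; only the WCCP ACL and the 'ip wccp 90' line come from the post.
SAMPLE = """
ip access-list extended WCCP
 permit tcp any host 10.10.10.10
 permit tcp 192.168.10.0 0.0.0.255 any
!
ip access-list extended WCCP-DENY
 deny tcp any host 10.10.10.20
 permit tcp any any
!
ip wccp 90 redirect-list WCCP
ip wccp 91 redirect-list WCCP-DENY
"""

PORT_OPS = {"eq": 2, "neq": 2, "gt": 2, "lt": 2, "range": 3}  # tokens consumed

def parse_addr(tokens):
    """Split off one address spec ('any', 'host A', 'A wildcard') plus any port match."""
    n = 1 if tokens[0] == "any" else 2
    n += PORT_OPS.get(tokens[n], 0) if n < len(tokens) else 0
    return tokens[:n], tokens[n:]

def parse_acl(config, name):
    """Return [(action, proto, src, dst)]; trailing options such as 'log' are dropped."""
    entries, inside = [], False
    for words in (line.split() for line in config.splitlines()):
        if words[:3] == ["ip", "access-list", "extended"]:
            inside = words[3:] == [name]
        elif inside and words and words[0] in ("permit", "deny"):
            src, rest = parse_addr(words[2:])
            dst, _ = parse_addr(rest)
            entries.append((words[0], words[1], src, dst))
        elif words:
            inside = False  # any other command ends the ACL block
    return entries

def redirect_lists(config):
    """Map each WCCP service to the ACL named in its redirect-list."""
    return dict(re.findall(r"^\s*ip wccp (\S+) redirect-list (\S+)", config, re.M))

def deny_entries(entries):  # the 3750 supports only permit entries here
    return [e for e in entries if e[0] == "deny"]

def mirror(name, entries):
    """Render the ACL for the return direction by swapping source and destination."""
    lines = [" " + " ".join([a, p, *dst, *src]) for a, p, src, dst in entries]
    return "\n".join([f"ip access-list extended {name}", *lines])
```

Run `deny_entries(parse_acl(cfg, acl))` for every ACL returned by `redirect_lists(cfg)` before pushing a config to a 3750, and use `mirror()` to produce the list for the second service when both directions must be redirected.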