Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn how to set up and troubleshoot Web Cache Communication Protocol (WCCP) redirection to Cisco Wide Area Application Services (WAAS) devices with Cisco Expert Nicolas Fournier. Nicolas has worked in the Cisco Technical Assistance Center for six years, where he is responsible for full-time support of content technologies and focuses on Cisco Wide Area Application Services (WAAS) and TCP acceleration. He is a graduate of the Universite catholique de Louvain and holds CCIE #19944 Security certification.
Remember to use the rating system to let Nicolas know if you have received an adequate response.
Nicolas might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the shortly after the event. This event lasts through July 1st, 2011. Visit this forum often to view responses to your questions and the questions of other community members.
Hi Sandy Pan,
"Show stat conn" should list the connections; pass-through connections will be identified as PT. Check for these port numbers. Also do a "show run |
I'm not aware of any way to see it from the Central Manager directly but you can easily see this from the CLI of your WAAS devices by issuing the following command:
show statistics pass-through
Taken from the config guide, here is an explanation of each entry you will find there:
Total number of connections passed through.
The connection is pass-through due to no peer WAE being found during TFO auto-discovery.
The connection is pass-through due to auto-discovery finding that the peer WAE does not have the required capabilities.
The connection is pass-through due to auto-discovery finding that the peer WAE does not have the required resources.
Rjct No License: Number of connections passed through due to no license.
Number of connections passed through due to policy configuration.
Number of connections passed through due to optimization being disabled globally.
Number of connections passed through due to asymmetric routing in the network (could be an interception problem).
Number of connections passed through due to connections seen by the WAE mid-stream.
Number of connections passed through because the WAE was in between two other WAEs.
Number of connections passed through due to miscellaneous internal errors such as memory allocation failures, and so on.
Number of connections passed through because an application accelerator requested the connection to be passed through.
Server Black List: Number of connections passed through due to the server IP being present in the black list.
AD Version Mismatch: Number of connections passed through due to auto-discovery version incompatibility.
AD AO Incompatible: Number of connections passed through due to application accelerator versions being incompatible.
AD AOIM Progress: Number of connections passed through due to ongoing peer negotiations.
DM Version Mismatch: Number of connections passed through because directed mode, though enabled locally, is not supported by the peer device.
Number of connections passed through due to an upstream serial peer handling optimization and telling this WAE not to optimize the connection.
Bad AD Options: Number of connections passed through due to invalid auto-discovery options.
Number of connections passed through because the only peer found is configured as a non-optimizing serial peer.
Number of connections passed through due to an interception ACL denying them.
If you want to see which hosts are generating this traffic you can also use the following command:
show statistics connection pass-through
It will give you the list of all pass-through connections going through your device.
You can also filter this output using the following options:
WAE#show statistics connection pass-through ?
client-ip Display passthrough connection statistics for client ip address
client-port Display passthrough connection statistics for client port number
peer-id Display passthrough connection statistics for peer idenitifier
server-ip Display passthrough connection statistics for server-ip
server-port Display passthrough connection statistics for server port number
| Output Modifiers
I hope this is the info you were looking for but please let me know if there is anything else you would like to know.
We have two datacenters with the same LAN, with two lines load-sharing over BGP and two WAEs, running:
Interception Method: WCCP TCP Promiscuous
Egress Method: WCCP Negotiated Return
Sometimes we get "asymmetric routing is seen in the device" when we run the diagnostic tests for WCCP, and sometimes it's OK.
Where should we start to look?
I believe the diagnostic tool is having a look at the output of the show statistics connection pass-through command for Asymmetric sessions.
If you issue the command right after a failed diagnostic, you should see some of those and, hopefully, it will help you identify the traffic which is bypassing your WAEs.
It should be triggered by PT Asym Client or PT Asym Server connections.
If you want to have a look at the list of all the different pass-through states you can see there and their explanation, you can have a look at this link: http://www.cisco.com/en/US/partner/docs/app_ntwk_services/waas/waas/v421/command/reference/execmds.html#wp3113061
We have a problem seeing the traffic in our provider's IDS system and in the NetFlow from our two provider core routers.
As we are using Redirect and Return Method: WCCP GRE and are not able to use WCCP L2, we cannot see the GRE traffic from our provider's two routers.
My solution was to send NetFlow from the two WAEs to our provider's IDS system on the WAN side as well, but we can't do that as the WAE has limited configuration possibilities for the port and UDP settings of the flow export.
Can you recommend any solution for this?
Regards, Jan Rockstedt
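Because the IDS and the core routers' NetFlow only see router-to-WAE GRE, a decoder that peels the WCCP GRE encapsulation back to the inner client/server flow is what restores that visibility. This is an added example, not code from the thread or from Cisco; the 0x883E GRE protocol type and the 4-byte redirect header layout are taken from the WCCPv2 draft, and the packet, addresses and service group 61 are constructed.

```python
# Added example (not from this thread or Cisco): decode one WCCP GRE packet so the
# redirected TCP flow is visible to tooling that only sees router<->WAE GRE traffic.
import socket
import struct

GRE_PROTO_WCCP = 0x883E   # GRE protocol type carried by WCCP redirect/return

def _ipv4(buf):
    """Return (proto, src, dst, header_len) for the IPv4 header at buf[0:]."""
    if buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    return buf[9], socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20]), ihl

def decode_wccp_gre(pkt):
    """Strip outer IPv4 + GRE + WCCP redirect header and describe the inner flow."""
    proto, o_src, o_dst, off = _ipv4(pkt)
    if proto != 47:                                   # IP protocol 47 = GRE
        raise ValueError("outer packet is not GRE")
    gre_flags, gre_proto = struct.unpack("!HH", pkt[off:off + 4])
    if gre_flags != 0 or gre_proto != GRE_PROTO_WCCP:
        raise ValueError("not a plain WCCP GRE packet")
    # 4-byte WCCP redirect header, layout assumed from draft-wilson-wrec-wccp-v2:
    # D(1) A(1) reserved(6) | service id(8) | alt bucket(8) | primary bucket(8)
    (rh,) = struct.unpack("!I", pkt[off + 4:off + 8])
    off += 8
    i_proto, i_src, i_dst, i_ihl = _ipv4(pkt[off:])
    if i_proto != 6:                                  # only TCP is redirected
        raise ValueError("inner packet is not TCP")
    sport, dport = struct.unpack("!HH", pkt[off + i_ihl:off + i_ihl + 4])
    return {
        "gre_endpoints": (o_src, o_dst),              # router <-> WAE
        "service_id": (rh >> 16) & 0xFF,              # 61/62 = tcp-promiscuous
        "dynamic_service": bool(rh >> 31),
        "bucket": rh & 0xFF,
        "flow": (i_src, sport, i_dst, dport),         # what the IDS should see
    }

def _ipv4_hdr(proto, src, dst, payload_len):
    """Minimal IPv4 header for the constructed sample (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def sample_packet():
    """Constructed: router 192.0.2.1 redirects a client SYN to WAE 192.0.2.10."""
    tcp = struct.pack("!HHIIBBHHH", 51000, 445, 1, 0, 0x50, 0x02, 8192, 0, 0)
    inner = _ipv4_hdr(6, "10.1.1.10", "172.16.5.20", len(tcp)) + tcp
    redirect = (1 << 31) | (61 << 16) | 37           # dynamic service 61, bucket 37
    gre = struct.pack("!HHI", 0, GRE_PROTO_WCCP, redirect)
    return _ipv4_hdr(47, "192.0.2.1", "192.0.2.10", len(gre) + len(inner)) + gre + inner
```

Feeding captured router-to-WAE GRE frames through decode_wccp_gre() yields the inner 5-tuple that the IDS would otherwise miss; frames with a non-zero GRE flags word or a different protocol type are rejected rather than misread.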
NetFlow support on the WAE is meant for sending the data to a NAM so, unfortunately, there isn't much tweaking you can do with it.
Could you let me know why you cannot use the reporting values of the router when WAAS is used with GRE return and negotiated return?
You might be missing the destination interface of the flow because of CSCsl30451 but AFAIK you should still see the flows when they originally hit the router.
So maybe it has something to do with CSCsl30451.
If I do a traffic report from the IDS system on the whole subnet, I can see a lot of traffic on the WAE using GRE; it is among the top hosts.
If I do it on a specific host, I can also see the traffic for that host, but as a first step I need to know the traffic as an overview of the subnet.
Could it be CSCsl30451?
Which version is running on your provider router?
Could you check if the version he is running is affected by "CSCsm35350 WCCP GRE return breaks IPsec traffic AND/OR creates phantom packet count"?
You can have a look at the bug description from the following link:
Then you are not facing CSCsm35350 since it is fixed in this version.
I did some research on your issue and found two other possible candidates that might explain what you see:
If you are using Flexible Netflow:
CSCsl76763 FNF is double accounting WCCP GRE return packets
If you are using Traditional Netflow:
CSCti86131 2811 WAN usage reporting incorrect with WAAS