12-11-2008 07:13 AM
Unable to figure out what I am doing wrong. Similar config on a 2811 with a WAE-NM is working as expected.
High level network setup has a central WAAS manager running on a WAE-512 and a central WAAS enterprise server running on a WAE-612, which is connected to a Cisco 3750. Remote office is running a 2811-WAE502. IP connectivity is ok.
The WAE-612 and the Cat3750 are connected through L2 WCCP.
Configured a WAE-612 WAAS engine to a Cisco Catalyst 3750 and getting WAAS event messages on the 3750 containing w/bad rcv_id 00000000. I solved this by changing from GRE to L2 on the WAE and now the 3750 is correctly registered to the WAE. But now I get messages like:
18w5d: WCCP-EVNT:D62: Here_I_Am packet from 10.0.7.10 w/bad rcv_id 0000086F
18w5d: WCCP-EVNT:D62: Here_I_Am packet from 10.0.7.10 w/bad rcv_id 0000086F
18w5d: WCCP-EVNT:D62: Here_I_Am packet from 10.0.7.10 w/bad rcv_id 0000086F
18w5d: WCCP-EVNT:D61: Redirect_Assignment packet from 10.0.7.10 w/bad rcv_id 00000877
18w5d: WCCP-EVNT:D61: Redirect_Assignment packet from 10.0.7.10 w/bad rcv_id 00000878
18w5d: WCCP-EVNT:D61: Redirect_Assignment packet from 10.0.7.10 w/bad rcv_id 00000879
18w5d: WCCP-EVNT:D61: Redirect_Assignment packet from 10.0.7.10, no change in MV set
18w5d: WCCP-EVNT:D62: Redirect_Assignment packet from 10.0.7.10 w/bad rcv_id 00000870
18w5d: WCCP-EVNT:D62: Redirect_Assignment packet from 10.0.7.10 w/bad rcv_id 00000871
18w5d: WCCP-EVNT:D62: Redirect_Assignment packet from 10.0.7.10 w/bad rcv_id 00000872
Diagnostic Report for Device ns-wa0002 performed on 12/10/2008 23:0:18
WCCP configuration and operation FAIL
WARN BAD_WCCP_RTR WAE does not see router 10.0.7.1
Recommendation: Check if WCCP router address is correct, reachable and configured to use WCCP.
FAIL NO_WCCP_RTRS Device does not see any of WCCP routers
WCCP Client information:
WCCP Client ID: 10.0.7.10
Protocol Version: 2.0
State: Usable
Redirection: L2
Packet Return: L2
Packets Redirected: 0
Connect Time: 00:23:35
Assignment: MASK
Mask SrcAddr DstAddr SrcPort DstPort
---- ------- ------- ------- -------
0000: 0x00001741 0x00000000 0x0000 0x0000
Value SrcAddr DstAddr SrcPort DstPort CE-IP
Need some advice,
WAE-612 is running 4.1.1c
Cat3750 is running 12.2(44)SE2 AdvIPSer
12-14-2008 02:45 PM
12.4(15)T8 is probably a little more stable for WCCP than what you were using, as L2/MASK features were just introduced. I have a lot of customers running 12.4(15)Tx w/NMEs and GRE redirect so I think that is a good solution.
Traffic passing through 1 WAAS box will just be put into passthrough, not dropped. During the 3-way handshake, if another WAE isn't detected, those connections are put into passthrough and not touched for optimization.
So WAAS won't help out for internet traffic unless there is another WAAS box at the other end. I would exclude that traffic if at all possible to eliminate operational overhead. If you have a WAAS box at the other end (at a proxy site or something), then I would try accelerating it.
Hope that helps, remember to rate the conversations if you get a chance.
Thanks,
Dan
12-11-2008 08:54 AM
Hi,
Please check the SDM template on the 3750 (sh sdm prefer). You should be using a template that prefers routing, or WCCP won't work.
sdm prefer routing
See if that helps you, it allows the TCAM to be used for routing features, which is required for WCCP.
Hope that helps,
Dan
12-11-2008 12:56 PM
Hi,
Did that already. Not solving the problem.
ns-rt0001# sh sdm prefer
The current template is "desktop routing" template.
12-11-2008 01:22 PM
Please post your wccp configs off the 3750 and the WAE. I think there is a misconfiguration somewhere.
Thanks,
Dan
12-11-2008 02:23 PM
I think I solved the problem.
The WAE router list must ONLY contain ONE IP address per router. In my case the 3750 has bound the WCCP process to the loopback address. This address must be in the router list and not the interface IP address.
Am I right?
12-11-2008 03:01 PM
You should only use a single L3 address from each router. I usually use the address from the interface that that WAE is attached to. The router ID will come in as the highest IP address (usually the loopback), however you don't have to use that as the IP in the router list.
Dan
12-11-2008 03:13 PM
Thx for helping me out so far.
Problem continues.
I removed the WCCP configuration last night from the 2811 with the WAE module and now do not get it to work any more.
nhl-rt0001#sh ip wccp 61 detail
WCCP Client information:
WCCP Client ID: 10.254.252.4
Protocol Version: 2.0
State: NOT Usable (Incompatible redirection method)
Redirection: L2
Packet Return: L2
Packets Redirected: 0
Connect Time: 00:10:34
Assignment: MASK
019695: Dec 11 23:08:27.686: WCCP-EVNT:D62: Here_I_Am packet from 10.254.252.4 with incompatible capabilites
019696: Dec 11 23:08:29.686: WCCP-EVNT:D61: Here_I_Am packet from 10.254.252.4 w/bad rcv_id 00000000
019697: Dec 11 23:08:29.686: WCCP-EVNT:wccp_update_assignment_status: enter
019698: Dec 11 23:08:29.686: WCCP-EVNT:wccp_update_assignment_status: exit
019699: Dec 11 23:08:29.686: WCCP-EVNT:wccp_copy_wc_assignment_data: enter
019700: Dec 11 23:08:29.686: WCCP-EVNT:wccp_copy_wc_assignment_data: reuse orig mask info (28 bytes)
019701: Dec 11 23:08:29.686: WCCP-EVNT:wccp_copy_wc_assignment_data: exit
019702: Dec 11 23:08:29.686: WCCP-EVNT:D62: Here_I_Am packet from 10.254.252.4 w/bad return method L2, received indirectly via Integrated-Service-Engine1/0
When running the troubleshooting tool on the WAE-502 all systems are go. No errors.
2811 is running 12.4.22T (same as yesterday)
Redirection/Return methods are set to L2 at both ends, same as MASK.
Should I use WCCP negotiated return or IP Forwarding as Egress method?
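Added example, not part of the original thread: a small Python summarizer for the `WCCP-EVNT` debug lines quoted in the posts above. It groups events by service group, client and failure reason, and separates an all-zero `rcv_id` (the client echoed no Receive ID) from a non-zero one the router rejected. The reason labels and function names are this example's own; the sample lines are copied from the posts.

```python
import re
from collections import Counter

# Lines copied from the debug output quoted in the posts above.
SAMPLE = """\
18w5d: WCCP-EVNT:D62: Here_I_Am packet from 10.0.7.10 w/bad rcv_id 0000086F
18w5d: WCCP-EVNT:D61: Redirect_Assignment packet from 10.0.7.10 w/bad rcv_id 00000877
18w5d: WCCP-EVNT:D61: Redirect_Assignment packet from 10.0.7.10, no change in MV set
019695: Dec 11 23:08:27.686: WCCP-EVNT:D62: Here_I_Am packet from 10.254.252.4 with incompatible capabilites
019696: Dec 11 23:08:29.686: WCCP-EVNT:D61: Here_I_Am packet from 10.254.252.4 w/bad rcv_id 00000000
019697: Dec 11 23:08:29.686: WCCP-EVNT:wccp_update_assignment_status: enter
019702: Dec 11 23:08:29.686: WCCP-EVNT:D62: Here_I_Am packet from 10.254.252.4 w/bad return method L2, received indirectly via Integrated-Service-Engine1/0
"""

# Per-packet event lines; works with either timestamp prefix seen in the thread.
EVENT = re.compile(
    r"WCCP-EVNT:D(?P<svc>\d+): (?P<msg>Here_I_Am|Redirect_Assignment) packet "
    r"from (?P<client>\d+(?:\.\d+){3}),? ?(?P<rest>.*)$"
)

def classify(rest):
    """Turn the tail of an event line into a short reason label."""
    m = re.search(r"w/bad rcv_id ([0-9A-Fa-f]{8})", rest)
    if m:
        # All-zero: no Receive ID echoed at all; otherwise an ID the router rejected.
        return "rcv_id_zero" if int(m.group(1), 16) == 0 else "rcv_id_mismatch"
    if "incompatible capabilit" in rest:  # IOS prints "capabilites"
        return "incompatible_capabilities"
    m = re.search(r"w/bad return method (\w+)", rest)
    if m:
        return "bad_return_method_" + m.group(1)
    return "other"

def summarize(lines):
    """Count events per (service group, client IP, message type, reason)."""
    counts = Counter()
    for line in lines:
        m = EVENT.search(line)
        if m:  # function-trace lines (wccp_update_...) are skipped
            counts[(int(m["svc"]), m["client"], m["msg"], classify(m["rest"]))] += 1
    return counts

def problems_by_client(lines):
    """Client IP -> sorted list of distinct failure reasons seen for it."""
    out = {}
    for (_svc, client, _msg, reason) in summarize(lines):
        if reason != "other":
            out.setdefault(client, set()).add(reason)
    return {c: sorted(r) for c, r in out.items()}
```

Calling `problems_by_client(SAMPLE.splitlines())` shows at a glance that the two clients are failing for different reasons.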
12-12-2008 07:48 AM
Set up your NME separately from the WAE appliance (don't do them in a device group). The 3750 only supports L2 redirect/mask assign. The 2811 (depending on what version of IOS you are using) should only use GRE redirect (default) with hash assign.
Dan
12-12-2008 05:27 PM
Hi, default is mask, not hash, for both the NME and the WAE.
For some reason it is not working. All systems are go, see each other in the topology table.
No errors in debug mode.
Between the WAAS engines are two ASAs connected through the internet via an IPsec VPN. IP connectivity is straight without NAT. WAAS inspect is enabled.
What I do see is that the counters on the 3750 are not increasing:
Global WCCP information:
Router information:
Router Identifier: 10.0.252.1
Protocol Version: 2.0
Service Identifier: 61
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 0
Process: 0
CEF: 0
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 3
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
Service Identifier: 62
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 0
Process: 0
CEF: 0
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 9
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
While on the 2811 they are.
Connectivity such as RDP is not working. ICMP ping is possible. When turning off WAAS it is working as expected.
Hope you are reading emails during the weekend....
12-12-2008 06:07 PM
Okay,
On your connectivity via the ASA and IPSec, I see you set the MSS to 1300 already, was that to allow for your ipsec header overhead? Make sure it's on both WAEs (at each end of the WAN link).
I recommend you use 2 different setups for wccp in your scenario, something like this. See if your configs match.
1. WAE-612 + 3750 : WAE uses the following wccp configs
-----------------
wccp router-list 1 10.0.7.1
wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign assign-method-strict l2-return
wccp version 2
-----------------
You will not see any of the counters increase on the router (3750) due to the traffic being processed in the hardware. Counters only increase if packets are processed in software (like on the ISR platforms). Use "sh wccp gre" on the WAE instead and you should see the counter "Transparent non-GRE packets received: " incrementing.
2. NME-WAE-502 + 2811 - NME should use the basic WCCP configs - NO MASK or L2, they are only available in 12.4(20)T or later.
------------
wccp router-list 1 x.x.x.x (network module router interface IP address)
wccp tcp-promiscuous router-list-num 1
wccp version 2
------------
You will see the counters increase on both the router and the counter "Transparent GRE packets received:" incrementing on the WAE in "sh wccp gre".
Let me know, I'm doing installs all weekend and will keep checking in.
Dan
12-13-2008 01:49 AM
MSS 1300 is for the IPSEC overhead.
You are right regarding the hardware switching. Counters are incrementing.
2811 is running 12.4.22T
When doing a sh ip wccp on the 3750 you see that the WCCP process is using 10.0.252.1. I have used that IP address in the router list.
WCCP connection between WAE and 3750 seems to be fine.
I also made sure WCCP inspect is turned on in the ASA's
12-13-2008 06:24 AM
It seems to be working. Going to test further and keep u posted.
The problem was an unnumbered IP usage for the NME module on the same VLAN where the client resided. When logged in on the NME, the NME was unable to reach the client essentially in the same LAN. Played around with GRE and exclude in and such, but nothing worked.
Now running on 12.4.15T8. This provides way less overhead on cpu usage when using the 2811.
What else should I check to make the optimum config?
The next thing I am going to test is redirect access-list to only allow WAAS traffic for specific subnets (customers) since I am deploying a Managed WAAS service.
What happens with traffic flowing through a WAAS engine on the ingress but no WAAS engine is available on the other end? Is it going to be dropped?
On the customer network I have a split tunnel internet. HTTP/S is directly going to the internet and all other traffic is traversing the VPN toward the datacenter. Does WAAS help out for internet traffic as well?
Obviously I should not forget to thank you for your willingness to help ! Really appreciate it.