12-19-2011 09:41 PM
Hello,
I seem to be having a lot of trouble with a very simple implementation. I have 2 routers and a data centre WAE via WCCP. These devices are on the same L2/L3 segment (x.x.x.0/24). The WAN interfaces on the routers are in different networks. The remote WAE is inline. I configured ip wccp 61 redirect in on the LAN interface of each router and ip wccp 62 redirect in on the WAN interface of each router. I get the alarm "WCCP router x.x.x.1(LAN) unusable for service id:61 reason redirection mismatch with router" and "WCCP router x.x.x.1(LAN) unusable for service id:62 reason redirection mismatch with router". For the WAN interfaces I get the alarm they are unreachable for the service ID.
Standard router config
ip wccp version 2
ip wccp 61
ip wccp 62
int gi0/0
description LAN
ip address x.x.x.1
ip wccp 61 redirect in
int gi0/1
description WAN
ip address y.y.y.1
ip wccp 62 redirect in
Should I only be trapping inbound traffic on the LAN interface?
The other thing I noticed was these messages from the PIX on the same L2/L3 segment
Dec 20 2011 05:49:52: %PIX-2-106006: Deny inbound UDP from WADMZJA02/2048 to IROUTER1/2048 on interface outside
Dec 20 2011 05:49:52: %PIX-2-106006: Deny inbound UDP from WADMZJA02/2048 to IROUTER2/2048 on interface outside
Dec 20 2011 05:49:52: %PIX-2-106006: Deny inbound UDP from WADMZJA02/2048 to IROUTER1/2048 on interface outside
Dec 20 2011 05:49:52: %PIX-2-106006: Deny inbound UDP from WADMZJA02/2048 to IROUTER2/2048 on interface outside
Access list
access-list outside_access_in extended permit udp host WADMZJA02 host IROUTER1 log notifications
access-list outside_access_in extended permit udp host WADMZJA02 host IROUTER2 log notifications
access-list outside_access_in extended permit udp host IROUTER1 host WADMZJA02 log notifications
access-list outside_access_in extended permit udp host IROUTER2 host WADMZJA02 log notifications
Best regards
Stephen
WAE config
sh run
2011 Dec 20 07:06:27 WADMZJA02 -admin-shell: %WAAS-PARSER-6-350232: CLI_LOG log_cli_command: sh run
! waas-universal-k9 version 4.3.1 (build b6 Nov 13 2010)
!
device mode application-accelerator
!
!
hostname WADMZJA02
!
clock timezone Europe/Brussels 1 0
!
!
ip domain-name fibe.fortis
!
!
!
primary-interface GigabitEthernet 1/0
!
!
!
interface GigabitEthernet 1/0
ip address x.x.x.248 255.255.255.0
exit
interface GigabitEthernet 2/0
shutdown
exit
!
!
ip default-gateway x.x.x.4 <== firewall
!
no auto-register enable
!
! ip path-mtu-discovery is disabled in WAAS by default
!
! <== traffic to be rerouted outbound ==>
ip route a.a.a.0 255.255.255.0 x.x.x.1 <== Outbound HSRP
!
ip access-list extended HK
permit ip any 0.0.0.0 255.255.255.0
exit
!
!
logging console enable
logging console priority debug
!
!
interception access-list HKWAAS
!
!
wccp router-list 1 z.z.z.202 y.y.y.122 x.x.x.1 x.x.x.2 x.x.x.3
wccp tcp-promiscuous router-list-num 1 hash-source-ip hash-destination-ip l2-redirect l2-return
wccp version 2
!
egress-method negotiated-return intercept-method wccp
!
ip icmp rate-limit unreachable df 0
!
directed-mode enable
!
!
transaction-logs flow enable
!
!
!
!
inetd enable rcp
!
!
sshd allow-non-admin-users
sshd enable
!
!
!
tfo tcp optimized-send-buffer 2048
tfo tcp optimized-receive-buffer 2048
!
accelerator http metadatacache enable
accelerator http metadatacache https enable
accelerator http dre-hints enable
!
!
!
!
central-manager address x.x.x.247
cms enable
!
!
!
!
!
!
! End of WAAS configuration
12-20-2011 01:11 AM
Hi Stephen,
The "Redirection mismatch" messages indicate that the redirection or return method configured on the WAE is not compatible with the router. Probably, the routers you are using don't support L2 redirection.
Moving forward, I would recommend you to change the line "wccp tcp-promiscuous router-list-num 1 hash-source-ip hash-destination-ip l2-redirect l2-return" for "wccp tcp-promiscuous router-list-num 1". This will negotiate hash assignment, as well as GRE redirection and return, which are the parameters supported by most platforms.
As for the firewall messages, it seems that some WCCP negotiation packets (UDP port 2048) are being dropped. Unfortunately, my firewall knowledge is very limited, so I cannot really help you with that part.
Regards
Daniel
12-20-2011 11:24 AM
Hi Stephen,
It looks to me as if your firewall is blocking / dropping packets on port 2048. Please make sure the firewall is allowing traffic between the WAE and the WCCP routers through the firewall over UDP port 2048, bidirectionally.
As Daniel mentioned above, open up the WCCP configuration on the WAE so it negotiates whatever the router supports. You can find more details on router-supported WCCP parameters at this link:
http://www.cisco.com/en/US/prod/collateral/contnetw/ps5680/ps6870/white_paper_c11-608042.html
Take care.
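A way to confirm from the firewall log which WAE-to-router pairs are losing WCCP control traffic, as an added example that is not part of the original thread: it parses the `106006` deny messages in the format quoted in the first post and counts those on UDP port 2048. The function names are hypothetical, and the last two sample lines are constructed for contrast.

```python
import re
from collections import Counter

WCCP_PORT = 2048  # UDP port the replies identify as WCCP negotiation traffic

# Matches the %PIX-2-106006 message format quoted in the original post
# (ASA software logs the same message id with an %ASA prefix).
DENY_RE = re.compile(
    r"%(?:PIX|ASA)-\d-106006: Deny inbound UDP from "
    r"(?P<src>[^/\s]+)/(?P<sport>\d+) to (?P<dst>[^/\s]+)/(?P<dport>\d+) "
    r"on interface (?P<ifc>\S+)"
)

# First four lines are from the post; the last two are constructed samples.
SAMPLE_LOG = [
    "Dec 20 2011 05:49:52: %PIX-2-106006: Deny inbound UDP from WADMZJA02/2048 to IROUTER1/2048 on interface outside",
    "Dec 20 2011 05:49:52: %PIX-2-106006: Deny inbound UDP from WADMZJA02/2048 to IROUTER2/2048 on interface outside",
    "Dec 20 2011 05:49:52: %PIX-2-106006: Deny inbound UDP from WADMZJA02/2048 to IROUTER1/2048 on interface outside",
    "Dec 20 2011 05:49:52: %PIX-2-106006: Deny inbound UDP from WADMZJA02/2048 to IROUTER2/2048 on interface outside",
    "Dec 20 2011 05:50:01: %PIX-2-106006: Deny inbound UDP from WADMZJA02/53124 to IROUTER1/53 on interface outside",
    "Dec 20 2011 05:50:02: %PIX-6-302015: Built outbound UDP connection (constructed, unrelated message)",
]


def denied_wccp_flows(lines, port=WCCP_PORT):
    """Count denied UDP flows where either endpoint uses the WCCP port."""
    flows = Counter()
    for line in lines:
        m = DENY_RE.search(line)
        if m is None:
            continue  # not a 106006 UDP deny
        if port in (int(m["sport"]), int(m["dport"])):
            flows[(m["src"], m["dst"], m["ifc"])] += 1
    return flows


def summarize(flows):
    """Return (src, dst, interface, count) rows, most frequent first."""
    return sorted(((s, d, i, n) for (s, d, i), n in flows.items()),
                  key=lambda row: (-row[3], row[0], row[1]))


if __name__ == "__main__":
    for src, dst, ifc, count in summarize(denied_wccp_flows(SAMPLE_LOG)):
        print(f"{count:3d} denied WCCP packets {src} -> {dst} on {ifc}")
```

After a firewall rule change, an empty result over a fresh log window means the UDP 2048 exchange is no longer being dropped in that direction.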