
WCCP Service blocking DMVPN tunnels on Cisco ASR 1001

mshammans
Level 1

I am trying to configure WCCP on my routers in a DMVPN environment, in order to set up WAN optimization. The issue is that as soon as I activate the WCCP service on my ASR or any router at my remote sites with either 'ip wccp 98 group-list ACL' or 'ip wccp 98 redirect-list ACL' (I've tried both while troubleshooting), the DMVPN tunnels quit communicating back to my ASR1001 (DMVPN hub). As soon as I run a traceroute to what is specified in the ACL, the traffic gets lost. Anything not in that ACL is fine. This happens before I even apply it to an interface.

Has anyone run into this before?

Also, my ASR does have both of these configured, as I've seen recommended in other forums:

no ip wccp variable-timers

ip wccp check services all

and it is running wccp version 2 by default.

TAC couldn't figure it out and are digging for bugs, but I thought I'd jump on here as well. Any help is much appreciated.

3 Replies

Natalie Ramirez
Level 1

Is this WCCP redirection for WAAS? This is the WAAS forum. WAAS uses WCCP 61 and 62 by default.

Regardless,

WCCP 98 is for HTTP traffic on a port other than port 80, so I am assuming that this is a web caching or proxy server that you are redirecting to.

Let me take a shot in the dark here: WCCP 98 is redirecting non-port-80 traffic, both TCP and UDP. DMVPN requires the following protocols:

UDP Port 500—ISAKMP as source and destination

UDP Port 4500—NAT-T as a destination

IP Protocol 50—ESP

IP Protocol 51—AH (if AH is implemented)

IP Protocol 47—GRE

My guess would be that you need to exclude UDP ports 500 and 4500 from your ACL to ensure that you are not intercepting VPN tunnel traffic.
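
The exclusion suggested in the reply above, written out as a WCCP redirect-list (an added example, not part of the original reply or of the poster's configuration). The ACL names and the 10.10.0.0/16 LAN range are assumed placeholders; in a redirect-list, traffic matching a deny entry is left unredirected.

```cisco
! Constructed example. ACL names and the 10.10.0.0/16 range are placeholders.
!
! Too broad: every IP protocol matches, including the DMVPN protocols listed above.
ip access-list extended WCCP-REDIRECT-BROAD
 permit ip any any
!
! Narrowed: exclude the DMVPN/IPsec protocols first, then permit only
! the LAN traffic that is meant to reach the optimizer.
ip access-list extended WCCP-REDIRECT
 remark Leave ISAKMP, NAT-T, ESP, AH and GRE unredirected
 deny   udp any eq isakmp any eq isakmp
 deny   udp any any eq non500-isakmp
 deny   esp any any
 deny   ahp any any
 deny   gre any any
 remark Redirect only the assumed LAN range
 permit ip 10.10.0.0 0.0.255.255 any
!
ip wccp 98 redirect-list WCCP-REDIRECT
```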

ahskhan
Cisco Employee

Hello,

There are no known issues with DMVPN, WCCP and redirect applied for WCCP intercept. I would need a lot more data to analyze and to see what is wrong here. Let's start with some simple questions.

1: What WCCP client is running WCCP with the ASR? (IronPort, ACNS?)

2: Does this issue happen when WCCP is configured globally but no redirect is applied on interfaces?

3: What TCP / UDP services are asked for by the WCCP client for redirect?

4: It is important to understand where WCCP redirects are applied, on the tunnel interface or on the physical interface.

Better if you can provide a topology and show techs, but answers to the above may hold the key. Thanks.

Ahsan

Beau - thanks, I'll give that a shot too and let you know.

Ahsan -

1. It's a VM-based WAN optimization client called Certeon.

2. Yes. This happens as soon as WCCP is enabled globally, before I even apply it to an interface.

3. No specific services are being sent during WCCP negotiation

4. Eventually we will apply WCCP to the inside physical interface

Topology is standard on my sites with: Internet->Router->Switch