03-21-2012 03:59 PM
Hi guys
Today I got a customer that installed a WAE device on its LAN environment.
Basically, their engineering team, for some reason, did not allow it to be directly connected to our router, so we have the WAE device on a different VLAN from the router subnet.
The router has WCCP enabled on it, but with no communication with the WAE.
Topology:
WAAS----SWITCH----ROUTER----WAN
This is a multilayer switch and it has several VLANs.
There is a /30 between the router and the switch (like a transit vlan).
So the WAE is a layer 3 hop away from the router's interface which has WCCP on it.
The WAE is reachable, and it seems to be a problem related to WCCP and how it is currently configured.
Router is a 2801
WAAS is a WAE-674-K9
I heard that this should be solved with the egress-method, however I am not sure how to configure it and if I need to create a tunnel interface and so on...
The router is already in production so I want to avoid impact. I want to make sure about the configs before applying anything.
If possible, please, let me know the steps to do it and references.
Thanks in advance
Some info:
Under the LAN interface (connected to the switch):
ip wccp 61 redirect in
Under the WAN interface (connected to the provider edge):
ip wccp 62 redirect in
sh ip wccp output:
Global WCCP information:
Router information:
Router Identifier: -not yet determined-
Protocol Version: 2.0
Service Identifier: 61
Number of Cache Engines: 0
Number of routers: 0
Total Packets Redirected: 0
Process: 0
Fast: 0
CEF: 0
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
Service Identifier: 62
Number of Cache Engines: 0
Number of routers: 0
Total Packets Redirected: 0
Process: 0
Fast: 0
CEF: 0
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
WAAS:
wccp router-list 1 10.122.1.2 (this is the switch's SVI)
wccp version 2
thanks in advance
03-21-2012 04:12 PM
Hi ,
Is the LAN interface the same as for the WAE link?
Dan
03-22-2012 07:24 AM
It is on a different one, separated by a layer 3 hop.
There is a /30 between the router's LAN interface and the switch (like a transit VLAN).
The WAE is within another subnet.
Regards
03-22-2012 07:48 AM
If you are using the Layer 2 redirect mode, you will need a layer 2 connection (VLAN) between the router and the WAE.
Also, I think that you have to enable this on the WAE:
wccp tcp-promiscuous router-list 1
Regards
Dan
03-22-2012 07:49 AM
Hi,
You don't have to define any tunnels.
Configuring the egress method is done with this command:
egress-method negotiated-return intercept-method wccp
This will encapsulate the "response" from the WAAS into a GRE tunnel and return it to the IP address where it came from, i.e. back to the router.
The router will GRE encapsulate the redirected packet in order to forward the packet to a non-L3 adjacent WAAS.
However, I don't think this is the original problem here, since the router apparently doesn't see the WCCP hello packets from the WAAS ("Number of Cache Engines: 0").
You should set the IP address in the router-list to the "closest" IP address on the router and not on the switch, as this is the IP address the WAAS sends the WCCP "Hello" to.
Best regards
Finn Poulsen
03-26-2012 01:05 PM
Thanks guys.
I had no chance to apply the configs yet. The commands are not permitted in configuration mode (tcp-promiscuous and egress-method).
I guess I have to upgrade everything since they have just plugged them into the network.
They are all seeing the CM.
Below, the boxes and software version.
CM:
WAVE-274-K9
oe274-4.1.5c.17
WAAS-4.1.5c-b17
WAE (this is the one that WCCP does not communicate with the router):
WAE-674-K9
ce674-5.5.15.2
ACNS-5.5.15-b2
WAE (module - this is working, but I want to upgrade):
NME-WAE-502-K9
nme-wae-502-4.3.3.14
WAAS-4.3.3-b14
I need to upgrade all the equipment in order to have everything on the same version. Then, I will try to change the egress mode and anything else needed.
What is the version you guys recommend for all of them?
Is the CM a different software than the others?
I have the software waas-universal-4.3.1.6-k9.bin, which I used to upgrade the branch equipment for a different customer. Does this work for the CM as well?
I really appreciate your help.
Thanks in advance
03-27-2012 01:01 AM
Ohh,
Your WAE-674 does not run WAAS but ACNS:
WAE (this is the one that WCCP does not communicate with the router):
WAE-674-K9
ce674-5.5.15.2
ACNS-5.5.15-b2
Use the rescue disk supplied with the device, or download one from CCO.
On the rescue disk menu, use the following menu items:
Install flash cookie
Wipe disks and install .bin image
Check this guide :
The CM has to be the newest version, but it is advisable to use the same everywhere.
Take a newer version and the universal image will install everywhere (CM or Accelerator).
Best regards
Finn Poulsen
03-27-2012 08:10 AM
Thanks again for the quick response.
So, I could use the universal for both CM and the WAE.
And, for the one with ACNS, I should download the rescue disk to get a WAAS image, correct? Then, I can upgrade with the WAAS image I want as well, like the universal one.
Maybe this box was in use by another customer and we should use WAAS.
Does the ftp command for upgrade (the WAAS upgrade process) work on the ACNS to upgrade to a WAAS image?
thanks again
03-27-2012 10:41 AM
Never mind.
I am reading the documentation.
I will let you guys know if I did it successfully.
03-29-2012 06:17 PM
I could upgrade from ACNS to WAAS. I used the Rescue CD for the version waas-4.4.5.5-K9.
Now, I have all the WAEs running the same OS, including the CM.
All are registered in the CM with no alarms.
When I activated WCCP, I got some loss of connection (to the router and WAAS). The ping was fine, the snmpwalk that I ran on my monitoring server was fine, but telnet, for example, was not working anymore.
Not sure if this could be anything related to WAFS, since the legacy CIFS is not supported anymore. I see that the CIFS acceleration is enabled.
If so, how can I solve this?
Should I use "ip wccp redirect exclude in" on the router's interface?
I heard that using egress-method could cause high CPU utilization.
I did notice two spikes in the router, but they were really fast. And if this was the case, snmp, ping and telnet should all not work.
Could it be something in the CM instead of that WAAS?
This is the router's log during that time:
*Mar 30 01:11:19.894: %WCCP-5-CACHEFOUND: Web Cache XX.XX.XX.XX acquired
*Mar 30 01:11:19.894: %WCCP-5-CACHEFOUND: Web Cache XX.XX.XX.XX acquired
*Mar 30 01:12:05.880: %WCCP-1-CACHELOST: Web Cache XX.XX.XX.XX lost
*Mar 30 01:12:07.892: %WCCP-5-CACHEFOUND: Web Cache XX.XX.XX.XX acquired
*Mar 30 01:12:53.889: %WCCP-1-CACHELOST: Web Cache XX.XX.XX.XX lost
*Mar 30 01:12:55.901: %WCCP-5-CACHEFOUND: Web Cache XX.XX.XX.XX acquired
*Mar 30 01:13:55.901: %WCCP-1-CACHELOST: Web Cache XX.XX.XX.XX lost
*Mar 30 01:13:57.913: %WCCP-5-CACHEFOUND: Web Cache XX.XX.XX.XX acquired
*Mar 30 01:14:55.917: %WCCP-1-CACHELOST: Web Cache XX.XX.XX.XX lost
*Mar 30 01:14:57.925: %WCCP-5-CACHEFOUND: Web Cache XX.XX.XX.XX acquired
*Mar 30 01:16:07.928: %WCCP-1-CACHELOST: Web Cache XX.XX.XX.XX lost
*Mar 30 01:16:09.936: %WCCP-5-CACHEFOUND: Web Cache XX.XX.XX.XX acquired
*Mar 30 01:16:55.938: %WCCP-1-CACHELOST: Web Cache XX.XX.XX.XX lost
*Mar 30 01:16:57.945: %WCCP-5-CACHEFOUND: Web Cache XX.XX.XX.XX acquired
*Mar 30 01:17:53.946: %WCCP-1-CACHELOST: Web Cache XX.XX.XX.XX lost
*Mar 30 01:17:55.950: %WCCP-5-CACHEFOUND: Web Cache XX.XX.XX.XX acquired
*Mar 30 01:18:55.958: %WCCP-1-CACHELOST: Web Cache XX.XX.XX.XX lost
*Mar 30 01:18:57.962: %WCCP-5-CACHEFOUND: Web Cache XX.XX.XX.XX acquired
*Mar 30 01:20:07.969: %WCCP-1-CACHELOST: Web Cache XX.XX.XX.XX lost
*Mar 30 01:20:09.976: %WCCP-5-CACHEFOUND: Web Cache XX.XX.XX.XX acquired
*Mar 30 01:20:55.978: %WCCP-1-CACHELOST: Web Cache XX.XX.XX.XX lost
*Mar 30 01:20:57.982: %WCCP-5-CACHEFOUND: Web Cache XX.XX.XX.XX acquired
*Mar 30 01:22:03.985: %WCCP-1-CACHELOST: Web Cache XX.XX.XX.XX lost
*Mar 30 01:22:05.993: %WCCP-5-CACHEFOUND: Web Cache XX.XX.XX.XX acquired
*Mar 30 01:22:51.995: %WCCP-1-CACHELOST: Web Cache XX.XX.XX.XX lost
*Mar 30 01:22:53.999: %WCCP-5-CACHEFOUND: Web Cache XX.XX.XX.XX acquired
Any suggestions and advice?
Here is the current config (SEE MORE IN THE ATTACHED FILE):
wccp router-list 1 XX.XX.XX.XX
wccp tcp-promiscuous service-pair 61 62 failure-detection 30
wccp tcp-promiscuous service-pair 61 62 router-list-num 1
!
egress-method negotiated-return intercept-method wccp
cms enable
Some show outputs:
XXXX-WAAS#sh acc
Accelerator Licensed Config State Operational State
----------- -------- ------------ -----------------
cifs Yes Enabled Running
epm Yes Enabled Running
http Yes Enabled Running
mapi Yes Enabled Running
nfs Yes Enabled Running
ssl Yes Enabled Running
video No Enabled Shutdown
XXXX-WAAS#sh cms in
Device registration information :
Device Id = 318
Device registered as = WAAS Application Engine
Current WAAS Central Manager = XX.XX.XX.XX
Registered with WAAS Central Manager = XX.XX.XX.XX
Status = Online
Time of last config-sync = Thu Mar 29 21:52:45 2012
CMS services information :
Service cms_ce is running
I need to get this in production tomorrow :/
I really appreciate your help.
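An added example, not part of the original posts: a small Python parser for the %WCCP-5-CACHEFOUND / %WCCP-1-CACHELOST lines in the router log above, measuring how long each acquisition lasted and how long the cache stayed lost. The sample lines are copied from that log; the function names are illustrative.

```python
import re
from datetime import datetime

# First lines of the router log quoted in the post above (addresses already masked).
SAMPLE_LOG = """\
*Mar 30 01:11:19.894: %WCCP-5-CACHEFOUND: Web Cache XX.XX.XX.XX acquired
*Mar 30 01:11:19.894: %WCCP-5-CACHEFOUND: Web Cache XX.XX.XX.XX acquired
*Mar 30 01:12:05.880: %WCCP-1-CACHELOST: Web Cache XX.XX.XX.XX lost
*Mar 30 01:12:07.892: %WCCP-5-CACHEFOUND: Web Cache XX.XX.XX.XX acquired
*Mar 30 01:12:53.889: %WCCP-1-CACHELOST: Web Cache XX.XX.XX.XX lost
*Mar 30 01:12:55.901: %WCCP-5-CACHEFOUND: Web Cache XX.XX.XX.XX acquired
*Mar 30 01:13:55.901: %WCCP-1-CACHELOST: Web Cache XX.XX.XX.XX lost
*Mar 30 01:13:57.913: %WCCP-5-CACHEFOUND: Web Cache XX.XX.XX.XX acquired
"""

LINE_RE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d+): "
    r"%WCCP-\d-(?P<event>CACHEFOUND|CACHELOST): Web Cache (?P<cache>\S+)"
)

def parse_events(text):
    """Return [(timestamp, event, cache)] for every WCCP cache state message."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a WCCP cache found/lost line
        # The log carries no year; strptime's default year is fine for deltas.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S.%f")
        events.append((ts, m["event"], m["cache"]))
    return events

def flap_report(events):
    """Return (up, down): seconds each cache stayed acquired, and seconds it stayed lost."""
    up, down = [], []
    state = {}  # cache address -> (last event, time of that event)
    for ts, event, cache in events:
        prev = state.get(cache)
        if prev and prev[0] == event:
            continue  # repeated message of the same kind; keep the first timestamp
        if prev:
            delta = round((ts - prev[1]).total_seconds(), 3)
            (up if event == "CACHELOST" else down).append(delta)
        state[cache] = (event, ts)
    return up, down

if __name__ == "__main__":
    up, down = flap_report(parse_events(SAMPLE_LOG))
    print("seconds acquired before each loss:", up)
    print("seconds lost before each reacquire:", down)
```

On these lines the cache stays acquired for roughly 46 to 60 seconds and is reacquired about 2 seconds after every loss, a regular flap rather than a single outage.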
03-31-2012 08:36 PM
Last Friday I was analysing the situation.
Not sure, but I think this could be related to the WCCP using GRE.
Since WCCP is using GRE, it uses the router ID elected by WCCP as the destination to return the traffic to the router.
The WCCP router ID is the highest loopback address. If there is no loopback interface, it gets the highest IP address of the active interfaces.
In my case, it's the loopback address, and the switch does not have a route to the router's loopback.
This could explain why the behavior was the same using the default egress-method or GRE.
I will try to change it and run another test.