cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4593
Views
4
Helpful
1
Comments
Pulkit Nagpal
Cisco Employee
Cisco Employee

 

 

 

 

Introduction

 

This document lists defects which should be taken care of before using WCCP in your network.

 

Requirements

 

There are no specific requirements for this document.

 

List of defects and related workaround

Release 12.2

 

DefectDescriptionFixed inWorkaround

CSCsd20327WCCP going up down12.2(18)SXF7There is no workaround

CSCsa77785

Router crashes when L2 redirection is configured with HTTP traffic12.2(18)SXF6

Use extended ACL or mask based Standard ACL for WCCP redirect ACL to avoid system crash

CSCse69713

Redirect traffic punted to software when all CEs in the group are lost

12.2(18)SXF6

Remove and re-enter the ip wccp webcache command

CSCsd28870

Entries from redirect acl list with log keyword not programmed into tcam

12.2(18)SXF5

Remove log keyword from wccp redirect list

CSCsb61021

IP Spoofed packets from CE are not hw switched with egress WCCP

12.2(18)SXF6

Use "ip wccp redirect-in" on both inbound and outbound interfaces

CSCsb21972

Tracebacks when both WCCP and Netflow are configured

12.2(18)SXF5

Disable one of the features

CSCeh85087

WCCP stops after a redirect list is configured.

12.2(18)SXF5

Do not configure explicit "deny ip any any " in WCCP redirect ACL. If the redirect has only one line "deny ip any any", there is no workaround

CSCeh56916

Router crashed due to WCCP going over allocated buffer.

12.2(18)SXF2

A possible workaround is to use Hash rather than Mask assignment for the service group.

Alternatively reduce the number of cache sin the service group.

CSCsb18740

High cpu utilisation with heavy WCCP-redirected traffic

12.2(18)SXF

No workaround

CSCsb26773

Cat6500 Sup720: Inbound ACL may cause WCCP redirection to fail

12.2(18)SXF

Add a line to the inbound ACL to permit traffic from switches WCCP Router ID to

all Cache engine IP address.

Example:

WCCP Router ID(can be retrieved from show ip

wccp): 10.1.1.1

Cache engine IP: 192.168.1.1

permit ip host 10.1.1.1 host 192.168.1.1

CSCec55429

wccp priority ignored by router

12.2(18)SXF

ensure that the service groups appear in the router configuration in priority order, highest priority first

CSCuk50878

Spurious memory access in wccp_srvc_grp_find

12.2(18)SXE2

There is no workaround

CSCsa67611

incoming mpls labelled packet might bypass output ACL lookup

12.2(18)SXE

disable and reapply all output features on the output interface and

output feature will start to work again

CSCeh13292

WCCP Multiple Configurations causes high CPU

12.2(18)SXE

Disable WCCP

CSCeb28941

IOS NAT and WCCP do not work together

12.2(18)SXE

Downgrade the systems to 12.2T if possible

 

Release 12.4

 

DefectDescriptionFixed inWorkaround

CSCsc65232

Crash observed using WCCP with redirect-lists

Release Pending

Do not use WCCP with redirect-lists

CSCsg30999

When using ip inspect along with wccp, outbound access ceases.

Release Pending

Disable wccp (or disconnect the cache) or remove the ip inspect statement.

CSCts49162

Netflow export wrong data with WCCP enabled

12.4T/15.1T

Do not configure WCCP with netflow.

CSCsu11069

WCCP router may reload if client interface line protocol goes down

12.4(15)T8

There is no workaround.

CSCsb89463

WCCP doesn't redirect packets with 'ip cef' enabled

12.4(5.2)T

Disable cef with the global command 'no ip cef' or disable cef on the interfaces where WCCP is configured. ALternatively, remove and re-apply the WCCP interface configurations.

CSCsj60365

WCCP packets, returned from a WCCP appliance for further processing, are forwarded as invalid/corrupt packets leading to hung TCP connections.

12.4(15)T2

Use CEF switching.

CSCsq64362

Running config for wccp has missing and duplicated services.

12.4(21.15)

When the problem is seen the symptom seen in the running config and "show ip wccp" output can be corrected by temporarily configuring a dummy WCCP service, e.g. "ip wccp 0" which can then be removed.

CSCsm39259

WCCP: closed mode web-cache service should ignore service ACL.

12.4(19.16)T1

Do not configure closed mode WCCP service with service ACL.

CSCeh76239

Web Cache Communication Protocol (WCCP) may fail.

12.4(2.11)T

When the ip inspect out command is enabled on the WCCP-redirected interface but the ip inspect in command is not configured on the client interface, configure a WCCP redirect list that excludes the address of the WCCP-redirected interface.

CSCsm32473

WCCP fails to redirect or causes high CPU load or causes a reload

12.4(19.3)T

If possible shutdown all but one of the equal cost paths prior to restarting the appliance. Alternatively remove the WCCP interface configuration (no ip wccp service redirect direction) before restarting the device.

 

Release 15.x

DefectDescriptionFixed inWorkaround

CSCum599317200 crash with DHCP suspending WCCP15.5(0.18)S0.7none

CSCuo94293

WCCP trace back with ISM-VPN15.5(0.9)T 15.5(1.2.1a)GB

Reload

CSCtz44141

Incorrect "complex WCCP access-list" error when configuring redirect ACL

15.2(3.10)T 15.3(0.4)S 15.2(3)T0.2

none

CSCtz61271

6500/7600: Ports not considered in permits in WCCP redirect-list

15.0(1)IA273.318 15.1(1)SY

Prepend the WCCP redirect ACL with "deny" entries for the undesired ports

CSCup94886

WCCP PI inform PD for assignment update even if the details are same

15.2(1)IC273.152 15.3(3)S3.11

Remove WCCP from interface

 

 

 

 

 

Related Information

 

 

Comments

Search

 

Remote Access VPN on ASA - Authentication using LDAP Server

Document

May 3, 2013 12:54 PM
2 years ago

 

 

 

Introduction

This document provides an example on how to Configure Remote Access VPN on ASA and do the Authentication using LDAP server

Prerequisites

ASA and LDAP server both should be reachable.
 

Components Used

1. ASA 8.2

2. LDAP (Microsoft)

Configuration Remote Access VPN on ASA

interface configuration:

hostname(config)# interface ethernet0
hostname(config-if)# ip address 10.10.4.200 255.255.0.0
hostname(config-if)# nameif outside
hostname(config)# no shutdown

Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface

hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha 
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside

Configuring an Address Pool

hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15

Adding a User

hostname(config)# username testuser password 12345678

Creating a Transform Set

hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac

Creating a Tunnel group

hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx

Creating a Dynamic crypto map

hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route

Creating a Crypto Map Entry to Use the Dynamic Crypto Map

hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside

Configuring LDAP server on the ASA

ciscoasa(config-aaa-server-group)#aaa-server LDAP (inside) host 192.168.1.2
ciscoasa(config-aaa-server-host)#ldap-base-dn dc=ftwsecurity, dc=cisco, dc=com
ciscoasa(config-aaa-server-host)#ldap-login-dn cn=admin, cn=users, dc=ftwsecurity, dc=cisco, dc=com
ciscoasa(config-aaa-server-host)#ldap-login-password **********
ciscoasa(config-aaa-server-host)#ldap-naming-attribute sAMAccountName
ciscoasa(config-aaa-server-host)#ldap-scope subtree
ciscoasa(config-aaa-server-host)#server-type microsoft
ciscoasa(config-aaa-server-host)#exit

Assigning LDAP server under tunnel group

ciscoasa(config)#tunnel-group testgroup general-attributes
ciscoasa(config-tunnel-general)#authentication-server-group LDAP

Verifcation

Test with CLI:

You can use the test command on the command line in order to test your AAA setup. A test  request is sent to the AAA server, and the result appears on the command line.

ciscoasa#test aaa-server authentication LDAP host 192.168.1.2
   username cisco password cisco123INFO: Attempting Authentication test to IP address <192.168.1.2>
   (timeout: 12 seconds)
INFO: Authentication Successful

Troubleshoot

If unsure of the current DN string to use, you can issue the dsquery command on a Windows Active Driectory server from a command prompt in  order to verify the appropriate DN String of a user object.

C:\Documents and Settings\Administrator>dsquery user -samid cisco!--- Queries Active Directory for samid id "cisco""CN=cisco,CN=Users,DC=ftwsecurity,DC=cisco,DC=com"

The debug ldap 255 command can help to troubleshoot authentication problems in this  scenario. This command enables LDAP debugging and allows you to watch  the process that the ASA uses to connect to the LDAP server.

Debug - Successful authentication

ciscoasa#debug ldap 255[7] Session Start
[7] New request Session, context 0xd4b11730, reqType = 1
[7] Fiber started
[7] Creating LDAP context with uri=ldap://192.168.1.2:389
[7] Connect to LDAP server: ldap://192.168.1.2:389, status = Successful
[7] defaultNamingContext: value = DC=ftwsecurity,DC=cisco,DC=com
[7] supportedLDAPVersion: value = 3
[7] supportedLDAPVersion: value = 2
[7] supportedSASLMechanisms: value = GSSAPI
[7] supportedSASLMechanisms: value = GSS-SPNEGO
[7] supportedSASLMechanisms: value = EXTERNAL
[7] supportedSASLMechanisms: value = DIGEST-MD5

!--- The ASA connects to the LDAP server for admin bind and search for cisco.
[7] Binding as administrator
[7] Performing Simple authentication for admin to 192.168.1.2
[7] LDAP Search:
        Base DN = [dc=ftwsecurity, dc=cisco, dc=com]
        Filter  = [sAMAccountName=cisco]
        Scope   = [SUBTREE]
[7] User DN = [CN=cisco,CN=Users,DC=ftwsecurity,DC=cisco,DC=com][7] Talking to Active Directory server 192.168.1.2
[7] Reading password policy for cisco, dn:CN=cisco,CN=Users,
       DC=ftwsecurity,DC=cisco,DC=com

!--- The ASA binds to the LDAP server as cisco to test the password.
[7] Binding as user
[7] Performing Simple authentication for kate to 192.168.1.2
[7] Checking password policy for user cisco
[7] Binding as administrator
[7] Performing Simple authentication for admin to 192.168.1.2
[7] Authentication successful for kate to 192.168.1.2
[7] Retrieving user attributes from server 192.168.1.2[7] Retrieved Attributes:
[7]     objectClass: value = top
[7]     objectClass: value = person
[7]     objectClass: value = organizationalPerson
[7]     objectClass: value = user
[7]     cn: value = cisco
[7]     givenName: value = cisco
[7]     distinguishedName: value = CN=cisco,CN=Users,DC=ftwsecurity,
           DC=cisco,DC=com
[7]     instanceType: value = 4
[7]     whenCreated: value = 20070815155224.0Z
[7]     whenChanged: value = 20070815195813.0Z
[7]     displayName: value = cisco
[7]     uSNCreated: value = 16430
[7]     memberOf: value = CN=Castaways,CN=Users,DC=ftwsecurity,DC=cisco,DC=com
[7]     memberOf: value = CN=Employees,CN=Users,DC=ftwsecurity,DC=cisco,DC=com
[7]     uSNChanged: value = 20500
[7]     name: value = cisco
[7]     objectGUID: value = ..z...yC.q0.....
[7]     userAccountControl: value = 66048
[7]     badPwdCount: value = 1
[7]     codePage: value = 0
[7]     countryCode: value = 0
[7]     badPasswordTime: value = 128321799570937500
[7]     lastLogoff: value = 0
[7]     lastLogon: value = 128321798130468750
[7]     pwdLastSet: value = 128316667442656250
[7]     primaryGroupID: value = 513
[7]     objectSid: value = ............Q..p..*.p?E.Z...
[7]     accountExpires: value = 9223372036854775807
[7]     logonCount: value = 0
[7]     sAMAccountName: value = cisco
[7]     sAMAccountType: value = 805306368
[7]     userPrincipalName: value = cisco@ftwsecurity.cisco.com
[7]     objectCategory: value = CN=Person,CN=Schema,CN=Configuration,
           DC=ftwsecurity,DC=cisco,DC=com
[7]     dSCorePropagationData&colon; value = 20070815195237.0Z
[7]     dSCorePropagationData&colon; value = 20070815195237.0Z
[7]     dSCorePropagationData&colon; value = 20070815195237.0Z
[7]     dSCorePropagationData&colon; value = 16010108151056.0Z
[7] Fiber exit Tx=685 bytes Rx=2690 bytes, status=1
[7] Session End

Debug - Authentication fails - Incorrect Password

ciscoasa#debug ldap 255[8] Session Start
[8] New request Session, context 0xd4b11730, reqType = 1
[8] Fiber started
[8] Creating LDAP context with uri=ldap://192.168.1.2:389
[8] Connect to LDAP server: ldap://192.168.1.2:389, status = Successful
[8] defaultNamingContext: value = DC=ftwsecurity,DC=cisco,DC=com
[8] supportedLDAPVersion: value = 3
[8] supportedLDAPVersion: value = 2
[8] supportedSASLMechanisms: value = GSSAPI
[8] supportedSASLMechanisms: value = GSS-SPNEGO
[8] supportedSASLMechanisms: value = EXTERNAL
[8] supportedSASLMechanisms: value = DIGEST-MD5

!--- The ASA connects to the LDAP server as admin to search for cisco.
[8] Binding as administrator
[8] Performing Simple authentication for admin to 192.168.1.2
[8] LDAP Search:
        Base DN = [dc=ftwsecurity, dc=cisco, dc=com]
        Filter  = [sAMAccountName=kate]
        Scope   = [SUBTREE]
[8] User DN = [CN=cisco,CN=Users,DC=ftwsecurity,DC=cisco,DC=com][8] Talking to Active Directory server 192.168.1.2
[8] Reading password policy for cisco, dn:CN=cisco,CN=Users,
       DC=ftwsecurity,DC=cisco,DC=com
[8] Read bad password count 1

!--- The ASA attempts to bind as cisco, but the password is incorrect.
[8] Binding as user
[8] Performing Simple authentication for kate to 192.168.1.2
[8] Simple authentication for cisco returned code (49) Invalid credentials[8] Binding as administrator
[8] Performing Simple authentication for admin to 192.168.1.2
[8] Reading bad password count for cisco, dn: CN=cisco,CN=Users,
       DC=ftwsecurity,DC=cisco,DC=com
[8] Received badPwdCount=1 for user cisco
[8] badPwdCount=1 before, badPwdCount=1 after for cisco
[8] now: Tue, 28 Aug 2007 15:33:05 GMT, lastset: Wed, 15 Aug 2007 15:52:24 GMT,
       delta=1122041, maxage=3710851 secs
[8] Invalid password for cisco
[8] Fiber exit Tx=788 bytes Rx=2904 bytes, status=-1
[8] Session End

Debug - Authentication Fail - User not found on LDAP server

ciscoasa#debug ldap 255[9] Session Start
[9] New request Session, context 0xd4b11730, reqType = 1
[9] Fiber started
[9] Creating LDAP context with uri=ldap://192.168.1.2:389
[9] Connect to LDAP server: ldap://192.168.1.2:389, status = Successful
[9] defaultNamingContext: value = DC=ftwsecurity,DC=cisco,DC=com
[9] supportedLDAPVersion: value = 3
[9] supportedLDAPVersion: value = 2
[9] supportedSASLMechanisms: value = GSSAPI
[9] supportedSASLMechanisms: value = GSS-SPNEGO
[9] supportedSASLMechanisms: value = EXTERNAL
[9] supportedSASLMechanisms: value = DIGEST-MD5

!--- The user Minakshi is not found.
[9] Binding as administrator
[9] Performing Simple authentication for admin to 192.168.1.2
[9] LDAP Search:
        Base DN = [dc=ftwsecurity, dc=cisco, dc=com]
        Filter  = [sAMAccountName=minakshi]
        Scope   = [SUBTREE]
[9] Requested attributes not found[9] Fiber exit Tx=256 bytes Rx=607 bytes, status=-1
[9] Session End

Please post comments if there are any queries and rate if useful.

 

Scenario 2:

Problem:

Is it possible to strip the suffix from a username to authenticate against an active directory in ACS 5.4? I can find this when using an external proxy service, but not for network access.

Solution:

Username suffix/prefix stripping is possible when using:
LDAP
Radius Identity server
External Proxy
With AD, the option is unavailable.
Self proxy + AD is a workaround but that has some limitations and is a complex configuration.

 

Source Discussion:

CSC Discussion:

 
 
expertadvisor20151 about 4 hours ago
 

To scale the performance of WAE devices and to provide high reliability, Cisco has a new feature called ITD. Please see ITD (Intelligent Traffic Director) White Paper.

Also, recent blog : Intelligent Traffic Director @ Cisco Live Milan

 

ITD Provides CAPEX and OPEX Savings for Customers

ITD (Intelligent Traffic Director) is a hardware based multi-Tbps Layer 4 load-balancing, traffic steering and clustering solution on Nexus 5K/6K/7K series of switches. It supports IP-stickiness, resiliency, NAT, (EFT), VIP, health monitoring, sophisticated failure handling policies, N+M redundancy, IPv4, IPv6, VRF, weighted load-balancing, bi-directional flow-coherency, and IPSLA probes including DNS.

ITD is much superior than legacy solutions like PBR, WCCP, ECMP, port-channel, layer-4 load-balancer appliances.

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Review Cisco Networking for a $25 gift card