cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
12462
Views
0
Helpful
10
Replies

ASA 5510 - WCCP Router Id

aresiusxp
Level 1
Level 1

I'm trying to create a WCCP connection between my Squid server (on 10.9.10.10 - inside LAN) and my ASA 5510 (inside: 10.9.254.1 - outside 201.234.x.x). WCCP/GRE tunnel works perfect, they see each other, i've seen I_See_You and Here_I_Am packets. The problem is that when ASA gets the packet, it redirects alright to the Squid but with the wrong ID, because it's using its outside IP which cannot be reached from inside.

I found out that Router ID is created using higher IP configured. I tried unassigning ip addresses in every interface except inside, creating WCCP web-cache, and it does work, but the moment i assign the rest of the interfaces IPs it takes outside IP as ID again.

Is there any way that this Router ID can be changed manually?

10 Replies 10

Panos Kampanakis
Cisco Employee
Cisco Employee

Unfortunately the id cannot be changed. It will always pick the high one.

You need to have the engine support it and have a route back to it through the ASA.

I hope it helps.

PK

Now that I think of it, if WCCP is working (I_See_You and Here_I_Am packets are going through), shouldn't everything be working?

"show wccp" statistics will show you redirect counters and if the engine is built properly.

If those look ok it is probably working.

Of course check if pages that the engine is set to block are actually blocked.

PK

Everything seems to be working in the ASA, but i can't get to any page. Not even Google, and there's no blocking there.

AR01-ASA01# sh wccp

Global WCCP information:

    Router information:

        Router Identifier:                   201.234.XX.XXX

        Protocol Version:                    2.0

    Service Identifier: web-cache

        Number of Cache Engines:             1

        Number of routers:                   1

        Total Packets Redirected:            857

        Redirect access-list:                SquidGRE

        Total Connections Denied Redirect:   0

        Total Packets Unassigned:            1

        Group access-list:                   -none-

        Total Messages Denied to Group:      0

        Total Authentication failures:       0

        Total Bypassed Packets Received:     0

Probably the problem is with the route id.

The HELLOS are exchanged, but probably the engine is rejecting the wccp GRE packets from the router id.

Also the wccp engine should be able to directly talk to the host that is browsing, you need to ensure that is allowed also.

I hope it helps.

PK

aresiusxp
Level 1
Level 1

Ok, first of all, thanks for replying every time. I really appreciate it.

So, probably i should configure Squid wccp server so it matches Router ID in ASA. But the problem is that i can't get to the public IP since ASA won't let me go through. How can I make it work?

Change your routing so that the traffic destined to the routing id hits the ASA inside.

I don't think that is your problem now.I believe that Squid ignores that router id.

PK

Ok, i'm starting to feel like a newbie.

How can i add a route like that? And where?

Squid is connected to Layer 3 switch Cisco 3560, which is connected to ASA.

Where should I add a route? and how? ip route xxx xx xx xx?

Upstream to your routing devices that are between wccp engine and ASA.

PK

Varun K S
Level 1
Level 1

Hi Patircio,

Can you let me know if this scenario was working for you. Because I have issue now.

Can you let me know what solved it.

Review Cisco Networking for a $25 gift card