05-18-2010 07:19 AM - edited 03-11-2019 10:47 AM
I'm trying to create a WCCP connection between my Squid server (on 10.9.10.10 - inside LAN) and my ASA 5510 (inside: 10.9.254.1 - outside 201.234.x.x). The WCCP/GRE tunnel works perfectly, they see each other, I've seen I_See_You and Here_I_Am packets. The problem is that when the ASA gets the packet, it redirects alright to the Squid but with the wrong ID, because it's using its outside IP, which cannot be reached from inside.
I found out that the Router ID is created using the highest IP configured. I tried unassigning IP addresses on every interface except inside, creating the WCCP web-cache, and it does work, but the moment I assign the rest of the interfaces' IPs it takes the outside IP as ID again.
Is there any way that this Router ID can be changed manually?
05-18-2010 09:51 AM
Unfortunately the id cannot be changed. It will always pick the high one.
You need to have the engine support it and have a route back to it through the ASA.
I hope it helps.
PK
05-18-2010 10:01 AM
Now that I think of it, if WCCP is working (I_See_You and Here_I_Am packets are going through), shouldn't everything be working?
05-18-2010 10:04 AM
"show wccp" statistics will show you redirect counters and if the engine is built properly.
If those look ok it is probably working.
Of course check if pages that the engine is set to block are actually blocked.
PK
05-18-2010 10:27 AM
Everything seems to be working in the ASA, but I can't get to any page. Not even Google, and there's no blocking there.
AR01-ASA01# sh wccp
Global WCCP information:
Router information:
Router Identifier: 201.234.XX.XXX
Protocol Version: 2.0
Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 857
Redirect access-list: SquidGRE
Total Connections Denied Redirect: 0
Total Packets Unassigned: 1
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
05-18-2010 10:39 AM
Probably the problem is with the route id.
The HELLOS are exchanged, but probably the engine is rejecting the wccp GRE packets from the router id.
Also the wccp engine should be able to directly talk to the host that is browsing, you need to ensure that is allowed also.
I hope it helps.
PK
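The checks discussed in the posts above, as an added example that is not part of the original thread: a small Python script that parses `show wccp` output and reports whether the router ID falls outside the networks the cache can reach. The sample output is constructed (203.0.113.7 stands in for the masked outside address), and the 10.9.0.0/16 inside prefix and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's output; 203.0.113.7 is a
# documentation address standing in for the masked outside IP.
SAMPLE = """\
Global WCCP information:
    Router information:
        Router Identifier:                   203.0.113.7
        Protocol Version:                    2.0
    Service Identifier: web-cache
        Number of Cache Engines:             1
        Total Packets Redirected:            857
        Redirect access-list:                SquidGRE
"""

def parse_show_wccp(text):
    """Return {field: value} for each 'Field: value' line; bare headings are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(\S.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def diagnose(text, inside_nets):
    """List findings; inside_nets are the prefixes the cache can reach (assumed)."""
    f = parse_show_wccp(text)
    nets = [ipaddress.ip_network(n) for n in inside_nets]
    findings = []
    if int(f.get("Number of Cache Engines", "0")) == 0:
        findings.append("no cache engine has registered with the ASA")
    try:
        rid = ipaddress.ip_address(f.get("Router Identifier", ""))
    except ValueError:
        findings.append("router ID missing or unparsable (masked?)")
    else:
        if not any(rid in n for n in nets):
            findings.append(f"router ID {rid} is outside the inside networks: "
                            "the cache needs a route to it via the ASA inside interface")
    if int(f.get("Total Packets Redirected", "0")) > 0:
        findings.append("ASA is redirecting; check the cache side")
    return findings

if __name__ == "__main__":
    for line in diagnose(SAMPLE, ["10.9.0.0/16"]):  # /16 is an assumed inside prefix
        print("-", line)
```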
05-18-2010 11:01 AM
Ok, first of all, thanks for replying every time. I really appreciate it.
So, probably I should configure the Squid WCCP server so it matches the Router ID in the ASA. But the problem is that I can't get to the public IP since the ASA won't let me go through. How can I make it work?
05-18-2010 11:42 AM
Change your routing so that the traffic destined to the routing id hits the ASA inside.
I don't think that is your problem now. I believe that Squid ignores that router id.
PK
05-19-2010 05:26 AM
Ok, I'm starting to feel like a newbie.
How can I add a route like that? And where?
Squid is connected to a Layer 3 switch, a Cisco 3560, which is connected to the ASA.
Where should I add a route? And how? ip route xxx xx xx xx?
05-19-2010 05:56 AM
Upstream to your routing devices that are between wccp engine and ASA.
PK
10-24-2013 11:57 PM
Hi Patricio,
Can you let me know if this scenario was working for you? Because I have an issue now.
Can you let me know what solved it?