ASA 5520 WCCP router ID

ivanka_busta
Level 1

I have configured WCCP in an ASA 5520 to work with a McAfee Web Gateway (MWG). However, it's not working as I can't see any website, even the ones which are permitted by the MWG.

I enclose my network topology and the traffic I can see in the ASA. I think that my problem is similar to the one described in: https://supportforums.cisco.com/discussion/10903396/asa-5510-wccp-router-id but I'm not sure and I don't know how to apply the solution proposed there to my topology.

To sum up, my situation is that I can see 'Here I am' and 'I see you' packets between ASA and MWG. However, the traffic that is redirected from the ASA to the MWG in GRE packets has as source IP the outside IP of the ASA which cannot be reached from inside.


Thanks for your help,

3 Replies

Richard Burts
Hall of Fame

I looked into this recently when a customer was thinking about using WCCP on their ASA. Unfortunately, when Cisco implemented WCCP on the ASA they took some shortcuts that are not present in the implementation of WCCP on IOS routers. One of those shortcuts is to always pick the highest IP address as the WCCP router ID. There is no way to override this or to manually specify the address for the router ID, and in some cases that choice does seem to create problems. It sounds like you may have that problem. I have looked at the discussion in the link that you provide and do not fully understand how the suggestion to change routing would address the issue.


I must admit that I am not sure why the choice of router ID creates the problem. Your MWG will receive GRE encapsulated packets from that address but will not send any packets to that address. Another thing that Cisco did in implementing WCCP on the ASA is that the GRE encapsulated traffic is strictly one way (ASA to filtering device), and there is no return traffic using GRE to the ASA. The packet capture in your post does show a GRE encapsulated packet with the source address as the ASA router ID and the destination address as the MWG, as expected. However, if you say that it does create a problem then obviously it does. I wonder if it would help the situation if you could create a new VLAN on the ASA, give it an address higher than your ASA outside interface address, and associate the VLAN with something routable inside?


HTH

Rick
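The reply above makes two claims a practitioner would want to check against a capture: the GRE source is the ASA's highest interface address (the router ID), and the GRE traffic is one way, so the cache never needs to send GRE back to that address. The following is an added example, not code from the thread or from Cisco or McAfee: it builds a constructed WCCP GRE redirect (outer IP, GRE with protocol type 0x883E, the four-byte WCCP redirect header, then the client's original packet), decodes it, and reports whether the source matches the predicted router ID and whether the cache has any route back to it. The interface addresses, client and server addresses, and the MWG's route list are invented for the example; only 10.250.2.33 (the MWG address) is taken from the thread. The redirect header layout (dynamic flag, alt-bucket flag, service ID, alt bucket, primary bucket) follows the WCCPv2 Internet-Draft as I read it; confirm it against your own capture.

```python
import ipaddress
import struct

IPPROTO_GRE = 47
IPPROTO_TCP = 6
WCCP_GRE_PROTO = 0x883E  # GRE protocol type carried by WCCP-redirected packets


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    s = sum(struct.unpack('!%dH' % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, DF set) with a valid checksum."""
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack('!H', ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(buf: bytes) -> dict:
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack('!BBHHHBBH4s4s', buf[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError('not IPv4')
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(buf[:ihl]) != 0:
        raise ValueError('bad IPv4 header checksum')
    return {'src': ipaddress.IPv4Address(src), 'dst': ipaddress.IPv4Address(dst),
            'proto': proto, 'payload': buf[ihl:total_len]}


def build_wccp_gre(router_id: str, cache_ip: str, service_id: int, inner_packet: bytes,
                   primary_bucket: int = 0, alt_bucket: int = 0, dynamic: bool = False) -> bytes:
    """Outer IP(GRE) -> GRE header (no flags, proto 0x883E) -> WCCP redirect header -> inner IP."""
    gre = struct.pack('!HH', 0, WCCP_GRE_PROTO)
    redirect = (int(dynamic) << 31) | (service_id << 16) | (alt_bucket << 8) | primary_bucket
    return build_ipv4(router_id, cache_ip, IPPROTO_GRE, gre + struct.pack('!I', redirect) + inner_packet)


def parse_wccp_gre(buf: bytes) -> dict:
    outer = parse_ipv4(buf)
    if outer['proto'] != IPPROTO_GRE:
        raise ValueError('outer packet is not GRE')
    gre = outer['payload']
    flags_ver, proto_type = struct.unpack('!HH', gre[:4])
    if proto_type != WCCP_GRE_PROTO:
        raise ValueError('GRE payload is not WCCP (0x883E)')
    off = 4
    if flags_ver & 0x8000:  # checksum + reserved present
        off += 4
    if flags_ver & 0x2000:  # key present
        off += 4
    if flags_ver & 0x1000:  # sequence number present
        off += 4
    redirect, = struct.unpack('!I', gre[off:off + 4])
    inner = parse_ipv4(gre[off + 4:])
    dst_port = struct.unpack('!HH', inner['payload'][:4])[1] if inner['proto'] == IPPROTO_TCP else None
    return {'router_id': outer['src'], 'cache': outer['dst'],
            'dynamic': bool(redirect >> 31), 'alt_bucket_used': bool((redirect >> 30) & 1),
            'service_id': (redirect >> 16) & 0xFF, 'alt_bucket': (redirect >> 8) & 0xFF,
            'primary_bucket': redirect & 0xFF,
            'client': inner['src'], 'server': inner['dst'], 'inner_proto': inner['proto'],
            'dst_port': dst_port}


def expected_asa_router_id(interface_ips) -> ipaddress.IPv4Address:
    """Per the reply above, the ASA uses its numerically highest interface address as router ID."""
    return max(ipaddress.IPv4Address(ip) for ip in interface_ips)


def check_redirect(pkt: bytes, asa_interface_ips, cache_ip: str, cache_routes) -> dict:
    """Decode one redirected packet and report the checks a capture should answer.
    cache_routes: prefixes the cache can reach (use 0.0.0.0/0 if it has a default route)."""
    r = parse_wccp_gre(pkt)
    nets = [ipaddress.IPv4Network(n) for n in cache_routes]
    return {'decoded': r,
            'source_is_router_id': r['router_id'] == expected_asa_router_id(asa_interface_ips),
            'delivered_to_cache': r['cache'] == ipaddress.IPv4Address(cache_ip),
            # False here is the situation in the thread: GRE arrives from an address the
            # cache cannot route to.  The ASA never expects GRE back, so this only matters
            # if the cache itself insists on reaching the source.
            'router_id_routable_from_cache': any(r['router_id'] in n for n in nets),
            'looks_like_web_traffic': r['inner_proto'] == IPPROTO_TCP and r['dst_port'] in (80, 443)}


# Constructed sample, not the poster's capture: three ASA interfaces (the outside one is highest),
# the MWG at 10.250.2.33, and a client on the DMZ opening TCP/80 to a hypothetical web server.
ASA_INTERFACE_IPS = ['10.250.2.1', '192.168.10.1', '203.0.113.5']
MWG_IP = '10.250.2.33'
MWG_ROUTES = ['10.250.2.0/24', '192.168.10.0/24']  # nothing covering 203.0.113.5
TCP_SYN = struct.pack('!HHIIBBHHH', 40000, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)
INNER = build_ipv4('192.168.10.77', '198.51.100.20', IPPROTO_TCP, TCP_SYN)
SAMPLE_REDIRECT = build_wccp_gre(str(expected_asa_router_id(ASA_INTERFACE_IPS)), MWG_IP, 0, INNER)

if __name__ == '__main__':
    for key, value in check_redirect(SAMPLE_REDIRECT, ASA_INTERFACE_IPS, MWG_IP, MWG_ROUTES).items():
        print(key, value)
```

To use it on a real capture, feed `check_redirect` the raw IP bytes of one GRE packet taken on the ASA's interface towards the MWG and the ASA's interface list; if `source_is_router_id` is true and `delivered_to_cache` is true, the redirect itself is fine and the remaining question is whether the MWG accepts GRE from an address it has no route to.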

Thank you for your comments.

I'm not sure about creating a new VLAN as all the ASA interfaces already have an address which is smaller than the WCCP router ID.

Although there are GRE packets leaving the ASA, I'm not sure if they can reach their destination and, if that's the case, how to redirect them properly to their destination (the filtering device). I enclose a screenshot of my interfaces and static routes in the ASA in case you could help me to determine if the problem is because there is no communication from the ASA to the filtering device.


Thanks.


I am pretty sure that the GRE packets are getting to the MWG. If I understand correctly, the address of the MWG is 10.250.2.33, and clearly you have a route for that network. And if you are seeing the Here I Am and I See You packets, then clearly there is correct routing of traffic from the ASA to the MWG.


If you are still concerned that the GRE packets are not getting to the MWG then perhaps you can set up a packet capture just before the MWG.


I am not familiar with the MWG but I wonder if there are any logs on the MWG that might shed light on the situation. It is my assumption that the problem is not that the GRE does not get to the MWG but the problem is more likely that MWG receives and rejects the packet. Perhaps that is reflected in log messages?


Is there any documentation with MWG that talks about how MWG communicates with the WCCP device? I wonder if MWG thinks that it needs to send responses via GRE and does not have a route to the address specified in the GRE packet? The Cisco documentation for the ASA is somewhat clear that they treat the GRE as a one way tunnel and will not accept any GRE traffic from the MWG.


HTH

Rick