Can someone help clarrify some things. I read that WCCP is supposed to support failover. I want to WCCP redirect some web traffic to a proxy. If that proxy is not avvailable the I want to redirect it to another "backup" proxy but when looking at the WCCP settings in ASDM and the cli commands I dont see where yuo configure a second address to redirect to. How does this failover actually work?
Proxy should register to ASA (or any WCCP "server") not the other way around.
That's why ASA's configuration is to create an ACL to allow registration from particular IPs:
bsns-asa5520-2(config)# wccp web-cache ?
configure mode commands/options:
group-list Set the access-list used to permit group membership
You can have a look at WCCP at-a-glance operation on wikipedia:
There are links to Cisco documentation later on there.
You can have a look at the status of registration via:
show wccp [service-name-or-number] detail
Hope that clears things up.
If you're seeing problem with registering both proxys to ASA, open up a TAC case.
•Multiple cache engines in a service group.
Great that explains it thanks. From what im reading about ASA WCCP implemntation the client and the "proxy" have to both be reachable on the same interface as WCCP. You cant redirect the request to a "proxy" that might be sitting on a DMZ of another interface, is that correct?
In this case what if the "proxy" is on another vlan that is still on the same interface, is that ok?
What if the "proxy" is on another subnet, maybe even a different location. Is it still ok provided that is reached via the same interface the original request was recieved on?
Also one more thing I read that there has to be a rule permitting the traffic for WCCP to intercept it. IS that correct? So that would mean if I want to recirect all traffic from host A out to te internet then not only do I have to put an ACL in the WCCP to redirect traffic from that host but there must also be a rule saying Host A on ANY port has a permit tot he internet? That seems risky to me, if your "proxy" goes down wont it just thne allow the traffic out? I would not want that.
Same interface in this case means same instance of interface (as seen in "show nameif").
You are also correct on the ACL issue. ACLs ARE processed before WCCP.
An ingress access list entry always takes higher priority over WCCP. For example, if an access list does not permit a client to communicate with a server, then traffic is not redirected to a cache engine. Both ingress interface access lists and egress interface access lists are applied.
But that actually helps you address a situation where users could access internet without WCCP present.
On the outside interface in egress direction you can DENY any tcp/80 traffic unless it's coming from one of the proxies.