
Cisco ASA not returning traffic when wccp peering with Bluecoat.

nikhil.kulkarni
Level 1

Experts,

My setup has a Cisco ASA where we are doing WCCP with a Bluecoat SG box. The traffic gets redirected to the Bluecoat due to the WCCP settings, so it's just transparent to the end users. They do not have to do any manual proxy settings in their IE.

We however notice that somehow the ASA does not return these connections back to the requesting hosts and somewhere the connection table breaks. The message we see on the ASA is that the state table is somehow not being maintained. Any idea where this connection must be breaking?

Regards,

Nikhil Kulkarni.

2 Replies

mvsheik123
Level 7

Luis Silva Benavides
Cisco Employee

Nikhil,

Let me give you a little bit of background in regards to WCCP that can help you. As you stated, the ASA will do transparent redirection, so the client doesn't have to configure anything on the PC.

The traffic will get to the ASA (port 80/443 or any configured port) and then the ASA will establish a GRE tunnel with the WCCP server and will redirect the traffic. After the Bluecoat receives the traffic it will "spoof" the IP address of the requested web page (the WCCP server needs to have direct communication with the client PC without passing through the ASA). I have seen some issues where the ASA and the WCCP server are unable to establish the GRE tunnel because the ASA uses the highest IP address as the router ID and uses this IP address to establish the tunnel. The WCCP keepalives (Here I am, I see you) are sent using the IP address of the closest IP address to the WCCP server.

At this point you may turn on the WCCP debugs and run some "show WCCP" commands.

I hope it helps

Luis Silva
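The router ID behaviour described in the reply above can be checked offline before turning on debugs. This is an added example, not part of the original thread or Cisco's code; the interface names, addresses and cache IP are constructed, and the "highest IP is the router ID" rule is taken from the reply.

```python
import ipaddress

# Constructed sample data: interface names and addresses are made up.
ASA_INTERFACES = {
    "inside": "10.10.10.1/24",
    "proxy": "10.10.20.1/24",
    "outside": "203.0.113.2/29",
}
CACHE_IP = "10.10.20.5"  # hypothetical Bluecoat SG address


def wccp_router_id(interfaces):
    """Highest interface IP, which the reply says the ASA uses as router ID."""
    return max(ipaddress.ip_interface(cidr).ip for cidr in interfaces.values())


def closest_interface(interfaces, cache_ip):
    """Return (name, ip) of the interface whose subnet holds the cache, else None."""
    cache = ipaddress.ip_address(cache_ip)
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        if cache in iface.network:
            return name, iface.ip
    return None


def check_wccp_addressing(interfaces, cache_ip):
    """Compare the GRE source (router ID) with the keepalive source address."""
    rid = wccp_router_id(interfaces)
    near = closest_interface(interfaces, cache_ip)
    findings = []
    if near is None:
        findings.append(f"cache {cache_ip} is not on a directly connected subnet")
    elif near[1] != rid:
        findings.append(
            f"router ID {rid} (GRE tunnel source) differs from {near[1]} "
            f"on '{near[0]}' (keepalive source)"
        )
    return rid, near, findings


if __name__ == "__main__":
    rid, near, findings = check_wccp_addressing(ASA_INTERFACES, CACHE_IP)
    print("router ID:", rid, "| closest interface:", near)
    for line in findings:
        print("CHECK:", line)
```

A finding here means the cache will see two different ASA addresses, one in the keepalives and one as the GRE source, which is the mismatch the reply describes.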
