Cisco ASA WCCP Configuration Guidelines to BlueCoat ProxySG (TCP No Connection Errors)

Jonathan Bekkers · ‎07-03-2013

So... ASAs and WCCP seem to be a bit of a downer. Before I go any further I wanted to list out the resources I've been reading as there really doesn't seem to be a lot more out there:

Cisco Forums Basic Config Guide: https://supportforums.cisco.com/docs/DOC-12623
BlueCoat Proxy Configuration Guidelines for ASAs: https://kb.bluecoat.com/index?page=content&id=KB1813&actp=LIST
Cisco Forums Detailed ASA WCCP Information (good!): https://supportforums.cisco.com/docs/DOC-32709
Squid Proxy Configuration Guidelines for ASA http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2#Very_important_passage_from_the_Cisco-Manual
Cisco 9.1 ASA Configuration Guide: http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/basic_wccp.html

I've configured WCCP on IOS and CatOS without issue in the past. I am aware of the 3-parts of WCCP (i.e. WCCP peering, Ingress Redirection, Egress Redirection). I'm confused by the configuration of the WCCP on the ASA given my understanding of how WCCP works on routers/switches.

My issue I am experiencing is as follows:

Proxy builds relationship to ASA in WCCP group 90.
Redirected User tries to browse to "www.google.com"
ASA redirects traffic from user to proxy.
Proxy seeing redirected GRE packets from ASA
....?
ASA seeing "TCP No Connection" drops in logs for google sourced packets destined to the real IP of the user's device (SYN ACK) I believe on the outside interface
Client gets time out in web browser

I'm not seeing anything in the logs of the ASA to indicate any proxy to ASA communications. I've done packet-captures and viewed filtered live ASDM monitoring sessions... nothing showing up "from proxy to website", "from client to proxy" or "from proxy to client". From what I've been reading it sounds like WCCP gets handled at an odd location in the ASA's network stack and I may never see the real packet-flows through normal debugging means (i.e. ACLs are applied then WCCP bypasses all other features of ASA).

To describe the topology briefly:

Internet --- (Outside) ASA (Inside) ---- Switch ---- L3 Core Switch

|

-- BlueCoat ProxySG

This topology should meet some of the more obscure requirements I've read in some of the linked documents (i.e. "Client and proxy devices must be one same security interface of ASA. Proxy must be able to communicate to client without going through the ASA firewall"). The ASA, Proxy and L3 core switch are all on a /29 network. The ASA NATs traffic to the internet (dynamic overload on the Outside interface). We're running 9.1 code on the ASA but I've had colleagues have similar issues on other sites with older versions of code (8.2).

Now, I understand what "TCP No Connection" drops mean (stateful drop due to lack of seeing the session initiation through stateful table) but I'll be damned if I can get my head around what is actually occuring between the proxy receiving the request via ASA redirect, and the server responding to the client IP address rather than the proxies IP address. Obviously the SYN and ACK are occurring somehow because we only see a SYN ACK deny due to TCP No Connection on the ASA's outside interface from the public website.

For reasons I won't get into the Core Switch as a WCCP server is out of the question for the moment.

I wanted to know if anyone has:

Gotten ASA WCCP to work with anything before?
Whether proxy, client and servers all had to be on same interface of ASA? Or is it just client/proxy that need to be on same interface?
Does anyone have some configuration/troubleshooting tips for CIsco ASA to BlueCoat ProxySG WCCP deployments?

Jonathan Bekkers · ‎07-03-2013

10.1.1.1 = Proxy Address

10.2.2.2 = User PC Address

203.x.x.x = ASA Outside Interface

ASA# show run wccp

wccp web-cache redirect-list wccp-traffic group-list wccp-servers

wccp 90 redirect-list wccp-traffic group-list wccp-servers

wccp interface inside 90 redirect in

wccp interface Outside 90 redirect in This was added for troubleshooting. No change either way

ASA# show access-list wccp-traffic

access-list wccp-traffic; 4 elements; name hash: 0xb7b6044d

access-list wccp-traffic line 1 extended deny ip any host 10.1.1.1 (hitcnt=0) 0x70f41ca5 This was added for troubleshooting. No change either way

access-list wccp-traffic line 2 extended deny ip host 10.1.1.1 any (hitcnt=0) 0xa90016f1 This was added for troubleshooting. No change either way

access-list wccp-traffic line 3 extended permit ip host 10.2.2.2 any (hitcnt=759) 0xace63804

access-list wccp-traffic line 4 extended permit ip any host 10.2.2.2 (hitcnt=0) 0xe635443d

ASA# show access-list wccp-servers

access-list wccp-servers; 1 elements; name hash: 0x7b83fa88

access-list wccp-servers line 1 extended permit ip host 10.1.1.1 any (hitcnt=284) 0x8b8c6102

OTHER SHOW COMMANDS:

ASA# show wccp interfaces

WCCP interface configuration:

GigabitEthernet0/0 Inside interface

Output services: 0

Input services: 1

Mcast services: 0

Exclude In: FALSE

GigabitEthernet0/3 Outside interface

Output services: 0

Input services: 1

Mcast services: 0

Exclude In: FALSE

ASA# show wccp 90

Global WCCP information:

Router information:

Router Identifier: 203.x.x.x

Protocol Version: 2.0

Service Identifier: 90

Number of Cache Engines: 1 How many devices we’ve peered with

Number of routers: 1

Total Packets Redirected: 718 How many packets we’ve redirected via GRE to the Proxy

Redirect access-list: wccp-traffic

Total Connections Denied Redirect: 0

Total Packets Unassigned: 0

Group access-list: wccp-servers

Total Messages Denied to Group: 0

Total Authentication failures: 0

Total Bypassed Packets Received: 7

ASA# show wccp 90 view

WCCP Routers Informed of:

203.x.x.x ASA’s “highest IP address” ID. (i.e. Outside interface)

WCCP Cache Engines Visible:

10.228.15.252 The proxy seen as a valid cache engine.

WCCP Cache Engines NOT Visible:

-none-

ASA# show wccp 90 service

WCCP service information definition:

Type: Dynamic

Id: 90

Priority: 1

Protocol: 6

Options: 0x00000011

--------

Hash: SrcIP

Alt Hash: -none-

Ports: Destination:: 80 0 0 0 0 0 0 0 The services dynamically learnt that the proxy supports.

Jonathan Bekkers · ‎07-04-2013

Nevermind! We resolved the issue. The BlueCoat has some specific settings that needed to be changed. The basic configuration of the ASA was correct. A complete template below (all testing stuff removed):

access-list wccp-servers extended permit ip host 10.1.1.1 any
access-list wccp-traffic extended permit ip host 10.2.2.2 any
wccp 90 redirect-list wccp-traffic group-list wccp-servers
wccp interface inside 90 redirect in

No need to redirect on outside interface. No need to bypass proxy sourced traffic. The ASA doesn't see TCP No Connection issues anymore. Proxy is proxying traffic.

Some settings here were important: https://kb.bluecoat.com/index?page=content&id=KB2955

Other settings were required to be changed on BlueCoat beyond the above. I'll try provide a sample BlueCoat configuration if I can.

genicus1991 · ‎09-28-2013

Hello Johnatan

I am currently facing the same problem as you have. My network setup is nearly identical as yours.
I can see the ASA forward the packets to the Bluecoat. The Bluecoat shows this nicely in the active sessions so everything should be fine.
However. It looks like the ProxySG doesn't proxy the request: pages time out, and the active sessions view show client bytes, but no server bytes.

It looks like there is some configuration problem on the BC; I can ping outside from the BC console, I can fetch webpages on the console with the "test http get" command.
What are the additional configuration changes you did on your Bluecoat to let this setup work?

Thanks in advance

Jonathan Bekkers · ‎09-29-2013

Here's what we used. I can't recall exactly the features on the BlueCoat but the below includes the settings that were customized. Hopefully you can figure it out. We did get it working in the end. Remember the "devices getting intercepted" and "the proxy" must exist via the same interface of the ASA as WCCP seems to bypass the normal packet-flow through the firewall (hence the limitations). Good luck!

ASA Configuration:

ASA5515# show run | inc wccp

wccp 0 redirect-list wccp-traffic group-list wccp-servers

wccp interface inside 0 redirect in

!

access-list wccp-servers extended permit ip host 10.1.1.1 any

access-list wccp-traffic extended permit ip 10.1.0.0 255.255.0.0 any

BlueCoat Configuration:

; WCCP Configuration File

; Version 2.0

wccp enable

wccp version 2

;This service group is configured to ‘0’ to match the ASA’s predefined service group

service-group 0

;ASA’s only support GRE based forwarding Unicast

forwarding-type GRE

multicast-ttl 1

priority 1

protocol 6

;ASA facing Interface

interface 1:0

primary-hash-weight 1:0 0

assignment-type hash

service-flags source-ip-hash

;ASA’s Home Router IP

home-router 1.2.3.4

service-flags ports-defined

; Ports to be re-directed – in this case just TCP 80

ports 80 0 0 0 0 0 0 0

end