FTD Pre-filter blocking WCCP

tahscolony
Level 1

I am trying to insert an internal IPS on the inside interface of our ASA. The ASA has a few WCCP tunnels to our WSA. We have an old 7125 Firepower that has no issues passing WCCP through this setup, but the new FTD does. I am leaning towards the Pre-filter.

GRE Tunnel Limitations

GRE tunnel processing is limited to IPv4 and IPv6 passenger flows. Other protocols, such as PPTP and WCCP, are not supported within the GRE tunnel.

I ran a packet capture on FMC on both sides of the firewall to the WSA and I am not seeing any packets from the firewall's IP to the WSA IP; there should be consistent packets for the handshakes between them to keep the tunnel active. The only packets I see are between the WSA and external IPs, so some traffic is coming through, but nowhere near the volume of traffic expected.

What happens is, when I flip to the standby ASA that is interconnected to the FTD and open a browser, I may be able to go to some bookmarked sites, but any new site will time out. The log on the WSA shows the transition between firewalls, a timeout period, then a connection to the standby IP of the other ASA (failover pair), then a switch back when failing back.

1.184 is the active inside IP, 1.185 is the secondary IP for the inside.

Tue Mar 18 12:12:18 2025 Debug: WCCP : - : [4294967295:-1] FLOW:### Timestamp 22895411 ###handleISY.svc_print_all
Tue Mar 18 12:12:19 2025 Debug: WCCP : - : [4294967295:-1] FLOW:Postponing SG 60 RA until 22895427
Tue Mar 18 12:12:19 2025 Debug: WCCP : - : [4294967295:-1] FLOW:Postponing SG 0 RA until 22895427
Tue Mar 18 12:12:19 2025 Debug: WCCP : - : [4294967295:-1] FLOW:Postponing SG 80 RA until 22895427
Tue Mar 18 12:12:19 2025 Debug: WCCP : - : [4294967295:-1] FLOW:Postponing SG 70 RA until 22895427
Tue Mar 18 12:12:23 2025 Debug: WCCP : - : [4294967295:-1] FLOW:### Timestamp 22895416 ### middle of Wccp2HandleUdp
Tue Mar 18 12:12:23 2025 Debug: WCCP : - : [4294967295:-1] FLOW:RQ received from 192.168.1.185.(80 bytes)...
Tue Mar 18 12:12:23 2025 Debug: WCCP : - : [4294967295:-1] FLOW:SG 60 RQ accepted
Tue Mar 18 12:12:23 2025 Debug: WCCP : - : [4294967295:-1] FLOW:### Timestamp 22895416 ### middle of Wccp2HandleUdp
Tue Mar 18 12:12:23 2025 Debug: WCCP : - : [4294967295:-1] FLOW:RQ received from 192.168.1.185.(80 bytes)...
Tue Mar 18 12:12:23 2025 Debug: WCCP : - : [4294967295:-1] FLOW:SG 0 RQ accepted
Tue Mar 18 12:12:23 2025 Debug: WCCP : - : [4294967295:-1] FLOW:### Timestamp 22895416 ### middle of Wccp2HandleUdp
Tue Mar 18 12:12:23 2025 Debug: WCCP : - : [4294967295:-1] FLOW:RQ received from 192.168.1.185.(80 bytes)...
Tue Mar 18 12:12:23 2025 Debug: WCCP : - : [4294967295:-1] FLOW:SG 80 RQ accepted
Tue Mar 18 12:12:23 2025 Debug: WCCP : - : [4294967295:-1] FLOW:### Timestamp 22895416 ### middle of Wccp2HandleUdp
Tue Mar 18 12:12:23 2025 Debug: WCCP : - : [4294967295:-1] FLOW:RQ received from 192.168.1.185.(80 bytes)...
Tue Mar 18 12:12:23 2025 Debug: WCCP : - : [4294967295:-1] FLOW:SG 70 RQ accepted
Tue Mar 18 12:12:24 2025 Debug: WCCP : - : [4294967295:-1] FLOW:send_HIA called
Tue Mar 18 12:12:24 2025 Debug: WCCP : - : [4294967295:-1] FLOW:SG 60 HIA sent to 192.168.1.184. (136 bytes) -- 1 ISY(s) outstanding
Tue Mar 18 12:12:24 2025 Debug: WCCP : - : [4294967295:-1] FLOW:### Timestamp 22895417 ### end of send_HIA
Tue Mar 18 12:12:24 2025 Debug: WCCP : - : [4294967295:-1] FLOW:send_HIA called
Tue Mar 18 12:12:24 2025 Debug: WCCP : - : [4294967295:-1] FLOW:SG 0 HIA sent to 192.168.1.184. (136 bytes) -- 1 ISY(s) outstanding
Tue Mar 18 12:12:24 2025 Debug: WCCP : - : [4294967295:-1] FLOW:### Timestamp 22895417 ### end of send_HIA
Tue Mar 18 12:12:24 2025 Debug: WCCP : - : [4294967295:-1] FLOW:send_HIA called
Tue Mar 18 12:12:24 2025 Debug: WCCP : - : [4294967295:-1] FLOW:SG 80 HIA sent to 192.168.1.184. (136 bytes) -- 1 ISY(s) outstanding
Tue Mar 18 12:12:24 2025 Debug: WCCP : - : [4294967295:-1] FLOW:### Timestamp 22895417 ### end of send_HIA
Tue Mar 18 12:12:24 2025 Debug: WCCP : - : [4294967295:-1] FLOW:send_HIA called
Tue Mar 18 12:12:24 2025 Debug: WCCP : - : [4294967295:-1] FLOW:SG 70 HIA sent to 192.168.1.184. (136 bytes) -- 1 ISY(s) outstanding
Tue Mar 18 12:12:24 2025 Debug: WCCP : - : [4294967295:-1] FLOW:### Timestamp 22895417 ### end of send_HIA
Tue Mar 18 12:12:24 2025 Debug: WCCP : - : [4294967295:-1] FLOW:### Timestamp 22895417 ### middle of Wccp2HandleUdp
Tue Mar 18 12:12:24 2025 Debug: WCCP : - : [4294967295:-1] FLOW:ISY received from 192.168.1.184. (156 bytes)
Tue Mar 18 12:12:24 2025 Debug: WCCP : - : [4294967295:-1] FLOW:ISY: cache '192.168.94.99' is local address.
Tue Mar 18 12:12:24 2025 Debug: WCCP : - : [4294967295:-1] FLOW:SG 60 ISY accepted: RcvID=741179 MCN=17

This is the ONLY time I see the secondary IP show up in the logs: when flipping active to standby while the active is connected to the FTD.

The FTD has a rule, only one rule actually, allow ANY to 192.168.98.99 and trust, and the reverse from 99 to ANY and trust, with logging begin and end.  I don't think that rule even gets touched.
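As an added example (not code from the original post or from Cisco), a small Python parser over WSA WCCP debug lines in the format quoted above: it joins each "RQ received"/"ISY received" line to the "SG n ... accepted" line that follows it, then reports service groups that sent an HIA but never got an ISY back, plus any router IP other than the expected active inside IP. The sample log is constructed; it assumes 192.168.1.184 is the active inside IP and 192.168.1.185 the standby, as stated in the post.

```python
import re

# Constructed excerpt in the format of the WSA "Debug: WCCP" lines quoted in the post.
# Assumption from the post: 192.168.1.184 is the ASA active inside IP, .185 the standby.
SAMPLE_LOG = """\
Tue Mar 18 12:12:23 2025 Debug: WCCP : - : [4294967295:-1] FLOW:RQ received from 192.168.1.185.(80 bytes)...
Tue Mar 18 12:12:23 2025 Debug: WCCP : - : [4294967295:-1] FLOW:SG 60 RQ accepted
Tue Mar 18 12:12:24 2025 Debug: WCCP : - : [4294967295:-1] FLOW:SG 60 HIA sent to 192.168.1.184. (136 bytes) -- 1 ISY(s) outstanding
Tue Mar 18 12:12:24 2025 Debug: WCCP : - : [4294967295:-1] FLOW:SG 70 HIA sent to 192.168.1.184. (136 bytes) -- 1 ISY(s) outstanding
Tue Mar 18 12:12:24 2025 Debug: WCCP : - : [4294967295:-1] FLOW:ISY received from 192.168.1.184. (156 bytes)
Tue Mar 18 12:12:24 2025 Debug: WCCP : - : [4294967295:-1] FLOW:SG 60 ISY accepted: RcvID=741179 MCN=17
"""

FLOW = re.compile(r"Debug: WCCP .*FLOW:(?P<msg>.*)$")
FROM = re.compile(r"^(?P<kind>RQ|ISY) received from (?P<ip>\d+\.\d+\.\d+\.\d+)\.")
HIA = re.compile(r"^SG (?P<sg>\d+) HIA sent to (?P<ip>\d+\.\d+\.\d+\.\d+)\.")
ACCEPT = re.compile(r"^SG (?P<sg>\d+) (?P<kind>RQ|ISY) accepted")

def parse_wccp_log(text):
    """Return a list of (kind, service_group, router_ip) tuples.
    'RQ received' / 'ISY received' lines carry the router IP but no service group;
    the 'SG n ... accepted' line that follows names the group, so the two are joined."""
    events, pending_ip = [], None
    for line in text.splitlines():
        m = FLOW.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if (f := FROM.match(msg)):
            pending_ip = f.group("ip")
        elif (h := HIA.match(msg)):
            events.append(("HIA", int(h.group("sg")), h.group("ip")))
        elif (a := ACCEPT.match(msg)):
            events.append((a.group("kind"), int(a.group("sg")), pending_ip))
    return events

def check_handshakes(events, expected_routers):
    """For each service group the WSA sends an HIA and expects an ISY back from the
    same router. Report groups still waiting on an ISY (a sign the UDP 2048 exchange
    is being dropped in the path) and any router IP outside expected_routers."""
    hia_sent, isy_ok, routers = set(), set(), set()
    for kind, sg, ip in events:
        routers.add(ip)
        if kind == "HIA":
            hia_sent.add((sg, ip))
        elif kind == "ISY":
            isy_ok.add((sg, ip))
    return {
        "routers_seen": sorted(routers),
        "unexpected_routers": sorted(routers - set(expected_routers)),
        "sg_without_isy": sorted(sg for sg, _ in hia_sent - isy_ok),
    }

if __name__ == "__main__":
    print(check_handshakes(parse_wccp_log(SAMPLE_LOG), ["192.168.1.184"]))
```

Run it against a longer stretch of the WSA log around a failover: a growing `sg_without_isy` list while packets with the router IP are absent from the FMC capture points at the path between WSA and ASA rather than at the WSA itself.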
