WCCP failure - packets forwarded

edw
Level 1

Hi,

I've set up WCCP, which has been working great. However, I have found out that when the proxy is offline, traffic is being forwarded out of the appliance regardless. What I want is for my traffic to be filtered by the proxy and, if the proxy is offline, for no traffic to be passed. Is this possible?

Thanks

Ed

Accepted Solution

Vibhor Amrodia
Cisco Employee

Hi,

Not available currently.

This is the enhancement: CSCtl20957, and it will hopefully be integrated in the future.

https://tools.cisco.com/bugsearch/bug/CSCtl20957/?reffering_site=dumpcr

Thanks and Regards,

Vibhor Amrodia


Thanks - unfortunately I don't have access to that bug.

What do users do at present to deal with this? Just let unfiltered traffic through?

Thanks

Ed

Hi,

If you want, I can provide a workaround for this as well.

You can create an outbound ACL on the outside interface allowing the WCCP services only when the source is the WCCP server IP, and denying the rest of the WCCP services traffic.

Also, at the end, put a permit ip any any.

Thanks and Regards,

Vibhor Amrodia

Thanks - could you clarify this a bit more?

At present I have an ACL for redirecting traffic to the proxy. I have an outbound ACL with all traffic allowed, including the proxy and internal clients.

My understanding is that in the outbound ACL I have to have an ACL entry for the client to be allowed to use HTTP and also one for the proxy to use HTTP. If I remove the client entry, it stops the client flow-through whether going through the proxy or not.

Thanks

Ed

Hi,

This outbound ACL that you are referring to is on which interface? Inside? Correct?

I was recommending an ACL in the OUT direction on the outside interface, where the connection will be sourced from the proxy IP to the internet.

If you have an ACL on the inside for the outbound traffic, that would not affect the traffic or this workaround.

You can check the order in which the ACLs are used with Packet Tracer:

https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer

Thanks and Regards,

Vibhor Amrodia


Hi,

I think the ACL you are pointing at is the ACL on the inside interface.

I was recommending to put an ACL on the outside interface in the OUT direction and only allow traffic out from the source which is the IP address of the proxy.

So something like this:

access-list wccp-fail-close permit tcp host <wccp server ip> any eq 443
access-list wccp-fail-close permit tcp host <wccp server ip> any eq 80
access-list wccp-fail-close deny tcp any any eq 443
access-list wccp-fail-close deny tcp any any eq 80
access-list wccp-fail-close permit ip any any

Thanks and Regards,

Vibhor Amrodia
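The workaround above written out as a complete ASA configuration, as an added example that is not part of this thread or of Cisco's own documentation. The addresses (clients 10.0.0.0/24, proxy 192.0.2.10) and the WCCP service used are constructed assumptions; the ports your proxy actually serves may differ.

```cisco
! Added example, not from this thread. Constructed addresses:
!   inside clients 10.0.0.0/24, WCCP proxy 192.0.2.10 (on the inside side)
! The WCCP service (web-cache = TCP/80) and the ports depend on your proxy.

! --- WCCP redirection (what the thread starter already has) ---
! Which client traffic the ASA hands to the proxy
access-list wccp-redirect extended permit tcp 10.0.0.0 255.255.255.0 any eq 80
access-list wccp-redirect extended permit tcp 10.0.0.0 255.255.255.0 any eq 443
! Which proxy is allowed to join the service group
access-list wccp-servers extended permit ip host 192.0.2.10 any
wccp web-cache redirect-list wccp-redirect group-list wccp-servers
wccp interface inside web-cache redirect in

! --- Fail-closed workaround from the reply above ---
! Evaluated in the OUT direction on outside. While the proxy is up, client
! HTTP/HTTPS leaves the ASA sourced from the proxy and matches the permits.
! If the proxy drops out of WCCP, redirection stops and the clients' own
! 80/443 flows hit the deny lines instead of passing unfiltered.
! ASA 8.3 and later match the real (untranslated) proxy address here.
access-list wccp-fail-close extended permit tcp host 192.0.2.10 any eq 80
access-list wccp-fail-close extended permit tcp host 192.0.2.10 any eq 443
access-list wccp-fail-close extended deny tcp any any eq 80
access-list wccp-fail-close extended deny tcp any any eq 443
access-list wccp-fail-close extended permit ip any any
access-group wccp-fail-close out interface outside

! Verify the proxy is seen by WCCP and watch the deny hit counts:
!   show wccp
!   show access-list wccp-fail-close
```

Only TCP/80 and TCP/443 are forced through the proxy by this ACL; any other outbound protocol still passes via the final permit, so extend the deny lines for every port the proxy is expected to filter.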

Thanks - sorry about the duplicate replies, my browser went nuts.

My understanding is that I can only have one ACL per interface? I currently have inbound ACLs on three interfaces, one per interface. Would I have to change my outside interface (internet facing) to have an ACL in the OUT direction and lose my IN direction ACL?

Thanks

Ed
