WCCP on ASA: few basic questions

tvotna
Beginner

Hi team,

I'm trying to understand how WCCP is supposed to work on ASA, as well as a few limitations listed in Cisco documentation. First of all, the following configuration example says that the cache responds directly to the Web client, bypassing the ASA:

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116046-config-wccp-asa-00.html

How can this work from the ASA's point of view, if it sees outbound traffic only (from the client to the Internet)? TCP SEQ checking would break in such a case, because the TCP SEQ would inevitably go out of the TCP window... Official documentation says "When the ASA determines that a packet needs redirection, it ignores TCP state tracking, TCP sequence number randomization, and NAT on these traffic flows" (https://www.cisco.com/c/en/us/td/docs/security/asa/special/wccp/asa-wccp.html), but I don't see anything like this on my box. When I telnet to TCP/80 of the Cisco Web site, I see that a regular TCP connection is created and NAT is applied:

TCP outside: xxx.10.37.140/80 (xxx.10.37.140/80) inside: 10.39.142.108/62582 (yyy.186.207.131/14617), flags UxO , idle 1s, uptime 1s, timeout 1h0m, bytes 21, xlate id 0x7f739d015940

The TCP flags do not indicate TCP state bypass. Also, when this connection is closed, it is immediately torn down on the ASA, as though the ASA sees a FIN coming from both the inside and outside sides of the connection.

Further, if I open a connection from the browser, I see that all of my TCP connections have the 'I' flag added to them, which means that the ASA indeed sees inbound traffic.

So I'm puzzled. Does all of the above mean that the documentation is wrong and the cache returns inbound traffic, arriving from the Internet, to the ASA over WCCP GRE, and then the ASA sends it back to the client?


Second question. Documentation says that "Multiple routers in a service group" is an unsupported feature on ASA. I don't understand where this limitation comes from. Does this mean we cannot add a 2nd IP address (of another ASA) to the WSA service group config and need to create a new WCCP service group for each ASA we have?
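
As an added example (not from the post or from Cisco), a small Python parser for `show conn` lines of the shape quoted above, so the checks the poster did by eye (is NAT applied to the inside host? has inbound data been seen? is the `b` state-bypass/WCCP flag present?) can be run over a whole connection table. The sample lines and their addresses are constructed; the flag letters are the ones the ASA connection table uses.

```python
import re

# One ASA "show conn" line of the shape quoted in the post:
#   TCP outside: A/p (A'/p') inside: B/q (B'/q'), flags ..., idle ..., ...
# Only the fields needed for the three checks are captured.
CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+"
    r"(?P<out_if>\S+):\s+(?P<real_dst>[\d.]+)/(?P<real_dport>\d+)\s+"
    r"\((?P<map_dst>[\d.]+)/(?P<map_dport>\d+)\)\s+"
    r"(?P<in_if>\S+):\s+(?P<real_src>[\d.]+)/(?P<real_sport>\d+)\s+"
    r"\((?P<map_src>[\d.]+)/(?P<map_sport>\d+)\),\s+"
    r"flags\s+(?P<flags>\S+)\s*,"
)

# Constructed sample table: first line mirrors the post (NAT applied, no
# inbound data, no bypass); second is what a WCCP-redirected flow with the
# return traffic visible to the ASA and state bypass would look like.
SAMPLE_CONNS = [
    "TCP outside: 203.0.113.140/80 (203.0.113.140/80) inside: 10.39.142.108/62582 "
    "(198.51.100.131/14617), flags UxO , idle 1s, uptime 1s, timeout 1h0m, bytes 21",
    "TCP outside: 203.0.113.140/80 (203.0.113.140/80) inside: 10.39.142.108/62583 "
    "(10.39.142.108/62583), flags UIOb , idle 0s, uptime 2s, timeout 1h0m, bytes 1400",
]


def parse_conn(line):
    """Return a dict with the parsed fields plus three derived checks,
    or None if the line is not a show conn entry of the expected shape."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["flags"] = set(d["flags"])
    # NAT applied: the inside host's mapped address/port differs from its real one.
    d["nat_applied"] = (d["real_src"], d["real_sport"]) != (d["map_src"], d["map_sport"])
    # 'I' = inbound data seen, 'O' = outbound data seen, 'b' = TCP state bypass/WCCP.
    d["inbound_seen"] = "I" in d["flags"]
    d["state_bypass"] = "b" in d["flags"]
    return d


def summarize(lines):
    """Parse every recognised line and return one (src, checks) tuple per connection."""
    out = []
    for line in lines:
        c = parse_conn(line)
        if c:
            key = f"{c['real_src']}/{c['real_sport']}->{c['real_dst']}/{c['real_dport']}"
            out.append((key, c["nat_applied"], c["inbound_seen"], c["state_bypass"]))
    return out
```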

