WCCP redirecction on ASA 5540

Miguel Ortega · ‎04-04-2013

Hi to everyone

First of all my apologies for my poor english, spanish is my first language

I have saw many posts regarding this but after read most of them none can solve my problem

I have the following topology, WCCP is configurated on ASA, inside interface, lan users and websense machine are located on the same VLAN

of my catalyst 3750G

I want to filter traffic on port 80 (www) to the users on the LAN side

debug on the ASA show me that comunication between that device and Websense is OK,

there is Here_I_Am and I_See_You packets

WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015B

WCCP-PKT:D00: Received valid Here_I_Am packet from WEBSENSE_PROXY w/rcv_id 0000015B

WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015C

WCCP-PKT:D00: Received valid Here_I_Am packet from WEBSENSE_PROXY w/rcv_id 0000015C

WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015D

From show WCCP i saw that WCCP engine and ASA were detected

FW# sh wccp

Global WCCP information:

Router information:

Router Identifier: 200.X.X.X

Protocol Version: 2.0

Service Identifier: 0

Number of Cache Engines: 1

Number of routers: 1

Total Packets Redirected: 0

Redirect access-list: wccp-users-trafico

Total Connections Denied Redirect: 14979

Total Packets Unassigned: 0

Group access-list: wccp-server-client

Total Messages Denied to Group: 0

Total Authentication failures: 10

Total Bypassed Packets Received: 0

FW-CORFO#

My configuration is the following, I have checked here and also on Websense Support website

for testing i am using just one host on the network to check websense filtering

FW-# sh run | include wccp

access-list wccp-users-trafico extended deny ip host 172.16.121.4 any

access-list wccp-users-trafico extended deny ip CLASE_A_PRIVADA 255.0.0.0 any

access-list wccp-users-trafico extended deny ip CLASE_B_PRIVADA 255.240.0.0 any

access-list wccp-users-trafico extended deny ip CLASE_C_PRIVADA 255.255.0.0 any

access-list wccp-users-trafico extended permit ip host 172.16.127.70 any

wccp 0 redirect-list wccp-users-trafico group-list wccp-server-client password *****

wccp interface LAN 0 redirect in

So the problems is that , there is no packets redirected to Websense

I have checked many times all the configuration, and it´s seems to be OK

ASA software is 8.2

Websense is 7.7

thanks in advance for any help or clue regarding this issue

Miguel

Jouni Forss · ‎04-04-2013

Hi,

This is really something that I have NOT done much but just thought I'd point this out

Total Authentication failures: 10

Is there somekind of missmatch with regards to the password configured?

- Jouni

Miguel Ortega · ‎04-04-2013

my mistake, I have forgotten clear WCPP statistcs before the execution of show wccp command

authentication failures were registered before the password were configurated on Websense

so is not a problem

Miguel Ortega · ‎04-11-2013

nobody knows how to solve this ??? or someone who could give some clue about this issue.....

Akshay Dubey · ‎04-11-2013

Hi Miguel,

As per the configuration only traffic from 172.16.127.70 would be considered for re-direction:

access-list wccp-users-trafico extended permit ip host 172.16.127.70 any

Also on what type of traffic you want re-direction??

-Akshay

Miguel Ortega · ‎04-11-2013

Hi Akshay

i am using only my IP address for testing, and i want to redirect www port