03-03-2011 12:59 AM - edited 03-09-2019 11:25 PM
Hi,
After rebooting an ASA configured to redirect WCCP services 0 and 70 (HTTP and HTTPS) redirects to the Websense server have stopped. "I am here" and "I see you" packets perform correctly. The counters on the WCCP stats show that the redirects are being denied. No configuration change has happened at all.
WCCP interface configuration details:
GigabitEthernet0/1
Output services: 0
Input services: 2
Static: None
Dynamic: 000 070
Mcast services: 0
Exclude In: FALSE
Protocol Version: 2.0
Service Identifier: 0
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 0
Redirect access-list: WCCPv2
Total Connections Denied Redirect: 40441
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
Service Identifier: 70
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 0
Redirect access-list: WCCPv2
Total Connections Denied Redirect: 23584
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
WCCP-PKT:D00: Received valid Here_I_Am packet from x.x.x.x w/rcv_id 00000606
WCCP-PKT:D00: Sending I_See_You packet to x.x.x.x w/ rcv_id 00000607
WCCP-PKT:D70: Received valid Here_I_Am packet from x.x.x.x w/rcv_id 00000606
WCCP-PKT:D70: Sending I_See_You packet to x.x.x.x w/ rcv_id 00000607
WCCP-PKT:D00: Received valid Here_I_Am packet from x.x.x.x w/rcv_id 00000607
WCCP-PKT:D00: Sending I_See_You packet to x.x.x.x w/ rcv_id 00000608
WCCP-PKT:D70: Received valid Here_I_Am packet from x.x.x.x w/rcv_id 00000607
WCCP-PKT:D70: Sending I_See_You packet to x.x.x.x w/ rcv_id 00000608
Can anyone explain what will deny these redirects or where I might look to resolve this?
I have reset the WCCP configuration, including a WCCP connection restart on the websense server whilst the WCCP configuration was removed.
Thanks in advance
Andy
03-07-2011 05:18 AM
The issue with the above turned out to be an error in the compiling of the WCCP ACL.
Monitoring the WCCPv2 ACL, the deny ACE's were being hit, but none of the permits. Looking at the hit-cnt figures showed this. It was as if there was a "deny any any" rule just before the first permit rule. Interestingly, just before the permite rules were 4 de-activated rules. Moving the permits above these incremented the hit-cnt on the ACL and redirects took place completing the required security checks on web access.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide