Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1516
Views
0
Helpful
1
Replies

WCCP Redirect Denial

Wantser1981_2
Level 1
Level 1

‎03-03-2011 12:59 AM - edited ‎03-09-2019 11:25 PM

Hi,

After rebooting an ASA configured to redirect WCCP services 0 and 70 (HTTP and HTTPS) redirects to the Websense server have stopped. "I am here" and "I see you" packets perform correctly. The counters on the WCCP stats show that the redirects are being denied. No configuration change has happened at all.

WCCP interface configuration details:
    GigabitEthernet0/1
Output services: 0
Input services:  2
Static:          None
Dynamic:         000 070
Mcast services:  0
Exclude In:      FALSE

Protocol Version:                    2.0

    Service Identifier: 0
Number of Cache Engines:             1
Number of routers:                   1
Total Packets Redirected:            0
Redirect access-list:                WCCPv2
Total Connections Denied Redirect:   40441
Total Packets Unassigned:            0
Group access-list:                   -none-
Total Messages Denied to Group:      0
Total Authentication failures:       0
Total Bypassed Packets Received:     0

    Service Identifier: 70
Number of Cache Engines:             1
Number of routers:                   1
Total Packets Redirected:            0
Redirect access-list:                WCCPv2
Total Connections Denied Redirect:   23584
Total Packets Unassigned:            0 
Group access-list:                   -none-
Total Messages Denied to Group:      0
Total Authentication failures:       0
Total Bypassed Packets Received:     0

WCCP-PKT:D00: Received valid Here_I_Am packet from x.x.x.x w/rcv_id 00000606

WCCP-PKT:D00: Sending I_See_You packet to x.x.x.x w/ rcv_id 00000607

WCCP-PKT:D70: Received valid Here_I_Am packet from x.x.x.x w/rcv_id 00000606

WCCP-PKT:D70: Sending I_See_You packet to x.x.x.x w/ rcv_id 00000607

WCCP-PKT:D00: Received valid Here_I_Am packet from x.x.x.x w/rcv_id 00000607

WCCP-PKT:D00: Sending I_See_You packet to x.x.x.x w/ rcv_id 00000608

WCCP-PKT:D70: Received valid Here_I_Am packet from x.x.x.x w/rcv_id 00000607

WCCP-PKT:D70: Sending I_See_You packet to x.x.x.x w/ rcv_id 00000608

Can anyone explain what will deny these redirects or where I might look to resolve this?

I have reset the WCCP configuration, including a WCCP connection restart on the websense server whilst the WCCP configuration was removed.

Thanks in advance

Andy

Labels:
0 Helpful
1 Reply 1

Wantser1981_2
Level 1
Level 1

‎03-07-2011 05:18 AM

The issue with the above turned out to be an error in the compiling of the WCCP ACL.

Monitoring the WCCPv2 ACL, the deny ACE's were being hit, but none of the permits. Looking at the hit-cnt figures showed this. It was as if there was a "deny any any" rule just before the first permit rule. Interestingly, just before the permite rules were 4 de-activated rules. Moving the permits above these incremented the hit-cnt on the ACL and redirects took place completing the required security checks on web access.

0 Helpful
Customers Also Viewed These Support Documents