ASR WCCP problem - WCCP plus Class protection defined for Citrix

rberke
Level 1

We're having trouble applying the combination of WCCP redirection of Citrix traffic to a Citrix Cloudbridge WAN accelerator appliance, and applying Policy/Class to protect a few Mbits of Citrix traffic outbound via the WAN interface.

We originally were successful configuring/running our ASR router with WCCP and the Cloudbridge appliance. We used an ACL to redirect just the Citrix traffic (TCP 1494 and 2598). Cloudbridge requires WCCP redirect In on both the WAN and LAN interfaces of the router. Okay, different than Riverbed which can work with the router configured for both In and Out on just the LAN interfaces, but it worked.

We next applied a Policy-map / Class definition to protect a few Mbits/sec of Citrix traffic.  We applied that as service policy out on our IPSEC WAN tunnel interface.  The router seemed to seize up.  All routing was unusable. Lost our SSH session to the router. Had to go through the console port.  We could watch EIGRP neighbor relationships establish, but remain up for only about 60 seconds or less.  The router overall did not reboot.  We tried a reboot, but that didn't fix the behavior.  We disabled WCCP and just had the Policy / Class running.  Routing is fine and the Policy / Class is working fine.

We tried again 3 weeks later to apply the WCCP service group for Cloudbridge.  Same disruption of routing occurred.

It's baffling why the Policy/Class, which pertains to outbound traffic on the tunnel interface, seems related to the incoming packets WCCP redirection. Similarly the incoming packets via the LAN interface with WCCP applied there should be related to outgoing packet handling for the WAN tunnel interface.

TAC so far doesn't have an answer for this.

Has anyone run into this weird behavior with that combination of features?  

ASR 1002. 

Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.1(3)S6, RELEASE SOFTWARE (fc2)

Thanks,

Richard Berke

T. Rowe Price

Owings Mills, MD

4 Replies

Can you post the relevant config for WCCP and the Policy you are trying to implement?

Config - this works fine on 4331 router in the lab.  Trouble on ASR 1002 in Production.

! Global wccp statements

ip wccp check services all
ip wccp 62 redirect-list WCCP-CIFS
ip wccp 72 redirect-list WCCP-Citrix

! Policy elements

class-map match-any data
 match ip precedence 3
class-map match-any management
class-map match-any Citrix
 match access-group name WCCP-Citrix
class-map match-all data-backups
 match access-group name backup-servers
class-map match-any control
 match ip precedence 6  7
class-map match-any video
 match ip precedence 4
class-map match-any voice
 match ip precedence 5

policy-map protect-classes
 class voice
  priority percent 10
 class video
  bandwidth percent 20
 class control
  bandwidth percent 5
 class data
  bandwidth percent 15
 class Citrix
  bandwidth percent 15
 class class-default
  bandwidth percent 35
  queue-limit 256 packets
  random-detect dscp-based
  random-detect dscp 0 64 128
policy-map main-policy
 class class-default
  shape average 4800000   
   service-policy protect-classes

interface Tunnel9200
 description 40Mb tunnel to OMTCLABRTB
 bandwidth 40000
 ip address 10.19.2.26 255.255.255.252
 ip mtu 1400
 ip wccp 62 redirect in
 ip wccp 62 redirect out
 ip wccp 72 redirect in
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 10.19.2.21
 tunnel bandwidth transmit 40000
 tunnel bandwidth receive 40000
 tunnel protection ipsec profile VTI
 service-policy output main-policy
!
interface GigabitEthernet0/0/0
 description UOMTCLABRTB Gi0/1 via Apposite
 ip address 10.19.2.22 255.255.255.252
 ip helper-address 10.19.9.54
 ip pim sparse-mode
 negotiation auto
!
interface GigabitEthernet0/0/1
 description TOMTCLABSWA Gi0/01
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/1.1
 description vlan 1 - omtclabswa .80 subnet
 encapsulation dot1Q 1 native
 ip address 10.19.80.1 255.255.255.0
 ip directed-broadcast

 ip wccp 62 redirect in
 ip wccp 72 redirect in
 ip tcp adjust-mss 1350

! WCCP redirect lists

ip access-list extended WCCP-Citrix
 permit tcp any eq 1494 any
 permit tcp any eq 2598 any
 permit tcp any any eq 1494
 permit tcp any any eq 2598

ip access-list extended WCCP-CIFS
 permit tcp any eq 139 any
 permit tcp any eq 445 any
 permit tcp any any eq 139
 permit tcp any any eq 445

The only thing I can think of is to put the QoS policy on the switch that connects to interface GigabitEthernet0/0/1.1, but then you'd be shaping before it's compressed, so you won't be getting the full bandwidth.

Shouldn't "ip wccp 72 redirect out" be on the tunnel interface?

Though I am no expert on the ASRs.

Thanks for thinking through on this for us.

We really need the WAN router to have the class/queue protection. The WAN queue is where the competition / contention is felt. Other traffic that flows across the WAN needs the mix of classes defined/enforced.

The LAN side is a pair of big Nexus switches.  The ASR connects to each of those with 1-Gig pipes.  Unless the LAN side was congested, no queuing logic would be exercised.  We can't use Nexus configs to limit the ASR's LAN pipes as if they were WAN pipes because we need full-speed for the LAN portion of conversations with the WAN-accelerator appliances.

Richard