ASR WCCP problem - WCCP plus Class protection defined for Citrix

rberke · ‎12-11-2015

We're having trouble applying the combination of WCCP redirection of Citrix traffic to a Citrix Cloudbridge WAN accelerator appliance, and applying Policy/Class to protect a few Mbits of Citrix traffic outbound via the WAN interface.

We originally were successful configuring/running our ASR router with WCCP the Cloudbridge appliance. We used an ACL to redirect just the Citrix traffic (TCP 1494 and 2598). Cloudbridge requires WCCP redirect In on both the WAN and LAN interfaces of the router. Okay, different than Riverbed which can work with the router configured for both In and Out on just the LAN interfaces, but it worked.

We next applied a Policy-map / Class definition to protect a few Mbits/sec of Citrix traffic. We applied that as service policy out on our IPSEC WAN tunnel interface. The router seemed to seize up. All routing was unusable. Lost our SSH session to the router. Had to go through the console port. We could watch EIGRP neighbor relationships establish, but remain up for only about 60 seconds or less. The router overall did not reboot. We tried a reboot, but that didn't fix the behavior. We disabled WCCP and just had the Policy / Class running. Routing is fine and the Policy / Class is working fine.

We tried again 3 weeks later to apply the WCCP service group for Cloudbridge. Same disruption of routing occurred.

It's baffling why the Policy/Class which pertain to outbound traffic on the tunnel interface seems related to the incoming packets WCCP redirection. Similarly the incoming packets via the LAN interface with WCCP applied there should be related to outgoing packet handling for the WAN tunnel interface.

TAC so far doesn't have an answer for this.

Has anyone run into this weird behavior with that combination of features?

ASR 1002.

Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.1(3)S6, RELEASE SOFTWARE (fc2)

Thanks,

Richard Berke

T. Rowe Price

Owings Mills, MD

Richard Bradfield · ‎12-13-2015

can you post relevant config for WCCP and your Policy you are trying to implement.

rberke · ‎12-14-2015

Config - this works fine on 4331 router in the lab. Trouble on ASR 1002 in Production.

! Global wccp statements

ip wccp check services all
ip wccp 62 redirect-list WCCP-CIFS
ip wccp 72 redirect-list WCCP-Citrix

! Policy elements

class-map match-any data
match ip precedence 3
class-map match-any management
class-map match-any Citrix
match access-group name WCCP-Citrix
class-map match-all data-backups
match access-group name backup-servers
class-map match-any control
match ip precedence 6 7
class-map match-any video
match ip precedence 4
class-map match-any voice
match ip precedence 5

policy-map protect-classes
class voice
priority percent 10
class video
bandwidth percent 20
class control
bandwidth percent 5
class data
bandwidth percent 15
class Citrix
bandwidth percent 15
class class-default
bandwidth percent 35
queue-limit 256 packets
random-detect dscp-based
random-detect dscp 0 64 128
policy-map main-policy
class class-default
shape average 4800000
service-policy protect-classes

interface Tunnel9200
description 40Mb tunnel to OMTCLABRTB
bandwidth 40000
ip address 10.19.2.26 255.255.255.252
ip mtu 1400
ip wccp 62 redirect in
ip wccp 62 redirect out
ip wccp 72 redirect in
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 10.19.2.21
tunnel bandwidth transmit 40000
tunnel bandwidth receive 40000
tunnel protection ipsec profile VTI
service-policy output main-policy
!
interface GigabitEthernet0/0/0
description UOMTCLABRTB Gi0/1 via Apposite
ip address 10.19.2.22 255.255.255.252
ip helper-address 10.19.9.54
ip pim sparse-mode
negotiation auto
!
interface GigabitEthernet0/0/1
description TOMTCLABSWA Gi0/01
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1.1
description vlan 1 - omtclabswa .80 subnet
encapsulation dot1Q 1 native
ip address 10.19.80.1 255.255.255.0
ip directed-broadcast

ip wccp 62 redirect in
ip wccp 72 redirect in
ip tcp adjust-mss 1350

! WCCP redirect lists

ip access-list extended WCCP-Citrix
permit tcp any eq 1494 any
permit tcp any eq 2598 any
permit tcp any any eq 1494
permit tcp any any eq 2598

ip access-list extended WCCP-CIFS
permit tcp any eq 139 any
permit tcp any eq 445 any
permit tcp any any eq 139
permit tcp any any eq 445

Richard Bradfield · ‎12-14-2015

the only thing I can think of is put the QOS policy on the switch that connects to interface GigabitEthernet0/0/1.1 but then be shaping before its compressed so wont be getting the full bandwidth.

shouldn't "ip wccp 72 redirect out" be on the tunnel interface?

though I am no expert on the ASRs

rberke · ‎12-15-2015

Thanks for thinking through on this for us.

We we really need the WAN router to have the class/queue protection. The WAN queue is where the competition / contention is felt. Other traffic that flows across the WAN needs the mix of classes defined/enforced.

The LAN side is a pair of big Nexus switches. The ASR connects to each of those with 1-Gig pipes. Unless the LAN side was congested, no queuing logic would be exercised. We can't use Nexus configs to limit the ASR's LAN pipes as if they were WAN pipes because we need full-speed for the LAN portion of conversations with the WAN-accelerator appliances.

Richard