Unable to get WCCP working on an ISR4331

neil.hillard
Level 1

Hi,

I've been having major issues getting WCCP and the Zone Based Firewall working together on an ISR4331. To rule out the Zone Based Firewall, I've removed all of its configuration. I still can't get WCCP to work!

Clients are on 10.10.0.0/16, the Sophos web appliance is on 192.168.100.254 and the Internet connection is currently behind a NATing device, as I'm reluctant to connect the router to the Internet without it being able to defend itself, although ultimately it will have a direct Internet connection.

I had this setup running on a Cisco 2821 (out of the scrap pile, no firewall though) as a proof of concept but using L2 WCCP as that's all that would work with the 2821. Everything worked fine (and still does when I plug the POC router back in)! With the ISR4331 I can't even get L2 WCCP working but I understand that I really need it to be GRE in order to play nicely with the ZBFW (and I really want the ZBFW to keep the router protected). The Sophos appliance can be configured for either L2 or GRE but not both.

Here are the relevant parts of the config from the ISR4331:

boot-start-marker
boot system flash bootflash:isr4300-universalk9.16.06.02.SPA.bin
boot-end-marker
!
ip dhcp excluded-address 10.10.0.1 10.10.0.255
!
ip dhcp pool Guests
network 10.10.0.0 255.255.0.0
dns-server 8.8.8.8 8.8.4.4
domain-name xxx-guest.local
default-router 10.10.0.1
lease 0 4
!
ip wccp web-cache mode closed password 7 xxxxxxxxxxxxxxxxxx
ip wccp 70 password 7 xxxxxxxxxxxxxxxxxx
!
license boot suite FoundationSuiteK9
!
redundancy
mode none
!
interface GigabitEthernet0/0/0
description Internet
ip address 192.168.1.251 255.255.255.0
ip nat outside
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
description Guests
ip address 10.10.0.1 255.255.0.0
ip nat inside
ip wccp web-cache redirect in
ip wccp 70 redirect in
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/2
description DMZ
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip wccp redirect exclude in
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 172.30.101.101 255.255.254.0
negotiation auto
!
ip nat inside source list 100 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
access-list 100 remark Addresses to NAT
access-list 100 permit ip 10.10.0.0 0.0.255.255 any
access-list 100 permit ip 192.168.100.0 0.0.0.255 any

When the Sophos appliance is configured with L2 WCCP, I see:

#sh ip wccp summ
WCCP version 2 enabled, 2 services

Service     Clients   Routers   Assign      Redirect   Bypass
-------     -------   -------   ------      --------   ------
Default routing table (Router Id: 192.168.1.251):
web-cache   1         1         MASK        L2         L2
70          1         1         MASK        L2         L2

#sh ip wccp web-cache
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.1.251

    Service Identifier: web-cache
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            0
          Process:                           0
          CEF:                               0
          Platform:                          0
        Service mode:                        Closed
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        4
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
          Platform:                          0

And with GRE WCCP:

#sh ip wccp summ
WCCP version 2 enabled, 2 services

Service     Clients   Routers   Assign      Redirect   Bypass
-------     -------   -------   ------      --------   ------
Default routing table (Router Id: 192.168.1.251):
web-cache   1         1         HASH        GRE        GRE
70          1         1         HASH        GRE        GRE

#sh ip wccp web-cache
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.1.251

    Service Identifier: web-cache
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            0
          Process:                           0
          CEF:                               0
          Platform:                          0
        Service mode:                        Closed
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        64
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
          Platform:                          0
        GRE tunnel interface:                Tunnel1

#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   192.168.1.251   YES manual up                    up
GigabitEthernet0/0/1   10.10.0.1       YES NVRAM  up                    up
GigabitEthernet0/0/2   192.168.100.1   YES NVRAM  up                    up
GigabitEthernet0       172.30.101.101  YES NVRAM  up                    up
Tunnel0                192.168.100.1   YES unset  up                    up
Tunnel1                192.168.100.1   YES manual up                    up

Because web-cache is "Closed" I can't get to HTTP sites (which is how it should be if the Sophos appliance is not available). I can however ping sites over the Internet so I know that the routing is set up correctly, and if I remove the WCCP redirects on Gi0/0/1 then my access starts working.

Does anyone have any ideas? Many, many thanks in advance,

Neil.


Richard Burts
Hall of Fame

Neil

In the config that you posted I see this:

ip wccp web-cache mode closed password 7 xxxxxxxxxxxxxxxxxx

Did you configure the mode or did the ISR do that dynamically?

HTH

Rick

Hi Rick,

Many thanks for the reply. I configured the mode manually (my understanding was that in closed mode, if there are no WCCP clients then the request will fail, i.e. if the Sophos appliance dies then clients aren't able to get to any sites, good or bad). I had closed mode set on the 2821 and it worked as expected (albeit in L2 mode).

I've just quickly removed 'mode closed' but the requests from the clients are still being counted under 'Total Packets Unassigned'!

Thanks once again,

Neil.

PS. Just cracked out a 2921 to see whether it works on that!

Hi,

Just to sanity check the ISR4331, I now have a 2921 configured up with the same configuration.

With the 2921 running 15.1(4)M4 (which was on it when it came out of stock), L2 mode worked as it did on the 2821. GRE mode wouldn't work as it complained about an 'incompatible method'. I can provide a log if required.

Upgrading the 2921 to Version 15.4(3)M8 gives an identical experience to the ISR4331:

#sh ip wccp summ
WCCP version 2 enabled, 2 services

Service     Clients   Routers   Assign      Redirect   Bypass
-------     -------   -------   ------      --------   ------
Default routing table (Router Id: 213.152.44.122):
web-cache   0         0         HASH/MASK   GRE/L2     GRE/L2
70          0         0         HASH/MASK   GRE/L2     GRE/L2

With the Sophos appliance in L2 mode:

#sh ip wccp summary
WCCP version 2 enabled, 2 services

Service     Clients   Routers   Assign      Redirect   Bypass
-------     -------   -------   ------      --------   ------
Default routing table (Router Id: xxx.xxx.xxx.xxx):
web-cache   1         1         MASK        L2         L2
70          1         1         MASK        L2         L2

#sh ip wccp web-cache
Global WCCP information:
    Router information:
        Router Identifier:                   xxx.xxx.xxx.xxx

    Service Identifier: web-cache
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            0
          Process:                           0
          CEF:                               0
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            211
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0

With the Sophos appliance in GRE mode:

#sh ip wccp summary
WCCP version 2 enabled, 2 services

Service     Clients   Routers   Assign      Redirect   Bypass
-------     -------   -------   ------      --------   ------
Default routing table (Router Id: xxx.xxx.xxx.xxx):
web-cache   1         1         HASH        GRE        GRE
70          1         1         HASH        GRE        GRE

#sh ip wccp web-cache
Global WCCP information:
    Router information:
        Router Identifier:                   xxx.xxx.xxx.xxx

    Service Identifier: web-cache
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            0
          Process:                           0
          CEF:                               0
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            77
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
        GRE tunnel interface:                Tunnel1

Whilst configured for GRE mode, I see the following in the logs:

*Jan 24 15:30:28.163: WCCP-EVNT:IPv4:D70: HIA from 192.168.100.254 with bad rcv_id 1025 (expected 1026)
*Jan 24 15:30:28.163: WCCP-EVNT:IPv4:S0: updating wc 192.168.100.254 orig assign info (hash)
*Jan 24 15:30:28.163: WCCP-EVNT:IPv4:S0: HIA from 192.168.100.254 with bad rcv_id 1026 (expected 1027)
*Jan 24 15:30:38.155: WCCP-EVNT:IPv4:D70: updating wc 192.168.100.254 orig assign info (hash)
*Jan 24 15:30:38.155: WCCP-EVNT:IPv4:D70: HIA from 192.168.100.254 with bad rcv_id 1027 (expected 1028)
*Jan 24 15:30:38.155: WCCP-EVNT:IPv4:S0: updating wc 192.168.100.254 orig assign info (hash)

Do you think that this will be causing an issue?

Essentially it looks like the router is not able to assign the traffic to a WCCP client:

#sh ip wccp web-cache assignment
            Assignment Method:  HASH
               Assignment Key:  UNKNOWN, 0
         Assignments Received:  0
                 (duplicates):  0
                    (invalid):  0

    XX|  0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
    --|-------------------------------------------------
    00| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    10| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    20| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    30| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    40| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    50| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    60| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    70| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    80| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    90| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    A0| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    B0| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    C0| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    D0| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    E0| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    F0| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --

    Key:

    Target  WCCP Client Address
    ------  -------------------
        --  NOT ASSIGNED

Is there anything I can do, or any more debugging (ip wccp events and ip wccp packets are currently being debugged)?

Many thanks in advance,

Neil.

Neil

Thanks for the additional information. I notice that you say that WCCP is working when operating in L2 mode. But I see this in the output that you post about L2 mode:

        Total Packets Redirected:            0
          Process:                           0
          CEF:                               0

        Total Packets Unassigned:            211

which looks to me pretty much like the output you post for L3/GRE.

Looking on the positive side, it is good that the router and Sophos are recognizing each other and negotiating enough of WCCP for the router to know about the services being monitored. But clearly something is not working. The log messages you post are clear evidence that something is not in sync:

*Jan 24 15:30:28.163: WCCP-EVNT:IPv4:D70: HIA from 192.168.100.254 with bad rcv_id 1025 (expected 1026)
*Jan 24 15:30:28.163: WCCP-EVNT:IPv4:S0: updating wc 192.168.100.254 orig assign info (hash)

I am not sure what these mean but believe that they are identifying a problem. Is it possible that something is interfering with communication between the router and Sophos? Is Sophos directly connected to the router or is there some device between them?

The choice of L2 or L3/GRE is made on the server and negotiated with the router. I wonder if there is something else that needs to be changed on the server as it changes from L2 to L3?

HTH

Rick

Hi Rick,

Many thanks once again. Apologies for the confusion. I don't have any copies of the stats for the L2 modes that worked but I can recreate them if necessary. Just to make things clearer, this is the timeline:

We performed a proof of concept using a 2821. It only supported L2 mode (not sure what IOS but I believe it was the latest released for it) and worked perfectly.

We got an ISR4331 for the final implementation (as we need to be able to sustain 200Mbps throughput). That currently has 16.06.02 on it and had the issues with both L2 and L3/GRE modes.

I then got a 2921 out of the stock pile and that was running 15.1(4)M4, configured in L2 mode and it worked exactly the same as the 2821. It wouldn't work in L3/GRE mode.

I upgraded the 2921 to 15.4(3)M8 and it now experiences the same issues as the ISR4331! Essentially both L2 and L3/GRE modes appear to work, the router sees the client but doesn't send any traffic to it!

According to Sophos, the only important thing to do is to wait 30 seconds between changing modes so that the router removes the entries for the WCCP client:

https://community.sophos.com/kb/en-us/110419

The Sophos appliance is running on a VM and both the router and VM host are connected to the same switch so there shouldn't be anything that can mess with the traffic.

I've included a screenshot from the appliance - there really isn't much to change!

I'll see whether we can raise a call with Sophos tomorrow and at least I can quote the bad rcv_id logs to them!

At least it looks like it's not me missing the blindingly obvious...

Many thanks once again,

Neil.

I've made a little progress by reconfiguring everything related to WCCP on both the router and Sophos Appliance. I'm no longer seeing any 'bad rcv_id' messages so things are looking a little better. However, it's still not working! This is currently on a 2921 which I'm using for my tests.

#show debugging
WCCP packet info debugging is on for IPv4
WCCP events debugging is on for IPv4
*Feb  2 10:50:12.426: WCCP-EVNT:IPv4:D70: updating wc 192.168.100.254 orig assign info (hash)
*Feb  2 10:50:12.426: WCCP-PKT:IPv4:D70: Sending ISY to 192.168.100.254, rcv_id:14931
*Feb  2 10:50:12.426: WCCP-PKT:IPv4:D70: Sending 176 bytes from 192.168.100.1 to 192.168.100.254
*Feb  2 10:50:12.426: WCCP-EVNT:IPv4:S0: updating wc 192.168.100.254 orig assign info (hash)
*Feb  2 10:50:12.426: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.100.254, rcv_id:14931
*Feb  2 10:50:12.426: WCCP-PKT:IPv4:S0: Sending 176 bytes from 192.168.100.1 to 192.168.100.254
*Feb  2 10:50:22.426: WCCP-EVNT:IPv4:D70: updating wc 192.168.100.254 orig assign info (hash)
*Feb  2 10:50:22.426: WCCP-PKT:IPv4:D70: Sending ISY to 192.168.100.254, rcv_id:14932
*Feb  2 10:50:22.426: WCCP-PKT:IPv4:D70: Sending 176 bytes from 192.168.100.1 to 192.168.100.254
*Feb  2 10:50:22.426: WCCP-EVNT:IPv4:S0: updating wc 192.168.100.254 orig assign info (hash)
*Feb  2 10:50:22.426: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.100.254, rcv_id:14932
*Feb  2 10:50:22.426: WCCP-PKT:IPv4:S0: Sending 176 bytes from 192.168.100.1 to 192.168.100.254

Here's the relevant configuration from the router:

ip dhcp excluded-address 10.10.0.0 10.10.0.255
!
ip dhcp pool Guests
 network 10.10.0.0 255.255.0.0
 default-router 10.10.0.1
 dns-server 8.8.8.8 8.8.4.4
 domain-name mod-guest.local
!
ip domain name network.local
ip cef
ip wccp web-cache password 0 xxxxxxxx
ip wccp 70 password 0 xxxxxxxx
no ipv6 cef
!
class-map type inspect match-all any
 match access-group name ANY
!
policy-map type inspect dmz_to_self
 class class-default
  pass
policy-map type inspect self_to_dmz
 class class-default
  pass
policy-map type inspect guests_to_dmz
 class type inspect any
  inspect
 class class-default
  drop
policy-map type inspect guests_to_internet
 class type inspect any
  inspect
 class class-default
  drop
policy-map type inspect dmz_to_internet
 class type inspect any
  inspect
 class class-default
  drop log
policy-map type inspect internet_to_self
 class class-default
  drop log
!
zone security internet
zone security guests
zone security dmz
zone-pair security internet_to_self source internet destination self
 service-policy type inspect internet_to_self
zone-pair security guests_to_internet source guests destination internet
 service-policy type inspect guests_to_internet
zone-pair security guests_to_dmz source guests destination dmz
 service-policy type inspect guests_to_dmz
zone-pair security dmz_to_internet source dmz destination internet
 service-policy type inspect dmz_to_internet
zone-pair security dmz_to_self source dmz destination self
 service-policy type inspect dmz_to_self
zone-pair security self_to_dmz source self destination dmz
 service-policy type inspect self_to_dmz
!
interface GigabitEthernet0/0
 ip address 10.10.0.1 255.255.0.0
 ip wccp web-cache redirect in
 ip wccp 70 redirect in
 ip nat inside
 ip virtual-reassembly in
 zone-member security guests
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Internet
 ip address nnn.nnn.nnn.nnn 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 zone-member security internet
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 192.168.100.1 255.255.255.0
 ip wccp redirect exclude in
 ip nat inside
 ip virtual-reassembly in
 zone-member security dmz
 duplex auto
 speed auto
!
interface GigabitEthernet0/2.100
 encapsulation dot1Q 100
 ip address 172.30.aaa.aaa 255.255.254.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 nnn.nnn.nnn.nnn
ip ssh version 2
!
ip access-list extended ANY
 permit ip any any
!
access-list 100 permit ip 10.10.0.0 0.0.255.255 any
access-list 100 permit ip 192.168.100.0 0.0.0.255 any

Everything looks good in the WCCP summary:

#sh ip wccp summary
WCCP version 2 enabled, 2 services

Service     Clients   Routers   Assign      Redirect   Bypass
-------     -------   -------   ------      --------   ------
Default routing table (Router Id: nnn.nnn.nnn.nnn):
web-cache   1         1         HASH        GRE        GRE
70          1         1         HASH        GRE        GRE

And for the web-cache service:

#sh ip wccp web-cache
Global WCCP information:
    Router information:
        Router Identifier:                   nnn.nnn.nnn.nnn

    Service Identifier: web-cache
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            0
          Process:                           0
          CEF:                               0
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            8652
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       15
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
        GRE tunnel interface:                Tunnel1

Here's the detail:

#sh ip wccp web-cache detail
WCCP Client information:
        WCCP Client ID:          192.168.100.254
        Protocol Version:        2.00
        State:                   Usable
        Redirection:             GRE
        Packet Return:           GRE
        Assignment:              HASH
        Connect Time:            19:24:16
        Redirected Packets:
          Process:               0
          CEF:                   0
        GRE Bypassed Packets:
          Process:               0
          CEF:                   0
        Hash Allotment:          None
        Initial Hash Info:       00000000000000000000000000000000
                                 00000000000000000000000000000000
        Assigned Hash Info:      None

But there are no assignments:

#sh ip wccp web-cache assignment
            Assignment Method:  HASH
               Assignment Key:  UNKNOWN, 0
         Assignments Received:  0
                 (duplicates):  0
                    (invalid):  0

    XX|  0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
    --|-------------------------------------------------
    00| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    10| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    20| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    30| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    40| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    50| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    60| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    70| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    80| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    90| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    A0| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    B0| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    C0| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    D0| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    E0| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
    F0| -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --

    Key:

    Target  WCCP Client Address
    ------  -------------------
        --  NOT ASSIGNED

Does anyone know what would prevent the router assigning a WCCP client to the requests?

Many thanks in advance,

Neil.
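As an added example that is not part of this thread or of either vendor's tooling: a small Python checker that parses the `show ip wccp web-cache` / `detail` counters above and the `bad rcv_id` debug lines from the earlier post, and turns them into the findings a troubleshooter would want (client registered but no hash allotment, packets piling up as unassigned, authentication failures). The samples are constructed from the values in the posts; HERE_I_AM, I_SEE_YOU and REDIRECT_ASSIGN are the WCCPv2 message names, and `Assignments Received: 0` on the router means the designated client has not sent a REDIRECT_ASSIGN.

```python
"""Health check for Cisco WCCP 'show' and debug output.

Added example, not code from this thread: it parses the counters the router
prints and explains why a registered client receives no redirected traffic.
The samples below are constructed to mirror the values in the post above.
"""
import re

# Constructed sample, abbreviated from 'show ip wccp web-cache'.
SAMPLE_SHOW = """\
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.100.1

    Service Identifier: web-cache
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            0
          Process:                           0
          CEF:                               0
        Service mode:                        Open
        Total Packets Dropped Closed:        0
        Total Packets Unassigned:            8652
        Total Authentication failures:       15
        GRE tunnel interface:                Tunnel1
"""

# Constructed sample, abbreviated from 'show ip wccp web-cache detail'.
SAMPLE_DETAIL = """\
WCCP Client information:
        WCCP Client ID:          192.168.100.254
        State:                   Usable
        Redirection:             GRE
        Assignment:              HASH
        Connect Time:            19:24:16
        Hash Allotment:          None
        Assigned Hash Info:      None
"""

# Constructed sample of 'debug ip wccp events' lines (shape as in the thread).
SAMPLE_DEBUG = """\
*Jan 24 15:30:28.163: WCCP-EVNT:IPv4:D70: HIA from 192.168.100.254 with bad rcv_id 1025 (expected 1026)
*Jan 24 15:30:28.163: WCCP-EVNT:IPv4:S0: updating wc 192.168.100.254 orig assign info (hash)
*Jan 24 15:30:28.163: WCCP-EVNT:IPv4:S0: HIA from 192.168.100.254 with bad rcv_id 1026 (expected 1027)
"""

FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z /-]*?):\s+(?P<val>\S.*?)\s*$")
RCV_ID_RE = re.compile(
    r"WCCP-EVNT:IPv4:(?P<svc>\w+): HIA from (?P<client>[\d.]+) "
    r"with bad rcv_id (?P<got>\d+) \(expected (?P<want>\d+)\)")


def parse_fields(text):
    """Map 'Key: value' lines to a dict. The first occurrence of a key wins,
    so the repeated Process/CEF sub-counters do not overwrite the totals."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group("key") not in fields:
            fields[m.group("key")] = m.group("val")
    return fields


def to_int(val):
    # Counters are decimal; anything else (e.g. '-none-') counts as 0.
    return int(val) if val.isdigit() else 0


def rcv_id_desync(debug_text):
    """Return (service, client, got, expected) for each HERE_I_AM whose echoed
    receive id lags the router's last I_SEE_YOU: the two sides are out of sync."""
    return [(m["svc"], m["client"], int(m["got"]), int(m["want"]))
            for m in RCV_ID_RE.finditer(debug_text)]


def diagnose(show_text, detail_text):
    """List findings explaining why redirection is not happening."""
    s, d = parse_fields(show_text), parse_fields(detail_text)
    clients = to_int(s.get("Number of Service Group Clients", "0"))
    redirected = to_int(s.get("Total Packets Redirected", "0"))
    unassigned = to_int(s.get("Total Packets Unassigned", "0"))
    auth_fail = to_int(s.get("Total Authentication failures", "0"))
    closed = s.get("Service mode", "").lower() == "closed"
    findings = []
    if clients == 0:
        findings.append("no client registered: check the HERE_I_AM/I_SEE_YOU exchange and password")
        if closed:
            findings.append("closed mode with no client: matching traffic is dropped, not bypassed")
    if unassigned and redirected == 0:
        findings.append(f"{unassigned} packets unassigned, 0 redirected: "
                        "client is registered but owns no hash buckets")
    if d.get("Hash Allotment", "").lower() == "none":
        findings.append("client 'Hash Allotment: None': router never received a REDIRECT_ASSIGN")
    if auth_fail:
        findings.append(f"{auth_fail} authentication failures: messages rejected by the "
                        "service-group password check")
    return findings
```

Calling `diagnose(SAMPLE_SHOW, SAMPLE_DETAIL)` on the constructed sample yields three findings (unassigned traffic, empty hash allotment, authentication failures), and `rcv_id_desync(SAMPLE_DEBUG)` lists the two out-of-sync HERE_I_AM messages.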

Neil

I am glad that you have made some progress. I wish I saw something in this data that you posted that looked like an issue but I am not seeing any obvious issue. Are there any messages on Sophos that might shed light on what is going on?

HTH

Rick

Hi Rick,

I wish you saw something, too! :-) I'm currently trying to get this raised as a support call as we should have software support on the 4331 (definitely not on the 2921 as it was in the scrap/spares pile)!

If/when I get a solution I'll post it here.

Bizarrely the Sophos appliance is complaining "Unable to communicate with the following WCCP routers: 192.168.100.1 (HTTPS server), 192.168.100.1 (HTTP service)"! However the router shows the Sophos appliance as a WCCP client!

Many thanks for spending the time to have a look at this problem.

Neil.

Hello Neil,

I have a feeling that the ZBF is the culprit. I know that in XE, layer 2 redirection is not supported at all, and you have to configure WCCP GRE redirection. On the 2921, I don't know if GRE redirection is possible at all, you might want to give it a try (or temporarily disable the ZBF in order to confirm that this is actually the problem).

Here is the link to the configuration guide for WCCP GRE redirection:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-xe-book/sec-zone-pol-fw.html

When I read the suggestion from Georg about ZBF my first reaction was to agree with it. But then I looked at the original post from Neil and found this: "To rule out the Zone Based Firewall, I've removed all of its configuration. I still can't get WCCP to work!".

Neil does talk about testing WCCP on 2821 using L2 redirection. Was this also with ZBF?

I also found these comments: "With the 2921 running 15.1(4)M4 (which was on it when it came out of stock), L2 mode worked as it did on the 2821. GRE mode wouldn't work"

I don't know if it is significant but I wonder how Sophos defines service 70.

HTH

Rick

Hi Rick,

Yes, I definitely removed the ZBF from my configuration as I feared that it was preventing things from working. Sadly it didn't improve matters. I will give it a try now that the 'bad rcv_id' errors are no longer present and will report back.

The 2821 doesn't have the ZBF (I'm pretty sure that it doesn't) and I certainly never tried it at the time of the proof of concept. As it was behind a NATing router I didn't feel the need to configure the ZBF (if available) or any ACLs for router protection (I wish I had tried now)! We only used it for a controlled demonstration to our internal customer.

Sophos documentation states to use service group 70 for HTTPS:

This option requires that there be two WCCP service groups on the selected router. The required groups are group 0 for HTTP, and group 70 for HTTPS.

The full document is here: http://swa.sophos.com/webhelp/swa/tasks/ConfigNetWCCP.html

I have a port aggregator and have inserted it between the router (2921) and Sophos appliance so I can see all the traffic, and I see the regular 'here I am' from the Sophos appliance and 'I see you' in response from the router. Nothing looks to be out of the ordinary!

I'll report back shortly from my next test, back with the 4331.

Many thanks,

Neil.

Neil

Thanks for the update confirming that at least some of the testing of WCCP was done with no ZBF. Also for confirming that Sophos specifies service group 70 for HTTPS. That eliminates one more possible cause of problems.

It looks like the initial negotiation is successful and that there is agreement on using GRE redirection. So I am puzzled at what is causing the problem.

HTH

Rick

Hi Rick,

I'm rather puzzled too! I have the 4331 back in place, no ZBF whatsoever but still no packets being redirected to the Sophos appliance (the good news is that there's still no 'bad rcv_id' messages being logged):

#sh ip wccp web-cache
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.100.1

    Service Identifier: web-cache
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            0
          Process:                           0
          CEF:                               0
          Platform:                          0
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            1477
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
          Platform:                          0
        GRE tunnel interface:                Tunnel1

Do you think there would be any benefit for me to capture the initial handshake between the router and Sophos appliance, now that I have the port aggregator in place?

Unfortunately I'm still waiting for internal confirmation of how to raise the support ticket with Cisco so haven't been able to do that yet.

Many thanks,

Neil.

Neil

I really do not think that ZBF caused the problem. But I am a big believer in keeping things simple while testing. So I suggest that you leave ZBF alone while we test and put it back after we have WCCP working.

It would not hurt to capture the initial exchange. But I am not optimistic that it will reveal much since it appears that negotiation between router and Sophos is successful.

Can you verify that while testing there was a mix of HTTP and HTTPS traffic sent through the router?

HTH

Rick