01-23-2018 09:41 AM - edited 03-05-2019 09:48 AM
Hi,
I've been having major issues getting WCCP and the Zone Based Firewall working together on an ISR4331. To rule out the Zone Based Firewall, I've removed all of its configuration. I still can't get WCCP to work!
Clients are on 10.10.0.0/16, the Sophos web appliance is on 192.168.100.254, and the Internet connection is currently behind a NATing device, as I'm reluctant to connect the router to the Internet without it being able to defend itself, although ultimately it will have a direct Internet connection.
I had this setup running on a Cisco 2821 (out of the scrap pile, no firewall though) as a proof of concept but using L2 WCCP as that's all that would work with the 2821. Everything worked fine (and still does when I plug the POC router back in)! With the ISR4331 I can't even get L2 WCCP working but I understand that I really need it to be GRE in order to play nicely with the ZBFW (and I really want the ZBFW to keep the router protected). The Sophos appliance can be configured for either L2 or GRE but not both.
Here are the relevant parts of the config from the ISR4331:
boot-start-marker
boot system flash bootflash:isr4300-universalk9.16.06.02.SPA.bin
boot-end-marker
!
ip dhcp excluded-address 10.10.0.1 10.10.0.255
!
ip dhcp pool Guests
 network 10.10.0.0 255.255.0.0
 dns-server 8.8.8.8 8.8.4.4
 domain-name xxx-guest.local
 default-router 10.10.0.1
 lease 0 4
!
ip wccp web-cache mode closed password 7 xxxxxxxxxxxxxxxxxx
ip wccp 70 password 7 xxxxxxxxxxxxxxxxxx
!
license boot suite FoundationSuiteK9
!
redundancy
 mode none
!
interface GigabitEthernet0/0/0
 description Internet
 ip address 192.168.1.251 255.255.255.0
 ip nat outside
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 description Guests
 ip address 10.10.0.1 255.255.0.0
 ip nat inside
 ip wccp web-cache redirect in
 ip wccp 70 redirect in
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0/0/2
 description DMZ
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 ip wccp redirect exclude in
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 172.30.101.101 255.255.254.0
 negotiation auto
!
ip nat inside source list 100 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
access-list 100 remark Addresses to NAT
access-list 100 permit ip 10.10.0.0 0.0.255.255 any
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
When the Sophos appliance is configured with L2 WCCP, I see:
#sh ip wccp summ
WCCP version 2 enabled, 2 services
Service     Clients   Routers   Assign      Redirect   Bypass
-------     -------   -------   ------      --------   ------
Default routing table (Router Id: 192.168.1.251):
web-cache   1         1         MASK        L2         L2
70          1         1         MASK        L2         L2
#sh ip wccp web-cache
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.1.251
    Service Identifier: web-cache
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            0
          Process:                           0
          CEF:                               0
          Platform:                          0
        Service mode:                        Closed
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        4
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
          Platform:                          0
And with GRE WCCP:
#sh ip wccp summ
WCCP version 2 enabled, 2 services
Service     Clients   Routers   Assign      Redirect   Bypass
-------     -------   -------   ------      --------   ------
Default routing table (Router Id: 192.168.1.251):
web-cache   1         1         HASH        GRE        GRE
70          1         1         HASH        GRE        GRE
#sh ip wccp web-cache
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.1.251
    Service Identifier: web-cache
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            0
          Process:                           0
          CEF:                               0
          Platform:                          0
        Service mode:                        Closed
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        64
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
          Platform:                          0
        GRE tunnel interface:                Tunnel1
#sh ip int brief
Interface              IP-Address      OK? Method Status  Protocol
GigabitEthernet0/0/0   192.168.1.251   YES manual up      up
GigabitEthernet0/0/1   10.10.0.1       YES NVRAM  up      up
GigabitEthernet0/0/2   192.168.100.1   YES NVRAM  up      up
GigabitEthernet0       172.30.101.101  YES NVRAM  up      up
Tunnel0                192.168.100.1   YES unset  up      up
Tunnel1                192.168.100.1   YES manual up      up
Because web-cache is "Closed" I can't get to HTTP sites (which is how it should be if the Sophos appliance is not available). I can however ping sites over the Internet so I know that the routing is set up correctly and if I remove the WCCP redirects on Gi0/0/1 then my access starts working.
Does anyone have any ideas? Many, many thanks in advance,
Neil.
01-24-2018 12:56 AM
Neil
In the config that you posted I see this
ip wccp web-cache mode closed password 7 xxxxxxxxxxxxxxxxxx
Did you configure the mode or did the ISR do that dynamically?
HTH
Rick
01-24-2018 01:20 AM
Hi Rick,
Many thanks for the reply. I configured the mode manually (my understanding was that in closed mode, if there are no WCCP clients then the request will fail, i.e. if the Sophos appliance dies then clients aren't able to get to any sites, good or bad). I had closed mode set on the 2821 and it worked as expected (albeit in L2 mode).
I've just quickly removed 'mode closed' but the requests from the clients are still being counted under 'Total Packets Unassigned'!
Thanks once again,
Neil.
PS. Just cracked out a 2921 to see whether it works on that!
01-24-2018 07:38 AM
Hi,
Just to sanity check the ISR4331, I now have a 2921 configured up with the same configuration.
With the 2921 running 15.1(4)M4 (which was on it when it came out of stock), L2 mode worked as it did on the 2821. GRE mode wouldn't work as it complained about an 'incompatible method'. I can provide a log if required.
Upgrading the 2921 to Version 15.4(3)M8, gives an identical experience to the ISR4331:
#sh ip wccp summ
WCCP version 2 enabled, 2 services
Service     Clients   Routers   Assign      Redirect   Bypass
-------     -------   -------   ------      --------   ------
Default routing table (Router Id: 213.152.44.122):
web-cache   0         0         HASH/MASK   GRE/L2     GRE/L2
70          0         0         HASH/MASK   GRE/L2     GRE/L2
With the Sophos appliance in L2 mode:
#sh ip wccp summary
WCCP version 2 enabled, 2 services
Service     Clients   Routers   Assign      Redirect   Bypass
-------     -------   -------   ------      --------   ------
Default routing table (Router Id: xxx.xxx.xxx.xxx):
web-cache   1         1         MASK        L2         L2
70          1         1         MASK        L2         L2
#sh ip wccp web-cache
Global WCCP information:
    Router information:
        Router Identifier:                   xxx.xxx.xxx.xxx
    Service Identifier: web-cache
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            0
          Process:                           0
          CEF:                               0
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            211
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
With the Sophos appliance in GRE mode:
#sh ip wccp summary
WCCP version 2 enabled, 2 services
Service     Clients   Routers   Assign      Redirect   Bypass
-------     -------   -------   ------      --------   ------
Default routing table (Router Id: xxx.xxx.xxx.xxx):
web-cache   1         1         HASH        GRE        GRE
70          1         1         HASH        GRE        GRE
#sh ip wccp web-cache
Global WCCP information:
    Router information:
        Router Identifier:                   xxx.xxx.xxx.xxx
    Service Identifier: web-cache
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            0
          Process:                           0
          CEF:                               0
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            77
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
        GRE tunnel interface:                Tunnel1
Whilst configured for GRE mode, I see the following in the logs:
*Jan 24 15:30:28.163: WCCP-EVNT:IPv4:D70: HIA from 192.168.100.254 with bad rcv_id 1025 (expected 1026)
*Jan 24 15:30:28.163: WCCP-EVNT:IPv4:S0: updating wc 192.168.100.254 orig assign info (hash)
*Jan 24 15:30:28.163: WCCP-EVNT:IPv4:S0: HIA from 192.168.100.254 with bad rcv_id 1026 (expected 1027)
*Jan 24 15:30:38.155: WCCP-EVNT:IPv4:D70: updating wc 192.168.100.254 orig assign info (hash)
*Jan 24 15:30:38.155: WCCP-EVNT:IPv4:D70: HIA from 192.168.100.254 with bad rcv_id 1027 (expected 1028)
*Jan 24 15:30:38.155: WCCP-EVNT:IPv4:S0: updating wc 192.168.100.254 orig assign info (hash)
Do you think that this will be causing an issue?
Essentially it looks like the router is not able to assign the traffic to a WCCP client:
#sh ip wccp web-cache assignment
Assignment Method: HASH
Assignment Key: UNKNOWN, 0
Assignments Received: 0
  (duplicates): 0
  (invalid): 0
XX| 0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
--|-------------------------------------------------
00| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
10| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
40| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
50| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
60| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
70| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
80| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
90| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
A0| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
B0| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
C0| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
D0| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
E0| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
F0| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Key:   Target WCCP Client Address
------ -------------------
--     NOT ASSIGNED
Is there anything I can do (or more debugging ip wccp events and ip wccp packets currently being debugged)?
Many thanks in advance,
Neil.
01-24-2018 08:36 AM
Neil
Thanks for the additional information. I notice that you say that WCCP is working when operating in L2 mode. But I see this in the output that you post about L2 mode
Total Packets Redirected: 0
Process: 0
CEF: 0
Total Packets Unassigned: 211
which looks to me pretty much like the output you post for L3/GRE.
Looking on the positive side it is good that the router and Sophos are recognizing each other and negotiating enough of WCCP for the router to know about the services being monitored. But clearly something is not working. The log messages you post are clear evidence that something is not in sync
*Jan 24 15:30:28.163: WCCP-EVNT:IPv4:D70: HIA from 192.168.100.254 with bad rcv_id 1025 (expected 1026)
*Jan 24 15:30:28.163: WCCP-EVNT:IPv4:S0: updating wc 192.168.100.254 orig assign info (hash)
I am not sure what these mean but believe that they are identifying a problem. Is it possible that something is interfering with communication between the router and Sophos? Is Sophos directly connected to the router or is there some device between them?
The choice of L2 or L3/GRE is made on the server and negotiated with the router. I wonder if there is something else that needs to be changed on the server as it changes from L2 to L3?
HTH
Rick
01-24-2018 08:53 AM
Hi Rick,
Many thanks once again. Apologies for the confusion. I don't have any copies of the stats for the L2 modes that worked but I can recreate them if necessary. Just to make things clearer, this is the timeline:
We performed a proof of concept using a 2821. It only supported L2 mode (not sure what IOS but I believe it was the latest released for it) and worked perfectly.
We got an ISR4331 for the final implementation (as we need to be able to sustain 200Mbps throughput). That currently has 16.06.02 on it and had the issues with both L2 and L3/GRE modes.
I then got a 2921 out of the stock pile and that was running 15.1(4)M4, configured in L2 mode and it worked exactly the same as the 2821. It wouldn't work in L3/GRE mode.
I upgraded the 2921 to 15.4(3)M8 and it now experiences the same issues as the ISR4331! Essentially both L2 and L3/GRE modes appear to work, the router sees the client but doesn't send any traffic to it!
According to Sophos, the only important thing to do is to wait 30 seconds between changing modes so that the router removes the entries for the WCCP client:
https://community.sophos.com/kb/en-us/110419
The Sophos appliance is running on a VM and both the router and VM host are connected to the same switch so there shouldn't be anything that can mess with the traffic.
I've included a screenshot from the appliance - there really isn't much to change!
I'll see whether we can raise a call with Sophos tomorrow and at least I can quote the bad rcv_id logs to them!
At least it looks like it's not me missing the blindingly obvious...
Many thanks once again,
Neil.
02-02-2018 02:54 AM
I've made a little progress by reconfiguring everything related to WCCP on both the router and Sophos Appliance. I'm no longer seeing any 'bad rcv_id' messages so things are looking a little better. However, it's still not working! This is currently on a 2921 which I'm using for my tests.
#show debugging
WCCP packet info debugging is on for IPv4
WCCP events debugging is on for IPv4
*Feb 2 10:50:12.426: WCCP-EVNT:IPv4:D70: updating wc 192.168.100.254 orig assign info (hash)
*Feb 2 10:50:12.426: WCCP-PKT:IPv4:D70: Sending ISY to 192.168.100.254, rcv_id:14931
*Feb 2 10:50:12.426: WCCP-PKT:IPv4:D70: Sending 176 bytes from 192.168.100.1 to 192.168.100.254
*Feb 2 10:50:12.426: WCCP-EVNT:IPv4:S0: updating wc 192.168.100.254 orig assign info (hash)
*Feb 2 10:50:12.426: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.100.254, rcv_id:14931
*Feb 2 10:50:12.426: WCCP-PKT:IPv4:S0: Sending 176 bytes from 192.168.100.1 to 192.168.100.254
*Feb 2 10:50:22.426: WCCP-EVNT:IPv4:D70: updating wc 192.168.100.254 orig assign info (hash)
*Feb 2 10:50:22.426: WCCP-PKT:IPv4:D70: Sending ISY to 192.168.100.254, rcv_id:14932
*Feb 2 10:50:22.426: WCCP-PKT:IPv4:D70: Sending 176 bytes from 192.168.100.1 to 192.168.100.254
*Feb 2 10:50:22.426: WCCP-EVNT:IPv4:S0: updating wc 192.168.100.254 orig assign info (hash)
*Feb 2 10:50:22.426: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.100.254, rcv_id:14932
*Feb 2 10:50:22.426: WCCP-PKT:IPv4:S0: Sending 176 bytes from 192.168.100.1 to 192.168.100.254
Here's the relevant configuration from the router:
ip dhcp excluded-address 10.10.0.0 10.10.0.255
!
ip dhcp pool Guests
 network 10.10.0.0 255.255.0.0
 default-router 10.10.0.1
 dns-server 8.8.8.8 8.8.4.4
 domain-name mod-guest.local
!
ip domain name network.local
ip cef
ip wccp web-cache password 0 xxxxxxxx
ip wccp 70 password 0 xxxxxxxx
no ipv6 cef
!
class-map type inspect match-all any
 match access-group name ANY
!
policy-map type inspect dmz_to_self
 class class-default
  pass
policy-map type inspect self_to_dmz
 class class-default
  pass
policy-map type inspect guests_to_dmz
 class type inspect any
  inspect
 class class-default
  drop
policy-map type inspect guests_to_internet
 class type inspect any
  inspect
 class class-default
  drop
policy-map type inspect dmz_to_internet
 class type inspect any
  inspect
 class class-default
  drop log
policy-map type inspect internet_to_self
 class class-default
  drop log
!
zone security internet
zone security guests
zone security dmz
zone-pair security internet_to_self source internet destination self
 service-policy type inspect internet_to_self
zone-pair security guests_to_internet source guests destination internet
 service-policy type inspect guests_to_internet
zone-pair security guests_to_dmz source guests destination dmz
 service-policy type inspect guests_to_dmz
zone-pair security dmz_to_internet source dmz destination internet
 service-policy type inspect dmz_to_internet
zone-pair security dmz_to_self source dmz destination self
 service-policy type inspect dmz_to_self
zone-pair security self_to_dmz source self destination dmz
 service-policy type inspect self_to_dmz
!
interface GigabitEthernet0/0
 ip address 10.10.0.1 255.255.0.0
 ip wccp web-cache redirect in
 ip wccp 70 redirect in
 ip nat inside
 ip virtual-reassembly in
 zone-member security guests
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Internet
 ip address nnn.nnn.nnn.nnn 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 zone-member security internet
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 192.168.100.1 255.255.255.0
 ip wccp redirect exclude in
 ip nat inside
 ip virtual-reassembly in
 zone-member security dmz
 duplex auto
 speed auto
!
interface GigabitEthernet0/2.100
 encapsulation dot1Q 100
 ip address 172.30.aaa.aaa 255.255.254.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 nnn.nnn.nnn.nnn
ip ssh version 2
!
ip access-list extended ANY
 permit ip any any
!
access-list 100 permit ip 10.10.0.0 0.0.255.255 any
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
Everything looks good in the WCCP summary:
#sh ip wccp summary
WCCP version 2 enabled, 2 services
Service     Clients   Routers   Assign      Redirect   Bypass
-------     -------   -------   ------      --------   ------
Default routing table (Router Id: nnn.nnn.nnn.nnn):
web-cache   1         1         HASH        GRE        GRE
70          1         1         HASH        GRE        GRE
And for the web-cache service:
#sh ip wccp web-cache
Global WCCP information:
    Router information:
        Router Identifier:                   nnn.nnn.nnn.nnn
    Service Identifier: web-cache
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            0
          Process:                           0
          CEF:                               0
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            8652
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       15
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
        GRE tunnel interface:                Tunnel1
Here's the detail:
#sh ip wccp web-cache detail
WCCP Client information:
    WCCP Client ID:          192.168.100.254
    Protocol Version:        2.00
    State:                   Usable
    Redirection:             GRE
    Packet Return:           GRE
    Assignment:              HASH
    Connect Time:            19:24:16
    Redirected Packets:
      Process:               0
      CEF:                   0
    GRE Bypassed Packets:
      Process:               0
      CEF:                   0
    Hash Allotment:          None
    Initial Hash Info:       00000000000000000000000000000000
                             00000000000000000000000000000000
    Assigned Hash Info:      None
But there are no assignments:
#sh ip wccp web-cache assignment
Assignment Method: HASH
Assignment Key: UNKNOWN, 0
Assignments Received: 0
  (duplicates): 0
  (invalid): 0
XX| 0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
--|-------------------------------------------------
00| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
10| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
40| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
50| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
60| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
70| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
80| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
90| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
A0| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
B0| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
C0| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
D0| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
E0| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
F0| -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Key:   Target WCCP Client Address
------ -------------------
--     NOT ASSIGNED
Does anyone know what would prevent the router assigning a WCCP client to the requests?
Many thanks in advance,
Neil.
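The state shown in the post above (client registered and Usable, nothing redirected, no hash allotment) can be checked mechanically from the two command outputs. The following is an added example, not part of the original thread and not Cisco or Sophos code; the function names and finding codes are this example's own, and the sample text is laid out for the example using the counter values from the post.

```python
import re

# Sample text constructed for this example; counter values are those shown in
# the 02-02-2018 post (2921, GRE mode, service web-cache).
SAMPLE_GLOBAL = """\
    Service Identifier: web-cache
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            0
        Service mode:                        Open
        Total Packets Dropped Closed:        0
        Total Packets Unassigned:            8652
        Total Authentication failures:       15
"""
SAMPLE_DETAIL = """\
    WCCP Client ID:          192.168.100.254
    State:                   Usable
    Redirection:             GRE
    Assignment:              HASH
    Hash Allotment:          None
    Assigned Hash Info:      None
"""

# Finding codes are hypothetical names chosen for this example.
MESSAGES = {
    "no-client": "no WCCP client has registered for this service",
    "not-redirecting": "a client is registered but no packet has been redirected",
    "no-assignment": "client is Usable but holds no hash allotment",
    "auth-failures": "WCCP messages failed authentication; compare the "
                     "service password on router and appliance",
    "open-bypass": "mode Open: unassigned packets are forwarded without "
                   "passing through the appliance",
    "closed-drop": "mode Closed: traffic that cannot be redirected is dropped",
}


def parse_fields(text):
    """Return {label: value} for each 'Label: value' line (first one wins)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(\S.*)?$", line)
        if m and m.group(2) is not None:
            fields.setdefault(m.group(1).strip(), m.group(2).strip())
    return fields


def counter(fields, label):
    """Read a numeric counter, treating a missing or odd value as 0."""
    value = fields.get(label, "0")
    return int(value) if value.isdigit() else 0


def diagnose(global_text, detail_text=""):
    """Return finding codes for 'show ip wccp <svc>' and its 'detail' output."""
    g, d = parse_fields(global_text), parse_fields(detail_text)
    clients = counter(g, "Number of Service Group Clients")
    redirected = counter(g, "Total Packets Redirected")
    unassigned = counter(g, "Total Packets Unassigned")
    dropped = counter(g, "Total Packets Dropped Closed")
    mode = g.get("Service mode")
    findings = []
    if clients == 0:
        findings.append("no-client")
    elif redirected == 0 and (unassigned or dropped):
        findings.append("not-redirecting")
    if d.get("State") == "Usable" and d.get("Hash Allotment") == "None":
        findings.append("no-assignment")
    if counter(g, "Total Authentication failures"):
        findings.append("auth-failures")
    if mode == "Open" and unassigned:
        findings.append("open-bypass")
    if mode == "Closed" and dropped:
        findings.append("closed-drop")
    return findings


if __name__ == "__main__":
    for code in diagnose(SAMPLE_GLOBAL, SAMPLE_DETAIL):
        print(f"{code}: {MESSAGES[code]}")
```

The "open-bypass" finding is the one that matters for a filtering deployment: with the service in open mode, the 8652 unassigned packets were forwarded without reaching the web appliance.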
02-02-2018 05:10 AM
Neil
I am glad that you have made some progress. I wish I saw something in this data that you posted that looked like an issue but I am not seeing any obvious issue. Are there any messages on Sophos that might shed light on what is going on?
HTH
Rick
02-06-2018 09:51 AM
Hi Rick,
I wish you saw something, too! :-) I'm currently trying to get this raised as a support call as we should have software support on the 4331 (definitely not on the 2921 as it was in the scrap/spares pile)!
If/when I get a solution I'll post it here.
Bizarrely the Sophos appliance is complaining "Unable to communicate with the following WCCP routers: 192.168.100.1 (HTTPS server), 192.168.100.1 (HTTP service)"! However the router shows the Sophos appliance as a WCCP client!
Many thanks for spending the time to have a look at this problem.
Neil.
02-06-2018 10:29 AM
Hello Neil,
I have a feeling that the ZBF is the culprit. I know that in XE, layer 2 redirection is not supported at all, and you have to configure WCCP GRE redirection. On the 2921, I don't know if GRE redirection is possible at all, you might want to give it a try (or temporarily disable the ZBF in order to confirm that this is actually the problem).
Here is the link to the configuration guide for WCCP GRE redirection:
02-06-2018 02:52 PM
When I read the suggestion from Georg about ZBF my first reaction was to agree with it. But then I looked at the original post from Neil and found this "To rule out the Zone Based Firewall, I've removed all of its configuration. I still can't get WCCP to work!".
Neil does talk about testing WCCP on 2821 using L2 redirection. Was this also with ZBF?
I also found these comments "With the 2921 running 15.1(4)M4 (which was on it when it came out of stock), L2 mode worked as it did on the 2821. GRE mode wouldn't work"
I don't know if it is significant but I wonder how Sophos defines service70.
HTH
Rick
02-08-2018 09:04 AM
Hi Rick,
Yes, I definitely removed the ZBF from my configuration as I feared that it was preventing things from working. Sadly it didn't improve matters. I will give it a try now that the 'bad rcv_id' errors are no longer present and will report back.
The 2821 doesn't have the ZBF (I'm pretty sure that it doesn't) and I certainly never tried it at the time of the proof of concept. As it was behind a NATing router I didn't feel the need to configure the ZBF (if available) or any ACLs for router protection (I wish I had tried now)! We only used it for a controlled demonstration to our internal customer.
Sophos documentation states to use service group 70 for HTTPS:
This option requires that there be two WCCP service groups on the selected router. The required groups are group 0 for HTTP, and group 70 for HTTPS.
The full document is here: http://swa.sophos.com/webhelp/swa/tasks/ConfigNetWCCP.html
I have a port aggregator and have inserted it between the router (2921) and Sophos appliance so can see all the traffic and see the regular 'here I am' from the Sophos appliance and 'I see you' in response from the router. Nothing looks to be out of the ordinary!
I'll report back shortly from my next test, back with the 4331.
Many thanks,
Neil.
02-08-2018 09:18 AM
Neil
Thanks for the update confirming that at least some of the testing of WCCP was done with no ZBF. Also for confirming that Sophos specifies service group 70 for HTTPS. That eliminates one more possible cause of problems.
It looks like the initial negotiation is successful and that there is agreement on using GRE redirection. So I am puzzled at what is causing the problem.
HTH
Rick
02-08-2018 10:38 AM
Hi Rick,
I'm rather puzzled too! I have the 4331 back in place, no ZBF whatsoever but still no packets being redirected to the Sophos appliance (the good news is that there's still no 'bad rcv_id' messages being logged):
#sh ip wccp web-cache
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.100.1
    Service Identifier: web-cache
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            0
          Process:                           0
          CEF:                               0
          Platform:                          0
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            1477
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
          Platform:                          0
        GRE tunnel interface:                Tunnel1
Do you think there would be any benefit for me to capture the initial handshake between the router and Sophos appliance, now that I have the port aggregator in place?
Unfortunately I'm still waiting for internal confirmation of how to raise the support ticket with Cisco so haven't been able to do that yet.
Many thanks,
Neil.
02-08-2018 11:36 AM
Neil
I really do not think that ZBF caused the problem. But I am a big believer in keeping things simple while testing. So I suggest that you leave ZBF alone while we test and put it back after we have WCCP working.
It would not hurt to capture the initial exchange. But I am not optimistic that it will reveal much since it appears that negotiation between router and Sophos is successful.
Can you verify that while testing there was a mix of HTTP and HTTPS traffic sent through the router?
HTH
Rick