Unable to get WCCP working on an ISR4331

neil.hillard
Level 1

Hi,

I've been having major issues getting WCCP and the Zone-Based Firewall working together on an ISR4331. To rule out the Zone-Based Firewall, I've removed all of its configuration. I still can't get WCCP to work!

Clients are on 10.10.0.0/16, the Sophos web appliance is on 192.168.100.254, and the Internet connection is currently behind a NATing device, as I'm reluctant to connect the router to the Internet without it being able to defend itself, although ultimately it will have a direct Internet connection.

I had this setup running on a Cisco 2821 (out of the scrap pile, no firewall though) as a proof of concept, but using L2 WCCP as that's all that would work with the 2821. Everything worked fine (and still does when I plug the POC router back in)! With the ISR4331 I can't even get L2 WCCP working, but I understand that I really need it to be GRE in order to play nicely with the ZBFW (and I really want the ZBFW to keep the router protected). The Sophos appliance can be configured for either L2 or GRE, but not both.

Here are the relevant parts of the config from the ISR4331:

boot-start-marker
boot system flash bootflash:isr4300-universalk9.16.06.02.SPA.bin
boot-end-marker
!
ip dhcp excluded-address 10.10.0.1 10.10.0.255
!
ip dhcp pool Guests
 network 10.10.0.0 255.255.0.0
 dns-server 8.8.8.8 8.8.4.4
 domain-name xxx-guest.local
 default-router 10.10.0.1
 lease 0 4
!
ip wccp web-cache mode closed password 7 xxxxxxxxxxxxxxxxxx
ip wccp 70 password 7 xxxxxxxxxxxxxxxxxx
!
license boot suite FoundationSuiteK9
!
redundancy
 mode none
!
interface GigabitEthernet0/0/0
 description Internet
 ip address 192.168.1.251 255.255.255.0
 ip nat outside
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 description Guests
 ip address 10.10.0.1 255.255.0.0
 ip nat inside
 ip wccp web-cache redirect in
 ip wccp 70 redirect in
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0/0/2
 description DMZ
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 ip wccp redirect exclude in
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 172.30.101.101 255.255.254.0
 negotiation auto
!
ip nat inside source list 100 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
access-list 100 remark Addresses to NAT
access-list 100 permit ip 10.10.0.0 0.0.255.255 any
access-list 100 permit ip 192.168.100.0 0.0.0.255 any

When the Sophos appliance is configured with L2 WCCP, I see:

#sh ip wccp summ
WCCP version 2 enabled, 2 services

Service     Clients   Routers   Assign      Redirect   Bypass
-------     -------   -------   ------      --------   ------
Default routing table (Router Id: 192.168.1.251):
web-cache   1         1         MASK        L2         L2
70          1         1         MASK        L2         L2

#sh ip wccp web-cache
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.1.251

    Service Identifier: web-cache
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            0
          Process:                           0
          CEF:                               0
          Platform:                          0
        Service mode:                        Closed
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        4
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
          Platform:                          0

And with GRE WCCP:

#sh ip wccp summ
WCCP version 2 enabled, 2 services

Service     Clients   Routers   Assign      Redirect   Bypass
-------     -------   -------   ------      --------   ------
Default routing table (Router Id: 192.168.1.251):
web-cache   1         1         HASH        GRE        GRE
70          1         1         HASH        GRE        GRE

#sh ip wccp web-cache
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.1.251

    Service Identifier: web-cache
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            0
          Process:                           0
          CEF:                               0
          Platform:                          0
        Service mode:                        Closed
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        64
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
          Platform:                          0
        GRE tunnel interface:                Tunnel1

#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   192.168.1.251   YES manual up                    up
GigabitEthernet0/0/1   10.10.0.1       YES NVRAM  up                    up
GigabitEthernet0/0/2   192.168.100.1   YES NVRAM  up                    up
GigabitEthernet0       172.30.101.101  YES NVRAM  up                    up
Tunnel0                192.168.100.1   YES unset  up                    up
Tunnel1                192.168.100.1   YES manual up                    up

Because web-cache is "Closed" I can't get to HTTP sites (which is how it should be if the Sophos appliance is not available). I can, however, ping sites over the Internet, so I know that the routing is set up correctly, and if I remove the WCCP redirects on Gi0/0/1 then my access starts working.

Does anyone have any ideas?  Many, many thanks in advance,

Neil.
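Before changing anything on the appliance, it is worth linting the posted configuration for the two things that most often bite WCCP deployments: an interface facing the cache engine without `ip wccp redirect exclude in` (traffic coming back from the appliance gets redirected again), and a WAN-facing `ip nat outside` interface left with no security zone and no inbound access-group, which is exactly the state the router is in once the ZBFW configuration is stripped for troubleshooting. The script below is an added example for this thread, not part of the original post and not a Cisco tool. Its sample is a constructed, trimmed copy of the interface and WCCP lines from the ISR4331 config above; the cache engine address 192.168.100.254 is the one given in the post.

```python
"""Lint an IOS/IOS-XE config fragment for common WCCP redirect and exposure mistakes.

Added example for this thread; not a Cisco tool. SAMPLE_CONFIG is a constructed,
trimmed copy of the interface and WCCP lines from the posted ISR4331 config.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
ip wccp web-cache mode closed password 7 xxxxxxxxxxxxxxxxxx
ip wccp 70 password 7 xxxxxxxxxxxxxxxxxx
!
interface GigabitEthernet0/0/0
 description Internet
 ip address 192.168.1.251 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/0/1
 description Guests
 ip address 10.10.0.1 255.255.0.0
 ip nat inside
 ip wccp web-cache redirect in
 ip wccp 70 redirect in
!
interface GigabitEthernet0/0/2
 description DMZ
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 ip wccp redirect exclude in
!
"""

# 'ip wccp <keyword>' forms that are global settings rather than service identifiers.
NON_SERVICE_KEYWORDS = {"version", "source-interface", "check"}


def parse_config(config):
    """Split a config into global commands and per-interface sub-command lists.

    An interface block runs from 'interface <name>' to the next '!' line. Indentation
    is deliberately ignored because it is usually lost when configs are pasted online.
    """
    global_cmds, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_cmds.append(line)
    return global_cmds, interfaces


def interface_network(lines):
    """Return the interface's IPv4 network, or None if it carries no 'ip address'."""
    for line in lines:
        m = re.match(r"^ip address (\S+) (\S+)$", line)
        if m:
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return None


def lint_wccp(config, cache_engine_ip):
    """Return a list of (interface, finding) tuples; an empty list means nothing flagged."""
    global_cmds, interfaces = parse_config(config)
    cache_ip = ipaddress.ip_address(cache_engine_ip)

    services = set()
    for cmd in global_cmds:
        m = re.match(r"^ip wccp (\S+)", cmd)
        if m and m.group(1) not in NON_SERVICE_KEYWORDS:
            services.add(m.group(1))

    redirecting = {svc: [] for svc in services}
    findings = []
    for name, lines in interfaces.items():
        for line in lines:
            m = re.match(r"^ip wccp (\S+) redirect (in|out)$", line)
            if m:
                redirecting.setdefault(m.group(1), []).append(name)

        net = interface_network(lines)
        faces_cache = net is not None and cache_ip in net
        if faces_cache and "ip wccp redirect exclude in" not in lines:
            findings.append((name, "faces the cache engine but lacks 'ip wccp redirect exclude in' "
                                   "(traffic returning from the appliance could be redirected again)"))

        if "ip nat outside" in lines:
            protected = any(l.startswith("zone-member security ") or
                            re.match(r"^ip access-group \S+ in$", l) for l in lines)
            if not protected:
                findings.append((name, "NAT-outside interface has neither a security zone "
                                       "nor an inbound access-group"))

    for svc in sorted(services):
        if not redirecting.get(svc):
            findings.append(("global", f"WCCP service {svc} is defined but no interface redirects to it"))
    return findings


if __name__ == "__main__":
    for where, what in lint_wccp(SAMPLE_CONFIG, "192.168.100.254"):
        print(f"{where}: {what}")
```

Run against the posted config, the only finding is the unprotected Internet interface; the DMZ interface already carries the exclude, and both services are redirected on the Guests interface. The checks are structural only: they say nothing about whether the appliance is actually receiving the redirected traffic, which the `show ip wccp` counters have to answer.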

15 Replies

Hi Georg,

Many thanks for the reply. I'm trying to get WCCP GRE to work with the ZBF, as I'd read that L2 wouldn't work (unfortunately we had to use L2 for our proof of concept, as all I had available was a 2821 that doesn't support GRE). The 2921 definitely supports GRE (this is the output from the 2921):

#sh ip wccp summary
WCCP version 2 enabled, 2 services

Service     Clients   Routers   Assign      Redirect   Bypass
-------     -------   -------   ------      --------   ------
Default routing table (Router Id: nnn.nnn.nnn.nnn):
web-cache   1         1         HASH        GRE        GRE
70          1         1         HASH        GRE        GRE

The configuration is as above and I can't spot anything that I've missed!

Regards,

Neil.
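The `show ip wccp summary` and `show ip wccp <service>` output pasted in this thread is where the router tells you what it did with the traffic, and the counters are easier to reason about once they are pulled into a structure rather than eyeballed. The script below is an added example, not part of the thread and not a Cisco tool: it parses both command outputs and flags the pattern visible here, a closed-mode service with one registered client, zero packets redirected and a climbing "Total Packets Dropped Closed" counter. The sample text is the GRE-mode output from the first post; the field names are taken from that output and nothing else is assumed about the platform.

```python
"""Parse 'show ip wccp' output and flag why traffic is not reaching the cache engine.

Added example for this thread; not a Cisco tool. The two samples are the GRE-mode
outputs posted above (Router Id 192.168.1.251, service web-cache)."""
import re

SAMPLE_SUMMARY = """\
WCCP version 2 enabled, 2 services

Service     Clients   Routers   Assign      Redirect   Bypass
-------     -------   -------   ------      --------   ------
Default routing table (Router Id: 192.168.1.251):
web-cache   1         1         HASH        GRE        GRE
70          1         1         HASH        GRE        GRE
"""

SAMPLE_DETAIL = """\
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.1.251

    Service Identifier: web-cache
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            0
          Process:                           0
          CEF:                               0
          Platform:                          0
        Service mode:                        Closed
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        64
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
          Platform:                          0
        GRE tunnel interface:                Tunnel1
"""

# Sub-counters that break the preceding total down by forwarding path.
SUB_COUNTERS = ("Process", "CEF", "Platform")


def parse_summary(text):
    """Return one dict per service row of 'show ip wccp summary'; header rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$", line)
        if m:
            rows.append({"service": m.group(1), "clients": int(m.group(2)),
                         "routers": int(m.group(3)), "assign": m.group(4),
                         "redirect": m.group(5), "bypass": m.group(6)})
    return rows


def parse_service(text):
    """Flatten 'show ip wccp <service>' into a dict; Process/CEF/Platform become 'Parent/Path'."""
    fields, parent = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?):\s+(\S.*?)\s*$", line)  # skips 'Heading:' lines with no value
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key in SUB_COUNTERS and parent is not None:
            key = f"{parent}/{key}"
        else:
            parent = key
        fields[key] = int(value) if value.isdigit() else value
    return fields


def assess(fields):
    """Return human-readable findings derived from a parsed service block."""
    findings = []
    clients = fields.get("Number of Service Group Clients", 0)
    redirected = fields.get("Total Packets Redirected", 0)
    dropped_closed = fields.get("Total Packets Dropped Closed", 0)
    if clients == 0:
        findings.append("no cache engine has registered with this service group")
    if fields.get("Total Authentication failures", 0) > 0:
        findings.append("authentication failures: WCCP password mismatch with the cache engine")
    if fields.get("Total Packets Unassigned", 0) > 0:
        findings.append("packets unassigned: hash/mask assignment does not cover the traffic")
    if fields.get("Service mode") == "Closed" and dropped_closed > 0 and redirected == 0:
        findings.append("closed-mode service is dropping matched traffic and has redirected "
                        f"nothing: the router sees the flows but forwards none to the {clients} "
                        "registered client(s)")
    return findings


if __name__ == "__main__":
    for row in parse_summary(SAMPLE_SUMMARY):
        print(row)
    for finding in assess(parse_service(SAMPLE_DETAIL)):
        print("-", finding)
```

Re-running the detailed command a minute apart and diffing the parsed dicts shows which counter is actually moving; in the posted output only "Total Packets Dropped Closed" is non-zero, which means the drop is happening on the router before any GRE encapsulation, so the appliance side is not where to look first.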
