08-02-2011 03:31 AM - edited 03-07-2019 01:30 AM
Hi all,
I have an IronPort S160 which has been working fine as an explicit proxy for a while, but I want to start using WCCPv2 instead (via a Cisco 1801 router).
I have followed so many guides and manuals but I just can't get it to work. When all is activated, my clients just time-out when they attempt to access the internet.
I would be very grateful if anyone could lend some assistance.
On the IronPort I have:
+----------+
| IRONPORT |
+----------+
  |  |  |
  |  |  +-M1: 10.11.23.240------+     +----------+
  |  |                          +-----|          |
  |  +---P1: 10.11.1.250--------------|   CORE   |
  |                             +-----| SWITCHES |               +--------+
  +-----P2: 10.11.2.249---------+     |          |--10.11.2.250--| WWW GW |
                                      |          |               +--------+
                                      +----------+
                                       |  |  |  |
  +-------------[vlan1]10.11.1.254-----+  |  |  |
  |                                       |  |  |
+-------------+                           |  |  |
| 1801 ROUTER |--[vlan2]10.11.2.254-------+  |  |
+-------------+                              |  |
  |  |                                       |  |
  |  +---------[vlan23]10.11.23.254----------+  |
  |                                             |
  |                                             |
  +---------------[vlan22]10.11.22.254----------+
My Cisco 1801 router config is as follows:
----------------------------------------------------------------------------
Building configuration...
Current configuration : 3862 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname rtr-hq1-2
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
enable secret 5 $1$jDxW$9C6g05.A8TT2xhmyFmVzX/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
ip wccp web-cache
!
!
ip cef
!
!
!
!
crypto pki trustpoint TP-self-signed-1093762028
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1093762028
 revocation-check none
 rsakeypair TP-self-signed-1093762028
!
!
crypto pki certificate chain TP-self-signed-1093762028
 certificate self-signed 01
quit
username ejohnson privilege 15 secret 5 $1$oUkZ$6uPrTcKxfAninwA32Q5Rx.
username sas-admin privilege 15 secret 5 $1$y8xH$BqdEH.vNU0XpEvwtTBI2m1
!
!
!
!
!
!
interface FastEthernet0
 description $ETH-LAN$
 ip address 10.11.200.100 255.255.255.0
 shutdown
 speed auto
 half-duplex
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn point-to-point-setup
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
 switchport access vlan 2
!
interface FastEthernet6
 switchport access vlan 22
!
interface FastEthernet7
 switchport access vlan 23
!
interface FastEthernet8
 shutdown
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface Vlan1
 ip address 10.11.1.254 255.255.255.0
 ip helper-address 10.11.254.1
 ip wccp web-cache redirect in
!
interface Vlan2
 ip address 10.11.2.254 255.255.255.0
 ip helper-address 10.11.254.1
 ip wccp web-cache redirect out
!
interface Vlan22
 ip address 10.11.22.254 255.255.255.0
 ip helper-address 10.11.254.1
 ip wccp web-cache redirect in
!
interface Vlan23
 ip address 10.11.23.254 255.255.255.0
 ip helper-address 10.11.254.1
 ip wccp web-cache redirect in
!
ip route 0.0.0.0 0.0.0.0 10.11.2.250 permanent
ip route 10.11.0.0 255.255.0.0 10.11.1.249 permanent
!
!
no ip http server
ip http secure-server
!
access-list 10 permit 10.11.1.250
access-list 121 permit tcp 10.11.0.0 0.0.255.255 any eq www
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
!
!
!
!
!
control-plane
!
!
line con 0
 privilege level 15
line aux 0
line vty 0 4
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
----------------------------------------------------------------------------
Thanks in advance.
Best Regards,
Elliot
08-02-2011 10:38 AM
Elliot
I think that on the IronPort you only need to specify one address for the router. But I do not know that having multiple addresses for the same router would cause problems.
Your drawing shows the router and core switches but does not tell us much about their relationship. Are the core switches just layer 2 or are they layer 2/layer 3? And in particular - is all inter vlan routing done on the router or is it possible that some routing is done on the core switches?
What output do you get for show ip wccp on the router?
HTH
Rick
08-03-2011 02:06 AM
Hi Rick,
Thank you very much for your reply.
I will try to answer your questions as best I can.
1) The switches are just layer 2, as far as I am aware.
2) Inter vlan routing is only done on the router.
I have since changed the interface facing the internet from a vlan (vlan2) to a layer 3 port (fe0), just in case WCCP had some issue with operating on a vlan port.
My new config looks as follows:
+----------+
| IRONPORT |
+----------+
  |  |  |
  |  |  +-M1: 10.11.23.250------+     +----------+
  |  |                          +-----|          |
  |  +---P1: 10.11.1.250--------------|   CORE   |
  |                             +-----| SWITCHES |               +--------+
  +-----P2: 10.11.2.249---------+     |          |--10.11.2.250--| WWW GW |
                                      |          |               +--------+
                                      +----------+
                                       |  |  |  |
  +-------------[fe0]10.11.1.254-------+  |  |  |
  |                                       |  |  |
+-------------+                           |  |  |
| 1801 ROUTER |--[vlan2]10.11.2.254-------+  |  |
+-------------+                              |  |
  |  |                                       |  |
  |  +---------[vlan23]10.11.23.254----------+  |
  |                                             |
  |                                             |
  +---------------[vlan22]10.11.22.254----------+
When WCCPv2 is activated on the IronPort and router, I see the following results on the router:
rtr-hq1-2#show ip wccp
Global WCCP information:
    Router information:
        Router Identifier: 10.11.23.254
        Protocol Version: 2.0
    Service Identifier: web-cache
        Number of Service Group Clients: 1
        Number of Service Group Routers: 1
        Total Packets s/w Redirected: 2221
          Process: 127
          Fast: 0
          CEF: 2094
        Redirect access-list: -none-
        Total Packets Denied Redirect: 0
        Total Packets Unassigned: 34
        Group access-list: -none-
        Total Messages Denied to Group: 0
        Total Authentication failures: 0
        Total Bypassed Packets Received: 0
rtr-hq1-2#show ip wccp web-cache detail
WCCP Client information:
    WCCP Client ID: 10.11.1.250
    Protocol Version: 2.0
    State: Usable
    Initial Hash Info: 00000000000000000000000000000000
                       00000000000000000000000000000000
    Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                        FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    Hash Allotment: 256 (100.00%)
    Packets s/w Redirected: 705
    Connect Time: 00:01:53
    Bypassed Packets
      Process: 0
      Fast: 0
      CEF: 0
The "Total Packets s/w Redirected" seem to increase quite quickly, which I would guess suggests that the router is forwarding the requests out, but it's as though they're not reaching the IronPort.
Any further assistance is extremely well received.
Best Regards,
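Added example, not part of the original thread: a small Python check that parses the `show ip wccp` fields quoted in the post above and flags a service group that has no group access-list or redirect access-list, as that output shows. The sample text is constructed from the quoted fields, and the function names are hypothetical.

```python
import re

# Constructed sample: fields copied from the `show ip wccp` output quoted above.
SAMPLE = """\
Global WCCP information:
Service Identifier: web-cache
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 2221
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 34
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
"""

def parse_show_ip_wccp(text):
    """Turn 'Key: value' lines into a dict; all-digit values become int."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(\S.*)?$", line)
        if not m or m.group(2) is None:
            continue  # section headers such as 'Global WCCP information:'
        key, val = m.group(1).strip(), m.group(2).strip()
        fields[key] = int(val) if val.isdigit() else val
    return fields

def audit(fields):
    """Return a list of findings for one WCCP service group."""
    findings = []
    if fields.get("Group access-list") == "-none-":
        findings.append("no group-list: cache registration is not restricted by ACL")
    if fields.get("Redirect access-list") == "-none-":
        findings.append("no redirect-list: redirection is not restricted by ACL")
    if fields.get("Number of Service Group Clients", 0) == 0:
        findings.append("no cache registered in the service group")
    if fields.get("Total Packets Unassigned", 0) > 0:
        findings.append("some packets were not assigned to any cache")
    if fields.get("Total Authentication failures", 0) > 0:
        findings.append("registration messages failed authentication")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_show_ip_wccp(SAMPLE)):
        print("-", finding)
```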
08-03-2011 03:35 AM
Here is a slightly more detailed breakdown of the immediate network revolving around the IronPort and router:
Thanks.