The policy trace is only a "Suppose if" scenario to check your policies. It does not show you what is really going on. The packet capture is more helpful here. Just make sure that you do not have any filters on your captures in WSA. Question: is it only traffic that is coming from branche offices that are not redirected? put a log on your ACL and make sure that logs go up when testing your connection. You need to locate where your packets are being dropped, because if you do not have any filters on you WSA packet capture then the packets are being dropped before.
... View more
Hello everyone First time writing in the support community. So exiting!!!! I am trying to have a transparent WSA (7.5) with a CAT6509 SXF7 WCCP. between them there is a Firewall/router. so I built the WCCP with GRE/L3. so far so good. WCCP GRE tunnel is there. However cannot surf the internet. After much troubleshooting (wireshark mainly) I believe I know where the problem is. Client want to surf the Internet (http) Client sends a SYN request to the IP of the website (after resolving DNS) CAT6500 tunnels the request with GRE to WSA WSA receives request and sends to SYN packet to the webpage. Webpage sends a SYN ACK to WSA (no spoofing) PROBLEM: WSA then sends the SYN ACK without GRE to client with in turn does not go through the FW Client does not receive SYN ACK, sends another SYN and then another until he gives up. Question: How can I force the WSA to return traffic through the GRE tunnel. I already chose return method as "alloow GRE only" under WCCPv2 Service So look forward to receive some help
... View more