Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1170
Views
0
Helpful
5
Replies

ASA WCCP Redirection with 2 WSA Appliances

iwearing
Level 1
Level 1

‎03-21-2019 06:42 AM

I'd like to use ASA WCCP to redirect to a couple of Cisco WSA appliances for redundancy. I want to have a dedicated Primary WSA appliance which will service all WCCP requests and a Backup WSA appliance only to be used If the Primary fails.

 

I have both WSA in the same service group. WCCP requests are randomly being load balanced across both WSA's. I have tried manipulating the WCCP weights on the WSA's and traffic still load balances.

 

I also tried a separate service group for each WSA and the traffic is still being load balanced.

 

Is it possible to redirect all WCCP packets to a Primary WSA and only use the backup in the event of a primary WSA failure.

 

Any thoughts appreciated.

 

Ian

Labels:
0 Helpful
5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

‎03-21-2019 06:48 AM - edited ‎03-21-2019 06:49 AM

here is the example guide for your requirement :

https://www.cisco.com/c/en/us/td/docs/security/asa/special/wccp/guide/asa-wccp.html

 

Look also some caveats also, why not implement Active/Active ?

when the device fails WCCP automatically remove from List.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

iwearing
Level 1
Level 1
In response to balaji.bandi

‎03-21-2019 07:28 AM

Hi BB,

 

Thanks for your update. Within the document I cannot find ta solution that would give me an active/standby WCCP for my WSA appliances.

 

The WSA are in different DC's and the bandwidth between DC's is limited. Therefor I would prefer to use the WSA in the Primary DC and only use the Standby WSA in DC2 in the event of a WSA failure in DC1.

 

thanks

 

Ian

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to iwearing

‎03-21-2019 09:13 AM

Do you have any high level topology to look, how your failover exiting enviroment works ? so we can advise best possible way to deploy.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Josiane de Barros Silva
Level 1
Level 1
In response to balaji.bandi

‎04-01-2019 07:26 AM

WSA- GUI

Transparent Redirection Device - > Edit Device - >Choose WCCP -. Summit ->Commit

Add Service -
Dynamic service ID : 90
Port number: 80, 443

option :
-Redirect based on destination port
-Load balance based on server address

Router IP Address : 192.168.60.179

Advanced -
Load-Balacing method (Allow Hash only)
Forwarding Method (Allow GRE only)
Return Method (Allow GRE only)

Summit - > Commit

WSA-CLI
advancedproxyconfig
WCCP


ASA
access-list WCCP_REDIRECT_IN line 1 extended permit tcp 192.168.60.0 255.255.255.0 any eq www
access-list WCCP_REDIRECT_IN line 2 extended permit tcp 192.168.60.0 255.255.255.0 any eq 443
wccp 90 redirect-list WCCP_REDIRECT_IN
wccp interface inside ?
wccp interface inside 90 redirect in

sh wccp

 

0 Helpful

lanlanlan
Level 1
Level 1

‎03-21-2019 08:32 PM

good
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents