can not establish the wccp2 with CISCO ASA5510

yao yu jiang
Level 1

DEBUG WCCP PACKET

DEBUG WCCP EVENT

On the Cisco ASA, I got the following error:

WCCP-EVNT:S00: Here_I_Am packet from 172.16.16.17 ignored; bad web-cache id

WCCP-EVNT:S00: Here_I_Am packet from 172.16.16.17 ignored; bad web-cache id

172.16.16.17 is the IronPort

172.16.16.201 is the Cisco ASA

Here is my ASA config:

wccp web-cache
wccp interface dmz web-cache redirect in

On the IronPort:

I added the WCCPv2 router service and use the standard web-cache, port 80, adding router 172.16.16.201, and use either GRE or L2 for forwarding and return.

Question:

I think this is a very basic standard config. Why can the Cisco ASA not recognize the IronPort?

How do I debug WCCP packets/errors on the IronPort CLI console?

Thanks in advance.

6 Replies

What's the service ID set on the WSA??

That has to be referenced on the ASA.

My WSA:

My ASA

wccp 90 redirect-list WCCP_Redirect   
wccp interface inside 90 redirect in

I used this as a guide when setting up my WSA (page 16 on paper, 19 in the PDF)

http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/H1CY11/SBA_Mid_BN_WebSecurityDeploymentGuide-H1CY11.pdf
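
The point of the answer above (the service ID set on the WSA has to be the one referenced on the ASA) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: the function names are hypothetical, the third configuration is constructed, and the WSA service ID is passed in by hand because the WSA settings are not shown on the page. It treats "web-cache" as the well-known WCCPv2 service, ID 0.

```python
import re

# Configurations quoted in the thread, plus one constructed mismatch for contrast.
ASKER_ASA = "wccp web-cache\nwccp interface dmz web-cache redirect in\n"
REPLY_ASA = "wccp 90 redirect-list WCCP_Redirect\nwccp interface inside 90 redirect in\n"
CONSTRUCTED_BAD = "wccp web-cache\nwccp interface dmz 90 redirect in\n"

def service_id(token):
    """'web-cache' is the well-known WCCPv2 service, ID 0; others are numeric."""
    return 0 if token == "web-cache" else int(token)

def parse_asa_wccp(config_text):
    """Return (globally enabled service IDs, {interface: redirected service IDs})."""
    enabled, redirects = set(), {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"wccp interface (\S+) (web-cache|\d+) redirect in$", line)
        if m:
            redirects.setdefault(m.group(1), set()).add(service_id(m.group(2)))
            continue
        m = re.match(r"wccp (web-cache|\d+)(?:\s|$)", line)
        if m:
            enabled.add(service_id(m.group(1)))
    return enabled, redirects

def check_wccp(config_text, wsa_service_id):
    """Hypothetical lint: list mismatches between the ASA config and the WSA's ID."""
    enabled, redirects = parse_asa_wccp(config_text)
    findings = []
    if wsa_service_id not in enabled:
        findings.append(f"WSA service {wsa_service_id} is not enabled globally on the ASA")
    if not any(wsa_service_id in ids for ids in redirects.values()):
        findings.append(f"no interface redirects WSA service {wsa_service_id}")
    for iface, ids in sorted(redirects.items()):
        for sid in sorted(ids - enabled):
            findings.append(f"interface {iface} redirects service {sid}, which is not enabled")
    return findings

if __name__ == "__main__":
    for name, cfg, wsa_id in [("asker", ASKER_ASA, 0), ("reply", REPLY_ASA, 90),
                              ("constructed", CONSTRUCTED_BAD, 90)]:
        print(name, check_wccp(cfg, wsa_id) or "consistent")
```

A clean result only shows that the IDs line up on paper; the thread goes on to report that a reboot (or the WSA "kick" command) was still needed before the session came up.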

Thanks, the problem has been resolved. I use web-cache on both sides, it does not work, but after I reboot both devices, it works. Also, I did server id 2 and it succeeded too; just need to reboot both devices.

There was a fix in 8.2.1 or 8.2.2 of the ASA that part of the need for the reboot...

If you can't upgrade, you often can get away with doing a "wccp interface dmz 90 redirect in" (modify as appropriate for your interface and service number)

The other way to look for possible solution is through KB.

https://ironport.custhelp.com

If you use the drop down

Search by Product > Web Security Appliance

Search by keyword > type > ASA

You may find answers.

Regards,

Thanks, I found the "kick" CLI command on the WSA is very helpful; with this, I do not need to reboot the machine. The problem is resolved. I find the ASA cannot support group-list.

Also, my WCCP is enabled on the dmz interface inbound, and the WSA is in the dmz zone too, so it is OK. But I remember you said the ASA does not support WCCP in the dmz; maybe you mean the WSA is in the dmz and the web traffic is from the inside. In that case, maybe you need to enable the ASA rule, or it does not support this design, but as long as everything is from the same zone, it is OK.

Here is a good post for you

https://supportforums.cisco.com/docs/DOC-12623

The client and the cache device, with the ASA as WCCP, for now have to be on the same interface. This is more of a current ASA design implementation. Maybe with future ASA code it may change, but not for now.

Regards,
