04-15-2011 01:31 PM
DEBUG WCCP PACKET
DEBUG WCCP EVENT
On the Cisco ASA, I got the following error:
WCCP-EVNT:S00: Here_I_Am packet from 172.16.16.17 ignored; bad web-cache id
WCCP-EVNT:S00: Here_I_Am packet from 172.16.16.17 ignored; bad web-cache id
172.16.16.17 is the IronPort
172.16.16.201 is the Cisco ASA
Here is my ASA config:
wccp web-cache
wccp interface dmz web-cache redirect in
On the IronPort:
I added the WCCPv2 router service, and use the standard web-cache, port 80, adding router 172.16.16.201, using either GRE or L2 for forwarding and return.
Question:
I think this is a very basic standard config. Why can the Cisco ASA not recognize the IronPort?
How do I debug WCCP packets/errors on the IronPort CLI console?
Thanks in advance
04-15-2011 01:50 PM
What's the service ID set on the WSA??
That has to be referenced on the ASA.
My WSA:
My ASA
wccp 90 redirect-list WCCP_Redirect
wccp interface inside 90 redirect in
I used this as a guide when setting up my WSA (page 16 on paper, 19 in the PDF)
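To see which service type and ID the WSA is actually advertising before comparing it with the `wccp` line on the ASA, the Here_I_Am payload (UDP port 2048) can be decoded from a packet capture. This is an added example, not code from the thread or from Cisco; the field layout follows the WCCPv2 Internet-Draft, and `build_sample` produces a constructed packet with all unused fields zeroed.

```python
import socket
import struct

HERE_I_AM = 10                                      # WCCP2_HERE_I_AM message type
SECURITY_INFO, SERVICE_INFO, WC_ID_INFO = 0, 1, 3   # component types used here


def parse_here_i_am(payload: bytes) -> dict:
    """Decode service type/ID and cache address from a Here_I_Am UDP payload."""
    if len(payload) < 8:
        raise ValueError("truncated WCCP header")
    msg_type, version, length = struct.unpack_from("!IHH", payload, 0)
    if msg_type != HERE_I_AM:
        raise ValueError(f"not a Here_I_Am (type {msg_type})")
    if length > len(payload) - 8:
        raise ValueError("header length exceeds payload")
    info = {"version": version}
    off, end = 8, 8 + length
    while off + 4 <= end:
        ctype, clen = struct.unpack_from("!HH", payload, off)
        body = payload[off + 4: off + 4 + clen]
        if len(body) != clen or off + 4 + clen > end:
            raise ValueError("truncated component")
        if ctype == SERVICE_INFO and clen >= 2:
            info["service_type"] = "standard" if body[0] == 0 else "dynamic"
            info["service_id"] = body[1]
        elif ctype == WC_ID_INFO and clen >= 4:
            info["web_cache_ip"] = socket.inet_ntoa(body[:4])
        off += 4 + clen
    return info


def matches_asa(info: dict, asa_service: str) -> bool:
    """asa_service is the token after 'wccp' on the ASA: 'web-cache' or a number."""
    if asa_service == "web-cache":      # standard service, ID 0
        return info.get("service_type") == "standard" and info.get("service_id") == 0
    return info.get("service_type") == "dynamic" and info.get("service_id") == int(asa_service)


def build_sample(service_type: int, service_id: int, cache_ip: str) -> bytes:
    """Constructed Here_I_Am for testing; priority, protocol, flags, ports are zero."""
    sec = struct.pack("!HHI", SECURITY_INFO, 4, 0)
    svc = struct.pack("!HHBBBBI8H", SERVICE_INFO, 24, service_type, service_id, 0, 0, 0, *([0] * 8))
    wc = struct.pack("!HH", WC_ID_INFO, 44) + socket.inet_aton(cache_ip) + bytes(40)
    body = sec + svc + wc
    return struct.pack("!IHH", HERE_I_AM, 0x200, len(body)) + body
```

`matches_asa(parse_here_i_am(payload), "90")` returns True only when the cache advertises dynamic service 90, which is what `wccp 90 ...` on the ASA expects.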
04-15-2011 02:22 PM
Thanks, the problem has been resolved. I used web-cache on both sides and it did not work, but after I rebooted both devices, it works. Also, I tried server id 2 and it succeeded too; it just needs a reboot of both devices.
04-15-2011 02:50 PM
There was a fix in 8.2.1 or 8.2.2 of the ASA that part of the need for the reboot...
If you can't upgrade, you often can get away with doing a "wccp interface dmz 90 redirect in" (modify as appropriate for your interface and service number)
04-18-2011 11:32 PM
Another way to look for a possible solution is through the KB.
If you use the drop down
Search by Product > Web Security Appliance
Search by keyword > type > ASA
You may find answers.
Regards,
04-19-2011 06:06 AM
Thanks, I found the "kick" CLI command on the WSA very helpful; with this, I do not need to reboot the machine. The problem is resolved. I find the ASA cannot support group-list.
Also, my WCCP is enabled on the dmz interface inbound, and the WSA is in the DMZ zone too, so it is OK. But I remember you said the ASA does not support WCCP in the DMZ; maybe you mean the WSAs are in the DMZ and the web traffic is from the inside. In that case, maybe you need to enable the ASA rule, or it does not support this design, but as long as everything is from the same zone, it is OK.
04-19-2011 04:27 PM
Here is a good post for you
https://supportforums.cisco.com/docs/DOC-12623
The client and the cache device, with the ASA as WCCP, for now have to be on the same interface. This is more of a current ASA design implementation. Maybe with future ASA code it may change, but not for now.
Regards,