09-08-2011 07:03 AM
Recently I configured a new VLAN on a remote site and directed it to the backup link, but the strange thing is that our wireless clients' proxy is working and the LAN-connected PCs' proxy is not working.
IronPort is working on the default VLAN with a Microsoft DHCP server, but I created a different VLAN and configured DHCP on the Cisco, and it is not allowing access from that subnet. We are using WCCP redirect on the interface.
We configured NTLM authentication connecting to AD. The problem is that the clients in the different VLAN are not in AD; AD PCs in the different VLAN are working and only non-AD PCs are denied. Actually we configured Guest on authentication, and that subnet is on the remote site, and our main site's unknown PCs are accessing through Guest with no problem. The second thing is that the main VLAN uses an MS Server 2003 DHCP pool and works for non-AD users, while I am using the switch's own DHCP pool for VLAN 200. Is that a conflict? And when I put the IronPort IP in IE's proxy settings it is working.
How do I fix it?
09-08-2011 06:42 PM
Try to eliminate what is causing the issue.
We know it is related to WCCP, since you said forward works from the same pc.
It looks like the issue is with guest user, coming from the remote vlan.
So it will be a good idea to check the auth log and the accesslog when you are trying to send traffic from the problem PC, and that may tell us more. If not, then see what packet captures show.
You should already know if you have conflicting IP addresses, but otherwise it does not seem related to addressing, as you say forward mode works. Since forward mode works, that means the WSA knows how to route back to that other VLAN 200 you are talking about.
So try to check what you get from the logs, and otherwise try to see what your packet captures show, on where it is being broken.
Regards,
Eric
10-10-2011 03:22 AM
Is the GRE tunnel affecting that? Because on that backup link we are using a GRE tunnel.
10-11-2011 05:54 PM
A couple thoughts come to mind:
What are you using to do WCCP? Are there any limitations on that box as to where this new VLAN is coming in (e.g. WCCP on an ASA happens at ingress, so the WSA has to be reachable via the port that the ingress is happening on; the WCCP traffic can't cross the ASA... is there a similar issue with whatever you are using?)
Did you add the new vlan to the access list that WCCP is using to redirect data to the WSA?
Ken
10-12-2011 06:03 PM
Network Side:
---->Cisco 2800-1 (Gre Configured) --> Sat Link-->Cisco 2800-2(Gre Configured)--->
End Users->1-L3-> ---->L3-2(WCCP)---Ironport
---->Cisco 2800-3 (MPLS Configured ) --> Sat Link-->Cisco 2800-4(MPLS Configured)--->
Our network is like this, so through MPLS everything is working fine. The problem is on the backup.
End users are in VLAN 1 and VLAN 200; VLAN 1 is the default and has our AD users. AD users are working okay, but it looks like, depending on the operating system (Win XP, Win 7), some of them are not working, and VLAN 200 is all unknown PCs.
1-L3 does only a routing role.
Cisco 2800-1 and 2800-2 are both also configured for routing and the GRE tunnel.
Cisco 2800-1 configs:
crypto isakmp policy 2
encr 3des
authentication pre-share
crypto isakmp key *** address 10.1.9.254
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile VPN
set transform-set 3DES-SHA
interface Loopback0
ip address 1.2.2.1 255.255.255.252
!
interface Tunnel0
bandwidth 1024
ip address 10.1.9.250 255.255.255.252
ip mtu 1300
tunnel source 10.2.9.254
tunnel mode ipsec ipv4
tunnel destination 10.1.9.254
tunnel protection ipsec profile VPN
service-policy output QoSTunnel
!
interface GigabitEthernet0/0
description Connected to Satellite Modem
bandwidth 1024
ip address 10.2.9.254 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Connected to L3-Switch
ip address 10.2.5.253 255.255.255.240
ip nbar protocol-discovery
duplex auto
speed auto
service-policy input block-p2p
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 1.2.1.1 255.255.255.255 Tunnel0
ip route 10.1.0.0 255.255.224.0 Tunnel0
ip route 10.1.5.240 255.255.255.240 Tunnel0
ip route 10.1.5.254 255.255.255.255 10.1.5.253
On the WCCP configuration of L3-2:
sh ip wccp
Global WCCP information:
Router information:
Router Identifier: 192.168.0.1
Protocol Version: 2.0
Service Identifier: web-cache
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 4
Process: 2
CEF: 2
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 2970
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
sh ip wccp int
WCCP interface configuration:
Vlan6
Output services: 0
Input services: 1
Mcast services: 0
Exclude In: FALSE
Vlan7
Output services: 0
Input services: 1
Mcast services: 0
Exclude In: FALSE
Vlan8
Output services: 0
Input services: 1
Mcast services: 1
Exclude In: FALSE
interface Vlan6
ip address 10.1.0.254 255.255.224.0
no ip redirects
ip wccp web-cache redirect in
ip access-list standard wccp_grp_list
permit 10.1.7.253 ## Ironport IP ##
ip access-list extended wccp_redir_list
permit tcp 10.1.0.0 0.0.31.255 any eq www
permit tcp 10.2.0.0 0.0.31.255 any eq www
permit tcp 10.2.1.0 0.0.0.255 any eq www ## VLAN 1 Users ##
permit tcp 10.2.11.0 0.0.0.255 any eq www ## VLAN 200 Users ##
and static routes on L3-2.
On the IronPort:
Connected NTLM to the domain server.
Service Profile Name:
Service:
Standard service ID: 0 web-cache (destination port 80)
wccp_redir_list
Router ip address: 10.1.7.254
Load Balancing : Allow hash and mask
Forwarding method: Allow GRE or L2
Return method: Allow GRE or L2
Default Route : to Router IP
And configured Guest privileges, so that if an unknown PC connects it should go through Guest privilege.
Global Authentication Settings
Action if Authentication Service Unavailable: Block all traffic if authentication fails
Failed Authentication Handling: Log Guest User by: IP Address
Re-authentication: Disabled
Basic Authentication Token TTL: 18000
Transparent Proxy Mode Authentication Settings
Credential Encryption: Disabled
Redirect Hostname: proxy
Credential Cache Options: Surrogate Timeout: 3600 seconds
Client IP Idle Timeout: 3600 seconds
Cache Size: 8192 entries
User Session Restrictions: Disabled
Secure Authentication Certificate: Common name: IronPort Appliance Demo Certificate
Organization: IronPort Systems, Inc.
Organizational Unit:
Country: US
Expiration Date:
Basic Constraints: Not Critical
Enable Identity
Name:
(e.g. my IT policy)
Description:
Insert Above:
Membership Definition
Membership is defined by any combination of the following options. All criteria must be met for the policy to take effect.
Define Members by Subnet:
(examples: 10.1.1.1, 10.1.1.0/24, 10.1.1.1-10)
Define Members by Protocol:
All protocols
HTTP/HTTPS Only
Native FTP Only
Define Members by Authentication:
Select a Realm or Sequence:
Select a Scheme: Scheme setting applies to HTTP/HTTPS only.
If a user fails authentication: Support Guest privileges
Authorization of specific users and groups is defined in subsequent policy layers
(see Web Security Manager > Decryption Policies, Routing Policies and Access Policies).
Authentication Surrogate for Transparent Proxy Mode: Surrogate Type:
IP Address
Persistent Cookie
Session Cookie
Explicit Forward Request: Apply same surrogate settings to explicit forward requests
If this option is not selected, no surrogates will be used with explicit forward requests and NTLM credential caching will not be available to these requests.
Advanced
Use the Advanced options to define or edit membership by proxy port, destination (URL Category), or User Agents.
The following advanced membership criteria have been defined:
Proxy Ports: None Selected
URL Categories: None Selected
User Agents: None Selected
Use: NTLMSSP
Identity Policies: Global Group
Settings for Global Policy
Define Members by Authentication: Require authentication
Select a Realm or Sequence: NTLMSSP
Select a Scheme: Scheme setting applies to HTTP/HTTPS only.
If a user fails authentication: Support Guest privileges
Authorization of specific users and groups is defined in subsequent policy layers
(see Web Security Manager > Decryption Policies, Routing Policies and Access Policies).
Authentication Surrogate for Transparent Proxy Mode: Surrogate Type:
IP Address
Persistent Cookie
Session Cookie
Explicit Forward Request: Apply same surrogate settings to explicit forward requests
If this option is not selected, no surrogates will be used with explicit forward requests and NTLM credential caching will not be available to these requests.
But the problem is that it is not forwarding with Guest privilege, and the browser gets stuck when loading.
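As an added diagnostic example (not from the thread or from Cisco), this script checks the two things Ken's and the poster's outputs point at: whether the `sh ip wccp` output reports a redirect-list and a group-list as bound (the output quoted above shows `-none-` for both, even though `wccp_redir_list` and `wccp_grp_list` are defined), and whether a given client address is covered by a `permit` line of the wildcard-mask ACL. The show output and ACL text are constructed copies of the values in the post; the client addresses are assumed.

```python
import ipaddress
import re

# Constructed excerpt of the "sh ip wccp" output quoted in the thread.
SH_IP_WCCP = """Global WCCP information:
Router information:
Router Identifier: 192.168.0.1
Service Identifier: web-cache
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 2970
Group access-list: -none-
"""

# Constructed copy of the extended ACL from the thread (Cisco wildcard masks).
WCCP_REDIR_LIST = """permit tcp 10.1.0.0 0.0.31.255 any eq www
permit tcp 10.2.0.0 0.0.31.255 any eq www
permit tcp 10.2.1.0 0.0.0.255 any eq www
permit tcp 10.2.11.0 0.0.0.255 any eq www
"""

def bound_lists(show_output):
    """Return {field: ACL name or None} for the two ACL bindings WCCP reports."""
    found = {}
    for key in ("Redirect access-list", "Group access-list"):
        m = re.search(rf"^{key}:\s*(\S+)", show_output, re.M)
        found[key] = None if not m or m.group(1) == "-none-" else m.group(1)
    return found

def acl_permits_source(acl_text, src_ip):
    """True if any 'permit tcp <net> <wildcard> ...' line covers src_ip."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for line in acl_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "permit":
            continue
        net = int(ipaddress.IPv4Address(parts[2]))
        # Cisco wildcard: a 1 bit means "don't care", so invert it to get a netmask
        mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(parts[3]))
        if (ip & mask) == (net & mask):
            return True
    return False

def diagnose(show_output, acl_text, client_ip):
    """List the WCCP misconfigurations visible from the show output and ACL."""
    findings = []
    lists = bound_lists(show_output)
    if lists["Redirect access-list"] is None:
        findings.append("redirect-list not bound: the ACL does not filter redirection")
    if lists["Group access-list"] is None:
        findings.append("group-list not bound: service-group membership is unrestricted")
    if not acl_permits_source(acl_text, client_ip):
        findings.append(f"{client_ip} is not permitted by the redirect ACL")
    return findings
```

Run `diagnose(SH_IP_WCCP, WCCP_REDIR_LIST, "10.2.11.5")` with a VLAN 200 address: the ACL covers it, so only the two unbound-list findings come back, which is what the `Total Packets Unassigned` counter in the quoted output is consistent with.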