Ironport not allowing different subnet using cisco dhcp

TM13 · ‎09-08-2011

Recently i configured new vlan on remote site and directed it to backup link, but strange thing is our wireless clients proxy is working and lan connected pcs proxy is not working,

Ironport is working on default vlan, microsoft dhcp server but i created different vlan and configured dhcp on cisco but it is not allowing access that subnet. using wccp redirect on the interface.

we configured NTLM authentication connecting to AD, the problem is the clients which are different vlan is not in AD, and AD pc in different vlan is working only non AD denied actually we configured guest on authenticaion, and also that subnet is placing remote site and our main site's unknown pcs are accessing throught guest no problem, 2nd thing is main vlan uses MS server 2003 dhcp pool and working non AD users, im using switch own dhcp pool for vlan 200, is it conflict? and when i put ironport ip on IE's proxy setting it is working

How to fix it?

edadios · ‎09-08-2011

Try to eliminate what is causing the issue.

We know it is related to WCCP, since you said forward works from the same pc.

It looks like the issue is with guest user, coming from the remote vlan.

So it will be a good idea, to check for auth log, and the accesslog, when you are trying to send traffic form the problem pc, and that may tell us further. If not, then see what packet captures shows.

You should already know if you have conlcting ip address, but otherwise, it does not seem related to addressing, as you say forward mode works. since forward mode works, that means the WSA knwos how to route back to that other vlan200 you are talking about.

so try to check what you get from logs, and otherwise, try to see what your packet captures shows, on where it is being broken.

Regards,

Eric

TM13 · ‎10-10-2011

Is that Gre Tunnel affecting to that? Because that backup link we using Gre Tunnel.

Ken Stieers · ‎10-11-2011

A couple thoughts come to mind:

What are you using to do WCCP? Are there any limitations on that box as to where this new vlan is coming in (ex. WCCP on an ASA happens at ingress, so the WSA has to be reachable via the port that the ingress happening on, the WCCP traffic can't cross the ASA... is there a similar issue with whatever you are using? )

Did you add the new vlan to the access list that WCCP is using to redirect data to the WSA?

Ken

TM13 · ‎10-12-2011

Network Side:

---->Cisco 2800-1 (Gre Configured) --> Sat Link-->Cisco 2800-2(Gre Configured)--->

End Users->1-L3-> ---->L3-2(WCCP)---Ironport

---->Cisco 2800-3 (MPLS Configured ) --> Sat Link-->Cisco 2800-4(MPLS Configured)--->

Our network is like this, so through MPLS everything is working fine. The problem is on backup.

End users --> VLAN 1, VLAN 200 and VLAN 1 is default and our AD users, AD users working okay but looks like depending on some operating system Win XP, Win 7 some of them not working, and for VLAN 200 is all unknown pc.

1-L3 doing only routing role.

Cisco 2800-1 and 2800-2 both also configured routing and Gre tunnel.

Cisco 2800-1 Configs

crypto isakmp policy 2

encr 3des

authentication pre-share

crypto isakmp key *** address 10.1.9.254

!

crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec profile VPN

set transform-set 3DES-SHA

interface Loopback0

ip address 1.2.2.1 255.255.255.252

!

interface Tunnel0

bandwidth 1024

ip address 10.1.9.250 255.255.255.252

ip mtu 1300

tunnel source 10.2.9.254

tunnel mode ipsec ipv4

tunnel destination 10.1.9.254

tunnel protection ipsec profile VPN

service-policy output QoSTunnel

!

interface GigabitEthernet0/0

description Connected to Satellite Modem

bandwidth 1024

ip address 10.2.9.254 255.255.255.252

duplex auto

speed auto

!

interface GigabitEthernet0/1

description Connected to L3-Switch

ip address 10.2.5.253 255.255.255.240

ip nbar protocol-discovery

duplex auto

speed auto

service-policy input block-p2p

!

ip forward-protocol nd

ip http server

ip http authentication local

no ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip route 0.0.0.0 0.0.0.0 Tunnel0

ip route 1.2.1.1 255.255.255.255 Tunnel0

ip route 10.1.0.0 255.255.224.0 Tunnel0

ip route 10.1.5.240 255.255.255.240 Tunnel0

ip route 10.1.5.254 255.255.255.255 10.1.5.253

on the WCCP configuration L3-2

sh ip wccp

Global WCCP information:

Router information:

Router Identifier: 192.168.0.1

Protocol Version: 2.0

Service Identifier: web-cache

Number of Service Group Clients: 1

Number of Service Group Routers: 1

Total Packets s/w Redirected: 4

Process: 2

CEF: 2

Redirect access-list: -none-

Total Packets Denied Redirect: 0

Total Packets Unassigned: 2970

Group access-list: -none-

Total Messages Denied to Group: 0

Total Authentication failures: 0

Total Bypassed Packets Received: 0

sh ip wccp int

WCCP interface configuration:

Vlan6

Output services: 0

Input services: 1

Mcast services: 0

Exclude In: FALSE

Vlan7

Output services: 0

Input services: 1

Mcast services: 0

Exclude In: FALSE

Vlan8

Output services: 0

Input services: 1

Mcast services: 1

Exclude In: FALSE

interface Vlan6

ip address 10.1.0.254 255.255.224.0

no ip redirects

ip wccp web-cache redirect in

ip access-list standard wccp_grp_list

permit 10.1.7.253 ## Ironport IP ##

ip access-list extended wccp_redir_list

permit tcp 10.1.0.0 0.0.31.255 any eq www

permit tcp 10.2.0.0 0.0.31.255 any eq www

permit tcp 10.2.1.0 0.0.0.255 any eq www ## VLAN 1 Users ##

permit tcp 10.2.11.0 0.0.0.255 any eq www ## VLAN 200 Users ##

and Static routings on L3-2.

On Ironport.

connected NTLM to Domain server

Service Profile Name:

Service:

Standard service ID: 0 web-cache (destination port 80)

wccp_redir_list

Router ip address: 10.1.7.254

Load Balancing : Allow hash and mask

Forwarding method: Allow GRE or L2

Return method: Allow GRE or L2

Default Route : to Router IP

And configured Guest privileged so if unknown pc will connect it should go through Guest privilege.

Global Authentication Settings

Action if Authentication Service Unavailable: Block all traffic if authentication fails

Failed Authentication Handling: Log Guest User by: IP Address

Re-authentication: Disabled

Basic Authentication Token TTL: 18000

Transparent Proxy Mode Authentication Settings

Credential Encryption: Disabled

Redirect Hostname: proxy

Credential Cache Options: Surrogate Timeout: 3600 seconds

Client IP Idle Timeout: 3600 seconds

Cache Size: 8192 entries

User Session Restrictions: Disabled

Secure Authentication Certificate: Common name: IronPort Appliance Demo Certificate

Organization: IronPort Systems, Inc.

Organizational Unit:

Country: US

Expiration Date:

Basic Constraints: Not Critical

Enable Identity

Name:

(e.g. my IT policy)

Description:

Insert Above:

Membership Definition

Membership is defined by any combination of the following options. All criteria must be met for the policy to take effect.

Define Members by Subnet:

(examples: 10.1.1.1, 10.1.1.0/24, 10.1.1.1-10)

Define Members by Protocol:

All protocols

HTTP/HTTPS Only

Native FTP Only

Define Members by Authentication:

Select a Realm or Sequence:

Select a Scheme: Scheme setting applies to HTTP/HTTPS only.

If a user fails authentication: Support Guest privileges

Authorization of specific users and groups is defined in subsequent policy layers

(see Web Security Manager > Decryption Policies, Routing Policies and Access Policies).

Authentication Surrogate for Transparent Proxy Mode: Surrogate Type:

IP Address

Persistent Cookie

Session Cookie

Explicit Forward Request: Apply same surrogate settings to explicit forward requests

If this option is not selected, no surrogates will be used with explicit forward requests and NTLM credential caching will not be available to these requests.

Advanced

Use the Advanced options to define or edit membership by proxy port, destination (URL Category), or User Agents.

The following advanced membership criteria have been defined:

Proxy Ports: None Selected

URL Categories: None Selected

User Agents: None Selected

Use: NTLMSSP

Identity Policies: Global Group

Settings for Global Policy

Define Members by Authentication: Require authentication

Select a Realm or Sequence: NTLMSSP

Select a Scheme: Scheme setting applies to HTTP/HTTPS only.

If a user fails authentication: Support Guest privileges

Authorization of specific users and groups is defined in subsequent policy layers

(see Web Security Manager > Decryption Policies, Routing Policies and Access Policies).

Authentication Surrogate for Transparent Proxy Mode: Surrogate Type:

IP Address

Persistent Cookie

Session Cookie

Explicit Forward Request: Apply same surrogate settings to explicit forward requests

If this option is not selected, no surrogates will be used with explicit forward requests and NTLM credential caching will not be available to these requests.

But the problem is it is not forwarding Guest privilege and browser stuck when loading .