S170 Web gui is unbelievably slow

keithsauer507
Level 5

Is it me, or does anyone else have the problem where the Web Gui is unbelievably slow?  We have an S170 appliance and logging into this webfilter on port 8443 takes forever to do anything.

Is there any way to speed it up?

Do you guys just manage via putty ssh to the box instead?  I'd like to learn how to do that since the web server in this thing is woefully under-powered.

8 Replies

keithsauer507
Level 5

During the annual health check, the analyst seems to think our web gui is so slow because of the number of Identification Policies and the number of Access Policies.

We had 6 identification policies and 16 Access Policies.  I was able to get it down to 3 identification policies and 14 Access Policies.  It's still slow, but the RAM usage came down from 77% to 57%, so maybe there is some merit in it.

How many access policies do you have and is your appliance slow?

We have different departments defined in active directory (Like Executive Management, Supervisors, Accounting, Marketing, IT, etc...) and when it comes down to it each access policy is tied to one of them so each style of job has access to what they need.  Do you think it's worth looking to rework that into larger "tiers" of internet like

1 - most restricted kiosks - applied to public facing kiosk stations (only our website is allowed)

2 - restricted internet - Applied to front line staff / new staff (uses a white-list of sites allowed)

3 - general internet (no social media and job searching) - Applied to most people

4 - internet (allow social media and job sites) - apply to IT, Marketing, HR

Do you think this kind of setup would speed things up?

I looked at doing the C300V but it asks for so many network interfaces I just don't have (a lot of them would be put on the same network), M1, P1, P2, T1, T2.  Our current S170 just uses M1 and T1.  I have no way currently to redirect monitor session 1 on our switch stack to a port directed to an esxi server, unless I find an open network port and run a new cable, and fix the VM to that esxi server (not able to vmotion it).

So Cisco TAC said the web gui could be slow due to wccp configuration.

In our ASA anything related to wccp is as follows:

wccp web-cache redirect-list proxylist group-list wsa-farm password *****
wccp 70 redirect-list proxylist-https group-list wsa-farm password *****
wccp interface inside web-cache redirect in
wccp interface inside 70 redirect in

access-list wsa-farm extended permit ip host 10.1.0.4 any
access-list proxylist extended deny ip host 10.1.0.4 any
access-list proxylist extended permit tcp object-group LANPC any eq www

access-list proxylist-https extended deny ip host 10.1.0.4 any
access-list proxylist-https extended permit tcp object-group KIOSK any eq https

Does this look correct?  Obviously the object-groups are defined with ip ranges and subnets.  HTTPS was originally just kiosk machines, but now it evolved into much more as we expand on rolling out https filtering.  Eventually one day it will just be changed to look at object-group LANPC (all of our end users subnets across our sites).

Cisco TAC said traffic coming into our webfilter when I go to manage it at 10.1.0.4 could be redirected via wccp to the firewall and then back to the webfilter in a loop, which causes delays and slowness.  I didn't think this would be the case since I'm not hitting the firewall unless I want to access something on one of our DMZ's or go out to the public internet.
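A static check of the kind TAC's remark implies, written as an added example for this thread rather than anything from Cisco or the poster: it parses the wccp service lines and the redirect-list/group-list ACLs posted above (copied into the script as constructed input) and reports, per WCCP service group, whether the WSA's own address (10.1.0.4 here, as given in the thread) is denied in the redirect-list before any permit could match it. ASA ACLs are first-match, so the order of the deny and permit entries is what matters; object-group sources are opaque to the script and are treated conservatively as a possible match. The function names are the example's own.

```python
"""Lint an ASA WCCP configuration for the self-redirect loop described in the
thread: the WSA's own traffic must be denied in every redirect-list so it is
never sent back to the WSA.  Added example; not part of the original thread."""
import ipaddress
import re

# Constructed input: the wccp and access-list lines posted in the thread.
ASA_CONFIG = """\
wccp web-cache redirect-list proxylist group-list wsa-farm password *****
wccp 70 redirect-list proxylist-https group-list wsa-farm password *****
wccp interface inside web-cache redirect in
wccp interface inside 70 redirect in
access-list wsa-farm extended permit ip host 10.1.0.4 any
access-list proxylist extended deny ip host 10.1.0.4 any
access-list proxylist extended permit tcp object-group LANPC any eq www
access-list proxylist-https extended deny ip host 10.1.0.4 any
access-list proxylist-https extended permit tcp object-group KIOSK any eq https
"""

WCCP_RE = re.compile(r"^wccp (\S+) redirect-list (\S+) group-list (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
HOST_RE = re.compile(r"^host (\d+\.\d+\.\d+\.\d+)")


def parse_wccp_services(config):
    """Map each WCCP service id (e.g. 'web-cache', '70') -> (redirect-list, group-list)."""
    services = {}
    for line in config.splitlines():
        m = WCCP_RE.match(line.strip())
        if m:
            services[m.group(1)] = (m.group(2), m.group(3))
    return services


def parse_acl_entries(config):
    """Map ACL name -> ordered list of (action, protocol, source-and-rest string)."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, action, proto, rest = m.groups()
            acls.setdefault(name, []).append((action, proto, rest))
    return acls


def source_matches_host(source_spec, host):
    """True if the ACE's source field can cover `host`.
    Understands 'host A.B.C.D', 'any' and 'A.B.C.D MASK'; an object-group
    source is opaque here, so it is treated as a possible match (conservative)."""
    if source_spec.startswith("any") or source_spec.startswith("object-group"):
        return True
    m = HOST_RE.match(source_spec)
    if m:
        return ipaddress.ip_address(m.group(1)) == host
    parts = source_spec.split()
    try:
        net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        return host in net
    except (ValueError, IndexError):
        return True  # unparsed source: assume it might match


def first_match(entries, host):
    """ASA ACLs are first-match: return the action of the first ACE whose
    source covers the host, or None when nothing matches (implicit deny)."""
    for action, _proto, rest in entries:
        if source_matches_host(rest, host):
            return action
    return None


def check_wsa_not_redirected(config, wsa_ip):
    """Return {service_id: verdict}.  'ok' means the redirect-list denies the
    WSA's own traffic before any permit; 'LOOP RISK' means a permit is the
    first match for the WSA source; the third verdict flags a WSA that the
    group-list would not even accept as a cache engine."""
    host = ipaddress.ip_address(wsa_ip)
    acls = parse_acl_entries(config)
    result = {}
    for svc, (redirect_list, group_list) in parse_wccp_services(config).items():
        in_group = first_match(acls.get(group_list, []), host) == "permit"
        redirect_verdict = first_match(acls.get(redirect_list, []), host)
        if not in_group:
            result[svc] = "WSA not in group-list"
        elif redirect_verdict == "permit":
            result[svc] = "LOOP RISK"
        else:
            result[svc] = "ok"
    return result


if __name__ == "__main__":
    for svc, verdict in check_wsa_not_redirected(ASA_CONFIG, "10.1.0.4").items():
        print(f"wccp service {svc}: {verdict}")
```

Run against the posted config, both service groups come back "ok", which matches the poster's expectation: the explicit deny for the WSA host sits ahead of the permit in each redirect-list, so the firewall cannot hand the WSA's own connections back to it. Remove either deny line and the corresponding service flips to "LOOP RISK". The script only reads a saved config; on the appliance itself, confirming the live redirect and router-assignment state with the ASA's WCCP show commands is still the authoritative check.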

If your WSA management is via the management port on a separate net/not going through the firewall, it's not being WCCP'd...

Just because the 300V has a bunch of nics, it doesn't mean you have to use them... Mine aren't even "connected".  I just use the management port and P1

As far as L4TM, you could leave the S170 in place to do that...

Our S170 is on 10.1.1.  I downloaded and I'm testing the S300v which is 10.5.1.  It barfs trying to load the config from the S170 at the certificate.  I take that out.  It complains about something else.  I take that out, rinse and repeat.

If I want to test the virtual appliance performance with all the same settings, I may have to get TAC involved, even if it's just a short demo instance.

I tried that cisco config tool.  No dice.

c:\Cisco\ConfigMigration>ConfigMigration.bat -i S170.xml -o S300V.xml -d S300V
config_migration_tool:CRITICAL: Error in conversion: Bad XML config, missing Version number

c:\Cisco\ConfigMigration>ConfigMigration.bat -i S170.xml -o S300V.xml -s 10.1.1 -d S300V
Config for model: S170, version: 10.1.1
config_migration_tool:CRITICAL: Error in conversion: Unable to find conversion for Model: S170, Version: 10.1.1

c:\Cisco\ConfigMigration>ConfigMigration.bat -i S170.xml -o S300V.xml -s 10.1.x -d S300V
Config for model: S170, version: 10.1.x
config_migration_tool:CRITICAL: Error in conversion: Unable to find conversion for Model: S170, Version: 10.1.x

I started with the same version VM as I was running (also 10.1.1)

Get the S300V up and running with a new set of IP.

Get all of the security services to update, so the version numbers under Security Services/Acceptable Use Controls match. (For example the category list has to match, the types of apps in AVC have to match....)

Once those lined up, I could do the import.

Currently running 10.5.1 in production and have a couple of issues open with TAC. 

Importing an ECC root cert to Network/Cert management won't work (needed to do ISE integration since my enterprise CA is ECC (elliptic curve)).

It throws an alert regularly "Exception occurred in CloudEventWatcher Thread"

Do you have your physical WSA still up and running so you can move it in as a backup or do L4TM?  I take it the licencing guidelines allow you to run a physical appliance and a virtual appliance legally?

I just requested the virtual licence, a process that I never really enjoyed doing, but I just received the file in my email.

I do have it up on the network, different IP of course, I got the config to load after I took out everything it complained about (mostly certificates), but once it does update I'll try to reload the config again.  I'd rather not have to go back in and load certificates again.

I may create a group in the ASA and just have MY web traffic go through it when it's all said and done, to fully test it and vet it out before swapping IPs with the current physical S170.

Yes, I have my 170 up.  The license on the VMs is you can spin up as many as you want... you're licensed per user for WSAv and ESAv, so you can spin up as many of whichever size you need..

You use the same license file for all of your VMs, so keep that handy.  When you renew, you'll get a new one (I always have to go to GLO to get that done...)

Sounds good.  I have all my features activated now.  I'll let it update.  Going through both side by side, it seems it took 99% of my configuration file.  After everything is on the same version I will try to import the config again just for good measure.

I guess I could get creative and do some wccp load balancing or fail-over with this.  The only thing we have to remember is when we are making changes to the webfilter, to do it to both the VM and the Physical appliance.  

Or maybe I'll keep the physical one doing http and make the virtual one do https, or vice versa.  I can think of a few different ways to utilize it.  Or heck make the virtual do everything as a priority but have the ASA fail over wccp requests if the virtual cannot be contacted.  Still we would need to keep the configs in sync.

I saw you can create vrrp between two WSAs on a YouTube video.  However you have to allow promiscuous mode on the ESXi server's network adapter where the virtual WSA is running.  I'm not sure how I feel about that.  Maybe we will just keep the S170 as a "secondary" fail over.

Thank you for all of your input as always.  It's great insight!