Solved: Re: WCCP ACL not redirecting traffic to McAfee Web Gateway

klopez138 · ‎10-10-2018

We currently have WCCP configured on a Cisco 4500X switch. We have an ACL (REDIRECT_CLIENTS) where hosts and ranges are configured to filter which hosts get proxied to the McAfee Web Gateway (MWG). We have not seen any hits on the ACL for traffic being redirected to the MWG nor do we see traffic when doing a live trace from the MWG console. I've posted sample configs and several outputs from wccp show commands below (Addresses have been scrubbed for security). Any help with this issue is greatly appreciated. Thanks.

ip wccp source-interface Vlan777
ip wccp 51 redirect-list REDIRECT_CLIENTS

interface Vlan136
ip address XXX.XXX.36.1 XXX.XXX.XXX.XXX
ip helper-address XXX.XXX.0.80 (for DHCP)
ip helper-address XXX.XXX.0.81 (for DHCP)
ip wccp 51 redirect in

interface Vlan151
ip address XXX.XXX.32.1 XXX.XXX.XXX.XXX
ip helper-address XXX.XXX.0.80 (for DHCP)
ip helper-address XXX.XXX.0.81 (for DHCP)
ip wccp 51 redirect in

ip access-list extended REDIRECT_CLIENTS
permit tcp host XXX.XXX.36.147 any eq www
permit tcp host XXX.XXX.36.147 any eq 443
permit tcp host XXX.XXX.32.69 any
permit tcp host XXX.XXX.32.70 any eq www
permit tcp host XXX.XXX.32.70 any eq 443

sh ip wccp
Global WCCP information:
    Router information:
        Router Identifier:                   XXX.XXX.34.17
        Configured source-interface:         Vlan777
        Protocol Version:                    2.0

    Service Identifier: 51
        Number of Service Group Clients:     1
        Number of Service Group Routers:     2
        Total Packets Redirected:            0
          Process:                           0
          CEF:                               0
          Platform:                          0
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect access-list:                REDIRECT_CLIENTS
        Total Packets Denied Redirect:       16662
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
          Platform:                          0

sh ip wccp summary
WCCP version 2 enabled, 1 service

Service     Clients   Routers   Assign      Redirect   Bypass
-------     -------   -------   ------      --------   ------
Default routing table (Router Id: XXX.XXX.34.17):
51          1         1         MASK        L2         GRE

sh ip wccp interfaces
WCCP interface configuration:
    Vlan136
        Output services: 0
        Input services: 1
        Mcast services: 0
        Exclude In:      FALSE

    Vlan151
        Output services: 0
        Input services: 1
        Mcast services: 0
        Exclude In:      FAL

klopez138 · ‎10-11-2018

Thanks for the reply but it appears that our issue was due to cables being moved on the ESXi host where the MWG virtual appliance was hosted. Cables were moved, port channels were reconfigured, and arp tables were not cleared. Our WCCP access list is now seeing hits and sending traffic to the MWG.

View solution in original post

Mohammed al Baqari · ‎10-10-2018

You are using GRE redirection. Change it to L2 redirection and let me know
if it fixes. it. You can change it from MGW

klopez138 · ‎10-11-2018

Thanks for the reply but it appears that our issue was due to cables being moved on the ESXi host where the MWG virtual appliance was hosted. Cables were moved, port channels were reconfigured, and arp tables were not cleared. Our WCCP access list is now seeing hits and sending traffic to the MWG.