Re: WCCP does not work between WSA and ASA

k.solomatin · ‎12-22-2009

I have configured WCCPv2 between WSA S160 ( 6.3.1-025) and ASA5540 (8.2(1)109).

Everything seems to be OK by "show wccp *" on ASA and showing wccp debugging messages (level 4) on S160. Despite of it, WCCP redirection does not work.
If I use packet-capture I figure out that S160 receives GRE packets with TCP SYN from particular LAN host to WWW sites but S160 does not handle them and does not send anything back to ASA.

It is an Exempt from authentication for this LAN host and in Forward proxy mode everything works well.

I have attached an example of a packet-capture (S160.txt - renamed from .cap) and debugging messages from S160 & "show" from ASA.

Does anybody have any idea what the problem is and how I can resolve it ?

chuckbrantley · ‎12-29-2009

I have setup WCCP v2 on the ASA with 8.0.4 train of ASA code, but not the 8.2.1 train. The 8.04 train works perfectly. I'll lok at your zip files and see if I notice anything.

chuckbrantley · ‎12-29-2009

I see you have a redirect list and a group list. Have you tried removing the group list. What are you using the group list for? In my implementation, I only used the redirect list and it works fine.

k.solomatin · ‎12-29-2009

IronPort Support team helped me to find the trouble:

If I wish to handle specific port's (80, 8080, etc.) traffic by the transparent proxy I need to configure this port like a listener for the FORWARD proxy

("Security Services" -> "Proxy Settings" -> "HTTP Ports to Proxy")

The WSA guide doesn't clearly say about it.

So the Discussion can be closed ...

daniel.sandstrom · ‎01-14-2010

Also, maybe you should take the time to upgrade to ASA 8.2.2 released 11th of January, fixes this bug in 8.2.1 :

CSCsy82260

ASA fails to redirect traffic to WCCP cache server