02-15-2013 01:42 AM
Hi all,
I'm trying to set up WCCP between a Cisco 1941 router and my IronPort S170 appliance.
This is the WCCP configuration on the router side:
!
ip access-list extended WCCPRedirect
 permit tcp <my internal LAN> any eq www
 permit tcp <my internal LAN> any eq 443
 permit tcp <my internal LAN> any eq ftp
!
ip access-list standard IronPort
 permit <IronPort IP Address>
!
ip wccp web-cache redirect-list WCCPRedirect group-list IronPort
ip wccp 60 redirect-list WCCPRedirect group-list IronPort
ip wccp 70 redirect-list WCCPRedirect group-list IronPort
!
interface GigabitEthernet0/1
 ip address <my internal Address> <my Subnet Mask>
 ip wccp web-cache redirect in
 ip wccp 60 redirect in
 ip wccp 70 redirect in
!
The problem is that when I set up transparent redirection on my IronPort appliance, WCCP does not work.
These are the WCCP logs of the IronPort appliance:
Fri Feb 15 09:52:09 2013 Warning: WCCP : - : ERROR:repeated capabilities
Fri Feb 15 09:52:09 2013 Warning: WCCP : - : ERROR:ISY: cap error
Fri Feb 15 09:52:19 2013 Warning: WCCP : - : ERROR:repeated capabilities
Fri Feb 15 09:52:19 2013 Warning: WCCP : - : ERROR:ISY: cap error
Fri Feb 15 09:52:24 2013 Warning: WCCP : - : ERROR:repeated capabilities
Fri Feb 15 09:52:24 2013 Warning: WCCP : - : ERROR:ISY: cap error
Fri Feb 15 09:52:25 2013 Warning: WCCP : - : ERROR:repeated capabilities
Fri Feb 15 09:52:25 2013 Warning: WCCP : - : ERROR:ISY: cap error
So I think it's a problem with WCCP capabilities.
This is the "method" configuration on the IronPort side
This is the output of "sh ip wccp capabilities" on the router side:
Capability Setting
Supported forwarding methods GRE & L2
Supported return methods GRE & L2
Supported assignment methods Hash & Mask
Accelerated forwarding methods L2
Accelerated return methods GRE & L2
Accelerated assignment methods Mask
Accelerated Mode CLI Off, CLI Disabled
Supported redirection types Input & Output
Check Outbound ACL CLI CLI Enabled
Check All Services CLI CLI Enabled
Closed Service Suport Supported
VRF Support Supported
Supported service groups 256
Is there something wrong in the method configuration of the IronPort appliance or in the router-side WCCP configuration?
IronPort appliance model is S170 with AsyncOS 7.1.3-021
Router is Cisco 1941 with IOS c1900-universalk9-mz.SPA.152-3.T.bin
Thank you in advance
02-15-2013 08:38 AM
Hi Alessandro,
Please set the Load-Balancing method to Hash, Forwarding Method to GRE, Return Method to GRE, then submit and commit your changes. Also in the GUI -> System Administration -> Log Subscriptions -> Add or modify the WCCP logs to trace level until we have resolved this issue. Once this issue is resolved, set the logging level to informational. In order to view the WCCP logs on the WSA, use PuTTY to SSH into the WSA. Issue the tail command and then pick the number that corresponds to the WCCP logs. Paste some of the logs into this thread from the WSA and once again paste the sh ip wccp output as well from the router.
Sincerely,
Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator
02-18-2013 01:49 AM
Hi Erik,
I applied the configuration you suggested and changed the WCCP logs to trace level.
This is the output of sh ip wccp web-cache detail on the ISR router:
WCCP Client information:
WCCP Client ID: 192.168.120.19
Protocol Version: 2.00
State: NOT Usable (Initializing)
Redirection: None
Packet Return: None
Assignment: None
Connect Time: 00:00:24
I also launched debug ip wccp events and packets on the ISR router and this is the output (192.168.120.19 is the WSA IP address, 192.168.120.40 is the ISR router IP address):
*Feb 18 09:29:37.967: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 910)
*Feb 18 09:29:37.967: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.120.19, rcv_id:911
*Feb 18 09:29:37.967: WCCP-PKT:IPv4:S0: Sending 136 bytes from 192.168.120.40 to 192.168.120.19
*Feb 18 09:29:43.015: WCCP-PKT:IPv4:S0: Sending RQ to 192.168.120.19, rcv_id:912
*Feb 18 09:29:43.015: WCCP-PKT:IPv4:S0: Sending 64 bytes from 192.168.120.40 to 192.168.120.19
*Feb 18 09:29:43.967: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 912)
*Feb 18 09:29:43.967: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.120.19, rcv_id:913
*Feb 18 09:29:43.967: WCCP-PKT:IPv4:S0: Sending 136 bytes from 192.168.120.40 to 192.168.120.19
*Feb 18 09:29:44.987: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 913)
*Feb 18 09:29:44.987: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.120.19, rcv_id:914
*Feb 18 09:29:44.987: WCCP-PKT:IPv4:S0: Sending 136 bytes from 192.168.120.40 to 192.168.120.19
*Feb 18 09:29:46.007: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 914)
*Feb 18 09:29:46.007: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.120.19, rcv_id:915
*Feb 18 09:29:46.007: WCCP-PKT:IPv4:S0: Sending 136 bytes from 192.168.120.40 to 192.168.120.19
*Feb 18 09:29:47.979: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 915)
*Feb 18 09:29:47.979: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.120.19, rcv_id:916
*Feb 18 09:29:47.979: WCCP-PKT:IPv4:S0: Sending 136 bytes from 192.168.120.40 to 192.168.120.19
*Feb 18 09:29:48.015: WCCP-EVNT:IPv4:S0: Cache removal timer expired (192.168.120.19)
*Feb 18 09:29:48.015: WCCP-EVNT:IPv4:S0: deallocated wc 192.168.120.19 orig assign info (hash)
On the WSA I launched the tail command on the WCCP subscription (30) and this is the output:
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.20 -- 29 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.10 -- 29 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.20 -- 29 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.10 -- 29 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.120.40 -- 42 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.20 -- 29 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.10 -- 29 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:ISY received from 192.168.120.40.(136 bytes)
Mon Feb 18 10:32:58 2013 Warning: WCCP : - : ERROR:repeated capabilities
Mon Feb 18 10:32:58 2013 Warning: WCCP : - : ERROR:ISY: cap error
Note that the ISR router IP address is 192.168.120.40. I also have the WCCP service active on two other L3 switches (two Cisco 3560G-24TS-S), so in the logs above you can see WCCP requests coming from 192.168.208.10 and 192.168.208.20. On those switches WCCP works fine.
I noticed that there's a difference in time settings between the WSA and the ISR router; can this be the cause of the malfunction?
Thank you so much.
Best Regards.
Alessandro
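An added example, not part of any post in this thread: with several WCCP routers registered to one WSA, a per-router summary of the trace-level log shows which peer's ISY triggers the capability error. The sample log is constructed from the line formats shown above, and attributing an ERROR line to the ISY immediately before it is an assumption based on the ordering in that output.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the WSA trace log quoted in this thread.
SAMPLE_WSA_LOG = """\
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.10 -- 0 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:ISY received from 192.168.208.10.(136 bytes)
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.120.40 -- 42 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:ISY received from 192.168.120.40.(136 bytes)
Mon Feb 18 10:32:58 2013 Warning: WCCP : - : ERROR:repeated capabilities
Mon Feb 18 10:32:58 2013 Warning: WCCP : - : ERROR:ISY: cap error
Mon Feb 18 10:33:08 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.120.40 -- 43 ISY(s) outstanding
"""

IP = r"(\d+(?:\.\d+){3})"
HIA_RE = re.compile(r"INFO:HIA sent to " + IP + r" -- (\d+) ISY\(s\) outstanding")
ISY_RE = re.compile(r"INFO:ISY received from " + IP + r"\.\((\d+) bytes\)")
ERR_RE = re.compile(r"ERROR:(.*)$")


def summarize(log_text):
    """Return per-router counters and the errors raised while parsing its ISY."""
    stats = defaultdict(lambda: {"hia_sent": 0, "isy_received": 0,
                                 "max_outstanding": 0, "errors": []})
    last_isy_from = None  # router whose ISY was logged on the previous line(s)
    for line in log_text.splitlines():
        hia, isy, err = HIA_RE.search(line), ISY_RE.search(line), ERR_RE.search(line)
        if hia:
            peer = stats[hia.group(1)]
            peer["hia_sent"] += 1
            peer["max_outstanding"] = max(peer["max_outstanding"], int(hia.group(2)))
            last_isy_from = None
        elif isy:
            stats[isy.group(1)]["isy_received"] += 1
            last_isy_from = isy.group(1)
        elif err and last_isy_from:
            # Assumption: an ERROR directly after an ISY refers to that ISY.
            stats[last_isy_from]["errors"].append(err.group(1).strip())
        else:
            last_isy_from = None
    return dict(stats)


def failing_routers(stats):
    """Routers whose ISY messages produced at least one WCCP error."""
    return sorted(ip for ip, s in stats.items() if s["errors"])


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_WSA_LOG).items():
        print(ip, s)
```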
02-15-2013 08:42 AM
Hi Alessandro,
Also, since this is an ISR router, the timing for WCCP is set to a default of 30 seconds, whereas the WSA is set to 10 seconds. I will provide you with the command to modify this default value on the ISR in order to have the ISR router establish its neighborship with the WSA.
Sincerely,
Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator
02-15-2013 08:46 AM
Hi Alessandro,
Use the following command on your ISR to change the default value from 30 seconds to 10 seconds:
wccp tcp failure-detection 10
Then provide me with the output from sh wccp ip ( service ID ) detail command.
Sincerely,
Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator
02-16-2013 12:57 PM
Hi Erik,
Thank you for the replies. Regarding the command above, I tried to submit it in all contexts but I think it is not supported by the router.
Next Monday I'll apply the settings you suggested and paste some WCCP logs from the WSA.
Thank you so much.
Regards.
Alessandro
Sent from Cisco Technical Support iPad App
02-25-2013 07:14 AM
Hi Erik,
I solved the issue by upgrading the IronPort appliance from AsyncOS 7.1.3-021 to AsyncOS 7.5.0-833.
I hope this helps someone!
Thanks
Regards