
WCCP Problem

alessandro.s
Level 1

Hi all,

I'm trying to set up WCCP between a Cisco 1941 router and my IronPort S170 appliance.

This is the WCCP configuration on the router side:

!
ip access-list extended WCCPRedirect
 permit tcp <my internal LAN> any eq www
 permit tcp <my internal LAN> any eq 443
 permit tcp <my internal LAN> any eq ftp
!
ip access-list standard IronPort
 permit <IronPort IP Address>
!
ip wccp web-cache redirect-list WCCPRedirect group-list IronPort
ip wccp 60 redirect-list WCCPRedirect group-list IronPort
ip wccp 70 redirect-list WCCPRedirect group-list IronPort
!
interface GigabitEthernet0/1
 ip address <my internal Address> <my Subnet Mask>
 ip wccp web-cache redirect in
 ip wccp 60 redirect in
 ip wccp 70 redirect in
!

The problem is that when I set up transparent redirection in my IronPort appliance, WCCP does not work.

These are the WCCP logs of the IronPort appliance:

Fri Feb 15 09:52:09 2013 Warning: WCCP : - : ERROR:repeated capabilities
Fri Feb 15 09:52:09 2013 Warning: WCCP : - : ERROR:ISY: cap error
Fri Feb 15 09:52:19 2013 Warning: WCCP : - : ERROR:repeated capabilities
Fri Feb 15 09:52:19 2013 Warning: WCCP : - : ERROR:ISY: cap error
Fri Feb 15 09:52:24 2013 Warning: WCCP : - : ERROR:repeated capabilities
Fri Feb 15 09:52:24 2013 Warning: WCCP : - : ERROR:ISY: cap error
Fri Feb 15 09:52:25 2013 Warning: WCCP : - : ERROR:repeated capabilities
Fri Feb 15 09:52:25 2013 Warning: WCCP : - : ERROR:ISY: cap error

So I think it's a problem with WCCP capabilities.

This is the "method" configuration on the IronPort side:

[Attached image: method.jpg]

This is the output of "sh ip wccp capabilities" on the router side:

Capability                          Setting

Supported forwarding methods        GRE & L2
Supported return methods            GRE & L2
Supported assignment methods        Hash & Mask
Accelerated forwarding methods      L2
Accelerated return methods          GRE & L2
Accelerated assignment methods      Mask
Accelerated Mode CLI                Off, CLI Disabled
Supported redirection types         Input & Output
Check Outbound ACL CLI              CLI Enabled
Check All Services CLI              CLI Enabled
Closed Service Suport               Supported
VRF Support                         Supported
Supported service groups            256

Is there something wrong in the method configuration of the IronPort appliance or in the router-side WCCP configuration?

IronPort appliance model is S170 with AsyncOS 7.1.3-021

Router is Cisco 1941 with IOS c1900-universalk9-mz.SPA.152-3.T.bin

Thank you in advance

6 Replies

Erik Kaiser
Cisco Employee

Hi Alessandro,

Please set the Load-Balancing method to Hash, Forwarding Method to GRE, Return Method to GRE, then submit and commit your changes. Also, in the GUI -> System Administration -> Log Subscriptions, add or modify the WCCP logs to trace level until we have resolved this issue. Once this issue is resolved, set the logging level to informational. In order to view the WCCP logs on the WSA, use PuTTY to SSH into the WSA. Issue the tail command and then pick the number that corresponds to the WCCP logs. Paste some of the logs from the WSA into this thread, and once again paste the sh ip wccp output from the router as well.

Sincerely,

Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator



Hi Erik,

I applied the configuration you suggested and modified the WCCP logs to trace level.

This is the output of sh ip wccp web-cache detail on the ISR router:

WCCP Client information:
        WCCP Client ID:          192.168.120.19
        Protocol Version:        2.00
        State:                   NOT Usable (Initializing)
        Redirection:             None
        Packet Return:           None
        Assignment:              None
        Connect Time:            00:00:24

I also launched debug ip wccp events and packets on the ISR router, and this is the output (192.168.120.19 is the WSA IP address, 192.168.120.40 is the ISR router IP address):

*Feb 18 09:29:37.967: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 910)
*Feb 18 09:29:37.967: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.120.19, rcv_id:911
*Feb 18 09:29:37.967: WCCP-PKT:IPv4:S0: Sending 136 bytes from 192.168.120.40 to 192.168.120.19
*Feb 18 09:29:43.015: WCCP-PKT:IPv4:S0: Sending RQ to 192.168.120.19, rcv_id:912
*Feb 18 09:29:43.015: WCCP-PKT:IPv4:S0: Sending 64 bytes from 192.168.120.40 to 192.168.120.19
*Feb 18 09:29:43.967: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 912)
*Feb 18 09:29:43.967: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.120.19, rcv_id:913
*Feb 18 09:29:43.967: WCCP-PKT:IPv4:S0: Sending 136 bytes from 192.168.120.40 to 192.168.120.19
*Feb 18 09:29:44.987: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 913)
*Feb 18 09:29:44.987: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.120.19, rcv_id:914
*Feb 18 09:29:44.987: WCCP-PKT:IPv4:S0: Sending 136 bytes from 192.168.120.40 to 192.168.120.19
*Feb 18 09:29:46.007: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 914)
*Feb 18 09:29:46.007: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.120.19, rcv_id:915
*Feb 18 09:29:46.007: WCCP-PKT:IPv4:S0: Sending 136 bytes from 192.168.120.40 to 192.168.120.19
*Feb 18 09:29:47.979: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 915)
*Feb 18 09:29:47.979: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.120.19, rcv_id:916
*Feb 18 09:29:47.979: WCCP-PKT:IPv4:S0: Sending 136 bytes from 192.168.120.40 to 192.168.120.19
*Feb 18 09:29:48.015: WCCP-EVNT:IPv4:S0: Cache removal timer expired (192.168.120.19)
*Feb 18 09:29:48.015: WCCP-EVNT:IPv4:S0: deallocated wc 192.168.120.19 orig assign info (hash)

On the WSA I launched the tail command on the WCCP subscription (30), and this is the output:

Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.20  -- 29 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.10  -- 29 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.20  -- 29 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.10  -- 29 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.120.40  -- 42 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.20  -- 29 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:send_HIA called
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.10  -- 29 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:### Timestamp 382 ###
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:ISY received from 192.168.120.40.(136 bytes)
Mon Feb 18 10:32:58 2013 Warning: WCCP : - : ERROR:repeated capabilities
Mon Feb 18 10:32:58 2013 Warning: WCCP : - : ERROR:ISY: cap error

Note that the ISR router IP address is 192.168.120.40. I also have the WCCP service active on two other L3 switches (two Cisco 3560G-24TS-S), so in the logs above you can see WCCP requests coming from 192.168.208.10 and 192.168.208.20. On those switches WCCP works fine.

I noticed that there's a difference in time settings between the WSA and the ISR router; can this be the cause of the malfunction?

Thank you so much.

Best Regards.

Alessandro
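
Added example (not part of any poster's message and not Cisco code): a small Python parser that tallies the WCCP handshake messages in logs shaped like the two excerpts above, HIA ("Here I Am" from the cache), ISY ("I See You" from the router) and RQ (Removal Query), and lists caches the router dropped after repeated HIAs with a bad rcv_id. The sample lines are constructed from the excerpts in the thread, and attributing a WSA "cap error" to the most recently logged ISY sender is an assumption, since the error lines carry no address.

```python
import re
from collections import defaultdict

# Constructed samples, shaped like the router debug and WSA log lines in the thread.
ROUTER_DEBUG = """\
*Feb 18 09:29:37.967: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 910)
*Feb 18 09:29:37.967: WCCP-PKT:IPv4:S0: Sending ISY to 192.168.120.19, rcv_id:911
*Feb 18 09:29:43.015: WCCP-PKT:IPv4:S0: Sending RQ to 192.168.120.19, rcv_id:912
*Feb 18 09:29:43.967: WCCP-EVNT:IPv4:S0: HIA from 192.168.120.19 with bad rcv_id 0 (expected 912)
*Feb 18 09:29:48.015: WCCP-EVNT:IPv4:S0: Cache removal timer expired (192.168.120.19)
"""
WSA_LOG = """\
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:HIA sent to 192.168.208.20  -- 29 ISY(s) outstanding
Mon Feb 18 10:32:58 2013 Debug: WCCP : - : INFO:ISY received from 192.168.120.40.(136 bytes)
Mon Feb 18 10:32:58 2013 Warning: WCCP : - : ERROR:ISY: cap error
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
BAD_HIA = re.compile(rf"HIA from {IP} with bad rcv_id \d+ \(expected \d+\)")
SENT = re.compile(rf"Sending (ISY|RQ) to {IP}, rcv_id:\d+")
REMOVED = re.compile(rf"Cache removal timer expired \({IP}\)")
ISY_RX = re.compile(rf"ISY received from {IP}")

def router_summary(text):
    """Tally WCCP handshake events per cache IP from IOS 'debug ip wccp' lines."""
    peers = defaultdict(lambda: {"bad_hia": 0, "isy_sent": 0, "rq_sent": 0, "removed": False})
    for line in text.splitlines():
        if m := BAD_HIA.search(line):        # HIA that did not echo the expected rcv_id
            peers[m.group(1)]["bad_hia"] += 1
        elif m := SENT.search(line):         # router's ISY or RQ toward the cache
            peers[m.group(2)]["isy_sent" if m.group(1) == "ISY" else "rq_sent"] += 1
        elif m := REMOVED.search(line):      # router gave up on the cache
            peers[m.group(1)]["removed"] = True
    return dict(peers)

def wsa_rejections(text):
    """Count 'ISY: cap error' lines per router. Assumption: the error belongs to
    the most recently logged 'ISY received from' address (error lines carry none)."""
    last, rejected = None, defaultdict(int)
    for line in text.splitlines():
        if m := ISY_RX.search(line):
            last = m.group(1)
        elif "ISY: cap error" in line and last:
            rejected[last] += 1
    return dict(rejected)

def stuck_caches(text):
    """Caches that kept sending bad-rcv_id HIAs until the router removed them."""
    return sorted(ip for ip, c in router_summary(text).items() if c["bad_hia"] >= 2 and c["removed"])
```

Run over both sides' logs, the two summaries line up: the router reports a cache that never echoes its rcv_id, and the WSA reports rejecting that router's ISY.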

Erik Kaiser
Cisco Employee

Hi Alessandro,

Also, since this is an ISR router, the timing for WCCP is set to a default of 30 seconds, whereas the WSA is set to 10 seconds. I will provide you with the command to modify this default value on the ISR in order to have the ISR router establish its neighborship with the WSA.

Sincerely,

Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator


Hi Alessandro,

Use the following command on your ISR to change the default value from 30 seconds to 10 seconds:

wccp tcp failure-detection 10

Then provide me with the output from sh wccp ip ( service ID ) detail command.

Sincerely,

Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator


Hi Erik,
Thank you for the replies. Regarding the command above, I tried to submit it in all contexts, but I think it is not supported by the router.
Next Monday I'll apply the settings you suggested and paste some WCCP logs from the WSA.

Thank you so much.
Regards.
Alessandro



Sent from Cisco Technical Support iPad App

Hi Erik,

I solved the issue by upgrading the IronPort appliance from AsyncOS 7.1.3-021 to AsyncOS 7.5.0-833.

I hope this helps someone!

Thanks

Regards