WCCP Redirection ISSUE for WSA

hashimwajid1
Level 3

Hi guys,

I am trying to do WCCP redirection on a Catalyst 9500 switch for 2 x WSA, but after configuring WCCP on the switch I am not able to redirect traffic.

When we do "sh ip wccp 50 detail" it gives the error:

not usable (incompatible redirection method)

I do not see any GRE tunnel coming up.

My WCCP configuration is below:

access-list 110 permit tcp 172.27.27.0 0.0.0.255 any eq 80

ip access-list standard WSA_IP
 permit 172.28.0.4
 permit 172.28.0.5

ip wccp 50 redirect-list 110 group-list WSA_IP password cisco

interface vlan 270
 ip wccp 50 redirect in


Accepted Solution

Look at the guidelines and configuration for the Cat 9500:

The Layer 2 rewrite forwarding method is supported, but generic routing encapsulation (GRE) is not.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/16-8/configuration_guide/ip/b_168_ip_9500_cg/b_168_ip_9500_cg_chapter_01000.html


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
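
A check for the condition this answer describes, as an added example that is not part of the original thread: it parses `show ip wccp <id> detail` output and reports every WCCP client that is not usable or that negotiated a forwarding method the switch does not support. The function names and the `supported_forwarding` parameter are hypothetical; the first client block in the sample is the output posted in this thread and the second is constructed for contrast.

```python
import re

# Constructed sample: the first client block is the `sh ip wccp 50 detail`
# output quoted in this thread; the second block is a constructed healthy
# client added for contrast.
SAMPLE = """\
WCCP Client information:
WCCP Client ID: 172.28.0.4
Protocol Version: 2.01
State: NOT Usable (Incompatible redirection method)
Redirection: GRE
Packet Return: GRE
Assignment: MASK
Connect Time: 20:17:01
Mask Allotment: None
WCCP Client ID: 172.28.0.5
Protocol Version: 2.01
State: Usable
Redirection: L2
Packet Return: L2
Assignment: MASK
"""

# "Key: value" lines; the key stops at the first colon so that values such
# as "20:17:01" stay intact. Leading padding from the device is tolerated.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")
# "NOT Usable (reason)" -> ("NOT Usable", "reason"); "Usable" -> ("Usable", None)
STATE = re.compile(r"^(.*?)\s*(?:\((.*)\))?$")


def parse_clients(text):
    """Split the detail output into one dict per WCCP client."""
    clients, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "WCCP Client ID":
            current = {"id": value}
            clients.append(current)
        elif current is not None:
            current[key.lower().replace(" ", "_")] = value
    return clients


def audit(text, supported_forwarding=("L2",)):
    """Return [(client_id, [problems])] for clients that cannot be used.

    supported_forwarding is an assumption supplied by the caller: the
    forwarding methods the redirecting switch supports (L2 only for the
    Catalyst 9500, per the guideline quoted in the accepted answer).
    """
    findings = []
    for client in parse_clients(text):
        status, reason = STATE.match(client.get("state", "")).groups()
        problems = []
        if status.strip().lower() != "usable":
            detail = f" ({reason})" if reason else ""
            problems.append(f"state is '{status or 'missing'}'{detail}")
        method = client.get("redirection", "").upper()
        if method and method not in supported_forwarding:
            problems.append(
                f"client negotiated {method} forwarding; switch supports "
                f"{', '.join(supported_forwarding)} only"
            )
        if problems:
            findings.append((client["id"], problems))
    return findings


if __name__ == "__main__":
    for client_id, problems in audit(SAMPLE):
        for problem in problems:
            print(f"{client_id}: {problem}")
```
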

13 Replies

balaji.bandi
Hall of Fame

Can you post - 

show ip wccp web-cache detail
show version

 

BB


Hi Balaji,

 

PFB

 

show ip wccp web-cache detail
The WCCP service specified does not exist.

 

 

show version
Cisco IOS XE Software, Version 16.09.03
Cisco IOS Software [Fuji], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.9.3, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Wed 20-Mar-19 08:02 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2019 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON
BOOTLDR: System Bootstrap, Version 16.9.1r [FC2], RELEASE SOFTWARE (P)

DTCM-Core-SW uptime is 7 weeks, 3 days, 14 hours, 58 minutes
Uptime for this control processor is 7 weeks, 3 days, 15 hours, 2 minutes
System returned to ROM by Reload Command
System restarted at 22:49:16 GMT Sun May 12 2019
System image file is "flash:packages.conf"
Last reload reason: Reload Command

 

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.


Technology Package License Information:

------------------------------------------------------------------------------
Technology-package                                     Technology-package
Current                        Type                       Next reboot
------------------------------------------------------------------------------
network-advantage       Smart License                 network-advantage
dna-advantage           Subscription Smart License    dna-advantage


Smart Licensing Status: UNREGISTERED/EVAL MODE

cisco C9500-40X (X86) processor with 1419496K/6147K bytes of memory.
Processor board ID FCW2250F0DB
40 Virtual Ethernet interfaces
96 Ten Gigabit Ethernet interfaces
4 Forty Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
16777216K bytes of physical memory.
1638400K bytes of Crash Files at crashinfo:.
11264000K bytes of Flash at flash:.
0K bytes of WebUI ODM Files at webui:.
1638400K bytes of Crash Files at crashinfo-2:.
11264000K bytes of Flash at flash-2:.

Base Ethernet MAC Address : 00:2f:5c:03:12:00
Motherboard Assembly Number : 73-18140-03
Motherboard Serial Number : FOC22490QLM
Model Revision Number : D0
Motherboard Revision Number : B0
Model Number : C9500-40X


Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 50    C9500-40X          16.9.3            CAT9K_IOSXE           INSTALL
     2 50    C9500-40X          16.9.3            CAT9K_IOSXE           INSTALL


Switch 02
---------
Switch uptime : 7 weeks, 3 days, 15 hours, 1 minute

Base Ethernet MAC Address : 00:2f:5c:02:b0:00
Motherboard Assembly Number : 73-18140-03
Model Revision Number : D0
Motherboard Revision Number : B0
Model Number : C9500-40X

Configuration register is 0x102

 

sh ip wccp 

Global WCCP information:
Router information:
Router Identifier: 192.168.128.1

Service Identifier: 50
Protocol Version: 2.01
Number of Service Group Clients: 0
Number of Service Group Routers: 0
Total Packets Redirected: 0
Process: 0
CEF: 0
Platform: 0
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect access-list: 110
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: WSA_IP
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total GRE Bypassed Packets Received: 0
Process: 0
CEF: 0
Platform: 0

 

sh ip wccp 50 detail
WCCP Client information:
WCCP Client ID: 172.28.0.4
Protocol Version: 2.01
State: NOT Usable (Incompatible redirection method)
Redirection: GRE
Packet Return: GRE
Assignment: MASK
Connect Time: 20:17:01
Mask Allotment: None

 


Hi Balaji,

You are right, I enabled L2 forwarding and it started redirecting toward the WSA. However, I am facing one issue: although all HTTP and HTTPS traffic is redirecting toward the WSA, the WSA is still blocking, and when I do a trace on the WSA I am getting the error below:


 

User Information
User Name: None
Authentication Realm Group Membership: None
Secure Group Tag Membership: None
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Policy Match
Cisco Data Security policy: None
Decryption policy: None
Routing policy: None
Identification Profile: TEST_Profile
Access policy: TEST_Policy
Final Result
Request blocked
Details: Protocol blocked based on applications settings in Access policy
Trace session complete
 
I checked the Access Policies, and the access policy is using the default allow (all is monitored).


We need to look on the console with the grep command to see what process is blocking.

EDIT: We need to look at what policy is blocking.

Check the config as per the deployment guide:

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-smart-business-architecture/sba_webSec_dg.pdf

BB

Hi Balaji,

 

here is the detail of Logs

 

proxy1.dtcmdomain.com> grep

Currently configured logs:
1. "accesslogs" Type: "Access Logs" Retrieval: FTP Poll
2. "amp_logs" Type: "AMP Engine Logs" Retrieval: FTP Poll
3. "archiveinspect_logs" Type: "ArchiveInspect Logs" Retrieval: FTP Poll
4. "audit_logs" Type: "Audit Logs" Retrieval: FTP Poll
5. "authlogs" Type: "Authentication Framework Logs" Retrieval: FTP Poll
6. "avc_logs" Type: "AVC Engine Logs" Retrieval: FTP Poll
7. "bypasslogs" Type: "Proxy Bypass Logs" Retrieval: FTP Poll
8. "cli_logs" Type: "CLI Audit Logs" Retrieval: FTP Poll
9. "configdefragd_logs" Type: "Configuration Logs" Retrieval: FTP Poll
10. "dca_logs" Type: "DCA Engine Logs" Retrieval: FTP Poll
11. "external_auth_logs" Type: "External Authentication Logs" Retrieval: FTP Poll
12. "feedback_logs" Type: "Feedback Logs" Retrieval: FTP Poll
13. "feedsd_logs" Type: "Feedsd Logs" Retrieval: FTP Poll
14. "fips_logs" Type: "FIPS Logs" Retrieval: FTP Poll
15. "ftpd_logs" Type: "FTP Server Logs" Retrieval: FTP Poll
16. "gui_logs" Type: "GUI Logs" Retrieval: FTP Poll
17. "haystackd_logs" Type: "Haystack Logs" Retrieval: FTP Poll
18. "httpslog" Type: "HTTPS Logs" Retrieval: FTP Poll
19. "hybridd_logs" Type: "Hybrid Service Logs" Retrieval: FTP Poll
20. "idsdataloss_logs" Type: "Data Security Logs" Retrieval: FTP Poll
21. "logderrorlogs" Type: "Logging Logs" Retrieval: FTP Poll
22. "mcafee_logs" Type: "McAfee Logs" Retrieval: FTP Poll
23. "musd_logs" Type: "AnyConnect Secure Mobility Daemon Logs" Retrieval: FTP Poll
24. "ocspd_logs" Type: "OCSP Logs" Retrieval: FTP Poll
25. "pacd_logs" Type: "PAC File Hosting Daemon Logs" Retrieval: FTP Poll
26. "policyinspectord_logs" Type: "Policy Inspector Logs" Retrieval: FTP Poll
27. "proxylogs" Type: "Default Proxy Logs" Retrieval: FTP Poll
28. "reportd_logs" Type: "Reporting Logs" Retrieval: FTP Poll
29. "reportqueryd_logs" Type: "Reporting Query Logs" Retrieval: FTP Poll
30. "saas_auth_log" Type: "SaaS Auth Logs" Retrieval: FTP Poll
31. "shd_logs" Type: "SHD Logs" Retrieval: FTP Poll
32. "sl_usercountd_logs" Type: "SL Usercount Logs" Retrieval: FTP Poll
33. "smartlicense" Type: "Smartlicense Logs" Retrieval: FTP Poll
34. "snmp_logs" Type: "SNMP Logs" Retrieval: FTP Poll
35. "sntpd_logs" Type: "NTP Logs" Retrieval: FTP Poll
36. "sophos_logs" Type: "Sophos Logs" Retrieval: FTP Poll
37. "sse_connectord_logs" Type: "SSE Connector Daemon Logs" Retrieval: FTP Poll
38. "status" Type: "Status Logs" Retrieval: FTP Poll
39. "system_logs" Type: "System Logs" Retrieval: FTP Poll
40. "trafmon_errlogs" Type: "Traffic Monitor Error Logs" Retrieval: FTP Poll
41. "trafmonlogs" Type: "Traffic Monitor Logs" Retrieval: FTP Poll
42. "uds_logs" Type: "UDS Logs" Retrieval: FTP Poll
43. "updater_logs" Type: "Updater Logs" Retrieval: FTP Poll
44. "upgrade_logs" Type: "Upgrade Logs" Retrieval: FTP Poll
45. "wbnp_logs" Type: "WBNP Logs" Retrieval: FTP Poll
46. "webcat_logs" Type: "Web Categorization Logs" Retrieval: FTP Poll
47. "webrootlogs" Type: "Webroot Logs" Retrieval: FTP Poll
48. "webtapd_logs" Type: "Webtapd Logs" Retrieval: FTP Poll
49. "welcomeack_logs" Type: "Welcome Page Acknowledgement Logs" Retrieval: FTP Poll
Enter the number of the log you wish to grep.
[]> 1

Enter the regular expression to grep.
[]> express.com

Do you want this search to be case insensitive? [Y]>

Do you want to search for non-matching lines? [N]>

Do you want to tail the logs? [N]>

Do you want to paginate the output? [N]>

1562478703.918 3 172.27.27.10 TCP_DENIED/403 0 GET http://www.express.com/ - NONE/- - BLOCK_ADMIN_PROTOCOL_12-TEST_Policy-TEST_Profile-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
1562478704.035 0 172.27.27.10 TCP_DENIED/403 0 GET http://www.express.com/favicon.ico - NONE/- - BLOCK_ADMIN_PROTOCOL_12-TEST_Policy-TEST_Profile-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
1562480147.922 0 172.27.27.10 TCP_DENIED/403 0 GET http://www.express.com/ - NONE/- - BLOCK_ADMIN_PROTOCOL_12-TEST_Policy-TEST_Profile-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
1562480147.936 0 172.27.27.10 TCP_DENIED/403 0 GET http://www.express.com/favicon.ico - NONE/- - BLOCK_ADMIN_PROTOCOL_12-TEST_Policy-TEST_Profile-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
1562480148.904 0 172.27.27.10 TCP_DENIED/403 0 GET http://www.express.com/ - NONE/- - BLOCK_ADMIN_PROTOCOL_12-TEST_Policy-TEST_Profile-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
1562480148.916 0 172.27.27.10 TCP_DENIED/403 0 GET http://www.express.com/favicon.ico - NONE/- - BLOCK_ADMIN_PROTOCOL_12-TEST_Policy-TEST_Profile-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
1562483801.229 377 172.27.27.10 TCP_MISS_SSL/200 0 TCP_CONNECT 23.208.229.214:443 - DIRECT/www.express.com - DECRYPT_WBRS_7-TEST-TEST_Profile-NONE-NONE-NONE-DefaultGroup-NONE <IW_shop,2.6,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_shop,-,"-","Shopping","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
1562483801.229 376 172.27.27.10 TCP_MISS_SSL/200 0 TCP_CONNECT 23.208.229.214:443 - DIRECT/www.express.com - DECRYPT_WBRS_7-TEST-TEST_Profile-NONE-NONE-NONE-DefaultGroup-NONE <IW_shop,2.6,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_shop,-,"-","Shopping","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
1562483801.315 26 172.27.27.10 TCP_MISS_SSL/200 0 TCP_CONNECT 23.208.229.214:443 - DIRECT/www.express.com - DECRYPT_WBRS_7-TEST-TEST_Profile-NONE-NONE-NONE-DefaultGroup-NONE <IW_shop,2.6,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_shop,-,"-","Shopping","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
1562483801.315 25 172.27.27.10 TCP_MISS_SSL/200 0 TCP_CONNECT 23.208.229.214:443 - DIRECT/www.express.com - DECRYPT_WBRS_7-TEST-TEST_Profile-NONE-NONE-NONE-DefaultGroup-NONE <IW_shop,2.6,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_shop,-,"-","Shopping","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
1562483809.373 26 172.27.27.10 TCP_MISS_SSL/200 0 TCP_CONNECT 23.208.229.214:443 - DIRECT/www.express.com - DECRYPT_WBRS_7-TEST-TEST_Profile-NONE-NONE-NONE-DefaultGroup-NONE <IW_shop,2.6,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_shop,-,"-","Shopping","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
1562483809.373 26 172.27.27.10 TCP_MISS_SSL/200 0 TCP_CONNECT 23.208.229.214:443 - DIRECT/www.express.com - DECRYPT_WBRS_7-TEST-TEST_Profile-NONE-NONE-NONE-DefaultGroup-NONE <IW_shop,2.6,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_shop,-,"-","Shopping","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
1562483811.521 25 172.27.27.10 TCP_MISS_SSL/200 0 TCP_CONNECT 23.208.229.214:443 - DIRECT/www.express.com - DECRYPT_WBRS_7-TEST-TEST_Profile-NONE-NONE-NONE-DefaultGroup-NONE <IW_shop,2.6,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_shop,-,"-","Shopping","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
1562483811.521 25 172.27.27.10 TCP_MISS_SSL/200 0 TCP_CONNECT 23.208.229.214:443 - DIRECT/www.express.com - DECRYPT_WBRS_7-TEST-TEST_Profile-NONE-NONE-NONE-DefaultGroup-NONE <IW_shop,2.6,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_shop,-,"-","Shopping","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
1562483811.735 213 172.27.27.10 TCP_MISS_SSL/200 0 TCP_CONNECT 23.208.229.214:443 - DIRECT/www.express.com - DECRYPT_WBRS_7-TEST-TEST_Profile-NONE-NONE-NONE-DefaultGroup-NONE <IW_shop,2.6,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_shop,-,"-","Shopping","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
1562483811.784 49 172.27.27.10 TCP_DENIED_SSL/403 0 GET https://www.express.com:443/ - NONE/- - BLOCK_ADMIN_PROTOCOL_12-TEST_Policy-TEST_Profile-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
1562483811.867 0 172.27.27.10 TCP_DENIED_SSL/403 0 GET https://www.express.com:443/favicon.ico - NONE/- - BLOCK_ADMIN_PROTOCOL_12-TEST_Policy-TEST_Profile-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
1562486377.154 1324 172.27.27.10 TCP_MISS_SSL/200 0 TCP_CONNECT 23.208.229.214:443 - DIRECT/www.express.com - DECRYPT_WBRS_7-TEST-TEST_Profile-NONE-NONE-NONE-DefaultGroup-NONE <IW_shop,2.6,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_shop,-,"-","Shopping","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
1562486377.157 1326 172.27.27.10 TCP_MISS_SSL/200 0 TCP_CONNECT 23.208.229.214:443 - DIRECT/www.express.com - DECRYPT_WBRS_7-TEST-TEST_Profile-NONE-NONE-NONE-DefaultGroup-NONE <IW_shop,2.6,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_shop,-,"-","Shopping","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
1562486377.376 217 172.27.27.10 TCP_MISS_SSL/200 0 TCP_CONNECT 23.208.229.214:443 - DIRECT/www.express.com - DECRYPT_WBRS_7-TEST-TEST_Profile-NONE-NONE-NONE-DefaultGroup-NONE <IW_shop,2.6,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_shop,-,"-","Shopping","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
1562486377.427 50 172.27.27.10 TCP_DENIED_SSL/403 0 GET https://www.express.com:443/ - NONE/- - BLOCK_ADMIN_PROTOCOL_12-TEST_Policy-TEST_Profile-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
1562486377.509 50 172.27.27.10 TCP_DENIED_SSL/403 0 GET https://www.express.com:443/favicon.ico - NONE/- - BLOCK_ADMIN_PROTOCOL_12-TEST_Policy-TEST_Profile-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
1562487005.377 0 172.27.27.10 TCP_DENIED/403 0 GET http://www.express.com/ - NONE/- - BLOCK_ADMIN_PROTOCOL_12-TEST_Policy-TEST_Profile-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
1562487005.453 0 172.27.27.10 TCP_DENIED/403 0 GET http://www.express.com/favicon.ico - NONE/- - BLOCK_ADMIN_PROTOCOL_12-TEST_Policy-TEST_Profile-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
1562487005.605 229 172.27.27.10 TCP_MISS_SSL/200 0 TCP_CONNECT 23.208.229.214:443 - DIRECT/www.express.com - DECRYPT_WBRS_7-TEST-TEST_Profile-NONE-NONE-NONE-DefaultGroup-NONE <IW_shop,2.6,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_shop,-,"-","Shopping","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
proxy1.dtcmdomain.com>

proxy1.dtcmdomain.com>

proxy1.dtcmdomain.com>
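
One way to answer "what policy is blocking" from access-log lines like the ones above, as an added example that is not part of the original thread: it splits each line into its fields, breaks the decision field into tag, policy and identification profile, and counts the denied transactions per combination. The function names are hypothetical, and reading the second and third components as policy and identification profile is an assumption based on the trace output posted earlier (Access policy: TEST_Policy, Identification Profile: TEST_Profile).

```python
import re
from collections import Counter

# Constructed sample: access-log lines from this thread with the long
# <...> scanning-verdict block shortened; the fields before it are
# unchanged. The last line is a CLI prompt, included to show it is skipped.
SAMPLE = """\
1562478703.918 3 172.27.27.10 TCP_DENIED/403 0 GET http://www.express.com/ - NONE/- - BLOCK_ADMIN_PROTOCOL_12-TEST_Policy-TEST_Profile-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",0.00,0,-> -
1562478704.035 0 172.27.27.10 TCP_DENIED/403 0 GET http://www.express.com/favicon.ico - NONE/- - BLOCK_ADMIN_PROTOCOL_12-TEST_Policy-TEST_Profile-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",0.00,0,-> -
1562483811.735 213 172.27.27.10 TCP_MISS_SSL/200 0 TCP_CONNECT 23.208.229.214:443 - DIRECT/www.express.com - DECRYPT_WBRS_7-TEST-TEST_Profile-NONE-NONE-NONE-DefaultGroup-NONE <IW_shop,2.6,-,"Shopping",0.00,0,-> -
1562483811.784 49 172.27.27.10 TCP_DENIED_SSL/403 0 GET https://www.express.com:443/ - NONE/- - BLOCK_ADMIN_PROTOCOL_12-TEST_Policy-TEST_Profile-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",0.00,0,-> -
1562483811.867 0 172.27.27.10 TCP_DENIED_SSL/403 0 GET https://www.express.com:443/favicon.ico - NONE/- - BLOCK_ADMIN_PROTOCOL_12-TEST_Policy-TEST_Profile-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",0.00,0,-> -
proxy1.dtcmdomain.com>
"""

# Decision tag with an optional numeric suffix, e.g. BLOCK_ADMIN_PROTOCOL_12.
TAG = re.compile(r"^([A-Z_]+?)(?:_(\d+))?$")


def parse_line(line):
    """Parse one access-log line; return None for anything else (prompts, menus)."""
    tok = line.split()
    # Field order seen in the thread: timestamp, elapsed, client,
    # result/status, bytes, method, URL, user, hierarchy/server, MIME type,
    # decision field, then the <...> verdict block.
    if len(tok) < 11 or "/" not in tok[3]:
        return None
    result, _, status = tok[3].partition("/")
    # Assumption: policy and profile names contain no hyphen.
    parts = tok[10].split("-")
    m = TAG.match(parts[0])
    if m is None or len(parts) < 3:
        return None
    return {
        "client": tok[2],
        "result": result,
        "status": status,
        "method": tok[5],
        "url": tok[6],
        "tag": m.group(1),
        "tag_num": m.group(2),
        "policy": parts[1],
        "identity": parts[2],
    }


def decisions(text):
    """Count every transaction by (result, decision tag, policy)."""
    seen = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            seen[(rec["result"], rec["tag"], rec["policy"])] += 1
    return seen


def blocking_policies(text):
    """Count denied transactions by (decision tag, policy, identity)."""
    denied = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["result"].startswith("TCP_DENIED"):
            denied[(rec["tag"], rec["policy"], rec["identity"])] += 1
    return denied.most_common()


if __name__ == "__main__":
    for (tag, policy, identity), count in blocking_policies(SAMPLE):
        print(f"{count} denied by {tag} in policy {policy} (profile {identity})")
```

On the sample, the CONNECT is accepted under the decision DECRYPT_WBRS in policy TEST, while every plain or decrypted GET is denied by BLOCK_ADMIN_PROTOCOL in TEST_Policy, which matches the trace result "Protocol blocked based on applications settings in Access policy".
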


Hi Balaji,

 

This issue is solved. Actually, the port was blocked in Protocol and User Agent by default and I was using the Global Setting, so it was being denied.

I have 2 queries:

1- We have 2 proxies; can we do active and standby in a WCCP/transparent scenario?

2- We want to do only user identification, not authentication, but I don't see any option for user identification only.

 

Thanks

Glad it is working as expected for your requirement.

1- We have 2 proxies; can we do active and standby in a WCCP/transparent scenario?

I do not believe you will get this working; instead, I have only tested it in a lab with small downtime.

You can run a script (EEM or an external script) that keeps checking the active proxy's availability and, when it fails, changes the WCCP ACL to the secondary (in production I will not recommend it, but it works, with a small air gap while changing to the other WSA in WCCP).

2- We want to do only user identification, not authentication, but I don't see any option for user identification only.

User identification is only possible against authentication, or else each user can have a fixed IP address to identify them.

BB

Hi Balaji,

Thanks for detailed answers.

With HTTPS decryption enabled, sites are opening but images are not downloading. With HTTP it's fine, but the issue is with HTTPS decryption: images are not downloading.

Is this normal behaviour of HTTPS decryption?

Again, look at which images in the log were blocked by any policy.

https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/118152-technote-wsa-00.html

BB

Hi Balaji,

 

Thanks for the advice.

Is there any way that I can make a policy on the perimeter firewall for the subnets (LAN/original subnet) which are coming via the WSA?

We want to make some PBR on the basis of the original subnets which are coming via the proxy (usually the perimeter firewall only knows the WSA IP).

Is there any configuration to achieve this on the WSA so it sends the original source as well?

Thanks

No. The proxy intercepts all the traffic, so you need to have the FW allow the WSA IP to the internet, since you are trusting the WSA as a proxy.

BB
