WSA is not getting WCCP traffic and users can't browse any websites

We have WSA configured for central office users' web traffic control and it's working fine. We also want the branch users to control their web traffic using the same WSA. We have added the branch network subnets to the existing WCCP ACL which is configured on the 6509 core switch and could see http/https hits coming from the branch subnets.

We have created a new Identity (with no authentication), added the branch subnet to it, and created a new access policy that uses the same identity. However, users are not able to browse any website once we add the branch subnets to the existing WCCP ACL. When we did a packet capture on the WSA for one of the PC IP addresses on the branch network there were no packets reaching the WSA. However, when we did a policy trace on the WSA for the same branch IP address we could see it was hitting the correct policy and identity, where an allowed website passes and a blocked site is blocked. Still, users are not able to browse any websites.

Not sure where the problem is; would appreciate it if someone can guide us or give some troubleshooting steps to verify the configuration.

Thanks in advance.

Tony Gharib
Do you have the command:

ip wccp <wccp-number> redirect in

on the interface where the branch traffic is coming?

Hi Tony,

Thanks for your response. Actually, "ip wccp redirect out" is already there on the interface connecting to the firewall. Since we can't have "wccp redirect in" on every user SVI, we have used the firewall-connecting interface as one gateway.

Since we already use wccp redirect out, we can't use wccp redirect in on the WAN-connecting interface. I have attached the network topology for better understanding. Also attached is the policy-trace output, where I can see it is hitting the correct Access policy. However, I'm not sure why there are no packets found in the packet-capture output taken from the WSA.

The issue is that while the policies are intact, when I add the branch subnets to the WCCP ACL they can't access any of the websites. Not sure whether the issue is in the WSA policy or the WCCP config?

The policy trace is only a "Suppose if" scenario to check your policies. It does not show you what is really going on.

The packet capture is more helpful here. Just make sure that you do not have any filters on your captures in WSA.

Question: is it only traffic that is coming from the branch offices that is not redirected?

Put a log on your ACL and make sure that the log counters go up when testing your connection.

You need to locate where your packets are being dropped, because if you do not have any filters on your WSA packet capture then the packets are being dropped before they get there.

Hi Tony,

Many thanks for your response once again.

I did not set any filters, and the packet capture was taken with the source IP of one of the PCs in the branch network.

Yes, only traffic that is coming from the branch office is not redirected; HO traffic and the policies in the WSA are working perfectly. As mentioned earlier, I have added the branch subnets to the existing WCCP ACL, and when I check "show access-list wccpacl" I can see hits on those subnets.

I can add an ACL (permit tcp any any eq www log and permit tcp any any eq www), apply it to the interface where the WSA is connected, and see whether packets are reaching the WSA interface.

Is there any other option to see where the packets are being dropped? Do you think rebooting the WSA will help if there's no issue with my config?

Appreciate your further advice.
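The WCCP pieces discussed in this thread (a service group with its redirect-list ACL, "redirect in" on the interface where client traffic enters the switch, a temporary "log" keyword on the branch ACEs so their hit counters can be checked, and the show commands used to confirm registration and redirection) put together as one added example. This is a generic IOS-style configuration written here for illustration; it is not the poster's configuration and not Cisco's. Interface names, subnets, the WSA addresses and the service-group numbers (web-cache for HTTP, 70 for HTTPS) are assumptions.

```cisco
! WCCPv2 on the core switch: "web-cache" (TCP/80) and service group 70
! (TCP/443, the group the WSA registers for HTTPS). All addresses,
! names and interface numbers below are assumed for the example.
ip wccp version 2
ip wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-WSA
ip wccp 70 redirect-list WCCP-REDIRECT group-list WCCP-WSA
!
! Only the WSA appliances may register with the service groups.
ip access-list standard WCCP-WSA
 permit 10.1.1.10
 permit 10.1.1.11
!
! Redirect list: which client traffic is sent to the WSA.
! The "log" keyword sits only on the branch ACEs, and only while
! testing, so "show access-lists" shows whether branch packets match;
! remove it once the test is done, logging is costly on a busy core.
ip access-list extended WCCP-REDIRECT
 ! never send the proxy's own outbound requests back to the proxy
 deny   ip host 10.1.1.10 any
 deny   ip host 10.1.1.11 any
 ! head-office users
 permit tcp 10.10.0.0 0.0.255.255 any eq www
 permit tcp 10.10.0.0 0.0.255.255 any eq 443
 ! branch users (the subnets added in this thread), logged for the test
 permit tcp 10.20.0.0 0.0.255.255 any eq www log
 permit tcp 10.20.0.0 0.0.255.255 any eq 443 log
 deny   ip any any
!
! Redirect where the client traffic ENTERS the switch. For the branches
! that is the WAN-facing interface, so nothing is needed on each user
! SVI in the branch; head-office users get it on their own SVI.
interface GigabitEthernet1/1
 description WAN link to branch offices
 ip wccp web-cache redirect in
 ip wccp 70 redirect in
!
interface Vlan10
 description Head-office users
 ip wccp web-cache redirect in
 ip wccp 70 redirect in
!
! Interface toward the WSA: exclude it from redirection so traffic the
! WSA sends on behalf of clients is not redirected to the WSA again.
interface GigabitEthernet1/2
 description Link to WSA
 ip wccp redirect exclude in
!
! Verification (exec mode), from the switch side:
!   show ip wccp                      global service-group and redirect counters
!   show ip wccp web-cache detail     is the WSA registered, which buckets it owns
!   show ip wccp 70 detail
!   show access-lists WCCP-REDIRECT   hit counts on the logged branch ACEs
!   show ip interface GigabitEthernet1/1 | include WCCP
```

The split between the ACL hit counters and the service-group counters in "show ip wccp" is what separates "the redirect list matched the packet" from "the switch actually forwarded it to the WSA"; when the first rises and the second does not, the drop is on the switch, and the WSA packet capture will stay empty exactly as described earlier in the thread. The poster's design uses "redirect out" on the firewall-facing interface instead of the inbound form shown here; the interface placement is the part Tony is asking about.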

Hang on! Traffic is hitting the ACL that is attached to the WSA, but when you do a packet capture on the WSA you see nothing! That does not sound right. That is basically the same wire!

Hi Tony,

No, I mean to say that we can apply an ACL on the WSA interface and check whether the traffic is hitting it, but I have not checked yet, as I did not get time with my client to troubleshoot it. When I get the chance I will do the same and verify both the ACL hits and the packet capture.

Do you have any other troubleshooting options left? I'd appreciate it if you could let me know.

Thanks a lot for all your feedback.

Not really. The principle is to first locate where the traffic is being dropped.

Hi Tony,

We had a chance to check this issue again. What we noticed, as before, is that the WSA is going through the correct policy; however, users can't browse the internet when we add the new branch subnet to the WCCP ACL. A packet capture was also taken on the WSA for one of the branch IP addresses, and we were able to see SYN/SYN-ACK between the server and client and also some TCP retransmissions from the server to the client.

We also rebooted both WSA devices, but still no luck.

Can you please let us know any other troubleshooting steps to find the exact issue, or, based on this troubleshooting, where do you think the problem is?

Thanks in advance.