05-17-2016 12:53 AM
Hi All,
We have configured the WSA and placed the appliance on the inside of the internet firewall. We have tested the connectivity and checked traffic flow by configuring the WSA as an explicit proxy on a client machine, which was working fine and tested successfully.
However, transparent proxy is not working when we configured WCCP on the firewall. We have configured transparent redirection on the WSA and given the firewall inside interface as the router identifier.
But after configuring the firewall for WCCP features, we have seen that it is showing the router identifier as an outside interface IP address of the firewall.
In addition, my observation is that the client has a core switch which has an FWSM module, and they are using different contexts for different subnets. In this scenario we put the WSA in one context and the users in another context, and there is no restriction from one context to the other. From the core switch to the firewall they have configured a different transit network for connectivity.
Is there any issue in redirecting HTTP and HTTPS traffic from the firewall inside interface to the WSA, as I have seen that the redirect method uses the GRE protocol?
We have checked the WCCP configuration from the CLI as well as from ASDM. Both outputs show the same message, that redirection is taking place, increasing packet size, but we are not getting the page on the client machine. We have followed the Cisco deployment guide for the WSA configuration.
Anyway, I need your valuable inputs to configure the WSA as a transparent proxy.
Thanks and regards
Erfan
05-17-2016 01:02 AM
For WCCP in the ASA, it can only use GRE and Hash. In addition, the router identifier will always be the highest IP in the ASA, which should NOT cause any issue here.
Firstly, please enable the WCCP log in the WSA and verify whether the WCCP negotiation has been established.
05-17-2016 01:11 AM
Hi Yang,
Thanks for your valuable comments.
Can you advise me how to check whether the WCCP negotiation has been established or not?
Is it the "grep" command to check the access log?
Thanks and regards
Erfan
05-17-2016 01:19 AM
By default, the WCCP log in the WSA is not enabled. Please log into the WSA GUI > System Administration > Add log subscription, then select "WCCP Module Logs", submit it and commit the changes.
You should be able to use the "tail" command in the WSA CLI to review this new log.
05-17-2016 01:29 AM
Hi Yang,
I am trying to enable the log and will update you soon.
Thanks for your assistance.
Erfan
05-31-2016 05:12 AM
Hi Yang,
Hope that you are doing fine.
I have checked the WSA using the GUI but am not getting WCCP Module Logs in the GUI.
Please see the info below for more visibility, as there is no WCCP option.
WSA> advancedproxyconfig
Choose a parameter group:
- AUTHENTICATION - Authentication related parameters
- CACHING - Proxy Caching related parameters
- DNS - DNS related parameters
- EUN - EUN related parameters
- NATIVEFTP - Native FTP related parameters
- FTPOVERHTTP - FTP Over HTTP related parameters
- HTTPS - HTTPS related parameters
- SCANNING - Scanning related parameters
- PROXYCONN - Proxy connection header related parameters
- CUSTOMHEADERS - Manage custom request headers for specific domains
- MISCELLANEOUS - Miscellaneous proxy related parameters
- SOCKS - SOCKS Proxy parameters
[]>
Please assist me with how I can check whether WCCP is working or not.
I am waiting for your valuable comments.
Thanks and regards
Erfan
05-31-2016 07:30 PM
Hello Erfan,
As mentioned, please log into the WSA GUI > System Administration > Add log subscription and then select "WCCP Module Logs", as by default it is not enabled.
Hope it helps.