01-31-2018 10:56 AM - edited 03-08-2019 07:43 PM
WSA---->L3_SWITCH----->(inside)ASA(dmz)----
++ASA is not redirecting packets to WSA; however, I see the HELLOs are exchanged.
++L3 switch has a route to reach the ASA DMZ interface.
++In WSA I have configured both the inside and DMZ IPs under WSA > Transparent Redirection > Router IP address.
WCCP-PKT:S00: Received valid Here_I_Am packet from 10.101.68.200 w/rcv_id 00000043
WCCP-PKT:S00: Sending I_See_You packet to 10.101.68.200 w/ rcv_id 00000044
Global WCCP information:
Router information:
Router Identifier: 192.168.243.254
Protocol Version: 2.0
Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 0
Redirect access-list: wccp_traffic
Total Connections Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: wccp-server
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
Could you please let me know if I am missing something?
Appreciate your help!
01-31-2018 11:29 AM
01-31-2018 11:33 AM
Thanks for responding.
Version: 9.8(2)
Please feel free to let me know if you need any kind of information regarding the setup or config.
01-31-2018 12:10 PM
FYI, here is the config on the ASA:
WSA----L3_switch-----(inside)ASA(dmz)
WSA IP: 10.101.68.200
ASA inside IP: 10.101.71.65
ASA DMZ IP: 192.168.243.254 ----> highest IP address
Configuration:
-----------
wccp 90 redirect-list wccp_traffic group-list wccp-server
wccp interface inside 90 redirect in
access-list wccp-server extended permit ip host 10.101.68.200 any
access-list wccp_traffic extended permit tcp host 10.101.64.112 any eq www
access-list wccp_traffic extended permit tcp host 10.101.64.112 any eq https
access-list wccp_traffic extended deny ip any any
Show command output:
--------------------
###sh wccp 90
Global WCCP information:
Router information:
Router Identifier: 192.168.243.254
Protocol Version: 2.0
Service Identifier: 90
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 0
Redirect access-list: wccp_traffic
Total Connections Denied Redirect: 1675
Total Packets Unassigned: 0
Group access-list: wccp-server
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
###sh wccp 90 detail
WCCP Cache-Engine information:
Web Cache ID: 10.101.68.200
Protocol Version: 2.0
State: Usable
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Hash Allotment: 0 (0.00%)
Packets Redirected: 0
Connect Time: 03:00:16
###sh wccp 90 view
WCCP Routers Informed of:
192.168.243.254
WCCP Cache Engines Visible:
10.101.68.200
WCCP Cache Engines NOT Visible:
-none-
##Debugs hello packets
WCCP-PKT:D90: Sending I_See_You packet to 10.101.68.200 w/ rcv_id 00000417
WCCP-PKT:D90: Received valid Here_I_Am packet from 10.101.68.200 w/rcv_id 00000417
Configuration on WSA:
--------------------
Allow GRE only for forward and return packet
Allow Hash only
router ip address: 192.168.243.254, 10.101.71.65
01-31-2018 02:19 PM
Looking at mine in production, the router identification is NOT the interface that is connected.
It's the highest IP on the ASA. Did a little digging, and I'm pretty sure that's just how the ASA works. (See my show wccp below.)
My bug was in 9.1.1 (CSCue02226)... unrelated...
My WCCP config doesn't have a server list, I just use the password.
Are you trying to surf from 10.101.64.112?
Global WCCP information:
Router information:
Router Identifier: 172.25.0.1
Protocol Version: 2.0
Service Identifier: 90
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 36880541
Redirect access-list: WCCP_Redirect
Total Connections Denied Redirect: 609
Total Packets Unassigned: 658
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 65925
02-01-2018 02:01 AM
Yes. I'm trying to surf from 10.101.64.112.
Could you tell me if it is using the DMZ IP or the inside IP to contact the WSA?
Because the HELLOs are exchanged, but probably the engine is rejecting the WCCP GRE packets from the router ID or vice versa.
02-01-2018 04:20 PM
02-01-2018 09:05 PM
WSA-10.101.68.200---->L3_switch----->(inside-10.101.71.65)ASA(dmz-192.168.23.254)
I have turned on captures on the ASA inside interface.
I see the WSA is communicating with both inside and DMZ.
First capture: WSA communicating with the inside interface of the ASA
============
1: 05:47:42.409005 10.101.68.200.2048 > 10.101.71.65.2048: udp 120
2: 05:47:42.409082 10.101.71.65.2048 > 10.101.68.200.2048: udp 140
3: 05:47:52.424569 10.101.68.200.2048 > 10.101.71.65.2048: udp 120
4: 05:47:52.424630 10.101.71.65.2048 > 10.101.68.200.2048: udp 140
5: 05:48:02.380153 10.101.68.200.2048 > 10.101.71.65.2048: udp 120
6: 05:48:02.380214 10.101.71.65.2048 > 10.101.68.200.2048: udp 140
Second capture: WSA communicating with the DMZ interface of the ASA ===> BLOCKED
==============
Packet tracer shows: Drop-reason: (no-route) No route to host
1: 05:47:32.393366 10.101.68.200.2048 > 192.168.243.254.2048: udp 148
2: 05:47:42.408975 10.101.68.200.2048 > 192.168.243.254.2048: udp 148
3: 05:47:52.424523 10.101.68.200.2048 > 192.168.243.254.2048: udp 148
So why is the WSA talking to the DMZ interface then? As far as I know, by design we cannot talk/communicate to an ASA's other interface IP.
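The show output in the earlier post and the captures above can be checked mechanically. This is an added example, not code from the thread or from Cisco: it parses a constructed sample of "show wccp" counters and ASA capture lines in the same shape as those posted, and reports the three signs of a non-working redirect (zero hash allotment, denied-but-not-redirected connections, and WCCP control packets to the router identifier that get no reply). The sample values and the WSA_IP constant are assumptions.

```python
import re

# Constructed sample in the same shape as the thread's outputs (not the poster's data):
# "show wccp 90" counters, one "show wccp 90 detail" line, and ASA capture lines.
SHOW_WCCP = """\
Router Identifier: 192.168.243.254
Total Packets Redirected: 0
Total Connections Denied Redirect: 1675
Hash Allotment: 0 (0.00%)
"""
CAPTURE = """\
1: 05:47:32.393366 10.101.68.200.2048 > 192.168.243.254.2048: udp 148
2: 05:47:42.409005 10.101.68.200.2048 > 10.101.71.65.2048: udp 120
3: 05:47:42.409082 10.101.71.65.2048 > 10.101.68.200.2048: udp 140
"""
WSA_IP = "10.101.68.200"  # assumed cache-engine address

def _grab(pattern, text, cast=str):
    m = re.search(pattern, text)
    return cast(m.group(1)) if m else None

def parse_show_wccp(text):
    """Extract the counters that decide whether redirection can work at all."""
    return {
        "router_id": _grab(r"Router Identifier:\s*(\S+)", text),
        "redirected": _grab(r"Total Packets Redirected:\s*(\d+)", text, int),
        "denied": _grab(r"Total Connections Denied Redirect:\s*(\d+)", text, int),
        "hash_pct": _grab(r"Hash Allotment:\s*\d+\s*\(([\d.]+)%\)", text, float),
    }

def parse_capture(text):
    """Return (src, dst) pairs for WCCP control packets (UDP/2048) in a capture."""
    pat = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.2048 > (\d+\.\d+\.\d+\.\d+)\.2048: udp")
    return [m.groups() for m in map(pat.search, text.splitlines()) if m]

def diagnose(show, flows, wsa_ip):
    """Turn the parsed data into the findings an engineer would check next."""
    findings = []
    if show["hash_pct"] == 0:
        findings.append("hash allotment is 0%: the cache engine holds no buckets, so nothing is redirected")
    if show["redirected"] == 0 and show["denied"]:
        findings.append("connections denied redirect with zero redirected: matching traffic is refused")
    rid = show["router_id"]
    if (wsa_ip, rid) in flows and (rid, wsa_ip) not in flows:
        findings.append(f"WSA sends WCCP to router identifier {rid} but no reply is seen (unreachable IP)")
    return findings

if __name__ == "__main__":
    for f in diagnose(parse_show_wccp(SHOW_WCCP), parse_capture(CAPTURE), WSA_IP):
        print("-", f)
```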
02-02-2018 02:54 AM
02-02-2018 03:55 AM - edited 02-02-2018 03:56 AM
I have both the inside and DMZ IP addresses in the WSA.
02-02-2018 04:48 AM
02-02-2018 03:58 AM
I gave both the inside and DMZ IP addresses in the WSA.