Cisco Application :: 3945 - WCCP Redirection For WAAS On Same Platform Using Different Service Group?
Nov 9, 2011
if a Cisco router or switch can handle wccp redirection enabled for both waas and some other web content filtering appliance using a different service group?
seems like the priority value would come into play determining which service group gets handled first?
we currently do WCCP for WaaS on our 3945s.
I am going to advocate to my customer that we separate this out for CPU load issues, config complexity issues, IOS issues, etc... but the question is going to come up - "can we do WCCP for different applications on our Catalyst 3750 core switch, or our 3945 WAN routers?"
I currently have WCCP redirection setup on my ASA 5520 to redirect to an ironport on ip address 10.11.1.10. The ASA inside ip is 10.11.1.1 and the ironport is setup for transparent redirection to that IP. This all works well and the Service Identifier i'm using for WCCP is 95.I am now creating another WCCP group because on my ironport I have 4 interfaces so I wanted to use them for our admin network. So I created an ACL on the ASA for our admin traffic and I want to redirect that using Service Identifier 94 to the ip on the ironport of 10.11.1.22. But I can't get traffic to redirect.
I have the following topology, WCCP is configurated on ASA, inside interface, lan users and websense machine are located on the same VLAN of my catalyst 3750G?I want to filter traffic on port 80 (www) to the users on the LAN side debug on the ASA show me that comunication between that device and Websense is OK, there is Here_I_Am and I_See_You packets
WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015B WCCP-PKT:D00: Received valid Here_I_Am packet from WEBSENSE_PROXY w/rcv_id 0000015B WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015C WCCP-PKT:D00: Received valid Here_I_Am packet from WEBSENSE_PROXY w/rcv_id 0000015C WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015D
From show WCCP i saw that WCCP engine and ASA were detected
FW# sh wccp Global WCCP information: Router information: Router Identifier: 200.X.X.X Protocol Version: 2.0
I have a ASA5585 running 8.4 that is redirecting Internet http to a websense server via GRE.The integration is working fine, except when a user PC sends a large packet (~1500 bytes).With WCCP/GRE headers, the user packet is too large to be transmitted to websense, so the ASA fragments the packet in two and transmits both to websense.
A sniffer trace confirms that both fragments reach the websense server, but the TCP packet is never acknowledged.User-side TCP retransmits the large packet three times over 15 seconds, and eventually retransmits fine with smaller packets. The 15 second delay is of course not acceptable.Users and Websense server are both on the Inside interface.
We are considering imposing browser proxy to websense (which works fine), but would prefer not, considering the increasing diversity of devices.
I have a 5520 ASA using wccp redirection to our IronPorts on the inside and everything works great for inside users. What I'm trying to do is get VPN users off split tunneling and to filter their traffic through the IronPorts as well but I can't figure out how. When they connect they seem to bypass the Ironport completely.
I have a Cisco 7206VXR running 12.4(24)T3 IOS. It is configured with WCCPv2 using L2 mask redirection. I am using service groups and associated extended ACLs to select which subnets I want to redirect port 80 traffic from.
It is working fine for the subnet 192.168.1.0/24....
int gi0/2 ip wccp 10 redirect in ip address 192.168.1.99 255.255.255.0
... however, there is OSPF running between the router and a Mikrotik device directly connected to this interface. The gateway addresses for all the client subnets are on the Mikrotik. Traffic from other subnets, e.g. 192.168.2.0/24, 192.168.3.0/24 come in on this interface and I want to redirect those too. But it appears that the redirection doesn't work for those subnets (I don't see any hits on the relevant ACL for any subnet except 192.168.1.0/24).
It seems like the router only wants to redirect traffic for subnets that it has an IP address in itself. Admittedly, all of the example configs i've found on cisco.com are for redirecting traffic from directly connected subnets but I can't find anything that denies thie possibility of redirecting any traffic that comes in on a given interface.
The question is, is this how WCCPv2 redirection works? i.e., the router must have an IP address in the subnet to be redirected?
We have several 474 and 594 class WAAS appliances in the field. When power is lost to a given location, almost all of the other devices we have at these sites will start themsleves back up upon the restoration of power. Since the 474 and 594 WAAS appliances are basically PC based devices they do not seem to have the ability to start themselves back up when power is restored. What we would like is to have a solution wherein the WAAS device powers up on its own once power is restored much like the routers, switches, servers and PBX devices at the same location.
When I create a service object or group and add the object to a new rule it never works.I mean the traffic match not the rule. I see not hits.I placed the rule on top of my access list to check if I do somethink wrong but it is not working. When I place only a service for example tcp/23 it is working.
I have CSS in single arm deployment model. I want to configure port redirection for the servers. Servers are actually running web service on port TCP 3636. Which is accessibale by VIP http://192.168.200.87:3636 but I dont want to give user this URL I want the user to use standard HTTP URL as mention below, I want user to open http://192.168.200.87 and once they access this URL automatically CSS redirect them to port 3636. How I can achive this. I am using IP addresses for the load balancing.
We have a situation where services are stopped on the real servers. The probes fail and we confirm the services are not running on the server. We cannot access the ports from the ACE directly. We can still however acces the VIP on the TCP port (L4 VIP class-map). So we can still telnet to the VIP on the port from thr Client side of the network.This is on ACE 20 Modules deployed in Routed mode. The version of software is A2(3.3).
Tried removing multi-match and loadbalance policies as well as class-map and re-applying then re-appyling the service policy to interface. Same behavior,This is a problem at another level as some services are being monitored by GSS via TCP keep-Alive and this obviuosly causes a problem as the service then never goes off-line.
I am wondering if there is a method to redirect particular URLs to individual real servers in a server farm.Scenario: We have an url which is setup on our ACE4710s (A3 2.4) to load balancer to a particular server farm as per standard setup i.e.Customers access [URL] on an external VIP, this is then load balanced to a server farm "SF_WEBSITE" consisting of 2 real servers "Server_A" and "Server_B". Nothing difficult in this set up. However, I have eeen asked if it is possible to redirect certain urls to individual servers within the server farm "SF_WEBSITE": e.g.
Action 1 - Customers access [URL] is redirected to "Server_A" only
Action 2 - Customers access [URL] is redirected to "Server_B" only
Default Action - Customer access [URL] anything else is redirected to server farm "SF_WEBSITE" and is load balanced between "Server_A" and "Server_B"
The Standard Class Maps and Policy would be something like:
policy-map type loadbalance first-match SLB_WEBSITE class class-default serverfarm SF_WEBSITE
Where I thought I would need something like:
class-map type http loadbalance match-all CMAP_AREA1 description CMAP used to capture specific URL for area 1 2 match http url /area1 class-map type http loadbalance match-all CMAP_AREA2 description CMAP used to capture specific URL for area 2 2 match http url /area2
[code]...
I think the above method is ok for 1 instance, but if it test successfully, my company would want to to roll this out across dozens of server farm configurations each consisting of numerous real servers, which will make the administration and implementation time overheads massive, not to mention complicating and lengthening the configuration.
i have a 4710 appliance (one armed) and i am load balancing with two webservers. In the URL, there are links that need to be redirected to https:
[URL]
i am using the
rserver redirect REDIRECT-TO-HTTPS[URL]
The https is working but i have a problem. when i access the Main link "first" it is redirected to https to the Main link.But if i access one of the Sublinks directly(without having to click on the main link first) the page is redirected to https but to the Main Link. i have to click the Sublink again in order to get the page.How can i redirect to https and stay on the same page? What might be the general link in the webserver-redirection?
My problem is, it doesn’t seem like packets are making it to the linux/squid caching device, based on cache logs. Workstations that are being redirected in the router have no web browser access (they can ping 8.8.8.8 and google.com)
I have a linux box running squid successfully, which supports GRE WCCP. For the sake of argument, I will say that I am confident I have successfully configured that machine.
What’s really strange is this morning I came in and hind sight my test workstation looked like it may had restarted from an update. (maybe had internet access). The first thing I did was tweak the cisco config, as I was reading last night and saw:
“Be warned that if you are using NAT you MUST use the inbound interface otherwise the router only sees the NATted IP address as the source of your clients. This is bad, because the router is also therefore unable to see your cache engine and it will redirect the cache engine requests back upon itself.”
So I turned <ip cef> on and removed the <ip wccp web-cache redirect out> (I had in fa0/1 and out fa0/0 on overnight).
Then I proceeded to check the workstation and saw it had network access, I tested to see if it was in fact filtered by the proxy, and it was! (verified by cache logs aswell)
After some further successful testing, I made sure I saved any unsaved configuration changes, I rebooted the linux box and the router. Sadly the outcome was not good, I am back to where I was last night.
My router does routing/NAT and has two interfaces and is currently not running CEF
ip wccp web-cache redirect-list SQUID_PROXY ! interface FastEthernet0/0 description WAN ip address 1.2.3.4 255.255.255.248 ip nat outside ip virtual-reassembly max-reassemblies 64 speed 100 full-duplex(code)
Currently using WCCP with squid for content filtering. One of our sites we connect to needs to see the connection coming from our public IP address, not the proxy server IP. I've created a acl in squid for direct lookup, but the website gets angry with the X-Forwarder-Header squid attaches to each packet. Is there a way in a cisco ASA 5505 to bypass wccp for a specific public ip address or url?
My connection status icon has a big red x on it. I can't get on the internet. I tried the cmd stuff( ipconfig,netsh renewand release, and all the other jazz to do) my ip address starts with a 169 # I know that's not good. I go into my networks and I have no network. I go into my LAN ip4 and ip6and there are no addresses no were.I checked the LAN area status and it says not connected.
I've been working on my laptop recently, once finished i turned my computer off like most people do. After turning it back on hours later, i noticed that my laptop was connected to the internet router but had limited access which ment i could'nt get onto the internet ! So when I went onto Network and sharing center and nothing came up apart from ''the dependency service or group failed to start'' ...I don't want to use system restore or reset tools of windows
DHCP Client and Network Location Awareness aren't working. When I tried to start DHCP Client, I got Windows could not start the DHCP Client service on the Local Computer.Error 5: Access is denied. I checked the dependencies and all of them were on. For Network Location Awareness, I got the error Windows could not start the Network Location Awareness on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service cendor, and refer to service-specific error code -1073741288. One of its dependencies is fine, but I don't know how to check the other two, Ancillary Function Driver for Winsock and NetIO Legacy TDI Support Driver. Also, how do I check the event log?Everything on the list that was said to check is running expect these two the lisie was having problems with. I have not had anything with memory recently and have not been able to successfully go through a system restore. I have tried many of the suggestions and just am not sure what to do anymore. The computer works perfectly fine, minus it cannot get on the internet.
My roommate and I are trying to set up the internet, but my computer won't detect the Ethernet Cable. Whenever I go to Network and Sharing Center and try connecting to the internet, the computer simply says "Windows did not detect any networking hardware", even though the light is clearly on and should be working. The cable is also new so it should be fine. I've also been looking around on the internet a bit, and in trying to fix the problem it looks like some of my Services are turned off, which seems to be causing the problem. However, whenever I try and turn them on, I get an error message saying "The dependency service or group failed to start".
I am taking an introduction class to CCNA and we are focusing on the Application Layer,and I'm having some difficulty in understanding what is an Application Layer Service. Is the Application Layer Service the same as Application Layer Software?
We have a pair of ACE20-MOD-K9 in Fault Tolerant mode. They are running multiple contexts and we have a problem with one particular context which is running SSL off-loading. Despite the config being identical on both (accept for the peer addresses obviously) and both having the same SSL Key and Cert files loaded on both, the configuration will not sync between them. [code] All the Crypto files are identical as I copied them from one ACE to the other.
i have two CSS-11503 in redundant mode running 8.20 code. We had an incident in our network where a layer 2 loop caused some high traffic through the CSS' and had to shutdown some network gear(including the CSS) to clear the problem. When the CSS' were powered back up, the SSL service was suspended, why this would occur? There rest of the config appeared normal. I am the only person on these boxes, the configs were written, and I have never had a reason to suspend the ssl service.
some misconfiguration (?) may be the reason for an undesired behaviour we are experiencing with our Cisco CSS 11501s. Balancing mechanisms work fine, however if a service transitions to the "down" state, the corresponding flows remain "alive" leading to a temporary outage of our service. Subsequent client requests are still being sent to the "down" frontend which is unresponsive.
I have an ACE4710 with a few basic farms running and it works great however I now need to implement an SSL proxy service for the first time. The requirement is that clients who are already using FQDN's need to be sent to diffent real server IP addresses as each client will have their own VM. All the clients will use the same global IP address with different A records.
I have an ACE10-6500-K9 (Application Control Engine service module for Catalyst 6500) but I can't access it because I lost the admin password.I would like to know how to perform a Password Recovery Procedure on this device.Is it similar to the password recovery procedure on an ACE 4700 appliance?
Does ACE service module support SHA2(256) certificates? I see that private key generation defaults to SHA1 and does not provide any option, also the cipher suites in SSL parameters map do not show SHA2 options. Can it handle SHA2 in any software release? I am currently running A2(2.3) build 3.00
My ACE module ACE30-MOD-K9 crashed today, and at the show ver output i see "last boot reason: Service "cfgmgr" ".the curent version we running is Version A5(1.2) [build 3.0(0)A5(1.2).
After doing some research i found known bug that supposed to be fixed in this version: CSCtu36146
CSCtu36146—The ACE becomes unresponsive due to a configuration manager (Cfgmgr) process failure with the last boot reason: Service "cfgmgr."
i need to be able to find out what application/service is sending out net bios broadcasts on a network segment the requests are for machines that no longer are on the network but something is trying to obtain there ip address as they are not in dns any more i am assuming this is why they are resorting to netbios broadcasts i need to some how isolate what application or service is trying to find out.
I try to map LDAP Group to ASA Group policy following documentation:
[URL]
This is a config for ASA 8.0. I would have expected it to work on 8.4 as well but I do run into problems. The mapping as shown in LDAP Debug and ASA Log will actually happen but it is overwritten by the "GPnoAccess" Group Policy configured locally in the Tunnel Group. From earlier works with RADIUS I would have expected the user specific Attribute to be "stronger"? ASA Log:
AAA retrieved user specific group policy (correct Policy) for user = XXX AAA retrieved default group policy (GPnoAccess) for user = XXX
