
Redirection fails when using WCCP on a Cisco ASA

Started by Charles Graff, 19 May 2013 - 05:58 PM
3 replies to this topic

Best Answer Owen Dai, 21 May 2013 - 01:13 AM

Charles Graff Members

Charles Graff
  • 19 posts

Posted 19 May 2013 - 05:58 PM

Hello everyone,

We're experiencing an issue with trying to use WCCP redirection with the Branch Repeaters directly attached to our Cisco ASA. We have a site-to-site VPN between these two locations. Due to some of the complexities of the WAN topology, inline is not really practical for this deployment. We also do not have a router inside the network at one of these locations, so we need to attach the Repeater directly to the ASA. We placed the Repeater in its own VLAN.

Looking at the status on the ASA and the Repeater, the WCCP connection is made. The problem is that as soon as we turn on WCCP redirection on an interface on the ASA, we are seeing dropped traffic and nothing flows through the Repeaters. The two repeaters never partner.

We see this message in the ASA as well as soon as redirection is turned on:
IPSEC: Received an ESP packet (SPI= 0xE726DD3A, sequence number= 0x2415) from AAA.AAA.AAA.AAA (user= AAA.AAA.AAA.AAA) to BBB.BBB.BBB.BBB. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 192.168.80.22, its source as 192.168.144.2, and its protocol as gre. The SA specifies its local proxy as 192.168.144.0/255.255.255.0/ip/0 and its remote_proxy as 192.168.220.0/255.255.255.0/ip/0.

AAA and BBB are the external ISP IP addresses for the site-to-site VPN
.220 is the remote subnet
.144 is the local subnet
.80 is the VLAN for the repeater

We have implemented the troubleshooting steps in these articles with no luck:
http://support.citrix.com/article/CTX128879
http://support.citrix.com/article/CTX112401
https://supportforums.cisco.com/docs/DOC-15128

Are we configuring something wrong? Does the Branch Repeater need to be on a different subnet than where we have it now? Is this a supported configuration?

Any help would be appreciated.
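As an added diagnostic example (not code from the thread, Citrix or Cisco), this Python script parses the ASA message quoted above and reports which part of the SA's negotiated proxy identities the decapsulated inner packet falls outside of. The sample message is constructed from the post, with the AAA/BBB placeholders kept.

```python
import ipaddress
import re

# Constructed sample: the ASA syslog line quoted in the post, with the public
# ISP addresses left as the AAA/BBB placeholders the poster used.
SAMPLE_MSG = (
    "IPSEC: Received an ESP packet (SPI= 0xE726DD3A, sequence number= 0x2415) "
    "from AAA.AAA.AAA.AAA (user= AAA.AAA.AAA.AAA) to BBB.BBB.BBB.BBB. "
    "The decapsulated inner packet doesn't match the negotiated policy in the "
    "SA. The packet specifies its destination as 192.168.80.22, its source as "
    "192.168.144.2, and its protocol as gre. The SA specifies its local proxy "
    "as 192.168.144.0/255.255.255.0/ip/0 and its remote_proxy as "
    "192.168.220.0/255.255.255.0/ip/0."
)

PACKET_RE = re.compile(
    r"destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), "
    r"and its protocol as (?P<proto>\w+)"
)
PROXY_RE = re.compile(r"local proxy as (?P<local>\S+) and its remote_proxy as (?P<remote>\S+)")


def parse_proxy(spec):
    """Split an ASA proxy identity 'net/mask/proto/port' into (network, proto, port)."""
    net, mask, proto, port = spec.rstrip(".").split("/")
    return ipaddress.ip_network(f"{net}/{mask}"), proto, port


def diagnose(msg):
    """Return the reasons the inner packet fails the SA's proxy identities ([] if it fits)."""
    pkt, prx = PACKET_RE.search(msg), PROXY_RE.search(msg)
    if not pkt or not prx:
        raise ValueError("not an ASA inner-packet policy mismatch message")
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    local_net, local_proto, _ = parse_proxy(prx["local"])
    remote_net, remote_proto, _ = parse_proxy(prx["remote"])
    reasons = []
    # The endpoints must lie within the two proxies in one direction or the other.
    outbound = src in local_net and dst in remote_net
    inbound = src in remote_net and dst in local_net
    if not (outbound or inbound):
        reasons.append(f"{src} -> {dst} matches neither {local_net} -> {remote_net} nor the reverse")
    # A proxy protocol of 'ip' covers any protocol; anything else must match exactly.
    for side, proto in (("local", local_proto), ("remote", remote_proto)):
        if proto != "ip" and proto != pkt["proto"]:
            reasons.append(f"protocol {pkt['proto']} does not match {side} proxy protocol {proto}")
    return reasons


if __name__ == "__main__":
    for reason in diagnose(SAMPLE_MSG):
        print(reason)
```

For the posted message it reports that 192.168.80.22 (the Repeater VLAN) lies outside both proxy subnets, so the GRE-redirected packet cannot be carried by an SA negotiated for 192.168.144.0/24 and 192.168.220.0/24.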



paolor Citrix Employees

Paolo Rodriguez
  • 37 posts

Posted 20 May 2013 - 08:38 PM

Hello -

From what it looks like from this document - https://supportforums.cisco.com/docs/DOC-12623

It seems ASA has a limitation (compared to Cisco routers/switches) where it requires the WCCP cache engine (Branch Repeater (BR) in this case) to communicate directly with the clients.

BR is configured in WCCP where it will need to receive/forward packets to the WCCP router/switch. You may want to work with Cisco to see if there are other options for ASA that are in line with the BR WCCP configuration. Hope this helps.



Owen Dai Citrix Employees

Owen Dai
  • 2 posts

Posted 21 May 2013 - 01:13 AM

ASA can only support WCCPv2 with GRE, not WCCP-L2 mode, and WCCP redirection does not work when the Repeater and the client network are behind different interfaces of the redirecting ASA.
Due to the secure nature of Cisco firewalls, they treat each interface as a separate security zone. This creates certain unique limitations to how WCCP redirection can be performed.

WCCP redirection is supported only on the ingress of an interface. The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client, without going through the adaptive security appliance.

So, ASA cannot act as the WCCP server in your topology with Repeater.


Best Answer

Charles Graff Members

Charles Graff
  • 19 posts

Posted 21 May 2013 - 01:41 PM

Thanks for the answer Owen. Not exactly what I was hoping to hear, but at least I can stop banging my head against the wall.