Help me get WCCP working between Cisco and Blue Coat

This is in a lab.  As you can see, it looks like it should be working. It shows that the relationship is established and also that my traffic is hitting the correct access list. I also tried it without defining an access list for redirection, which the documentation says should redirect all traffic.

So my redirected counter never increases.
My Test website never says that I'm coming from the proxy.

What am I doing wrong here?  Please help.

BlueCoat Config:
____________________________________________
wccp enable
wccp version 2
service-group 10
forwarding-type L2
priority 1
protocol 6
service-flags destination-ip-hash
service-flags ports-defined
ports 80 0 0 0 0 0 0 0
interface 2
home-router 10.5.13.67
end



Cisco Router Info:
____________________________________________
SF1#show ip wccp 10
Global WCCP information:
    Router information:
        Router Identifier:                   10.5.13.67
        Protocol Version:                    2.0

    Service Identifier: 10
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        0
          Process:                           0
          CEF:                               0
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect Access-list:                WCCP-LIST
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group Access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0
____________________________________________
SF1#show ip wccp 10 view
    WCCP Routers Informed of:
        10.5.13.67

    WCCP Clients Visible:
        10.5.13.71

    WCCP Clients NOT Visible:
        -none-
____________________________________________
SF1#show ip wccp 10 detail
WCCP Client information:
        WCCP Client ID:          10.5.13.71
        Protocol Version:        2.0
        State:                   Usable
        Redirection:             L2
        Packet Return:           L2
        Assignment:              HASH
        Initial Hash Info:       00000000000000000000000000000000
                                 00000000000000000000000000000000
        Assigned Hash Info:      FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                                 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
        Hash Allotment:          256 (100.00%)
        Packets s/w Redirected:  0
        Connect Time:            00:14:54
        Bypassed Packets
          Process:               0
          CEF:                   0
          Errors:                0
____________________________________________
SF1#show access-lists
Standard IP access list WCCP-CACHES
    10 permit 10.5.13.71
Extended IP access list 100
    10 permit ip any 224.0.0.0 0.255.255.255
    20 deny ip any any
Extended IP access list WCCP-LIST
    10 deny ip host 10.5.13.8 any
    20 permit ip any any (117 matches)
Extended IP access list mcast
    10 permit ip 224.0.0.0 0.255.255.255 224.0.0.0 0.255.255.255
    20 deny ip any any
____________________________________________
SF1#show conf
Using 1947 out of 196600 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname SF1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 16384 informational
enable secret 5 $1$6Y4J$cDPIDTalgIAPIk7.IHR1Q0
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
!
!
dot11 syslog
ip source-route
ip wccp 10 redirect-list WCCP-LIST
!
!
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name gw.chicken.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.5.13.2 255.255.255.192
 duplex auto
 speed auto
 standby 0 priority 10
 standby 0 preempt
 standby 10 ip 10.5.13.1
!
interface FastEthernet0/1
 ip address 10.5.13.67 255.255.255.224
 ip wccp 10 redirect out
 duplex auto
 speed auto
 standby 0 priority 10
 standby 0 preempt
 standby 20 ip 10.5.13.69
!
router eigrp 65100
 network 10.5.13.0
 no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
ip access-list standard WCCP-CACHES
 permit 10.5.13.71
!
ip access-list extended WCCP-LIST
 deny   ip host 10.5.13.8 any
 permit ip any any
ip access-list extended mcast
 permit ip 224.0.0.0 0.255.255.255 224.0.0.0 0.255.255.255
 deny   ip any any
!
access-list 100 permit ip any 224.0.0.0 0.255.255.255
access-list 100 deny   ip any any
!
!
!
!
!
!
!
control-plane
!
!
!
ccm-manager fax protocol cisco
!
mgcp fax t38 ecm
!
!
!
!
!
!
line con 0
 exec-timeout 60 0
 password 7 04570A04
 login
 transport preferred none
 escape-character 3
line aux 0
line vty 0 4
 exec-timeout 60 0
 password 7 0507070D
 login
 transport preferred none
 escape-character 3
!
scheduler allocate 20000 1000
end
Asked by: Dooglave
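As an added example (not from the question or from either participant), here is a small Python triage script that parses the kind of `show ip wccp 10` and `show ip wccp 10 detail` output posted above and turns the symptom described in the question (client Usable, hash fully allotted, zero packets redirected) into explicit findings. The sample output is constructed from the values in the question, and the field labels follow the posted IOS output; the checks in `diagnose` are the ones this thread ends up walking through by hand.

```python
import re
from typing import Dict, List

# Constructed sample output, modelled on the "show ip wccp 10" and "show ip wccp 10 detail"
# values in the question: service group formed, hash fully assigned, nothing redirected.
SHOW_WCCP = """\
Global WCCP information:
    Router information:
        Router Identifier:                   10.5.13.67
        Protocol Version:                    2.0

    Service Identifier: 10
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        0
        Redirect Access-list:                WCCP-LIST
        Total Packets Denied Redirect:       0
"""

SHOW_WCCP_DETAIL = """\
WCCP Client information:
        WCCP Client ID:          10.5.13.71
        Protocol Version:        2.0
        State:                   Usable
        Redirection:             L2
        Packet Return:           L2
        Assignment:              HASH
        Hash Allotment:          256 (100.00%)
        Packets s/w Redirected:  0
"""


def _int_after(label: str, text: str) -> int:
    """Integer that follows a 'Label:' field in IOS show output (0 if the field is absent)."""
    m = re.search(re.escape(label) + r"\s+(\d+)", text)
    return int(m.group(1)) if m else 0


def parse_summary(text: str) -> Dict[str, int]:
    """Counters from 'show ip wccp <group>'."""
    return {
        "clients": _int_after("Number of Service Group Clients:", text),
        "routers": _int_after("Number of Service Group Routers:", text),
        "redirected": _int_after("Total Packets s/w Redirected:", text),
        "denied": _int_after("Total Packets Denied Redirect:", text),
    }


def parse_clients(text: str) -> List[dict]:
    """One record per 'WCCP Client ID:' block in 'show ip wccp <group> detail'."""
    clients = []
    for chunk in re.split(r"(?=WCCP Client ID:)", text)[1:]:
        state = re.search(r"State:\s+(\S+)", chunk)
        allot = re.search(r"Hash Allotment:\s+\d+ \(([\d.]+)%\)", chunk)
        clients.append({
            "id": re.search(r"WCCP Client ID:\s+(\S+)", chunk).group(1),
            "state": state.group(1) if state else "unknown",
            "allotment": float(allot.group(1)) if allot else 0.0,
        })
    return clients


def diagnose(summary: Dict[str, int], clients: List[dict]) -> List[str]:
    """Turn the counters into findings; an empty list means the group looks healthy."""
    findings = []
    if summary["clients"] == 0:
        findings.append("no cache has joined the service group: check the service-group id, "
                        "home-router and reachability between cache and router")
        return findings
    usable = [c for c in clients if c["state"] == "Usable"]
    for c in clients:
        if c["state"] != "Usable":
            findings.append(f"client {c['id']} is {c['state']}, not Usable")
        elif c["allotment"] == 0.0:
            findings.append(f"client {c['id']} is Usable but owns no hash buckets")
    if usable and summary["redirected"] == 0:
        findings.append("group is up but no packets redirected: confirm the "
                        "'ip wccp 10 redirect in|out' statement sits on an interface the "
                        "client traffic crosses, and that the cache's wccp 'interface' is "
                        "the one that traffic actually reaches")
    if summary["denied"] > 0:
        findings.append(f"{summary['denied']} packets denied by the redirect-list")
    return findings


def triage(summary_text: str, detail_text: str) -> List[str]:
    """Convenience wrapper: raw show output in, findings out."""
    return diagnose(parse_summary(summary_text), parse_clients(detail_text))


if __name__ == "__main__":
    for finding in triage(SHOW_WCCP, SHOW_WCCP_DETAIL):
        print("-", finding)
```

Run against the sample it prints the single "group is up but no packets redirected" finding; the same two parsers can be pointed at output captured from a real router, and a healthy group (non-zero redirected counter, all clients Usable) yields no findings.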
Dooglave (Author) commented:
Very simple config:


10.1.1.9/24 (Windows Client)
|
10.1.1.1/24
(Cisco 831)
10.5.13.15/26
|
10.5.13.2/26              10.5.13.8/26
(Cisco 2801) ----------(Web Cache)
10.5.13.67/27            10.5.13.71/27
|
10.5.13.65/27
(Cisco 831)
4.1.1.1/24
|
4.1.1.10 (Web Server)
JFrederick29 commented:
You only need one interface on the Blue Coat.  I would use the 10.5.13.8 interface and set the default gateway/route on the blue coat to 10.5.13.1.  Since you are using a router that supports GRE forwarding/return, I would use GRE.

On the Blue Coat:

wccp enable
wccp version 2
service-group 10
forwarding-type GRE
priority 1
protocol 6
service-flags destination-ip-hash
service-flags ports-defined
ports 80 0 0 0 0 0 0 0
interface 2            <-----------make sure you change the interface to the 10.5.13.8 interface
home-router 10.5.13.67
end
Dooglave (Author) commented:
Why choose GRE over L2? The documentation says L2 has less overhead, and we are expecting a lot of traffic. I understand if L2 is problematic. Just curious what you have experienced.
JFrederick29 commented:
I have used GRE and L2.  GRE on ASAs and routers and L2 on 3560s.  Yes, L2 has less overhead, but you shouldn't notice it with a 2800.  GRE is more flexible, as the proxy doesn't have to be directly L2-connected to the router.  I had to work through a bunch of flaky issues getting L2 to work on a 3560 (doesn't support GRE), yet the GRE setup was always simple and flawless, which is the only reason I suggest GRE.  Could have been specific to the 3560, and perhaps L2 with a 2800 is a breeze...
Dooglave (Author) commented:
I think I found the issue, but I did not see this in the documentation when I read it. Time to go back and see if I just missed it or not.

For interface FastEthernet0/0
I added: ip wccp 10 redirect in
JFrederick29 commented:
The "ip wccp 10 redirect out" on the Fa0/1 interface accomplishes the same thing.
Dooglave (Author) commented:
Yeah, but it wasn't working for me. Driving me crazy.

I did try all of your other suggestions and I was still getting the same results as before.  Now I need to figure out why the redirect out wasn't working.
JFrederick29 commented:
Oh, wait, did you actually enable the HTTP proxy service on the Blue Coat?  By default, it is set to "bypass".
Dooglave (Author) commented:
Yes, it's set to intercept.
intercept.JPG
JFrederick29 commented:
Did you enable logging on the Blue Coat?

If so, if you go to "statistics" access log and click "tail log", do you see your connection attempt?

Can you post your current running-config from the 2800?  Do you have a single Blue Coat interface now?  What is its default gateway?

Dooglave (Author) commented:
Man, I'm all mixed up at the moment trying to get other stuff done in parallel. I think I lied earlier. I removed the "redirect in" and it still works.  I changed the interface in the Blue Coat config for WCCP to 10.5.13.8, and I think that's what made it work. If I change it back, it breaks; change it to 10.5.13.8 and it works.

I looked through the docs again and I don't see them specify what the "interface" should be, inbound or outbound. I'm sure they didn't think someone would set it up with two interfaces like we are.

In this case it only works when the interface is set to the outbound one. The WCCP protocol is talking on the other interface, which I'll call inbound.

This is the way I was asked to set it up. I don't recall why. The traffic is going in a loop, creating a wormhole in the universe.


10.1.1.9/24 (Windows Client)
|
10.1.1.1/24
(Cisco 831)
10.5.13.15/26
|
10.5.13.2/26 (inbound) <-- default gateway <-- 10.5.13.8/26 (outbound)
(Cisco 2801) ----------(Web Cache)
10.5.13.67/27 (outbound) --> forwards to --> 10.5.13.71/27 (inbound) (wccp protocol communication)
|
10.5.13.65/27
(Cisco 831)
4.1.1.1/24
|
4.1.1.10 (Web Server)
JFrederick29 commented:
A single IP interface is all that is needed.  If you were to put the Blue Coat inline, you would use the bridging NIC but still only have one IP address.  If you have two IP interfaces, you are asking for problems, and ultimately the Blue Coat will only use one anyway.  Remove the 10.5.13.71 interface and only use the 10.5.13.8 interface with a single default gateway of 10.5.13.1.  The redirect out is perfectly fine.  Are you using GRE or L2 still?  Use a redirect access-list to exclude the proxy IP (10.5.13.8).
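As an added example (not part of the thread), here is a Python evaluator for an IOS extended redirect-list that checks the last point above: a web request sourced from the cache's own IP must hit a deny in the redirect-list, otherwise the router would hand the cache's upstream fetch straight back to the cache. The sample ACLs are constructed: WCCP-LIST mirrors the one in the question, WCCP-LIST-BAD is a contrast case with no exclusion, and 4.1.1.10 is the web server from the diagram. The parser is deliberately narrow (an assumption of this example): extended ACLs only, `any` / `host A.B.C.D` / `A.B.C.D wildcard` addresses, and an optional destination `eq <port>`; source-port matches and non-contiguous wildcards are outside its scope.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample ACLs in IOS config syntax. WCCP-LIST mirrors the redirect-list
# posted in the question; WCCP-LIST-BAD is a contrast case with no proxy exclusion.
WCCP_LIST = """\
ip access-list extended WCCP-LIST
 deny   ip host 10.5.13.8 any
 permit ip any any
"""

WCCP_LIST_BAD = """\
ip access-list extended WCCP-LIST-BAD
 permit tcp any any eq 80
"""

# Also accepts "show access-lists" lines: optional sequence number, trailing "(N matches)".
_ACE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(.*?)(?:\s+\(\d+ matches\))?\s*$"
)


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # destination "eq <port>", None = any port


def _parse_addr(tokens: List[str], i: int):
    """Parse one IOS address spec (any | host A.B.C.D | A.B.C.D wildcard) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # An IOS wildcard is the bitwise inverse of a netmask; non-contiguous wildcards are
    # not supported here (IPv4Network raises on them).
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    return ipaddress.IPv4Network((tok, str(netmask)), strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Return the ACEs of one extended ACL in order; header and blank lines are skipped."""
    aces = []
    for line in text.splitlines():
        m = _ACE_RE.match(line)
        if not m:
            continue
        action, proto, rest = m.groups()
        tokens = rest.split()
        src, i = _parse_addr(tokens, 0)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i + 1 < len(tokens) and tokens[i] == "eq":
            dport = int(tokens[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching ACE wins; IOS appends an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def proxy_excluded(aces: List[Ace], proxy_ip: str, dst: str = "4.1.1.10", dport: int = 80) -> bool:
    """True when a web request sourced from the cache's own IP is NOT redirected (the
    redirect-list denies it), so the router forwards it upstream instead of back to
    the cache. 4.1.1.10 is the web server from the thread's diagram."""
    return evaluate(aces, "tcp", proxy_ip, dst, dport) == "deny"


if __name__ == "__main__":
    for text in (WCCP_LIST, WCCP_LIST_BAD):
        name = text.splitlines()[0].split()[-1]
        print(name, "excludes proxy 10.5.13.8:", proxy_excluded(parse_acl(text), "10.5.13.8"))
```

Because `parse_acl` also understands the sequence-numbered `show access-lists` form with match counters, the same check can be run on output pulled from the router rather than on the saved config.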
Dooglave (Author) commented:
Thanks for your help, man. I realize a single interface is best, but due to the load we are trying to split the work of the interfaces up a little. I got it to work by configuring the outbound in unicast and both in multicast. We'll see if it blows up or not.

Stay tuned, I have a new problem between L2 and GRE, another one against your advice ;)