WCCP Problem between Cisco 6500 and Bluecoat ASG S200

Hello Experts
I'm trying to set up WCCP between a Cisco 6500 router and a Bluecoat ASG-S200.

This is the WCCP configuration on 6500 side :


access-list 150 permit tcp any any eq www
access-list 150 permit tcp any any eq 443

ip wccp web-cache
ip wccp 90 redirect list 150

int vlan 100
description << Client VLAN >>
ip wccp 150 redirect in




sh ip wccp 90 detail
        No information is available for the service




Debugging on Cisco 6500

8385566: 20w4d: WCCP-EVNT:D150: Here_I_Am packet from 10.1.150.2: service not active



Thanking in advance
cciedreamerAsked:

arnoldCommented:
You need to set up the GRE tunnel that will handle the WCCP setup of the connection that, based on that, will divert and apply your access-list 150. In the current setup, the WCCP is not set up between the 6500 and the Bluecoat ASG S200, which is why the access list does not apply.

Have you had a chance to configure the WCCP interaction to the Symantec?

Not sure it applies to you, but you
https://support.symantec.com/en_US/article.DOC10109.html
0
cciedreamerAuthor Commented:
Hi Arnold,

Can you please provide the relevant config to apply GRE
0
arnoldCommented:
Please look at what you have on the ASG 200 that accepts the WCCP peering session.

WCCP works in such a way that the redirect on the Cisco to the proxy will only work when the WCCP session to the peer is established; when the WCCP peer is inaccessible, the Cisco will bypass the access-list 150 you want it to enforce.
This is why the user is none the wiser until and unless they are warned that an attempt to access a site was denied by....
0

Craig BeckCommented:
int vlan 100
description << Client VLAN >>
ip wccp 150 redirect in

Use...

ip wccp 90 redirect in
0
cciedreamerAuthor Commented:
Hi Craigbeck
I have tried it but no luck

On Bluecoat, what router IP address should I provide from the config ?
0
cciedreamerAuthor Commented:
Hi Arnold.

This is bluecoat configuration

Service Group: 150
Ports to Redirect: 80,443
Forwarding Type: L2
Returning Type: L2
Assignment Type: Mask
Mask Value
0x1
0
arnoldCommented:
Check whether the proxy server is configured to establish a wccp session to your Cisco router.
This is what your router reports, no wccp services...


https://thejimmahknows.com/proxy-wccp-cisco-asa-squid-3-4/
This provides a complete wccp setup using an ASA and a squid proxy.
The Cisco is configured with the handling when a WCCP peer establishes a connection, in the absence of which the Cisco will allow the clients direct access....
0
cciedreamerAuthor Commented:
Please find my attached design.
I am pulling my hair now to make this work :(
PROXY-DESIGN.png
0
arnoldCommented:
The proxy needs to be configured to establish a WCCP GRE connection to the peer, the Cisco 6500.
Once the proxy sets up the WCCP connection, your command on the Cisco, sh ip wccp 90 detail,
returns the Bluecoat as the peer.
Port 80 from clients will be redirected to the proxy.
You need to exempt the Bluecoat IP from matching the redirect rule or you will create a loop..

The document from Symantec is supposed to be a guide on configuring their proxy to set up the WCCP session.

Your Bluecoat config does not include, as far as I can tell, that it should establish a WCCP session and who the WCCP peer is.
0
arnoldCommented:
Based on your image

Client accesses a web site, the packet destined to port 80 hits the Cisco, the Cisco checks whether it has a web-cache peer (WCCP active session), and seeing none, it allows the packet out through the Internet gateway.
Until such time that the Bluecoat ASG establishes a WCCP session to the 6500, the access-list 150 will not be enforced on the Cisco 6500 to redirect the web destined packet to the Bluecoat ASG through the WCCP tunnel.
0
cciedreamerAuthor Commented:
I've already exempted it from the access-list on the Cisco but no luck.
Can you please provide me a working config between Cisco 6500 and Bluecoat? I'll appreciate that.

Just one more concern, what router IP address do I need to add on Bluecoat? Maybe I provided a wrong IP.
0
arnoldCommented:
I've not worked with bluecoat asg.

You need to configure blue coat to get an affirmative answer to running sh ip wccp 90 detail on the router, 6500
For the access list to apply.

Usually the access-list 150 deny TCP <bluecoat ip> any as the first line to exempt bluecoat from hitting this redirect.

Note your Cisco config besides the missing exemption for bluecoat, is properly setup for wccp.
8385566: 20w4d: WCCP-EVNT:D150: Here_I_Am packet from 10.1.150.2: service not active

Not sure why you are redirecting port 443, as all the proxy will do is set up a connection through which .......
0
arnoldCommented:
You might want to add port 8080 as those too are common web server ports, tomcat ......

Try using one client, explicitly directing it to use the Bluecoat ASG as the proxy, validate the setup, config to be functional and perform as expected, before pushing it onto .....
0
cciedreamerAuthor Commented:
Finally, the peering is established between the 6500 and the SG.
I provided the wrong Service Group on Bluecoat; it was 150.

However the client is not able to access the internet, the access-list is hitting https traffic

sh ip access-lists 150
Extended IP access list 150
    10 deny ip host 10.1.128.2 10.0.0.0 0.255.255.255
    11 deny ip any 10.0.0.0 0.255.255.255
    12 permit tcp any any eq www
    13 permit tcp any any eq 443 (2 matches)
    20 permit tcp 10.1.128.0 0.0.0.255 any eq www
    30 permit tcp 10.1.128.0 0.0.0.255 any eq 443
0
arnoldCommented:
I do not understand where this access list is applied.

You have VLAN 200 for the clients, you have VLAN 100 for the Bluecoat ASG.
Usually they will not have the same IP segments.


I am uncertain I understand the flow: one is a client on the VLAN 200 segment hitting the 6500 meeting the conditions of going to www or 443, the packet is then redirected to the WCCP peer IP which is on the VLAN 100;
the Bluecoat on VLAN 100 should not be meeting the redirect rule and thus should be allowed out to get the response that it would then forward to the client via the 6500 WCCP feed to the VLAN 200.

Your WCCP redirect should only apply to the VLAN 200 clients.

Does using the Bluecoat ASG proxy directly work?

i.e. client in VLAN 200 is configured with HTTP proxy to ASG port anything other than 80,443 (you may have Bluecoat configured with ports that would preclude the direct use of the proxy directly, unless you exempt the port 80/443 access attempts from any to the Bluecoat IP within the access list 150).

First thing is to make sure that the Bluecoat ASG can access the outside on any port and is not hitting the redirect to itself. Check the ASG's logs to see whether it sees a loop, i.e. it will see a packet from itself.
0
cciedreamerAuthor Commented:
Finally got it working as follows

ip wccp web-cache
ip wccp 90 redirect-list 150

int vlan 200
 ip wccp 90 redirect in     ------ > as craigbeck suggested.
0
arnoldCommented:
That is what you had, your VLAN labels were switched, you were applying the wccp rule onto the bluecoat ASG versus on the client ....

Glad we could help.
0
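To make the three points of this thread concrete (the service group must match on both ends before the service is active, "redirect in" only acts on the VLAN it is applied to, and the redirect-list must exempt the proxy's own address or its outbound fetches loop back into the tunnel), here is a small Python model of the 6500's redirect decision. It is an added example, not code from the thread or from Cisco; it assumes 10.1.150.2 (the address in the debug line above) is the Bluecoat and 10.1.128.0/24 (from the access list above) is the client segment, and it only understands the IOS ACE forms that appear in this thread.

```python
import ipaddress

PORT_NAMES = {"www": 80}   # IOS shows port 80 as "www" in the redirect-list above

def _addr(tok, i):
    # One IOS address term: "any", "host A.B.C.D" or "A.B.C.D WILDCARD".
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    # A contiguous IOS wildcard (e.g. 0.0.0.255) leaves 32 - bit_length prefix bits.
    wildcard = int(ipaddress.IPv4Address(tok[i + 1]))
    return ipaddress.IPv4Network((tok[i], 32 - wildcard.bit_length()), strict=False), i + 2

def parse_ace(line):
    # "permit tcp 10.1.128.0 0.0.0.255 any eq www" -> (action, src, dst, dport or None)
    tok = line.split()
    action, i = tok[0], 2            # tok[1] is the protocol; not modelled here
    src, i = _addr(tok, i)
    dst, i = _addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return action, src, dst, dport

def acl_permits(acl, src_ip, dst_ip, dport):
    # First match wins; no match is the implicit deny, i.e. not redirected.
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src, dst, port in map(parse_ace, acl):
        if s in src and d in dst and port in (None, dport):
            return action == "permit"
    return False

def redirect_decision(router_sg, proxy_sg, redirect_vlan, acl,
                      ingress_vlan, src_ip, dst_ip, dport):
    # A service-group mismatch (90 on the 6500, 150 on the proxy) keeps the
    # service inactive, so nothing is redirected. "redirect in" only sees
    # packets entering the VLAN it is applied to; the redirect-list then decides.
    if router_sg != proxy_sg:
        return "service not active"
    if ingress_vlan != redirect_vlan:
        return "bypass"
    return "redirect" if acl_permits(acl, src_ip, dst_ip, dport) else "bypass"

def proxy_loops(acl, proxy_ip):
    # The proxy's own outbound fetch must not match the redirect-list, or the
    # 6500 sends it straight back into the WCCP tunnel. 203.0.113.10 is a
    # constructed example destination.
    return acl_permits(acl, proxy_ip, "203.0.113.10", 80)
```

Running redirect_decision with router service group 90 and proxy service group 150 reproduces the "service not active" state, and proxy_loops shows why the deny line for the Bluecoat address has to come first in access-list 150.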
cciedreamerAuthor Commented:
Thanks Arnold and Craigbeck

Last question,

How do I apply redirection to Bluecoat for all VLANs instead of applying the policy VLAN by VLAN?

Thanks
0
arnoldCommented:
In your scenario, you would apply it on the trunk interface feeding all VLANs, but then you have to exempt the Bluecoat based on IP.


The diagram you have:
Port A from the 6500 trunk feeds a switch that has VLANs configured?

Instead of applying the WCCP on a VLAN, you would apply it on the interface that feeds the downstream switch and where all the VLANs are identified as permitted to enter that trunk...

While it might make more entries, it also will be easier to read, i.e. looking at the config, each VLAN has a rule.
The other way, you will be chasing down the packet until you see the rule at the top of the trunk interface.....

How many VLANs do you have on which you would need to apply this rule?

On the Bluecoat, do you have different rules depending on the source/VLAN from which each request comes in?
0
cciedreamerAuthor Commented:
I have a separate VLAN between Bluecoat and Core
Separate VLAN between Firewall and Core
There is a default route on Core Switch pointing to Firewall.

Firewall is feeding internet to Bluecoat
0
arnoldCommented:
The diagram you provided has one feed to clients; is VLAN 200 a single switch port, and VLAN 100 to Bluecoat another switch port?

Or do you have router switchport A to switchport 1 on SwitchA defined as a trunk where VLAN 1, 200, 100, ...etc can enter,
and SwitchA has port B VLAN 100 feeding Bluecoat, port C VLAN 200 feeding clientA, port D VLAN X feeding client2?

You have a tree:
Router
    Top
    You can apply the rule at the trunk, top rule, but here you have to exempt, exclude packets from the proxy to avoid creating a loop, i.e. using your existing setup, the access-list 150 first line will be to deny Bluecoat originating traffic destined to port 80 or 443 (any traffic) from entering the WCCP tunnel.
Switch (virtual VLAN)
    branch
    You can apply the rule per branch/VLAN
0
cciedreamerAuthor Commented:
Or I can just apply redirect on vlan interface between Core and Firewall
Any traffic coming from client will be redirected to Bluecoat ?
0
arnoldCommented:
Though in your case, the 6500 switch, you would apply the reroute before it leaves the interface on the way to the internet gateway, as that is the single point out.


i.e. on the outside interface you would redirect web traffic to the proxy before it leaves this port, on the way out.
The following may cover and explain the considerations.

https://learningnetwork.cisco.com/thread/40843

The same applies, you would need to exclude the bluecoat ASG IP/s from being caught by this rule, potentially if you have VLAN of servers, you might want to exempt them as well ......
0
arnoldCommented:
Without the full picture of what you mean, it is hard to answer as what I might think you have based on what you said might not be what you meant or my interpretation of what you described is different.

The main point, the redirect has to occur on the switch/device to which the bluecoat ASG establishes the WCCP session.
                                         Bluecoat ASG
                                                ^
                                               ||
                                                v
Internet  <=> core <=> switches

You can not apply a rule on the core, as it will never apply because the WCCP session is not there and it will get the same notice,

8385566: 20w4d: WCCP-EVNT:D150: Here_I_Am packet from 10.1.150.2: service not active
0
cciedreamerAuthor Commented:
Bluecoat is establishing the session with Core
0
arnoldCommented:
How is the core configured?
You can apply the rule per VLAN as you have it,
or you can apply it on the physical interface that feeds the rest if a single trunk; if the core feeds multiple switches, and you do not want to apply a per-interface redirect in rule,
you would need to find the single point where all the packets hit, and that could be the single outgoing port to the internet gateway, in which case the redirect will be based on applying to traffic on the way OUT.

                                          |
                                          V
Client web access request => Switch => Core_port via outgoing port => Internet Gateway

You would redirect the traffic with the exception of that from the bluecoat ASG ip, before it is allowed out to the internet gateway

For a single entry, you have to find the single choke point.
0
cciedreamerAuthor Commented:
I'd apply it on the VLAN that is between the firewall (out) with a deny statement excluding the Bluecoat IP.

I suppose that would work
0
arnoldCommented:
Test first, vlan?
You either apply on vlans, or interfaces.

You will be placing the out rule on the uplink interface from core to Internet feed/gateway
0
cciedreamerAuthor Commented:
Thank you Arnold and Craigbeck, everything is working as desired.
I appreciate your great support.
0
Question has a verified solution.
