Not all equipment supports all modes, but here goes.
Every time a new request comes through, the router looks up in its hash table to determine which cache to send the traffic to. At the moment for you, that cache determination is done via both Source IP and Destination IP which is almost the worst of all worlds as you can't guarantee which cache a specific user will use and can't guarantee which cache all users will use for a specific destination.
User A + Site A may go to cache 1
User A + Site B may go to cache 2
User B + Site A may go to cache 2
User B + Site B may go to cache 1
Not ideal. It's not quite the worst option as at least you can keep track of the User/Destination pairs if you wanted to, but still a pain.
If you weren't authenticating and you were attempting to save bandwidth (not generally a concern in this day and age) you would probably want to hash just based on destination IP. That way regardless of the user, they would use the same cache which may have already cached that content. This used to be useful but is of limited use with web 2.0 stuff/dynamic sites and certainly looks odd if you are doing auth or troubleshooting.
Source IP + Source port is what you want to use if everyone is coming from the same IP address as each new connection would use some arbitrary high port. In this case it will be completely random as to which cache a user will end up using from request to request.
Source IP will just split the requests coming in across the caches based on the client's IP. That way assuming they don't change addresses and the cache pool is static, they use the same proxy.
It's a good thing for authentication, it's a good thing for troubleshooting and you should consider it.
On a side note, you should be able to switch it with almost no interruption of service basically by changing the options for WCCP on the MWGs. However, if you can, I would probably disable WCCP on all MWGs, change the settings and then rejoin with the router(s).
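The effect of each key choice described above can be reproduced with a small model. This is an added example, not part of the original posts: the XOR-fold hash, the cache names and every address and port are constructed stand-ins, not the hash that WCCP or the router actually uses.

```javascript
// Added illustration: toy model of router-side cache selection.
// The XOR fold is a stand-in, NOT the hash WCCP or any Cisco device uses.
const CACHES = ["cache 1", "cache 2"];

const ipBytes = (ip) => ip.split(".").map(Number);
const portBytes = (port) => [port >> 8, port & 0xff];

// Which packet fields feed the hash in each mode discussed in the thread.
const MODES = {
  "src-ip+dst-ip": (f) => [...ipBytes(f.src), ...ipBytes(f.dst)],
  "dst-ip": (f) => ipBytes(f.dst),
  "src-ip+src-port": (f) => [...ipBytes(f.src), ...portBytes(f.sport)],
  "src-ip": (f) => ipBytes(f.src),
};

// Fold the selected bytes into one of 256 buckets, then map bucket -> cache.
function pickCache(mode, flow) {
  const bucket = MODES[mode](flow).reduce((acc, b) => acc ^ b, 0);
  return CACHES[bucket % CACHES.length];
}

// For every client IP, collect the sorted list of caches its flows land on.
// One entry per client means stable auth sessions and a single log to search.
function cachesPerClient(mode, flows) {
  const seen = new Map();
  for (const f of flows) {
    if (!seen.has(f.src)) seen.set(f.src, new Set());
    seen.get(f.src).add(pickCache(mode, f));
  }
  return new Map([...seen].map(([ip, set]) => [ip, [...set].sort()]));
}

// Constructed flows: two users (A = .20, B = .21), two sites (A = .10, B = .11).
const FLOWS = [
  { src: "10.1.1.20", sport: 50001, dst: "203.0.113.10" },
  { src: "10.1.1.20", sport: 50002, dst: "203.0.113.11" },
  { src: "10.1.1.21", sport: 50003, dst: "203.0.113.10" },
  { src: "10.1.1.21", sport: 50004, dst: "203.0.113.11" },
];

for (const mode of Object.keys(MODES)) {
  console.log(mode, Object.fromEntries(cachesPerClient(mode, FLOWS)));
}
```

Only the `src-ip` mode leaves each client on a single cache; the other three spread one user's requests over both.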
Very good explanation. We are using Hash...but I believe we have to use Mask in order for the Source IP to actually matter.
Right now it is set to hash and I believe the WCCP ASA comes up with the hash and it doesn't matter what IP or Destination IP is.
From the MWG Product Guide:
Input for load
(The main item does not appear in the list, but is visible in the Add and Edit windows. The
four elements shown below are related to it, specifying what is used in a data packet as the
criteria for load distribution.)
When running multiple appliances, load distribution can be configured for the proxies on
them. Data packets can be distributed to these proxies based on the masking of source or
destination IP addresses and port numbers or on a hash algorithm.
• Source IP — When selected, load distribution relies on the masking of source IP
• Destination IP — When selected, load distribution relies on the masking of destination
• Source port — When selected, load distribution relies on the masking of source port
• Destination port — When selected, load distribution relies on the masking of the
destination port numbers.
Assignment method
(The main item does not appear in the list, but is visible in the Add and Edit windows. The
two elements shown below are related to it, specifying the method used for load
• Assignment by mask — When selected, masking of the parameter specified above is
used for load distribution.
• Assignment by hash — When selected, a hash algorithm is used for load distribution.
Mask does not work with my Cisco ASA. I put it back to Hash and selected only Source IP and it works like it should. I was only hitting one proxy instead of both back and forth like it was. This is definitely better for authentication and log purposes.
Thanks for the help.
That documentation is a little misleading. Hash and mask are just slightly different mechanisms for coming up with the load distribution. Both support source IP only (and the other options for that matter). Basically the ASA/Router takes whatever pairs you give it (source|destination IP|Port, or all iterations) and either hashes that value to determine which cache gets the traffic, or looks at a mask table of all the possibilities. You were using the default (maybe it shouldn't be) source ip + destination ip.
I believe hash is supposed to be a little smarter (which is why all modern Cisco equipment only supports it) especially when the pairs are all right next to each other.
After some modifications, I have come up with this as being the best way to load balance with a .pac file. Notice I have replaced "if (myseg==Math.floor(myseg/2)*2)" which takes more time to process and used the MOD.
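function FindProxyForURL(url, host) {
    // Find the 4th octet of the client's IPv4 address
    var myIp = myIpAddress();
    var ipBits = myIp.split(".");
    var mySeg = parseInt(ipBits[3], 10); // index 3 = last octet, parsed as decimal
    if ((mySeg % 2) == 0) // Check to see if 4th octet is EVEN
        return "PROXY ed-proxy1:8080; PROXY ed-proxy2:8080; DIRECT";
    else // If ODD (also reached if the address is not dotted IPv4)
        return "PROXY ed-proxy2:8080; PROXY ed-proxy1:8080; DIRECT";
}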