cancel
Showing results for 
Search instead for 
Did you mean: 
nick.olson
Level 9

Problems with MWG 7.2 & 7.3 WCCP

Jump to solution

Good morning,

I'm using a Cisco AG3560 to run my wccp re-direct and have MWG 7.3.  The MWG is ste to use "Proxy (Optional WCCP)"

However, we are having the damnest time getting it to redirect traffic.  It had been working for over a year, then out of the blue it just stopped working.

My IP for the web gateway is 10.1.252.19, and my wccp router is 10.1.252.10.

For whatever reason the web gateway is able to see the router and the "here i am packets" but I cannot get anything to redirect to it.

My wccp config is below.

ip wccp 51 redirect-list 120

!

interface Loopback0

ip address 10.1.254.17 255.255.255.255

!

interface GigabitEthernet0/21

description McAfee web gateway

switchport access vlan 1001

switchport mode access

!

interface GigabitEthernet0/26

no switchport

ip address 10.1.252.10 255.255.255.252

ip wccp 51 redirect in

load-interval 30

!

interface Vlan1001

ip address 10.1.252.17 255.255.255.240

!

access-list 120 permit ip any any

Also here is my output for ip wccp view.

#sh ip wccp 51 view

WCCP Routers Informed of:

10.1.254.17

WCCP Clients Visible:

10.1.252.19

WCCP Clients NOT Visible:

-none-

I have the Web Gateway setup with process 51 and my wccp router on the MWG is 10.1.252.10.

I opened a ticket with McAfee support and the engineer was very helpful and examined our configs and feedback files.  Here is the McAfee Engineer's response in red:

Everything on your Web Gateway configuration looks good,and the Cisco config seems OK as well.

Ultimately, we can see that the router sends 'I See You'packets to the Web Gateway, but does not assign any buckets to the WebGateway.  As such, your router is notsending web traffic to the Web Gateway.

Take a look at the attached screenshot.  We can see that, indeed the Router sends 'ISee You' packets back to the Web Gateway.

We see that the 'Receive ID' is valid, as it isincrementing properly each time.

The Forwarding method matches what you have defined inyour Web Gateway configuration, which looks OK.

However, there is an 'Unknown Capability Element' thatappears to be the result of a mismatch in configuration somewhere.

As a result, we don't ever see 'bucket assigments' in the'I See You' packets, and the router is not sending us data.

We are still waiting to hear back from Cisco on this as well.

I've attached screenshots of the configs

Any ideas?

We've been working on this for nearly two weeks now trying to get it working and I have a feeling it is going to be something extremely silly.  (Isn't it always something silly on problems that take forever to resolve?)

Thanks!

0 Kudos
1 Solution

Accepted Solutions
trishoar
Level 11

Re: Problems with MWG 7.2 & 7.3 WCCP

Jump to solution

Is the proxy server listening on ip 0.0.0.0? They made a change between 7.1 and 7.2 (that was not in the release notes) to how the IPtables rules are built which menas you must listen on 0.0.0.0 for the redirect to work.

Tris

20 Replies
McAfee Employee

Re: Problems with MWG 7.2 & 7.3 WCCP

Jump to solution

Hi Nick,

The unknown capability element is could just wireshark not interpreting the protocol. Try a newer version of wireshark and you should see more information. That is where the mask assignment information should show up.

Otherwise, see below commands you can use for debugging on the cisco device:

# Turn on debugging for events:

debug ip wccp events

# Turn on debugging for packets:

debug ip wccp packets

# Turn off debugging for events:

no debug ip wccp events

# Turn off debugging for packets:

no debug ip wccp packets

#To output to the screen you may need to type:

term mon

#To turn off all possible debugging, you can use the following command:

u all

# General service commands:

sh ip wccp 51 service

sh ip wccp 51 detail

sh ip wccp 51 view

sh ip wccp 51

If you get any useful output post it here and send it in to the case.

As I was typing this, I found your SR, I'll see what I can do with my colleague you've been working with. Ultimatley though I think Cisco will have a better idea of what they dont like about what we're putting down (in terms of WCCP), and they will have an idea of how to correct it.

Best,

Jon

0 Kudos
McAfee Employee

Re: Problems with MWG 7.2 & 7.3 WCCP

Jump to solution

I was wrong about the unknown capability. I just tried a newer version of wireshark and it says the same thing.

Try the above Cisco commands and lets see the output.

Best,

Jon

0 Kudos
nick.olson
Level 9

Re: Problems with MWG 7.2 & 7.3 WCCP

Jump to solution

Alright, here are the responses of those commands:

#sh ip wccp 51 service

WCCP service information definition:

        Type:          Dynamic

        Id:            51

        Priority:      0

        Protocol:      6

        Options:       0x00000012

        --------

            Mask/Value sets:  1

            Value elements :  64

            Dst Ports: 80 443 0 0 0 0 0 0

#sh ip wccp 51 detail

WCCP Client information:

        WCCP Client ID:          10.1.252.19

        Protocol Version:        2.0

        State:                   Usable

        Redirection:             L2

        Packet Return:           GRE

        Assignment:              MASK

        Connect Time:            01:59:55

        Redirected Packets:

          Process:               0

          CEF:                   0

        GRE Bypassed Packets:

          Process:               0

          CEF:                   0

        Mask Allotment:          64 of 64 (100.00%)

        Mask  SrcAddr    DstAddr    SrcPort DstPort

        ----  -------    -------    ------- -------

        0000: 0x00000000 0x00001741 0x0000  0x0000

        Value SrcAddr    DstAddr    SrcPort DstPort

        ----- -------    -------    ------- -------

        0000: 0x00000000 0x00000000 0x0000  0x0000

        0001: 0x00000000 0x00000001 0x0000  0x0000

        0002: 0x00000000 0x00000040 0x0000  0x0000

        0003: 0x00000000 0x00000041 0x0000  0x0000

        0004: 0x00000000 0x00000100 0x0000  0x0000

        0005: 0x00000000 0x00000101 0x0000  0x0000

        0006: 0x00000000 0x00000140 0x0000  0x0000

        0007: 0x00000000 0x00000141 0x0000  0x0000

        0008: 0x00000000 0x00000200 0x0000  0x0000

        0009: 0x00000000 0x00000201 0x0000  0x0000

        0010: 0x00000000 0x00000240 0x0000  0x0000

        0011: 0x00000000 0x00000241 0x0000  0x0000

        0012: 0x00000000 0x00000300 0x0000  0x0000

        0013: 0x00000000 0x00000301 0x0000  0x0000

        0014: 0x00000000 0x00000340 0x0000  0x0000

        0015: 0x00000000 0x00000341 0x0000  0x0000

        0016: 0x00000000 0x00000400 0x0000  0x0000

        0017: 0x00000000 0x00000401 0x0000  0x0000

        0018: 0x00000000 0x00000440 0x0000  0x0000

        0019: 0x00000000 0x00000441 0x0000  0x0000

        0020: 0x00000000 0x00000500 0x0000  0x0000

        0021: 0x00000000 0x00000501 0x0000  0x0000

        0022: 0x00000000 0x00000540 0x0000  0x0000

        0023: 0x00000000 0x00000541 0x0000  0x0000

        0024: 0x00000000 0x00000600 0x0000  0x0000

        0025: 0x00000000 0x00000601 0x0000  0x0000

        0026: 0x00000000 0x00000640 0x0000  0x0000

        0027: 0x00000000 0x00000641 0x0000  0x0000

        0028: 0x00000000 0x00000700 0x0000  0x0000

        0029: 0x00000000 0x00000701 0x0000  0x0000

        0030: 0x00000000 0x00000740 0x0000  0x0000

        0031: 0x00000000 0x00000741 0x0000  0x0000

        0032: 0x00000000 0x00001000 0x0000  0x0000

        0033: 0x00000000 0x00001001 0x0000  0x0000

        0034: 0x00000000 0x00001040 0x0000  0x0000

        0035: 0x00000000 0x00001041 0x0000  0x0000

        0036: 0x00000000 0x00001100 0x0000  0x0000

        0037: 0x00000000 0x00001101 0x0000  0x0000

        0038: 0x00000000 0x00001140 0x0000  0x0000

        0039: 0x00000000 0x00001141 0x0000  0x0000

        0040: 0x00000000 0x00001200 0x0000  0x0000

        0041: 0x00000000 0x00001201 0x0000  0x0000

        0042: 0x00000000 0x00001240 0x0000  0x0000

        0043: 0x00000000 0x00001241 0x0000  0x0000

        0044: 0x00000000 0x00001300 0x0000  0x0000

        0045: 0x00000000 0x00001301 0x0000  0x0000

        0046: 0x00000000 0x00001340 0x0000  0x0000

        0047: 0x00000000 0x00001341 0x0000  0x0000

        0048: 0x00000000 0x00001400 0x0000  0x0000

        0049: 0x00000000 0x00001401 0x0000  0x0000

        0050: 0x00000000 0x00001440 0x0000  0x0000

        0051: 0x00000000 0x00001441 0x0000  0x0000

        0052: 0x00000000 0x00001500 0x0000  0x0000

        0053: 0x00000000 0x00001501 0x0000  0x0000

        0054: 0x00000000 0x00001540 0x0000  0x0000

        0055: 0x00000000 0x00001541 0x0000  0x0000

        0056: 0x00000000 0x00001600 0x0000  0x0000

        0057: 0x00000000 0x00001601 0x0000  0x0000

        0058: 0x00000000 0x00001640 0x0000  0x0000

        0059: 0x00000000 0x00001641 0x0000  0x0000

        0060: 0x00000000 0x00001700 0x0000  0x0000

        0061: 0x00000000 0x00001701 0x0000  0x0000

        0062: 0x00000000 0x00001740 0x0000  0x0000

        0063: 0x00000000 0x00001741 0x0000  0x0000

#sh ip wccp 51 view 

    WCCP Routers Informed of:

        10.1.254.17

    WCCP Clients Visible:

        10.1.252.19

    WCCP Clients NOT Visible:

        -none-

#sh ip wccp 51    

Global WCCP information:

    Router information:

        Router Identifier:                   10.1.254.17

        Protocol Version:                    2.0

    Service Identifier: 51

        Number of Service Group Clients:     1

        Number of Service Group Routers:     1

        Total Packets Redirected:            0

          Process:                           0

          CEF:                               0

        Service mode:                        Open

        Service Access-list:                 -none-

        Total Packets Dropped Closed:        0

        Redirect access-list:                -none-

        Total Packets Denied Redirect:       0

        Total Packets Unassigned:            0

        Group access-list:                   -none-

        Total Messages Denied to Group:      0

        Total Authentication failures:       0

        Total GRE Bypassed Packets Received: 0

          Process:                           0

          CEF:                               0

0 Kudos
nick.olson
Level 9

Re: Problems with MWG 7.2 & 7.3 WCCP

Jump to solution

Here is what the log is showing for wccp events and packets:

22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7045

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7046

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7047

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7048

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7049

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7050

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7051

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7052

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7053

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7054

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7055

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7056

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7057

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7058

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7059

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7060

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7061

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7062

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7063

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7064

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7065

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7066

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7067

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7068

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7069

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7070

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7071

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7072

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7073

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7074

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7075

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7076

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7077

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7078

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7079

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7080

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7081

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7082

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7083

4d22h: WCCP-EVNTSmiley Very Happy51: updating wc orig assign info

4d22h: WCCP-EVNTSmiley Very Happy51: reuse wc orig mask info (28 bytes)

4d22h: WCCP-EVNTSmiley Very Happy51: wc assignment validated

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7084

4d22h: WCCP-EVNTSmiley Very Happy51: updating wc orig assign info

4d22h: WCCP-EVNTSmiley Very Happy51: reuse wc orig mask info (28 bytes)

4d22h: WCCP-EVNTSmiley Very Happy51: wc assignment validated

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7085

4d22h: WCCP-EVNTSmiley Very Happy51: updating wc orig assign info

4d22h: WCCP-EVNTSmiley Very Happy51: reuse wc orig mask info (28 bytes)

4d22h: WCCP-EVNTSmiley Very Happy51: wc assignment validated

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7086

4d22h: WCCP-EVNTSmiley Very Happy51: updating wc orig assign info

4d22h: WCCP-EVNTSmiley Very Happy51: reuse wc orig mask info (28 bytes)

4d22h: WCCP-EVNTSmiley Very Happy51: wc assignment validated

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7087

4d22h: WCCP-EVNTSmiley Very Happy51: updating wc orig assign info

4d22h: WCCP-EVNTSmiley Very Happy51: reuse wc orig mask info (28 bytes)

4d22h: WCCP-EVNTSmiley Very Happy51: wc assignment validated

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7088

4d22h: WCCP-EVNTSmiley Very Happy51: updating wc orig assign info

4d22h: WCCP-EVNTSmiley Very Happy51: reuse wc orig mask info (28 bytes)

4d22h: WCCP-EVNTSmiley Very Happy51: wc assignment validated

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7089

4d22h: WCCP-EVNTSmiley Very Happy51: updating wc orig assign info

4d22h: WCCP-EVNTSmiley Very Happy51: reuse wc orig mask info (28 bytes)

4d22h: WCCP-EVNTSmiley Very Happy51: wc assignment validated

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7090

4d22h: WCCP-EVNTSmiley Very Happy51: updating wc orig assign info

4d22h: WCCP-EVNTSmiley Very Happy51: reuse wc orig mask info (28 bytes)

4d22h: WCCP-EVNTSmiley Very Happy51: wc assignment validated

4d22h: WCCP-PKTSmiley Very Happy51: Sending ISY to 10.1.252.19, rcv_id:7091

0 Kudos
McAfee Employee

Re: Problems with MWG 7.2 & 7.3 WCCP

Jump to solution

Please also do the packet and event debugging (just let it run a little bit). Based on the above output the Cisco device see's the MWG as "Usable", yet its not forwarding packets.

Best,

jon

0 Kudos
nick.olson
Level 9

Re: Problems with MWG 7.2 & 7.3 WCCP

Jump to solution

Is that enough in the above log or should I let it run some more?

0 Kudos
McAfee Employee

Re: Problems with MWG 7.2 & 7.3 WCCP

Jump to solution

Sorry I wrote while you were posting it. That output doesnt tell me much unfortunatley, based on all the infromation presented I would guess that traffic would be flowing to the MWG.

Are we sure there isnt any problems with the ACLs that are in place to redirect the traffic?

Best,

Jon

Message was edited by: jscholte on 11/1/12 1:27:47 PM CDT
0 Kudos
nick.olson
Level 9

Re: Problems with MWG 7.2 & 7.3 WCCP

Jump to solution

The ACLs look to be correct.

The ACL we are using for wccp redirect is named "120"

ACL details on that list show as follows:

Extended IP access list 120

     permit IP any any

From the config it shows as:

access-list 120 permit ip any any

0 Kudos
McAfee Employee

Re: Problems with MWG 7.2 & 7.3 WCCP

Jump to solution

Yeah, I'm not sure at this point, so I'd wonder what Cisco has to say or if anyone else has anyone else has any ideas.

Best,

Jon

0 Kudos