Problem with Anyconnect to servers traffic via WCCP


14 replies to this topic

#1 ccie109
Posted 04 November 2019 - 04:09 AM

Hi All,

I am trying to access server1 http://192.168.101.3:8080 from Anyconnect PC and having problems accessing the page using both IE and FF. Seems like the issue is on the WSA end.

Anyconnect ---ASA1V---R1--- NGIPS --- R2--- R3--- Server [192.168.101.3]
  
R2 is connected to WCCP.



NGIPS and WSA are properly configured as far as I can tell.
WSA is configured to allow Firefox and block IE traffic to this server.

I can see packets from Anyconnect client arriving on R2

Nov  4 03:50:23.721: %FMANFP-6-IPACCESSLOGP: F0: fman_fp_image:  list 111 permitted tcp 172.16.1.1(49418) -> 192.168.101.3(8080), 1 packet
Nov  4 03:50:23.982: %FMANFP-6-IPACCESSLOGP: F0: fman_fp_image:  list 111 permitted tcp 172.16.1.1(49419) -> 192.168.101.3(8080), 1 packet


I can see them being redirected to WCCP based on this debug and by monitoring redirected packets in the "sh ip wccp" output
R2#
Nov  4 03:50:28.524: WCCP-EVNT:IPv4:D50: updating wc 150.1.7.213 orig assign info (hash)
Nov  4 03:50:28.524: WCCP-PKT:IPv4:D50: Sending ISY to 150.1.7.213, rcv_id:590
Nov  4 03:50:28.524: WCCP-PKT:IPv4:D50: Sending 176 bytes from 150.1.7.232 to 150.1.7.213


R2# sh ip wccp all
Global WCCP information:
Router information:
Router Identifier:    150.1.7.232

Service Identifier: 50
Protocol Version: 2.01
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets Redirected: 107
  Process:    0
  CEF:    0
  Platform:   107
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect access-list: redirect
Total Packets Denied Redirect:    0
Total Packets Unassigned: 0

I captured on R3 and I see ICMP packets sent to 192.168.101.3 but that's about it
*Nov  4 03:44:10.773: %FMANFP-6-IPACCESSLOGDP: F0: fman_fp_image:  list 101 permitted icmp 10.1.23.2 -> 192.168.101.3 (3/1), 46 packets
*Nov  4 03:49:10.784: %FMANFP-6-IPACCESSLOGDP: F0: fman_fp_image:  list 101 permitted icmp 10.1.23.2 -> 192.168.101.3 (3/1), 4 packets

Can someone help me fix this issue soon? Or help me understand the flow or any tips?

Thanks,

Edited by ccie109, 04 November 2019 - 04:16 AM.


#2 krishna79
Posted 04 November 2019 - 05:38 AM

ccie109, on 04 November 2019 - 04:09 AM, said:

    I am trying to access server1 http://192.168.101.3:8080 from Anyconnect PC and having problems accessing the page using both IE and FF. Seems like the issue is on the WSA end. [...]

check the URL cat in the WSA

#3 ccie109
Posted 04 November 2019 - 06:38 AM

You are right. The URL category was not tied to the identification profile. I corrected it but the issue is still not resolved.
Did a clear ip wccp too. Same symptoms.

#4 dyingbreath1
Posted 04 November 2019 - 06:54 AM

reboot WSA/R2 and then try to access server1 and server2

#5 ccie109
Posted 04 November 2019 - 07:11 AM

dyingbreath1, on 04 November 2019 - 06:54 AM, said:

    reboot WSA/R2 and then try to access server1 and server2

No luck

#6 ccie109
Posted 04 November 2019 - 09:48 AM

Hi everyone,
I am still unable to access server1 and server2 from Anyconnect client via WCCP

Here is some more info of my setup
Router config:
ip access-list standard WSA
permit 150.1.7.213
!
ip access-list extended redirect
permit tcp 172.16.1.0 0.0.0.255 host 192.168.101.3 eq 8080
permit tcp 172.16.1.0 0.0.0.255 host 192.168.102.3 eq 8080
!
ip wccp 50 redirect-list redirect group-list WSA password 0 cisco

interface GigabitEthernet2
ip address 10.1.12.2 255.255.255.0
ip wccp 50 redirect in

Screenshots from WCCP configs are attached.

Thanks,

Edited by ccie109, 04 November 2019 - 09:53 AM.
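The redirect-list in the config above is what decides which packets entering Gi2 get handed to the WSA, and the group-list decides which appliance may join service group 50. As an added illustration (not part of the thread, and not Cisco's own matching code), the Python below parses IOS-style standard and extended access lists with wildcard masks and evaluates the thread's own flows against `redirect` and `WSA`. The ACL text is copied from the post; the function names, the test flows and the treatment of the implicit deny are mine.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple

# ACL text copied from the router config in the post above.
ACL_WSA = """
ip access-list standard WSA
 permit 150.1.7.213
"""
ACL_REDIRECT = """
ip access-list extended redirect
 permit tcp 172.16.1.0 0.0.0.255 host 192.168.101.3 eq 8080
 permit tcp 172.16.1.0 0.0.0.255 host 192.168.102.3 eq 8080
"""

PROTOCOLS = {"ip", "tcp", "udp", "icmp", "gre", "esp", "ahp"}
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}
ANY = (0, 0xFFFFFFFF)  # address 0.0.0.0 with wildcard 255.255.255.255


def addr_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any' | 'host A' | 'A W' | bare 'A' (standard ACL form).
    Returns ((address, wildcard), index of the next token)."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return (addr_int(tokens[i + 1]), 0), i + 2
    # A wildcard follows only if the next token is itself a dotted quad
    if i + 1 < len(tokens) and tokens[i + 1].count(".") == 3:
        return (addr_int(tok), addr_int(tokens[i + 1])), i + 2
    return (addr_int(tok), 0), i + 1


def parse_port(tokens: List[str], i: int) -> Tuple[Callable[[int], bool], int]:
    """Parse an optional port operator; no operator means any port."""
    if i >= len(tokens) or tokens[i] not in PORT_OPS:
        return (lambda p: True), i
    op = tokens[i]
    if op == "range":
        lo, hi = int(tokens[i + 1]), int(tokens[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    n = int(tokens[i + 1])
    ops = {"eq": lambda p: p == n, "neq": lambda p: p != n,
           "gt": lambda p: p > n, "lt": lambda p: p < n}
    return ops[op], i + 2


@dataclass
class Entry:
    action: str
    proto: str
    src: Tuple[int, int]
    sport: Callable[[int], bool]
    dst: Tuple[int, int]
    dport: Callable[[int], bool]


def parse_acl(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list ...' header and blank lines
        if tok[1] in PROTOCOLS:  # extended entry: proto src [port] dst [port]
            proto = tok[1]
            src, i = parse_addr(tok, 2)
            sport, i = parse_port(tok, i)
            dst, i = parse_addr(tok, i)
            dport, i = parse_port(tok, i)
        else:  # standard entry: source address only
            proto = "ip"
            src, i = parse_addr(tok, 1)
            sport, dst, dport = (lambda p: True), ANY, (lambda p: True)
        entries.append(Entry(tok[0], proto, src, sport, dst, dport))
    return entries


def addr_matches(spec: Tuple[int, int], addr: str) -> bool:
    base, wild = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must be equal
    return ((addr_int(addr) ^ base) & ~wild & 0xFFFFFFFF) == 0


def acl_action(entries: List[Entry], proto: str, src: str, sport: int,
               dst: str, dport: int) -> str:
    """First-match evaluation, ending in the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if (addr_matches(e.src, src) and e.sport(sport)
                and addr_matches(e.dst, dst) and e.dport(dport)):
            return e.action
    return "deny"


REDIRECT = parse_acl(ACL_REDIRECT)
WSA = parse_acl(ACL_WSA)

if __name__ == "__main__":
    # Flows taken from the log lines earlier in the thread (constructed tuples)
    for flow in [("tcp", "172.16.1.1", 49418, "192.168.101.3", 8080),
                 ("icmp", "10.1.23.2", 0, "192.168.101.3", 0),
                 ("tcp", "192.168.101.3", 8080, "172.16.1.1", 49418)]:
        print(flow, "->", acl_action(REDIRECT, *flow))
```

Only the AnyConnect client's TCP flow toward port 8080 is permitted by `redirect`; the ICMP seen on R3 and any packet sourced from the server fall through to the implicit deny, so they are routed normally rather than redirected. Because the list is applied with `ip wccp 50 redirect in` on Gi2, it is consulted only for packets entering that interface.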


#7 derevko
Posted 04 November 2019 - 10:07 AM

How about route to wsa IP on R3? Add static route if missing

#8 krishna79
Posted 04 November 2019 - 10:46 AM

ccie109, on 04 November 2019 - 09:48 AM, said:

    I am still unable to access server1 and server2 from Anyconnect client via WCCP. [...]

check the DNS

#9 layer1layer1
Posted 04 November 2019 - 12:22 PM

I think there is no route back to 172.16.1.0/24 on R1/R2/R3. That prefix appears as V on ASA1v when AnyConnect client is connected
Somewhere in this forum I read that there is a static route pre-configured to that subnet on all 3 routers in lab.
Try to add static route to 172.16.1.0/24 towards ASA1v (or redistribute 172.16.1.0 on ASA1v to EIGRP)

#10 deeznutts
Posted 04 November 2019 - 01:00 PM

Can you reach the server without wccp redirection?

#11 ccie109
Posted 04 November 2019 - 06:36 PM

WCCP is redirecting packets to R3 but R3 is not responding back.

I applied an ACL on the interface of R3 which connects with R2 to log packets. I see WCCP sending the 8080 request to 101.3. The packets are sourced from the WCCP IP, which is expected since WCCP is expected to proxy the request; correct me if I am wrong.
The ACL is applied in both directions and we can see there is no response from R3.

ACL capture on R3
R3#sh access-list 101
Extended IP access list 101
10 permit tcp host 192.168.101.3 eq 8080 172.16.1.0 0.0.0.255
20 permit tcp 172.16.1.0 0.0.0.255 host 192.168.101.3 eq 8080
30 permit tcp host 192.168.101.3 eq 8080 host 150.1.7.213
40 permit tcp host 150.1.7.213 host 192.168.101.3 eq 8080 (5 matches)
50 permit tcp any host 192.168.101.3 eq 8080 log
60 permit ip host 192.168.101.3 any
70 permit ip any host 192.168.101.3 log
80 permit ip any any (91 matches)
R3#

Routing table on R3
R3#sh ip rou
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
   D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
   N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
   E1 - OSPF external type 1, E2 - OSPF external type 2
   i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
   ia - IS-IS inter area, * - candidate default, U - per-user static route
   o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
   a - application route
   + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

  10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
D 10.1.11.0/24 [90/3328] via 10.1.23.2, 00:06:41, GigabitEthernet2
D 10.1.12.0/24 [90/3072] via 10.1.23.2, 00:06:41, GigabitEthernet2
D 10.1.22.0/24 [90/3328] via 10.1.23.2, 00:06:41, GigabitEthernet2
C 10.1.23.0/24 is directly connected, GigabitEthernet2
L 10.1.23.3/32 is directly connected, GigabitEthernet2
C 10.1.33.0/24 is directly connected, GigabitEthernet5
L 10.1.33.3/32 is directly connected, GigabitEthernet5
C 10.1.36.0/24 is directly connected, GigabitEthernet4
L 10.1.36.3/32 is directly connected, GigabitEthernet4
  150.1.0.0/32 is subnetted, 1 subnets
S 150.1.7.213 [1/0] via 10.1.23.2
  172.16.0.0/32 is subnetted, 1 subnets
D 172.16.1.1 [90/3584] via 10.1.23.2, 00:06:41, GigabitEthernet2
  192.168.101.0/32 is subnetted, 1 subnets
C 192.168.101.3 is directly connected, Loopback1
  192.168.102.0/32 is subnetted, 1 subnets
C 192.168.102.3 is directly connected, Loopback2
R3#

Loopback and HTTP config are there on R3

interface Loopback1
ip address 192.168.101.3 255.255.255.255
!
interface Loopback2
ip address 192.168.102.3 255.255.255.255
!
rotocol nd
!
ip http server
ip http port 8080
no ip http secure-server

Edited by ccie109, 04 November 2019 - 06:41 PM.


#12 vantom85
Posted 04 November 2019 - 07:06 PM

try to isolate the issue:

1- Bypass WSA
2- confirm reachability via telnet from R2 to R3 loopback
3- confirm reachability from anyconnect towards R3 loopback interfaces
4- Make sure of NGIPS, WSA rules
5- Reinitiate WSA from scratch

update us if it solved

#13 ccie109
Posted 04 November 2019 - 08:23 PM

murazhi, on 04 November 2019 - 07:16 PM, said:

    True. In LAB, WSA did not work as expected.
    You have to reboot as a final chance. But there is no guarantee whether the device will come back. It's up to luck.

    One of my friends had an issue with ASDM, not installed and available nowhere.
    FMC was not accessible.
    Cluster had an issue.

    There are many issues in pods itself, especially Bangalore.

    Moreover, you can't get any help from the proctor at all. Always he would say that there are no issues in the device.
    If anyone booked the lab at Bangalore, better don't waste your money and attempt. It's all about your fate!

I had an issue with the cluster, it kept on flapping complaining about an unstable port channel. I couldn't resolve it and it screwed the whole lab.
I am still not sure what the problem was; I am assuming I made a mistake in following the proper order or missed something which I couldn't catch at that time. I think I should've tried disabling the health check.

Had an issue with finding the ASDM image as well, proctor told me to use the CLI..

Edited by ccie109, 04 November 2019 - 08:28 PM.


#14 ccie109
Posted 05 November 2019 - 03:03 AM

vantom85, on 04 November 2019 - 07:06 PM, said:

    try to isolate the issue:

    1- Bypass WSA
    2- confirm reachability via telnet from R2 to R3 loopback
    3- confirm reachability from anyconnect towards R3 loopback interfaces
    4- Make sure of NGIPS, WSA rules
    5- Reinitiate WSA from scratch

    update us if it solved

I am able to access the servers from Anyconnect when I bypass WSA.
Rules seem fine on NGIPS and WSA.

I did a capture on the ASA and I can see that I am getting the responses back from WSA. However, it eventually gets a reset.


ASA1V(config)# sh cap test | in 192.168.101
   9: 02:39:04.691294    172.16.1.1.49638 > 192.168.101.3.8080: S 3722547209:3722547209(0) win 8192 <mss 1170,nop,wscale 2,nop,nop,sackOK>
  10: 02:39:04.696649    192.168.101.3.8080 > 172.16.1.1.49638: S 3906081352:3906081352(0) ack 3722547210 win 64000 <mss 1170,nop,wscale 6,sackOK,eol>
  11: 02:39:04.699289    172.16.1.1.49638 > 192.168.101.3.8080: . ack 3906081353 win 16672
  12: 02:39:04.701349    172.16.1.1.49638 > 192.168.101.3.8080: P 3722547210:3722547525(315) ack 3906081353 win 16672
  13: 02:39:04.718819    192.168.101.3.8080 > 172.16.1.1.49638: . ack 3722547525 win 1000
  22: 02:39:14.726952    172.16.1.1.49638 > 192.168.101.3.8080: . 3722547524:3722547525(1) ack 3906081353 win 16672
  23: 02:39:14.732384    192.168.101.3.8080 > 172.16.1.1.49638: . ack 3722547525 win 1000
  32: 02:39:24.741233    172.16.1.1.49638 > 192.168.101.3.8080: . 3722547524:3722547525(1) ack 3906081353 win 16672
  33: 02:39:24.748069    192.168.101.3.8080 > 172.16.1.1.49638: . ack 3722547525 win 1000
  43: 02:39:34.754492    172.16.1.1.49638 > 192.168.101.3.8080: . 3722547524:3722547525(1) ack 3906081353 win 16672
  44: 02:39:34.760290    192.168.101.3.8080 > 172.16.1.1.49638: . ack 3722547525 win 1000
  53: 02:39:44.768698    172.16.1.1.49638 > 192.168.101.3.8080: . 3722547524:3722547525(1) ack 3906081353 win 16672
  54: 02:39:44.773626    192.168.101.3.8080 > 172.16.1.1.49638: . ack 3722547525 win 1000
  60: 02:39:50.641446    192.168.101.3.8080 > 172.16.1.1.49638: R 3906081353:3906081353(0) ack 3722547525 win 1000
  61: 02:39:50.661800    172.16.1.1.49639 > 192.168.101.3.8080: S 3571166156:3571166156(0) win 8192 <mss 1170,nop,wscale 2,nop,nop,sackOK>
  62: 02:39:50.670085    192.168.101.3.8080 > 172.16.1.1.49639: R 0:0(0) ack 3571166157 win 0
  63: 02:39:50.902159    172.16.1.1.49640 > 192.168.101.3.8080: S 754283250:754283250(0) win 8192 <mss 1170,nop,wscale 2,nop,nop,sackOK>
  64: 02:39:50.909132    192.168.101.3.8080 > 172.16.1.1.49640: R 0:0(0) ack 754283251 win 0
  65: 02:39:51.180349    172.16.1.1.49639 > 192.168.101.3.8080: S 3881943768:3881943768(0) win 8192 <mss 1170,nop,wscale 2,nop,nop,sackOK>
  66: 02:39:51.191594    192.168.101.3.8080 > 172.16.1.1.49639: R 0:0(0) ack 3881943769 win 0

Based on the captures, it seems like WCCP is making the TCP connection on behalf of the server but it's not sending the HTTP page for some reason, which is why the connection eventually gets reset.

Edited by ccie109, 05 November 2019 - 03:16 AM.
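The capture above shows the handshake completing, 315 bytes of request going to the proxy, a run of 1-byte probes that are ACKed but never answered with data, and finally a reset; later connection attempts on new ports are refused outright. As an added example (not from the thread, and not a Cisco tool), the Python below parses ASA `show capture` lines of exactly this layout and gives each client connection a verdict based on whether the server side ever delivered payload, so the pattern ccie109 read by eye can be checked mechanically on a larger capture. The packet lines are copied from the post; the regular expression, the `Conn` bookkeeping, the verdict names and the assumption that the server port is 8080 (and that one client port means one connection) are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# A subset of the ASA capture quoted in the post above, copied verbatim.
CAPTURE = """\
   9: 02:39:04.691294    172.16.1.1.49638 > 192.168.101.3.8080: S 3722547209:3722547209(0) win 8192 <mss 1170,nop,wscale 2,nop,nop,sackOK>
  10: 02:39:04.696649    192.168.101.3.8080 > 172.16.1.1.49638: S 3906081352:3906081352(0) ack 3722547210 win 64000 <mss 1170,nop,wscale 6,sackOK,eol>
  11: 02:39:04.699289    172.16.1.1.49638 > 192.168.101.3.8080: . ack 3906081353 win 16672
  12: 02:39:04.701349    172.16.1.1.49638 > 192.168.101.3.8080: P 3722547210:3722547525(315) ack 3906081353 win 16672
  13: 02:39:04.718819    192.168.101.3.8080 > 172.16.1.1.49638: . ack 3722547525 win 1000
  22: 02:39:14.726952    172.16.1.1.49638 > 192.168.101.3.8080: . 3722547524:3722547525(1) ack 3906081353 win 16672
  60: 02:39:50.641446    192.168.101.3.8080 > 172.16.1.1.49638: R 3906081353:3906081353(0) ack 3722547525 win 1000
  61: 02:39:50.661800    172.16.1.1.49639 > 192.168.101.3.8080: S 3571166156:3571166156(0) win 8192 <mss 1170,nop,wscale 2,nop,nop,sackOK>
  62: 02:39:50.670085    192.168.101.3.8080 > 172.16.1.1.49639: R 0:0(0) ack 3571166157 win 0
"""

# One capture line: index, timestamp, src.port > dst.port: flags [seq:end(len)] [ack N] win W ...
LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SPRF.]+)\s+"
    r"(?:(?P<seq>\d+):(?P<end>\d+)\((?P<length>\d+)\)\s+)?"
    r"(?:ack\s+(?P<ack>\d+)\s+)?win\s+(?P<win>\d+)"
)


def ts_seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


@dataclass
class Conn:
    client: str
    client_port: int
    first_at: float
    client_isn: Optional[int] = None
    server_isn: Optional[int] = None
    client_max_end: int = 0
    server_max_end: int = 0
    synack_seen: bool = False
    server_rst_at: Optional[float] = None

    def client_bytes(self) -> int:
        # Highest sequence end minus ISN minus the SYN = payload actually delivered;
        # the 1-byte probes at seq-1 re-cover old data, so they do not inflate this
        if self.client_isn is None:
            return 0
        return max(0, self.client_max_end - self.client_isn - 1)

    def server_bytes(self) -> int:
        if self.server_isn is None:
            return 0
        return max(0, self.server_max_end - self.server_isn - 1)


def parse_capture(text: str, server_port: int = 8080) -> Dict[int, Conn]:
    conns: Dict[int, Conn] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        sport, dport = int(d["sport"]), int(d["dport"])
        if server_port not in (sport, dport):
            continue
        t = ts_seconds(d["ts"])
        from_client = dport == server_port
        cport = sport if from_client else dport
        caddr = d["sip"] if from_client else d["dip"]
        c = conns.setdefault(cport, Conn(caddr, cport, t))
        seq = int(d["seq"]) if d["seq"] else None
        end = int(d["end"]) if d["end"] else None
        flags = d["flags"]
        if from_client:
            if "S" in flags and c.client_isn is None:
                c.client_isn = seq
            if end is not None:
                c.client_max_end = max(c.client_max_end, end)
        else:
            if "S" in flags and c.server_isn is None:
                c.server_isn = seq
                c.synack_seen = d["ack"] is not None
            if end is not None and c.server_isn is not None:
                c.server_max_end = max(c.server_max_end, end)
            if "R" in flags and c.server_rst_at is None:
                c.server_rst_at = t
    return conns


def classify(c: Conn) -> str:
    if not c.synack_seen:
        return "refused" if c.server_rst_at is not None else "no-synack"
    if c.client_bytes() > 0 and c.server_bytes() == 0:
        return "request-unanswered-then-rst" if c.server_rst_at is not None else "request-unanswered"
    if c.server_bytes() > 0:
        return "responded"
    return "idle"


def summarise(text: str, server_port: int = 8080) -> Dict[int, dict]:
    out = {}
    for port, c in parse_capture(text, server_port).items():
        out[port] = {
            "client": c.client,
            "verdict": classify(c),
            "client_bytes": c.client_bytes(),
            "server_bytes": c.server_bytes(),
            "seconds_to_rst": None if c.server_rst_at is None else round(c.server_rst_at - c.first_at, 3),
        }
    return out


if __name__ == "__main__":
    for port, info in summarise(CAPTURE).items():
        print(port, info)
```

On the quoted packets, port 49638 comes out as "request-unanswered-then-rst" with 315 client bytes, 0 server bytes and the reset about 46 seconds after the SYN, and port 49639 as "refused". A "responded" verdict is what a working proxy path would produce, so running this over a capture taken after each change (bypassing the WSA, fixing routing) gives a quick pass/fail rather than reading sequence numbers by hand.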




