ccie109

Problem with Anyconnect to servers traffic via WCCP


Hi All,

I am trying to access server1 http://192.168.101.3:8080 from an AnyConnect PC and am having problems accessing the page using both IE and FF. Seems like the issue is on the WSA end.

Anyconnect ---ASA1V---R1--- NGIPS --- R2--- R3--- Server [192.168.101.3]

R2 is connected to WCCP.

NGIPS and WSA are properly configured as far as I can tell.

WSA is configured to allow Firefox and block IE traffic to this server.

I can see packets from the AnyConnect client arriving on R2:

Nov 4 03:50:23.721: %FMANFP-6-IPACCESSLOGP: F0: fman_fp_image: list 111 permitted tcp 172.16.1.1(49418) -> 192.168.101.3(8080), 1 packet
Nov 4 03:50:23.982: %FMANFP-6-IPACCESSLOGP: F0: fman_fp_image: list 111 permitted tcp 172.16.1.1(49419) -> 192.168.101.3(8080), 1 packet

I can see them being redirected to WCCP based on this debug and by monitoring redirected packets in the "sh ip wccp" output:

R2#
Nov 4 03:50:28.524: WCCP-EVNT:IPv4:D50: updating wc 150.1.7.213 orig assign info (hash)
Nov 4 03:50:28.524: WCCP-PKT:IPv4:D50: Sending ISY to 150.1.7.213, rcv_id:590
Nov 4 03:50:28.524: WCCP-PKT:IPv4:D50: Sending 176 bytes from 150.1.7.232 to 150.1.7.213

R2# sh ip wccp all
Global WCCP information:
Router information:
Router Identifier: 150.1.7.232

Service Identifier: 50
Protocol Version: 2.01
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets Redirected: 107
Process: 0
CEF: 0
Platform: 107
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect access-list: redirect
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0

I captured on R3 and I see ICMP packets sent to 192.168.101.3, but that's about it:

*Nov 4 03:44:10.773: %FMANFP-6-IPACCESSLOGDP: F0: fman_fp_image: list 101 permitted icmp 10.1.23.2 -> 192.168.101.3 (3/1), 46 packets
*Nov 4 03:49:10.784: %FMANFP-6-IPACCESSLOGDP: F0: fman_fp_image: list 101 permitted icmp 10.1.23.2 -> 192.168.101.3 (3/1), 4 packets

Can someone help me fix this issue soon? Or help me understand the flow, or give any tips?

Thanks,



Check the URL category in the WSA.


You are right. The URL category was not tied to the identification profile. I corrected it, but the issue is still not resolved.

I did a clear ip wccp too. Same symptoms.


Hi everyone,

I am still unable to access server1 and server2 from the AnyConnect client via WCCP.

Here is some more info on my setup.

Router config:

ip access-list standard WSA
 permit 150.1.7.213
!
ip access-list extended redirect
 permit tcp 172.16.1.0 0.0.0.255 host 192.168.101.3 eq 8080
 permit tcp 172.16.1.0 0.0.0.255 host 192.168.102.3 eq 8080
!
ip wccp 50 redirect-list redirect group-list WSA password 0 cisco

interface GigabitEthernet2
 ip address 10.1.12.2 255.255.255.0
 ip wccp 50 redirect in

Screenshots from WCCP configs are attached.

Thanks,

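As an added illustration (not code from the thread), the Python below evaluates Cisco-style wildcard-mask ACEs against the redirect list posted above, so you can check which of the flows seen in the logs the WCCP redirect-list on R2 would actually hand to the WSA, and confirm that traffic sourced from the WSA itself (150.1.7.213) is not redirected back into a loop. The ACL, addresses and ports are taken from the thread; the helper names are my own.

```python
import ipaddress

# The redirect ACL exactly as posted for R2 (extended ACL with wildcard masks).
REDIRECT_ACL = """\
permit tcp 172.16.1.0 0.0.0.255 host 192.168.101.3 eq 8080
permit tcp 172.16.1.0 0.0.0.255 host 192.168.102.3 eq 8080
"""

def _addr_match(tokens, ip):
    """Consume one address spec (any | host A | A WILDCARD) and test ip against it."""
    t = tokens.pop(0)
    if t == "any":
        return True
    if t == "host":
        return ip == ipaddress.ip_address(tokens.pop(0))
    base, wild = int(ipaddress.ip_address(t)), int(ipaddress.ip_address(tokens.pop(0)))
    care = 0xFFFFFFFF ^ wild                 # wildcard 1-bits are "don't care"
    return (int(ip) & care) == (base & care)

def _port_match(tokens, port):
    """Optional 'eq N' qualifier after an address; absent means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return port == int(tokens.pop(0))
    return True

def acl_action(acl_text, proto, src, sport, dst, dport):
    """First-match evaluation of an extended ACL; Cisco ACLs end in an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[1] not in (proto, "ip"):
            continue                         # different protocol (or a blank/remark line)
        action, tokens = tokens[0], tokens[2:]
        if (_addr_match(tokens, src) and _port_match(tokens, sport)
                and _addr_match(tokens, dst) and _port_match(tokens, dport)):
            return action
    return "deny"

def redirected(proto, src, sport, dst, dport):
    """Would R2's 'ip wccp 50 redirect in' hand this flow to the WSA?"""
    return acl_action(REDIRECT_ACL, proto, src, sport, dst, dport) == "permit"
```

The ICMP seen on R3 (10.1.23.2 to 192.168.101.3) and the WSA's own connections to the server fall through to the implicit deny, which is why only the client's TCP/8080 flows count as redirected.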


Check the DNS.


I think there is no route back to 172.16.1.0/24 on R1/R2/R3. That prefix appears as V on ASA1v when the AnyConnect client is connected.

Somewhere in this forum I read that there is a static route pre-configured to that subnet on all 3 routers in the lab.

Try to add a static route to 172.16.1.0/24 towards ASA1v (or redistribute 172.16.1.0 on ASA1v into EIGRP).


WCCP is redirecting packets to R3, but R3 is not responding back.

I applied an ACL on the interface of R3 which connects to R2 to log packets. I see WCCP sending an 8080 request to 101.3. The packets are sourced from the WCCP IP, which is expected since WCCP is expected to proxy the request; correct me if I am wrong.

The ACL is applied in both directions and we can see there is no response from R3.

ACL capture on R3:

R3#sh access-list 101
Extended IP access list 101
10 permit tcp host 192.168.101.3 eq 8080 172.16.1.0 0.0.0.255
20 permit tcp 172.16.1.0 0.0.0.255 host 192.168.101.3 eq 8080
30 permit tcp host 192.168.101.3 eq 8080 host 150.1.7.213
40 permit tcp host 150.1.7.213 host 192.168.101.3 eq 8080 (5 matches)
50 permit tcp any host 192.168.101.3 eq 8080 log
60 permit ip host 192.168.101.3 any
70 permit ip any host 192.168.101.3 log
80 permit ip any any (91 matches)
R3#

Routing table on R3:

R3#
R3#sh ip rou
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
D 10.1.11.0/24 [90/3328] via 10.1.23.2, 00:06:41, GigabitEthernet2
D 10.1.12.0/24 [90/3072] via 10.1.23.2, 00:06:41, GigabitEthernet2
D 10.1.22.0/24 [90/3328] via 10.1.23.2, 00:06:41, GigabitEthernet2
C 10.1.23.0/24 is directly connected, GigabitEthernet2
L 10.1.23.3/32 is directly connected, GigabitEthernet2
C 10.1.33.0/24 is directly connected, GigabitEthernet5
L 10.1.33.3/32 is directly connected, GigabitEthernet5
C 10.1.36.0/24 is directly connected, GigabitEthernet4
L 10.1.36.3/32 is directly connected, GigabitEthernet4
150.1.0.0/32 is subnetted, 1 subnets
S 150.1.7.213 [1/0] via 10.1.23.2
172.16.0.0/32 is subnetted, 1 subnets
D 172.16.1.1 [90/3584] via 10.1.23.2, 00:06:41, GigabitEthernet2
192.168.101.0/32 is subnetted, 1 subnets
C 192.168.101.3 is directly connected, Loopback1
192.168.102.0/32 is subnetted, 1 subnets
C 192.168.102.3 is directly connected, Loopback2
R3#

The loopback and HTTP config is there on R3:

interface Loopback1
 ip address 192.168.101.3 255.255.255.255
!
interface Loopback2
 ip address 192.168.102.3 255.255.255.255
!
rotocol nd
!
ip http server
ip http port 8080
no ip http secure-server


Try to isolate the issue:

1- Bypass WSA
2- Confirm reachability via telnet from R2 to R3 loopback
3- Confirm reachability from AnyConnect towards R3 loopback interfaces
4- Make sure of NGIPS, WSA rules
5- Reinitiate WSA from scratch

Update us if it is solved.


True. In the LAB, WSA did not work as expected.

You have to reboot as a final chance. But there is no guarantee whether the device will come back. It's up to luck.

One of my friends had an issue with ASDM, not installed and available nowhere.
FMC was not accessible.
Cluster had an issue.

There are many issues in the pods themselves, especially Bangalore.

Moreover, you can't get any help from the proctor at all. He would always say that there are no issues in the device.
If anyone booked the lab at Bangalore, better don't waste your money and attempt. It's all about your fate!

I had an issue with the cluster; it kept on flapping, complaining about an unstable port channel. I couldn't resolve it and it screwed the whole lab.
I am still not sure what the problem was; I am assuming I made a mistake in following the proper order or missed something which I couldn't catch at that time. I think I should've tried disabling the health check.

Had an issue with finding the ASDM image as well; the proctor told me to use the CLI..



I am able to access the servers from AnyConnect when I bypass WSA.

Rules seem fine on NGIPS and WSA.

I did a capture on the ASA and I can see that I am getting the responses back from WSA. However, it eventually gets a reset.

ASA1V(config)#
ASA1V(config)# sh cap test | in 192.168.101
9: 02:39:04.691294 172.16.1.1.49638 > 192.168.101.3.8080: S 3722547209:3722547209(0) win 8192 <mss 1170,nop,wscale 2,nop,nop,sackOK>
10: 02:39:04.696649 192.168.101.3.8080 > 172.16.1.1.49638: S 3906081352:3906081352(0) ack 3722547210 win 64000 <mss 1170,nop,wscale 6,sackOK,eol>
11: 02:39:04.699289 172.16.1.1.49638 > 192.168.101.3.8080: . ack 3906081353 win 16672
12: 02:39:04.701349 172.16.1.1.49638 > 192.168.101.3.8080: P 3722547210:3722547525(315) ack 3906081353 win 16672
13: 02:39:04.718819 192.168.101.3.8080 > 172.16.1.1.49638: . ack 3722547525 win 1000
22: 02:39:14.726952 172.16.1.1.49638 > 192.168.101.3.8080: . 3722547524:3722547525(1) ack 3906081353 win 16672
23: 02:39:14.732384 192.168.101.3.8080 > 172.16.1.1.49638: . ack 3722547525 win 1000
32: 02:39:24.741233 172.16.1.1.49638 > 192.168.101.3.8080: . 3722547524:3722547525(1) ack 3906081353 win 16672
33: 02:39:24.748069 192.168.101.3.8080 > 172.16.1.1.49638: . ack 3722547525 win 1000
43: 02:39:34.754492 172.16.1.1.49638 > 192.168.101.3.8080: . 3722547524:3722547525(1) ack 3906081353 win 16672
44: 02:39:34.760290 192.168.101.3.8080 > 172.16.1.1.49638: . ack 3722547525 win 1000
53: 02:39:44.768698 172.16.1.1.49638 > 192.168.101.3.8080: . 3722547524:3722547525(1) ack 3906081353 win 16672
54: 02:39:44.773626 192.168.101.3.8080 > 172.16.1.1.49638: . ack 3722547525 win 1000
60: 02:39:50.641446 192.168.101.3.8080 > 172.16.1.1.49638: R 3906081353:3906081353(0) ack 3722547525 win 1000
61: 02:39:50.661800 172.16.1.1.49639 > 192.168.101.3.8080: S 3571166156:3571166156(0) win 8192 <mss 1170,nop,wscale 2,nop,nop,sackOK>
62: 02:39:50.670085 192.168.101.3.8080 > 172.16.1.1.49639: R 0:0(0) ack 3571166157 win 0
63: 02:39:50.902159 172.16.1.1.49640 > 192.168.101.3.8080: S 754283250:754283250(0) win 8192 <mss 1170,nop,wscale 2,nop,nop,sackOK>
64: 02:39:50.909132 192.168.101.3.8080 > 172.16.1.1.49640: R 0:0(0) ack 754283251 win 0
65: 02:39:51.180349 172.16.1.1.49639 > 192.168.101.3.8080: S 3881943768:3881943768(0) win 8192 <mss 1170,nop,wscale 2,nop,nop,sackOK>
66: 02:39:51.191594 192.168.101.3.8080 > 172.16.1.1.49639: R 0:0(0) ack 3881943769 win 0

Based on the captures, it seems like WCCP is making the TCP connection on behalf of the server but it's not sending the HTTP page for some reason, which is why the connection eventually gets reset.

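An added example, not part of the thread: a small Python parser for the ASA "show capture" lines above that groups segments per connection and names the pattern each one shows. It separates the first connection (handshake completed, 315-byte request sent, no response bytes ever returned, repeated 1-byte resends, then RST from the proxy side) from the later ones (SYN answered straight away with RST). The input is a subset of the lines quoted above; function and field names are my own.

```python
import re

# Lines quoted from the thread's ASA "sh cap test | in 192.168.101" output (a subset).
CAPTURE = """\
9: 02:39:04.691294 172.16.1.1.49638 > 192.168.101.3.8080: S 3722547209:3722547209(0) win 8192 <mss 1170,nop,wscale 2,nop,nop,sackOK>
10: 02:39:04.696649 192.168.101.3.8080 > 172.16.1.1.49638: S 3906081352:3906081352(0) ack 3722547210 win 64000 <mss 1170,nop,wscale 6,sackOK,eol>
11: 02:39:04.699289 172.16.1.1.49638 > 192.168.101.3.8080: . ack 3906081353 win 16672
12: 02:39:04.701349 172.16.1.1.49638 > 192.168.101.3.8080: P 3722547210:3722547525(315) ack 3906081353 win 16672
13: 02:39:04.718819 192.168.101.3.8080 > 172.16.1.1.49638: . ack 3722547525 win 1000
22: 02:39:14.726952 172.16.1.1.49638 > 192.168.101.3.8080: . 3722547524:3722547525(1) ack 3906081353 win 16672
60: 02:39:50.641446 192.168.101.3.8080 > 172.16.1.1.49638: R 3906081353:3906081353(0) ack 3722547525 win 1000
61: 02:39:50.661800 172.16.1.1.49639 > 192.168.101.3.8080: S 3571166156:3571166156(0) win 8192 <mss 1170,nop,wscale 2,nop,nop,sackOK>
62: 02:39:50.670085 192.168.101.3.8080 > 172.16.1.1.49639: R 0:0(0) ack 3571166157 win 0
"""
# "<n>: <time> <src>.<sport> > <dst>.<dport>: <flags> [<seq>:<end>(<len>)] [ack <n>] ..."
LINE = re.compile(r"^\d+: \S+ (\S+)\.(\d+) > (\S+)\.(\d+): ([SPRF.]+)"
                  r"(?: \d+:(\d+)\((\d+)\))?(?: ack (\d+))?")

def parse(text):
    """Group segments per connection, keyed by the client socket (the SYN sender)."""
    conns = {}
    for m in filter(None, map(LINE.match, text.splitlines())):
        sip, sp, dip, dp, flags, end, length, ack = m.groups()
        src, dst = (sip, int(sp)), (dip, int(dp))
        key = src if src in conns or ("S" in flags and ack is None) else dst
        c = conns.setdefault(key, {"syn": 0, "synack": 0, "client_bytes": 0, "server_bytes": 0,
                                   "probes": 0, "rst_from_server": 0, "client_next": None})
        length = int(length or 0)
        if src == key:                           # client -> server direction
            c["syn"] |= "S" in flags
            if length and c["client_next"] is not None and int(end) <= c["client_next"]:
                c["probes"] += 1                 # resend of already-acked data: keep-alive/probe
            elif length:
                c["client_bytes"] += length
                c["client_next"] = int(end)
        else:                                    # whatever answers as the server -> client
            c["synack"] |= ("S" in flags and ack is not None)
            c["rst_from_server"] |= "R" in flags
            c["server_bytes"] += length
    return conns

def diagnose(c):
    """Name the failure mode one connection shows, in the terms used in the thread."""
    if c["syn"] and not c["synack"] and c["rst_from_server"]:
        return "refused"                         # RST answered the SYN outright
    if c["synack"] and c["client_bytes"] and not c["server_bytes"] and c["rst_from_server"]:
        return "accepted-no-response"            # handshake + request OK, no reply data, then RST
    return "ok" if c["server_bytes"] else "incomplete"
```

Because the ASA sits in front of the proxy, "server_bytes == 0" here means the WSA accepted the redirected connection but never produced a response; compare that with the R3 ACL counters, where only the WSA-to-server direction shows matches.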
