This document describes a problem that is encountered when the Web Cache Communication Protocol (WCCP) does not work between the Cisco Adaptive Security Appliance (ASA) and the Cisco Web Security Appliance (WSA).
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
- Cisco WSA Versions 7.x and 8.x
- Cisco ASA Version 8.x
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
The WCCP does not work between the ASA and the WSA. When this problem occurs, these Debug wccp events log messages appear on the ASA:
Here_I_Am packet from X.X.X.X w/bad rcv_id 00000000
Here_I_Am packet from X.X.X.X w/bad web-cache ID
Also, when this problem occurs, the WSA Proxy logs reveal an incrementing I See You outstanding counter:
INFO : PROXY : - : wccp: INFO:HIA sent to A.B.C.D -- 15 ISY(s) outstanding
The problem that is described in this document does not have a single, specific resolution. The WCCP services might need to be reconfigured on both the ASA and the WSA. Sometimes, a reconfiguration of the WCCP service on either the ASA or the WSA might resolve this issue.
When you reconfigure the WCCP service on the WSA, ensure that you apply these settings:
- Load Balancing Method: Allow Hash Only
- Forwarding Method: Allow GRE Only
- Return Method: Allow GRE Only
Once the WCCP services are reconfigured, you might be required to kick the proxy in order to initialize the WCCP negotiation between the appliances:
wsa.example (SERVICE)> diagnostic
Choose the operation you want to perform:
- NET - Network Diagnostic Utility.
- PROXY - Proxy Debugging Utility.
- REPORTING - Reporting Utilities.
- SNAP - Take a snapshot of the proxy
- OFFLINE - Take the proxy offline (via WCCP)
- RESUME - Resume proxy traffic via (via WCCP)
- CACHE - Clear proxy cache
> kick (hidden command, type as shown)
Kick the proxy?
Are you sure you want to proceed? [N]> Y