WCCP redirect access-list configuration in ASA is not working with an object-group

Available Languages

Download Options

PDF (6.3 KB)
View with Adobe Reader on a variety of devices

Updated:August 12, 2014

Document ID:118239

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Question:

Why is WCCP redirect access-list configuration on ASA, to redirect traffic to WSA, not working with an object-group?

Environment:

Cisco Web Security Appliance (WSA)
Cisco ASA
WCCP redirect 'access-list' configued with 'object-group'

Symptoms:

ASA doesn't redirect traffic to the WSA or redirection breaks after sometime if WCCP redirect access-list is configured with an object-group

WCCP redirect 'access-list' configuration does not support more than 64 characters per line.

When an object-group is included, it will most likely exceed the 64 character limit and make the WCCP ACL invalid. This would typically cause the WCCP redirection to not work.

Below is an excerpt of the "redirect-list" option from Cisco's documentation:

Redirect list (Optional): Used with an access list that controls traffic redirected to this service group. The access-list argument should consist of a string of no more than 64 characters (name or number) that specifies the access list.

Below documentation provides information on all options available in the 'wccp' command on ASA

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/uz.html#wp1573973