Question:
Why is WCCP redirect access-list configuration on ASA, to redirect traffic to WSA, not working with an object-group?
Environment:
- Cisco Web Security Appliance (WSA)
- Cisco ASA
- WCCP redirect 'access-list' configured with 'object-group'
Symptoms:
- ASA doesn't redirect traffic to the WSA, or redirection breaks after some time, if the WCCP redirect access-list is configured with an object-group
WCCP redirect 'access-list' configuration does not support more than 64 characters per line.
When an object-group is included, the line will most likely exceed the 64-character limit and make the WCCP ACL invalid. This would typically cause the WCCP redirection to not work.
Below is an excerpt of the "redirect-list" option from Cisco's documentation:
Redirect list (Optional): Used with an access list that controls traffic redirected to this service group. The access-list argument should consist of a string of no more than 64 characters (name or number) that specifies the access list.
The documentation below provides information on all options available in the 'wccp' command on ASA:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/uz.html#wp1573973
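A configuration check for the two conditions described above, as an added example that is not part of the original article or Cisco's documentation: it finds the ACLs named by `wccp ... redirect-list` and flags their entries that use an object-group or run past 64 characters. The sample configuration and every name in it are constructed for illustration.

```python
import re

MAX_LEN = 64  # per-line limit stated in this article

# Constructed sample of an ASA configuration; all names are hypothetical.
SAMPLE_CONFIG = """\
object-group network PROXY_CLIENTS
 network-object 10.1.0.0 255.255.0.0
access-list WCCP_REDIRECT extended deny ip host 10.1.1.5 any
access-list WCCP_REDIRECT extended permit tcp object-group PROXY_CLIENTS any eq www
access-list WCCP_REDIRECT extended permit tcp any any eq https
access-list OUTSIDE_IN extended permit tcp any object-group PROXY_CLIENTS eq 443
wccp web-cache redirect-list WCCP_REDIRECT group-list WSA_GROUP
"""

def wccp_redirect_acls(config):
    """Return the ACL names referenced by 'wccp ... redirect-list <name>'."""
    return set(re.findall(r"^wccp\s+\S+.*?\bredirect-list\s+(\S+)", config, re.M))

def audit(config):
    """Return (line_no, acl, reasons) for each flagged entry of a WCCP redirect ACL."""
    acls = wccp_redirect_acls(config)
    findings = []
    for no, line in enumerate(config.splitlines(), 1):
        m = re.match(r"access-list\s+(\S+)\s", line)
        if not m or m.group(1) not in acls:
            continue  # not an entry of an ACL used for WCCP redirection
        reasons = []
        if re.search(r"\bobject-group\b", line):
            reasons.append("object-group")
        if len(line) > MAX_LEN:
            reasons.append(f"{len(line)} chars > {MAX_LEN}")
        if reasons:
            findings.append((no, m.group(1), reasons))
    return findings

if __name__ == "__main__":
    for no, acl, reasons in audit(SAMPLE_CONFIG):
        print(f"line {no}: ACL {acl}: {', '.join(reasons)}")
```

Entries of ACLs that are not referenced by a `redirect-list` (here `OUTSIDE_IN`) are ignored even when they use an object-group.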