This chapter provides an overview of some of the tools that can be used to verify and troubleshoot the proxy deployment. It also provides a basic overview of some of the items on the Cisco WSA, infrastructure devices, and Windows operating systems to assist in basic verification and troubleshooting. However, it does not prescribe specific action items as a result of the troubleshooting steps, because of the fluidity of the deployment and potential architectural differences.
There are several methods of verifying and troubleshooting the deployment of the proxy and the associated redirection services in the infrastructure.
Verification of the functionality of WCCP and the Cisco WSA can occur within the web browser itself by testing some addresses that may or may not be blocked depending on the configuration of the Cisco WSA:
The Cisco WSA returns an error like that shown in Figure 4-1.
Some important items to note from the above error:
If the web request is not directed by the Cisco WSA, the web browser returns an error. For example, the Firefox browser returns an error similar to the one shown in Figure 4-2.
Figure 4-2 Firefox Connection Error
From the home page of the Cisco WSA, there are several reporting tools that are available for verification, log management, and troubleshooting. These tools can be used to verify if the deployment of the Cisco WSA was successful. The Cisco WSA inspects all traffic that is forwarded to it and organizes it into two categories, Suspect Transactions and Clean Transactions. Based on the configuration of the Cisco WSA and overall usage, the ratios of Suspect to Clean may vary.
Figure 4-3 shows the reporting details from the Cisco WSA home page detailing the summary of traffic and the details of the Suspect Transactions.
Figure 4-3 Web Proxy Reporting
Additional information is shown in the lower half of the home page of the Cisco WSA. This information provides a more granular overview of the top URL categories as well as the top users as shown in Figure 4-4.
Figure 4-4 URL and User Reporting
These reporting options and top application types contain hyperlinks that provide more details. For example, clicking the IP address 10.18.3.101 under the top users section would provide additional information (Figure 4-5). Additional granularity is provided for each user, such as the amount of bandwidth and time spent in each of the URL categories.
Similar to the previous page, this report on user 10.18.3.101 has additional hyperlinks that can provide more details about the content the user is viewing. In Figure 4-5, clicking one of the numbers in the transactions completed column will provide the URLs that were accessed by the user under each individual URL category.
Figure 4-6 shows the breakdown of the URLs that have been accessed by the user. Additional information, such as full URL, content type, destination IP address, and Cisco WSA independent tracking can be accessed by clicking the individual URLs.
There are many filtering options offered in the reporting and web tracking pages of the Cisco WSA to fine-tune and search specific URLs, actions, file sizes, etc.
Since most WCCP deployments will rely on Layer 2 redirection, a good first step in troubleshooting deployment issues is to ensure that the WCCP device is able to ping the Cisco WSA. Additionally, using debug tools for WCCP is uninstructive about the performance of the device due to the low number of messages that are generated. In addition to general debugging, the show commands can provide helpful information about the state of the deployment and the status of the current redirection service ID.
Note: Some devices exclude ip from the command. For example, the above command show ip wccp is valid on a Catalyst 4500X, but on the Cisco ASA 5525 the command is sh wccp.
| | |
|---|---|
| | Displays proxy server and WCCP router statistics for a particular service group. |
| | Displays information about every WCCP packet received or sent by the router. |
Examples of the debug types of messages you will see are shown below:
– This indicates that if authentication (a password) is used for the WCCP service, there is a mismatch between the WCCP device and the Cisco WSA configuration.
– WCCP-PKT:D90: Sending I_See_You packet to 10.18.3.37 w/ rcv_id 00000001
– WCCP-EVNT: Adding NP rule to exclude WCCP redirection of web cache 10.18.3.37
– WCCP-PKT:D90: Received valid Here_I_Am packet from 10.18.3.37 w/rcv_id 00000001
– WCCP-EVNT:D90: Built new router view: 1 routers, 1 usable web caches, change # 00000002
– WCCP-PKT:D90: Sending I_See_You packet to 10.18.3.37 w/ rcv_id 00000002
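The debug messages above can be checked mechanically when verifying a deployment. The following Python is an added example, not part of the Cisco documentation: it parses the five lines quoted above and reports whether a valid Here_I_Am was received from each web cache and whether the router view lists a usable web cache. The function names are hypothetical, and reading rcv_id as hexadecimal is an assumption.

```python
import re

# The five debug lines quoted on this page, used as the sample input.
SAMPLE = """\
WCCP-PKT:D90: Sending I_See_You packet to 10.18.3.37 w/ rcv_id 00000001
WCCP-EVNT: Adding NP rule to exclude WCCP redirection of web cache 10.18.3.37
WCCP-PKT:D90: Received valid Here_I_Am packet from 10.18.3.37 w/rcv_id 00000001
WCCP-EVNT:D90: Built new router view: 1 routers, 1 usable web caches, change # 00000002
WCCP-PKT:D90: Sending I_See_You packet to 10.18.3.37 w/ rcv_id 00000002
"""

# rcv_id is parsed as hexadecimal (assumption; the page shows only 00000001/00000002).
PKT = re.compile(
    r"WCCP-PKT:\S*\s+(?:Sending|Received valid) (I_See_You|Here_I_Am) packet "
    r"(?:to|from) (\S+) w/\s*rcv_id ([0-9A-Fa-f]+)")
VIEW = re.compile(r"Built new router view: (\d+) routers, (\d+) usable web caches")


def summarize(log_text):
    """Return (per-cache packet counters, usable cache count from the last router view)."""
    caches, usable = {}, None
    for line in log_text.splitlines():
        pkt = PKT.search(line)
        if pkt:
            kind, ip, rcv_id = pkt.groups()
            st = caches.setdefault(ip, {"I_See_You": 0, "Here_I_Am": 0, "last_rcv_id": 0})
            st[kind] += 1
            st["last_rcv_id"] = max(st["last_rcv_id"], int(rcv_id, 16))
            continue
        view = VIEW.search(line)
        if view:
            usable = int(view.group(2))
    return caches, usable


def findings(log_text):
    """List what is missing from a healthy exchange; an empty list means none."""
    caches, usable = summarize(log_text)
    out = [f"no valid Here_I_Am seen from {ip}"
           for ip, st in caches.items() if st["Here_I_Am"] == 0]
    if not caches:
        out.append("no WCCP packets in capture")
    if usable is None:
        out.append("no router view built in capture")
    elif usable == 0:
        out.append("router view lists 0 usable web caches")
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(findings(SAMPLE) or "exchange looks healthy")
```

A capture that starts mid-exchange can produce a finding only because the matching line was logged before the capture began, so collect at least one full Here_I_Am / I_See_You cycle before drawing conclusions.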
| | |
|---|---|
| | Displays whether web cache redirecting is enabled on an interface. |
| | Clears the counters displayed by the show ip wccp and show ip wccp web-caches commands. |
Using the sh wccp command, general information regarding the WCCP service can be viewed: