The ProxySG appliance is not using the WCCP return method (GRE or L2) when responding to the client or when connecting to upstream/OCS


Article ID: 166984


Products

ProxySG Software - SGOS

Issue/Introduction

By default, the ProxySG appliance uses a routing table lookup to choose the next hop when responding to a client or when connecting to the upstream server/OCS, regardless of the WCCP return method (GRE or L2) negotiated with the router.

This can cause a failure when the redirecting router or firewall expects the ProxySG appliance to use the configured WCCP "Return Method" when it responds to the client or connects to the upstream/OCS.

Example
A ProxySG appliance in a DMZ receives WCCP-redirected traffic from a firewall. The WCCP service group is configured with GRE as both its forwarding and return method. The ProxySG appliance has no path to the client or to the OCS/Internet other than through that firewall.

The firewall expects the response from the ProxySG to the client to come back GRE-encapsulated, using the return method negotiated for the service group, rather than being sent directly to the client IP address. The firewall only holds state for the traffic it has already seen: the redirected flow, GRE encapsulated with source IP = firewall and destination IP = ProxySG. A direct response, which in transparent interception carries the OCS IP address as its source, matches no existing session on the firewall and fails.


Resolution

This is the default behavior of the ProxySG. Since SGOS 5.5, however, it can be overridden with a feature called "Router-Affinity": when enabled, the ProxySG uses the configured WCCP "Return Method" when responding to the client or when connecting to the upstream/OCS, bypassing the default routing table lookup.
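To make the firewall-state argument from the Example above, and the effect of enabling Router-Affinity, concrete, the following is an added Python model. It is not part of the original article and is not SGOS code. It assumes a stateful firewall that records sessions keyed on (source, destination, protocol, ingress interface) and admits a packet only if it is the reverse of a recorded session; the addresses, interface names and the mode names "routing-table" and "return-method" are constructed for the example.

```python
"""Model of the WCCP return-path problem described in this article.

Constructed example (not SGOS code): a stateful firewall redirects a client's
TCP flow to a ProxySG in the DMZ with WCCP, GRE forwarding and GRE return. The
firewall holds state only for traffic it has actually seen. The ProxySG's reply
to the client is then built two ways:
  "routing-table"  SGOS default: next hop from the routing table, plain packet
  "return-method"  Router-Affinity: GRE-encapsulated back to the redirecting firewall
"""
from dataclasses import dataclass, field
from typing import Optional

# All addresses and interface names are constructed for this example.
CLIENT = "10.1.1.50"        # host on the firewall's inside interface
OCS = "203.0.113.80"        # origin content server on the Internet
FW_DMZ = "172.16.5.1"       # firewall DMZ interface (WCCP router address)
PROXYSG = "172.16.5.10"     # ProxySG appliance in the DMZ


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp" or "gre"
    iface: str                        # firewall interface the packet arrives on
    inner: Optional["Packet"] = None  # encapsulated packet when proto == "gre"


@dataclass
class StatefulFirewall:
    # Sessions the firewall has seen, keyed (src, dst, proto, iface).
    # A packet is accepted only if it is the reverse of a recorded session.
    sessions: set = field(default_factory=set)

    def redirect_to_proxy(self, pkt: Packet) -> Packet:
        """Record the client flow and hand it to the ProxySG via WCCP GRE forwarding."""
        self.sessions.add((pkt.src, pkt.dst, pkt.proto, pkt.iface))
        # The firewall now expects GRE from the ProxySG on the DMZ interface.
        self.sessions.add((FW_DMZ, PROXYSG, "gre", "dmz"))
        return Packet(FW_DMZ, PROXYSG, "gre", "dmz", inner=pkt)

    def receive(self, pkt: Packet) -> str:
        """Apply the stateful check to a packet arriving from the DMZ."""
        if (pkt.dst, pkt.src, pkt.proto, pkt.iface) not in self.sessions:
            # A real firewall would typically also reject this on anti-spoofing
            # grounds: the source claims the OCS address but arrives on the DMZ.
            return f"DROP {pkt.src}->{pkt.dst}/{pkt.proto} on {pkt.iface}: no matching session"
        if pkt.proto == "gre" and pkt.inner is not None:
            i = pkt.inner
            return f"ACCEPT GRE from {pkt.src}: decapsulate and forward {i.src}->{i.dst} to inside"
        return f"ACCEPT {pkt.src}->{pkt.dst}/{pkt.proto}"


def proxysg_reply(mode: str) -> Packet:
    """Build the ProxySG's reply toward the client for the given return behaviour."""
    # Transparent interception: the reply is sourced from the OCS address so the
    # client sees the server it connected to, not the proxy.
    reply = Packet(OCS, CLIENT, "tcp", "dmz")
    if mode == "routing-table":
        return reply  # routing lookup: sent as-is out the DMZ link toward the client
    if mode == "return-method":
        # Router-Affinity: use the negotiated GRE return method toward the WCCP router.
        return Packet(PROXYSG, FW_DMZ, "gre", "dmz", inner=reply)
    raise ValueError(f"unknown mode {mode!r}")


def simulate(mode: str) -> str:
    """Run one redirected flow and report what the firewall does with the reply."""
    fw = StatefulFirewall()
    fw.redirect_to_proxy(Packet(CLIENT, OCS, "tcp", "inside"))
    return fw.receive(proxysg_reply(mode))


if __name__ == "__main__":
    for mode in ("routing-table", "return-method"):
        print(f"{mode:14s} {simulate(mode)}")
```

Running the script shows the two outcomes side by side: the plain reply sourced from the OCS address arrives on the DMZ interface with no session behind it and is dropped, while the GRE-encapsulated reply matches the tunnel state the firewall created when it redirected the flow, so the firewall decapsulates it and forwards the inner OCS-to-client packet. The same reasoning applies to the upstream direction the article mentions, with the OCS in place of the client.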

Document: SGOS 5.5 WCCP Reference Guide, which describes how to enable this feature (requires BTO access)

Document: SGOS 5.5.x Upgrade/Downgrade Feature Change Reference, which lists "Router-Affinity" as a new feature introduced in this version (requires BTO access)

ProxySG appliances running an older SGOS version must be upgraded to the latest SGOS 5.5.x release in order to use this feature.

Note that this feature adds CPU overhead on the router, which must de-encapsulate the GRE packets returned by the ProxySG. In addition, the ProxySG appliance and the router use a reduced maximum transmission unit (MTU) for GRE packets, because the GRE header consumes part of each frame, which reduces the amount of payload data that can be transferred per packet.