ProxySG not establishing WCCP connection with Cisco Nexus 7000 switch

book

Article ID: 168166

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

Cisco Nexus 7000 NX-OS has a bug with WCCP that prevents the ProxySG from establishing a WCCP session with the Nexus 7000. The ProxySG will not establishing a WCCP session when the ProxySG's WCCP configuration is using defined port numbers for redirection. If Web-Cache (Port 80 only) is used, WCCP is established correctly and redirection works for port 80.

  • Cisco Nexus 7000 NX-OS versions with the known WCCP bug: 4.2 though 4.2(2a). Cisco has identified this as bug #: CSCtg76473

Symptom:

HIM with ZERO (0x0) Recieve ID from WCCP Client where ISY show recieve ID increment. WCCP service will not come up on N7K.

ProxySG reports the following in WCCP Debug Log:

7595.321 WCCP0.C873FD4: Service Group 'Dynamic/91' service mismatch
7595.321 WCCP0.C873FD4: tt=4, tl=20, len=68, buffer_length=120
7595.321 WCCP0.C873FD4: tt=2, tl=20, len=44, buffer_length=120
7595.321 WCCP0.C873FD4: tt=1, tl=24, len=16, buffer_length=120
7595.321 WCCP0.C873FD4: tt=0, tl=4, len=8, buffer_length=120
7595.320 WCCP0.C873FD4: 1148 bytes sent to 10.50.128.1
7595.320 WCCP0.C873FD4: Build_mask_value_set(64), total_weight=0
7595.320 WCCP: Service Group 'Dynamic/91/v2' Timer timeout.

Cisco Nexus 7000 reports this in WCCP debug:

Nexus7K# debug ip wccp events
Nexus7K# debug ip wccp packets

Nexus7K#
2010 May  3 13:21:39.352364 wccp: WCCP-PKT: vrf default service 91: Received valid Here_I_Am packet from 10.50.128.10 w/ Receive ID: 0x0
2010 May  3 13:21:39.352949 wccp: WCCP-PKT: vrf default service 91: Sending I_See_You packet to 10.50.128.10 w/ Receive ID 0x634d
2010 May  3 13:21:49.352300 wccp: WCCP-PKT: vrf default service 91: Received valid Here_I_Am packet from 10.50.128.10 w/ Receive ID: 0x0
2010 May  3 13:21:49.352766 wccp: WCCP-PKT: vrf default service 91: Sending I_See_You packet to 10.50.128.10 w/ Receive ID 0x634e
2010 May  3 13:21:59.352280 wccp: WCCP-PKT: vrf default service 91: Received valid Here_I_Am packet from 10.50.128.10 w/ Receive ID: 0x0
2010 May  3 13:21:59.352841 wccp: WCCP-PKT: vrf default service 91: Sending I_See_You packet to 10.50.128.10 w/ Receive ID 0x634f

Resolution

There is NO workaround to Cisco's WCCP problem if defined port numbers must be used. The only solution is to upgrade the Cisco Nexus 7000 to a fixed version of NX-OS.

Cisco Nexus 7000 NX-OS WCCP bug is Fixed-In:

4.2(6.40)S0
4.2(6)S11
5.0(3)S6
5.1(0.159)S18
5.1(0.172)S6
5.1(0.180)S0

Note: The reported versions of NX-OS that has the fix has not been tested by Blue Coat. The reported versions with the fix are from Cisco's Bug Details for bug number CSCtg76473 .

If the problem is still happening after upgrading, try changing the WCCP MASK bit setting on the proxy. Cisco also has a problem when a large number of mask bits are used. Try setting the number of MASK bits from 6 to 1 to see if it resolves the problems.

The ProxySG’s default mask 0x3F is applied to the IP address or the port’s least significant bits. Newer ProxySG SGOS 5.5.x and 6.x gives the administrator the ability to configure a custom mask value for the mask assignment. The new mask-value option is only settable in the ‘Install WCCP Settings’ field under the WCCP tab. The ProxySG WCCP mask value command is mask-value 0x[hex string].

The number of bits specified for the mask determines the number of address buckets created for the assignment pool (2^n). The number of bits used in the mask must provide enough buckets to be apportioned to each ProxySG assigned to the service group, taking into account the load balancing weight assigned to each device. A 1-bit mask can support only 2 ProxySG devices (2^1 = 2) while a 5-bit (or more) mask can support 32 ProyxSG devices (2^5 = 32), the maximum number allowed in a service group. ProxySG uses 6 bits for its default mask 0x3F.

Example:
wccp enable
wccp version 2
service-group 15
forwarding-type L2
multicast-ttl 1
priority 0
protocol 6
interface 0:0
primary-hash-weight 0:0 0
home-router 10.78.57.233
assignment-type mask
mask-scheme source-ip
mask-value 0x1
end