WCCP router affinity feature not working as expected


Article ID: 168220


Products

ProxySG Software - SGOS

Issue/Introduction

Suppose client-side router affinity is enabled, but a packet capture shows that the proxy
is not replying to the client using the return method (for example, GRE),
like so:

This is the redirected SYN packet from the router via IP GRE:

160  10.763378 10.128.1.155 -> 171.161.203.100 TCP 90 3757 > 443 [SYN] Seq=1872937827 Win=64240 Len=0 MSS=1460 SACK_PERM=1

Internet Protocol Version 4, Src: 10.128.1.250 (10.128.1.250), Dst: 10.155.180.20 (10.155.180.20)
Generic Routing Encapsulation (WCCP)
    Protocol Type: WCCP (0x883e)
    Redirect Header
        0... .... = Dynamic Service: Well-known service
        .0.. .... = Alternative bucket used: Primary bucket used
        Service ID: HTTP (0)
        Alternative Bucket: 0
        Primary Bucket: 0
Internet Protocol Version 4, Src: 10.128.1.155 (10.128.1.155), Dst: 171.161.203.100 (171.161.203.100)

but the ProxySG responds directly, not via GRE, even though router affinity is enabled:

161  10.763723 171.161.203.100 -> 10.128.1.155 TCP 62 443 > 3757 [SYN, ACK] Seq=3544807442 Ack=1872937828 Win=65535 Len=0 MSS=1420 SACK_PERM=1

Internet Protocol Version 4, Src: 171.161.203.100 (171.161.203.100), Dst: 10.128.1.155 (10.128.1.155)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 48
    Identification: 0x7754 (30548)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0x0000 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 171.161.203.100 (171.161.203.100)
    Destination: 10.128.1.155 (10.128.1.155)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 443 (443), Dst Port: 3757 (3757), Seq: 3544807442, Ack: 1872937828, Len: 0

As you can see above, the SYN-ACK packet was not returned to the router via IP-GRE.

Cause

By design, the ProxySG will not honor the Router Affinity settings for WCCP if the Router Identity Element
differs from the home router IP set in the WCCP configuration on the proxy.

For example, consider this I_SEE_YOU message from the router to the proxy:

Router to Proxy
 24   1.507517 10.155.180.1 -> 10.155.180.20 WCCP 1230 2.0 I see you

Web Cache Communication Protocol
    WCCP Message Type: 2.0 I see you (11)
    WCCP Version: 0x0200
    Length: 1180
    Message Component (Security Info)
        Type: Security Info (0)
        Length: 4
        Security Option: None (0)
    Message Component (Service Info)
        Type: Service Info (1)
        Length: 24
        Service Type: Dynamic service (1)
        Service ID: Unknown (64)
        Priority: 0
        Protocol: 6
        Flags: 0x00000010
            .... .... .... .... .... .... .... ...0 = Source IP address in primary hash: Not used
            .... .... .... .... .... .... .... ..0. = Destination IP address in primary hash: Not used
            .... .... .... .... .... .... .... .0.. = Source port in primary hash: Not used
            .... .... .... .... .... .... .... 0... = Destination port in primary hash: Not used
            .... .... .... .... .... .... ...1 .... = Ports: Defined
            .... .... .... .... .... .... ..0. .... = Ports refer to: Destination port
            .... .... .... .... .... ...0 .... .... = Source IP address in secondary hash: Not used
            .... .... .... .... .... ..0. .... .... = Destination IP address in secondary hash: Not used
            .... .... .... .... .... .0.. .... .... = Source port in secondary hash: Not used
            .... .... .... .... .... 0... .... .... = Destination port in secondary hash: Not used
        Port: 80
        Port: 443
        Port: 0
        Port: 0
        Port: 0
        Port: 0
        Port: 0
        Port: 0
    Message Component (Router Identity Info)
        Type: Router Identity Info (2)
        Length: 20
        Router Identity Element: IP address 10.155.185.1
            IP Address: 10.155.185.1 (10.155.185.1)
            Received ID: 93054
        Sent To IP Address: 10.155.185.1 (10.155.185.1)
        Number of Received From IP addresses: 1
        Received From IP Address: Received From IP Address 0: 10.155.180.20

In this message, the Router Identity Element IP address is 10.155.185.1.

If the WCCP home router IP configured on the ProxySG does not match this Router Identity Element IP address, router affinity will not be used.

The reason for this logic is to ensure that the traffic is not redirected to the wrong router, and to avoid the possibility of lost or intercepted data.

Resolution

Make sure that the WCCP home router IP matches the Router Identity Element IP address that the router sends in
its WCCP I_SEE_YOU message. To do this, either change the home router IP in the WCCP settings on the proxy, or change the Router Identity Element IP on the Cisco router (please contact Cisco support for help with router
configuration and WCCP support on the router).
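
The comparison described above can be checked directly against a captured I_SEE_YOU payload. The following is an added example, not Broadcom or Cisco code: it walks the WCCP 2.0 components, extracts the Router Identity Element IP and compares it with a home router IP. The sample message is constructed from the field values in the capture above and carries only the first three components; the home router value 10.155.180.1 is an assumption (the source address of the I_SEE_YOU packet), since the article does not state the configured value.

```python
import ipaddress
import struct

I_SEE_YOU = 11               # WCCP Message Type seen in the capture
ROUTER_IDENTITY_INFO = 2     # component type seen in the capture

def _ip(addr):
    return ipaddress.IPv4Address(addr).packed

def build_sample_i_see_you(router_id, sent_to, received_from):
    """Constructed sample: header + Security, Service, Router Identity components."""
    security = struct.pack("!HHI", 0, 4, 0)            # Security Option: None
    service = struct.pack("!HHBBBBI8H", 1, 24, 1, 64, 0, 6, 0x10,
                          80, 443, 0, 0, 0, 0, 0, 0)    # dynamic service 64
    ident = (_ip(router_id) + struct.pack("!I", 93054) + _ip(sent_to)
             + struct.pack("!I", 1) + _ip(received_from))
    ident = struct.pack("!HH", ROUTER_IDENTITY_INFO, len(ident)) + ident
    body = security + service + ident
    # The header Length field counts the bytes after the 8-byte header.
    return struct.pack("!IHH", I_SEE_YOU, 0x0200, len(body)) + body

def router_identity(payload):
    """Return the Router Identity Element IP from a WCCP 2.0 I_SEE_YOU payload."""
    if len(payload) < 8:
        raise ValueError("truncated WCCP header")
    msg_type, version, length = struct.unpack_from("!IHH", payload, 0)
    if msg_type != I_SEE_YOU or version != 0x0200:
        raise ValueError("not a WCCP 2.0 I_SEE_YOU message")
    offset, end = 8, min(len(payload), 8 + length)
    while offset + 4 <= end:
        comp_type, comp_len = struct.unpack_from("!HH", payload, offset)
        offset += 4
        if offset + comp_len > end:
            raise ValueError("component overruns message")
        if comp_type == ROUTER_IDENTITY_INFO:
            if comp_len < 4:
                raise ValueError("Router Identity Info too short")
            return str(ipaddress.IPv4Address(payload[offset:offset + 4]))
        offset += comp_len
    raise ValueError("no Router Identity Info component")

def affinity_honored(payload, home_router_ip):
    """Article's rule: affinity is used only when the two addresses match."""
    return _ip(router_identity(payload)) == _ip(home_router_ip)

if __name__ == "__main__":
    msg = build_sample_i_see_you("10.155.185.1", "10.155.185.1", "10.155.180.20")
    for home in ("10.155.180.1", "10.155.185.1"):   # assumed home router values
        print(home, "->", "match" if affinity_honored(msg, home) else "MISMATCH")
```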