Question:
Why does WCCP negotiation fail with error: WCCP debug message: Here_I_Am packet from x.x.x.x w/bad fwd method 00000001, was offered 00000002?
Environment:
- Cisco Web Security Appliance (WSA)
- Cisco Catalyst 4948 Series Switch
- WCCP
Symptoms:
WCCP is not working on Cisco Catalyst 4948 with IOS 12.2. Running 'debug ip wccp events' shows:
000104: 3w0d: WCCP-EVNT:wccp_update_assignment_status: enter
000105: 3w0d: WCCP-EVNT:wccp_update_assignment_status: exit
000106: 3w0d: WCCP-EVNT:S00: Here_I_Am packet from 10.158.116.13 w/bad fwd method 00000001, was offered 00000002
000107: 3w0d: WCCP-EVNT:S00: Here_I_Am packet from 10.158.116.13 with incompatible capabilites
On the Catalyst 'debug ip wccp packets', displays:
000162: 3w0d: WCCP-PKT:S00: Sending I_See_You packet to 10.158.116.13 w/ rcv_id
On WSA, proxy log shows:
16/Apr/2007:19:03:58 +0800 INFO : prox::INFO: Wccp2_i_see_you received from 10.158.116.10 120 bytes
16/Apr/2007:19:03:58 +0800 INFO : prox::INFO: Wccp2_here_i_am sent to router 10.158.116.10 120 bytes
Per the following Cisco support article, the Cisco Catalyst 4948 switch does NOT support WCCPv2 with the GRE encapsulation forwarding method:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_9592.html
Excerpt from the article:
For WCCP version 2, the following are not supported:
- GRE encapsulation forwarding method
- Hash bucket based assignment method
- Redirection on an egress interface (redirection out)
- Redirect-list ACL
WSA will need to be configured to specifically use L2 redirection instead of GRE. This can be configured from the WebUI of the appliance using the below steps:
- GUI > Network > Transparent Redirection.
- <WCCP Service Name> > Advanced > Forwarding Method > L2
- <WCCP Service Name> > Advanced > Return Method > L2
- Submit and commit the changes