Support Forum
limvuihan
New Contributor

After enabling WCCP on a policy, the traffic hits another rule

After enabling WCCP the output changed.

Any reason for the session not hitting the rule?

Herewith the diagnostic output:

id=20085 trace_id=533 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.32.45.254 via dmz"
id=20085 trace_id=533 func=fw_forward_handler line=686 msg="Allowed by Policy-2: SNAT"
id=20085 trace_id=533 func=__ip_session_run_tuple line=2597 msg="SNAT 10.10.10.1->10.32.45.50:58861"
id=20085 trace_id=534 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:58861->1.1.1.1:443) from internal1. flag [.], seq 290866627, ack 926030060, win 16567"
id=20085 trace_id=534 func=resolve_ip_tuple_fast line=4541 msg="Find an existing session, id-00009b24, original direction"
id=20085 trace_id=534 func=__ip_session_run_tuple line=2597 msg="SNAT 10.10.10.1->10.32.45.50:58861"
id=20085 trace_id=535 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:58861->1.1.1.1:443) from internal1. flag [F.], seq 290870012, ack 926035147, win 16695"
id=20085 trace_id=535 func=resolve_ip_tuple_fast line=4541 msg="Find an existing session, id-00009b24, original direction"
id=20085 trace_id=535 func=fw_forward_dirty_handler line=354 msg="blocked by forwarding policy (internal1->dmz), drop"
id=20085 trace_id=535 func=__ip_session_run_tuple line=2597 msg="SNAT 10.10.10.1->10.32.45.50:58861"
id=20085 trace_id=536 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:58861->1.1.1.1:443) from internal1. flag [F.], seq 290870012, ack 926035147, win 16695"
id=20085 trace_id=536 func=resolve_ip_tuple_fast line=4541 msg="Find an existing session, id-00009b24, original direction"
id=20085 trace_id=536 func=__ip_session_run_tuple line=2597 msg="SNAT 10.10.10.1->10.32.45.50:58861"
id=20085 trace_id=537 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:58861->1.1.1.1:443) from internal1. flag [F.], seq 290870012, ack 926035147, win 16695"
id=20085 trace_id=537 func=resolve_ip_tuple_fast line=4541 msg="Find an existing session, id-00009b24, original direction"
id=20085 trace_id=537 func=__ip_session_run_tuple line=2597 msg="SNAT 10.10.10.1->10.32.45.50:58861"
id=20085 trace_id=538 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:58861->1.1.1.1:443) from internal1. flag [F.], seq 290870012, ack 926035147, win 16695"
id=20085 trace_id=538 func=resolve_ip_tuple_fast line=4541 msg="Find an existing session, id-00009b24, original direction"
id=20085 trace_id=538 func=__ip_session_run_tuple line=2597 msg="SNAT 10.10.10.1->10.32.45.50:58861"
id=20085 trace_id=539 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:58861->1.1.1.1:443) from internal1. flag [F.], seq 290870012, ack 926035147, win 16695"
id=20085 trace_id=539 func=resolve_ip_tuple_fast line=4541 msg="Find an existing session, id-00009b24, original direction"
id=20085 trace_id=539 func=__ip_session_run_tuple line=2597 msg="SNAT 10.10.10.1->10.32.45.50:58861"
id=20085 trace_id=540 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:58861->1.1.1.1:443) from internal1. flag [F.], seq 290870012, ack 926035147, win 16695"
id=20085 trace_id=540 func=resolve_ip_tuple_fast line=4541 msg="Find an existing session, id-00009b24, original direction"
id=20085 trace_id=540 func=__ip_session_run_tuple line=2597 msg="SNAT 10.10.10.1->10.32.45.50:58861"
id=20085 trace_id=541 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:58861->1.1.1.1:443) from internal1. flag [R.], seq 290870013, ack 926035147, win 0"
id=20085 trace_id=541 func=resolve_ip_tuple_fast line=4541 msg="Find an existing session, id-00009b24, original direction"
id=20085 trace_id=541 func=__ip_session_run_tuple line=2597 msg="SNAT 10.10.10.1->10.32.45.50:58861"
id=20085 trace_id=542 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:58892->1.1.1.1:443) from internal1. flag , seq 134236980, ack 0, win 8192"
id=20085 trace_id=542 func=init_ip_session_common line=4631 msg="allocate a new session-00009b84"
id=20085 trace_id=542 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.32.45.254 via dmz"
id=20085 trace_id=542 func=fw_forward_handler line=561 msg="Denied by forward policy check (policy 0)"

7 REPLIES
emnoc
Esteemed Contributor III

Okay, what does fwpolicyid2 have? What do you have for WCCP?

PCNSE NSE StrongSwan
limvuihan

policy 2 is permit ip any any

WCCP
- L2 WCCP
- performed diag wccp with positive result
- cache server wccp status is ready

Config

config system wccp
    edit "90"
        set router-id 10.10.10.254
        set group-address 0.0.0.0
        set server-list 10.10.10.212 255.255.255.255
        set authentication disable
        set forward-method L2
        set return-method L2
        set assignment-method HASH
    next
end

The interface also has wccp enabled.

limvuihan

Hi All,

Debug log

Before:

id=20085 trace_id=2077 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:50315->157.240.10.35:443) from internal1. flag , seq 2021934820, ack 0, win 8192"
id=20085 trace_id=2077 func=init_ip_session_common line=4631 msg="allocate a new session-000fd017"
id=20085 trace_id=2077 func=iprope_dnat_check line=4633 msg="in-[internal1], out-[]"
id=20085 trace_id=2077 func=iprope_dnat_check line=4646 msg="result: skb_flags-00800000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=2077 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.10.10.254 via wan1"
id=20085 trace_id=2077 func=iprope_fwd_check line=630 msg="in-[internal1], out-[wan1], skb_flags-00800000, vid-0"
id=20085 trace_id=2077 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=4"
id=20085 trace_id=2077 func=__iprope_check_one_policy line=1833 msg="checked gnum-100004 policy-1, ret-no-match, act-accept"
id=20085 trace_id=2077 func=__iprope_check_one_policy line=1833 msg="checked gnum-100004 policy-10, ret-matched, act-accept"
id=20085 trace_id=2077 func=__iprope_user_identity_check line=1668 msg="ret-matched"
id=20085 trace_id=2077 func=__iprope_check line=2043 msg="gnum-4e20, check-f8afca50"
id=20085 trace_id=2077 func=__iprope_check_one_policy line=1833 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=2077 func=__iprope_check_one_policy line=1833 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=2077 func=__iprope_check_one_policy line=1833 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=2077 func=__iprope_check line=2062 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=20085 trace_id=2077 func=get_new_addr line=2759 msg="find SNAT: IP-10.10.10.254(from IPPOOL), port-50315"
id=20085 trace_id=2077 func=__iprope_check_one_policy line=2014 msg="policy-10 is matched, act-accept"
id=20085 trace_id=2077 func=iprope_fwd_auth_check line=682 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-10"
id=20085 trace_id=2077 func=iprope_reverse_dnat_check line=800 msg="in-[internal1], out-[wan1], skb_flags-00800000, vid-0"
id=20085 trace_id=2077 func=fw_forward_handler line=686 msg="Allowed by Policy-10: SNAT"

Enable WCCP on policy 10:

FGT60D# config firewall policy 10
FGT60D(policy) # edit 10
FGT60D(10) # set wccp enable
FGT60D(10) # end

Diag debug shows it hit policy 11:

id=20085 trace_id=2099 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:50331->157.240.10.35:443) from internal1. flag , seq 3202453016, ack 0, win 8192"
id=20085 trace_id=2099 func=init_ip_session_common line=4631 msg="allocate a new session-000fd0ce"
id=20085 trace_id=2099 func=iprope_dnat_check line=4633 msg="in-[internal1], out-[]"
id=20085 trace_id=2099 func=iprope_dnat_check line=4646 msg="result: skb_flags-00800000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=2099 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.10.10.254 via wan1"
id=20085 trace_id=2099 func=iprope_fwd_check line=630 msg="in-[internal1], out-[wan1], skb_flags-00800000, vid-0"
id=20085 trace_id=2099 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=4"
id=20085 trace_id=2099 func=__iprope_check_one_policy line=1833 msg="checked gnum-100004 policy-1, ret-no-match, act-accept"
id=20085 trace_id=2099 func=__iprope_check_one_policy line=1833 msg="checked gnum-100004 policy-10, ret-no-match, act-accept"
id=20085 trace_id=2099 func=__iprope_check_one_policy line=1833a msg="checked gnum-100004 policy-11, ret-matched, act-accept"
id=20085 trace_id=2099 func=__iprope_user_identity_check line=1668 msg="ret-matched"
id=20085 trace_id=2099 func=__iprope_check line=2043 msg="gnum-4e20, check-f8afca50"
id=20085 trace_id=2099 func=__iprope_check_one_policy line=1833 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=2099 func=__iprope_check_one_policy line=1833 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=2099 func=__iprope_check_one_policy line=1833 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=2099 func=__iprope_check line=2062 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=20085 trace_id=2099 func=get_new_addr line=2759 msg="find SNAT: IP-10.10.10.254(from IPPOOL), port-50331"
id=20085 trace_id=2099 func=__iprope_check_one_policy line=2014 msg="policy-11 is matched, act-accept"
id=20085 trace_id=2099 func=iprope_fwd_auth_check line=682 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-11"
id=20085 trace_id=2099 func=iprope_reverse_dnat_check line=800 msg="in-[internal1], out-[wan1], skb_flags-00800000, vid-0"
id=20085 trace_id=2099 func=fw_forward_handler line=686 msg="Allowed by Policy-11: SNAT"
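Reading these "before" and "after" captures (and the first capture in the opening post) by eye means hunting for the "checked ... policy-N, ret-matched" and "Allowed by Policy-N" / "Denied by forward policy check" records for each trace_id. As an added example, not code from this thread or from Fortinet, the Python script below parses `diagnose debug flow` records in the format pasted here, summarizes per trace_id which policies were evaluated and the final verdict, and then diffs two captures flow by flow so a change in the matched policy stands out. The record and message regexes are assumptions derived from the lines pasted in this thread, not a documented Fortinet format, and the two sample captures are constructed, trimmed to the relevant records.

```python
"""Summarize FortiGate 'diagnose debug flow' output: which policies each
trace_id evaluated and what the final forwarding verdict was, then diff
two captures (e.g. before/after a policy change) flow by flow."""
import re
from collections import OrderedDict

# One flow-trace record: id=... trace_id=... func=... line=... msg="..."
# (format assumed from the output pasted in this thread)
RECORD_RE = re.compile(
    r'id=(?P<id>\d+)\s+trace_id=(?P<trace>\d+)\s+func=(?P<func>\S+)\s+'
    r'line=(?P<line>\S+)\s+msg="(?P<msg>[^"]*)"')
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), (?P<src>\S+)->(?P<dst>\S+)\) from (?P<intf>\S+)\.')
CHECK_RE = re.compile(r'checked gnum-(?P<gnum>\w+) policy-(?P<pid>\d+), ret-(?P<ret>[\w-]+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<pid>\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (?P<pid>\d+)\)')


def parse_records(text):
    """Split flattened or multi-line flow output into one dict per record."""
    return [m.groupdict() for m in RECORD_RE.finditer(text)]


def summarize(text):
    """Return {trace_id: summary} with the packet tuple, every policy checked
    (gnum, policy id, result), the final verdict and the deciding policy."""
    traces = OrderedDict()
    for rec in parse_records(text):
        tid = int(rec['trace'])
        s = traces.setdefault(tid, {'packet': None, 'checked': [], 'verdict': None,
                                    'policy': None, 'session': None})
        msg = rec['msg']
        if m := PKT_RE.search(msg):
            s['packet'] = (m['intf'], m['src'], m['dst'], int(m['proto']))
        elif m := CHECK_RE.search(msg):
            s['checked'].append((m['gnum'], int(m['pid']), m['ret']))
        elif m := ALLOW_RE.search(msg):
            s['verdict'], s['policy'] = 'allow', int(m['pid'])
        elif m := DENY_RE.search(msg):
            s['verdict'], s['policy'] = 'deny', int(m['pid'])
        elif 'blocked by forwarding policy' in msg:
            s['verdict'] = 'drop'      # mid-session drop (fw_forward_dirty_handler)
        elif msg.startswith('Find an existing session'):
            s['session'] = msg.split('id-', 1)[1].split(',', 1)[0]
    return traces


def policy_changes(before, after):
    """Pair flows between two captures by (ingress intf, dst, proto), ignoring
    the ephemeral source port, and list those whose policy or verdict differ."""
    def key(s):
        intf, _src, dst, proto = s['packet']
        return (intf, dst, proto)
    earlier = {key(s): s for s in summarize(before).values() if s['packet']}
    changes = []
    for s in summarize(after).values():
        if not s['packet']:
            continue               # trace started mid-capture; nothing to key on
        prev = earlier.get(key(s))
        if prev and (prev['policy'], prev['verdict']) != (s['policy'], s['verdict']):
            changes.append((key(s), prev['policy'], prev['verdict'], s['policy'], s['verdict']))
    return changes


# Constructed sample captures in the thread's record format, trimmed to the
# records that matter (not the full output pasted above).
BEFORE = (
    'id=20085 trace_id=2077 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:50315->157.240.10.35:443) from internal1. flag , seq 2021934820, ack 0, win 8192" '
    'id=20085 trace_id=2077 func=__iprope_check_one_policy line=1833 msg="checked gnum-100004 policy-1, ret-no-match, act-accept" '
    'id=20085 trace_id=2077 func=__iprope_check_one_policy line=1833 msg="checked gnum-100004 policy-10, ret-matched, act-accept" '
    'id=20085 trace_id=2077 func=fw_forward_handler line=686 msg="Allowed by Policy-10: SNAT" '
    'id=20085 trace_id=533 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:58861->1.1.1.1:443) from internal1. flag , seq 290866626, ack 0, win 8192" '
    'id=20085 trace_id=533 func=fw_forward_handler line=686 msg="Allowed by Policy-2: SNAT"'
)
AFTER = (
    'id=20085 trace_id=2099 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:50331->157.240.10.35:443) from internal1. flag , seq 3202453016, ack 0, win 8192"\n'
    'id=20085 trace_id=2099 func=__iprope_check_one_policy line=1833 msg="checked gnum-100004 policy-1, ret-no-match, act-accept"\n'
    'id=20085 trace_id=2099 func=__iprope_check_one_policy line=1833 msg="checked gnum-100004 policy-10, ret-no-match, act-accept"\n'
    'id=20085 trace_id=2099 func=__iprope_check_one_policy line=1833 msg="checked gnum-100004 policy-11, ret-matched, act-accept"\n'
    'id=20085 trace_id=2099 func=fw_forward_handler line=686 msg="Allowed by Policy-11: SNAT"\n'
    'id=20085 trace_id=542 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:58892->1.1.1.1:443) from internal1. flag , seq 134236980, ack 0, win 8192"\n'
    'id=20085 trace_id=542 func=fw_forward_handler line=561 msg="Denied by forward policy check (policy 0)"'
)

if __name__ == '__main__':
    for tid, s in summarize(AFTER).items():
        matched = [pid for _, pid, ret in s['checked'] if ret == 'matched']
        print(f"trace {tid}: {s['packet']} matched={matched} -> {s['verdict']} by policy {s['policy']}")
    for k, p0, v0, p1, v1 in policy_changes(BEFORE, AFTER):
        print(f"{k}: policy {p0}/{v0} -> policy {p1}/{v1}")
```

Feed it the raw text of two captures (pasted flat on one line or one record per line, both parse) and the diff tells you, per destination flow, which policy decided it in each capture; a `None` policy with verdict `drop` marks the mid-session "blocked by forwarding policy" case from the first capture rather than a policy lookup.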

emnoc
Esteemed Contributor III

Oh okay, let's start:

Q: what traffic are you trying to send to the WCCP proxy? service-group 90 as you showed above is not for HTTP or HTTPS or 443, so I'm guessing it's a custom service-group.

Next: is service-grp 90 actually on the wccp-server? Is the wccp service reachable from that LAN interface?

Reference:

set router-id 10.10.10.254  <---- YOUR FW
set server-list 10.10.10.212 255.255.255.255   <--- YOUR WCCP SERVER for group 90

Did you run any diag test app wccpd, and what does the wccp server show for service-group 100?

Are you sure the wccp-server is set for L2 and not GRE? (again, diag debug and statistics from the wccp-server)

And last, did you check for any system global wccp disabled?

CLI cmd: show full sys global | grep wccp

To me it would sound like WCCP is not up, client_servers are wrong, or service-group is not honored. I would also reset the fwpolicy just for HTTP or HTTPS if that's what you're trying to do.


config firewall policy
    edit 0
        set srcintf internal1
        set dstintf WAN    <--- set the real outgoing interface where your internet sits
        set srcaddr "LOCALLANCLIENTNET"
        set dstaddr all
        set service HTTP HTTPS
        set action accept
        set logtraffic all
        set schedule always
        set wccp enable
        ( do not enable NAT )
    next
end

config firewall address
    edit LOCALLANCLIENTNET
        set subnet xxx.xxx.xxx.xxx/xxx
        set comment "HERE'S MY internal lan clients that need WCCP intercept"
    next
end

Move the new fwpolicy to the top of the list.

Ken
limvuihan

emnoc wrote:
Q: what traffic are you trying to send to the WCCP proxy? service-group 90 as you showed above is not for HTTP or HTTPS or 443, so I'm guessing it's a custom service-group.

Yup, we tried to send it to the cache server.
Do you mean there is a custom service group for HTTP and HTTPS?

WCCP output: we verified the WCCP server receives Here I Am and I See You.

FG60 # diagnose test application wccpd 3
service-90 in vdom-root: num=1, usable=1
cache server ID: len=44, addr=10.10.10.212, weight=0, status=0
rcv_id=32937, usable=1, fm=2, nq=0, dev=7(k7), to=10.10.10.254
ch_no=0, num_router=1: 10.10.10.254

FG60 # diagnose test application wccpd 32
vdom-root: work mode:router working NAT first_phy_id=7
interface list: intf=internal1, gid=7 phy_id=7
service list: service: 90, router_id=10.10.10.254, group=0.0.0.0, auth(no) access access:10.10.10.212/255.255.255.255) forward=2 return=2, assign=1. erouter_id=10.10.10.254

FG60 # diagnose test application wccpd 24
wccp2_handle_here_i_am()-827
service-90 in vdom-root: total_servers=1, usable_servers=1, assign_m=1, rtun_m=2, wcid_len=48, rcv_id=32938, ch_no=1
ID=90, type=1, pri=0, pro=6 f=00000031 Port: 80 443
num-routers=1: 10.10.10.254

FG60 # diagnose test application wccpd 45
service-90 in vdom-root: installed

key: ip=10.10.10.212, change-number=3 cache_list: 1 0. 10.10.10.212 primary assignment: key=10.10.10.212 change-number=3 num_routers=1 router element[0]: router_id=10.10.10.254, receive_id=5, ch_no=1 cache-server-num=1, format=not standard: 10.10.10.212 buckets: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

FG60 # wccp2_handle_here_i_am()-827
FG60 # wccp2_handle_here_i_am()-827

FG60 # diagnose test application wccpd 53
service-90 in vdom-root: num=1, usable=1
cache server ID: len=44, addr=10.10.10.212, weight=0, status=0
rcv_id=32940, usable=1, fm=2, nq=0, dev=7(k7), to=10.10.10.254
ch_no=0, num_router=1: 10.10.10.254

FG60 # wccp2_handle_here_i_am()-827 wccp2_handle_here_i_am()-827 wccp2_handle_here_i_am()-827 wccp2_handle_here_i_am()-827

 

 

emnoc wrote:
To me it would sound like WCCP is not up, client_servers are wrong, or service-group is not honored. I would also reset the fwpolicy just for HTTP or HTTPS if that's what you're trying to do.

Service group not honored means?
We tested with the service set to HTTP and HTTPS but were still unable to match the policy.

NATted or without NAT, still the same result.

http://kb.fortinet.com/kb....do?externalId=FD32926

emnoc
Esteemed Contributor III

Hmm, it looks good from what you provided.

What do you see when you do the following:

diag test application wccpd 5

diag debug application wccpd -1
limvuihan

Hi EMNOC,

Going through the proxy KB, the port is unable to support WCCP although it allows it to be configured and WCCP is up.

By changing the proxy port, it showed up.

Thanks
