Thursday, April 10, 2014

We are bitten, again! FortiGate as WCCP client and ASA as WCCP server

After much troubleshooting, tracing and head scratching, we found out why!

Unlike Squid, FortiGate as a WCCP client can only do GRE return mode. ASA's WCCP server implementation, on the other hand, does not support GRE return mode.

Well, FortiGate as a WCCP client can also do L2 mode for both forward and return, but ASA can't do L2 mode at all.

So, in essence, **they** don't talk. At least for the time being, you can't deploy ASA as the WCCP server and have FortiGate as the WCCP client.

Note: BlueCoat as a WCCP client can do all of those modes: L2, return directly to client, and GRE return.

Other links of interest

“….WCCP redirection is supported only on the ingress of an interface. The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client, without going through the adaptive security appliance….”