The Edge SWG (ProxySG) is not using the configured WCCP return method


Article ID: 166984


Products

ProxySG Software - SGOS

Issue/Introduction

A request may fail when the routing device expects the Edge SWG (ProxySG) appliance to use the configured "Return Method" (GRE or L2) when responding to the client or when connecting to the upstream/OCS.

Example
An Edge SWG appliance located in a DMZ zone has WCCP traffic redirected to it by a firewall. The WCCP service group is configured to use GRE as its forwarding and return method. The Edge SWG appliance has no way of reaching the client or Internet without going through those firewalls.

The firewall expects the response from the ProxySG to the client to use the negotiated GRE forwarding method rather than being sent directly to the client IP. The firewall keeps the connection state of the previous requests, which were GRE-encapsulated with the firewall as the source IP and the Edge SWG as the destination IP. A direct reply from the Edge SWG does not match that state: when deployed transparently, its source is the OCS (Original Content Server) IP address.

 

Environment

Edge SWG configured with WCCP redirection and a WCCP "Return Method" configured.

Cause

By default, the Edge SWG (ProxySG) appliance will use a routing table lookup when responding to a client or when connecting to the upstream/OCS.

Resolution

The default behavior can be overridden using a feature called "Router-Affinity". With "Router-Affinity" enabled, the Edge SWG uses the configured "Return Method" when responding to the client or when connecting to the OCS, bypassing the default routing table lookup.

This feature adds additional CPU overhead on the router because of the need to process the GRE packets. In addition, the Edge SWG appliance and the router will use a smaller maximum transmission unit (MTU) for GRE packets, which reduces the amount of data that can be transferred per packet.

For more information, see the WCCP section in the Admin Guide.
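One way to confirm from a packet capture which return path the appliance is actually using, as an added example that is not from the vendor article: it classifies packets leaving the proxy as WCCP GRE return traffic or directly routed replies, and shows the 28-byte encapsulation overhead behind the smaller MTU. The addresses and sample packets are constructed, and the parser assumes a GRE header without optional fields.

```python
import struct

GRE_PROTO = 47          # IPv4 protocol number for GRE
TCP_PROTO = 6
WCCP_GRE_TYPE = 0x883E  # GRE protocol type carried by WCCPv2 GRE encapsulation

def _ip(addr):
    return bytes(int(o) for o in addr.split("."))

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 packet for sample data (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, _ip(src), _ip(dst)) + payload

def wccp_gre(outer_src, outer_dst, inner):
    """Outer IP + 4-byte GRE header + 4-byte WCCPv2 redirect header + inner packet."""
    gre = struct.pack("!HH", 0, WCCP_GRE_TYPE) + bytes(4)
    return ipv4(outer_src, outer_dst, GRE_PROTO, gre + inner)

def addrs(pkt):
    return ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))

def classify(pkt, proxy_ip, router_ip):
    """Classify one packet captured leaving the proxy; returns (kind, src, dst)."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = addrs(pkt)
    if pkt[9] == GRE_PROTO and (src, dst) == (proxy_ip, router_ip):
        _flags, gre_type = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if gre_type == WCCP_GRE_TYPE:
            inner = pkt[ihl + 8:]           # skip GRE + redirect header
            return ("gre-return",) + addrs(inner)
    if pkt[9] == TCP_PROTO:
        return ("direct", src, dst)         # sent via routing table lookup
    return ("other", src, dst)

# Constructed sample addresses (documentation ranges), not from the article.
PROXY, ROUTER = "192.0.2.10", "192.0.2.1"
CLIENT, OCS = "198.51.100.25", "203.0.113.80"
REPLY = ipv4(OCS, CLIENT, TCP_PROTO, bytes(20))   # transparent reply, source = OCS
SAMPLES = [REPLY, wccp_gre(PROXY, ROUTER, REPLY)]

if __name__ == "__main__":
    for p in SAMPLES:
        print(classify(p, PROXY, ROUTER), "bytes on wire:", len(p))
```

A capture in which client-bound replies show up only as `direct` while the service group is set to GRE return matches the default routing-table behavior described under Cause.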