WAAS 4.0.13 over IPSec VPN

Unanswered Question
Oct 30th, 2007

Hello All,

We've just deployed a scenario with CM/Core in our Main office and Edge in remote office. We're using DMVPN between offices with lowered MTU/MSS over the tunnels (1400/1360 respectively). The traffic itself between the offices works just fine - we're able to do what we need, however, WAAS doesn't work. Adjusting WAE TCP settings on both ends to match the settings of the Tunnel doesn't help much - we still have a lot of errors in the logs:

The connection of session: [SessionImpl: id=1040563853, clusterId=1040563853, clusterName=ams-nw-wacc01.eu.acncorp.com, inetAddress=ams-nw-wacc01.eu.acncorp.com/10.130.10.251, initiator=false, state=3] has been lost.

And if we redirect traffic via WCCP (using redirect-list), users cannot access the remote network. The connection just seems to hang. errolog-tcpproxy on both ends contain similar messages:

Tue Oct 30 16:16:19 2007: 10.130.12.108:139 - 10.141.12.2:1282 - received hup event from network while waiting to read: Connection reset by peer(err=104)

Tue Oct 30 16:16:21 2007: 10.130.12.101:139 - 10.141.12.2:1272 - received hup event from network while waiting to read: Connection reset by peer(err=104)

Tue Oct 30 16:16:28 2007: 10.141.12.100:4690 - 10.130.12.114:80 - received hup event from network while waiting to read: Connection reset by peer(err=104)

Tue Oct 30 16:16:28 2007: 10.141.12.100:4690 - 10.130.12.114:80 - net_reset:1260: Entering (reset code=5, Opt socket error close while waiting to read)

Tue Oct 30 16:16:35 2007: 10.141.12.2:1227 - 10.130.12.101:139 - received hup event from network while waiting to read: Connection reset by peer(err=104)

Tue Oct 30 16:16:35 2007: 10.141.12.2:1227 - 10.130.12.101:139 - net_reset:1260: Entering (reset code=5, Opt socket error close while waiting to read)

Does anyone have any idea what could be the problem here?

Thx.

jasobrown Wed, 10/31/2007 - 07:31

Are you running IOS FW on the DMVPN routers?

I've seen this type of issue with Pix FW's and the only thing that would "fix" it was to set the MTU on the WAE interface to 1200.

HTH

mathias.lindgre... Thu, 11/01/2007 - 06:35

Hi, what IOS are you running?

We have had the same problems for some weeks as well, but after we applied the following IOS it now works perfectly:

c2800nm-advipservicesk9-mz.124-11.T3.bin

Rgds

Mathias

acneurope Fri, 11/02/2007 - 05:03

Hi,

I forgot to mention that we have WAE's connected to the core switches instead of DMVPN routers (this solution had been suggested by Cisco Pre-Sales so we went ahead with it).

Thx, Serge

acneurope Fri, 11/02/2007 - 02:04

Hello and thanks for an answer,

We run IOS 12.4(17) (not a T-train, had some issues with it before) on both DMVPN routers. However, the WAEs themselves are connected to the core switches:

Main site Catalyst 65xx (IOS 12.2(33)SXH)

Branch site Catalyst 3750 (IOS 12.2(40)SE)

I'll set MTU on WAE's to 1200 and will let you know.

Update:

Changed the MTU on the WAEs' interfaces to 1200, rebooted the devices (just in case), Edge WAAS still cannot connect to the Core WAAS. Test preposition fails with "Network initialization error, retrying in 30sec" messages.

Opened a ticket with TAC, awaiting a reply.

acneurope Tue, 11/06/2007 - 06:59

Ok, to update this topic. After some traffic capturing and analysis we came to the conclusion that the problem is not WCCP or MTU in that case but the CBAC firewall in the DMVPN routers. Since we have 12.4 (non-T train), they don't support the ip inspect WAAS command to pass through WAAS traffic. The routers need to be upgraded to a T-train IOS with this command implemented (12.4(11)T2).

Thx.
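One way to triage the tcpproxy error lines quoted in the opening post, as an added example that is not part of the original thread or any Cisco tooling: it groups "Connection reset by peer" events by flow and service port. The function names and the rule that the lower port is the service side are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime

# Lines quoted in the opening post (the wrapped last line rejoined).
SAMPLE_LOG = """\
Tue Oct 30 16:16:19 2007: 10.130.12.108:139 - 10.141.12.2:1282 - received hup event from network while waiting to read: Connection reset by peer(err=104)
Tue Oct 30 16:16:21 2007: 10.130.12.101:139 - 10.141.12.2:1272 - received hup event from network while waiting to read: Connection reset by peer(err=104)
Tue Oct 30 16:16:28 2007: 10.141.12.100:4690 - 10.130.12.114:80 - received hup event from network while waiting to read: Connection reset by peer(err=104)
Tue Oct 30 16:16:28 2007: 10.141.12.100:4690 - 10.130.12.114:80 - net_reset:1260: Entering (reset code=5, Opt socket error close while waiting to read)
Tue Oct 30 16:16:35 2007: 10.141.12.2:1227 - 10.130.12.101:139 - received hup event from network while waiting to read: Connection reset by peer(err=104)
Tue Oct 30 16:16:35 2007: 10.141.12.2:1227 - 10.130.12.101:139 - net_reset:1260: Entering (reset code=5, Opt socket error close while waiting to read)
"""

LINE_RE = re.compile(
    r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}): "
    r"([\d.]+):(\d+) - ([\d.]+):(\d+) - (.*)$"
)

def parse(text):
    """Yield (timestamp, client, server, service_port, message) per log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrelated lines
        ts, ip1, p1, ip2, p2, msg = m.groups()
        # Assumption: the lower port number is the service side of the flow.
        (sport, server), (cport, client) = sorted([(int(p1), ip1), (int(p2), ip2)])
        when = datetime.strptime(ts, "%a %b %d %H:%M:%S %Y")
        yield when, f"{client}:{cport}", server, sport, msg

def summarize(text):
    """Group peer resets (err=104) by flow and by service port."""
    flows, times = set(), []
    for when, client, server, sport, msg in parse(text):
        if "err=104" in msg:
            flows.add((client, server, sport))
            times.append(when)
    ports = Counter(sport for _, _, sport in flows)
    servers = {server for _, server, _ in flows}
    span = (max(times) - min(times)).total_seconds() if times else 0.0
    return {"flows": len(flows), "ports": dict(ports),
            "servers": len(servers), "span_seconds": span}

if __name__ == "__main__":
    # Resets spread over several servers and unrelated services in a short
    # window point at a device on the shared path, not at one application.
    print(summarize(SAMPLE_LOG))
```

On the quoted lines the resets cover both port 139 and port 80 across three servers within seconds, which fits the thread's conclusion that a device on the common path (the CBAC firewall) was responsible rather than any single service.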
