WAAS, ASA, IPSEC: Problem with optimization

Unanswered Question
Jun 11th, 2008

Hello,


We have problems getting WAAS (4.0.17b14) to work in conjunction with an ASA (8.03) and a VPN router (12.4(15)T5).

The flow is:


Cat6509 (122-18.SXF14) with WCCP v2 configured and GRE redirect (one-arm) -> ASA (8.03) with inspect waas -> L2L tunnel -> CSC 876 with GRE redirect and FW feature on the Dialer and LAN interface.


Problem: If I configure wccp redirect 61 in and wccp 62 out on the LAN interface and redirect exclude on the WAE interface, nothing works over the router. The WCCP peers are established and "sh ip wccp" shows rising counters on the 876. After configuring wccp 62 in on the Dialer interface (with IPsec and FW inspection) it works for the users, but no policy is bound to the connections (see attachments). "show tfo connection" shows no entries. All policies are configured for default.


Are there any ideas to solve this problem?


Kind Regards.


Volker



bwilmoth Tue, 06/17/2008 - 06:35

The DF bit with IPSec tunnels feature lets you specify whether the security appliance can clear, set, or copy the Don't Fragment (DF) bit from the encapsulated header. The DF bit within the IP header determines whether a device is allowed to fragment a packet.


Use the crypto ipsec df-bit command in global configuration mode to configure the security appliance to specify the DF bit in an encapsulated header.


When encapsulating tunnel mode IPSec traffic, use the clear-df setting for the DF bit. This setting lets the device send packets larger than the available MTU size. Also this setting is appropriate if you do not know the available MTU size.


Examples


The following example, entered in global configuration mode, sets the IPSec DF policy to clear-df:


hostname(config)# crypto ipsec df-bit clear-df inside


http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/c5_711.html



Volker Janusch Tue, 06/17/2008 - 22:53

Thank you for this detailed information. Yesterday I solved the problem as follows:


Disabling the FW feature on the branch router, because it was not needed for user traffic.


Additionally, I configured "inspect waas" on the ASA to avoid removing option 33.
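As an added illustration (not configuration posted in this thread), the pieces the two posts describe, in the state Volker reports as working: WCCP 61/62 redirection on the 876's LAN interface with the WAE's interface excluded from re-redirection, no IOS firewall inspection on the Dialer for user traffic, and "inspect waas" on the ASA so the WAAS TCP option (option 33) is not stripped by the TCP normaliser, plus the df-bit setting from bwilmoth's reply. Interface names, IP addresses and the interface chosen for the df-bit command are assumptions; the commands themselves are standard IOS and ASA syntax.

```cisco
! --- Cisco 876 branch router (IOS 12.4T), illustrative; interface names and addresses assumed ---
ip wccp 61
ip wccp 62
!
! LAN interface: redirect client-to-server (61) inbound and server-to-client (62) outbound
interface Vlan1
 description LAN (assumed name)
 ip address 192.168.10.1 255.255.255.0
 ip wccp 61 redirect in
 ip wccp 62 redirect out
!
! WAE interface: traffic returned by the WAE must not be redirected again
interface Vlan2
 description WAE segment (assumed name)
 ip address 192.168.20.1 255.255.255.0
 ip wccp redirect exclude in
!
! Dialer: no "ip inspect" applied for user traffic, which is what the final post removed
interface Dialer0
 description IPsec peer facing interface (assumed name)
!
! --- ASA 8.0(3), illustrative ---
! Let WAAS option 33 pass the ASA's TCP normaliser instead of being removed
policy-map global_policy
 class inspection_default
  inspect waas
!
service-policy global_policy global
!
! DF-bit handling from bwilmoth's reply; the doc example uses "inside",
! the interface to name is the one carrying the IPsec tunnel (assumed here)
crypto ipsec df-bit clear-df outside
```

The two WCCP service groups must be on different interfaces in the direction shown, otherwise a flow can be redirected twice; the "redirect exclude in" on the WAE segment is what prevents the loop the first post describes when redirection is moved around between the LAN and Dialer interfaces.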
