WAAS DISCOVERS NO PEER

Unanswered Question
Sep 3rd, 2008

Hello,

I have two waas boxe, one in the data centre as teh core and the other as the edge. They both register with the central manager and they both see traffic but everything is passthrough as no policies are applied. They are in the same device group so that is not the problem. The issue is the two devices dont peer with each other. What could be the problem as the configs on the waes are standard and have been used successfully before in pervious deployments. Could it be one of the boxes have a problem and how can i check?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
dstolt Wed, 09/03/2008 - 10:13

Have you verified that both WAEs are seeing traffic? Do you see all the connections in both under "sh tfo con sum"? If so, what are the PT reasons they list?


Thanks,

Dan

CSCO11117246 Thu, 09/04/2008 - 00:15

Hi Dan,

Yes.Both WAEs see traffic. The reasons listed are PT in progress and PT no peer. As a result there are not blue boxes on the topology page.

dstolt Thu, 09/04/2008 - 04:07

Do both WAEs see the same traffic in the connection lists?


How are you intercepting? Can you share your topology?

kmr Thu, 09/04/2008 - 06:42

I am having the same issue after upgrading to 4.1.1. I opened a TAC case over an hour ago but have not received a return call.

Can you detail what commands in CLI to use to provide the information you are requesting?

UPDATE: sh auto-discovery list

E: Established, S: Syn, A: Ack, F: Fin, R: Reset

s: sent, r: received, O: Options, P: Passthrough


Src-IP:Port Dst-IP:Port Orig-St Term-St


Edge WAE is not performing auto-discovery? Core WAE is performing auto-discovery.

dstolt Fri, 09/05/2008 - 10:23

The commands in 4.1 have changed to more reflect parity across the show commands and other new feature commands.


Have you got what you needed from the TAC?


Dan

kmr Fri, 09/05/2008 - 10:38

TAC was able to point me in the right direction.

kmr Tue, 09/16/2008 - 05:04

For me, changes were made to routing. Multiple routes existed for the redirected traffic, it was not being intercepted properly and peer discovery was not occuring properly.

miwitte Wed, 09/17/2008 - 16:04

I am having the same issue. How did you find the multiple routes and what were they to? Where there multiple routes from the edge to the core or core to edge? I am going to the client tommorow hopefully thats it.

SHANNON WYATT Thu, 09/18/2008 - 03:54

I was able to resolve my issue by changing the access list for the WCCP. I guess this is something to do with the changes when going to transperent mode. Previously I had an access list with a permit on the core to the edge networks, and at the edge I had an access list with a permit from the edge to the core networks. After the change to the transparent I had to put a permit on both sides.


So before I had an access list similar to this:

access-list 120 permit ip 192.168.1.0 0.0.255.255 192.168.2.0 0.0.255.255

access-list 120 deny ip any any


Now I have something like:

access-list 120 permit ip 192.168.1.0 0.0.255.255 192.168.2.0 0.0.255.255

access-list 120 permit ip 192.168.2.0 0.0.255.255 192.168.1.0 0.0.255.255

access-list 120 deny ip any any


A quick way to test this is just to change the WCCP to not use an access list by using the commands:

ip wccp 61

ip wccp 62


Obviously this doesn't apply if you are using WAAS inline.



miwitte Thu, 09/18/2008 - 05:13

we have this on the edge, where 10.32.1.0/25 is the lan side of the remote


access-list 100 permit ip 10.32.1.0 0.0.0.127 any

access-list 100 permit ip any 10.32.1.0 0.0.0.127


and this on the core so it should be good.

access-list 100 permit ip 10.32.1.0 0.0.0.127 any

access-list 100 permit ip any 10.32.1.0 0.0.0.127



However i do agree on taking the acl off to see if that it.


miwitte Mon, 09/22/2008 - 04:34

Just a FYI that we had rebooted both the cores one at a time and that seems to have fixed it. Weird.

CSCO11117246 Thu, 09/04/2008 - 10:00

yes they see the same traffic in the connection lists. Please see

below


CORE


10.12.14.7:445 10.12.20.14:4955 PT No Peer

10.12.20.69:3049 10.2.50.103:80 PT No Peer

10.12.29.158:4427 10.12.14.73:1144 PT In Progress

10.12.14.11:8080 10.12.20.62:1855 PT Server Blackli

10.12.14.14:1199 10.12.20.89:3620 PT No Peer

10.12.20.62:1785 10.12.14.7:445 PT In Progress

10.12.29.21:1256 10.2.50.97:80 PT In Progress

10.12.29.33:2248 10.12.14.6:135 PT App Cfg

10.12.29.83:4882 10.2.50.97:80 PT No Peer

10.12.14.9:1142 10.12.29.33:2241 PT In Progress

10.12.14.4:1025 10.12.20.62:1758 PT In Progress

10.12.14.14:1199 10.12.29.28:2361 PT No Peer

10.12.20.33:3448 10.12.14.3:1202 PT In Progress

10.12.20.66:4486 10.12.14.6:135 PT In Progress

10.2.50.97:80 10.12.29.83:4882 PT No Peer

10.12.14.7:445 10.12.20.90:3666 PT In Progress

10.12.29.220:2749 10.12.1.179:1433 PT In Progress

10.12.20.78:3915 10.12.14.14:80 PT No Peer

10.12.20.14:4891 10.12.14.9:1142 PT In Progress

10.12.29.25:4487 10.12.14.14:80 PT No Peer

10.2.50.97:80 10.12.29.85:4612 PT In Progress

10.12.29.56:4305 10.12.14.6:1025 PT In Progress



EDGE


10.12.20.113:3178 10.2.50.103:80 PT No Peer

10.12.14.14:1199 10.12.20.89:3620 PT No Peer

10.12.14.14:1199 10.12.20.32:1489 PT In Progress

10.12.20.62:1887 10.12.14.11:8080 PT In Progress

10.12.14.11:8080 10.12.20.62:1887 PT In Progress

10.12.20.54:1849 10.12.14.3:1202 PT In Progress

10.12.14.14:1199 10.12.20.188:3845 PT In Progress

10.12.14.236:80 10.12.20.78:3918 PT No Peer

10.12.14.4:1025 10.12.20.69:3025 PT In Progress

10.15.1.3:1154 10.12.20.35:50478 PT No Peer

10.12.14.9:1142 10.12.20.75:2770 PT In Progress

10.12.20.75:2773 10.12.14.9:1035 PT No Peer

10.12.14.7:445 10.12.20.63:1492 PT No Peer

10.12.20.75:2767 10.12.14.9:1142 PT No Peer

10.9.1.13:1390 10.12.20.13:2597 PT In Progress

10.12.14.14:1199 10.12.20.69:3055 PT In Progress

10.12.20.78:3915 10.12.14.14:80 PT No Peer

10.2.50.119:8085 10.12.20.62:1903 PT No Peer

10.12.14.9:1142 10.12.20.75:2771 PT In Progress

10.12.20.75:2680 10.9.1.13:1390 PT In Progress

10.12.20.14:4891 10.12.14.9:1142 PT No Peer

10.9.1.13:1390 10.12.20.75:2680 PT In Progress

10.12.14.11:8080 10.12.20.62:1904 PT Server Blacklist

10.12.20.78:3918 10.12.14.236:80 PT No Peer



The core wae is in a separate subnet hanging off the WAN aggregation

router and intercepting traffic using wccp

The edge wae is using wccp egress method to intercept traffic at the remote site


i am running version 4.0.17 and i dont have the command sh auto-discovery list

is there a way out here?

dstolt Fri, 09/05/2008 - 10:21

Do you have any firewalls in between the edges and cores? The fact that your connections are not seeing any peers and some blacklisting may show that something is blocking autodiscovery, possibly due to the TCP options during the syn/syn-ack.


Another thing to look at is if you are intercepting on all of your WAN egress points? Possibly some asynchronise routes where you are not doing interception? Doing traceroutes from the client and server side will assist in tracking something like that down.


The command in 4.0 is "sh tfo auto-discovery list". Another good on is to do "edge-fe1#sh tfo auto-discovery blacklist" to see if you are getting a lot of hits on connections that are getting dumped by firewalls or other deep packet inspection technology.


Dan

Actions

This Discussion