09-11-2008 06:04 AM
I have a customer who is deploying WAAS on their WAN links. They currently have their serial interfaces configured to encrypt traffic in IPSEC tunnels from the client networks at each site into the home office location. Here is an example configuration:
interface Serial0/0/0.1 point-to-point
 ip address x.x.0.2 255.255.255.252
 no ip redirects
 no ip unreachables
 ntp disable
 no cdp enable
 frame-relay interface-dlci 701 IETF
  class fr-class-voip2
 crypto map combined
The WAE is attached to a separate subnet via a 4ESW. I am using WCCPv2 redirection to redirect traffic on the client network and the serial interface to the WAE.
My WCCP return method is IP forwarding.
When we enabled redirection yesterday all TCP-based traffic was broken. Is the problem with the crypto map being applied to the interface? Does WCCP redirect the actual IPSEC packet before decapsulating it?
Any ideas?
09-11-2008 09:01 AM
Can you outline how you implemented WCCP? It sounds like a loop issue (re-intercepting the traffic leaving the WAE), but can't be sure until we see more info.
If you are doing redirect-out, then you probably need an ip redirect exclude in statement on the WAE interface. If not, it could be something else, but we probably need more data.
Dan
09-11-2008 10:17 AM
Dan,
I am using three interfaces, 1 LAN and 1 WAN with a 3rd interface for the WAE, all routed. I am using WCCP redirect in on the LAN/WAN interfaces 61 and 62 respectively. I am using redirect exclude in on the 3rd WAE interface.
The issue goes away when we remove the cryptomap command.
09-11-2008 11:24 AM
Did you enable WCCP on the physical interface or the subinterface? Also, what version of IOS are you running and what platform?
Another thing you can try if you are using a software-based router is to run 61 (in) and 62 (out) on the LAN interface and see if that comes up OK. You are already using exclude in, so that will prevent re-interception.
Dan
09-11-2008 12:02 PM
Dan,
Here is the relevant configuration:
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$ES_LAN$$FW_INSIDE$
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip wccp 61 redirect in
 ip wccp 62 redirect out
 ip route-cache flow
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
interface Integrated-Service-Engine1/0
 ip address 10.x.1.17 255.255.255.248
 ip wccp redirect exclude in
 service-module ip address 10.x.1.18 255.255.255.248
 service-module ip default-gateway 10.x.1.17
 no keepalive
interface Serial0/0/0.1 point-to-point
 description frame-relay to BellSouthMPLS
 ip address 192.168.0.18 255.255.255.252
 no ip redirects
 no ip unreachables
 no cdp enable
 frame-relay interface-dlci 705 IETF
  class fr-class-voip2
 crypto map combined
When I apply the ip wccp 61 and ip wccp 62 commands I lose TCP at the site.
09-12-2008 07:04 AM
What version of IOS are you running? Can I also see the running config of the WAE?
thanks, Dan
09-12-2008 07:34 AM
Dan,
The customer is running 12.4(9)T AdvIPservices. Can I email you the configuration on the WAE? I would rather not post it.
Mike
09-15-2008 12:32 PM
You can email it to me at dstolt@cisco.com.
Dan
09-23-2008 10:11 PM
We had the same problem with WAAS in conjunction with IP-Sec, even in an in-path deployment.
The solution was to configure a smaller MTU on the WAE, because of the IP-Sec/GRE overhead.
There is a point in the configuration menu of the CM where you can fix that.
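The overhead arithmetic behind the MTU point in the post above, as an added example that is not from any poster or from Cisco: it computes how large a packet becomes after ESP tunnel-mode encapsulation and the largest inner packet and TCP MSS that still fit the path MTU. The 1500-byte path MTU, the two cipher suites, GRE carried inside the ESP tunnel, and all function names are assumptions; the thread does not state the customer's transform set.

```python
# Added example; every parameter below is an assumption, not a value from the thread.
OUTER_IP = 20     # new IPv4 header added by ESP tunnel mode
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad-length + next-header bytes, encrypted with the payload
GRE_IPV4 = 24     # plain GRE over IPv4: 20-byte IP header + 4-byte GRE header
TCP_IP_HDRS = 40  # IPv4 + TCP headers without options

# Constructed sample transform sets: cipher block size, IV size, truncated ICV size.
SUITES = {
    "AES-CBC + HMAC-SHA1-96": dict(block=16, iv=16, icv=12),
    "3DES-CBC + HMAC-SHA1-96": dict(block=8, iv=8, icv=12),
}

def esp_tunnel_size(inner_len, block=16, iv=16, icv=12):
    """Length of the outer IP packet after ESP tunnel-mode encapsulation."""
    body = inner_len + ESP_TRAILER
    padded = -(-body // block) * block  # round up to the cipher block size
    return OUTER_IP + ESP_HDR + iv + padded + icv

def max_inner_packet(path_mtu, block=16, iv=16, icv=12, gre=False):
    """Largest original IP packet that fits path_mtu without fragmentation."""
    room = path_mtu - OUTER_IP - ESP_HDR - iv - icv
    inner = (room // block) * block - ESP_TRAILER  # round down, drop trailer
    return inner - (GRE_IPV4 if gre else 0)

def tcp_mss(inner_packet):
    """TCP MSS that keeps a full segment within inner_packet bytes."""
    return inner_packet - TCP_IP_HDRS

def report(path_mtu=1500):
    """One row per suite and per GRE setting: (suite, gre, max packet, MSS)."""
    rows = []
    for name, params in SUITES.items():
        for gre in (False, True):
            inner = max_inner_packet(path_mtu, gre=gre, **params)
            rows.append((name, gre, inner, tcp_mss(inner)))
    return rows

if __name__ == "__main__":
    # A full-size LAN packet no longer fits a 1500-byte WAN MTU once encrypted.
    print("1500-byte packet after ESP:", esp_tunnel_size(1500), "bytes")
    for name, gre, inner, mss in report():
        label = "with GRE" if gre else "no GRE"
        print(f"{name:24s} {label:9s} max packet {inner}  MSS {mss}")
```

Under these assumptions a full 1500-byte segment grows past the WAN MTU, so any device that originates full-size segments toward the tunnel needs a lower MTU or MSS than the LAN default.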
04-01-2009 09:13 AM
Hello,
Could you please explain the problem more, and why the MTU is a problem?
Do you know what the best value of the MTU on the WAAS is?
Thanks & BR
Moamen
04-01-2009 09:35 AM
I was recently at a Cisco WAAS presentation where the SE said that the order of operations for interfaces where crypto and WAAS have been configured has been changed to allow WCCP to be processed before encryption. Today we had to run WCCP 61 and 62 on the LAN interface since it would not work when applied to the serial interface with the crypto map applied. Has this been resolved? If so, what release of code for the ISR addresses this issue?