Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1349
Views
5
Helpful
4
Replies

Can WAAS work over VPN, if yes please help with registration errors

zheka_pefti
Level 2
Level 2

‎01-15-2009 03:27 PM

Hi folks,

I've reached the point when I started to pull my hair. The WAAS deployment never seems to be ending. We do a pilot deployment for customer of two WAE devices in the remote sites connected via IPSec VPN. There's a perfect IP connectivity between all WAE appliances but whenever I try to register the WAE with the CM by running "cms enable" I end up with errors. Find please attached files showing what I see when I capture the traffic both on the WAE and the CM.

The main stumbling point is that the WAE never seems to receive SYN, ACK packet from the CM and reports about lost TCP segment:

[TCP ACKed lost segment]

Please help or refer me to the right document or source that could shed some light on this problem.

Sincerely

Eugene

Labels:
Preview file
2 KB
Preview file
4 KB
0 Helpful
4 Replies 4

ropethic
Level 4
Level 4

‎01-19-2009 05:19 PM

Looks like packet is being dropped. Check to see if firewall is not allowing 443.

What error message are you getting on the CM log and the remote WAE?

Try "cms deregister force" on CM and then remote WAES.

0 Helpful

zheka_pefti
Level 2
Level 2
In response to ropethic

‎01-19-2009 05:59 PM

Thanks, man for an answer.

I figured that it doesn't have anything to do with WAE at all at least cms registration wise.

The traffic passes three network devices one of them is ASA firewall. But for now I got suprised that after I added this global command on the 2611 router (IOS 12.4.11T) "ip inspect WAAS enable" it worked. I mean only cms registration worked, i.e. connections to port 443 were successful and WAE finally registered with the CM.

Now then I have more problems with other traffic being generated at the remote site.

I see similar errors while doing captures on the WAE while trying to access some network resources from the remote PC. The errors are:

TCP [TCP ACKed lost segment] [TCP Previous segment lost]

I think I have to look into the ASA (software version 7.2(2) ) and the way it handles tcp packets. Any suggestions to start with?

Eugene

0 Helpful

JHaynes4
Level 1
Level 1
In response to zheka_pefti

‎01-21-2009 06:57 AM

The WAAS adds a very large number to the TCP sequence number and will cause issues with firewalls. This is why your command (ip inspect WAAS enable) fixed the issue on the 2611. The ASA will need an inspect WAAS class-map added to it mst likely as well.

zheka_pefti
Level 2
Level 2
In response to JHaynes4

‎01-21-2009 10:36 AM

That was added to the ASA but WAAS optimization didn't work until we reduced mss values on WAE devices. Since the traffic between the remote site and the HQ passed via MPLS cloud inside IPSec tunnel we had to lower tfo tcp optimized-mss to 1320.

Thanks to all of you guys, anyways.

I hope this post is informative to everyone.

Eugene

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents