Hi Dan

Thanks for the response

- yes i do have wccp service 61 and 62 intercepting in opposite directions as well

- There is no firewall in the path, so no traffic drop

- PT connections says "no peers do display"

-I have applied the default polices to both WAE core and WAE edge

I think the issues no peers. but iam not getting the clue to fix the issue.

I can reach to WAE-core from the WAE-edge without any issues.

Thanks

Ravi

If you are getting PT no peers, that means the other WAE isn't seeing the traffic. Do you see the traffic on both WAEs? Do they both have all the traffic as PT no peers?

Can you post your wae configs as well as your router configs? Also a network diagram would be helpful. I also do traceroutes from clients to servers and back to ensure there is no network path un-accounted for. There is something we are missing here.

Dan

Hi Dan

Please find the following details with the attachment

1) Network diagram

2) WAE-Core Configuration

3) Core switch Configuration

4) WAE-Edge Configuration

5) Branch router configuration

6) Status of TFO connections at WAE-Core and WAE-Edge

both the sides it shows the connections but says no peers.

and traceroute is clean from both the ends.

Regards

Ravi

Ravi,

Thanks for the diagram and configs. Both WAEs see your connection but the autodiscovery options are not making it through so I think the IPS is stripping out the options. I found this internally, see if it helps.

Dan

In general, IPS hardware needs to be outside of the optimization path so that non-compressed payload can be inspected by IPS.

When IPS/IDS are implemented in the optimized path, modifications on IPS/IDS are required for WAAS to work.

Disable below signatures on IPS/IDS or modify action to "produce alert only"

To permit Options:

Sig ID 1306 : TCP Option Other

To permit TCP Sequence jump:

Sig ID 1330(12) : TCP Drop - Segment Out Of Order

Sig ID 1330(18) : TCP Drop - Segment out of window

Sig ID 1330(17) : TCP Drop - Segment out state order

Sig ID 1330(19) : TCP timestamp option detected when not expected

Alternatively, disable 'Sig 1306' on IPS/IDS and enable 'DIRECTED-MODE' on WAE with WAAS 4.1 or later code.

Hi Dan,

Thanks for your support.

I disabled all the signatures in IPS. After disabling i couldn't access any pages.

Then i put the IPS in bypass mode. WAAS optimization is happening after putting IPS in bypass mode.

Now i may have to place the IPS in promiscous mode. Please suggest if there is way out to keep the IPS in inline mode and still get the waas working.

Thanks

Ravi

Ravi,

I'm glad we found the source of your issue. I would maybe either take a look at the code level of the IPS to see if that helps or move your WCCP at the core to the 7206 or try to use directed mode with the single signiture disabling.

From my earlier post, optimization between the WAEs should be outside the IPS for the best results. So moving the core WAE would probably work, however you are moving from a hardware based redirection platform to a software based platform, so I'd keep an eye on your CPU.

On the IPS, I'm not sure that code level will work or not, however it's worth looking at.

Directed mode is a new feature in 4.1.1 where we use autodiscovery and then switch to UDP encapsulation for optimized traffic.

Hope that helps,

Dan