03-12-2009 03:40 AM
Hi Friends,
I have configured the WAAS boxes in my network. I am using the WCCP method to redirect the traffic to the WAEs. Traffic is getting redirected to the WAE, but the traffic optimization is not happening; it just passes through the WAAS boxes. I have enabled the default policies on the WAAS boxes and tried to test with HTTP downloads. Optimization is not happening for any of the traffic.
All the WAAS boxes have the same version of software.
Can someone help with this?
03-12-2009 05:53 AM
Start with a few low level checks:
- Double check your interception (do you have wccp service 61 and 62 intercepting in opposite directions?).
- Do you have firewalls that are dropping traffic between the WAEs?
- Does the PT Connections give you an idea (no peer, asynch client/server, etc.)?
- Have you applied the default policies to the AllDeviceGroup and pushed it down?
Just some things to look at for starters. Big clues will be in the PT connections, and then go from there. It sounds like asynch connections or similar.
Dan
03-12-2009 06:41 AM
Hi Dan
Thanks for the response
- Yes, I do have WCCP service 61 and 62 intercepting in opposite directions as well
- There is no firewall in the path, so no traffic drop
- PT connections says "no peers do display"
- I have applied the default policies to both WAE core and WAE edge
I think the issue is no peers, but I am not getting the clue to fix the issue.
I can reach to WAE-core from the WAE-edge without any issues.
Thanks
Ravi
03-12-2009 09:37 PM
If you are getting PT no peers, that means the other WAE isn't seeing the traffic. Do you see the traffic on both WAEs? Do they both have all the traffic as PT no peers?
Can you post your WAE configs as well as your router configs? Also a network diagram would be helpful. I also do traceroutes from clients to servers and back to ensure there is no network path unaccounted for. There is something we are missing here.
Dan
03-13-2009 02:08 AM
Hi Dan
Please find the following details with the attachment
1) Network diagram
2) WAE-Core Configuration
3) Core switch Configuration
4) WAE-Edge Configuration
5) Branch router configuration
6) Status of TFO connections at WAE-Core and WAE-Edge
On both sides it shows the connections but says no peers.
And traceroute is clean from both ends.
Regards
Ravi
03-13-2009 12:23 PM
Ravi,
Thanks for the diagram and configs. Both WAEs see your connection but the autodiscovery options are not making it through so I think the IPS is stripping out the options. I found this internally, see if it helps.
Dan
In general, IPS hardware needs to be outside of the optimization path so that non-compressed payload can be inspected by IPS.
When IPS/IDS are implemented in the optimized path, modifications on IPS/IDS are required for WAAS to work.
Disable the signatures below on the IPS/IDS, or modify their action to "produce alert only":
To permit Options:
Sig ID 1306 : TCP Option Other
To permit TCP Sequence jump:
Sig ID 1330(12) : TCP Drop - Segment Out Of Order
Sig ID 1330(18) : TCP Drop - Segment out of window
Sig ID 1330(17) : TCP Drop - Segment out state order
Sig ID 1330(19) : TCP timestamp option detected when not expected
Alternatively, disable 'Sig 1306' on IPS/IDS and enable 'DIRECTED-MODE' on WAE with WAAS 4.1 or later code.
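As an added example (not part of the thread or of any Cisco tooling), the sketch below checks the theory above by comparing the TCP options in the same SYN captured on each side of the IPS. The option kind 0x21 for WAAS auto-discovery is an assumption not stated in the thread, and the helper names and both sample headers are constructed for illustration.

```python
import struct

# Assumption (not stated in the thread): WAAS auto-discovery marks the SYN
# with TCP option kind 0x21 (33).
WAAS_AD_OPTION = 0x21

def build_syn(options: bytes) -> bytes:
    """Constructed sample: a bare TCP SYN header carrying the given options."""
    assert len(options) % 4 == 0
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0,
                       offset << 4, 0x02, 65535, 0, 0) + options

def tcp_option_kinds(tcp_header: bytes) -> list:
    """Return the option kinds in a raw TCP header, skipping NOP padding."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts, kinds, i = tcp_header[20:data_offset], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option")
        kinds.append(kind)
        i += opts[i + 1]
    return kinds

def stripped_options(before: bytes, after: bytes) -> list:
    """Option kinds present before the inline device but missing after it."""
    after_kinds = set(tcp_option_kinds(after))
    return [k for k in tcp_option_kinds(before) if k not in after_kinds]

# Constructed headers: the same SYN on the WAE side and on the far side of the
# IPS, where the auto-discovery option has been overwritten with NOPs.
MSS = bytes([2, 4, 0x05, 0xB4])
SYN_BEFORE_IPS = build_syn(MSS + bytes([WAAS_AD_OPTION, 12]) + bytes(10))
SYN_AFTER_IPS = build_syn(MSS + bytes([1] * 12))

if __name__ == "__main__":
    lost = stripped_options(SYN_BEFORE_IPS, SYN_AFTER_IPS)
    print("options removed in path:", [hex(k) for k in lost])
```

If the auto-discovery option appears in the first capture and not the second, the inline device is rewriting the SYN, which matches the "no peers" symptom on both WAEs.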
03-14-2009 04:09 AM
Hi Dan,
Thanks for your support.
I disabled all the signatures in the IPS. After disabling, I couldn't access any pages.
Then I put the IPS in bypass mode. WAAS optimization is happening after putting the IPS in bypass mode.
Now I may have to place the IPS in promiscuous mode. Please suggest if there is a way to keep the IPS in inline mode and still get WAAS working.
Thanks
Ravi
03-14-2009 06:31 PM
Ravi,
I'm glad we found the source of your issue. I would maybe either take a look at the code level of the IPS to see if that helps, or move your WCCP at the core to the 7206, or try to use directed mode with the single signature disabling.
From my earlier post, optimization between the WAEs should be outside the IPS for the best results. So moving the core WAE would probably work, however you are moving from a hardware based redirection platform to a software based platform, so I'd keep an eye on your CPU.
On the IPS, I'm not sure whether that code level will work or not; however, it's worth looking at.
Directed mode is a new feature in 4.1.1 where we use autodiscovery and then switch to UDP encapsulation for optimized traffic.
Hope that helps,
Dan