WAAS TCP sequence number

Unanswered Question
Mar 16th, 2009

Hello,


I have a question: is there any document that clarifies the TCP changes made while traffic passes via the WAAS?


As far as I know, the first WAE will increase the seq number by 2 billion, but I need to know if the second WAE will decrease it before sending to the destination.


Also, if I have a firewall (not in the path), should it be affected by the TCP changes so that it may drop the traffic?


Thanks & BR

Moamen

dstolt Mon, 03/16/2009 - 10:55

The first thing that happens is that the WAEs add a TCP option (0x21) to the TCP SYN/SYN-ACK during the session setup for WAE autodiscovery. These options are sent to both the client and the server to attempt to discover WAEs further up the line.


Once the WAEs discover each other, there is a seq number jump (as you referred to) of 2 billion. This is only between the WAEs after they have negotiated optimization. Between the WAEs and the hosts (client and server), the seq number stays normal; this is to prevent optimized traffic from getting to a host if there is a WAE outage. The host receives a huge jump in seq number and resets the connection, preventing data issues with compressed payloads, etc.


Firewalls usually don't like unknown TCP options and seq number jumps, so firewalls can cause issues if they are between the WAEs attempting to optimize. Cisco firewalls have options in the software to detect and allow WAAS optimizations, so if you are using Cisco firewalls with newer code versions, you can integrate them with WAAS in your environment.


Hope that helps,

Dan
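
As an added example (not from this thread or from Cisco), a small Python parser that walks the options of a TCP header, flags the kind-33 (0x21) option Dan describes, and measures the forward sequence-number distance so that a jump of about 2 billion stands out when checking a capture. The sample SYN, the option payload bytes and the threshold constant are constructed for illustration.

```python
import struct

WAAS_OPTION_KIND = 0x21             # TCP option kind 33, WAE auto-discovery
SEQ_JUMP_THRESHOLD = 2_000_000_000  # the ~2 billion jump described in the thread (assumed threshold)

def parse_tcp_options(tcp_header):
    """Return [(kind, payload)] from the options area of one TCP header."""
    data_offset = (tcp_header[12] >> 4) * 4   # header length in bytes
    opts = tcp_header[20:data_offset]
    result, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                         # End of Option List
            break
        if kind == 1:                         # NOP occupies a single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        result.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return result

def has_waas_option(tcp_header):
    return any(kind == WAAS_OPTION_KIND for kind, _ in parse_tcp_options(tcp_header))

def seq_jump(prev_seq, cur_seq):
    """Forward distance between two sequence numbers, modulo 2**32."""
    return (cur_seq - prev_seq) % (1 << 32)

def looks_like_waas_jump(prev_seq, cur_seq):
    return seq_jump(prev_seq, cur_seq) >= SEQ_JUMP_THRESHOLD

def build_sample_syn():
    """Constructed SYN: MSS 1460, a kind-33 option with a made-up 4-byte
    payload (the real option format is not shown in the thread), two NOPs."""
    options = struct.pack("!BBH", 2, 4, 1460) + bytes([33, 6, 0, 0, 0, 0]) + b"\x01\x01"
    # ports 49152 -> 445, seq 1000, ack 0, data offset 8 (32 bytes), SYN flag,
    # window 65535, checksum and urgent pointer left zero
    header = struct.pack("!HHIIBBHHH", 49152, 445, 1000, 0, 8 << 4, 0x02, 65535, 0, 0)
    return header + options

if __name__ == "__main__":
    syn = build_sample_syn()
    print("options:", [kind for kind, _ in parse_tcp_options(syn)], "waas:", has_waas_option(syn))
    print("jump flagged:", looks_like_waas_jump(1000, 1000 + SEQ_JUMP_THRESHOLD))
```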

ggalteroo Thu, 03/19/2009 - 11:04

Dan / anybody

Is there a way to manually configure what "inspect waas" does on newer releases? I'm running ASA 7.0(8) because stability is a must. Would it be possible to apply a tcp-map allowing TCP options and disabling sequence number randomization? Am I missing something?


example:


!
class-map WAE-TCPopt
 match access-list WAE-TCPopt
!
class-map VoIP
 match access-list VoIP-RTP
!
class-map inspection_default
 match default-inspection-traffic
!
tcp-map WAE
 tcp-options range 6 7 allow
 tcp-options range 9 255 allow
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect tftp
  inspect netbios
  inspect mgcp
 class WAE-TCPopt
  set connection random-sequence-number disable
  set connection advanced-options WAE
 class VoIP
  priority
!
access-list VoIP-RTP line 1 extended permit udp any range 16384 32767 any range 16384 32767
!
access-list WAE-TCPopt extended permit ip 10.0.0.0 255.0.0.0 any
access-list WAE-TCPopt extended permit ip 172.16.0.0 255.240.0.0 any
access-list WAE-TCPopt extended permit ip 192.168.0.0 255.255.0.0 any
access-list WAE-TCPopt extended permit ip any 10.0.0.0 255.0.0.0
access-list WAE-TCPopt extended permit ip any 172.16.0.0 255.240.0.0
access-list WAE-TCPopt extended permit ip any 192.168.0.0 255.255.0.0
!


Thanks!

Guido


talha_490 Tue, 05/05/2009 - 08:58

Have you got any workaround for your problem? I have the same issue. Can you please tell me? It's urgent.

dstolt Tue, 05/05/2009 - 12:10

I think the only way with ASA prior to 7.2.3 would be to use directed mode on WAAS and manually permit the TCP options; see the following.

PIX/ASA with 7.0 or above (v7.0, v7.1, v7.2 prior to 7.2.3, v8.0 prior to 8.0.3)

It requires manually permitting 'TCP Options'; enabling directed mode on the WAE will let WAAS optimize using a UDP tunnel on port 4050.

To permit options manually on  PIX/ASA with 7.0+

------------------------------------
access-list TCPTRAFFIC extended permit tcp any any
!
tcp-map WAASOPTIONS
 tcp-options range 33 33 allow
!
class-map WAAS
 match access-list TCPTRAFFIC
!
policy-map global_policy
 class WAAS
  set connection advanced-options WAASOPTIONS
------------------------------------



Hope that gives you what you need. Directed mode is available in 4.1.x.


Dan

ggalteroo Tue, 05/05/2009 - 12:53

Hello

We couldn't solve it with 7.0(8). We did some sniffing, policies to permit TCP options, and disabled seq number randomization. We didn't want, though, to use legacy mode on WAAS. Finally we upgraded to 7.2(4), which was a TAC recommendation because they couldn't fix it either. As far as I'm concerned, it cannot be done with 7.0(8).


Regards

Guido

dstolt Tue, 05/05/2009 - 14:10

Guido,


That is good info, thanks for your update. I will put that in my notes.


Dan
