WAAS Rjct Resources and conditions for asymmetric traffic

Unanswered Question
Oct 15th, 2009

Hello,

I have a customer network of 30 WAEs connected to an MPLS cloud. Interception method is inline for all WAEs, and WCCP for NM-WAE.

Of those WAEs (running 4.1.1c), I have 3 that are connected in Datacenters; as such they are expected to receive most of the traffic and have been dimensioned as OE7341 appliances.

It is my impression that this network's statistics are not as good as they should be: some of the optimization factors are at 1.2 or 1.3X and most are simply 1.0X.

My impression is that there is a lot of pass-through traffic, and although some of it is configured as such in the application policies, when I check statistics pass-through on several WAEs on the network I see that the Rjct Resources counter is very high on a particular WAE in a Datacenter - that has a 7341 Box (12Gb RAM!) - and I also do get non-zero counters on other boxes.

Is there any way to see at a given moment how many connections are going through the box, so that I understand if I'm really facing a box capacity issue? The initial shows I did didn't look as if there were that many connections running through the box, but when I checked them live I saw about 65 Rjct Resource connections at a given time.

Can anybody shed some light on this particular statistic?

sghmansin--17w# sh statistics pass-through
Outbound
----------------------
PT Client:
  Bytes                  4081578138946
  Packets                11567591648
PT Server:
  Bytes                  8833662508567
  Packets                13797553929

                         Active                  Completed
                         ----------------------  ----------------------
Overall                  0                       0
No Peer                  7                       141742513
Rjct Capabilities        0                       0
Rjct Resources           65                      273669865
App Config               6                       25610854
Global Config            0                       0
Asymmetric               1                       1597096
In Progress              97                      453847516
Intermediate             0                       0
Overload                 0                       0
Internal Error           0                       478
App Override             0                       0
Server Black List        0                       150553
AD Version Mismatch      0                       0
sghmansin--17w#

One other observation is that pass-through due to asymmetric is also very frequent. Given that the customer is mostly using inline interception, even if a connection comes through a WAN/LAN interface pair and exits through another, the optimization should still be done.

The datacenter designs are dual-homed active/passive, and traffic goes through the same (and only) WAE box. The customer assures me that there is no asymmetrical traffic.

Can anybody explain to me how the decision is made to mark a given flow as asymmetrical (and then pass it through)?

Thanks

Gustavo Novais

dstolt Thu, 10/15/2009 - 08:41

Gustavo,

A connection is marked as asymmetrical when the device only sees half of the TCP handshake for the connection (SYN or SYN/ACK). If it doesn't get the entire handshake (SYN, SYN/ACK, ACK), then it marks the connection as asymmetrical and puts it in the PT list. Your asymmetric count is much lower than your rejected resource count, which is what I would be more concerned with. This would point me to believe the box is either over its supported 12,000 connections or there is some other problem like DDTS CSCsu04285 - Passthrough reason shown as PT Rjct Resources when no license configured.

Try doing a show license and make sure that you have the appropriate license configured. DDTS CSCsu04285 is fixed in 4.1.3, and you may want to take a look at upgrading to either 4.1.3b or 4.1.5a to take advantage of the other fixes that have been posted in those trains.

Hope that helps,

Dan
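
The comparison Dan makes between the Asymmetric and Rjct Resources counters, worked through as an added example that is not part of the original thread and is not Cisco code. The sample text is the counter table from the question retyped with whitespace-separated columns; the function names and the decision to skip the "Overall" row are assumptions of this sketch.

```python
import re

# Constructed sample: the counters quoted in the question, one row per line.
SAMPLE = """\
                     Active      Completed
Overall                   0              0
No Peer                   7      141742513
Rjct Capabilities         0              0
Rjct Resources           65      273669865
App Config                6       25610854
Global Config             0              0
Asymmetric                1        1597096
In Progress              97      453847516
Intermediate              0              0
Overload                  0              0
Internal Error            0            478
App Override              0              0
Server Black List         0         150553
AD Version Mismatch       0              0
"""

# A row is a name (may contain spaces) followed by exactly two integers.
ROW = re.compile(r"^\s*(.+?)\s+(\d+)\s+(\d+)\s*$")

def parse_pass_through(text):
    """Return {reason: (active, completed)} for rows after the Active/Completed header."""
    reasons, in_table = {}, False
    for line in text.splitlines():
        if re.match(r"^\s*Active\s+Completed\s*$", line):
            in_table = True
            continue
        m = ROW.match(line) if in_table else None
        if m and m.group(1) != "Overall":  # assumption: treated as a summary row
            reasons[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return reasons

def rank_completed(reasons):
    """Reasons sorted by completed count, each with its share of the total."""
    total = sum(c for _, c in reasons.values())
    ranked = sorted(reasons.items(), key=lambda kv: kv[1][1], reverse=True)
    return [(name, c, c / total if total else 0.0) for name, (_, c) in ranked]

if __name__ == "__main__":
    stats = parse_pass_through(SAMPLE)
    for name, completed, share in rank_completed(stats):
        if completed:
            print(f"{name:<20} {completed:>12} {share:6.1%}")
    rr, asym = stats["Rjct Resources"][1], stats["Asymmetric"][1]
    print(f"Rjct Resources / Asymmetric = {rr / asym:.0f}x")
```

On the posted counters, Rjct Resources accounts for roughly 30% of completed pass-through connections and outnumbers Asymmetric by about 171 to 1.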

Gustavo Novais Thu, 10/15/2009 - 10:16

Hi Dan, Thank you for your reply.

That show was just from one of the boxes, in this case on the Datacenter.

For instance I also see asymmetricals in NM-WAEs configured for WCCP. But the number is not that substantial, which makes me believe the interception is well configured (unfortunately the routers are managed by a third party, and I am yet to have access to their config).

All boxes on this network have Enterprise License activated.

How can I check at a given moment the count of all connections on the box? Is there any pollable MIB OID to check that?

Do passthrough connections count to the overall limit?

While doing the diagnostics on the WAAS devices there was indeed a WAAS device marked as having asymmetrical traffic, but many others have PT Asym connections and have not been marked as such by the diagnostics?

How does the diagnostic work? Is it an instantaneous diagnostic (i.e. checks the connection table at time T to see if any of the current connections is PT Asym)?

If on the far end of a connection we do have an asymmetrical network topology, does the near end also mark the same connection as PT Asym, or will it simply say No Peer?

Thanks

Gustavo Novais Fri, 10/16/2009 - 06:10

Just to add a small detail.

How come I managed to find a connection marked as asymmetric, if I see both legs of the connection? This is inline interception, using all four interfaces of the inline card.

205.235.107.131:1179 10.254.114.65:1352 N/A PT Asymmetric

10.254.114.65:1352 205.235.107.131:1179 N/A PT Asymmetric

Is it a bug? I read clearly on Cisco's site that it didn't matter on which interface the connections came in or out, they would still be optimized.

Thanks

Gustavo
