WAAS and Juniper Netscreen Interoperability

Unanswered Question
Mar 12th, 2010

I've been doing a dig on historical posts relating to WAAS deployed through firewalls.


I am working on a deployment with Juniper Netscreens & ASA5520 sitting between WAEs. IP connectivity is fine. I can SSH to the remote device etc., but users cannot log in (XP). The login scripts call upon CIFS etc. and I suspect this is being broken through the FWs.


When I disable WAAS for this flow, it all works fine, i.e. users can log in and access the full set of corporate resources. I suspect the firewalls but would appreciate any leads.


thanks

Ajaz

rvavale Fri, 03/12/2010 - 16:42


Hi Ajaz,


WAAS adds TCP Option 0x21 and increments the TCP packet sequence number during the TCP handshake. The FW needs to be configured to allow these changes.


On the latest PIX/ASA a new command "ip inspect waas" has been added to allow the above changes by the WAE. You might want to check the Netscreen config guide for the command to disable TCP sequence number checking.


If SSH to servers is working fine then it might not be the FW dropping packets. However, to confirm it might be best to use tcpdump/tethereal on both WAEs and sniff the traffic to see whether it's being dropped along the path by the FW.


Few questions:
- What's the version running on the WAEs?
- Is it only CIFS traffic which is affected? Try disabling the CIFS AO if it's enabled and then test.



Hope this helps,


Best Regards,
Rahul Vavale
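The reply suggests capturing on both WAEs to see whether the firewall path is altering the handshake. The following added example (not from the thread or from Cisco) parses a raw TCP header captured on each side and reports whether TCP option 0x21 survived the path and by how much the sequence number was shifted. The header bytes, ports and option payload are constructed filler, not real WAAS content.

```python
import struct

WAAS_OPTION_KIND = 0x21  # TCP option kind used by WAAS auto-discovery (decimal 33)

def build_tcp_header(seq, flags, options=b""):
    """Assemble a raw TCP header; ports, window and checksum are constructed filler."""
    pad = (-len(options)) % 4            # options area must be a multiple of 4 bytes
    options += b"\x01" * pad             # pad with NOP options
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIHHHH", 40000, 445, seq, 0,
                       (data_offset << 12) | flags, 65535, 0, 0) + options

def parse_tcp_header(tcp):
    """Return (seq, flags, {option_kind: option_data}) from a raw TCP header."""
    seq = struct.unpack("!I", tcp[4:8])[0]
    off_flags = struct.unpack("!H", tcp[12:14])[0]
    data_offset = (off_flags >> 12) * 4
    opts, i = {}, 20
    while i < data_offset:
        kind = tcp[i]
        if kind == 0:                     # End of Option List
            break
        if kind == 1:                     # NOP
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("malformed TCP option")
        opts[kind] = tcp[i + 2:i + length]
        i += length
    return seq, off_flags & 0x1FF, opts

def compare_handshake_segment(near_side, far_side):
    """Compare one handshake segment as captured on the near WAE and on the far WAE.
    Reports whether option 0x21 was stripped and how far the sequence number moved."""
    seq_a, flags_a, opts_a = parse_tcp_header(near_side)
    seq_b, flags_b, opts_b = parse_tcp_header(far_side)
    return {
        "flags_match": flags_a == flags_b,
        "waas_option_sent": WAAS_OPTION_KIND in opts_a,
        "waas_option_stripped": WAAS_OPTION_KIND in opts_a and WAAS_OPTION_KIND not in opts_b,
        "seq_delta": (seq_b - seq_a) % (1 << 32),
    }

# Constructed sample: a SYN carrying MSS (kind 2) and a WAAS option 0x21 with placeholder payload
SYN = 0x02
MSS_OPT = b"\x02\x04\x05\xb4"
WAAS_OPT = bytes([WAAS_OPTION_KIND, 6]) + b"\x00\x00\x00\x00"   # payload is constructed filler
near = build_tcp_header(1000, SYN, MSS_OPT + WAAS_OPT)
far_stripped = build_tcp_header(1000, SYN, MSS_OPT)   # as forwarded by a FW that clears unknown options

if __name__ == "__main__":
    print(compare_handshake_segment(near, far_stripped))
```

Feed it the TCP header bytes of the same SYN or SYN-ACK from both captures; a True "waas_option_stripped" or a non-zero "seq_delta" points at a device on the path rewriting the handshake.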
