WAAS and Juniper Netscreen Interoperability

AJAZ NAWAZ
Level 5

I've been doing a dig on historical posts relating to WAAS deployed through firewalls.


I am working on a deployment with Juniper Netscreens & ASA5520 sitting between WAEs. IP connectivity is fine. I can ssh to remote devices etc. but users cannot log in (XP). The login script calls upon CIFS etc. and I suspect this is being broken through the FWs.


When I disable WAAS for this flow, it all works fine, i.e. users can log in and access the full set of corporate resources. I suspect the firewalls but would appreciate any leads.


thanks

Ajaz

1 Reply

rvavale
Cisco Employee


Hi Ajaz,

WAAS adds TCP Option 0x21 and increments the TCP packet sequence number during the TCP handshake. The FW needs to be configured to allow these changes.

On the latest PIX/ASA a new command "ip inspect waas" has been added to allow the above changes by the WAE. You might want to check the Netscreen config guide for the command to disable TCP sequence number checking.

If SSH to servers is working fine then it might not be the FW dropping packets. However, to confirm, it might be best to use tcpdump/tethereal on both WAEs to sniff the traffic and see whether it's being dropped along the path by the FW.

A few questions:
- What's the version running on the WAEs?
- Is it only CIFS traffic which is affected? Try disabling the CIFS AO if it's enabled and then test.


Hope this helps,

Best Regards,
Rahul Vavale
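
The capture comparison suggested in the reply above, sketched as an added example that is not part of the original thread and not Cisco code: it parses the TCP options of the same SYN as captured on each WAE and reports whether option 0x21 survived the firewall path. The function names, the sample headers and the option's payload bytes are constructed for illustration; real input would be the raw TCP header bytes taken from the tcpdump/tethereal captures.

```python
import struct

WAAS_OPTION_KIND = 0x21  # option kind named in the reply (33 decimal)

def tcp_options(tcp_header):
    """Return (kind, data) pairs parsed from a raw TCP header's options area."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    end = (tcp_header[12] >> 4) * 4          # data offset, in bytes
    if end < 20 or end > len(tcp_header):
        raise ValueError("bad data offset")
    opts, i = [], 20
    while i < end:
        kind = tcp_header[i]
        if kind == 0:                        # End of Option List
            break
        if kind == 1:                        # NOP, single byte
            i += 1
            continue
        if i + 1 >= end or tcp_header[i + 1] < 2 or i + tcp_header[i + 1] > end:
            raise ValueError("malformed option at offset %d" % i)
        length = tcp_header[i + 1]
        opts.append((kind, tcp_header[i + 2:i + length]))
        i += length
    return opts

def has_waas_option(tcp_header):
    return any(kind == WAAS_OPTION_KIND for kind, _ in tcp_options(tcp_header))

def verdict(near_syn, far_syn):
    """Compare the same SYN captured on the near-side and far-side WAE."""
    if not has_waas_option(near_syn):
        return "near WAE did not mark this flow"
    if has_waas_option(far_syn):
        return "option 0x21 survived the path"
    return "option 0x21 removed in the path"

def build_syn(options):
    """Constructed 20-byte SYN header plus options, NOP-padded to 4 bytes."""
    options += b"\x01" * (-len(options) % 4)
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 49152, 445, 1000, 0, offset << 4, 0x02, 8192, 0, 0) + options

MSS = b"\x02\x04\x05\xb4"
WAAS = b"\x21\x06\x00\x00\x00\x00"            # constructed placeholder payload
SENT = build_syn(MSS + WAAS)                  # as seen leaving the near WAE
STRIPPED = build_syn(MSS)                     # option deleted by a middlebox
NOPPED = build_syn(MSS + b"\x01" * 6)         # option overwritten with NOPs

if __name__ == "__main__":
    for name, far in (("intact", SENT), ("stripped", STRIPPED), ("nopped", NOPPED)):
        print(name, "->", verdict(SENT, far))
```

A "removed in the path" result for a SYN that carried the option on the near side points at a device between the WAEs rewriting TCP options, which is the condition the reply asks to confirm before changing firewall settings.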
