help about WAAS SSL optimized policy

Jun 8th, 2010

Hi everyone,

I enabled the SSL optimized function and it works fine, but I have a question.

In my environment, most SSL TCP sessions are under 10 KB in size, so when a small TCP session is optimized by WAAS, its optimized bytes are bigger than the original bytes.

So, does WAAS have a function so that if the TCP session's original size is under 10 KB, it is only optimized with TFO or passed through, and, on the contrary, if the TCP session's original size is bigger than 10 KB, it is fully optimized?

Does WAAS have this function?

Thanks

Zach Seils Tue, 06/08/2010 - 06:53

WAAS does not have the function you describe.

Can you provide the sh stat conn detail statistics from one of these connections?

Thanks,

Zach

Zach Seils Wed, 06/09/2010 - 06:04

Notice the highlighted line in the output you provided:

Core-WAE#sh stat con detail server-port 443


Connection Id:            852083
    Peer Id:                  00:14:5e:85:26:c3
    Connection Type:          EXTERNAL SERVER
    Start Time:               Tue Jun  8 09:29:29 2010
    Source IP Address:        2.2.2.2
    Source Port Number:       2930
    Destination IP Address:   1.1.1.1
    Destination Port Number:  443
    Application Name:         SSL
    Classifier Name:          HTTPS
    Map Name:                 basic
    Directed Mode:            FALSE
    Preposition Flow:         FALSE
    Policy Details:
           Configured:        TCP_OPTIMIZE + DRE + LZ
              Derived:        TCP_OPTIMIZE + DRE + LZ
                 Peer:        TCP_OPTIMIZE + DRE + LZ
           Negotiated:        TCP_OPTIMIZE + DRE + LZ
              Applied:        TCP_OPTIMIZE + DRE + LZ
    Accelerator Details:      None

                                    Original            Optimized
                        -------------------- --------------------
    Bytes Read:                       958333              1431050
    Bytes Written:                   1137856              1198434

    Total Reduction Ratio: 00.000%

This means that the SSL AO is not applied to this connection.  Are you sure this server is configured for SSL acceleration?  Can you please provide a copy of your configuration?

Thanks,

Zach
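Added example, not part of the reply above or of any Cisco tooling: a small Python check that parses `show statistics connection detail` text and flags port-443 flows where no SSL accelerator is listed and the optimized side carries more bytes than the original side. It assumes the highlighted line was `Accelerator Details: None` and that an accelerated flow names SSL on that line; `parse_connections` and `ssl_findings` are hypothetical helper names.

```python
import re
# Constructed sample: a trimmed copy of the output quoted in the reply above.
SAMPLE = """\
Connection Id:            852083
    Destination Port Number:  443
    Policy Details:
               Applied:        TCP_OPTIMIZE + DRE + LZ
    Accelerator Details:      None

                                    Original            Optimized
                        -------------------- --------------------
    Bytes Read:                       958333              1431050
    Bytes Written:                   1137856              1198434
"""

FIELD = re.compile(r"\s*([A-Za-z][A-Za-z ]*?):\s+(\S.*?)\s*$")
BYTE_ROWS = ("Bytes Read", "Bytes Written")

def parse_connections(text):
    """Return one dict per 'Connection Id' block in the CLI output."""
    conns = []
    for m in filter(None, map(FIELD.match, text.splitlines())):  # skips prompts, headers, rulers
        key, value = m.groups()
        if key == "Connection Id" or not conns:
            conns.append({})
        if key in BYTE_ROWS:
            original, optimized = value.split()
            conns[-1][key] = (int(original), int(optimized))
        else:
            conns[-1][key] = value
    return conns

def ssl_findings(conn):
    """List reasons a port-443 flow is not benefiting from SSL acceleration."""
    if conn.get("Destination Port Number") != "443":
        return []
    findings = []
    # Assumption: an accelerated flow names SSL on the "Accelerator Details" line.
    if "SSL" not in conn.get("Accelerator Details", "None"):
        findings.append("SSL accelerator not applied")
    original = sum(conn[k][0] for k in BYTE_ROWS if k in conn)
    optimized = sum(conn[k][1] for k in BYTE_ROWS if k in conn)
    if optimized > original:
        findings.append(f"optimized bytes exceed original by {optimized - original}")
    return findings

if __name__ == "__main__":
    for c in parse_connections(SAMPLE):
        print(c["Connection Id"], ssl_findings(c))
```

Without the SSL accelerator in the path, DRE and LZ are working on ciphertext, which is why the optimized byte counts in the quoted output are larger than the original ones.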

Zach Seils Wed, 06/09/2010 - 07:13

Can you please provide a copy of your configuration (WAAS devices on both sides of the link)?

Thanks,

Zach

kanechang Wed, 06/09/2010 - 08:38

I enabled SSL in my lab environment and that's OK, and I can see the SSL icon in the device monitor connection statistics.

But at the user site, I cannot see the SSL icon. I think that's why Zach said no SSL policy is applied to the SSL connection.

All device configurations are configured from AllDeviceGroup.

My HTTPS web site IP address is 192.168.3.88:443.

My configuration sequence is:

1. Open the CMS secure-store.

2. Create a cipher.

3. Create an SSL Accelerated service named "mega-www" and add my HTTPS web IP address 192.168.3.88 port 443, then import the web certificate and private key.

4. My application is SSL and the classifier is HTTPS; I added my web IP address 192.168.3.88 port 443 into the HTTPS classifier. The application is full optimization and the position is first.

But it is strange, because in my lab environment it's OK, but at the user site it does not work.

The attached file is my core-wae and branch-wae show run config.

Is this issue related to the web CA?

Thanks

Jan Rockstedt Thu, 06/10/2010 - 00:40

Does Disk Encryption need to be enabled on all WAEs to get SSL to work?

I found this error.

WAAS03#show statistics accelerator ssl | inc Failed
   Total Failed Handshakes:                                           39086
   Total Failed Certificate Verifications:                            0
   Failed certificate verifications due to invalid certificates:      0
   Failed Certificate Verifications based on OCSP Check:              0
   Failed Certificate Verifications (non OCSP):                       0
   Total Failed Certificate Verifications due to Other Errors:        0
   Total Failed OCSP Requests:                                        0
   Total Failed OCSP Requests due to Other Errors:                    0
   Total Failed OCSP Requests due to Connection Errors:               0
   Total Failed OCSP Requests due to Connection Timeouts:             0
   Total Failed OCSP Requests due to Insufficient Resources:          0

Jan

kanechang Thu, 06/10/2010 - 02:33

It isn't needed, because my SSL optimization works fine in my lab environment without enabling disk encryption.

But why does it not work at the user site?

I'm waiting for Zach's response ^^

Zach Seils Wed, 06/16/2010 - 07:27

Where are the client and server located relative to the configurations you provided?

Zach
