help about WAAS SSL optimized policy

Jun 8th, 2010

Hi everyone,

I enabled the SSL optimization function and it works fine,

but I have a question.

In my environment, most SSL TCP sessions are under 10 KB in size,

so when a small TCP session is optimized by WAAS,

its optimized bytes are bigger than its original bytes.

So, does WAAS have a function such that, if the TCP session's original size is under 10 KB,

it only optimizes with TFO or passes it through,

and on the contrary, if the TCP session's original size is bigger than 10 KB,

it is fully optimized?

Does WAAS have this function?


Zach Seils (Cisco Employee) Tue, 06/08/2010 - 06:53

WAAS does not have the function you describe.

Can you provide the sh stat conn detail statistics from one of these connections?



Zach Seils (Cisco Employee) Wed, 06/09/2010 - 06:04

Notice the highlighted line in the output you provided:

Core-WAE#sh stat con detail server-port 443

Connection Id:            852083
    Peer Id:                  00:14:5e:85:26:c3
    Connection Type:          EXTERNAL SERVER
    Start Time:               Tue Jun  8 09:29:29 2010
    Source IP Address:
    Source Port Number:       2930
    Destination IP Address:
    Destination Port Number:  443
    Application Name:         SSL
    Classifier Name:          HTTPS
    Map Name:                 basic
    Directed Mode:            FALSE
    Preposition Flow:         FALSE
    Policy Details:
           Configured:        TCP_OPTIMIZE + DRE + LZ
              Derived:        TCP_OPTIMIZE + DRE + LZ
                 Peer:        TCP_OPTIMIZE + DRE + LZ
           Negotiated:        TCP_OPTIMIZE + DRE + LZ
              Applied:        TCP_OPTIMIZE + DRE + LZ
    Accelerator Details:      None

                                    Original            Optimized
                        -------------------- --------------------
    Bytes Read:                       958333              1431050
    Bytes Written:                   1137856              1198434

    Total Reduction Ratio: 00.000%

This means that the SSL AO is not applied to this connection.  Are you sure this server is configured for SSL acceleration?  Can you please provide a copy of your configuration?
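
A small check for the pattern visible in the output above, as an added example that is not part of the original thread: it parses pasted "sh stat con detail" output and flags port-443 connections where no accelerator is listed or where the optimized byte counts exceed the original ones. The function names are hypothetical, and it assumes an "Accelerator Details" value of "None" means no application accelerator handled the connection.

```python
import re

# Fields copied from the output posted above (IP address fields were blank there).
SAMPLE = """\
Connection Id:            852083
    Destination Port Number:  443
    Application Name:         SSL
    Classifier Name:          HTTPS
    Policy Details:
           Applied:        TCP_OPTIMIZE + DRE + LZ
    Accelerator Details:      None

                                    Original            Optimized
                        -------------------- --------------------
    Bytes Read:                       958333              1431050
    Bytes Written:                   1137856              1198434
"""

FIELD = re.compile(r"\s*([A-Za-z][A-Za-z .]*?):\s*(.*)$")

def parse_conn_detail(text):
    """Return one dict per 'Connection Id' block in the pasted CLI output."""
    conns, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # prompt line, column headers, dashes, blanks
        key, val = m.group(1), m.group(2).strip()
        if key == "Connection Id":
            cur = {}
            conns.append(cur)
        if cur is None:
            continue
        if key in ("Bytes Read", "Bytes Written") and len(val.split()) == 2:
            cur[key] = tuple(int(n) for n in val.split())  # (original, optimized)
        else:
            cur[key] = val
    return conns

def findings(conn, port="443"):
    """List reasons a connection to `port` looks unaccelerated or expanded."""
    if conn.get("Destination Port Number") != port:
        return []
    out = []
    # Assumption: "None" here means no application accelerator was applied.
    if conn.get("Accelerator Details", "None") == "None":
        out.append("Accelerator Details is None")
    for key in ("Bytes Read", "Bytes Written"):
        orig, opt = conn.get(key, (0, 0))
        if opt > orig:
            out.append(f"{key}: optimized {opt} > original {orig}")
    return out
```

Running findings() over each dict returned by parse_conn_detail() on a full capture gives a quick list of HTTPS connections that went through TFO/DRE/LZ only and grew in size.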



Zach Seils (Cisco Employee) Wed, 06/09/2010 - 07:13

Can you please provide a copy of your configuration (WAAS devices on both sides of the link)?



kanechang Wed, 06/09/2010 - 08:38

I enabled SSL in my lab environment and that's OK,

and I can see the SSL icon in the device monitor connection statistics.


But at the user site, I cannot see the SSL icon.

I think that's why Zach said no SSL policy is applied to the SSL connection.


All device configurations are configured from AllDeviceGroup.


my https web site ip address is

my configuration sequence is

1. open cms secure-store

2. create a cipher

3. create an SSL Accelerated service named "mega-www" and add my HTTPS web IP address, port 443, then import the web certificate and private key. The application is SSL and the classifier is HTTPS; I added my web IP address, port 443, to the HTTPS classifier.

   application is full optimization and position is first


But it is strange, because in my lab environment it's OK, but at the user site it does not work.


An attached file has my core-wae and branch-wae show run config.


Is this issue related to the web CA?



Jan Rockstedt Thu, 06/10/2010 - 00:40

Does Disk Encryption need to be enabled on all WAEs to get SSL to work?

I found this error.

WAAS03#show statistics accelerator ssl | inc Failed
   Total Failed Handshakes:                                           39086
   Total Failed Certificate Verifications:                            0
   Failed certificate verifications due to invalid certificates:      0
   Failed Certificate Verifications based on OCSP Check:              0
   Failed Certificate Verifications (non OCSP):                       0
   Total Failed Certificate Verifications due to Other Errors:        0
   Total Failed OCSP Requests:                                        0
   Total Failed OCSP Requests due to Other Errors:                    0
   Total Failed OCSP Requests due to Connection Errors:               0
   Total Failed OCSP Requests due to Connection Timeouts:             0
   Total Failed OCSP Requests due to Insufficient Resources:          0


kanechang Thu, 06/10/2010 - 02:33

It isn't needed, because my SSL optimization works fine in my lab environment without enabling disk encryption.

But why does it not work at the user site?

I'm waiting for Zach's response ^^

Zach Seils (Cisco Employee) Wed, 06/16/2010 - 07:27

Where are the client and server located relative to the configurations you provided?


