Firewall Integration

Unanswered Question
Jun 11th, 2010

Hi all,

We are testing a 574 with inline card together with ASA version 8.

Here is the flow: "Router <-> WAE <-> ASA <-> Switch". Is this right, or should we have it between the switch and the ASA?

We have enabled inspect WAAS in the ASA; is there anything else that needs to be configured in the ASA or WAE?

The issue we have is that if we are using Windows file copy, in one direction it is cached and in the other not.

No interface errors in the WAE.

Jan

Marcin Latosiewicz Sat, 06/12/2010 - 00:38

Jan,

I understand that WAE is inline before the next hop router.

Can you check if you're seeing this on ASA for connections both ways:

%ASA-6-428001: WAAS confirmed from in_interface:src_ip_addr/src_port to out_interface:dest_ip_addr/dest_port, inspection services bypassed on this connection.

Also in ASA's connection table see if the W flag is present next to connection.
Short of that, "no", you don't need more from the ASA.
Marcin
Jan Rockstedt Mon, 06/14/2010 - 04:54

Hi,

The WAAS is after the WAN router and before "outside" the ASA .

I can see in the syslog %ASA-6-428001: WAAS confirmed from in_interface:src_ip_addr/src_port to out_interface:dest_ip_addr/dest_port, inspection services bypassed, but I don't see any UOW flags when I am running sh conn det.

Could this be because the WAE is not on the "inside" of the ASA?

Jan

Marcin Latosiewicz Mon, 06/14/2010 - 05:56

Jan,

Very possible, I don't have a lab setup to test this.

Anything else in logs on the ASA during transfer? How about disabling randomization of ISN?

BTW, since you're talking about caching: are we talking about ACNS or WAAS? On ACNS there are HTTP stats about misses etc.

Marcin

Marcin Latosiewicz Mon, 06/14/2010 - 06:17

Jan,

It's really a long shot but:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1080757

Basically: define a flow via access-list or particular port.

Apply the access-list or port in class-map

Apply the class-map in global policy

set connection random dis 

That's it ... but IMHO it might not be related.

How exactly are you checking that there is no caching?

Marcin
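The steps Marcin lists above (access-list, class-map, global policy, random-sequence-number disable), written out as an added ASA 8.0 configuration example. This is editor-supplied illustration, not Marcin's config and not from the Cisco document he links; the object names (WAAS-FLOWS, WAAS-CLASS), the 10.1.0.0/16 and 10.2.0.0/16 subnets and the use of TCP/445 (CIFS) as the matched port are assumptions. It also folds in the inspect waas line Jan says is already enabled, and the show commands Marcin suggested for checking the 428001 syslog and the W flag. The point of the class-map is to keep the ISN-randomization exception narrow: the setting is a TCP hardening feature, so it is disabled only for the flows the WAE actually optimizes, never globally.

```cisco
! Added example (not from the thread): scope "random-sequence-number disable"
! to WAAS-optimized CIFS flows only. Names, subnets and port are assumptions.
!
! 1. Define the flow: CIFS (TCP/445) between the two assumed site subnets, both ways.
access-list WAAS-FLOWS extended permit tcp 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0 eq 445
access-list WAAS-FLOWS extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq 445
!
! 2. Apply the access-list in a class-map.
class-map WAAS-CLASS
 match access-list WAAS-FLOWS
!
! 3. Apply the class-map in the global policy.
!    "inspect waas" under inspection_default is what lets the ASA recognise the
!    WAE's TCP option and log %ASA-6-428001; the ISN exception goes only on WAAS-CLASS.
policy-map global_policy
 class inspection_default
  inspect waas
 class WAAS-CLASS
  set connection random-sequence-number disable
!
service-policy global_policy global
!
! Verification after a file copy in each direction (run from enable mode):
!   show service-policy                 - confirms the class and inspect waas are active
!   show logging | include 428001       - WAAS confirmed, inspection bypassed, for both directions
!   show conn detail                    - look for the W flag on the CIFS connections
```

If the 428001 message appears for only one direction, or the W flag is missing on the connections in one direction, the asymmetry is on the ASA side of the path; if both directions show W and the upload is still slow, Mike's later suggestion to check the T,C,D,L flags on both WAEs is the next place to look.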

Jan Rockstedt Mon, 06/14/2010 - 06:26

Hi,

I will wait with disabling the ISN and move the WAE to the inside of the firewall.

The LAN admin is testing with Windows file copy; the second time he copies a file it should be cached in the WAE.

Download on the remote CIFS is OK, but the upload on the same remote CIFS is not cached the second time.

Jan

Marcin Latosiewicz Mon, 06/14/2010 - 06:30

Jan,

Do you have connection stats for this particular connection?

Why not do WCCP instead of inline, or is the router a non-Cisco device?

Marcin

Jan Rockstedt Mon, 06/14/2010 - 06:46

The router is a Cisco device, but it is not ours, and enabling WCCP is not that easy for the provider.

That is why we use inline.

I have done any sh stats on the particular connection.

I will move the WAE, and if it doesn't work I will be back.

Thank you,

Jan

Michael Korenbaum Mon, 06/14/2010 - 06:44

Jan,

The CIFS cache is only effective on the download at the client location. If the same client uploaded a previously downloaded file you will not see "LAN-like" performance on this upload, since there is no CIFS cache on the server-side WAE for this scenario. However, you will be taking full advantage of the DRE cache on both client- and server-side WAEs. Thus, I would expect the performance of the upload to be better than without WAAS, but not as good as a download being served from the client WAE CIFS cache.

So, as long as the connection is showing as T,C,D,L on both WAEs (show stat conn | inc ), your FW is not stripping options or preventing this connection from being accelerated.

Cheers,

Mike Korenbaum

Cisco WAAS PDI Help Desk

http://www.cisco.com/go/pdihelpdesk

Jan Rockstedt Tue, 06/15/2010 - 01:42

Mike,

We are seeing the "right" performance of the CIFS upload and download ("LAN-like") on other sites that we have up and running with WAAS.

But on this site with an ASA we see a performance issue in one traffic direction for CIFS.

So are you sure about the "CIFS cache is only effective on the download at the client location"?

Jan

Michael Korenbaum Tue, 06/15/2010 - 05:30

Jan,

My response was based on your description of the problem:

("Download on remote CIFS is ok, but the upload on the same remote CIFS is not cache the second time.")

The question remains: are the upload transfers better with or without WAAS?

Also, is this consistent behavior (e.g. every CIFS transfer at this branch in the upload direction has poor performance)?

Another thing to consider: when there is better performance in one direction, could a speed or duplex problem in the path exist?

Another test would be to do a non-CIFS transfer (e.g. HTTP) in both directions, download and upload, to see if the performance is dramatically different in one direction. If so, this would point to a speed/duplex issue somewhere in the path.

Note, the assumption with all of these transfers is that they are showing up optimized via the correct policy on the show stat conn output (e.g. T,C,D,L for CIFS connections no matter what direction, T,H,D,L for HTTP, etc.).

Hope this helps,

Mike Korenbaum

Cisco WAAS PDI Help Desk

http://www.cisco.com/go/pdihelpdesk

Jan Rockstedt Tue, 06/15/2010 - 05:49

Thank you Mike I will check.

We have the same speed with and without WAAS for the upload.

The speed is normal.

It is consistent behavior.

I will check all devices for a speed and duplex mismatch.

Jan
