Firewall Integration

Jan Rockstedt
Level 1

Hi all,

We are testing a 574 with an inline card together with ASA version 8.

Here is the flow: "Router <-> WAE <-> ASA <-> Switch". Is this right, or should we have it between the switch and the ASA?

We have enabled inspect WAAS in the ASA. Is there anything else that needs to be configured in the ASA or WAE?

The issue we have is that when we use Windows file copy, it is cached in one direction and not in the other.

No interface errors in the WAE.

Jan

13 Replies

Marcin Latosiewicz
Cisco Employee

Jan,

I understand that WAE is inline before the next hop router.

Can you check if you're seeing this on ASA for connections both ways:

%ASA-6-428001: WAAS confirmed from in_interface:src_ip_addr/src_port to out_interface:dest_ip_addr/dest_port, inspection services bypassed on this connection.

Also, in the ASA's connection table, see if the W flag is present next to the connection.
Short of that, "no", you don't need more from the ASA.
Marcin
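
The "both ways" check asked for above can be run over an exported ASA syslog. This is an added example, not part of the original thread: it tallies %ASA-6-428001 messages per ingress/egress interface pair and lists pairs with no confirmations in the opposite direction. The sample lines, addresses, host name and interface names are constructed.

```python
import re
from collections import Counter

# Matches the body of ASA syslog 428001 in the format quoted in the thread.
WAAS_RE = re.compile(
    r"%ASA-6-428001: WAAS confirmed from "
    r"(?P<in_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<out_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def waas_directions(lines):
    """Count WAAS-confirmed connections per (ingress, egress) interface pair."""
    counts = Counter()
    for line in lines:
        m = WAAS_RE.search(line)
        if m:
            counts[(m["in_if"], m["out_if"])] += 1
    return counts


def missing_reverse(counts):
    """Interface pairs with confirmations but none in the opposite direction."""
    return sorted(p for p in counts if (p[1], p[0]) not in counts)


# Constructed sample log: two confirmations outside->inside, none inside->outside,
# plus one unrelated message that must be ignored.
SAMPLE = [
    "Mar 01 10:00:01 asa1 %ASA-6-428001: WAAS confirmed from "
    "outside:192.0.2.10/49152 to inside:10.1.1.20/445, "
    "inspection services bypassed on this connection.",
    "Mar 01 10:00:07 asa1 %ASA-6-428001: WAAS confirmed from "
    "outside:192.0.2.11/49200 to inside:10.1.1.20/445, "
    "inspection services bypassed on this connection.",
    "Mar 01 10:00:09 asa1 %ASA-6-302013: Built inbound TCP connection 1001 "
    "for outside:192.0.2.10/49152 (192.0.2.10/49152) "
    "to inside:10.1.1.20/445 (10.1.1.20/445)",
]

if __name__ == "__main__":
    counts = waas_directions(SAMPLE)
    for (in_if, out_if), n in sorted(counts.items()):
        print(f"{in_if} -> {out_if}: {n} WAAS-confirmed connection(s)")
    for in_if, out_if in missing_reverse(counts):
        print(f"no WAAS confirmation seen for {out_if} -> {in_if}")
```
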

Hi,

The WAAS is after the WAN router and before "outside" the ASA.

I can see in the syslog %ASA-6-428001: WAAS confirmed from in_interface:src_ip_addr/src_port to out_interface:dest_ip_addr/dest_port, inspection services bypassed, but I don't see any UOW flags when I am running sh conn det

Could this be because the WAE is not on the "inside" of the ASA?

Jan

Jan,

Very possible, I don't have a lab setup to test this.

Anything else in logs on the ASA during transfer? How about disabling randomization of ISN?

BTW since you're talking about caching - are we talking about ACNS or WAAS? On ACNS there's HTTP stats about misses etc.

Marcin

Jan Rockstedt
Level 1

Hi,

We are talking about WAAS.

How do I disable the random ISN?

Jan

Jan,

It's really a long shot but:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1080757

basically - define a flow via access-list or particular port.

Apply the access-list or port in class-map

Apply the class-map in global policy

set connection random dis 

That's it ... but IMHO it might not be related.

How exactly are you checking that there is no caching?

Marcin

Hi,

I will wait with disabling the ISN and move the WAE to the inside of the firewall.

The LAN admin is testing with Windows file copy; the second time he copies a file it should be cached in the WAE.

Download on remote CIFS is ok, but the upload on the same remote CIFS is not cached the second time.

Jan

Jan,

Do you have connection stats for this particular connection?

Why not do WCCP instead of inline, or is the router a non-Cisco device?

Marcin

The router is a Cisco device, but it is not ours, and enabling WCCP is not that easy for the provider.

That is why we use inline.

I have done any sh stats on the particular connection.

I will move the WAE, and if it doesn't work I will be back.

Thank you

Jan

Jan,

The CIFS cache is only effective on the download at the client location. If the same client uploaded a previously downloaded file you will not see "lan" like performance on this upload since there is no CIFS cache on the server side WAE for this scenario. However, you will be taking full advantage of the DRE cache on both client and server side WAEs. Thus, I would expect the performance of the upload to be better than without WAAS, but not as good as a download being served from the client WAE CIFS cache.

So, as long as the connection is showing as T,C,D,L on both WAEs (show stat conn | inc ) your FW is not stripping options or preventing this connection from being accelerated.

Cheers,

Mike Korenbaum

Cisco WAAS PDI Help Desk

http://www.cisco.com/go/pdihelpdesk

My bad I actually thought we were talking about DRE.

Prepositioning is always an option.

Mike,

We are seeing the "right" performance of the CIFS upload and download "lan like" on other sites that we have up and running with WAAS.

But on this site with an ASA we see a performance issue on one traffic direction for the CIFS.

So are you sure about the "CIFS cache is only effective on the download at the client location"?

Jan

Jan,

My response was based on your description of the problem

("Download on remote CIFS is ok, but the upload on the same remote CIFS is not cached the second time.")

The question remains are the upload transfers better with or without WAAS?

Also, is this consistent behavior (e.g. every CIFS transfer at this branch in the upload direction has poor performance)?

Another thing to consider is when there is better performance in one direction, a speed or duplex problem in the path could exist?

Another test would be to do a non-CIFS transfer (e.g. HTTP) in both directions, download and upload, to see if the performance is dramatically different in one direction. If so, this would point to a speed/duplex issue somewhere in the path.

Note, the assumption with all of these transfers is that they are showing up optimized via the correct policy on the show stat conn output (e.g. T,C,D,L for CIFS connections no matter what direction, T,H,D,L for HTTP, etc.).

Hope this helps,

Mike Korenbaum

Cisco WAAS PDI Help Desk

http://www.cisco.com/go/pdihelpdesk

Thank you Mike I will check.

We have the same speed with and without WAAS for the upload.

The speed is normal.

It is consistent behavior.

I will check all devices for speed and duplex mismatch.

Jan
