Cisco Support Community
New Member

WAAS 4.0.13 over IPSec VPN

Hello All,

We've just deployed a scenario with CM/Core in our Main office and Edge in remote office. We're using DMVPN between offices with lowered MTU/MSS over the tunnels (1400/1360 respectively). The traffic itself between the offices works just fine - we're able to do what we need, however, WAAS doesn't work. Adjusting WAE TCP settings on both ends to match the settings of the Tunnel doesn't help much - we still have a lot of errors in the logs:

The connection of session: [SessionImpl: id=1040563853, clusterId=1040563853, clusterName=ams-nw-wacc01.eu.acncorp.com, inetAddress=ams-nw-wacc01.eu.acncorp.com/10.130.10.251, initiator=false, state=3] has been lost.

And if we redirect traffic via WCCP (using redirect-list), users cannot access the remote network. The connection just seems to hang. errolog-tcpproxy on both ends contains similar messages:

Tue Oct 30 16:16:19 2007: 10.130.12.108:139 - 10.141.12.2:1282 - received hup event from network while waiting to read: Connection reset by peer(err=104)

Tue Oct 30 16:16:21 2007: 10.130.12.101:139 - 10.141.12.2:1272 - received hup event from network while waiting to read: Connection reset by peer(err=104)

Tue Oct 30 16:16:28 2007: 10.141.12.100:4690 - 10.130.12.114:80 - received hup event from network while waiting to read: Connection reset by peer(err=104)

Tue Oct 30 16:16:28 2007: 10.141.12.100:4690 - 10.130.12.114:80 - net_reset:1260: Entering (reset code=5, Opt socket error close while waiting to read)

Tue Oct 30 16:16:35 2007: 10.141.12.2:1227 - 10.130.12.101:139 - received hup event from network while waiting to read: Connection reset by peer(err=104)

Tue Oct 30 16:16:35 2007: 10.141.12.2:1227 - 10.130.12.101:139 - net_reset:1260: Entering (reset code=5, Opt socket error close while waiting to read)

Does anyone have any idea what could be the problem here?

Thx.
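One way to triage a tcpproxy error log like the one quoted above is to count peer resets per flow and per service port. This is an added example, not part of the original post and not Cisco tooling; the sample lines are taken from the post, and the function names and the "lower port is the service" rule are assumptions.

```python
import re
from collections import Counter

# Sample input: lines in the format of the tcpproxy error log quoted in the post.
SAMPLE = """\
Tue Oct 30 16:16:19 2007: 10.130.12.108:139 - 10.141.12.2:1282 - received hup event from network while waiting to read: Connection reset by peer(err=104)
Tue Oct 30 16:16:28 2007: 10.141.12.100:4690 - 10.130.12.114:80 - received hup event from network while waiting to read: Connection reset by peer(err=104)
Tue Oct 30 16:16:28 2007: 10.141.12.100:4690 - 10.130.12.114:80 - net_reset:1260: Entering (reset code=5, Opt socket error close while waiting to read)
Tue Oct 30 16:16:35 2007: 10.141.12.2:1227 - 10.130.12.101:139 - received hup event from network while waiting to read: Connection reset by peer(err=104)
"""

# timestamp: ip:port - ip:port - message
LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}): "
    r"(?P<a>[\d.]+):(?P<ap>\d+) - (?P<b>[\d.]+):(?P<bp>\d+) - (?P<msg>.*)$"
)

def parse(text):
    """Yield one dict per well-formed log line; skip fragments of wrapped lines."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            d = m.groupdict()
            d["ap"], d["bp"] = int(d["ap"]), int(d["bp"])
            yield d

def reset_summary(text):
    """Count 'Connection reset by peer' (err=104) events per flow and per service port.

    Assumption: the lower of the two ports is the service port, so a flow
    logged from either side is grouped under the same (client, server) key.
    """
    flows, services = Counter(), Counter()
    for e in parse(text):
        if "err=104" not in e["msg"]:
            continue  # net_reset lines repeat the same event; count it once
        server, client = sorted(
            [(e["a"], e["ap"]), (e["b"], e["bp"])], key=lambda end: end[1]
        )
        flows[(client, server)] += 1
        services[server[1]] += 1
    return flows, services

if __name__ == "__main__":
    flows, services = reset_summary(SAMPLE)
    for port, count in sorted(services.items()):
        print(f"service port {port}: {count} reset(s)")
```

On the sample, resets show up on both port 139 and port 80, across three separate flows, rather than on a single application.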

5 REPLIES
New Member

Re: WAAS 4.0.13 over IPSec VPN

Are you running IOS FW on the DMVPN routers?

I've seen this type of issue with Pix FW's and the only thing that would "fix" it was to set the MTU on the WAE interface to 1200.

HTH

New Member

Re: WAAS 4.0.13 over IPSec VPN

Hi, what IOS are you running?

We have had the same problems for some weeks as well, but after we applied the following IOS it now works perfectly:

c2800nm-advipservicesk9-mz.124-11.T3.bin

Rgds

Mathias

New Member

Re: WAAS 4.0.13 over IPSec VPN

Hi,

I forgot to mention that we have WAE's connected to the core switches instead of DMVPN routers (this solution had been suggested by Cisco Pre-Sales so we went ahead with it).

Thx, Serge

New Member

Re: WAAS 4.0.13 over IPSec VPN

Hello, and thanks for the answer,

We run IOS 12.4(17) (not a T-train, had some issues with it before) on both DMVPN routers. However, the WAEs themselves are connected to the core switches:

Main site Catalyst 65xx (IOS 12.2(33)SXH)

Branch site Catalyst 3750 (IOS 12.2(40)SE)

I'll set MTU on WAE's to 1200 and will let you know.

Update:

Changed the MTU on the WAEs' interfaces to 1200, rebooted the devices (just in case), Edge WAAS still cannot connect to the Core WAAS. Test preposition fails with "Network initialization error, retrying in 30sec" messages.

Opened a ticket with TAC, awaiting a reply.

New Member

Re: WAAS 4.0.13 over IPSec VPN

OK, to update this topic: after some traffic capturing and analysis we came to the conclusion that the problem is not WCCP or MTU in this case but the CBAC firewall in the DMVPN routers. Since we have 12.4 (non-T train), they don't support the ip inspect WAAS command to pass through WAAS traffic. The routers need to be upgraded to a T-train IOS with this command implemented (12.4(11)T2).

Thx.
