Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

WAAS, ASA, IPSEC: Problem with optimization


we have Problems to work with WAAS (4.0.17b14) in conjunction with ASA (8.03) and VPN-Router (12.4(15)T5).

The flow is:

Cat6509 (122-18.SXF14) with wccp v2 configured and GRE-redirect - one arm-

-> ASA (8.03) with inspect waas -> L2l-Tunnel -> CSC 876 with GRE-redirect and FW-Feature on Dieler and LAN-Interface.

Problem: If I configure wccp redirect 61 in and wccp 62 out on the LAN-interface and redirect exclude for the WAE-Interface nothing works over the router. WCCP-Peers established and "sh ip wccp" shows rising counters on the 876. After configuration wccp 62 in on the Dialer-Interface (with ipsec and FW-inspection) it works for users, but no policy will bound to the connections (see attachments). The "show tfo connection" shows no entries. All policies are configured for default.

Are there any ideas to solve this problem?

Kind Regards.



Re: WAAS, ASA, IPSEC: Problem with optimization

The DF bit with IPSec tunnels feature lets you specify whether the security appliance can clear, set, or copy the Don't Fragment (DF) bit from the encapsulated header. The DF bit within the IP header determines whether a device is allowed to fragment a packet.

Use the crypto ipsec df-bit command in global configuration mode to configure the security appliance to specify the DF bit in an encapsulated header.

When encapsulating tunnel mode IPSec traffic, use the clear-df setting for the DF bit. This setting lets the device send packets larger than the available MTU size. Also this setting is appropriate if you do not know the available MTU size.


The following example, entered in global configuration mode, specifies sets

the IPSec DF policy to clear-df:

hostname(config)# crypto ipsec df-bit clear-df inside

Community Member

Re: WAAS, ASA, IPSEC: Problem with optimization

Thank you for this detailed information. Yesterday I solved the problem as follows:

Disableing the FW-Feature on the branch-router, because it was not needed for user-traffic.

Additional I configured "inspect waas" on the ASA to avoid removing option 33.

CreatePlease to create content