We deployed WAAS in our network as described in the attached diagram, each datacentre WAE's have wccp neighbourship with adjacent DC router only .
It was working fine with single tunnel to datacentre and almost all traffics were optimizing properly.
But after we broughtup both links to dataceter , we found that all packets were not optimizing properly and suspect its due to the asymmetric routing form the branch offices .
I tried some options as per the below cisco document,
registered all the 4 datacentre WAE's with both datacntre routers and configured egress method as negotiated return. But after that normal http and application traffic are not at all going to branch but at the same time I have the IP reachability (ping)
could you please help us to find a solution for this asymmetric issue ?Rgds
It seems like there are several things to check/verify:
Have you verified you have asymetric routing occuring?
Does a traceroute from the data center towards the remote not follow the same path as from the remote to the data center?
If so, do the remote sites not know about specific netblocks within each data center?
What are the WAAS units reporting?
What is the output of a command like 'show stat conn' show? Do you see connections in progress or partial?
Hi Chris ,
Thanks for the reply ,
Answer is 'Yes' for the first three questions. we can see almost half of the connections are in PT In progress with no peer . we are using 7341 as the WAE's in Datacenter and NME's in Branches
Did this issue just start happening? In other words did it ever work?
I haven't worked with the NM-WAEs yet, so I'm not sure what anomolies can occur out at the remotes.
Since you said you see the WAEs registered in WCCP, the next thing I'd likely check would the the WCCP Access-Lists in the data centers. Are they properly calling the TCP source and destination addresses for the interception?
It works fine with single tunnel to datacenter and we could see almost all the traffics are optimizing properly.
The problem happened only when we brought up both links (tunnels) to datacenter.
Since it works perfectly with single tunnel, that means the access-lists and interception methods are correct.
Now we are looking for a solution to overcome this asymmetric routing issue.
On data center WAE, do u have both the wccp routers listed in the config? Generally it would be physical interface,loopback interface of local router and loopback interface of remote wccp router in remote data center. If it is not like that then please configure it. Could u provide configs of data center WAE and wccp router?
Is there a particular reason for configuring a separate wccp router list for the physical interface of immediate wccp routers?
wccp router-list 1 172.16.251.238 172.16.251.239
wccp router-list 8 172.16.159.33
Why ip address 172.16.159.33 not mentioned in wccp router-list 1?
There seems to be no visibility for the WAE to your physical interface but both the loopback ip's are visible. Would u be able to mention the physical interface IP in the same router-list 1.
Could you please also send a diagram of your network. I see that you are using DMVPN's to connect your WAN sites. What is the connection between the data centers, I need to understand the physical layout. Also can u run the following command on WAE and send the output:
find match “Routing Loop” syslog.txt
show tfo filtering
Also mention "ip wccp redirect exclude in" on interfaces connected to WAE's in data centers
Can u also paste the output of show wccp gre command from WAE?
Hmm, i have
We have also different tunnels pointing to our datacenter, both of them are optimized.
Our scenario works fine.
So we need to figure out the differences, and maybe this will bring us to a solution.
First of all, have you tried to configure service group 61 and 62 on the same interface?
I've configured it as followed:
description DE-US GRE over MPLS to XXXXXXXXX
ip address 10.10.209.9 255.255.255.252
ip accounting output-packets
ip mtu 1400
ip wccp 61 redirect out
ip wccp 62 redirect in
ip route-cache flow
keepalive 10 3
tunnel source GigabitEthernet0/0
tunnel destination xxxxxxxxxxx
service-policy output Tunnel_QOS_Policy_OUT
I could imagine that there is something wrong if packets will be redirected in different wccp groups.