WAAS outbound http and inbound VPN problems with ASA

tpharis2112
Level 1

Experiencing intermittent problems with outbound http Internet traffic that crosses an ASA (not in path of WAAS). Internal accelerated http has no problems. WAAS 4.1.5a with inline deployment at branch and data center (hosting Internet connection). Is there any specific config I need on the ASA? Everything I have seen posted regarding WAAS and ASA relates to ASA in the optimization path, which is not my case. Also having some problems with IPsec VPN client traffic terminated to ASA which would then be optimized by WAAS to access internal resources - http, CIFS and other applications.

Accepted Solutions

dstolt
Cisco Employee

Todd,

I would try a couple of things. First on your ASA, try configuring the "inspect waas" setting to see if it is not liking the tcp options being passed through to it. That also might be the issue with the VPN traffic. Also on the VPN traffic, there might possibly be some fragmentation issues there? Take a look and adjust the MSS lower on the WAAS if you see fragmentation.

See if that helps,

Dan

Dan,

Thanks for the reply. We have previously tried 'inspect waas' without any improvement to either VPN or http. It is currently on. At this point http problems are with a limited number of sites - Yahoo mainly, sometimes Google, although when it happens pretty much no site will load from that browser session. Upgrading to the latest ASA code seems to help with http to the point where we can just create classifiers to exclude the problem sites and leave acceleration on globally, although we would like for it to always work, obviously.

Fragmentation of the VPN traffic is a possibility so I will take a look and if I see anything lower MSS on the WAAS boxes.

Definitely an MSS issue. Found that my client was sending MSS of 1260 (Cisco VPN client defaults MTU of all adapters to 1300 when it installs) and when I dropped the MSS on the ASA (sysopt connection tcpmss 1260) problems with the websites disappeared.

I have not verified full optimization over the VPN connections now works as well but it seems obvious that is also due to the MSS. We will see if we also have to drop the MSS on the WAAS for the VPN clients to work.

Many thanks - I've been beating my head against a wall on this.

Todd,

Glad it helped.

Dan

rm2017
Level 1

Todd,

When you say intermittent problems - does the traffic just not get optimized by the WAEs or does the traffic flow actually break?

Thanks.

Traffic flow would break, due to certain servers not honoring MSS - mainly noticed on Google and Yahoo sites. Things would sometimes work fine, other times loading pages would just hang and eventually time out - apparently some of their infrastructure honors MSS and some does not. No problems since lowering MSS on the ASA.
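
Added example (not code from any poster in this thread): a Python check for the MSS problem discussed above. It parses the TCP options in a raw SYN header, reports the advertised MSS, and flags whether full-size segments would exceed a path MTU such as the VPN client's 1300. The function names and the sample SYN bytes are constructed for illustration; option kind 0x21 is the one WAAS auto-discovery adds to SYNs.

```python
import struct

MSS_KIND = 2          # TCP option kind: Maximum Segment Size
WAAS_AD_KIND = 0x21   # TCP option kind added by WAAS auto-discovery
IP_TCP_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header, no options

def parse_tcp_options(tcp_header: bytes) -> dict:
    """Return {kind: value_bytes} for the options in a raw TCP header."""
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad TCP data offset")
    opts, i = {}, 20
    while i < data_offset:
        kind = tcp_header[i]
        if kind == 0:          # End of Option List
            break
        if kind == 1:          # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("truncated option")
        length = tcp_header[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("bad option length")
        opts[kind] = tcp_header[i + 2:i + length]
        i += length
    return opts

def check_syn(tcp_header: bytes, path_mtu: int) -> dict:
    """Report the advertised MSS and whether it fits within path_mtu."""
    opts = parse_tcp_options(tcp_header)
    mss = struct.unpack("!H", opts[MSS_KIND])[0] if MSS_KIND in opts else None
    return {
        "mss": mss,
        "waas_option": WAAS_AD_KIND in opts,
        # A full-size segment is MSS + 40 bytes on the wire
        "exceeds_path_mtu": mss is not None and mss + IP_TCP_OVERHEAD > path_mtu,
    }

def build_syn(mss: int, extra: bytes = b"") -> bytes:
    """Constructed SYN header for the demo (ports and sequence are arbitrary)."""
    options = struct.pack("!BBH", MSS_KIND, 4, mss) + extra
    options += b"\x01" * (-len(options) % 4)   # pad to a 32-bit boundary
    offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, offset << 4, 0x02, 65535, 0, 0)
    return fixed + options
```

Feeding it SYN headers captured on each side of the ASA shows whether the MSS was actually clamped and whether the WAAS option survived the firewall.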
