10-13-2009 09:03 AM
Experiencing intermittent problems with outbound http Internet traffic that crosses an ASA (not in path of WAAS). Internal accelerated http has no problems. WAAS 4.1.5a with inline deployment at branch and data center (hosting Internet connection). Is there any specific config I need on the ASA? Everything I have seen posted regarding WAAS and ASA relates to ASA in the optimization path, which is not my case. Also having some problems with IPsec VPN client traffic terminated to ASA which would then be optimized by WAAS to access internal resources - http, CIFS and other applications.
10-15-2009 09:02 AM
Todd,
I would try a couple of things. First on your ASA, try configuring the "inspect waas" setting to see if it is not liking the tcp options being passed through to it. That also might be the issue with the VPN traffic. Also on the VPN traffic, there might possibly be some fragmentation issues there? Take a look and adjust the MSS lower on the WAAS if you see fragmentation.
See if that helps,
Dan
10-15-2009 03:17 PM
Dan,
Thanks for the reply. We have previously tried 'inspect waas' without any improvement to either VPN or http. It is currently on. At this point http problems are with a limited number of sites - Yahoo mainly, sometimes Google, although when it happens pretty much no site will load from that browser session. Upgrading to the latest ASA code seems to help with http to the point where we can just create classifiers to exclude the problem sites and leave acceleration on globally, although we would like for it to always work, obviously.
Fragmentation of the VPN traffic is a possibility so I will take a look and if I see anything lower MSS on the WAAS boxes.
10-16-2009 07:58 AM
Definitely an MSS issue. Found that my client was sending MSS of 1260 (Cisco VPN client defaults MTU of all adapters to 1300 when it installs) and when I dropped the MSS on the ASA (sysopt connection tcpmss 1260) problems with the websites disappeared.
I have not verified full optimization over the VPN connections now works as well but it seems obvious that is also due to the MSS. We will see if we also have to drop the MSS on the WAAS for the VPN clients to work.
Many thanks - I've been beating my head against a wall on this.
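A way to check the MSS finding above from a packet capture, as an added example that is not part of the original posts: it parses the TCP options of a raw SYN header and flags an advertised MSS larger than the path MTU allows. The function names and the sample SYN headers are constructed for illustration; the 1300-byte MTU and the 1260 MSS are the values from the thread.

```python
import struct

IP_TCP_OVERHEAD = 40   # IPv4 header (20) + TCP header (20), no options
DEFAULT_MSS = 536      # RFC 1122 default when a SYN carries no MSS option

def parse_tcp_options(tcp: bytes) -> dict:
    """Map option kind -> value bytes for a raw TCP header."""
    end = (tcp[12] >> 4) * 4              # data offset, in bytes
    if end < 20 or end > len(tcp):
        raise ValueError("bad TCP data offset")
    opts, i = {}, 20
    while i < end:
        kind = tcp[i]
        if kind == 0:                     # end of option list
            break
        if kind == 1:                     # NOP padding
            i += 1
            continue
        if i + 1 >= end:
            raise ValueError("truncated option")
        length = tcp[i + 1]
        if length < 2 or i + length > end:
            raise ValueError("bad option length")
        opts[kind] = tcp[i + 2:i + length]
        i += length
    return opts

def check_syn(tcp: bytes, path_mtu: int) -> dict:
    """Compare the MSS advertised in a SYN with what the path MTU allows."""
    opts = parse_tcp_options(tcp)
    raw = opts.get(2)                     # kind 2 = Maximum Segment Size
    mss = struct.unpack("!H", raw)[0] if raw and len(raw) == 2 else None
    limit = path_mtu - IP_TCP_OVERHEAD
    return {"mss": mss, "limit": limit, "kinds": sorted(opts),
            "oversized": (mss if mss is not None else DEFAULT_MSS) > limit}

def build_syn(mss: int) -> bytes:
    """Constructed sample: 24-byte SYN header carrying only an MSS option."""
    fixed = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 0, 6 << 4, 0x02, 65535, 0, 0)
    return fixed + struct.pack("!BBH", 2, 4, mss)

if __name__ == "__main__":
    for mss in (1460, 1260):              # before / after clamping
        print(mss, check_syn(build_syn(mss), path_mtu=1300))
```

Running the check on SYNs captured on both sides of the ASA shows whether the clamp is being applied, and the `kinds` list shows which TCP options survive the firewall.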
10-19-2009 11:19 AM
Todd,
Glad it helped.
Dan
11-12-2009 01:18 PM
Todd,
When you say intermittent problems - does the traffic just not get optimized by the WAEs or does the traffic flow actually break?
Thanks.
11-12-2009 01:26 PM
Traffic flow would break, due to certain servers not honoring MSS - mainly noticed on Google and Yahoo sites. Things would sometimes work fine, other times loading pages would just hang and eventually time out - apparently some of their infrastructure honors MSS and some does not. No problems since lowering MSS on the ASA.