New Member

WAAS outbound http and inbound VPN problems with ASA

Experiencing intermittent problems with outbound http Internet traffic that crosses an ASA (not in path of WAAS). Internal accelerated http has no problems. WAAS 4.1.5a with inline deployment at branch and data center (hosting Internet connection). Is there any specific config I need on the ASA? Everything I have seen posted regarding WAAS and ASA relates to ASA in the optimization path, which is not my case. Also having some problems with IPsec VPN client traffic terminated to ASA which would then be optimized by WAAS to access internal resources - http, CIFS and other applications.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: WAAS outbound http and inbound VPN problems with ASA

Todd,

I would try a couple of things. First on your ASA, try configuring the "inspect waas" setting to see if it is not liking the tcp options being passed through to it. That also might be the issue with the VPN traffic. Also on the VPN traffic, there might possibly be some fragmentation issues there? Take a look and adjust the MSS lower on the WAAS if you see fragmentation.

See if that helps,

Dan

6 REPLIES
New Member

Re: WAAS outbound http and inbound VPN problems with ASA

Dan,

Thanks for the reply. We have previously tried 'inspect waas' without any improvement to either VPN or http. It is currently on. At this point http problems are with a limited number of sites - Yahoo mainly, sometimes Google, although when it happens pretty much no site will load from that browser session. Upgrading to the latest ASA code seems to help with http to the point where we can just create classifiers to exclude the problem sites and leave acceleration on globally, although we would like for it to always work, obviously.

Fragmentation of the VPN traffic is a possibility so I will take a look and if I see anything lower MSS on the WAAS boxes.

New Member

Re: WAAS outbound http and inbound VPN problems with ASA

Definitely an MSS issue. Found that my client was sending MSS of 1260 (Cisco VPN client defaults MTU of all adapters to 1300 when it installs) and when I dropped the MSS on the ASA (sysopt connection tcpmss 1260) problems with the websites disappeared.

I have not verified full optimization over the VPN connections now works as well but it seems obvious that is also due to the MSS. We will see if we also have to drop the MSS on the WAAS for the VPN clients to work.

Many thanks - I've been beating my head against a wall on this.

Cisco Employee

Re: WAAS outbound http and inbound VPN problems with ASA

Todd,

Glad it helped.

Dan

New Member

Re: WAAS outbound http and inbound VPN problems with ASA

Todd,

When you say intermittent problems - does the traffic just not get optimized by the WAEs or does the traffic flow actually break?

Thanks.

New Member

Re: WAAS outbound http and inbound VPN problems with ASA

Traffic flow would break, due to certain servers not honoring MSS - mainly noticed on Google and Yahoo sites. Things would sometimes work fine, other times loading pages would just hang and eventually time out - apparently some of their infrastructure honors MSS and some does not. No problems since lowering MSS on the ASA.
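Added example, not part of the thread and not Cisco code: this Python code reads the MSS option from a raw TCP SYN segment, as you would from a capture taken on either side of the ASA, and checks it against what a given MTU can carry, using the 1300-byte MTU and 1260-byte MSS reported above. The function names are hypothetical, the SYN bytes are constructed, and IPv4 and TCP headers without extra options (20 bytes each) are assumed.

```python
import struct

def tcp_options(segment: bytes) -> dict:
    """Return {kind: value_bytes} for the options of a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] >> 4) * 4        # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts, i, raw = {}, 0, segment[20:data_offset]
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                           # End of Option List
            break
        if kind == 1:                           # NOP padding, no length byte
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed option")
        length = raw[i + 1]
        opts[kind] = raw[i + 2:i + length]
        i += length
    return opts

def syn_mss(segment: bytes):
    """MSS advertised in a SYN; None if the option is absent or it is not a SYN."""
    opts = tcp_options(segment)                 # also validates the header
    if not segment[13] & 0x02:                  # SYN flag
        return None
    value = opts.get(2)                         # option kind 2 = MSS
    return struct.unpack("!H", value)[0] if value and len(value) == 2 else None

def check(segment: bytes, mtu: int, ip_hdr: int = 20, tcp_hdr: int = 20):
    """Return (advertised MSS, largest MSS the MTU can carry, fits?)."""
    mss = syn_mss(segment)
    limit = mtu - ip_hdr - tcp_hdr
    return mss, limit, (mss is not None and mss <= limit)

def build_syn(mss: int) -> bytes:
    """Constructed sample: minimal SYN (ports, seq and window are arbitrary)."""
    hdr = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    return hdr + struct.pack("!BBH", 2, 4, mss)

if __name__ == "__main__":
    for advertised in (1260, 1460):             # VPN client vs. a common Ethernet default
        print(check(build_syn(advertised), mtu=1300))
```

A SYN whose MSS exceeds the limit for the adapter MTU is the case where lowering the MSS on the firewall or the WAAS devices is relevant.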
