03-16-2009 04:00 AM
Hello,
I have a question: is there any document that clarifies the TCP changes made while traffic is passing via the WAAS?
As I know, the first WAE will increase the seq number by 2 billion, but I need to know if the second WAE will decrease it again before sending to the destination.
Also, if I have a firewall (not in the path), would it be affected by the TCP changes so that it may drop the traffic?
Thanks & BR
Moamen
03-16-2009 10:55 AM
The first thing that happens is that the WAEs add a TCP option (0x21) to the TCP SYN/SYN-ACK during the session setup for WAE autodiscovery. These options are sent to both the client and the server to attempt to discover WAEs further up the line.
Once the WAEs discover each other, there is a seq number jump (as you referred to) of 2 billion. This happens only between the WAEs after they have negotiated optimization. Between the WAEs and the hosts (client and server), the seq number stays normal; this is to prevent optimized traffic from getting to a host if there is a WAE outage. The host receives a huge jump in seq number and resets the connection, preventing data issues with compressed payloads, etc.
Firewalls usually don't like unknown TCP options and seq number jumps, so firewalls can cause issues if they are between the WAEs attempting to optimize. Cisco firewalls have options in the software to detect and allow WAAS optimizations, so if you are using Cisco firewalls with newer code versions, you can integrate them with WAAS in your environment.
Hope that helps,
Dan
03-19-2009 11:04 AM
Dan / anybody
Is there a way to manually configure what the "inspect waas" does on newer releases? I'm running ASA 7.0(8) because stability is a must. Would it be possible to apply a tcp-map allowing TCP options and disabling sequence number randomization? Am I missing something?
example:
!
class-map WAE-TCPopt
match access-list WAE-TCPopt
!
class-map VoIP
match access-list VoIP-RTP
!
class-map inspection_default
match default-inspection-traffic
!
tcp-map WAE
tcp-options range 6 7 allow
tcp-options range 9 255 allow
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect tftp
inspect netbios
inspect mgcp
class WAE-TCPopt
set connection random-sequence-number disable
set connection advanced-options WAE
class VoIP
priority
!
access-list VoIP-RTP line 1 extended permit udp any range 16384 32767 any range 16384 32767
!
access-list WAE-TCPopt extended permit ip 10.0.0.0 255.0.0.0 any
access-list WAE-TCPopt extended permit ip 172.16.0.0 255.240.0.0 any
access-list WAE-TCPopt extended permit ip 192.168.0.0 255.255.0.0 any
access-list WAE-TCPopt extended permit ip any 10.0.0.0 255.0.0.0
access-list WAE-TCPopt extended permit ip any 172.16.0.0 255.240.0.0
access-list WAE-TCPopt extended permit ip any 192.168.0.0 255.255.0.0
!
Thanks!
Guido
05-05-2009 08:58 AM
Have you got any workaround for your problem? I have the same issue. Can you please tell me? It's urgent.
05-05-2009 12:10 PM
I think the only way with ASA prior to 7.2.3 would be to use directed mode on WAAS and manually permit the TCP options; see the following.
PIX/ASA with 7.0 or above (v7.0, v7.1, v7.2 prior to 7.2.3, v8.0 prior to 8.0.3)
It requires manually permitting 'TCP Options'; enabling Directed mode on the WAE will let WAAS optimize using the UDP 4050 tunnel.
To permit options manually on PIX/ASA with 7.0+
------------------------------------
access-list TCPTRAFFIC extended permit tcp any any
!
tcp-map WAASOPTIONS
tcp-options range 33 33 allow
!
class-map WAAS
 match access-list TCPTRAFFIC
!
policy-map global_policy
 class WAAS
   set connection advanced-options WAASOPTIONS
------------------------------------
Hope that gives you what you need. Directed mode is available in 4.1.x.
Dan
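The two mechanisms Dan describes in this thread, the kind-33 (0x21) TCP option added to the SYN/SYN-ACK and the roughly 2 billion seq number shift between the WAEs, are the things a firewall in the path has to tolerate, and the tcp-map above is how the ASA is told to tolerate the option. The following Python is an added example, not code from this thread or from Cisco: it builds a constructed SYN carrying a kind-33 option, parses the TCP option list the way a firewall would, checks each kind against a tcp-map-style allow policy (no map, Dan's `range 33 33`, and Guido's `range 6 7` / `range 9 255` maps), and flags a seq number jump of the size Dan mentions. The set of option kinds assumed to pass without a tcp-map, the 4-byte payload inside the kind-33 option, and the 2,000,000,000 threshold are assumptions for the model; the page does not specify them.

```python
"""Constructed example: parse TCP SYN options, find the WAAS auto-discovery
option (kind 0x21 = 33) and evaluate it against a tcp-map-style allow policy.
Added for illustration; not code from the forum thread or from Cisco."""
import struct

WAAS_OPTION_KIND = 0x21               # 33 decimal, i.e. "tcp-options range 33 33 allow"
SEQ_SHIFT_THRESHOLD = 2_000_000_000   # the "2 billion" jump described in the thread

# ASSUMPTION for this model: kinds a firewall passes without any tcp-map
# (EOL, NOP, MSS, window scale, SACK-permitted, timestamp).
DEFAULT_ALLOWED = {0, 1, 2, 3, 4, 8}


def build_syn(seq, options, sport=49152, dport=445):
    """Build a minimal 20-byte TCP SYN header followed by raw option bytes."""
    options = options + b"\x00" * (-len(options) % 4)    # pad to 32-bit words
    data_offset = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      data_offset << 4, 0x02, 65535, 0, 0)
    return hdr + options


def parse_tcp_options(segment):
    """Return [(kind, data)] from a TCP header; raise ValueError on malformed input."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    end = (segment[12] >> 4) * 4
    if end < 20 or end > len(segment):
        raise ValueError("bad data offset")
    opts, out, i = segment[20:end], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                          # EOL: the rest is padding
            break
        if kind == 1:                          # NOP carries no length byte
            out.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("truncated option or bad option length")
        length = opts[i + 1]
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out


def evaluate_policy(kinds, allow_ranges):
    """Model of 'tcp-options range LOW HIGH allow': a kind passes if it is in
    DEFAULT_ALLOWED or inside any allowed (low, high) range; otherwise it is
    treated as one the firewall would clear."""
    allowed = set(DEFAULT_ALLOWED)
    for low, high in allow_ranges:
        allowed.update(range(low, high + 1))
    return {kind: kind in allowed for kind in kinds}


def seq_jump(seq_before, seq_after):
    """Forward distance between two 32-bit sequence numbers, modulo 2**32."""
    return (seq_after - seq_before) & 0xFFFFFFFF


def looks_like_waas_shift(seq_before, seq_after):
    """True when the seq number moved by at least the WAE-to-WAE shift size."""
    return seq_jump(seq_before, seq_after) >= SEQ_SHIFT_THRESHOLD


# Constructed SYN options: MSS 1460, NOP, NOP, SACK-permitted, then kind 33.
# The 4-byte payload after kind/length is invented; the real format is not on the page.
CONSTRUCTED_OPTS = (b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x04\x02"
                    + bytes([WAAS_OPTION_KIND, 6]) + b"\xde\xad\xbe\xef")
SYN = build_syn(seq=1000, options=CONSTRUCTED_OPTS)


def demo():
    """Parsed option kinds and whether kind 33 survives under three policies."""
    kinds = [kind for kind, _ in parse_tcp_options(SYN)]
    no_map = evaluate_policy(kinds, [])                  # ASA with no tcp-map
    dan_map = evaluate_policy(kinds, [(33, 33)])         # WAASOPTIONS map above
    guido_map = evaluate_policy(kinds, [(6, 7), (9, 255)])  # Guido's WAE map
    return kinds, no_map[WAAS_OPTION_KIND], dan_map[WAAS_OPTION_KIND], guido_map[WAAS_OPTION_KIND]


if __name__ == "__main__":
    print(demo())
    print(looks_like_waas_shift(1000, (1000 + 2 ** 31) & 0xFFFFFFFF))
```

Running it shows that without a tcp-map the kind-33 option is the only one in the constructed SYN that the model would clear, which is exactly the case where auto-discovery never completes and the WAEs never enter optimization; both posted maps let it through. The seq jump check is what a firewall doing stateful sequence tracking between the two WAEs would trip on, which is why the thread pairs the option allow with disabling sequence number randomization.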
05-05-2009 12:53 PM
Hello
We couldn't solve it with 7.0(8). We did some sniffing, policies to permit TCP options, and disabled sequence number randomization. We didn't want, though, to use legacy mode on WAAS. Finally we upgraded to 7.2(4), which was a TAC recommendation because they couldn't fix it either. As far as I'm concerned, it cannot be done with 7.0(8).
Regards
Guido
05-05-2009 02:10 PM
Guido,
That is good info, thanks for your update. I will put that in my notes.
Dan