We are installing a WAAS demo for a customer. The customer has two sites connected via a Microsoft site-to-site VPN over the Internet, and ISA servers terminate the VPN at the two sites (they are not working as a firewall). The WAAS devices are connected in inline mode behind the ISA, where all traffic coming in and out must pass through the WAEs. The problem is that they don't do any LZ compression or DRE caching; it is just TFO. The default policies are applied and I am sure that CIFS is enabled on the WAEs. The most important traffic is the Oracle application, and it is only TFO optimized although the default policies state full optimization. I even created an explicit policy with the highest priority to fully optimize the traffic destined to or sourced from the Oracle servers, and I made sure it was transferred to all WAEs, but it didn't work.
It is possible that ISA will not allow traffic other than TFO traffic to go through it. DRE, LZ and CIFS optimization modify the traffic quite a bit, which can be problematic for devices that then analyze the flow of traffic. This is why it is always recommended to have such devices located after WAAS, and not before it.
Thanks a lot for sharing... It's obvious from my question that the ISA blocks the DRE packets, and I asked for a solution, not a total topology conversion due to a problem like this.
First of all, you can't put the WAEs after the ISA, as the WAEs will not optimize properly due to the encryption and compression of the ISA, as it uses PPTP in our situation.
Second, we made a policy on the ISA to pass all traffic from any IP to any IP on any port, and it also didn't work.
Third, we built a lab here that simulated the customer topology and the same thing happened: only TFO. In the ISA monitoring tool we found that the ISA blocks HTTPS (port 443) between the CM and the WAEs, and any packet in the high port range (due to DRE optimization) is also blocked, as the ISA thinks it's a type of attack.
Finally... the solution to this problem is to dig a UDP tunnel between the two WAEs to throw the optimized packets into it, and to enable port 4050 on the ISA servers, which allows this tunnel to pass through the ISA.
This tunnel is established using a mode called Directed Mode on the two WAEs, as the inline groups take an IP address which is used for the tunnel establishment.
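As an added illustration of the fix described in this post (not configuration taken from the thread itself, nor an excerpt from Cisco's documentation), this is roughly what the directed-mode setup looks like on each WAE. It assumes the WAAS global configuration commands `directed-mode enable` and `directed-mode port` with the default UDP port 4050, and uses constructed placeholder addresses 10.1.1.10 and 10.2.2.10 for the inline-group interfaces at the two sites; check the command reference for the WAAS release in use before applying it.

```cisco
! Site-1 WAE (constructed example; addresses are placeholders)
! The inline group gets its own IP address so it can source and
! terminate the UDP tunnel towards the peer WAE at Site-2.
configure terminal
 interface InlineGroup 1/0
  ip address 10.1.1.10 255.255.255.0
  exit
 ! Directed mode encapsulates optimized peer traffic in UDP, so the ISA
 ! sees one predictable flow (UDP 4050 between the two inline-group
 ! addresses) instead of DRE/LZ-modified TCP segments on high ports
 ! that its inspection engine treats as an attack.
 directed-mode enable
 directed-mode port 4050
 exit

! Site-2 WAE: identical, with ip address 10.2.2.10 255.255.255.0
```

On the ISA side the matching change is a single access rule permitting UDP 4050 in both directions between the two inline-group addresses; keeping that rule scoped to the WAE pair rather than "any to any" is what preserves the ISA's ability to inspect everything else. To confirm the change took effect, the WAE's `show statistics connection` output (an assumed WAAS command) should show the Oracle connections with DRE and LZ applied rather than TFO only.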