Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn how to set up and troubleshoot Web Cache Communication Protocol Version (WCCP) redirection to Cisco Wide Area Application Services (WAAS) devices with Cisco Expert Nicolas Fournier. Nicolas has worked in the Cisco Technical Assistance Center for six years, where he is responsible for supporting full-time content technologies and focuses on the areas of Cisco Wide Area Application Services (WAAS) and TCP acceleration. He is a graduate of the Universite catholique de Louvain and holds CCIE #19944 Security certification.
Remember to use the rating system to let Nicolas know if you have received an adequate response.
Nicolas might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the shortly after the event. This event lasts through July 1st, 2011. Visit this forum often to view responses to your questions and the questions of other community members.
I have WAAS modules installed on 3 sites and a CM to manage these. I see a lot of pass-through traffic in the WAAS and I want to see what this traffic is. Can I see it in any way?
Hi Sandy Pan,
"Show stat conn" should list the connections; pass-through connections will be identified as PT. Check for these port numbers. Also do a "show run |
I'm not aware of any way to see it from the Central Manager directly but you can easily see this from the CLI of your WAAS devices by issuing the following command:
show statistics pass-through
Taken from the config guide, here is an explanation of each entry you will find there:
Total number of connections passed through.
The connection is pass-through due to no peer WAE being found during TFO auto-discovery.
The connection is pass-through due to auto discovery finding that the peer WAE does not have the required capabilities.
The connection is pass-through due to auto discovery finding that the peer WAE does not have the required resources.
Rjct No License: Number of connections passed through due to no license.
Number of connections passed through due to policy configuration.
Number of connections passed through due to optimization being disabled globally.
Number of connections passed through due to asymmetric routing in the network (could be an interception problem).
Number of connections passed through due to connections seen by the WAE mid-stream.
Number of connections passed through because the WAE was in between two other WAEs.
Number of connections passed through due to miscellaneous internal errors such as memory allocation failures, and so on.
Number of connections passed through because an application accelerator requested the connection to be passed through.
Server Black List: Number of connections passed through due to the server IP being present in the black list.
AD Version Mismatch: Number of connections passed through due to auto discovery version incompatibility.
AD AO Incompatible: Number of connections passed through due to application accelerator versions being incompatible.
AD AOIM Progress: Number of connections passed through due to ongoing peer negotiations.
DM Version Mismatch: Number of connections passed through because directed mode, though enabled locally, is not supported by the peer device.
Number of connections passed through due to an upstream serial peer handling optimization and telling this WAE not to optimize the connection.
Bad AD Options: Number of connections passed through due to invalid auto discovery options.
Number of connections passed through because the only peer found is configured as a non-optimizing serial peer.
Number of connections passed through due to an interception ACL denying them.
If you want to see which hosts are generating this traffic you can also use the following command:
show statistics connection pass-through
It will give you the list of all pass-through connections going through your device.
You can also filter this output using the following options:
WAE#show statistics connection pass-through ?
client-ip Display passthrough connection statistics for client ip address
client-port Display passthrough connection statistics for client port number
peer-id Display passthrough connection statistics for peer idenitifier
server-ip Display passthrough connection statistics for server-ip
server-port Display passthrough connection statistics for server port number
| Output Modifiers
I hope this is the info you were looking for but please let me know if there is anything else you would like to know.
We have two datacenters with the same LAN, with two lines "load sharing" with BGP and two WAEs, running:
Interception Method: WCCP TCP Promiscuous
Egress Method: WCCP Negotiated Return
Sometimes we get "asymmetric asymmetric routing is seen in the device" when we run the diagnostic tests for the WCCP and sometimes it's OK.
Where should we start to look?
I believe the diagnostic tool is having a look at the output of the show statistics connection pass-through command for Asymmetric sessions.
If you issue the command right after a failed diagnostic, you should see some of those and hopefully, it will help you identify the traffic which is bypassing your WAEs.
Thanks for your reply.
Is there any special connection type for this issue?
As I have a lot of pass-through, for different reasons.
It should be triggered by PT Asym Client or PT Asym Server connections.
If you want to have a look at the list of all the different pass-through states you can see there and their explanation, you can have a look at this link: http://www.cisco.com/en/US/partner/docs/app_ntwk_services/waas/waas/v421/command/reference/execmds.html#wp3113061
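To act on the advice above (capture `show statistics connection pass-through` right after a failed diagnostic and look for PT Asym Client / PT Asym Server), the saved output can be tallied per connection type and per endpoint pair. This is an added example, not part of the original thread or Cisco code; the column layout and the sample rows are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample, not captured from a real device. The column layout
# (local ip:port, remote ip:port, peer id, connection type) is an assumption;
# adjust ROW to match what your WAAS version actually prints.
SAMPLE = """\
Local IP:Port          Remote IP:Port         Peer ID            ConnType
10.1.1.20:51234        192.0.2.10:443         N/A                PT Asym Client
10.1.1.20:51240        192.0.2.10:443         N/A                PT Asym Client
10.1.1.31:40022        192.0.2.25:80          N/A                PT No Peer
192.0.2.40:445         10.1.1.77:49800        N/A                PT Asym Server
10.1.1.31:40030        192.0.2.25:80          N/A                PT In Progress
"""

ROW = re.compile(
    r"^\s*(?P<local>\d{1,3}(?:\.\d{1,3}){3}):(?P<lport>\d+)\s+"
    r"(?P<remote>\d{1,3}(?:\.\d{1,3}){3}):(?P<rport>\d+)\s+"
    r"(?P<peer>\S+)\s+(?P<ctype>PT\b.*?)\s*$"
)
ASYM_TYPES = {"PT Asym Client", "PT Asym Server"}  # the two types named in the thread


def parse(text):
    """Return one dict per pass-through row; header and blank lines are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := ROW.match(line))]


def summarize(rows):
    """Count rows per connection type, and asymmetric rows per endpoint pair."""
    by_type = Counter(r["ctype"] for r in rows)
    asym = Counter(
        (r["local"], r["remote"], r["ctype"]) for r in rows if r["ctype"] in ASYM_TYPES
    )
    return by_type, asym


if __name__ == "__main__":
    by_type, asym = summarize(parse(SAMPLE))
    for ctype, n in by_type.most_common():
        print(f"{n:4d}  {ctype}")
    for (local, remote, ctype), n in asym.most_common():
        print(f"{ctype}: {local} <-> {remote} ({n} connections)")
```

Endpoint pairs that keep appearing in the asymmetric list are the flows whose forward and return paths are not both being intercepted, which is where to start checking the WCCP redirect configuration on each BGP path.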
We have a problem seeing the traffic in our provider IDS system and from the NetFlow from our two provider core routers.
As we are using Redirect and Return Method: WCCP GRE and not being able to use WCCP L2, we cannot see the GRE traffic from our provider's two routers.
My solution was to send NetFlow from the two WAEs also to our provider IDS system on the WAN side, but we can't do that as the WAEs have limited configuration possibilities on port and UDP for the flow.
Can you recommend any solution for this?
Regards Jan Rockstedt
NetFlow support on the WAE is meant for sending the data to a NAM so unfortunately, there isn't much tweaking you can do with it.
Could you let me know why you cannot use the reporting values of the router when WAAS is used with GRE return and negotiated return?
You might be missing the destination interface of the flow because of CSCsl30451 but AFAIK you should still see the flows when they originally hit the router.
So maybe it has something to do with CSCsl30451.
If I do a traffic report from the IDS system on the whole subnet, I can see a lot of traffic on the WAE using GRE; it is in the top hosts.
If I do it on the specific host I can also see the traffic on that host, but I need to know, as a first step, the traffic as an overview of the subnet.
Could it be the CSCsl30451?
Which version is running on your provider router?
Could you check if the version he is running is affected by "CSCsm35350 WCCP GRE return breaks IPsec traffic AND/OR creates phantom packet count"?
You can have a look at the bug description from the following link:
Cisco IOS Software, 3800 Software (C3845-SPSERVICESK9-M), Version 12.4(15)T10, RELEASE SOFTWARE (fc3)
Then you are not facing CSCsm35350 since it is fixed in this version.
I did some research on your issue and found two other possible candidates that might explain what you see:
If you are using Flexible Netflow:
CSCsl76763 FNF is double accounting WCCP GRE return packets
If you are using Traditional Netflow:
CSCti86131 2811 WAN usage reporting incorrect with WAAS
Our network environment is planning to implement IPv6. We are using WCCPv2, which at present does not support it. Will WCCPv3 be coming out soon, will it support IPv6, and will it support Active and Passive FTP modes?
WCCP IPv6 support will be added in IOS 15.2(3)T which unfortunately doesn't have a committed date yet.
Regarding FTP support, are you asking if WCCP will become application aware and will be able to redirect the FTP data connection after redirecting the control channel only? If that is the case, I'm afraid the answer will be no as the other features that should be added with IPv6 should be configurable router-id as well as variable timers.
We have a few WAAS devices in our environment and we currently optimize http/https traffic. We are looking at the possibility of optimizing Video on our WAN.
If this is not the right place to discuss this where can I find more information about this subject?
The WAAS Video Accelerator was designed to perform what you want to achieve if you are using RTSP over TCP.
You'll need to get the Video license to be able to use it but once it is done, you can enable the accelerator and you should start getting benefit from the Video AO as soon as it is optimized.
Here is how it needs to be configured:
and here is an example of how it can be integrated with a DMS system for instance: