
New Member

Firewall Integration

Hi all,

We are testing a 574 with an inline card together with ASA version 8.

Here is the flow: "Router <-> WAE <-> ASA <-> Switch". Is this right, or should we have it between the switch and the ASA?

We have enabled inspect WAAS in the ASA. Is there anything else that needs to be configured in the ASA or WAE?

The issue we have is that when we use Windows file copy, it is cached in one direction and not in the other.

No interface errors in the WAE.

Jan

  • Wide Area Application Services (WAAS)
13 REPLIES
Cisco Employee

Re: Firewall Integration

Jan,

I understand that WAE is inline before the next hop router.

Can you check if you're seeing this on ASA for connections both ways:

%ASA-6-428001: WAAS confirmed from in_interface:src_ip_addr/src_port to out_interface:dest_ip_addr/dest_port, inspection services bypassed on this connection.

Also, in the ASA's connection table, see if the W flag is present next to the connection.
Short of that, "no", you don't need more from the ASA.
Marcin
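
Added example, not part of the original thread: a short Python check that reads ASA syslog lines, counts `%ASA-6-428001` confirmations per interface direction, and lists CIFS (TCP/445) connections that were built but never WAAS-confirmed. The `%ASA-6-302013` line layout, the function names and all sample addresses are assumptions constructed for illustration.

```python
import re
from collections import Counter

# 428001 layout is the one quoted in the thread. 302013 ("Built ... TCP
# connection") layout is assumed from ASA 8.x syslog output.
EP = r"(\S+?):(\d+\.\d+\.\d+\.\d+)/(\d+)"
WAAS_RE = re.compile(r"%ASA-6-428001: WAAS confirmed from " + EP + r" to " + EP)
BUILT_RE = re.compile(r"%ASA-6-302013: Built \w+ TCP connection \d+ for "
                      + EP + r" \(\S+\) to " + EP)

# Constructed sample log lines (not taken from the thread).
SAMPLE = [
    "%ASA-6-302013: Built outbound TCP connection 101 for "
    "outside:10.2.2.20/445 (10.2.2.20/445) to inside:10.1.1.10/51000 (10.1.1.10/51000)",
    "%ASA-6-428001: WAAS confirmed from inside:10.1.1.10/51000 to "
    "outside:10.2.2.20/445, inspection services bypassed on this connection.",
    "%ASA-6-302013: Built inbound TCP connection 102 for "
    "outside:10.2.2.30/52000 (10.2.2.30/52000) to inside:10.1.1.5/445 (10.1.1.5/445)",
]

def _key(m):
    """Order-independent connection key built from both endpoints."""
    a = (m.group(1), m.group(2), int(m.group(3)))
    b = (m.group(4), m.group(5), int(m.group(6)))
    return frozenset((a, b))

def audit(lines, port=445):
    """Return (confirmations per direction, built-but-unconfirmed connections)."""
    built, confirmed, directions = set(), set(), Counter()
    for line in lines:
        m = WAAS_RE.search(line)
        if m:
            confirmed.add(_key(m))
            # Direction = (ingress interface, egress interface) of the flow.
            directions[(m.group(1), m.group(4))] += 1
            continue
        m = BUILT_RE.search(line)
        if m and port in (int(m.group(3)), int(m.group(6))):
            built.add(_key(m))
    # Connections on `port` for which no 428001 was ever logged.
    unconfirmed = sorted(sorted(k) for k in built - confirmed)
    return dict(directions), unconfirmed

if __name__ == "__main__":
    per_direction, missing = audit(SAMPLE)
    print("WAAS confirmed per direction:", per_direction)
    print("Built on TCP/445 without 428001:", missing)
```

A direction that never appears in the first result, or a connection listed in the second, is a flow for which the ASA logged no WAAS confirmation.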

New Member

Re: Firewall Integration

Hi,

The WAAS is after the WAN router and before the "outside" of the ASA.

I can see in the syslog %ASA-6-428001: WAAS confirmed from in_interface:src_ip_addr/src_port to out_interface:dest_ip_addr/dest_port, inspection services bypassed, but I don't see any UOW flags when I am running sh conn det

Could this be because the WAE is not on the "inside" of the ASA?

Jan

Cisco Employee

Re: Firewall Integration

Jan,

Very possible, I don't have a lab setup to test this.

Anything else in logs on the ASA during transfer?  How about disabling randomization of ISN?

BTW since you're talking about caching - are we talking about ACNS or WAAS? On ACNS there's HTTP stats about misses etc.

Marcin

New Member

Re: Firewall Integration

Hi,

We are talking about WAAS.

How do I disable the random ISN?

Jan

Cisco Employee

Re: Firewall Integration

Jan,

It's really a long shot but:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1080757

basically - define a flow via access-list or particular port.

Apply the access-list or port in class-map

Apply the class-map in global policy

set connection random dis 

That's it ... but IMHO it might not be related.

How exactly are you checking that there is no caching?

Marcin

New Member

Re: Firewall Integration

Hi,

I will wait with disabling the ISN and move the WAE to the inside of the firewall.

The LAN admin is testing with Windows file copy; the second time he copies a file, it should be cached in the WAE.

Download on remote CIFS is OK, but the upload on the same remote CIFS is not cached the second time.

Jan

Cisco Employee

Re: Firewall Integration

Jan,

Do you have connection stats for this particular connection?

Why not do WCCP instead of inline, or is the router a non-Cisco device?

Marcin

New Member

Re: Firewall Integration

The router is a Cisco device, but it is not ours, and enabling WCCP is not that easy for the provider.

That is why we use inline.

I have done any sh stats on the particular connection.

I will move the WAE and, if it doesn't work, I will be back.

Thank you Jan

Re: Firewall Integration

Jan,

The CIFS cache is only effective on the download at the client location.  If the same client uploaded a previously downloaded file you will not see "LAN"-like performance on this upload since there is no CIFS cache on the server side WAE for this scenario.  However, you will be taking full advantage of the DRE cache on both client and server side WAEs.  Thus, I would expect the performance of the upload to be better than without WAAS, but not as good as a download being served from the client WAE CIFS cache.


So, as long as the connection is showing as T,C,D,L on both WAEs (show stat conn | inc ) your FW is not stripping options or preventing this connection from being accelerated.

Cheers,

Mike Korenbaum

Cisco WAAS PDI Help Desk

http://www.cisco.com/go/pdihelpdesk
