Cisco Support Community
WAAS interception access list

Hello,

I am trying to configure a basic access list on a branch WAE. I wish to only accelerate traffic going to net 10.10.10.0/24. When I enter this command, however, it blocks all inbound traffic as well. Am I doing something very stupid? Also, there is a RTT of 600ms. This keeps dropping the connection to the CM saying the device status is offline. Is there a specific timer I can use to make this more robust?

ip access-list extended tennet

  permit ip any 10.10.10.0 255.255.255.0

interface InlineGroup 1/1
ip access-group tennet out

Best regards

Stephen

1 ACCEPTED SOLUTION

WAAS interception access list

Hi Stephen,

I'm not aware of any specific timers that will fix this.

If your remote WAE constantly shows up as offline, this might indicate some other problems.

600 ms RTT (satellite?) shouldn't itself be of any major concern unless you're losing a lot of packets.

Do you have any possibility of ensuring that CM<->WAE traffic (i.e. tcp port 443) gets prioritised by QoS?

Enabling fast offline detection will ensure that devices are detected offline faster, but I don't think this will fix your problem.

I've previously created a WAAS setup running across a satellite network with RTTs between 700 and 1500 ms and never encountered this kind of problem.

Never used Secure Store though as this requires CM connectivity more or less constantly.

regards

Finn

3 REPLIES

WAAS interception access list

Hi Stephen,

What you have done is to configure an Interface ACL, which controls the access to/through the device (like a router ACL).

I think you need to use an Interception ACL which controls the "interception".

Check this:

http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v441/configuration/guide/ipacl.html#wp1054042

and CLI:

http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v441/command/reference/glob_cfg.html#wp1932611

So you'll need to configure this globally:

interception access-list tennet

and remove it from the inline ports config.

Best regards

Finn
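
The distinction drawn in the reply above, as an added illustration (not code from the thread or from Cisco): a simplified Python model of the same one-rule ACL bound as an interface ACL versus as an interception ACL. It assumes the usual implicit deny at the end of the list, reads the posted rule as the /24 the poster describes, and evaluates each connection by its initiating packet; the helper names and all addresses outside 10.10.10.0/24 are constructed for the example.

```python
"""Simplified model (added example): one ACL, two attachment points on a WAE."""
from ipaddress import ip_address, ip_network

# The poster's single rule: permit ip any -> 10.10.10.0/24 (read as a /24).
# Assumption: the list ends with an implicit "deny any any".
TENNET = [("permit", ip_network("0.0.0.0/0"), ip_network("10.10.10.0/24"))]


def acl_action(acl, src, dst):
    """Return the first matching rule's action, else the implicit deny."""
    for action, src_net, dst_net in acl:
        if ip_address(src) in src_net and ip_address(dst) in dst_net:
            return action
    return "deny"


def interface_acl(acl, src, dst):
    """ACL bound with 'ip access-group': a deny drops the traffic."""
    return "forward" if acl_action(acl, src, dst) == "permit" else "drop"


def interception_acl(acl, src, dst):
    """ACL bound with 'interception access-list': a deny only means the
    connection is passed through without optimization."""
    return "optimize" if acl_action(acl, src, dst) == "permit" else "pass-through"


# Constructed sample connections (client -> server); addresses are made up.
FLOWS = [
    ("192.168.1.20", "10.10.10.5"),   # branch client -> network to accelerate
    ("192.168.1.20", "172.16.0.9"),   # branch client -> some other network
    ("172.16.0.9", "192.168.1.20"),   # inbound connection to a branch host
]


def compare(acl=TENNET, flows=FLOWS):
    """Verdict of each attachment point for every sample connection."""
    return [(s, d, interface_acl(acl, s, d), interception_acl(acl, s, d))
            for s, d in flows]


if __name__ == "__main__":
    for src, dst, iface, icept in compare():
        print(f"{src:>13} -> {dst:<13} interface={iface:<8} interception={icept}")
```
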

WAAS interception access list

Hello Finn,

Thank you very much. That was exactly it.

Do you have any idea about the secondary question regarding the timers? This is very frustrating. The CM gets a ping timeout so I cannot open the secure store from the remote WAE. The branch WAE always shows as offline in the CM. I need to know which timers I can set. As a reminder, the RTT is +/- 600ms.

Best regards

Stephen
