Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

WAAS over IPSec

Hello,

 

I have a scenario with 16 WAAS (274, 294 and 574) + 1 CM (274). All the WAAS have communication between then trough a VPN IP MPLS except 3 of then that communicate with the VPN IP MPLS trough IPSec tunnel. All the WAAS are configured in inline interception, installed between the local LAN and the router of this LAN.

The WAAS the are in the VPN IP MPLS don't have any problem and optimize the traffic with no problem. The 3 WAAS the are in site connected with IPSec tunnel don't optimize the traffic. the connection appear with the stat of PT no peer or PT in progress.

 

Why the connection are not optimized in the 3 sites with IPSec tunnel? how can i resolve this problem.

 

Best Regards

Celio Soares

2 REPLIES

Hey You need to "inspect WAAS

Hey

 

You need to "inspect WAAS" in your firewall (as i presume your IPsec terminates on a firewall ?)

<snip>

By default, WAAS transparently sets up new TCP connections to peer WAEs, which can cause firewall traversal issues when a WAAS device tries to optimize the traffic. If a WAE device is behind a firewall that prevents traffic optimization, you can use the directed mode of communicating to a peer WAE. In directed mode, all TCP traffic that is sent to a peer WAE is encapsulated in UDP, which allows a firewall to either bypass the traffic or inspect the traffic (by adding a UDP inspection rule).

Any firewall between two WAE peers must be configured to pass UDP traffic on port 4050, or whatever custom port is configured for directed mode if a port other than the default is used. Additionally, because the WAAS automatic discovery process uses TCP options before directed mode begins sending UDP traffic, the firewall must be configured to pass the TCP options. Cisco firewalls can be configured to allow TCP options by using the ip inspect waas command (for Cisco IOS Release 12.4(11)T2 and later releases) or the inspect waas command (for FWSM 3.2(1) and later releases and PIX 7.2(3) and later releases).

<! snip>

http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v541/configuration/guide/cnfg/network.html

 

New Member

Hello,In one site i have

Hello,

In one site i have router Cisco 881-k9 with IOS Data-Universalk9-M 15.1(4)M4. The router connect to the inline interface of the WAE 294 and the WAE connect to the Local LAN. I have tested with the IOS firewall of the router disabled and the connection are not optimized.

 

In second site I have a router Cisco 1811 with IOS AdvIPServicesK9 12.4(15)T17 is connect to the inline interface of the WAE 274 that connect to the local LAN. Also haved disable IOS firewall and test the optimization of the connection with no success.

In the 2 site with the firewall disable the ip inspect command is necessary? why the WAE don´t optimize the connection with the firewall disable?

 

the 3 site have a router draytek 2960 connect to the inline interface. It is possible in this model of router configure the ip inspect waas or a similar command?

 

 

Best regard

 

 

234
Views
0
Helpful
2
Replies