Issue in WAE CM

Similar Messages

• WCCP inside VRF

  Hi Team,
  I have one issue with WCCP redirection inside VRF. Here is my scenario:
  PE router config (MPLS edge)
  ip vrf aaa
  rd 10:1
  route-target both 10:1
  int facing CE router
  ip vrf forwarding aaa
  ip address x.x.x.x x.x.x.x
  mpls bgp forwarding
  router bgp 10
  <classic MP-BGP config>
  address-family vpnv4 vrf aaa
    neighbor <CE router> remote-as 100
    neighbor <CE router> activate
    neighbor <CE router> send-label
  CE router (using VRF lite)
  ip vrf aaa
  rd 100:1
  route-target both 100:1
  ip wccp vrf aaa 61
  ip wccp vrf aaa 62
  int facing PE router
  ip vrf forwarding aaa
  ip address c.c.c.c c.c.c.c
  ip wccp vrf aaa 62 redirect in
  ip bgp mpls forwarding
  int facing WAAS
  ip vrf forwarding aaa
  ip address w.w.w.w w.w.w.w
  int LAN
  ip vrf forwarding aaa
  ip address l.l.l.l l.l.l.l
  ip wccp vrf aaa 61 redirect in
  router bgp 100
  address-family vpnv4 vrf aaa
  neighbor <PE router> remote-as 10
  neighbor <PE router> activate
  neighbor <PE router> send-label
  <classic network advertising>
  WAE config is classis WCCP with hash assignment and negotiated GRE return method. CE router does not have any issues detecting WAE appliance.
  Now the mentioned issue:
  Traffic from LAN to PE is being redirected OK. No issues here. But return traffic from PE router is not redirected to WAE appliance despite the fact that WCCP "redirect in" command is configured under CE WAN interface. When I remove "neighbor <CE router> send-label" command under "
  address-family vpnv4 vrf aaa" on PE router, CE router starts to redirect traffic from PE to WAE appliance (but I loose label information on CE). When I configure this command back, redirection stops.
  So my question is why this command is causing CE router not to redirect traffic from PE to LAN on its WAN interface? I was not able to find any restrictions regarding VRF lite and WCCP. I am using 15.2(3)T1 IOS version.
  Many thanks for any inputs.
  Regards,
  Stan

  hi Stan,
  I´m not really into VRF troubleshooting but you should check this info;
  If a Cisco WAAS NME-WAE network module or Cisco WAE appliance is used at a branch location and the service provider cannot strip off the labels, WCCP can be used with a route-leaking option as long as there are no overlapping IP addresses. ( that sounds like your design)
  look for  WCCP Deployment
  http://www.cisco.com/en/US/prod/collateral/contnetw/ps5680/ps6870/white_paper_C11-560131.pdf
  good luck!

• WAE FTP and offline Issue

  Hello All,
  I have really simple question for you.
  1>   So once the WAE devices are taken offline ( Disabling WCCP) 
  è  WAN traffic will continue flow has normal. However the current connections will be lost. Am I right ?
  è  Also even thought we restart the WAE devices once they are offline it will not impact the current WAN  traffic ?
  2>  So the other day I was trying to upload the 1.1.3b version to my WAE device which runs the CM ( Control Manager ) thru FTP however I got the time out error ( both thru the software and also thrui CLI ) here are the logs from the TFTP software. Also when i tried to upload the IOS image to the other WAE devices they had no issue.
  Connection received from 172.30.209.220 on port 10003 [25/06 22:45:28.365]
  Read request for file <WAAS_4.1.3b.9-K9.bin>. Mode octet [25/06 22:45:28.381]
  Using local port 2404 [25/06 22:45:28.381]
  TIMEOUT waiting for Ack block #65536  [25/06 22:46:18.797]
  Connection received from 172.30.209.220 on port 10003 [25/06 22:51:15.020]
  Read request for file <WAAS_4.1.3b.9-K9.bin>. Mode octet [25/06 22:51:15.020]
  Using local port 2409 [25/06 22:51:15.020]
  TIMEOUT waiting for Ack block #65536  [25/06 22:52:05.148]
  Connection received from 172.30.209.220 on port 10003 [25/06 23:15:58.221]
  Read request for file <WAAS-4.1.5f.2-K9.bin>. Mode octet [25/06 23:15:58.236]
  Using local port 2437 [25/06 23:15:58.236]
  TIMEOUT waiting for Ack block #65536  [25/06 23:16:48.737]
  Connection received from 172.30.209.220 on port 10003 [25/06 23:27:57.961]
  Read request for file <WAAS-4.1.5f.2-K9.bin>. Mode octet [25/06 23:27:57.977]
  Using local port 2443 [25/06 23:27:57.977]
  TIMEOUT waiting for Ack block #65536  [25/06 23:28:51.368]
  Thank you for all the help in advance,
  Soofi

  Hi Soofi,
  When you disable WCCP through the CLI, there is a graceful shut down period during which existing connections will continue to be handled by WAAS while new connections will be returned to the intercepting device for normal forwarding.  Once the graceful shutdown period as expired, optimized connections will be reset while pass-through connections will continue to flow normally.  Once you re-enable WCCP, existing connections will be handled as pass-through, while new connections will be optimized.
  For the upgrade problem you are having, how are you trying to copying the image to the CM?  Can you please provide the exact steps you are taking?
  Thanks,
  Zach

• WAE 674 booting issues

  I am having issues with my WAE 674.
  Powered on for the first time and was hanging at the booting the kernel screen.
  Then used the software recovery CD waas-rescue-cdrom-4.4.1.12-npe-k9.iso, it went through all the steps of installation.
  After reboot it hangs at booting the kernel, it does not move from this point. Nothing on the hyperterminal.
  I have attached the screenshot.
  Any ideas?
  Thanks,
  Suhail.

  Hi Suhail,
  How are you connected to the WAE?
  If you are directly connected to the WAE through a screen/keyboard, I believe that what you see is expected: the WAAS software stop redirecting it's console output on the screen after booting it's kernel and move it to the serial port.
  This is explained in the hardware specs of your device:
  You can connect a keyboard to any USB port and  connect a monitor to the video connector to troubleshoot the BIOS boot  process. However, video output is for troubleshooting only during the  BIOS boot process. The video output stops displaying when the serial  port becomes active. To monitor the boot process in normal operation,  use the serial console port.
  http://www.cisco.com/en/US/partner/docs/app_ntwk_services/waas/wae/installation/7341-7371/guide/7300intr.html#wp1040565
  Could you have a look at the boot sequence from the serial port and see if everything looks fine from there?
  Regards,
  Nicolas

• When I issue the 'Force group Settings' command what effect will this have on existing flows? Do I need to disable WCCP prior to issuing this command on the affected WAE's?

  Hi WAAS Experts,
  I have a query, when I issue the 'Force group Settings' command what effect will this have on existing flows? Do I need to disable WCCP prior to issuing this command on the affected WAE's?
  Thanks,
  Shankar K

  Hi Shankar,
  A change of classifier/policy on the WAE is not affecting the existing flows so you shouldn't need to disable WCCP if you want to force group settings there.
  Regards,
  Nicolas

• WAE-512 issue

  Dear ,
  I have site A and Site B.In site A I have AWe 512 is installed,at site B there is a WAE 512 and WAAS as a CM installed.
  All the applications were working fine between site A and site B.All of a sudden applications are not working like RDP,Accessin file server and all not accessible at site A to site B.When I check the connectivity ,it is reachable from site A to site B.
  Even telnet from site A to site B to all servers with the  port 3389 is connecting.When I check through netstat -an it shows from site A source address to site B destination address to that port 3389 is established.
  When mstc to that server is hanging,and \\x.x.x.x\ to remote is not able to open.
  Please guide me to resolve.
  Regards,

  Hi Venkat,
  Looking at your issue, are you sure this is WAAS issue? Can you please apply pass thru policy for this traffic and see if it works.
  You can also use cli command: show stat conn | in to see if the connection is going thru WAAS and is being optimized. If it shows up as optimized, try putting a pass thru policy for this client and verify the functionality.
  Further, is this issue limited to one client / one site / multiple sites? Depending on that you want to focus either on hub site or branch site or single client.
  Please also provide us the software version and hardwares you are using at the affected sites.
  Feel free to let us know if you think it is WAAS related.
  Hope this helps,
  Regards.
  PS: if this resolves the problem, please mark this as Answered.

• WAE IRQ Routing Issue

  Hi,
  Has anyone come across the issue with the IRQ for routing on the WAE?
  My edge box in our customer demo lab stopped routing traffic and only starts once you er-apply the gateway statments back in. Then network connectivity is restored and the WAE thinks its passing traffic to be acceleration process but in fact the traffic is worse than native across the WAN. This is on a 512 with an inline module running either 4.0.15b6 and or 4.0.17b14
  Cheers
  Rob

  Rob,
  Which "gateway statements" are you referring to? Obviously performance shouldn't be worse than native when WAAS is deployed. Can you please verify what speed/duplex the inline ports are configured/running as?
  Thanks,
  Zach

• WAE Issues

  Dear ,
  I have two sites connected through MPLS cloud.Site A to MPLS cloud is 10 Mb Link,Site B to MPLS 100 Mb Link.At Side A  Cisco WAE is installed,and site B WAE and WAAS (Central Manager) is connected.
  There are servers like Fileserver and ACS servers are placed at Side B.Now WAE is compressing and decompressing between Side A and Side B and vise versa.
  It was working fine.No configuration changes made.But all of a sudden from Side A to Side B the services are not working.Like, From side A trying to access the ACS server through RDP is not working.It is hanging.At the same time ICMP ping is perfect,no drop,then telnet with 3389 is connecting,meantime Netstat -an shows clearly the 3389 is established.
  But RDP is not working,I am not able to open the Fileserver to download and upload (Copying).
  For time being I have disconnected the WAE at site A.Now without WAE it is working fine.
  Please help me to resolve this issue.
  Thansk and Regards,
  S.Venkat

  Sure, with WAE, it adds extra TCP option and that increase the packet size, and typically the overall packet is more than 1500 bytes, therefore, the connectivity fails. If we lower the MTU MSS negotiated, the overall packet after the option addition will be no more than 1500 bytes, and will pass through the network just fine. Ethernet MTU is normally 1500 bytes.
  Hope that answers your question.

• WAE and N7K issue

  Issue Details- WAAS Optimizers were not optimizing traffic between two locations, drastically dropping performance on FTP connections and also seeing disconnection WAE from CM.There is somthing which is being pushed from CM that causing WCCP disconnect but not sure about it.
  Jun 14 01:58:46 APDC4R10-NWAE02 wccp: %WAAS-WCCP-5-500024: Removing router 0.0.0.0 from router table.
  Issue is sporadic in nature, SR has been open and TAC has given action plan when issue come again but, i am sure same issue happened earlier somewhere and solution must be in place rather reactive approch to wait for issue to come.
  Appreciate if any one has already know the solution on this.
  Tkx

  Hello Kiran,
  Because your  WCCP tunnel is going randomly down, I  believe this is  either  a design issue or a WCCP configuration  problem.
  Because is randomly  happening  is hard to run captures at the same time of failure but we can still review the captures when it is actually working.
  There are four WCCP V2 messages:
     * Here I AM
     * I See You
     * Redirect Assign
     * Removal Query
  Each WCCP message comprises a WCCP Message Header followed by a number of message components, for example if the length value  or any  component header is not set as expected one might expect to see WCCP errors.
  here are Nexus WCCP compatibilities notes:
  -Assignment methods supports only mask assisments. this is the  same as saying that the Nexus and the WAAS device are L2 connected and  should be properly configure to run mask assigments .. not hash.
  -In addition any packets being " bypass return" should  go via L2.
  -Packet egress redirection goes via IP forwarding and negotiated L2 return as well.
  -WCCP GRE return is not supported, WCCP GRE  redirection is not supported
  It will be nice if you  upgrade to a newer WAAS version  you're  about 30 versions away from the latest one, there  have been many open/fix caveats for WCCP/WAAS previous codes, in   addition to the enhacements you're missing.
  good luck,

• Upgrade Failed in WAE's from 4.1.5f to ver 4.2.3c with SSL Error.

  Hi all,
  I am in the process upgarding the OS from 4.1.5f to 4.2.3c . There was no issue upgarding the central manger.
  While upgarding the other WAE's from the CM and also from the CLI there is an Alarm as below.
          Alarm ID                 Module/Submodule               Instance
     1 mstore_key_retrieval      cms                          ssl_mstore_key
     2 mstore_key_failure        sslao                        mstore_key_failure
  Also the central manager shows that devices offline.
  Thanks for your help
  Dhana

  Hi Dhana,
  Please apply following commands from CLI on the WAEs that are hsowing up this error:
  1. cms disable on WAE. commnd: CM deregister OR CMS deregister force
  2. delete the device from CM
  4.Apply following commands to WAE:
  WAE-674-1(config)#no accelerator ssl  enable
  Disabled ssl accelerator.
  WAE-674-1(config)#end
  WAE-674-1#crypto pki managed-store initialize
  All certificate/private keys in SSL managed store will be deleted and optimized SSL traffic will be interrupted. Are you sure you want to continue(yes/no)? [no]:yes
  SSL managed store token file not present. Continuing with deletion of certificates in SSL managed store
  Restarting SSL accelerator. Done.
  WAE-674-1#conf t
  WAE-674-1(config)# accelerator ssl  enable
  Enabled ssl accelerator
  WAE-674-1(config)#cms enable
  Hope this helps.
  Regards.
  PS: Please mark this Answered, if it resolves the issue.

• Dual WAE's in mixed return methods?

  Today we have a single 7341 attached directly to the router's Gi0/1.  The original WAE uses Forwarded return.  Lastweek we received a second 7341 (and 15 other WAE boxes for branch sites). Since we can not connect a second WAE directly to the router without adding a switch between them, we planned on eventually moving both 7341's to our internal LAN segment.  Our new 7341 will be provisioned on the internal LAN and will use GRE Negotiated Return to the routers Loopback interface.  Once the new 7341 is up and running we plan on moving our original 7341 to that same architecture.
  Does this present an issue?  Will the router have an issue with service group 61 and 62 having two WCCP clients, using different return mechanisms?
  7341#1 = Forwarded Return (Directly connected to router, L2)
  7341#2 = GRE Negotiated Return (On Internal LAN, Routed)

  Just to clarify, both of these 7341 boxes will be in the same WCCP service groups. (61 LAN & 62 WAN).  The "Return method" is GRE for both.
  "However please note that the packet return method should be the same."
  7341#1
  wccp router-list 8 10.X.X.1 (Gi0/1 on router)
  wccp tcp-promiscuous service-pair 61 62 failure-detection 30
  wccp tcp-promiscuous service-pair 61 62 router-list-num 8
  wccp version 2
  7341#2
  wccp router-list 1 10.X.X.129 (Loopback1 on same router)
  wccp tcp-promiscuous service-pair 61 62 failure-detection 30
  wccp tcp-promiscuous service-pair 61 62 router-list-num 1
  wccp version 2
  egress-method negotiated-return intercept-method wccp

• WAAS WAE Alarm 'mstore_key_retrieval'

  Hello,
  I am supporting an environment that has 30+ remote WAEs deployed with a CM at the HQ.
  All remote WAE's Versions = Cisco Wide Area Application Services (universal-k9) Software Release 4.2.3b (build b4 Oct  4 2010)
  HQ's CM version = Cisco Wide Area Application Services (universal-k9) Software Release 4.4.3 (build b4 Aug 22 2011)
  On 4 of these WAEs, I currently am receiving encryption key alarms:
  WAE#show alarms detail support
  Critical Alarms:
          Alarm ID                 Module/Submodule               Instance
     1 mstore_key_retrieval      cms                          ssl_mstore_key          
       Apr 11 18:36:16.026 CDT, Processing Error Alarm, #000002, 3000:700008
       Unable to generate and/or retrieve SSL managed store encryption key from the Key Manager
       /alm/crit/cms/mstore_key_retrieval_failure:
           CMS/Management agent failed to generate and/or retrieve SSL managed store encryption key from Key Manager.
       Explanation:
           This alarm indicates one of following issues: Central
           Manager device(s) is not reachable.  Secure store on
           Central Manager is initialized but not open.  Key Manager
           process on Central Manager device is not running or failing
           to respond.  Key Manager is unable to process key
           generation or retrieval request.   If this issue is
           present, the WAE device will not be able to process  a
           configuration update received from the Central Manager if
           it  contains SSL certificate/key information.
       Action:
           Check if Central Manager device is reachable (TCP
           connections from the WAE to the Central Manager on port
           443) Check following log files for additional information
           about the error: /local1/errorlog/kc.log on WAE
           /local1/errorlog/km/km.log on CM
     2 mstore_key_failure        sslao                        mstore_key_failure      
       Apr 11 18:39:07.518 CDT, Processing Error Alarm, #000006, 26000:26002
       Failed to open SSL store due to failure in getting key from Central Manager.
       /alm/crit/sslao/mstore_key_failure:
           SSL managed secure store key retrieval failure.
       Explanation:
           The SSL accelerator is unable to get the SSL secure store
           key from the Central Manager.
       Action:
           Check the connection with the Central Manager.
  The explanations and actions match the alarm book , but in addition to that, in the Cisco WAAS Monitoring Guide, it also states:
  Alarm 700008 (mstore_key_retrieval_failure) CMS/Management agent failed to generate and/or retrieve SSL managed store encryption key from Key Manager.
  Severity: Critical
  Category: Processing
  Description: This alarm indicates one of following issues:
  –The WAAS Central Manager device is not reachable
  –Secure store on WAAS Central Manager is initialized but not open
  –The Key Manager process on the WAAS Central Manager device is not running or failing to respond
  –Key Manager cannot process key generation or retrieval request. If this issue is present, the WAAS device cannot process a configuration update received from WAAS Central Manager if it contains SSL certificate and key pair information.
  Action: Check to see if the WAAS Central Manager device is reachable (TCP connections from the WAE to the WAAS Central Manager on port 443). Check the following log files for additional information about the error:
  –On WAE: /local1/errorlog/kc.log on WAE
  –On WAAS Central Manager: /local1/errorlog/km/km.log
  Action: Fix the clock on the device or the primary WAAS Central Manager.
  For a complete list of alarm conditions, see the Alarm Book located in the WAAS 4.2.1 Software Download area on Cisco.com.
  Using this information, I've checked the following:
  TCP 443 is reachable from the WAE to the CM (I can telnet from each WAE to the CM on TCP 443)
  Time is correct on the WAEs and CM ('show ntp status' and 'show clock' are consistent)
  Secure store on CM is open ('show cms secure-store' on the CM shows that the mode is in 'Open' state),
  Verified that the key manager process is running (Looking at the CM's KM log shows plenty of action that it's working for other WAEs)
  Here is some information I gathered from the WAEs' kc.log files and the CM's km.log (slightly scrubbed):
  From the WAEs' kc.log files:
  pool-1-thread-1] INFO  CommClientAbstractRPC - Send key retrieval request to CM 10.x.x.x for token d1b77e45-ce60-4332-a92d-3d3cb17d35cf
  pool-1-thread-1] WARN  CommClientAbstractRPC - Received error response from KM(20,No key found for token d1b77e45-ce60-4332-a92d-3d3cb17d35cf from device 17111)
  From the CM's km.log file:
  [pool-1-thread-4] INFO - retrieveKey request, token=d1b77e45-ce60-4332-a92d-3d3cb17d35cf from device WAE1/17111
  [pool-1-thread-4] INFO - Checking secure store open
  [pool-1-thread-4] INFO - Loading KEK from data server
  [pool-1-thread-4] INFO - ticket 17111 (1327767406332, 1327767392433, 13899, 10000)
  [pool-1-thread-4] WARN - No key found for token d1b77e45-ce60-4332-a92d-3d3cb17d35cf from device 17111
  *** Going through these logs, I've seen other devices have the same issue, and eventually a WAE records the following:
  [main] ERROR DeviceInfo - /state/node.dat (No such file or directory)
  java.io.FileNotFoundException: /state/node.dat (No such file or directory)
  at java.io.FileInputStream.open(Native Method)
  at java.io.FileInputStream.<init>(Unknown Source)
  at java.io.FileInputStream.<init>(Unknown Source)
  at com.cisco.waas.kc.DeviceInfo.retrieveNodeInfo(DeviceInfo.java:65)
  at com.cisco.waas.kc.DeviceInfo.<init>(DeviceInfo.java:47)
  at com.cisco.waas.kc.DeviceInfo.getInstance(DeviceInfo.java:37)
  at com.cisco.waas.kc.comm.CommClientAbstractRPC.retrieveKey(CommClientAbstractRPC.java:149)
  at com.cisco.waas.kc.RetrieveKeyCommand.execute(RetrieveKeyCommand.java:43)
  at com.cisco.waas.cli.CLICommand.execute(CLICommand.java:114)
  at com.cisco.waas.cli.AbstractCLI.process(AbstractCLI.java:28)
  at com.cisco.waas.kc.KeyClient.main(KeyClient.java:40)
  [main] ERROR DeviceInfo - /state/node.dat (No such file or directory)
  java.io.FileNotFoundException: /state/node.dat (No such file or directory)
  at java.io.FileInputStream.open(Native Method)
  at java.io.FileInputStream.<init>(Unknown Source)
  at java.io.FileInputStream.<init>(Unknown Source)
  at com.cisco.waas.kc.DeviceInfo.retrieveNodeInfo(DeviceInfo.java:65)
  at com.cisco.waas.kc.DeviceInfo.<init>(DeviceInfo.java:47)
  at com.cisco.waas.kc.DeviceInfo.getInstance(DeviceInfo.java:37)
  at com.cisco.waas.kc.comm.CommClientAbstractRPC.initKey(CommClientAbstractRPC.java:40)
  at com.cisco.waas.kc.InitKeyCommand.execute(InitKeyCommand.java:40)
  at com.cisco.waas.cli.CLICommand.execute(CLICommand.java:114)
  at com.cisco.waas.cli.AbstractCLI.process(AbstractCLI.java:28)
  at com.cisco.waas.kc.KeyClient.main(KeyClient.java:40)
  *** Followed with what appears to be a new SSL key being generated ***:
  [main] INFO  DeviceInfo - loaded device info, hash  H04Fer5il3b/9oanDZXx/7aBnIo=
  [pool-1-thread-1] DEBUG CMProber$ProbeWorker - Sending CM probe request to CM 10.x.x.x
  [pool-1-thread-1] DEBUG CMProber$ProbeWorker - CM 10.x.x.x returned :primary:4.4.3.0.4
  [pool-1-thread-1] DEBUG CMProber$ProbeWorker - Primary CM address 10.x.x.x version 4.4.3.0.4
  [main] DEBUG CommClientAbstractRPC - CM version 4.4.3
  [main] INFO  CommClientAbstractRPC - Send key initialization request to CM 10.x.x.x key type SSL
  [main] INFO  CommClientAbstractRPC - Received new token for generated key SSL/cbe3d6fc-875e-4b61-baeb-528c55cb3597
  [main] INFO  DeviceInfo - loaded device info, hash  H04Fer5il3b/9oanDZXx/7aBnIo=
  [pool-1-thread-1] INFO  CommClientAbstractRPC - Send key retrieval request to CM 10.0.65.234 for token cbe3d6fc-875e-4b61-baeb-528c55cb3597
  [main] INFO  CommClientAbstractRPC$1 - Successfully retrieved key from CM for token cbe3d6fc-875e-4b61-baeb-528c55cb3597
  *** And the CM records the following ***:
  [pool-1-thread-4] INFO - initKey request from device WAE2/30129 key type SSL
  [pool-1-thread-4] INFO - Checking secure store open
  [pool-1-thread-4] INFO - Loading KEK from data server
  [pool-1-thread-4] INFO - Return crypto of type : 0
  [pool-1-thread-4] INFO - Checking secure store open
  [pool-1-thread-4] INFO - Loading KEK from data server
  [pool-1-thread-4] INFO - Loading KEK from data server
  [pool-1-thread-4] INFO - Generated new key WAE2/SSL token cbe3d6fc-875e-4b61-baeb-528c55cb3597
  I'm wanting to know why this occurs on some boxes and not others, and what triggers the process for a WAE to stop repeatedly sending key retrieval requests with a token that the CM has repeatedly replies with the key not being found and performing an initial key request.
  Thanks!

  Hi all, I got into the same issue and looking at a solution I found a way to clear those alarms whithout re-registering the WAE/WAVE. Here it goes...
  WAE##sh accelerator
  Accelerator     Licensed        Config State    Operational State
  cifs            Yes             Enabled         Running
  epm             Yes             Enabled         Running
  http            Yes             Enabled         Running
  mapi            Yes             Enabled         Running
  nfs             Yes             Enabled         Running
  ssl             Yes             Enabled         Disabled  ---> your SSL AO is probably down due the issue
  video           No              Enabled         Shutdown
  WAE#sh alarms
  Critical Alarms:
          Alarm ID                 Module/Submodule               Instance
     1 mstore_key_retrieval      cms                          ssl_mstore_key
     2 mstore_key_failure        sslao                        mstore_key_failure
  Major Alarms:
  None
  Minor Alarms:
  None
  WAE#crypto pki managed-store initialize
  All certificate/private keys in SSL managed store will be deleted and optimized SSL traffic will be interrupted. Are you sure you want to continue(yes/no)? [no]:yes
  Restarting SSL accelerator. Done.
  After a couple of minutes alarms will be cleared and SSLAO will be back UP.
  WAE#sh accelerator
  Accelerator     Licensed        Config State    Operational State
  cifs            Yes             Enabled         Running
  epm             Yes             Enabled         Running
  http            Yes             Enabled         Running
  mapi            Yes             Enabled         Running
  nfs             Yes             Enabled         Running
  ssl             Yes             Enabled         Running
  video           No              Enabled         Shutdown
  WAE#sh alarms
  Critical Alarms:
  None
  Major Alarms:
  None
  Minor Alarms:
  None
  In case you have the issue in the Core WAE (where the cms secure-store is opened), you might need to initialize it.
  Regards,
  Fernando

• NME-WAE-502-K9 does not come up on 3925 router

  Hello,
  I have a 3925 ISR G2 router equipped with the following:
  NAME: "CISCO3925-CHASSIS", DESCR: "CISCO3925-CHASSIS"
  PID: CISCO3925-CHASSIS , VID: V03 , SN: FCZ151920TA
  NAME: "Cisco Services Performance Engine 100 for Cisco 3900 ISR on Slot 0", DESCR: "Cisco Services Performance Engine 100 for Cisco 3900 ISR"
  PID: C3900-SPE100/K9   , VID: V03 , SN: FOC15060R5V
  NAME: "9 Port FE Switch on Slot 0 SubSlot 1", DESCR: "9 Port FE Switch"
  PID: HWIC-D-9ESW       , VID: V01 , SN: FOC1508029Y
  NAME: "C3900 AC Power Supply 1", DESCR: "C3900 AC Power Supply 1"
  PID: PWR-3900-AC       , VID: V02 , SN: QCS1517P0BR
  The router is also equipped with the following two modules:
  NME-WAE-502-K9
  SM-NM-ADPTR which is needed to support the NME-WAE-502-K9 on 3925 ISR G2 routers.
  The issue is that both of the above modules are not showing up in "show inventory", "show version" and "show diag".
  The router is running the following IOS version:
  15.0(1)M5
  The router has the following licenses installed:
  License Info:
  License UDI:
  Device#   PID                   SN
  *0        C3900-SPE100/K9       FOC15060R5V    
  Technology Package License Information for Module:'c3900'
  Technology    Technology-package          Technology-package
                Current       Type          Next reboot 
  ipbase        ipbasek9      Permanent     ipbasek9
  security      securityk9    Permanent     securityk9
  uc            None          None          None
  data          None          None          None
  I also tried to install the "diagk9" license for evaluation, which did not solve the issue.
  I also tried to reboot the router, also did not solve the issue.
  It seems to me, per Cisco's documentation, that the router is meeting the minimum requirements.
  Please advise if you know how to solve this issue.
  I'm attaching "show tech-support" output from the router, and also a screenshot of the rear side of the router.
  Thanking in advance, Udi Dahan.

  Hello Ehud,
  Looks like this could be hardware issue. Do you see the power on the NME module when you put it in?
  There could be two problems:
  1. The NME-WAE-502-K9 is bad. Try putting this in a different router and see if it shows up to make sure the NME module is good.
  2. The SM-NM-ADPTR is bad. Try to use different adapter with NME module and see if that shows up.
  3. The router slot itself is bad. try putting the adapter and NME module in different router to verify if it works.
  If nothing above works, you may want to open up a TAC case for RMA creation.

• WAAS CM Configuration Issue

  I have a WAE running 4.1.3 that registered successfully to the CM but is failing to pull the config from the CM (also at 4.1.3).
  It shows up as activated and online, but nothing shows up under the Services column within CM - where you typically see Application Accelerator.
  Debugging CMS on the edge WAE showed 'Failed to Connect to CMS configuration consumer. Unable to connect.'
  Has anyone experienced this? All other WAE's in my environment have registed and been able to pull config from CM w/o issue.

  I would recommend that you try to do a cms deregister force on the accelerator, and delete it from the central manager GUI. Then try re-registering to the CM and see if that will fix the issues.
  Thanks,
  Dan

• WAAS EMAP Optimization issue

  Dear Team,
  In WAAS Setup we are not seeing any Optimized EMAPI connection and below error is showing in Alarm section  for all Edge WAE devices.
  Wansecure encountered a peering service configuration error: ssl peering service configuration mismatch with peer device id 88:f0:31:b3:6e:c8. The following protocol acceleration can fail: SSL-AO, ICA (if using Wansecure) and Encrypted MAPI.
  We have verified the SSL peering configuration between Edge and core device and not found found any mismatch between them. Please suggest how we can resolve this issue.
  Regards,
  Ranjith

  Hi,
  Try the following on all the WAAS devices participating in the flow. (Core + edge)'
  WAAS #sh acc wansecure
  Accelerator Licensed Config State Operational State
  wansecure Yes Enabled Running
  WAN Secure:
  Accelerator Config Item Mode Value
  SSL AO User enabled
  Secure store User enabled
  Peer SSL version User default
  Peer cipher list User configured
  Peer cert User default <<<<Should be same for all devices
  Peer cert verify User enabled
  Follow the doc below.
  http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v501/configuration/guide/cnfg/policy.html#wp1156757
  Hope that resolves the issue.
  Regards,
  Abhishek
  CCIES 35269