WAAS and Cat4500

Hi,
I have the Cat4500 and I'd like to use WAAS for TCP optimization. I can use only WCCPv2 for traffic redirection. I don't know which mask I have to set. I wrote that only one mask is supported for the Cat4500.
I'm sending you the WCCP configurations of WAE and Cat4500 for WCCP. Are these configs right?
WAE:
wccp router-list 1 10.4.238.249
wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign l2-return
wccp version 2
Cat4500:
ip wccp ver 2
ip wccp 61
ip wccp 62
int vlan 1
desc „LAN network“
ip wccp 61 redirect in
int vlan 2
desc „WAN network“
ip wccp 62 redirect in
redirect exclude in - is not supported on Cat4500.
Thank you.
Roman

L2 redirection will redirect packets using Layer 2 MAC rewrite vs. Layer 3 GRE.
As sessions are redirected to the WAE, the original session's source will be that of the switch interface. Upon return it will be converted back to the original source MAC.
WCCPv2 TECHNICAL DETAILS
WCCPv2 group membership is initiated by a WAE when it transmits a WCCP2_HERE_I_AM message to each defined network device (or multicast address) in the configured router-list. This message includes details about the WAE, including IP address and service groups that the device wishes to participate in. Upon receipt of the WCCP2_HERE_I_AM message, the network device will respond with a WCCP2_I_SEE_YOU if the device meets group membership criteria (as specified by shared-secret MD5 authentication password or access-list). Upon receipt of the WCCP2_I_SEE_YOU message from the network device, the WAE must respond with another WCCP2_HERE_I_AM message with the "Receive ID" field matching that of the network device message. At this point, the WAE becomes active within the service group and usable, and the network device can begin redirecting traffic to it based on service group assignment. WCCP2_HERE_I_AM and WCCP2_I_SEE_YOU messages continue to be sent every 10 seconds as a service heartbeat. The WAE is directly queried for responsiveness after two missed heartbeats and removed from the service group if a third is missed.
WCCPv2 is designed to forward traffic to an available WAE using either layer 2 redirection or GRE tunneling (default). One of the components of the WCCP2_I_SEE_YOU message is the advertisement of supported forwarding mechanisms. If a method is not listed, GRE tunneling is used by default. Redirection assignment is done per service group. A WAE and a network device can use different redirection mechanisms for different services. Layer 2 redirection specifies that the redirecting router will rewrite the Ethernet addresses in the Ethernet header and forward the frames to the WAE. With Layer 2 redirection, the WAE must be adjacent to the network device (attached to the same subnet). GRE tunneling specifies that a GRE tunnel will be established between the network device and the WAE, and the original frames will be encapsulated into this tunnel and delivered to the cache. With GRE redirection, layer 2 adjacency is not required (the WAE can be attached to a different subnet).
To preserve connection and data integrity, the WAE will only optimize TCP connections or protocol sessions that were redirected from the beginning of the establishment attempt. If a TCP connection or protocol session was previously established from the client to the server before redirection was enabled, the WAE would recognize this as an existing connection or session and simply return the redirected traffic back to the router without applying optimizations. This is a function of the "packet return" capability of WCCPv2. The WCCPv2 packet return capability is also negotiated per service group, per WAE, at the time of joining a service group. This is also a function of the WCCP2_HERE_I_AM and WCCP2_I_SEE_YOU messaging. In the event that messages are redirected to a cache that didn't service the initiation of the connection or session, the WAE will return the messages back to the router within a GRE tunnel for normal handling.
WCCPv2 provides load-balancing and high availability through a built-in load-balancing mechanism that distributes load amongst WAEs within a service-group. The most common method of load-balancing with WCCPv2 is enabled by use of hash tables. A hash table is a 256-bucket table that is used to define the distribution of traffic amongst applicable caches. The hash table can be built based on a number of items including source or destination IP address.
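
The handshake and heartbeat rules described above, as a simplified router-side model in Python (an added example, not Cisco code and not part of the original posts). The class and method names, the boolean stand-ins for the access-list and MD5 shared-secret checks, the even bucket split and the sample addresses are assumptions; the timings and the 256-bucket table come from the text.

```python
from dataclasses import dataclass

HEARTBEAT = 10   # seconds between HERE_I_AM / I_SEE_YOU messages (from the text)
BUCKETS = 256    # size of the hash table (from the text)

@dataclass
class Member:
    receive_id: int        # Receive ID sent in the router's last I_SEE_YOU
    last_seen: float
    active: bool = False   # True once the WAE has echoed a Receive ID
    queried: bool = False  # True after two missed heartbeats

class ServiceGroup:
    """Router-side view of one service group. Simplified model, not the wire format."""

    def __init__(self, group_list, auth_required=False):
        self.group_list = set(group_list)   # stand-in for the access-list criterion
        self.auth_required = auth_required  # stand-in for the MD5 shared secret
        self.members = {}
        self._rid = 0

    def here_i_am(self, wae_ip, now, receive_id=0, auth_ok=False):
        """Handle HERE_I_AM. Returns the Receive ID of the I_SEE_YOU reply, or None."""
        if wae_ip not in self.group_list or (self.auth_required and not auth_ok):
            return None                      # membership criteria not met: no reply
        m = self.members.get(wae_ip)
        if m is None:
            m = self.members[wae_ip] = Member(0, now)
        elif receive_id == m.receive_id:
            m.active = True                  # WAE echoed our Receive ID: usable
        m.last_seen, m.queried = now, False
        self._rid += 1
        m.receive_id = self._rid
        return m.receive_id

    def tick(self, now):
        """Apply the heartbeat rules; returns the WAEs removed from the group."""
        removed = []
        for ip, m in list(self.members.items()):
            missed = int((now - m.last_seen) // HEARTBEAT)
            if missed >= 3:                  # third heartbeat missed: remove
                del self.members[ip]
                removed.append(ip)
            elif missed >= 2:                # two missed: query the WAE directly
                m.queried = True
        return removed

    def buckets(self):
        """Spread the 256 buckets over active WAEs (even split is an assumption)."""
        active = sorted(ip for ip, m in self.members.items() if m.active)
        return {b: active[b % len(active)] for b in range(BUCKETS)} if active else {}

def demo():
    # All addresses below are constructed sample values.
    sg = ServiceGroup(group_list={"10.0.0.10", "10.0.0.11"}, auth_required=True)
    rogue = sg.here_i_am("10.0.0.99", now=0, auth_ok=True)     # not in the group list
    unauth = sg.here_i_am("10.0.0.10", now=0, auth_ok=False)   # fails the secret check
    for ip in ("10.0.0.10", "10.0.0.11"):
        rid = sg.here_i_am(ip, now=0, auth_ok=True)            # first HERE_I_AM
        sg.here_i_am(ip, now=1, receive_id=rid, auth_ok=True)  # echo of the Receive ID
    before = sg.buckets()
    # Only 10.0.0.10 keeps sending heartbeats; 10.0.0.11 goes silent after t=1.
    rid = sg.members["10.0.0.10"].receive_id
    sg.here_i_am("10.0.0.10", now=25, receive_id=rid, auth_ok=True)
    queried = sg.tick(now=25) == [] and sg.members["10.0.0.11"].queried
    removed = sg.tick(now=31)
    return rogue, unauth, before, queried, removed, sg.buckets()
```

A device that fails either membership check never receives an I_SEE_YOU and never owns a bucket, which is why the group-list and shared secret are what keep an unexpected host from attracting redirected traffic.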

Similar Messages

  • WAAS and IP SLA operation

    We are currently using the IP SLA udp jitter measurement to monitor our voice paths across the WAN. If we implement a partial WAAS across the same WAN the voice traffic will be accelerated but not the IP SLA jitter measurement. Does this mean that when WAAS is implemented IP SLA is limited in its use?

    Hi Steve,
    The answer to your question depends on 1) how you deploy WAAS and 2) how you use IP SLA.  If you deploy WAAS using WCCP for interception, UDP traffic will never be intercepted.  If the WAAS device is deployed inline, all traffic flows through the WAAS device, so an IP SLA probe using UDP will be subject to WAAS pass-through handling behavior.
    What are you trying to measure with regards to WAAS?
    Zach

  • WAAS and Juniper Netscreen Interoperability

    I've been doing a dig on historical posts relating to WAAS deployed through firewalls.
    I am working on a deployment with Juniper Netscreens & ASA5520 sitting between WAE's. IP connectivity is fine. I can ssh to remote device etc. but users cannot login (XP). The login scripts calls upon CIFS etc and I suspect this is being broken through the fw's.
    When I disable WAAS for this flow - it all works fine i.e. users can login and access full set of corporate resources. I suspect the firewalls but would appreciate any leads..
    thanks
    Ajaz

    Hi Ajaz,
    WAAS adds TCP Option 0x21 and increments TCP packet sequence number during TCP handshake. FW needs to be configured to allow these changes.
    On the latest PIX/ASA a new command "ip inspect waas" has been added to allow above changes by WAE. You might want to check the Netscreen config guide for the command to disable TCP sequence number checking.
    If SSH to servers is working fine then it might not be FW dropping packets. However, to confirm, it might be best to use tcpdump/tethereal on both WAEs to sniff the traffic and see whether it's being dropped along the path by the FW.
    A few questions:
    - What's the version running on WAEs?
    - Is it only CIFS traffic which is affected? Try disabling CIFS AO if it's enabled and then test.
    Hope this helps,
    Best Regards,
    Rahul Vavale

  • WAAS and TACACS

    We are trying to get our WAAS environment to authenticate against TACACS and then fall over to local if TACACS is unavailable. For engineer logins everything is working as expected. However we are seeing several thousand failures against the TACACS server from a username of "CMS". This user is not configured in the CM or in TACACS. So we log the failed login and CMS logs into the WAE due to the failover to local mechanism. Looking at packet captures, and debugging aaa on the WAE's it is definitely a CMS user that logs in but shows 127.0.0.1 as its "from" host. I am fairly confident this is automation within the WAE syncing with the CM or vice versa. Does anyone know how to get WAAS and TACACS to work together without a mass amount of login failures? Is there a way this CMS user can be cloned/duplicated on the tacacs server? What is the password for this automation user?
    Thanks in advance.

    Hi Stan,
    WAE can authenticate against TACACS, RADIUS and Central Manager (Local) at any time depending on your configuration.
    There are a couple of things to keep in mind while configuring TACACS on WAE, on both sides - TACACS and WAE CM.
    On TACACS side:
    1. Please make sure to create right username.
    2. Please make sure to verify if you are using ASCII password authentication.
    3. Try to use less than 15 letters - Alphanumeric TACACS password.
    4. Please provide right user level / group level permissions. This is somewhere under user account properties. Please also make sure to select right user password under user properties.
    5. Verify if this user needs level 15 (admin equivalent account).
    On WAE CM side:
    1. Please make sure to select right authentication method as primary and secondary.
    2. Please make sure to enable the check box for authentication methods.
    You can verify the failure / successful log events on TACACS server in order to find out if the user is at least trying to authenticate against TACACS.
    I am sure you have looked at this link to find out all the required steps: Configuring TACACS+ Server Settings
    Hope this helps.
    Regards.
    PS: Please mark this as Answered, if this resolves your issue.

  • WAAS and Symantec Veritas Volume Replicator

    Hi,
    We are forwarding Symantec replication traffic via our WAAS infrastructure over a 20Mb WAN link. The CM appears to register the traffic but does not optimize it at all. Has anyone had any experience with WAAS and Symantec Veritas Volume Replicator (VVR) 4.3?

    I tested with VVR in the lab. VVR default uses UDP and using the nerd knob in the GUI did not force VVR to start using TCP. To get VVR to use TCP, I had to input these commands:
    vrport data 1999-1999
    vrport heartbeat 2000-2000
    or use whatever ports you want to use. The previous answer was asking if you were seeing TCP sessions in the WAEs. This can be seen by telnetting to the WAE and issuing a "show tfo connection summary". Can you post the output of that command?

  • WAAS and 512 Deployment

    Attached is the Visio as well as config for the India site. The Visio has 2 tabs (POC-WAAS and Proposed-WAAS). The POC (Proof of Concept) tab does not have the spare 3660 installed yet but I plan to do that soon. The "Proposed WAAS" is where we would want to be. However, my question will most likely address POC tab with the preparation to move to the Proposed tab.
    Current assumptions:
    Since we have a Manager in India, we will be getting another Manager in Calif, If so, I would like to setup a Primary/Standby deployment for redundancy.
    Questions:
    1. For Calif Primary WAE, the visio shows a Management interface but do I need a management interface or is it better to go with a standby interface instead as well as use MHSRP?
    2. Since we have a high speed link (4 Mb Internet for VPN in POC but 10mb WAN for proposed), should we tune the buffers to the max? If so how?
    3. Is this a recommended design for California? For India?
    4. Are my configs recommended configs for the California 3660 in POC? If so, what do I need to change in the 3825 in Proposed?

    Zach
    After reading the SRND, I believe the best design is to move the 512 to the Cores. Please see the updated Visio and planned configs. Here's my updated requirements:
    1. Calif is hub
    2. All traffic to India (10.2/10.26) should go through the VPN tunnel through (ASA5520)
    3. All traffic to 10.3 and 10.5 should go through WAN via (R-Voice2)
    4. Latency to India is between 280 and 340 msec and BW is 2mb. Do I also need to be concerned with the BDP, L2 redirect (forwarding), and mask assignments?
    TIA

  • WAAS and SSA Baan ERP

    Hi all,
    Has anybody set up Cisco WAAS and the ERP application BAAN?
    I am interested in setting up full optimization for ERP Baan.
    Jan

    Hi all,
    We found the problem.
    TCP/512 was in Classifier Unix-Remote-Execution and this Classifier was in pt.
    Jan

  • WAAS and WCCP

    Hello ,
    I have many questions regarding the WAAS implementation:
    1- Which is better, using an inline card or WCCP, and why (is there any problem with inline cards)?
    2- If we have an ASA in the network, is there any OS version required for the ASA to support WAAS? We have implemented WAAS with WCCP between 2 branches; all traffic is optimized, but 2 applications are blocked (not working at all). The 2 applications pass via the firewall. Is there any known reason for that?
    3- We have a Cat4500 and it should support WCCP to redirect traffic for WAAS, but redirect list is not supported at all. Do you know if that is for all 4500 platforms or just for a specific OS or Sup, as nothing is clear from Cisco regarding this point (WCCP redirect list)?
    Thanks
    Moamen

    Hey Moamen,
    1. I would not say either is better, but there are different applications. Where you need more than a single WAE for scaling and redundancy, I would recommend WCCP. Where you have fairly simple topology, requirements for only one WAE, and/or non-Cisco gear, I would probably recommend In-line. I've done tons of both and both work really well for interception.
    2. ASAs do have a minimum recommended code version. For interoperability with WAAS, you need Cisco ASA/PIX version 7.2.3 or later. In that version, there is the command "inspect waas" to allow for the sequence number jump in optimized traffic, which is why your ASA is blocking the traffic.
    3. The CAT4500 can support WCCP in hardware. The platform hardware only supports ingress interception, L2-redirect, L2-return, mask-assign configs on the WAE and the minimum IOS version I would recommend running would be 12.2(40)SG or later. As you mentioned, there are limitations with the redirect lists, they are NOT supported in any version of IOS, it's a function of the hardware. If you need to exclude traffic, you might want to consider using application policies when using CAT-4500.
    I hope that helps you out.
    Dan

  • WAAS and WCCP - looping packet detected

    Hi,
    Has anyone run into this scenario before? Before anyone answers with "move your WAE off the user subnet", it already has been.
    I have wccp 61 redirect in on the user subnet (gig0/0.83 of a dot1q trunk). The WAE is on gig0/1. Before I apply wccp62 to the serial link, I attempt to telnet from a user pc to the router (same subnet, clients default gateway), and the telnet fails. I get a "looping packet detected" on the router console. It shows the source of the packet as the router (wccp router id actually), and the destination ip of the WAE, but the packet came in gig0/1 (interface connected to wae). Obviously the WAE returned the packet to the router (with the original GRE headers, (router as source)). I thought WCCP would understand this as "don't redirect this traffic to me anymore", but the router, actually tries to route it back down gig0/1 and then sees it as a looping packet. I believe the WAE is returning the encapsulated packet to the router to indicate it doesn't want the flow, and the router is attempting to route the GRE packet, instead of realizing it should remove the GRE header and route the internal packet. Router is IOS 12.4(12) as recommended by my Cisco engineer. 2821 router.
    For kicks, I continue the WCCP setup on the datacenter side. As expected, it doesn't work. When I apply the WCCP to the datacenter router (only redirecting lab subnet), the entire lab subnet is unreachable via TCP (but icmp still works as expected).
    The WCCP configuration isn't very complex, I can't believe it's something I'm doing. I think it's a code issue.
    Any advice?

    no "out" anywhere. The LAB router has a WAE list to only allow redirect to the lab WAE. I don't even need the 62 in on the WAN side, just applying 61 in on the LAN side breaks telnet to the router.
    LOOPING PACKET DETECTION:
    from router console
    Feb 27 14:56:32.924: %IP-3-LOOPPAK: Looping packet detected and dropped -
    src=132.242.11.18, dst=153.61.83.70, hl=20, tl=76, prot=47, sport=0, dport=0
    in=GigabitEthernet0/1, nexthop=153.61.83.70, out=GigabitEthernet0/1
    options=none -Process= "IP Input", ipl= 0, pid= 77 -Traceback= 0x410F6978 0x415CC960 0x415CDC60 0x415BBB38 0x415BCF18 0x415BD27C 0x415BD2FC 0x415BD4E8
    Router configuration:
    ip wccp 61 redirect-list REDIRECT-WAAS-SUBNETS-61 group-list remote-waas-box
    interface Loopback0
    ip address 132.242.11.18 255.255.255.255
    h323-gateway voip bind srcaddr 132.242.11.18
    interface GigabitEthernet0/0.83
    description << data vlan 83 >>
    encapsulation dot1Q 83
    ip address 153.61.83.3 255.255.255.192
    ip helper-address 192.127.250.22
    ip helper-address 149.25.1.182
    no ip proxy-arp
    ip wccp 61 redirect in
    standby 83 ip 153.61.83.1
    standby 83 priority 200
    standby 83 preempt
    standby 83 track Serial0/1/0:0.99 100
    interface GigabitEthernet0/1
    description << WHQ LAB CE connection >>
    ip address 153.61.83.65 255.255.255.192
    load-interval 30
    duplex full
    speed 100
    ip access-list standard remote-waas-box
    permit 153.61.83.70
    ip access-list extended REDIRECT-WAAS-SUBNETS-61
    permit ip 153.61.83.0 0.0.0.63 any
    WAE configuration:
    device mode application-accelerator
    primary-interface GigabitEthernet 1/0
    interface GigabitEthernet 1/0
    ip address 153.61.83.70 255.255.255.192
    no autosense
    bandwidth 100
    full-duplex
    exit
    wccp router-list 1 153.61.83.65
    wccp tcp-promiscuous router-list-num 1
    wccp version 2
    wccp slow-start enable
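
The fields the poster reads out of the LOOPPAK message by hand (protocol 47 is GRE, the packet enters and leaves on the same interface, and the destination is the WAE), extracted automatically in an added Python example that is not part of the original post. The function and label names are assumptions; the first sample is the log from the post, the second is constructed.

```python
import re

MNEMONIC = re.compile(r"%[A-Z0-9_]+-\d-[A-Z0-9_]+:")   # start of an IOS message
FIELD = re.compile(r"\b(src|dst|prot|in|nexthop|out)=([^,\s]+)")
GRE = "47"                                             # IP protocol number for GRE

def join_records(lines):
    """Glue continuation lines onto the syslog line that started the message."""
    out = []
    for line in lines:
        if MNEMONIC.search(line) or not out:
            out.append(line.strip())
        else:
            out[-1] += " " + line.strip()
    return out

def parse_looppak(record):
    """Return the key=value fields of a %IP-3-LOOPPAK record, else None."""
    if "%IP-3-LOOPPAK" not in record:
        return None
    return dict(FIELD.findall(record))

def classify(fields, wae_addrs):
    """Label the loop by what the dropped packet was."""
    gre = fields.get("prot") == GRE
    hairpin = fields.get("in") is not None and fields.get("in") == fields.get("out")
    if gre and hairpin and fields.get("dst") in wae_addrs:
        return "gre-to-wae-hairpin"    # GRE towards the WAE, back out the ingress port
    if gre:
        return "gre-loop"
    return "other-loop"

def triage(lines, wae_addrs):
    """Return (src, dst, label) for every LOOPPAK message in the log lines."""
    results = []
    for record in join_records(lines):
        fields = parse_looppak(record)
        if fields:
            results.append((fields.get("src"), fields.get("dst"),
                            classify(fields, wae_addrs)))
    return results

# Log lines as posted above.
PAGE_LOG = [
    "Feb 27 14:56:32.924: %IP-3-LOOPPAK: Looping packet detected and dropped -",
    "src=132.242.11.18, dst=153.61.83.70, hl=20, tl=76, prot=47, sport=0, dport=0",
    "in=GigabitEthernet0/1, nexthop=153.61.83.70, out=GigabitEthernet0/1",
    'options=none -Process= "IP Input", ipl= 0, pid= 77',
]

# Constructed sample: a TCP packet looping between two different interfaces.
CONSTRUCTED_LOG = [
    "Feb 27 15:01:10.100: %IP-3-LOOPPAK: Looping packet detected and dropped -",
    "src=192.0.2.10, dst=198.51.100.20, hl=20, tl=40, prot=6, sport=1025, dport=23",
    "in=GigabitEthernet0/0, nexthop=198.51.100.1, out=Serial0/0",
]

WAE_ADDRS = {"153.61.83.70"}   # WAE address from the posted configuration
```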

  • WAAS and Checkpoint compatibility.

    Hello
    Is there such a thing? Can I hope to install a WAE behind a Checkpoint firewall? Should I use tunnel mode udp 4050?
    I've run into a paper that suggests using "Wire Mode" on Checkpoint.
    Are there alternatives? Did someone out there have to do anything like this?
    Thanks a lot.
    GG

    Thanks for your replies. The following rules were modified and waas worked just fine.
    Sequence Verifier
    http://www.checkpoint.com/defense/advisories/public/2004/cpai-2004-17.html
    Packet Sanity
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1071
    Thanks again
    Guido

  • WAAS and Netflow, traffic reports are inflated unpredictably

    Not sure if anybody has any luck getting Netflow to report correctly when WAAS is in a picture. We have about 30 sites deployed with WAAS in out of line configuration and every single one of them incorrectly report Netflow traffic to our NetQoS Reporter Analyzer product. Typically the traffic throughput seems to be inflated several times higher. We tried every which way to alter the netflow configuration in the router including Egress Netflow but the traffic is still showing higher than actual traffic coming out of a port. In one site, even the "show interface" command on the router shows 5-minute rate of 16Mbps on a 6Mbps Multilink circuit.

    Hello Thang Lu,
    We have run into this issue with a few customers and here are some things to consider:
    - If you have 'Flexible' NetFlow enabled: Beware, Flexible NetFlow does not export the flow direction by default; you must configure the direction bit to be set for egress flows. Traditional NetFlow v9 does this automatically.
    - Are you excluding certain protocols in NetQoS?  If you don't do this, some tunnels and VPN connections will be exported twice!
    These are the protocols we exclude by default in Scrutinizer NetFlow Analyzer:
    I hope these suggestions help you.
    Jake

  • WAAS and Citrix

    Can Cisco WAAS running 4.4.5c.4 optimize Citrix Xendesktop/XenApp traffic?

    hi Kashish
    With Cisco WAAS 4.5.1 capabilities work "out-of-the-box", with no configuration needed within Citrix XenDesktop servers, or at the clients, to enable optimization of Citrix traffic. In contrast, earlier versions of Cisco WAAS required administrative actions to disable native ICA encryption and compression to perform optimization.
    please review the following:
    http://www.cisco.com/en/US/prod/collateral/contnetw/ps5680/ps6870/white_paper_c11-688526_ns978_Networking_Solutions_White_Paper.html
    http://www.cisco.com/en/US/prod/collateral/contnetw/ps5680/ps6870/qa_c67-688536_ns978_Networking_Solutions_Q_and_A.html
    Regards,
    Felix

  • WAAS and WSUS

    Does anyone know how well WAAS works at deduplicating WSUS updates (from Internet and from corporate WSUS Server, if that makes a difference)?
    Michael

  • WAAS and AutoCAD

    Hi,
    I have an engineering firm interested in deploying Cisco WAAS for their multiple sites and I know that they use a lot AutoCAD and Windows Terminal Services over the WAN.
    Is there any design/config or other documents related to this that can clear some questions that the client might have?
    Thanks,
    Patrick Moubarak

    Hi Patrick,
    I do not have an answer for you but searching thru this forum gave me a nice link and response from one of our very talented person - Joseph Merrill.
    According to him in his own words from this thread: https://supportforums.cisco.com/thread/2036858
    Personally, I am unfamiliar with  MicroSurvey CAD software, and don't recall working with any accounts  where that was deployed.  Of course, I am not involved with every  deployment and can't say whether others watching this forum might have  experience with deploying MSCAD across WAAS.
    I  went to their web site to see if they perhaps have posted protocol  information, but didn't find anything helpful.  We would need to know  the protocol(s) over which MSCAD communicates (ex. CIFS, HTTP, HTTPS,  proprietary TCP, etc.).  We also would need to know whether the data is  already compressed and/or encrypted.
    Cisco  TAC should be able to assist you in diagnosing the cause of the slower  performance with MSCAD.  They will likely ask for a good, detailed  problem description, a set of packet captures that show the problem, and  sysreports from the WAEs.  A sysreport contains a collection of logs,  configuration information, and statistics which TAC will use in  conjunction with the packet captures to pinpoint where the slowness is  occurring.
    AFAIK, in March 2008  Autodesk changed the DWG file format for AutoCAD 2007 to make it more compact and improve performance for AutoCAD users. One of the side effects of the DWG format changes is that when users perform a complete save from within AutoCAD (as opposed to an "incremental" save), virtually every byte of the file gets changed - even if zero changes were made to the file itself. The effect of the new file format, is that in some scenarios where the default configuration of the Autodesk save is modified, the save of the file object will render the caching / optimization less effective. One of the variables of the AutoCAD application is called Incremental Save Percentage (ISP). This variable can be tuned to better benefit from WAAS optimization.
    Windows Explorer shell extension allows for custom thumbnail previewers and tooltip handlers. The default file tooltip displays file title, author, subject and comments; this metadata may be read from a special NTFS stream, if the file is on an NTFS volume, or from an OLE structured storage stream, if the file is a structured storage document. All Microsoft Office documents since Office 95 make use of structured storage, so their metadata is displayable in the Windows 2000 Explorer default tooltip. File shortcuts can also store comments which are displayed as a tooltip when the mouse hovers over the shortcut.
    There was a problem when AutoCAD changed its file drawing format for AutoCAD 2007 and it continued with AutoCAD 2008. Beginning with AutoCAD 2007, the application rescrambles all bits of a file on every save, even if no changes are made to the file. This neutralizes the advantages of data deduplication that most WAFS products use. Customers have the option of setting an incremental save value and set it to 50, I believe.
    It also depends upon the version of Autocad. Autocad is known to add more security and improvements that have really hurt the WAN optimizations in the past.
    Hope this helps.
    Regards.

  • WAAS and "Other traffic"

    Hi there,
    Recently I have deployed WAAS for just one site, and I am a bit concerned as majority of the traffic falls into "Other Traffic" category. I've discovered this is just a file transfer between XP desktops and a W2003 server.
    Why is it categorized as Other?
    Thanks

    Correct - that would be SMB traffic. Prior to 4.0.7, it should be classified as part of the File-System application. From 4.0.7 on, it is classified as part of the WAFS application.
    Can you please confirm that you have classifiers that cover ports 139 and 445. If so, which application is the classifier associated with?
    Zach
