WAAS AND VPN

I want to deploy WAAS between a head office and a DR site; they will either connect through a private WAN or the Internet. A requirement is for the traffic to be encrypted and as such IPSEC VTIs will be used to enable routing as there will also be a backup link. I am thinking that traffic would be optimized before it is routed and passed through the tunnel. Is that the case? Can this work?

Traffic will receive full optimization if WAEs are installed within the network prior to data encryption.
As long as the tunnel is between the two WAN edge devices and stripped prior to delivery then it will be okay.
If not then the level of optimization will include TFO and LZ compression.

Similar Messages

  • WAAS and Netflow, traffic reports are inflated unpredictably

    Not sure if anybody has any luck getting Netflow to report correctly when WAAS is in a picture.  We have about 30 sites deployed with WAAS in out of line configuration and every single one of them incorrectly report Netflow traffic to our NetQoS Reporter Analyzer product.  Typically the traffic throughput seems to be inflated several times higher.  We tried every which way to alter the netflow configuration in the router including Egress Netflow but the traffic is still showing higher than actual traffic coming out of a port.  In one site, even the "show interface" command on the router shows 5-minute rate of 16Mbps on a 6Mbps Multilink circuit.

    Hello Thang Lu,
    We have run into this issue with a few customers and here are some things to consider:
    - If you have 'Flexible' NetFlow enabled: Beware, Flexible NetFlow does not export the flow direction by default; you must configure the direction bit to be set for egress flows.  Traditional NetFlow v9 does this automatically.
    - Are you excluding certain protocols in NetQoS?  If you don't do this, some tunnels and VPN connections will be exported twice!
    These are the protocols we exclude by default in Scrutinizer NetFlow Analyzer:
    I hope these suggestions help you.
    Jake

  • WAAS and 512 Deployment

    Attached is the Visio as well as config for the India site. The Visio has 2 tabs (POC-WAAS and Proposed-WAAS). The POC (Proof of Concept) tab does not have the spare 3660 installed yet but I plan to do that soon. The "Proposed WAAS" is where we would want to be. However, my question will most likely address POC tab with the preparation to move to the Proposed tab.
    Current assumptions:
    Since we have a Manager in India, we will be getting another Manager in Calif. If so, I would like to set up a Primary/Standby deployment for redundancy.
    Questions:
    1. For Calif Primary WAE, the visio shows a Management interface but do I need a management interface or is it better to go with a standby interface instead as well as use MHSRP?
    2. Since we have a high speed link (4 Mb Internet for VPN in POC but 10mb WAN for proposed), should we tune the buffers to the max? If so how?
    3. Is this a recommended design for California? for India?
    4. Are my configs recommended configs for California 3660 in POC? If so, what do I need to change in 3825 in Proposed?

    Zach
    After reading the SRND, I believe the best design is to move the 512 to the Cores. Please see the updated Visio and planned configs. Here's my updated requirements:
    1. Calif is hub
    2. All traffic to India (10.2/10.26) should go through the VPN tunnel through (ASA5520)
    3. All traffic to 10.3 and 10.5 should go through WAN via (R-Voice2)
    4. Latency to India is btwn 280 to 340msec and BW is 2mb. Do I also need to be concerned with the BDP, L2 redirect (forwarding), and Mask assignments?
    TIA

  • Questions regarding Outlook Web App, Remote Desktop, Remote Web Access and VPN Access

    Hi there,
    I want to ask a series of questions regarding Outlook Web App, Remote Desktop, Remote Web Access and VPN access and was hoping whether you could help me. Below are my questions to ask you.
    Outlook Web App - What do I need to configure in order to get my Exchange account to work with the OWA app on my iPhone? Is Office 360 required on the server that hosts Outlook Web App in our organisation? When I configure the settings and
    connect I get the following message "couldn't connect -  We couldn't connect to the server. Check your information and make sure it's correct." I can connect with other devices using Outlook Web App.
    Remote Desktop - What do I need to configure in order to connect to my computer at work using Remote Desktop on my Windows Phone? When I configure the settings and connect I get the following message "Connection error - We couldn't connect
    to the remote PC. Make sure the PC is turned on and connected to the network, and that remote access is enabled. Inquiring minds may find this error code helpful: 0x204" I can connect with other devices using Remote Desktop. There are currently no
    RD Server settings in the Remote Desktop app on the Windows Phone and the only way I'm to connect to my PC at work is via Remote Desktop and not to be confused with the one by Microsoft, however the app is on a trial basis and times out every 5 minutes and
    can only be used once every hour unless I purchased the app for £2.99 off the App Store but would ideally like to use the Microsoft Remote Desktop app though.
    Remote Web Access - What do I need to configure in order to get Remote Web Access on my Windows Phone using a URL? When I log in using a URL I get the following message "There is a problem with this Web page. Please contact the person who manages
    the server" I can connect with other devices using Remote Web Access. Also how do you enable the background option for Remote Web Access? I know how to do this in Remote Desktop but not in Remote Web Access. Remote Web Access works on PCs regardless
    being onsite and offsite and on my iPhone, the same issue also occurs with my Nokia 5230s regardless of whether I'm using Opera Mobile or Mini or the latest Nokia Browser.
    VPN access - How do you configure VPN access on a Windows Phone using VPN? I cannot find the protocols PPTP, L2TP, SSTP and IPsec in order to configure VPN access on the Windows Phone apart from IKEv2.
    Many thanks,
    RocknRollTim

    Any help would be much appreciated.
    Kind regards,
    RocknRollTim

  • Do I need to use open directory on Yosemite Server, I'm only looking to use file sharing and VPN

    I'm setting up a new mac mini server with Yosemite and I was wondering if there are any advantages or disadvantages to not using the open directory service? The only services I'm planning on using are File Sharing and VPN.

    You don't need Open Directory unless you want to manage user accounts centrally on the server.

  • Ask the Expert: Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)

    With Namit Agarwal and Rahul Govindan 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features) with experts Namit Agarwal and Rahul Govindan.
    This is a continuation of the live webcast.
    Cisco ASA CX (Context-Aware) is a next generation firewall service that serves as an extension to the Cisco Adaptive Security Appliance (ASA) firewall platform. In addition to the proven stateful inspection firewall capabilities, it provides us with next-generation capabilities and a host of additional network-based security controls for end-to-end network intelligence and streamlined security operations.
    Namit Agarwal is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has more than four years of experience in the security domain. His areas of expertise include ASA firewalls, IPS, and ASA content-aware security (ASA CX). He has been involved in various escalation requests from around the world. He holds CCIE certification (number 33795) in security.   
    Rahul Govindan has been an engineer with the Security Technical Assistance Center team in Bangalore for more than three years. He works on security technologies such as VPN; Cisco ASA firewalls; and authentication, authorization, and accounting. His particular expertise is in Secure Sockets Layer VPN and IP security VPN technologies. He holds CCIE certification (number 29948) in security.
    Remember to use the rating system to let Namit and Govindan know if you have received an adequate response. 
    Because of the volume expected during this event, Namit and Govindan might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity VPN shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
    Webcast related links:
    Slides from the live webcast
    Video Recording of the live webcast
    Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features): FAQ from live webcast

    Hello Namit and Rahul,
    Here are a few questions that came in directly during your live webcast, hence posting them here so that users can benefit:
    1)      How is ASA CX different from other UTM solutions?
    2)      How is dynamic application inspection of CX better than other inspection engines?
    3)      What features or functionalities on the CX are available by default?
    4)      What are the different ways we can run or install CX on the ASA platform?
    5)      What VPN features are supported with multi context ASA in the 9.x release ?
    6)      What are the IPv6 Enhancements in the ASA version 9.x ?
    Request you to please provide your responses to them individually.
    Thanks.

  • ASA and vpn load balancing

    Hi,
    I am configuring 2 ASA5540 for internet traffic inside to outside,
    outside to inside (web, smtp) but also vpn load balancing for client to site, site to site and webvpn.
    In the doc I can configure them for internet traffic as Active/Standby or Active/Active.
    For vpn: I can use vpn load balancing.
    But no information if I want to use the active/passive and vpn load balancing together.
    Any thoughts on which way to go? what is the best thing to do ?
    Regards

    Hi,
    I think that you cannot use an Active/Active configuration for VPN connections as it is stated on Cisco's documentation: "Note: VPN failover is not supported on units that run in multiple context mode as VPN is not supported in multiple context. VPN failover is available only for Active/Standby Failover configurations in single context configurations" available at http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
    Hope it helps

  • Using 802.1x and vpn on t-mobile hotspot

    hi all,
    how do i configure 802.1x and vpn to enhance security on t-mobile hotspot?
    thanx for your help.

    Multi-Host is not the right option for you. In this Multi-Host only one device has to successfully authenticate to authenticate all devices on that port.
    You need to set host-mode to "multi-auth"

  • WAAS and IP SLA operation

    We are currently using the IP SLA udp jitter measurement to monitor our voice paths across the WAN. If we implement a partial WAAS across the same WAN the voice traffic will be accelerated but not the IP SLA jitter measurement. Does this mean that when WAAS is implemented IP SLA is limited in its use?

    Hi Steve,
    The answer to your question depends on 1) how you deploy WAAS and 2) how you use IP SLA.  If you deploy WAAS using WCCP for interception, UDP traffic will never be intercepted.  If the WAAS device is deployed inline, all traffic flows through the WAAS device, so an IP SLA probe using UDP will be subject to WAAS pass-through handling behavior.
    What are you trying to measure with regards to WAAS?
    Zach

  • WAAS and Juniper Netscreen Interoperability

    I've been doing a dig on historical posts relating to WAAS deployed through firewalls.
    I am working on a deployment with Juniper Netscreens & ASA5520 sitting between WAE's. IP connectivity is fine. I can ssh to remote device etc. but users cannot login (XP). The login scripts calls upon CIFS etc and I suspect this is being broken through the fw's.
    When I disable WAAS for this flow - it all works fine i.e. users can login and access full set of corporate resources. I suspect the firewalls but would appreciate any leads..
    thanks
    Ajaz

    Hi Ajaz,
    WAAS adds TCP Option 0x21 and increments TCP packet sequence number during TCP handshake. FW needs to be configured to allow these changes.
    On the latest PIX/ASA a new command "ip inspect waas" has been added to allow above changes by wae. You might want to check Netscreen config guide on command to disable TCP sequence number checking.
    If SSH to Servers is working fine then it might not be FW dropping packets. However to confirm it might be best to use tcpdump/tethereal on both WAEs and to sniff the traffic on whether it's being dropped along the path by the FW.
    Few questions:
    - What's the version running on WAEs?
    - Is it only CIFS traffic which is affected? Try disabling CIFS AO if it's enabled and then test.
    Hope this helps,
    Best Regards,
    Rahul Vavale

  • WAAS and TACACS

    We are trying to get our WAAS environment to authenticate against TACACS and then fall over to local if TACACS is unavailable. For engineer logins everything is working as expected. However we are seeing several thousand failures against the TACACS server from a username of "CMS". This user is not configured in the CM or in TACACS. So we log the failed login and CMS logs into the WAE due to the failover to local mechanism. Looking at packet captures, and debugging aaa on the WAE's it is definitely a CMS user that logs in but shows 127.0.0.1 as its "from" host. I am fairly confident this is automation within the WAE syncing with the CM or vice versa. Does anyone know how to get WAAS and TACACS to work together without a mass amount of login failures? Is there a way this CMS user can be cloned/duplicated on the tacacs server? What is the password for this automation user?
    Thanks in advance.

    Hi Stan,
    WAE can authenticate against TACACS, RADIUS and Central Manager (Local) at any time depending on your configuration.
    There are a couple of things to keep in mind while configuring TACACS on WAE, on both sides - TACACS and WAE CM.
    On TACACS side:
    1. Please make sure to create right username.
    2. Please make sure to verify if you are using ASCII password authentication.
    3. Try to use less than 15 letters - Alphanumeric TACACS password.
    4. Please provide right user level / group level permissions. This is somewhere under user account properties. Please also make sure to select right user password under user properties.
    5. Verify if this user needs level 15 (admin equivalent account).
    On WAE CM side:
    1. Please make sure to select right authentication method as primary and secondary.
    2. Please make sure to enable the check box for authentication methods.
    You can verify the failure / successful log events on TACACS server in order to find out if the user is at least trying to authenticate against TACACS.
    I am sure you have looked at this link to find out all the required steps: Configuring TACACS+ Server Settings
    Hope this helps.
    Regards.
    PS: Please mark this as Answered, if this resolves your issue.

  • WAAS and Symantec Veritas Volume Replicator

    Hi,
    We are forwarding Symantec replication traffic via our WAAS infrastructure over a 20Mb WAN link. The CM appears to register the traffic but does not optimize it at all. Has anyone had any experience with WAAS and Symantec Veritas Volume Replicator (VVR) 4.3?

    I tested with VVR in the lab. VVR default uses UDP and using the nerd knob in the GUI did not force VVR to start using TCP. To get VVR to use TCP, I had to input these commands:
    vrport data 1999-1999
    vrport heartbeat 2000-2000
    or use whatever ports you want to use. The previous answer was asking if you were seeing TCP sessions in the WAE's. This can be seen by telnetting to the WAE and issuing a "show tfo connection summary". Can you post the output of that command?

  • WAAS and SSA Baan ERP

    Hi all,
    Anybody who has set up Cisco WAAS and ERP application BAAN?
    I am interested in setting up a full optimization for ERP Baan.
    Jan

    Hi all,
    We found the problem.
    TCP/512 was in Classifier Unix-Remote-Execution and this Classifier was in pt.
    Jan

  • Kindly Is the Linksys E4200 Dual Band Router compatible with DHCP and VPN ?

    Kindly 
    Is the Linksys E4200 Dual Band Router compatible with DHCP and VPN?
    Thanks,

    Linksys/Cisco E4200 are compatible with DHCP. Second, these Wireless-N routers are only capable of enabling the VPN traffic to pass through the device.  You will need a VPN router and software to create the actual network to connect with your VPN client.

  • Cisco IOS supporting both voice and vpn

    Hi Friends
    I have one 2821 router. Can anyone suggest which IOS will support both voice and VPN?

    Questions like this are better/faster answered by checking feature navigator.
    http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
    My suggestion is to run an MD release.
    Also a bit dated document:
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1834/products_tech_note09186a00800fb9d9.shtml
    For old software and hardware you can also check out Figure 1 here:
    http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/product_bulletin_c25_506007.html
    M.
