WAAS and WCCP - looping packet detected

Similar Messages

• %IP-3-LOOPPAK: Looping packet detected and dropped -

  Hello All,
  Recenlty we have upgraded the IOS from c2800nm-ipvoicek9-mz.124-15.T14.bin to c2800nm-ipvoicek9-mz.151-4.M8.bin. After that the gateways are hitting the below error message. The src IP is voice gateway IP address and dst IP is muliticast MOH IP configured under call manager fall back. Assistance are much appreciated..
  %IP-3-LOOPPAK: Looping packet detected and dropped -
  src=10.0.XXX.XXX, dst=239.X.XXX.254, hl=20, tl=116, prot=17, sport=16803, dport=16385
  in=local, nexthop=239.X.XXX.254, out=GigabitEthernet0/0
  options=none -Process= "VOIP_RTCP", ipl= 0, pid= 299
  -Traceback= 425C9758z 425CAA30z 425CBBFCz 425CC0D4z 425CD214z 425CD524z 425CD590z 42AC4178z 43AA20DCz 43AA9B44z 437F3094z 437F3078z
  Thanks
  Murali

  CSCtn83520 is a suspect but you are already on an IOS version that contains the fix to this defect.
  Are you facing any issues with calls or MOH?

• WAAS and WCCP router selection

  Hi
  Is there some information about that how much of wccp traffic can be handled by different model of routers?
  I'm not looking for throughput report like Process\CEF switching per routers but I would like to see some info about wccp treshold on each models, what's the maximum amount of redirected traffic what the router can handle?
  thanks

  no "out" anywhere. The LAB router has a WAE list to only allow redirect to the lab WAE. I don't even need the 62 in on the WAN side, just applying 61 in on the LAN side breaks telnet to the router.
  LOOPING PACKET DETECTION:
  from router console
  Feb 27 14:56:32.924: %IP-3-LOOPPAK: Looping packet detected and dropped -
  src=132.242.11.18, dst=153.61.83.70, hl=20, tl=76, prot=47, sport=0, dport=0
  in=GigabitEthernet0/1, nexthop=153.61.83.70, out=GigabitEthernet0/1
  options=none -Process= "IP Input", ipl= 0, pid= 77 -Traceback= 0x410F6978 0x415CC960 0x415CDC60 0x415BBB38 0x415BCF18 0x415BD27C 0x415BD2FC 0x415BD4E8
  Router configuration:
  ip wccp 61 redirect-list REDIRECT-WAAS-SUBNETS-61 group-list remote-waas-box
  interface Loopback0
  ip address 132.242.11.18 255.255.255.255
  h323-gateway voip bind srcaddr 132.242.11.18
  interface GigabitEthernet0/0.83
  description << data vlan 83 >>
  encapsulation dot1Q 83
  ip address 153.61.83.3 255.255.255.192
  ip helper-address 192.127.250.22
  ip helper-address 149.25.1.182
  no ip proxy-arp
  ip wccp 61 redirect in
  standby 83 ip 153.61.83.1
  standby 83 priority 200
  standby 83 preempt
  standby 83 track Serial0/1/0:0.99 100
  interface GigabitEthernet0/1
  description << WHQ LAB CE connection >>
  ip address 153.61.83.65 255.255.255.192
  load-interval 30
  duplex full
  speed 100
  ip access-list standard remote-waas-box
  permit 153.61.83.70
  ip access-list extended REDIRECT-WAAS-SUBNETS-61
  permit ip 153.61.83.0 0.0.0.63 any
  WAE configuration:
  device mode application-accelerator
  primary-interface GigabitEthernet 1/0
  interface GigabitEthernet 1/0
  ip address 153.61.83.70 255.255.255.192
  no autosense
  bandwidth 100
  full-duplex
  exit
  wccp router-list 1 153.61.83.65
  wccp tcp-promiscuous router-list-num 1
  wccp version 2
  wccp slow-start enable

• WAAS and WCCP

  Hello ,
  I have many Qs regarding the WAAS implemntation
  1- which better , using inline card or wccp and why ( is there any problem with inline cards ?)
  2- if we have ASA in the network , is there any os version required for the ASA to support tha WAAS, we have impelmnted the waas with wccp between 2 branches, all traffic optimized but there is 2 applications blocked ( not working at all ) , the 2 applications passing via Firewall is there any known reason for that ?
  3- we have cat4500 and it should support wccp to redirect traffic for WAAS , but redirect list is not supported at all, do you know if that for all 4500 platform or for just specific OS or Sup as nothing clear on Cisco regarding this point ( wccp redirect list ).
  Thanks
  Moamen

  Hey Moamen,
  1. I would not say either is better, but there are different applications. Where you need more then a single WAE for scaling and redundancy, I would recommend WCCP. Where you have fairly simple topology, requirements for only one WAE, and/or non-Cisco gear, I would probably recommend In-line. I've done ton's of both and both work really well for interception.
  2. ASA do have a minimum recommend code version. For interoperability with WAAS, you need Cisco ASA/PIX version 7.2.3 or later. In that version, there is the command "inspect waas" to allow for the sequence number jump in optimized traffic, which is why your ASA is blocking the traffic.
  3. The CAT4500 can support WCCP in hardware. The platform hardware only supports ingress interception, L2-redirect, L2-return, mask-assign configs on the WAE and the minimum IOS version I would recommend running would be 12.2(40)SG or later. As you mentioned, there are limitations with the redirect lists, they are NOT supported in any version of IOS, it's a function of the hardware. If you need to exclude traffic, you might want to consider using application policies when using CAT-4500.
  I hope that helps you out.
  Dan

• WAAS and WCCP question

  Is it possible to transition between two different WAAS appliances if using WCCP redirection? Currently I'm using a WAVE 274 and want to migrate to a recently installed NM-WAE-522.  WCCP is currently being used to redirect traffic to the WAVE.  Can I simply add the WAE to the WCCP config and then remove the WAVE?

  Does it matter that they are in the same subnet or not? The NM-WAE-522 is obviously on the same subnet as one of the router interfaces, but the WAVE-274 is actually on a different subnet off of our 6509.  I thought I remembered reading that it was at least recommended that WCCP devices be on the same subnet for load balancing, but I'm guessing it doesn't matter as I'm using L3 GRE redirection.

• WAAS and Routers running HSRP

  I am just in the process of deploying WAAS across our network. I have found that when the WAN router that is running WCCP has been configured for HSRP and is the active router i see the following
  If I try and telnet to the HSRP standby address it does not connect and I get the following error message :
  Jan 30 18:04:36.930 AU-Summ: %IP-3-LOOPPAK: Looping packet detected and dropped
  src=172.16.33.254, dst=172.16.9.251, hl=20, tl=72, prot=47, sport=0, dport=0
  in=GigabitEthernet0/0.9, nexthop=172.16.9.251, out=GigabitEthernet0/0.9
  options=none
  -Process= "IP Input", ipl= 0, pid= 82
  -Traceback= 0x611B33C0 0x616A0FD4 0x616A11E0 0x616A1C14 0x616A1FE4 0x6168D09C 0x
  6168E880 0x6168C384 0x6168C648 0x6168C704 0x6168C8A8
  f I telnet to the actual router address then ok.
  is this a Bug?

  just seen other question about HSRP and tried the
  "egress-method negotiated-return intercept-method wccp' command but made no difference
  see router interface configuration below
  Note if no HSRP then no problem
  interface Loopback0
  ip address 172.16.33.254 255.255.255.255
  interface GigabitEthernet0/0
  description trunk to Cat 6509
  bandwidth 100000
  no ip address
  duplex auto
  speed auto
  media-type rj45
  negotiation auto
  ntp broadcast
  interface GigabitEthernet0/0.1
  encapsulation dot1Q 1 native
  ip address 172.16.1.100 255.255.255.0
  no snmp trap link-status
  interface GigabitEthernet0/0.2
  encapsulation dot1Q 2
  ip address 172.16.2.250 255.255.255.0
  ip wccp 61 redirect in
  ip flow egress
  no snmp trap link-status
  interface GigabitEthernet0/0.3
  encapsulation dot1Q 3
  ip address 172.16.3.250 255.255.255.0
  ip wccp 61 redirect in
  no snmp trap link-status
  interface GigabitEthernet0/0.5
  encapsulation dot1Q 5
  ip address 172.16.5.252 255.255.255.0
  ip wccp 61 redirect in
  ip pim sparse-mode
  no snmp trap link-status
  standby 5 ip 172.16.5.254
  standby 5 preempt
  service-policy input prec
  interface GigabitEthernet0/0.6
  encapsulation dot1Q 6
  ip address 172.16.6.252 255.255.255.0
  ip helper-address 172.16.5.228
  ip accounting output-packets
  ip wccp 61 redirect in
  ip pim sparse-mode
  no snmp trap link-status
  standby 6 ip 172.16.6.254
  standby 6 preempt
  service-policy input prec
  interface GigabitEthernet0/0.7
  encapsulation dot1Q 7
  ip address 172.16.7.252 255.255.255.0
  ip helper-address 172.16.5.228
  ip wccp 61 redirect in
  ip pim sparse-mode
  no snmp trap link-status
  standby 7 ip 172.16.7.254
  standby 7 priority 105
  standby 7 preempt
  service-policy input prec
  interface GigabitEthernet0/0.9
  description testlan for WAAS
  encapsulation dot1Q 9
  ip address 172.16.9.254 255.255.255.0
  ip wccp redirect exclude in
  no snmp trap link-status

• Keepalive and layer 2 loopback detection

  My question is concerned with how Cisco switches use keepalive at layer 2 to detect loopbacks. All the info on keepalive that I could find was concerned with its use at higher layers (eg tunnels, routing protocols etc).
  We had an incident where a mismatch in switch configurations caused a loop that wasn't blocked by spanning tree. This caused a number of our switches to err-disable their uplinks "%ETHCNTR-3-LOOP_BACK_DETECTED: Keepalive packet loop-back detected". Some of these switches where fairly deep down a chain of switches with only a single uplink path.
  We have also had a situation (which eventually went away) where the single uplink on a particular switch was err-disabled loopback detected although we could find no evidence of a loop. I have my suspicions about keepalive packets not being dealt with properly especially if vlan 1 is removed from trunk links (which we have to do in some cases) or ether channels are involved. Bugs CSCeg58877 and CSCdt82690 describe such problems but neither of these match our circumstances.
  Because of the above I am considering disabling keepalive on my Cisco switches layer 2 links, especially uplinks, is this a good or bad idea?
  Alex McLaren

  Hi Alex-
  Loopback detection was a mechanism that was put in place to detect loops in the network
  caused by Type1a or tyep2 copper cabling. While it is a good mechansim for those special
  situations , there seems to be no need for having it enabled on the Gig ports where you
  can use features like UDLD to detect a fiber loop or unidirectional fiber.
  But in 12.1EA releases , loopback detection is enabled by default on the fiber ports as
  well as copper ports. On some fiber ports , neighboring switch may just switch the
  keepalive packet back w/o making any change in the packet causing the original switch that
  sent out the keepalive to recive its own packet back kicking in this mechanism of
  error-disabling the port.
  What you can do is you can disable keepalives on the uplink Gig ports of the 2950 and that
  should take care of the problem
  On 2950
  int gig
  no keepalives
  But make sure you have UDLD enabled. Once you have disabled the keepalives , please make
  sure you have low cpu on the 2950s that were showing the problem as well as make sure the
  mac-aging timer stays at 300 sec.
  show proc cpu
  show mac- aging
  UDLD should however be enabled on fiber Gig ports to detect spanning tree loop problems.
  Keepalive detection mechansim is speciafically there for Type1a and type 2 cabling and has
  no significance on fiber ports.
  This is also documented in the the release notes of the following Cisco DDTS id #
  CSCea46385.
  An interface on a Catalyst switch is errordisabled after detecting a loopback.
  Mar 7 03:20:40: %ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on GigabitEthernet0/2.
  The port is forced to linkdown.
  Mar 7 03:20:42: %LINK-5-CHANGED: Interface GigabitEthernet0/2, changed state to
  administratively down
  Mar 7 03:20:43: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2,
  changed state to down
  Conditions:
  This might be seen on a Catalyst 2940, 2950, 2950-LRE, 2955, 2970, 3550, 3560 or
  3750 switch running 12.1EA or 12.2SE based code.
  Workaround:
  Disable keepalives by using the "no keepalive" interface command. This will
  prevent the port from being errdisabled, but it does not resolve the root cause of
  the problem. Please see section below for more information.
  Additional Information:
  The problem occurs because the keepalive packet is looped back to the port that sent
  the keepalive. There is a loop in the network. Although disabling the keepalive
  will prevent the interface from being errdisabled, it will not remove the loop.
  The problem is aggravated if there are a large number of Topology Change Notifications
  on the network. When a switch receives a BPDU with the Topology Change bit set,
  the switch will fast age the MAC Address table. When this happens, the number of
  flooded packets increases because the MAC Address table is empty.
  Keepalives are sent on the Catalyst 2940, 2950, 2950-LRE, 2955, 2970, 3550, 3560
  or 3750 switch to prevent loops in the network. The primary reason for the keepalives
  is to prevent loops as a result of Type 2 cabling. For more information, see:
  http://www.cisco.com/en/US/netsol/ns340/ns394/ns74/ns149/networking_solution
  s_white_paper09186a00800b4249.shtml
  Keepalives are sent on ALL interfaces by default in 12.1EA based software. Starting
  in 12.2SE based releases, keepalives are NO longer sent by default on fiber and uplink
  interfaces. Since there is no 12.2SE release for 2950s , you will have to manually disable
  the keepalives on uplink Gig ports.
  Hope this helps.
  thanks
  Salman Zahid

• WAE and WCCP mismatch

  Hello,
  I seem to be having a lot of trouble with a very simple implementation. I have 2 routers and a data centre WAE via WCCP. These devices are on the same L2/L3 segment (x.x.x.0/24). The WAN interfaces on the routers are in different networks. The remote WAE is inline. I configured ip wccp 61 redirect in on the LAN interface of each router and ip wccp 62 redirect in on the WAN interface of each router.  I get the alarm "WCCP router x.x.x.1(LAN) unusable for service id:61 reason redirection mismatch with router" and "WCCP router x.x.x.1(LAN) unusable for service id:62 reason redirection mismatch with router". For the WAN interfaces I get the alarm they are unreachable for the service ID.
  Snadard router config
  ip wccp version 2
  ip wccp 61
  ip wccp 62
  int gi0/0
  description LAN
  ip address x.x.x.1
  ip wccp 61 redirect in
  int gi0/1
  description WAN
  ip address y.y.y.1
  ip wccp 62 redirect in
  Should I only be trapping inbound traffic on the LAN interface ?
  The other thing I noticed was these messages from the PIX on the same L2/L3 segment
  Dec 20 2011 05:49:52: %PIX-2-106006: Deny inbound UDP from WADMZJA02/2048 to IROUTER1/2048 on interface outside
  Dec 20 2011 05:49:52: %PIX-2-106006: Deny inbound UDP from WADMZJA02/2048 to IROUTER2/2048 on interface outside
  Dec 20 2011 05:49:52: %PIX-2-106006: Deny inbound UDP from WADMZJA02/2048 to IROUTER1/2048 on interface outside
  Dec 20 2011 05:49:52: %PIX-2-106006: Deny inbound UDP from WADMZJA02/2048 to IROUTER2/2048 on interface outside
  Access list
  access-list outside_access_in extended permit udp host WADMZJA02 host IROUTER1 log notifications
  access-list outside_access_in extended permit udp host WADMZJA02 host IROUTER2 log notifications
  access-list outside_access_in extended permit udp host IROUTER1 host WADMZJA02 log notifications
  access-list outside_access_in extended permit udp host IROUTER2 host WADMZJA02 log notifications
  Best regards
  Stephen
  WAE config
  sh run
  2011 Dec 20 07:06:27 WADMZJA02 -admin-shell: %WAAS-PARSER-6-350232: CLI_LOG log_cli_command: sh run 
  ! waas-universal-k9 version 4.3.1 (build b6 Nov 13 2010)
  device mode application-accelerator
  hostname WADMZJA02
  clock timezone Europe/Brussels 1 0
  ip domain-name fibe.fortis
  primary-interface GigabitEthernet 1/0
  interface GigabitEthernet 1/0
  ip address x.x.x.248 255.255.255.0
  exit
  interface GigabitEthernet 2/0
  shutdown
  exit
  ip default-gateway x.x.x.4   <== firewall
  no auto-register enable
  ! ip path-mtu-discovery is disabled in WAAS by default
  !  <== traffic to be rerouted outbound ==>
  ip route a.a.a.0 255.255.255.0 x.x.x.1     <== Outbound HSRP
  ip access-list extended HK
  permit ip any 0.0.0.0 255.255.255.0
  exit
  logging console enable
  logging console priority debug
  interception access-list HKWAAS
  wccp router-list 1 z.z.z.202 y.y.y.122 x.x.x.1 x.x.x.2 x.x.x.3
  wccp tcp-promiscuous router-list-num 1 hash-source-ip hash-destination-ip l2-redirect l2-return
  wccp version 2
  egress-method negotiated-return intercept-method wccp
  ip icmp rate-limit unreachable df 0
  directed-mode enable
  transaction-logs flow enable
  --More--
  ! [K
  inetd enable rcp
  sshd allow-non-admin-users
  sshd enable
  tfo tcp optimized-send-buffer 2048
  tfo tcp optimized-receive-buffer 2048
  accelerator http metadatacache enable
  accelerator http metadatacache https enable
  accelerator http dre-hints enable
  central-manager address x.x.x.247
  cms enable
  ! End of WAAS configuration

  Hi Stephen,
  The "Redirection mismatch" messages indicate that the redirection or return method configured on the WAE is not compatible with the router. Probably, the routers you are using don't support L2 redirection
  Moving forward, I would recommend you to change the line "wccp tcp-promiscuous router-list-num 1 hash-source-ip hash-destination-ip l2-redirect l2-return" for "wccp tcp-promiscuous router-list-num 1". This will negotiate hash assignment, as well as GRE redirection and return, which are the parameters supported by most platforms.
  As for the firewall messages, it seems that some WCCP negotiation packets (UDP port 2048) are being dropped. Unfortunately, my firewall knowledge is very limited, so I cannot really help you with that part.
  Regards
  Daniel

• WCCP - All Packets are "UNASSIGNED" - HELP!!!

  I just brought up a couple WAAS appliances up connected to my 6509 and it appears none of the traffic is getting redirected to my 2 WAAS devices. When I do a "sh ip wccp",all packets are unassigned. I am running 4.1.1b on the WAAS.
  phx-core-sw-a#sh ip wccp
  Global WCCP information:
  Router information:
  Router Identifier: 10.20.255.252
  Protocol Version: 2.0
  Service Identifier: 61
  Number of Service Group Clients: 2
  Number of Service Group Routers: 2
  Total Packets s/w Redirected: 0
  Process: 0
  CEF: 0
  Redirect access-list: -none-
  Total Packets Denied Redirect: 0
  Total Packets Unassigned: 427007868
  Group access-list: -none-
  Total Messages Denied to Group: 0
  Total Authentication failures: 0
  Total Bypassed Packets Received: 0
  Service Identifier: 62
  Number of Service Group Clients: 2
  Number of Service Group Routers: 2
  Total Packets s/w Redirected: 0
  Process: 0
  CEF: 0
  Redirect access-list: -none-
  Total Packets Denied Redirect: 0
  Total Packets Unassigned: 12021424
  Group access-list: -none-
  Total Messages Denied to Group: 0
  Total Authentication failures: 0
  Total Bypassed Packets Received: 0
  Config Snippets from 6509's - same on both
  ip wccp 61
  ip wccp 62
  interface GigabitEthernet9/48
  description Interface to WAN Router
  ip address 10.20.255.2 255.255.255.252
  ip wccp 62 redirect in
  interface Vlan112
  description File Servers 10.0.12.0/24
  ip address 10.0.12.2 255.255.255.0
  ip wccp 61 redirect in
  ************WAAS Config*********
  device mode application-accelerator
  hostname phx-waas-app-01
  clock timezone MST -7 0
  primary-interface PortChannel 1
  interface PortChannel 1
  description Port Channel to phx-core-sw-a
  ip address 10.20.253.250 255.255.255.0
  exit
  interface GigabitEthernet 1/0
  channel-group 1
  exit
  interface GigabitEthernet 2/0
  channel-group 1
  exit
  ip default-gateway 10.20.253.254
  no auto-register enable
  ! ip path-mtu-discovery is disabled in WAAS by default
  ntp server 10.10.254.252
  wccp router-list 1 10.20.255.252 10.20.255.253
  wccp tcp-promiscuous router-list-num 1 l2-redirect
  wccp version 2

  Any improvment with the Mask-assign method? If it's still not working, I would do the following.
  1. do "no wccp ver 2" on your WAEs. Let things set for a few minutes and then bring it back up. This will take down your acceleration, so be careful but will allow you to re-establish wccp if it's still attempting to use hash assign (default).
  2. If it's not working yet, then clear the counters and let some traffic flow so we can see fresh info, and do the following on your routers.
  sh ip wccp 61 detail
  sh ip wccp 62 detail
  and do the following on your WAEs
  sh wccp gre
  sh wccp router
  And post it and we'll see what you get.
  Thanks,
  Dan

• Packet sniffer only picks up UDP and no RTP packets when using JMF???

  Hi,
  I am developing a voice mail application to interface with asterisk. Here is the problem.
  I am using ethereal packet sniffer to sniff the packets. When I connect two regular SIP phones and sniff , I can sniff the RTP packets.
  But when I use JMF AVtransmit2.java and AVReceive2.java I sniff only UDP packets and no RTP packets.
  I am very confused. What is going on? If JMF sends over RTP (that uses UDP underneath), then why cannot packet sniffers detect it.

  Hi,
  I am developing a voice mail application to interface with asterisk. Here is the problem.
  I am using ethereal packet sniffer to sniff the packets. When I connect two regular SIP phones and sniff , I can sniff the RTP packets.
  But when I use JMF AVtransmit2.java and AVReceive2.java I sniff only UDP packets and no RTP packets.
  I am very confused. What is going on? If JMF sends over RTP (that uses UDP underneath), then why cannot packet sniffers detect it.

• Duplicate Phase 1 Packet detected. ASA 5520 Client Access

  We have a user that is getting a Duplicate Phase 1 Packet detected. Retransmitting last Packet. He is using Cisco VPN Client Software 5.0.01.0600. He is using Windows XP and going through a Dlink DIR 625. We are seeing him connect to the ASA5520 running Version 7.2(2) getting the above error. There is no previous version of Cisco client software on the PC and the firewall is off.
  Thanks for Any help
  Bryon

  I Get the same problem. (1721 router)
  Feb 15 17:38:23.328: ISAKMP (1): Total payload length: 12
  Feb 15 17:38:23.328: ISAKMP (0:1): sending packet to 70.217.240.15 my_port 500 peer_port 500 (R) AG_INIT_EXCH
  Feb 15 17:38:23.328: ISAKMP (0:1): Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
  Feb 15 17:38:23.332: ISAKMP (0:1): Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
  Feb 15 17:38:27.580: ISAKMP (0:1): received packet from 70.217.240.15 dport 500 sport 500 Global (R) AG_INIT_EXCH
  Feb 15 17:38:27.580: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
  Feb 15 17:38:27.580: ISAKMP (0:1): retransmitting due to retransmit phase 1
  Feb 15 17:38:28.084: ISAKMP (0:1): retransmitting phase 1 AG_INIT_EXCH...
  Feb 15 17:38:28.084: ISAKMP (0:1): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

• WAAS and IP SLA operation

  we are currently using the IP SLA udp jitter measurement to monitor our voice paths accross the WAN. If we implement a partial WAAS across the same WAN the voice traffic will be acellerated but not the IP SLA jitter measurement. Does this mean that when WAAS is implemented IP SLA is limited in its use?

  Hi Steve,
  The answer to your question depends on 1) how you deploy WAAS and 2) how you use IP SLA.  If you deploy WAAS using WCCP for interception, UDP traffic will never be intercepted.  If the WAAS device is deployed inline, all traffic flows through the WAAS device, so an IP SLA probe using UDP will be subject to WAAS pass-through handling behavior.
  What are you trying to measure with regards to WAAS?
  Zach

• WAAS and Juniper Netscreen Interoperability

  I've been doing a dig on historical posts relating to WAAS deployed through firewalls.
  I am working on a deployment with Juniper Netscreens & ASA5520 sitting between WAE's. IP connectivity is fine. I can ssh to remote device etc. but users cannot login (XP). The login scripts calls upon CIFS etc and I suspect this is being broken through the fw's.
  When I disable WAAS for this flow - it all works fine i.e. users can login and access full set of corporate resources. I suspect the firewalls but would appreciate any leads..
  thanks
  Ajaz

  Hi Ajaz,
  WAAS adds TCP Option 0x21 and increments TCP packet sequence number during TCP handshake. FW needs to be configured to allow
  these changes.
  On the latest PIX/ASA a new command "ip inspect waas" has been added to allow above changes by wae. You might want to check
  Netscreen config guide on command to disable TCP sequence number checking.
  If SSH to Servers is working fine then it might not be FW dropping packets. However to confirm it might be best to use
  tcpdump/tethereal on both WAEs and to sniff the traffic on whether its being dropped along the path by the FW.
  Few questions:
  - Whats the version running on WAEs?
  - Is it only CIFS traffic which is affected? Try disabling CIFS AO if its enabled and then test.
  Hope this helps,
  Best Regards,
  Rahul Vavale

• WAAS and TACACS

  We are trying to get our WAAS environment to authenticate against TACACS and then fall over to local if TACACS is unavailable. For engineer logins everything is working as expected. However we are seeing several thousand failures against the TACACS server from a username of "CMS". This user is not configured in the CM or in TACACS. So we log the failed login and CMS logs into the WAE due to the failover to local mechanism. Looking at packet captures, and debugging aaa on the WAE's it is definitely a CMS user that logs in but shows 127.0.0.1 as its "from" host. I am fairly confident this is automation within the WAE syncing with the CM or vice versa. Does anyone know how to get WAAS and TACACS to work together without a mass amount of login failures? Is there a way this CMS user can be cloned/duplicated on the tacacs server? What is the password for this automation user?
  Thanks in advance.

  Hi Stan,
  WAE can authenticate against TACACS, RADIUS and Central Manager (Local) at any time depending on your configuration.
  There are couple of things to keep in mind while configuring TACACS on WAE, on both sides - TACACS adn WAE CM.
  On TACACS side:
  1. Please make sure to create right username.
  2. Please make sure to verify if you are using ASCII password authentication.
  3. Try to use less than 15 letters - Alphanumeric TACACS password.
  4. Please provide right user level / group level persmissions. This is somewhere under user account properties. Please also make sure to select right user password under user properties.
  5. Verify if this user needs level 15 (admin equivalent account).
  On WAE CM side:
  1. Please make sure to select right authentication method as primary and secondary.
  2. Please make sure to enable the check box for authentication methods.
  You can verify the failure / successful log events on TACACS server in order to find out if the user is atleast trying to authenticate against TACACS.
  I am sure you have looked at this link to find out all the required steps: Configuring TACACS+ Server Settings
  Hope this helps.
  Regards.
  PS: Please mark this as Answered, if this resolves your issue.

• WAAS using WCCP with gre tunnel going via vpn

  Hello All
  I am trying to get WAAS using WCCP to work according to the attached diagram. I would like to know if there is a redirection config that I need to apply to the ASAs?
  Many thanks
  Donagh

  Hello
  Thanks for your reply.
  I posted this twice in error.
  Original is here
  http://preview.tinyurl.com/ygpuehy
  You might have a look and see if you agree. I have not deployed yet.
  Thanks
  Donagh