[c-nsp] WAAS working on one site but not others...

Brett Looney brett at looney.id.au
Thu Jul 12 06:51:18 EDT 2007


Greets,

I've got a little situation with WAAS I'm hoping someone can shed some light
on. Tune out now if this is of no interest to you - it's a little long.

Configuration of each site (there are four - one core, three edge) is:

	3750 doing policy-based routing to send traffic to the WAE
	Local WAE on its own routed subnet
	ASA 5510 for connectivity via VPN to other sites (v7.2(2))

The central location (call it site A) has a core WAE as well as the central
manager; all other sites (call them sites B, C and D) are edge WAE only. All
WAE have the Enterprise license. Note that A, B, C and D are all in
different countries so physical access is a bit difficult...

The ASA firewalls have been configured to allow TCP option 33 through, not to
randomize TCP sequence numbers, and to have nailed-up static NAT
connections between each site. Traffic flows between all sites correctly.
The policy-based routing does the right thing and can be seen sending
traffic to each WAE.

The whole WAAS solution works perfectly between sites A and B. Compression
statistics show up, I can do a (for example) "show statistics dre peer" and
see things going back and forth. Great. No worries.

But, sites C and D never come up. They register with the central manager,
they can ping and connect (doing a "show tfo accelerator" shows them as
being registered), the central manager can send config changes, etc. It's all
good except there is no compression.

Doing a "show statistics dre peer" on C and D shows no entries. A can't see
them either. It's as if option 33 is not getting through but the firewall
configs have been quadruple checked by three people and are (as much as can
be) in sync with each other.

One other piece of the puzzle. I'm getting an error message in the logs on C
and D complaining that they can't make a connection to A on TCP port 4050
(presumably for the CIFS functionality). If I go to B and do "telnet <IP
address of A> 4050" I get an open TCP session. It stays open until I send
data and then it closes because I'm not sending the right thing. No problems
there. Incidentally, B reports in its logs that it can connect successfully.

But, if I go to C and D and do "telnet <IP address of A> 4050" the TCP
session opens and then immediately closes ("Connection closed by remote
host"). Clearly this is the cause of the log entry but I can't figure out
why the TCP session is being closed for C and D but it works for B. If I
didn't know better, I'd say the firewalls were allowing the three-way
handshake for the TCP session and then closing it. But if I go to any other
machine at site B and do the same thing the TCP works fine - it stays open.

I've tried restarting each WAE, each firewall, deregistering/registering the
edge WAE, changing MTU, rewriting firewall configs and a whole lot of other
things besides. No luck. Anybody got any other ideas? Thanks for listening
so far... ;-)

B.
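As an added illustration (not from the original post, and not Cisco's own tooling): the two firewall properties the post says WAAS depends on, TCP option 33 surviving and the sequence number not being rewritten, can be checked directly by comparing a capture of the same SYN taken inside and outside the ASA. The Python below parses a bare TCP header, walks its options, and reports whether option 33 was stripped or the ISN changed between the two captures. The sample segments, the port numbers (40000 and 4050) and the payload bytes inside the option 33 TLV are constructed placeholders; the real WAAS option format is not modelled.

```python
"""Compare the same TCP SYN captured inside and outside a firewall for the
two things WAAS auto-discovery needs: TCP option 33 still present and the
initial sequence number unchanged. Added example; sample data is constructed."""
import struct
from dataclasses import dataclass, field

# Option kind the post's ASAs were configured to pass. Its payload format is
# not modelled here; the bytes in the sample below are placeholders.
WAAS_OPTION_KIND = 33
TCP_FLAG_SYN = 0x02


@dataclass
class TcpSegment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    options: dict = field(default_factory=dict)   # option kind -> option data

    @property
    def is_syn(self) -> bool:
        return bool(self.flags & TCP_FLAG_SYN)


def parse_options(raw: bytes) -> dict:
    """Walk the TCP options area: EOL ends it, NOP is 1 byte, others are TLV."""
    options, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # End of option list
            break
        if kind == 1:                       # No-operation padding
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad length {length} for option kind {kind}")
        options[kind] = bytes(raw[i + 2:i + length])
        i += length
    return options


def parse_tcp(segment: bytes) -> TcpSegment:
    """Parse a TCP header (no IP header in front of it) into a TcpSegment."""
    if len(segment) < 20:
        raise ValueError("segment shorter than minimum TCP header")
    src, dst, seq, ack, off_flags, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4     # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError(f"bad data offset {data_offset}")
    return TcpSegment(src, dst, seq, ack, off_flags & 0x1FF,
                      parse_options(segment[20:data_offset]))


def build_syn(src_port: int, dst_port: int, seq: int, options: bytes) -> bytes:
    """Build a bare SYN header carrying the given options (test input only)."""
    options += b"\x00" * ((-len(options)) % 4)   # pad to 32-bit words with EOL
    off_flags = ((5 + len(options) // 4) << 12) | TCP_FLAG_SYN
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0,
                       off_flags, 65535, 0, 0) + options


def carries_waas_option(seg: TcpSegment) -> bool:
    return WAAS_OPTION_KIND in seg.options


def isn_delta(inside: TcpSegment, outside: TcpSegment) -> int:
    """ISN difference across the firewall mod 2^32; zero means untouched."""
    return (outside.seq - inside.seq) % (1 << 32)


def diagnose(inside_syn: bytes, outside_syn: bytes) -> list:
    """Findings for the same SYN captured before and after the firewall."""
    inside, outside = parse_tcp(inside_syn), parse_tcp(outside_syn)
    if not (inside.is_syn and outside.is_syn):
        raise ValueError("both segments must be SYNs")
    if (inside.src_port, inside.dst_port) != (outside.src_port, outside.dst_port):
        raise ValueError("captures are not the same flow (port tuple differs)")
    findings = []
    if carries_waas_option(inside) and not carries_waas_option(outside):
        findings.append("option 33 stripped")
    if isn_delta(inside, outside) != 0:
        findings.append("ISN rewritten")
    return findings


# Constructed sample captures (placeholders, not real WAAS traffic).
MSS_1460 = b"\x02\x04\x05\xb4"
NOP = b"\x01"
SACK_PERMITTED = b"\x04\x02"
OPTION_33 = b"\x21\x08" + b"\x00\x00\x00\x00\x00\x01"   # kind 33, len 8, dummy

INSIDE_SYN = build_syn(40000, 4050, 0x11223344,
                       MSS_1460 + NOP + NOP + SACK_PERMITTED + OPTION_33)
# Same flow seen outside a misbehaving firewall: option gone, ISN randomized.
OUTSIDE_SYN_BROKEN = build_syn(40000, 4050, 0x99887766,
                               MSS_1460 + NOP + NOP + SACK_PERMITTED)
OUTSIDE_SYN_GOOD = INSIDE_SYN

if __name__ == "__main__":
    print("broken path:", diagnose(INSIDE_SYN, OUTSIDE_SYN_BROKEN))
    print("good path:  ", diagnose(INSIDE_SYN, OUTSIDE_SYN_GOOD))
```

To use it against real traffic, feed parse_tcp the TCP header bytes from a capture taken on the WAE subnet and one taken on the ASA's outside interface for the same connection; the function only matches on ports, so pair the captures by IP addresses yourself. A clean run on the A-B path and a "stripped" or "rewritten" finding on the A-C path would point at the firewall rather than at the WAE registration.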


