Volume 2
Implementation, Integration, and Management
Overview
Module Objectives
Overview
Objectives
Configuring Inline Interception
Configuring WCCPv2
Configuring PBR
Configuring ACE for Interception
Summary
Overview
Objectives
Introduction to Cisco WAAS Central Manager
Activating WAEs
Configuring Device Groups
Managing and Monitoring WAEs
Configuring Role-Based Access Control
Managing Software Distribution and Upgrade
Configuring High Availability
System Settings and Device Recovery
Summary
Module Summary
Module Self-Check
Module Self-Check Answer Key
Overview
Module Objectives
Introduction to Troubleshooting
Overview
Objectives
Troubleshooting Workflow
Common Issues
Platform Liveliness and Connectivity
Troubleshooting Management Services
Reporting Facilities
Summary
Overview
Objectives
Overview
Troubleshooting WCCPv2 Interception
Troubleshooting PBR Interception
Troubleshooting Inline Interception
Troubleshooting ACE Interception
Troubleshooting Automatic Discovery
Summary
Overview
Objectives
Overview
Configured and Applied Policies
Examining Optimized Connections
TFO Transaction Logs
Compression Statistics
Summary
Overview
Objectives
Overview
CIFS Acceleration Policies and Services
CIFS Configuration and Directives
Validating Client Connectivity
Statistics, Health Indicators, and Logs
Troubleshooting Print Services
Summary
Module Summary
Module Self-Check
Module Self-Check Answer Key
Module 3
Implementation, Integration, and Management
Overview
This module describes the process used to implement and integrate Cisco Wide Area
Application Services (WAAS) into the network, and also configure the Cisco WAAS solution
for application acceleration and WAN optimization. This module also examines how to manage
Cisco Wide Area Application Engines (WAEs) running Cisco WAAS.
Module Objectives
Upon completing this module, you will be able to describe Cisco WAAS implementation,
integration, and management. This includes being able to meet these objectives:
Explain how to configure traffic interception using physical inline deployment, WCCPv2,
PBR, and ACE
Explain how the WAAS Central Manager is used to centrally configure, manage, and
monitor a topology of WAE devices
Lesson 1
Objectives
Upon completing this lesson, you will be able to describe the WAE installation and
configuration process. This includes being able to meet these objectives:
Explain how to perform the initial installation of WAE appliance providing Central
Manager functionality
Explain how to perform the initial installation of WAE network modules configured as
accelerators
WAAS v4.0.73-4
The first WAE that should be installed is the Central Manager. The Central Manager WAE can
be initialized using the CLI setup script, which is accessible with a serial connection to the
WAE. Connect a serial cable to the WAE and configure your terminal application to 9600
baud, no parity, 8 data bits, 1 stop bit, no flow control (hardware or software), and then turn on
the WAE.
After the WAE loads, a setup script is presented for initial device configuration. To revisit the
setup script at any time, execute the setup command from the CLI prompt.
After the device is configured with the setup script, specify the primary interface and device
mode, and then save the configuration and reload the WAE. After the WAE has rebooted,
specify the Central Manager role, enable Central Management Services (CMS), and save the
configuration again. After CMS is enabled, other WAEs are able to register against the CM.
Full duplex is required for proper operation unless using Gigabit
The first part of the setup script is shown in the figure. This portion of the setup script allows
you to configure the following:
Full duplex is required to ensure proper operation and performance. If a system operates in
half-duplex mode, an alert is sent to the CM. GigabitEthernet forces the interface into
autonegotiate, because half-duplex is not possible with GigabitEthernet. For GigabitEthernet
configurations, be sure to leave the interface set to autosense; otherwise, set the interface to full.
This designation applies the configuration defined in the setup script.
The second part of the setup script is shown in the figure. This portion allows you to configure
the following:
Default gateway
Domain name
This portion also allows you to save and apply the configuration.
The primary-interface is the interface that is used for management traffic and must be defined on all WAEs in the deployment.
After the network parameters have been configured, specify the primary interface of the WAE.
This is the interface that the WAE uses for management traffic.
Next, configure the device mode. Two device modes exist in WAAS:
Central Manager: This WAE should act as a Central Manager in the WAAS network.
The device mode is configured via the device mode command under global configuration
mode. Be sure to save the running configuration using the copy run start command after
making the configuration changes.
This command reboots the WAE device.
Use the copy run start command to save the running configuration to memory. The saved
configuration is persistent and is applied the next time the WAE is reloaded. The reload
command is used to reset the WAE. A WAE reload typically takes approximately 3 minutes.
With a console attached to the WAE, you can also specify the power-on and power-off
behavior of the WAE to ensure that the system boots as long as there is power in the outlet.
This command specifies that this Central Manager WAE should be the primary Central Manager.
After the Central Manager WAE has reloaded, use the config term command to return to
global configuration mode, and then specify the Central Manager role as primary. Note that for
a standby CM, you specify the CM role as standby. After the Central Manager role has been
defined, enable CMS by issuing the cms enable command.
At this point, WAEs are able to register against the Central Manager WAE. Be sure to save the
configuration of the Central Manager WAE.
Initial setup tasks for application accelerator WAE appliances are similar to the Central
Manager WAE with the exception that a reload is not required during configuration.
Configuring an application accelerator requires the following:
Step 1
Step 2
Step 3
Step 4
Step 5
Enable CMS.
Step 6
For an application accelerator WAE, specify the primary interface and configure the device
mode as application-accelerator.
Next, specify the IP address of the Central Manager using the central-manager address
command. Finally, run cms enable to register this WAE against the CM. Be sure to save the
configuration of the WAE at this point.
An alternative to using a statically defined Central Manager IP address is available when using
DHCP on the WAE. Within DHCP, a vendor class option (option number 43), can be set within
the DHCP scope to provide the IP address or hostname of the CM. The WAEs configured with
DHCP can be set to listen for this option by configuring them for autoregistration by issuing the
following command sequence:
WAE# configure
WAE(config)# auto-register enable gigabitEthernet 1/0
In this example, the interface supplied is the interface that should be used to receive DHCP
offers from the DHCP server. Autoregistration can be verified from the CLI by using the
following command:
WAE# show auto-register
The NME-WAE platforms can be inserted into the following router platforms: 2811, 2821,
3825, 3845. The NME-WAE does not operate in a nonsupported router.
The NME-WAE service module REQUIRES at a minimum IOS v12.4(9)T1. The NME-WAE
does not operate in a nonsupported router, nor does the NME-WAE operate in a supported
router that is not at or above the minimum software version level.
Initial setup tasks for application accelerator WAE appliances are similar to the Central
Manager WAE with the exception that a reload is not required during configuration.
Configuring an application accelerator requires the following:
Insert network module into router: Ensure that the network module is properly inserted.
This must be done while the router is physically powered off. The network modules can not
be inserted while the router is powered on.
Configure network module internal interfaces on the router: The NME-WAE uses an
internal GigabitEthernet interface over the router backplane, and the router has a separate
internal interface that is used as the network module default gateway.
Connect to the network module via router console: The console of the NME-WAE can
be reached from the router console.
At this point, the NME-WAE is configured as any WAE appliance would be:
Completion of the CLI setup script: Identical to that of the WAE appliance.
The router CLI can be used to verify that the NME-WAE is properly inserted and powered up.
Use the sh ver command within the router CLI to validate that an Integrated Services Engine
appears in the hardware listing. The service-module integrated-Services-Engine 1/0
status command confirms that the NME-WAE is running Cisco WAAS software and reports its
hardware and software state.
Router Interface Integrated-Services-Engine(slot)/0
service-module ip address 10.10.100.2 255.255.255.0
service-module ip default-gateway 10.10.100.1
WAE Interface GigabitEthernet0/0
ip address 10.10.100.2 255.255.255.0
Figure labels: WAN I/F, IP Network, Service Module Internal I/F, Service Module I/F
The NME-WAE has two GigabitEthernet interfaces. One interface is virtual and is connected to
the router via the router backplane as shown in the figure.
The NME-WAE internal interface connects directly over the router backplane to a router
interface that is dedicated to the service module. It is recommended that this router interface
be used as the default gateway for the NME-WAE; the NME-WAE can instead use the
external interface and an adjacent router, but this configuration is not recommended. The router
internal interface should also be excluded from Web Cache
Communication Protocol (WCCP) redirection so that traffic coming into the interface from the
NME-WAE is not immediately redirected back to the NME-WAE. Issue the following
commands from the router CLI:
Router# config t
Router(config)# interface Integrated-Services-Engine (slot)/0
Router(config-if)# ip address 10.10.100.1 255.255.255.0
Router(config-if)# ip wccp redirect exclude in
Router(config-if)# no shut
This internal interface is identified as GigabitEthernet 1/0 in the WAE CLI. The IP address of
this interface can be configured from the router CLI by using:
Router# config t
Router(config)# interface Integrated-Services-Engine (slot)/0
Router(config-if)# service-module ip address 10.10.100.2 255.255.255.0
Router(config-if)# no shut
The IP address of this interface can also be configured in the WAE CLI, and should be
configured identically to the router CLI configuration:
NME-WAE# config t
NME-WAE(config)# interface GigabitEthernet 1/0
NME-WAE(config-if)# ip address 10.10.100.2 255.255.255.0
NME-WAE(config-if)# no shut
NME-WAE(config-if)# exit
NME-WAE(config)# ip default-gateway 10.10.100.1
2007 Cisco Systems, Inc.
Note
The NME-WAE internal interface and the router internal interface dedicated to the NME-WAE cannot be configured with the same IP address. They do, however, need to be on the
same subnet. Configuring the NME-WAE IP address and default gateway also propagates
to the WAE configuration automatically.
The service-module command, when executed at the privileged exec prompt of a router
running an IOS version that supports the NME-WAE, provides a series of commands that can
be executed relative to any installed service modules:
R2821-edge#service-module integrated-Service-Engine 1/0 ?
default-boot Set/Clear Default Boot for the next reboot
reload Reload service module
reset Hardware reset of Service Module
session Service module session
shutdown Shutdown service module
statistics Service Module Statistics
status Service Module Information
To establish a console session to the service module using the existing router session:
R2821-edge#service-module integrated-Service-Engine 1/0 session
To clear a console session that has been established to the service module:
R2821-edge#service-module integrated-Service-Engine 1/0 session clear
[confirm]y [OK]
The router's internal interface dedicated to the NME-WAE is configured from the router CLI.
This interface should be given an IP address on a subnet dedicated to WAEs. This interface
should also be configured for WCCP redirection exclusion so that traffic coming from the
NME-WAE is not immediately redirected back to the NME-WAE.
From the CLI configuration of the Integrated-Services-Engine(slot)/0 interface, you can also
configure the IP address of the NME-WAE as well as its default-gateway. The default-gateway
of the NME-WAE should be the router's internal interface. Be sure to enable the router's
internal interface using the no shut command, and add a static route to the NME-WAE on the
router.
The router internal interface and NME-WAE internal interface do not require speed or duplex
configuration.
After the NME-WAE is powered up and the interfaces are configured, the service-module
Integrated-Service-Engine(slot)/0 session command allows you to attach to the NME-WAE
via a console connection. This console connection is internal over the router backplane and
requires no serial cable be connected to the NME-WAE itself (it does not have a serial port).
The console line of the NME-WAE can be cleared using the command service-module
integrated-Service-Engine 1/0 session clear on the router.
After you have connected to the NME-WAE (via console, telnet, SSH, or other), you can then
configure it as any WAE appliance.
WAE interfaces are configured in a process similar to configuring interfaces in IOS. For proper
operation, it is required that full-duplex be explicitly configured on all WAEs. If interfaces are
operated in half-duplex mode, an alert is sent to the CM. Interfaces can be bundled into a
PortChannel for high availability if desired.
To configure an interface, use the config t command to enter global config mode, and then use
the interface gigabitEthernet 1/0 or interface gigabitEthernet 2/0 command to enter
interface configuration mode. You can also use the interface command to access configuration
mode for other types of interfaces, such as PortChannels. From here, the interface bandwidth,
duplex, and other settings can be applied.
Additionally, DHCP can be used on WAE interfaces. If DHCP is used, it is recommended that
reservations be created within the DHCP server so that the WAE receives the same IP address
each time.
Duplex and bandwidth settings do not need to be configured on the NME-WAE internal
interface. The external interface, however, which is GigabitEthernet 2/0, can be configured
with speed and duplex settings.
Note
Full-duplex should not be configured for interfaces that are connected to a Gigabit Ethernet
switch, as duplex is automatically set to full. Speed and duplex settings are only applicable
in non-Gigabit environments. Bandwidth and duplex settings do not need to be configured
on router internal interfaces supporting the NME-WAE, and do not need to be configured on
the internal interface within the NME-WAE.
To configure an interface PortChannel, assign the IP address to the PortChannel interface itself
and not to the interface members of the PortChannel. Be sure to enable the interface by using
the no shutdown command.
Note
This is not applicable to the NME-WAE or internal router interfaces that connect to the NME-WAE.
Next, assign each of the interfaces to the PortChannel using the channel-group command.
Make sure to enable the physical interfaces by using the no shutdown command.
Network Configuration
Common CLI configuration commands include the following:
wafs30-edge(config)# ip default-gateway (ipaddr)
wafs30-edge(config)# ip domain-name (domainname)
wafs30-edge(config)# ip name-server (ipaddr)
wafs30-edge(config)# interface GigabitEthernet (slot/port)
wafs30-edge(config-if)# ip address (ipaddr) (subnetmask)
wafs30-edge(config-if)# no shut
The CLI provides facilities to configure all of the networking components of the WAE,
including default-gateway, DNS server list (IP addresses, used sequentially) and DNS domain-name. Note that GigabitEthernet1/0 on the NME-WAE represents the internal network
interface facing the router backplane.
The show command provides information about the different functions of the WAE. In this
example, the show interface command was used to display interface configuration details and
statistics. Note that this command shows the configuration of the interface, including MAC
address, IP address, network mask, and maximum transmission unit (MTU), as well as statistics
(input packets, packets received, errors, drops, overruns, output packets, and more). Also note
that this command shows the operational state of the interface (up or down) and duplex. The
duplex should always be statically defined to full-duplex on each WAE. It is good practice to
use full-duplex on the switch ports and on the router interfaces as well.
Issuing the show interface command against a PortChannel provides similar information. The
figure lists the PortChannel interface members and their current state.
CLI commands are generally used to define common platform components and functions:
Up to four syslog servers can be listed through the logging host command.
SNMP Configuration
This command specifies the SNMP community string.
The CLI allows you to configure almost every aspect of the Simple Network Management
Protocol (SNMP) on the WAE. The Central Manager GUI is recommended for performing
these tasks, because configurations defined through the GUI can be applied against a device
group, while the CLI only supports configuration for a single device.
Use the snmp-server ? command to configure the following SNMP options:
access-list: Configure a standard IP access list allowing access to the SNMP Agent
Note
Basic SNMP configuration can be performed via the device GUI by choosing Cisco WAE >
Configuration > SNMP. It is recommended that you use the Central Manager GUI for
SNMP configuration.
Syslog Configuration
waas40-edge(config)#logging host ?
  Hostname or A.B.C.D  Host IP address
waas40-edge(config)#logging host 1.1.1.1 ?
  port         Port to use when logging to a host (default is 514)
  priority     Priority level when logging to host (default is 'warning')
  rate-limit   Set messages per second limit
  <cr>
waas40-edge(config)#logging host 1.1.1.1 priority ?
  alert        (1) Immediate action needed
  critical     (2) Critical conditions
  debug        (7) Debugging messages
  emergency    (0) System is unusable
  error        (3) Error conditions
  information  (6) Informational messages
  notice       (5) Normal but significant conditions
  warning      (4) Warning conditions
EDGE1(config)#logging host 1.1.1.1 priority warning ?
  port         Port to use when logging to a host (default is 514)
  rate-limit   Set messages per second limit
  <cr>
Defines a syslog server. Up to 4 can be defined.
Define the message priority required to trigger an alert to the syslog server. Default is warning.
The WAE CLI can be used to configure up to four syslog servers. Each syslog server definition
requires a separate command entry in the WAE CLI. The logging host command also allows
the administrator to specify which port to use, the limited rate for sending syslog messages, and
what the minimum message priority level is to send a message to the syslog server.
System Time
Common CLI configuration commands are required to
specify system time, date, or an NTP server:
waas40-edge(config)# clock timezone (timezone) (hoursoffset) (minutesoffset)
waas40-edge(config)# exit
waas40-edge# clock set (HH:MM:SS) (month) (day) (year)
waas40-edge# config term
waas40-edge(config)# ntp server (ipaddr)
It is important to maintain and ensure consistent system time when using Cisco WAAS,
particularly for file or print services. When using WAAS for file or print services, or when
using Windows authentication for management, the time skew from each of the WAEs to the
domain controller should be no more than 5 minutes. Otherwise, Windows tickets expire and
services do not function correctly.
System time can be specified manually or by using the Network Time Protocol (NTP).
Note
It is important to synchronize the clocks on each of the WAEs in the Cisco WAAS network
with the Central Manager WAEs. This allows for proper reporting of statistics and
monitoring. Should a WAE not be synchronized with the Central Manager, an alert is
displayed for that device in the Central Manager GUI.
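The registration, syslog and time settings covered so far can be checked mechanically against a saved configuration. The following is an added example, not Cisco code or part of the original course material; it assumes the configuration dump uses the command forms shown on this page, and the sample configurations, addresses and finding codes are constructed for illustration.

```python
# Added illustration, not Cisco code: checks a WAE configuration dump against
# the registration, syslog and time settings described on this page.
import re

SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "information": 6, "debug": 7}
MAX_LOG_HOSTS = 4  # the page: up to four syslog servers can be defined


def parse_logging_hosts(config):
    """Return one dict per 'logging host' line; defaults follow the CLI help."""
    hosts = []
    for line in config.splitlines():
        m = re.match(r"\s*logging host (\S+)(.*)$", line)
        if not m:
            continue
        entry = {"host": m.group(1), "port": 514, "priority": "warning"}
        opts = m.group(2).split()
        # Options are keyword/value pairs: port N, priority LEVEL, rate-limit N.
        for key, value in zip(opts[0::2], opts[1::2]):
            if key == "port":
                entry["port"] = int(value)
            elif key == "priority":
                entry["priority"] = value
        hosts.append(entry)
    return hosts


def forwards(host, level):
    """The configured priority is a minimum: a message is sent when its
    severity number is less than or equal to the host's priority number."""
    return SEVERITY[level] <= SEVERITY[host["priority"]]


def audit(config):
    """Return a list of (code, detail) findings; an empty list means pass."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]

    def has(prefix):
        return any(l.startswith(prefix) for l in lines)

    findings = []
    hosts = parse_logging_hosts(config)
    valid = [h for h in hosts if h["priority"] in SEVERITY]
    if not hosts:
        findings.append(("no-syslog-host", "no 'logging host' is defined"))
    if len(hosts) > MAX_LOG_HOSTS:
        findings.append(("too-many-syslog-hosts", "more than four hosts listed"))
    for h in hosts:
        if h["priority"] not in SEVERITY:
            findings.append(("bad-priority", h["host"] + ": " + h["priority"]))
    # Assumed baseline (not from the page): at least one host must receive
    # warning-level messages, which is the CLI default priority.
    if valid and not any(forwards(h, "warning") for h in valid):
        findings.append(("syslog-below-warning", "no host receives warnings"))
    if not has("ntp server "):
        findings.append(("no-ntp-server", "clock skew can break Windows auth"))
    if not has("primary-interface "):
        findings.append(("no-primary-interface", "management interface unset"))
    if has("device mode application-accelerator") and not has("central-manager address "):
        findings.append(("no-central-manager", "accelerator cannot register"))
    if not has("cms enable"):
        findings.append(("cms-not-enabled", "CMS is not enabled"))
    return findings


# Constructed sample configurations (not captured from a real device).
GOOD = """
device mode application-accelerator
primary-interface GigabitEthernet 1/0
interface GigabitEthernet 1/0
 ip address 10.10.100.2 255.255.255.0
ip default-gateway 10.10.100.1
ntp server 10.10.10.100
logging host 1.1.1.1 priority warning
logging host 10.10.10.101 port 1514 priority information
central-manager address 10.10.10.10
cms enable
"""
WEAK = """
device mode application-accelerator
interface GigabitEthernet 1/0
 ip address 10.10.100.2 255.255.255.0
central-manager address 10.10.10.10
logging host 1.1.1.1 priority emergency
"""

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, [code for code, _ in audit(cfg)])
```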
User passwords can be configured via the CLI, but it is recommended that you configure them
from Central Manager, because these configurations can be applied globally.
The CLI allows for the classification of users into one of two configured privilege levels:
0: A normal user with basic CLI monitoring access and no configuration capabilities
Options include:
edge-wae(config)#authentication configuration ?
Options include:
edge-wae(config)#authentication login ?
Options include:
Options include:
Options include:
Login Authentication
Common CLI configuration commands include the following:
waas40-edge(config)# authentication login tacacs enable primary
waas40-edge(config)# authentication login radius enable secondary
waas40-edge(config)# authentication login local enable tertiary
waas40-edge(config)# authentication fail-over server-unreachable
Authentication can be configured so that the WAE fails over to an alternate authentication,
authorization, and accounting (AAA) provider should the configured provider be unavailable.
The command syntax and options for authentication functions are listed and described as
follows.
edge-wae(config)#authentication ?
Options include:
edge-wae(config)#authentication fail-over ?
Options include:
server-unreachable: Query the next authentication method only if the server is unreachable
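The effect of the fail-over setting on the tacacs, radius, local chain configured above can be seen in a small model. This is an added example, not Cisco code; the accounts and passwords are constructed, and the behaviour without the server-unreachable option (falling through to the next method on any failure) is an assumption of the model.

```python
# Added illustration, not Cisco code. Models the ordered login chain set by
# "authentication login <method> enable primary|secondary|tertiary".
from dataclasses import dataclass, field

CHAIN = ["tacacs", "radius", "local"]  # order from the configuration above


@dataclass
class Backend:
    """One authentication database. Accounts are constructed sample data."""
    reachable: bool = True
    users: dict = field(default_factory=dict)  # username -> password

    def check(self, user, password):
        """True = accept, False = reject, None = server did not answer."""
        if not self.reachable:
            return None
        return user in self.users and self.users[user] == password


def make_backends(tacacs_up=True, radius_up=True):
    """Constructed scenario: 'alice' was removed from the AAA servers, but a
    stale local account for her still exists on the WAE."""
    central = {"bob": "bob-aaa-pw"}
    return {
        "tacacs": Backend(tacacs_up, dict(central)),
        "radius": Backend(radius_up, dict(central)),
        "local": Backend(True, {"alice": "alice-local-pw"}),
    }


def login(chain, backends, user, password, server_unreachable_only):
    """Return (granted, deciding_method).

    server_unreachable_only=True models "authentication fail-over
    server-unreachable": move to the next method only when the current
    server does not answer. False models the assumed behaviour without that
    command: any failure, including a reject, falls through to the next method.
    """
    for method in chain:
        verdict = backends[method].check(user, password)
        if verdict is True:
            return True, method
        if verdict is False and server_unreachable_only:
            return False, method  # a reachable server said no: stop here
    return False, None  # every method rejected the login or was unreachable


if __name__ == "__main__":
    up = make_backends()
    down = make_backends(tacacs_up=False, radius_up=False)
    # Stale local account is usable when rejects fall through to "local".
    print(login(CHAIN, up, "alice", "alice-local-pw", False))
    # With server-unreachable, the TACACS+ reject is final.
    print(login(CHAIN, up, "alice", "alice-local-pw", True))
    # Local login still works as a fallback when both AAA servers are down.
    print(login(CHAIN, down, "alice", "alice-local-pw", True))
```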
238472MB(232.9GB)
disk01: Normal 238472MB(232.9GB)

                  TYPE        DEVICE     SIZE      INUSE  FREE      USE%
                  root        /dev/root  35MB      30MB   5MB       85%
/swstore          internal    /dev/md1   495MB     327MB  168MB     66%
/state            internal    /dev/md2   4031MB    119MB  3912MB    2%
/disk00-04        CONTENT     /dev/md4   214232MB  58MB   214174MB  0%
/local/local1     SYSFS       /dev/md5   3967MB    802MB  3165MB    20%
.../local1/spool  PRINTSPOOL  /dev/md6   991MB     16MB   975MB     1%
/sw               internal    /dev/md0   991MB     431MB  560MB     43%
Use the command shown in the figure to view disk details. When more than one disk drive is
installed in the WAE appliance, the WAE is configured to use RAID-1 mirroring for all file
systems. If all disks become unavailable, the WAE is still reachable on the network and
continues to apply Transport Flow Optimization (TFO) only, based on policy.
Note that the output of this command identifies the physical disks that are installed in the
system, including the state of the disks and their capacity. This command also lists the capacity
for each of the file systems that are configured on the disks.
The following are the file systems used by Cisco WAAS, as well as their purpose:
Root: /, the root file system, all file systems are children of the root file system
Software store: /swstore, any pending software updates and archived copy of previous
software image
State: /state, system read and write file system for internal system processes
Content: /disk00-04, used for data and metadata cache storage including application
acceleration and WAN optimization capabilities such as DRE and the Common Internet
File System (CIFS) file cache
Printspool: /local/local1/spool, capacity for spooled print jobs (1GB), reclaimed after print
job completed, shared among printer queues
The content file system is used as a read-write dynamic cache storage area for the CIFS and the
Data Redundancy Elimination (DRE) compression history. The size of this file system is
dynamic based on the WAE model, memory configuration, and installed disks:
NME-WAE-502 with 1GB of memory, 120GB disk; 40GB for DRE, 40GB for CIFS
WAE-512 with 1GB of memory, 250GB disks; 75GB for DRE, 110GB for CIFS
WAE-512 with 2GB of memory, 250GB disks; 110GB for DRE, 110GB for CIFS
WAE-612 with 2GB of memory, 300GB disks; 130GB for DRE, 130GB for CIFS
WAE-612 with 4GB of memory, 300GB disks; 130GB for DRE, 130GB for CIFS
WAE-7326 with 4GB of memory, 300GB disks; 380GB for DRE, 300GB for CIFS
Note
This capacity is allocated even if the services are not configured. These parameters can not
be changed by the administrator.
          TYPE    STATUS
/dev/md0  RAID-1  NORMAL OPERATION  disk00/00[GOOD]  disk01/00[GOOD]
/dev/md1  RAID-1  NORMAL OPERATION  disk00/01[GOOD]  disk01/01[GOOD]
/dev/md2  RAID-1  NORMAL OPERATION  disk00/02[GOOD]  disk01/02[GOOD]
/dev/md3  RAID-1  NORMAL OPERATION  disk00/03[GOOD]  disk01/03[GOOD]
/dev/md4  RAID-1  NORMAL OPERATION  disk00/04[GOOD]  disk01/04[GOOD]
/dev/md5  RAID-1  NORMAL OPERATION  disk00/05[GOOD]  disk01/05[GOOD]
/dev/md6  RAID-1  NORMAL OPERATION  disk00/06[GOOD]  disk01/06[GOOD]
The show disk details command also shows the redundant array of inexpensive disks (RAID)
configuration of each of the file systems as well as the status for each.
The following commands can be used to configure a WAE to integrate into a domain via the
CLI. This approach is not typically recommended, as Central Manager or the local GUI are
preferred for accomplishing these tasks.
The following commands are global parameters that must be applied when configuring domain
integration from the CLI:
waas-cm#conf t
waas-cm(config)#windows-domain netbios-name "WAAS-CM"
waas-cm(config)#windows-domain workgroup "DOMAIN-NAME"
waas-cm(config)#windows-domain wins-server 10.10.10.100
waas-cm(config)#windows-domain password-server 10.10.10.100
Note
Changing settings using the windows-domain command can cause updates to internal
configuration files. The results of these updates are displayed in the console.
Use the following syntax to join a domain from the CLI using NT LAN Manager version 1
(NTLMv1):
waas-cm#windows-domain diag net "join -S server -U administrator%password"
Where:
Use the following syntax to join a domain from the CLI using NTLMv2:
waas-cm#windows-domain diag net "rpc join -S server -U administrator%password"
Where:
Use the following syntax to join a domain from the CLI using Kerberos:
waas-cm#windows-domain diag net "ads join -S server -U administrator%password"
Where:
The following commands might be required if the domain controller operating system version
is Windows 2000 Service Pack 4 or later, or Windows 2003 Service Pack 1 or later:
waas-cm#conf t
waas-cm(config)#smb-conf section global name "client schannel" value "no"
waas-cm(config)#exit
waas-cm#windows-domain diag wbinfo "--set-authuser=administrator%password"
waas-cm#service restart winbindd
Where:
administrator%password is the name of the account used to join the domain, and the
password to be used with this account.
Note
WAE time must be within five minutes of the domain controller time for Windows integration
to be successful. Also, forward and reverse lookup entries must be created within the DNS,
or Windows integration and authentication fails to complete successfully.
Following are useful help references for the most commonly used options of the windows-domain diagnostics command.
edge-WAE#windows-domain diagnostics ?
Options include:
getent: Utility to get unified list of both local and Primary Domain Controller (PDC) users
and groups
smbstatus: Utility for inspecting the server status, connected clients, and related
components
smbtree: Utility for inspecting the Windows network neighborhood structure and content
tdbbackup: Utility for backing up, verifying, and restoring database files
No command: /usr/bin/net
net getlocalsid [NAME]: Option to get the security identifier (SID) for local name
net changesecretpw: Option to change the machine password in the local secrets database
only; requires the -f flag as a safety barrier
net usersidlist: Option to get a list of all users and their SIDs
net ads <command>: Request to run Active Directory Service (ADS) commands
net rap <command>: Request to run pre-remote procedure call (RPC) Remote Administration
Protocol (RAP) commands
It is recommended that all WAE configuration changes be saved. Use the copy running-config
startup-config command for this purpose.
The copy command allows you to copy from many sources to many destinations. Valid sources
include those shown in the following command syntax reference:
edge-wae#copy ?
Options include:
Valid destinations are based on the source. The following descriptions identify valid
destinations for each source:
edge-wae#copy cdrom ?
Options include:
edge-wae#copy http ?
Options include:
edge-wae#copy compactflash ?
Options include:
edge-wae#copy disk ?
Options include:
edge-wae#copy ftp ?
Options include:
disk: To disk
edge-wae#copy http ?
Options include:
edge-wae#copy running-config ?
Options include:
edge-wae#copy startup-config ?
Options include:
edge-wae#copy system-status ?
Options include:
edge-wae#copy tech-support ?
Options include:
edge-wae#copy tftp ?
Options include:
disk: To disk
startup-config: To startup-config
Note
As the copy command only captures the CLI running-config or startup-config, the GUI
backup mechanism should be used if Wide Area File Services (WAFS) or print services are
configured.
The running-config or startup-config can also be recovered from a FTP or TFTP server. If
WAFS or print services are configured on the WAE, and the GUI backup procedure was used,
use the GUI restore procedure instead.
The WAE can be rebooted by using the reload command. The WAE can be shut down by
using the following command:
edge-wae#shutdown ?
Options include:
The WAE boot sequence also allows you to enter the BIOS to configure power-on behavior.
The WAE device GUI provides access to device-specific configuration, reporting, monitoring,
and control functions. The device GUI allows you to back up configurations, restore
configurations, view logs and graphs, create and view system reports, and control system
services. The default credentials for accessing the device GUI directly (not needed if accessing
the device GUI from the Central Manager) are:
username = admin
password = default
Note
The WAE device GUI is secured using HTTPS. You must use HTTPS and not HTTP.
Figure labels: Current location, Workspace tabs, Logout, Help, Service-specific functions, Workspace
The WAE GUI provides a taskbar on the left, which groups device functions and services. In
this example, two groupings are available; one for device functions called Cisco WAE and one
for service functions called WAFS Edge. If this WAE were a WAFS Core device you would
see a third grouping called WAFS Core.
The current location within the GUI is shown at the top of the window. A help button is located
at the top right of the window. The workspace area displays information that is relative to the
device function that is currently in view.
Using the WAE device GUI, Cisco WAAS can be configured to send Simple Mail Transfer
Protocol (SMTP) email notifications should a notification or error message be
generated due to a system condition. To configure SMTP notifications, from the WAE Device
GUI choose Cisco WAE > Configuration > Notifier and supply the following data:
Mail server host name: The SMTP server that the WAE should connect to
Notify level: The minimum severity level for notifications to generate an SMTP email alert
Mail server port: The TCP port that the SMTP server uses
Login to server: Check this box if the server requires user authentication
Server user name: Supply only if SMTP server authentication is required; the username
that the WAE should authenticate using
Server password: Supply only if SMTP server authentication is required; the password for
the defined username that the WAE should authenticate with
From: The text that should appear in the From line when the recipient receives email
notification of a WAE alert
Subject: The text that should appear in the Subject line when the recipient receives email
notification of a WAE alert
The SNMP notification level can also be set from this page. This level defines the minimum
severity level of messages that trigger the WAE to send SNMP traps when events are
encountered.
The WAE system report is a helpful tool for troubleshooting problems with the WAE. By
choosing Cisco WAE > Utilities > Support, an administrator can generate a full system report
(all logs) or a filtered system report (date range). The WAE compiles the system report and
compresses it into a file that can be downloaded through the browser.
The system report contains the following information:
Command output: From commands such as show tech-support, show statistics tfo
connection, and others
Platform configuration: Internal configuration files for networking, routing, services, and
disk configuration
Platform state: Including memory consumption, CPU utilization, devices, file systems,
and partitions
Print services: Including SAMBA configuration and logs, Common Unix Printing System
(CUPS) configuration and logs
Internal services logs: Including web server (management), external packet memory
(EPM) error logs, compression, interception, and TCP proxy error logs
CIFS acceleration: Configuration files and service logs for Edge service, Core service,
preposition, manager, watchdog, and other utilities
Central management: Configuration files and service logs for local central management
(LCM) and audit logs for configuration changes
Syslog
The WAE CLI can also be used to generate a system report. The system report can then be
copied off of the WAE:
EDGE1#copy sysreport disk WAE start-date December 10 2006 end-date
December 2006
Generating sysreport ...
Cisco WAE system reports can be very large in size, in many cases over 10 MB.
The WAE CPU utilization can be graphed from the device GUI by choosing Cisco WAE >
Monitoring, and selecting CPU Utilization. The graphs that appear chart the WAE CPU
utilization over the timespan of:
The WAE CLI can also be used to see the real-time CPU utilization:
EDGE1#sh proc
CPU average usage since last reboot:
cpu: 0.56% User, 3.06% System, 8.75% User(nice), 87.63% Idle
--------------------------------------------------------------------
PID   STATE PRI User T SYS T  COMMAND
----- ----- --- ------ ------ --------------------
1     S     0   588    548    (init)
2     S     0   0      0      (migration/0)
3     S     19  0      0      (ksoftirqd/0)
4     S     -10 0      0      (events/0)
The WAE GUI can also graph the disk utilization by choosing Cisco WAE > Monitoring, and
selecting Disk Utilization. After you click View, a graph appears showing the disk utilization
characteristics of the WAE. The CLI command show disks details also provides per-file
system real-time utilization data.
To back up the full WAE configuration, open the device GUI and choose Cisco WAE >
Control > Backup. The WAE zips the configuration and state files to be saved, and downloads
this file through the browser.
Configuration files are version specific. A backup from one version can not be restored to a
WAE running a different version of the configuration.
Summary
This topic summarizes the key points that were discussed in this lesson.
Summary
The WAE primary interface defines which interface should be
used for management traffic and must be configured.
One of two device modes must be specified on each Cisco WAE
in the WAAS topology; application accelerator or Central
Manager.
WCCPv2 configuration includes service group definition, router-list configuration, and redirection configuration.
PBR configuration includes access list configuration, route map
definition, and optionally, availability verification using IP SLAs.
The WAE CLI enables configuration of many items, including
interface channeling, SNMP, syslog, authentication, and NTP.
The Cisco WAE Device GUI provides a device-specific interface
for controlling services, performing configuration backup and
restore, and examining device log files.
Lesson 2
Objectives
Upon completing this lesson, you will be able to explain how to configure traffic interception
using physical inline deployment, WCCPv2, PBR, and ACE. This includes being able to meet
these objectives:
Describe the configuration of the inline interception card within the WAE appliance
Describe the process of configuring WCCPv2 on the WAE and on the network router or
switch
Describe the configuration of PBR on the WAE and on the network router or switch
Describe the configuration of the ACE module to provide data center interception for Cisco
WAAS
[Figure: 4-port WAE inline card. Ports WAN1 (interface InlinePort1/1/WAN) and LAN1 (interface InlinePort1/1/LAN) form interface InlineGroup1/1; ports WAN0 (interface InlinePort1/0/WAN) and LAN0 (interface InlinePort1/0/LAN) form interface InlineGroup1/0]
A WAE appliance can be configured for in-path operation, whereby it is deployed physically
between two network devices such as the branch office router and branch office LAN switch.
Such configurations require that the WAE appliance be configured with the 4-port WAE inline
card, shown here.
The 4-port WAE inline card provides fail-to-wire functionality, that is, any software, hardware,
or power failure causes the card to automatically bridge the two ports within each port group
together. In a fail-to-wire state, the inline card acts as a wire, thereby ensuring that a failure of
any kind does not prevent traffic from going into or out of the network. In normal operating
mode, traffic passes through the card, and the card forwards packets to be optimized up to the
Cisco WAAS software.
The 4-port WAE inline card has four ports, which are divided into two groups. Each 2-port
inline group represents a pair of ports that are associated with one another. Traffic entering one
port of the inline group always exits through the other port in the same group. One of the ports
is labeled LAN and the other is labeled WAN, which defines which device the port should be
connected to. LAN ports should be connected in a LAN-facing fashion (that is, toward end nodes attached to the LAN) and the WAN ports should be connected facing the WAN (that is,
toward the edge WAN router). Given that the inline card has four ports split into two inline
groups, the WAE can sit physically inline between two distinct network paths, that is,
redundant WAN links.
[Figure: inline card interfaces. The InlinePort interfaces shown (InlinePort1/0/WAN, InlinePort1/1/LAN, and InlinePort1/1/WAN in InlineGroup1/1) have no IP address; GigabitEthernet1/0 (ip address x.x.x.x) is the management interface toward the IP network]
The inline card for the WAE appliance has four 10/100/1000 autosensing copper Ethernet
interfaces. The interfaces are labeled LAN0, WAN0, LAN1, and WAN1, and are split into two
port groups where each interface with the same trailing number is a member of the same group.
These inline groups define inline port pairs, whereby traffic entering one interface exits the
other interface in the same inline group. Should an inline group go into bypass mode (fail-to-wire), traffic entering an interface would be immediately passed to the other interface. IP
addresses are not assigned to inline card ports. The LAN port within the inline group connects
to the LAN, and the WAN port within the inline group connects to the WAN router (or next
upstream device, such as a firewall). The WAE must have one of the standard interfaces (not
from the inline card) attached to the LAN for management purposes (for instance,
GigabitEthernet1/0 or GigabitEthernet2/0).
Inline interception is compatible with any interception mechanism being used in other remote
sites. For instance, some remote sites could use inline interception, whereas others might be
using WCCPv2. Configuring inline interception on a WAE, though, requires that WCCPv2 be
explicitly disabled on that WAE.
Total 1 CPU.
1024 Mbytes of Physical memory.
1 CD ROM drive (CD-224E)
2 GigabitEthernet interfaces
2 InlineGroup interfaces.
1 Console interface
[8836PCC]
The show hardware command displays the hardware configuration of the WAE. If the inline
card is inserted and recognized by the Cisco WAAS software, two InlineGroup interfaces
appear in the hardware inventory.
[Figure: interface types offered by the CLI: GigabitEthernet, InlineGroup (used to configure the group of inline ports), InlinePort (used to configure a specific port within an inline group), PortChannel, and Standby (standby groups)]
EDGE1(config)#interface inlinegroup ?
<1-4>/
Slot number
Group number
EDGE1(config-if)#
Before configuring inline interception on the WAE, ensure that WCCPv2 is explicitly disabled
on that WAE. To configure the inline interception card, enter global configuration mode
(config t) and then enter the inlinegroup interface configuration mode (interface
inlinegroup<slot>/<pair>). Only one inline card can be installed in a WAE appliance.
failover
inline
no
shutdown
EDGE1(config-if)#inline ?
vlan
<cr>
EDGE1(config-if)#inline vlan ?
all     All vlans
native  Native vlan
WORD
EDGE1(config-if)#failover timeout ?
<1-1>   1 second
<3-3>   3 seconds
<5-5>   5 seconds
EDGE1(config-if)#failover timeout 3
EDGE1(config-if)#no shutdown
To configure an inline group, enter the inline group interface configuration mode. From here,
the administrator can enable the inline group, specify the failover timer, and define the VLANs
that should be intercepted.
Interface autosense
bandwidth    Interface bandwidth
exit
full-duplex  Interface fullduplex
half-duplex  Interface halfduplex
no
Ports within an inline group are by default autosensing. To statically set inline group port
parameters, enter the inline group port interface configuration mode. From here, the duplex and
bandwidth for an interface can be configured. These interfaces can not be explicitly enabled or
disabled (no shut or shut), as this is controlled by the inline group.
Validate that packets are traversing the inline group and are being intercepted or bridged.
show interface inlinegroup <slot/group>: This command displays whether the inline
group is in bypass or intercept mode. Bypass mode is when the inline group is simply
sending received traffic immediately out the other interface in the inline group. Intercept
mode is when the inline group is receiving incoming packets and handing them off to Cisco
WAAS for optimization. This command also shows the watchdog timer statistics and
configuration.
[Figure: WAE inline card LED status indicators for ports WAN1, LAN1, WAN0, and LAN0. Table columns: LEDs, State, Description. LED rows: Link/Activity (ON, Blinking), 100 (ON), 1000 (ON), Bypass]
The figure shows how to interpret the LED status indicators on the WAE inline card.
Configuring WCCPv2
This topic explains how to configure WCCPv2 on the WAE and on the network router or
switch to function as the network interception and redirection mechanism.
[Figure: WCCPv2 example topology. Subnet 10.10.10.0/24, IP network, router subinterface Gi0/0.11; the WAE is TCP promiscuous and registers with Router1]
Enabling WCCPv2 requires configuration changes to the network boundary router or switch as
well as to the WAE. Remember that the WAE optimization interface must be deployed on a
VLAN or physical interface that is separate from the nodes to be optimized.
In this example, the WAE is deployed in an off-router, one-arm mode, meaning that the WAE
is attached to a VLAN on the LAN switch that is separate from the users, and shared only with
the border router, and the subnet is routable throughout the enterprise. Note that WCCPv2
interception is configured twice per router; once for service group 61 and again for service
group 62. In this example, ingress redirection is used, which means that there is no need to use
the redirect exclude command on the router interface that is adjacent to the WAE because this
command is only necessary when egress redirection is configured.
Note
WAE appliances configured with the inline card must have inline interception disabled.
Otherwise, WCCPv2 is not configurable. Network module enhanced (NME) WAE devices
rely on WCCPv2 for interception, but can alternatively be configured to use PBR.
[Figure: WCCPv2 Configurations. Numbered router scenarios showing service groups 61 and 62 applied in or out on the LAN and WAN interfaces (61 in, 62 in, 61 out, 62 out), and redirect exclude]
This slide shows the possible WCCPv2 configurations that can be achieved with Cisco WAAS.
Situations 1 and 2 are the easiest to use and incur the least amount of overhead on the router.
Situations 3 through 6 are used if interception can only be performed on one interface, but this
approach requires the use of the redirect exclude command on the WAE interface and egress
redirection for one of the service groups. These configurations are common in service isolation
mode, whereby it is desirable to wholly contain WCCP interception to a single interface.
Configurations using egress interception only (that is, 61/out and 62/out, regardless of interface
configuration) are not recommended.
Situations 5 and 6 are common if configuration can not be performed on the LAN interface, or
if the router has a single WAN interface and multiple LAN interfaces. This approach, and any
other configuration that uses egress redirection, requires use of the ip wccp redirect exclude in
command on the interface adjacent to the WAE.
For environments where WCCP is configured on a LAN switch, WCCP can only be configured
on Layer 3 interfaces; for example, on switch virtual interfaces (SVIs). With WCCP
configuration using SVIs, only one of the two WCCP service groups should be configured on
an SVI. In most cases, one service group is configured on the SVI adjacent to the clients or
servers, and the other is configured on the SVI adjacent to the WAN connection.
Note
Service groups determine how the router load-balances traffic, and placement of services
should be considered in sites where multiple WAEs are present. Service group 61 load-balances based on source-IP, and service group 62 load-balances based on destination-IP.
Be sure to use a load-balancing scheme that allows for all of the WAEs to be used
effectively.
Configuring WCCPv2
The WAE configuration process involves the following:
1. Enabling WCCPv2
2. Defining the list of routers to register against
3. Registering with the routers as a TCP promiscuous device
WCCPv2 is easily configured on the WAE (appliance or NME-WAE) and the router. WAE
configuration involves three steps:
Step 1 Enable WCCPv2.
Step 2 Define the list of routers to register against.
Step 3 Register with the routers as a TCP promiscuous device, using service groups 61 and
62.
Router configuration involves four steps. Three steps are required, and one is optional:
Step 1
Step 2
Step 3
Step 4
WAE# config t
WAE(config)# wccp version 2
WAE(config)# wccp router-list 1 1.1.1.1
WAE(config)# wccp tcp-promiscuous router-list 1
Execute the commands shown in this figure to configure WCCPv2 on a WAE. Note that these
commands are issued from global configuration mode.
The wccp router-list command allows for the definition of up to four routers. If more than four
routers are needed, use multicast.
Execute the commands shown in this figure on the router to enable CEF, WCCPv2, and support
for service group numbers 61 and 62. These commands are issued from global configuration
mode.
Next, enter interface configuration mode for each of the interfaces where redirection is to be
performed, and apply the appropriate redirection statements. Make sure that one service group
is present in one direction of traffic flow, and that the other service group is present in the
opposite direction of traffic flow.
In any situation where egress redirection is used, the command shown in this figure must be
issued on the router interface that is adjacent to the WAE. The ip wccp redirect exclude in
command ensures that packets received on the interface are not redirected again. This
command prevents an optimized packet from being rerouted directly back to the WAE. Instead,
the router sees the packet coming in and forwards it normally, and WCCP is bypassed for
packets received on that interface.
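The WCCPv2 redirection rules in this topic can be checked mechanically against a saved router configuration. The following is an added example, not part of the course material: a Python audit that flags a missing service group, egress redirection without ip wccp redirect exclude in, egress-only redirection, and redirection on the interface that carries the exclude statement. The interface names and both sample configurations are constructed, and treating the interface with the exclude statement as the WAE-facing one is an assumption.

```python
import re

# Constructed router configurations for illustration; interface names are assumptions.
SAMPLE_INGRESS = """\
ip cef
ip wccp 61
ip wccp 62
interface GigabitEthernet0/0.10
 description LAN users
 ip wccp 61 redirect in
interface Serial0/0
 description WAN
 ip wccp 62 redirect in
interface GigabitEthernet0/0.11
 description WAE
"""

SAMPLE_EGRESS_NO_EXCLUDE = """\
ip cef
ip wccp 61
ip wccp 62
interface GigabitEthernet0/0.10
 description LAN users
interface Serial0/0
 description WAN
 ip wccp 61 redirect out
 ip wccp 62 redirect in
interface GigabitEthernet0/0.11
 description WAE
"""

ENABLE = re.compile(r"ip wccp (\d+)(?:\s|$)")
REDIRECT = re.compile(r"ip wccp (\d+) redirect (in|out)$")
EXCLUDE = "ip wccp redirect exclude in"


def parse(config):
    """Return (service groups enabled globally, per-interface WCCP statements)."""
    enabled, interfaces, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():              # top-level command
            current = None
            if line.startswith("interface "):
                current = line.split(None, 1)[1]
                interfaces[current] = {"redirect": [], "exclude": False}
            else:
                m = ENABLE.match(line)
                if m:
                    enabled.add(int(m.group(1)))
        elif current is not None:             # command inside an interface block
            m = REDIRECT.match(line)
            if m:
                interfaces[current]["redirect"].append((int(m.group(1)), m.group(2)))
            elif line == EXCLUDE:
                interfaces[current]["exclude"] = True
    return enabled, interfaces


def audit(config):
    """Return a list of findings; an empty list means the rules above are met."""
    enabled, interfaces = parse(config)
    applied = [(g, d, n) for n, i in interfaces.items() for g, d in i["redirect"]]
    excluded = [n for n, i in interfaces.items() if i["exclude"]]
    findings = []
    for group in (61, 62):
        if group not in enabled:
            findings.append(f"service group {group} is not enabled globally")
        if not any(g == group for g, _, _ in applied):
            findings.append(f"service group {group} is not applied to any interface")
    if any(d == "out" for _, d, _ in applied) and not excluded:
        findings.append("egress redirection is used but no interface has "
                        "'ip wccp redirect exclude in'")
    if applied and all(d == "out" for _, d, _ in applied):
        findings.append("egress-only redirection is not recommended")
    for name in excluded:
        if interfaces[name]["redirect"]:
            findings.append(f"{name}: WAE-facing interface must not perform redirection")
    return findings


if __name__ == "__main__":
    for label, cfg in (("ingress", SAMPLE_INGRESS), ("egress", SAMPLE_EGRESS_NO_EXCLUDE)):
        print(label, audit(cfg) or "OK")
```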
Configuring PBR
This topic explains how to configure PBR as a network interception and redirection mechanism
for Cisco WAAS.
Enabling PBR requires configuration changes to the network boundary router, but not to the
WAE. PBR is recommended only in situations where WCCPv2 is absolutely not an
interception option. Remember that the WAE optimization interface must be deployed on a
VLAN or physical interface that is separate from the nodes where traffic is to be optimized.
When configuring PBR, the WAAS Transport Flow Optimization (TFO) TCP maximum
segment size (MSS) can be increased from the default value, because generic routing
encapsulation (GRE) encapsulation is not used as it would be in cases where WCCPv2 is used
for network interception. This step is optional but recommended, as it can provide a slight
performance improvement.
Use the following commands on each WAE where PBR is used for interception:
WAE# configure
WAE(config)# tfo tcp original-mss 1460
Define access lists to specify interesting traffic for each direction of traffic flow
Note
PBR can be used for interception and redirection of traffic to an NME-WAE, but this is not a
recommended practice because the NME-WAE is already installed in an ISR that is well
capable of supporting WCCPv2.
Access list ACL1 identifies all TCP traffic leaving the local network, as classified by IP
subnet.
Access list ACL2 identifies all TCP traffic entering the network, as classified by IP subnet.
Note that generic access lists with no IP classification can be used, but are not recommended
because these lists lack information needed for the comparison of inbound and outbound packet
statistics. It is recommended that separate access lists be configured with the appropriate IP
subnets defined.
This example shows the creation of an access list that identifies TCP traffic leaving a branch
office.
This example shows the creation of an access list that identifies TCP traffic entering a branch
office.
Route maps provide two functions. First, they specify the match criteria as defined by access
lists. Second, a route map identifies the device receiving matched packets as an IP next-hop
router. The route map essentially says identify traffic based on this access list, and then forward
this packet to that router. Route maps must be configured for traffic entering the location and
also for traffic leaving the location.
This example shows the configuration of route maps for a branch office. Notice that all traffic
matching access list 100 and 101 is set to be forwarded to a WAE (IP addresses 1.1.1.1 and
1.1.1.2) as next hop routers. PBR can only use one next-hop at a time. Should that hop be
inaccessible, PBR references the next configured next-hop. PBR route map configurations for
WAAS and redirection should be identical for all routers in a given location so that they can
enable support for asymmetric routing environments.
After the access lists are defined and the route maps are created, the route maps must then be
applied to interfaces on the router. Keep in mind that for WCCPv2, the WAE must be attached
to an interface where no interception or redirection is being performed. For PBR, the WAE
must be attached to an interface where no route map is applied that could possibly cause
routing loops.
Route maps are applied as IP policies on router interfaces. One route map should reference
traffic leaving the branch, including all TCP traffic from any inside IP address, and be applied
on the LAN interface of the router. The other route map should reference traffic entering the
branch, including all TCP traffic destined to any inside IP address, and be applied on the WAN
interface of the router.
PBR can use next-hop availability verification to periodically check the responsiveness of the
WAE optimization interface. This is accomplished with IP service level agreements (SLAs) and
Internet Control Message Protocol (ICMP) echo messages. If a WAE optimization interface
fails the responsiveness check, it is no longer considered a valid next-hop IP address. IP SLAs
are configured as part of the route map definition process and should be configured on all route
maps.
To configure an IP SLA, return to the route map definition sequence and specify next-hop
routers for tracking. In this example, the route map is configured to use tracking instance 1 to
track the availability of the next-hop router at 1.1.1.1. One configuration statement is added for
each WAE to be tracked.
Next, go to global configuration mode and configure the IP SLA instance. Configure the IP
SLA to track the availability of the WAE using ICMP messages (recommended), the Cisco
Discovery Protocol (CDP) neighbor database, or TCP connection attempts. Specify the interval
(frequency of check), the source interface to use, and then schedule the SLA to run.
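The PBR guidance in this topic (subnet-specific access lists, availability tracking on every route map, and a scheduled IP SLA behind each tracked next hop) can be audited the same way. The following is an added example, not part of the course material: the route-map names, tracking numbers, and the sample configuration are constructed, and the `track N ip sla M reachability` spelling is an assumption, because the tracking syntax differs between IOS releases.

```python
import re

# Constructed sample: ACL numbers 100/101 and next hops 1.1.1.1/1.1.1.2 follow
# the lesson text; route-map names and track/SLA numbers are made up.
SAMPLE = """\
access-list 100 permit tcp 10.10.10.0 0.0.0.255 any
access-list 101 permit tcp any any
route-map WAAS-LAN permit 10
 match ip address 100
 set ip next-hop verify-availability 1.1.1.1 10 track 1
 set ip next-hop verify-availability 1.1.1.2 20 track 2
route-map WAAS-WAN permit 10
 match ip address 101
 set ip next-hop 1.1.1.1 1.1.1.2
track 1 ip sla 1 reachability
ip sla 1
 icmp-echo 1.1.1.1
 frequency 10
ip sla schedule 1 life forever start-time now
"""


def audit_pbr(config):
    """Return findings for untracked next hops, unscheduled SLAs and generic ACLs."""
    acls, maps, tracks, scheduled = {}, {}, {}, set()
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():                      # top-level command
            current = None
            if m := re.match(r"access-list (\d+) (.+)", line):
                acls.setdefault(m.group(1), []).append(m.group(2))
            elif m := re.match(r"route-map (\S+) permit \d+", line):
                current = maps.setdefault(
                    m.group(1), {"acls": [], "plain": [], "tracked": []})
            elif m := re.match(r"track (\d+) ip sla (\d+) reachability", line):
                tracks[m.group(1)] = m.group(2)       # track id -> SLA id
            elif m := re.match(r"ip sla schedule (\d+) ", line):
                scheduled.add(m.group(1))
        elif current is not None:                     # inside a route-map entry
            if m := re.match(r"match ip address (.+)", line):
                current["acls"] += m.group(1).split()
            elif m := re.match(
                    r"set ip next-hop verify-availability (\S+) \d+ track (\d+)", line):
                current["tracked"].append((m.group(1), m.group(2)))
            elif m := re.match(r"set ip next-hop (.+)", line):
                current["plain"] += m.group(1).split()

    findings = []
    for name, rm in maps.items():
        for hop in rm["plain"]:
            findings.append(f"{name}: next hop {hop} has no availability tracking")
        for hop, track in rm["tracked"]:
            if track not in tracks:
                findings.append(f"{name}: next hop {hop} uses undefined track {track}")
            elif tracks[track] not in scheduled:
                findings.append(
                    f"{name}: IP SLA {tracks[track]} for next hop {hop} is not scheduled")
        for acl in rm["acls"]:
            if "permit tcp any any" in acls.get(acl, []):
                findings.append(f"{name}: access list {acl} is generic (permit tcp any any)")
    return findings


if __name__ == "__main__":
    for finding in audit_pbr(SAMPLE):
        print(finding)
```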
[Figure: ACE interception topology with the WAE on subnet 10.3.1.0/24, VLAN 10 toward the WAN and clients, VLAN 12, the IP network, and subnets 10.1.1.0/24 and 10.2.1.0/24]
Configuring the ACE module for the Catalyst 6500 series switch to provide network
interception for Cisco WAAS requires configuration of the following items:
1. Define VLANs on the Catalyst and assign the VLANs to the ACE.
2. Allocate the appropriate WAE interfaces into the WAE VLAN.
3. Ensure proper network routing from end to end.
4. Define WAE rservers (an rserver is a real server, that is, a WAE definition) and
serverfarms (groups of rservers).
5. Configure class maps, policy maps, and service policy.
Define VLANs:
Client-facing (VLAN 10)
WAE-facing (VLAN 11)
Server-facing (VLAN 12)
Telnet or session to the ACE module.
Assign an IP address to a VLAN to be used as the default gateway for the ACE.
The VLANs that are used should be configured on the Catalyst 6500 and then assigned to the
ACE module. Notice that three VLANs (minimum) are required:
VLAN facing the WAN, or directing traffic toward the WAN (in this example, VLAN 10)
VLAN facing the WAEs, the destination for traffic to be optimized or unoptimized (in this
example, VLAN 11)
VLAN facing the servers or toward the data center (in this example, VLAN 12)
VLANs are assigned to the ACE module through the svclc vlan-group command in the
Catalyst IOS global configuration mode.
Ensure that each VLAN has the appropriate IP configuration as necessary, and that network
connectivity is operational between all endpoints in the network through the Catalyst 6500
VLANs.
After the VLANs are defined and assigned to the ACE module, connect to the ACE using the
session command from the privileged exec mode on the Catalyst 6500 IOS command-line
interface (CLI).
Configure client-facing VLAN and explicitly permit traffic. Disable TCP normalization.
Configure server-facing VLAN and explicitly permit traffic. Disable TCP normalization.
Configure WAE-facing VLAN and explicitly permit traffic. Disable TCP normalization. Enable mac-sticky.
From the ACE CLI, each of the VLANs assigned to it must be configured. This configuration
includes the relevant IP address and subnet mask, along with the following:
Disable TCP normalization, which allows the ACE to permit the TCP options used by
Cisco WAAS automatic discovery.
Create an access-list that defines what traffic can be routed through the ACE (in this
example, the access list is called PERMIT-ALL and permits any IP traffic) and apply input
and output access-group policies to each of the VLANs. This allows traffic to pass through
the ACE module explicitly.
On the WAE VLAN interface, enable mac-sticky, which ensures that traffic returning to
the ACE that is to be redirected to a WAE is sent to the same WAE that saw the data
previously. If no WAE has seen data from this connection previously, the configured ACE
load-balancing policy (predictor) is used.
Note
The mac-sticky feature must be configured on the WAE VLAN when more than one WAE is
used. This feature ensures that flows coming back through the ACE module are forwarded
to the same WAE. This requires Layer 2 adjacency from the ACE module to the WAE. If this
is not configured, traffic can not be optimized because the same WAE might not be in the
path for each direction of traffic flow.
WAE1
ip address 10.3.1.2
inservice
exit
WAE2
ip address 10.3.1.3
inservice
exit
After the VLANs are created and configured, configure any necessary routes on the ACE to
ensure that end-to-end network connectivity is valid. This might require configuration of a
static route that tells the ACE module what its default gateway is.
The next step involves defining each of the WAEs that is used, and is accomplished by creating
rservers. An rserver is a real server; it defines a real device that the ACE module
interacts with.
To configure a WAE rserver, use the rserver-host configuration command from the ACE
global configuration mode. Next, specify an IP address, and enable the rserver using the
inservice command. This should be done for each WAE that is used by the ACE module.
After the rservers have been defined, then define an rserver group, also called a server farm. A
server farm is a grouping of rservers and is used as the target for traffic that is load-balanced by
the ACE. When defining the server farm:
Ensure that the transparent command is used to notify the ACE that load-balancing to this
server farm should be done transparently.
Define a predictor (load-balancing policy). This example shows the use of a hash against
the source address.
Define the rservers that are assigned to the server farm, and place each rserver within the
server farm. Note that the rserver, when being defined, also has to be placed in service.
When assigning an rserver to a server farm, the rserver must be placed in service within the
server farm as well.
Define the load-balance policy.
The final step in configuring the ACE is to define the class maps, policy maps, and service
policy:
class-map: Defines the classifiers by which traffic that is considered for load balancing is
matched. In this example, all TCP traffic is matched. This can be filtered to only load-balance a subset of traffic traversing the ACE. This works in concert with the access groups
defined on the VLANs in the ACE module config, that is, traffic must be permitted through
the ACE, and then traffic must be permitted for load-balancing.
Note
The access group configuration must permit an equivalent or greater amount of traffic than
what is defined by the class-map. If the class map expects a broader set of traffic than what
is permitted through the VLANs by the access group, the class map does not see the traffic
due to the filtering done by the access group.
policy-map: Assigns the class that has been defined to a load-balancing policy and a server
farm.
Note
The service policy must be applied to WAN-facing and server-facing VLANs but not the
WAE VLANs.
Summary
This topic summarizes the key points that were discussed in this lesson.
Summary
The Cisco WAE inline card configuration requires that WCCPv2
be disabled and consists of inline groups and inline ports.
WCCPv2 is the recommended off-path interception mechanism
for most deployments. It involves network configuration and Cisco
WAE configuration.
PBR is an alternative off-path interception mechanism in which
the Cisco WAE is treated as a next-hop router by the network for
selected traffic flows. The flows are determined by an access list
or other classification mechanisms.
The Catalyst 6500 ACE module allows Cisco WAAS to integrate
into enterprise data centers via off-path interception.
Lesson 3
Objectives
Upon completing this lesson, you will be able to explain how the WAAS Central Manager is
used to centrally configure, manage, and monitor a topology of WAE devices. This includes
being able to meet these objectives:
Describe how to assign devices to device groups to simplify configuration and reporting
Explain how to use Central Manager to distribute a WAAS software image to multiple
devices, and control the installation of software versions
Central Manager is a device mode configured on a standalone WAE that provides scalable,
secure, robust, and centralized management for all of the WAEs within the deployment. Central
Manager is used to provide device-specific and systemwide configuration, monitoring, and
reporting capabilities. Central Manager is accessible via a web browser at
https://(central_mgr_ipaddr):8443.
The default credentials for Central Manager are the same as those for the default WAE
credentials:
username = admin
password = default
Central Manager is typically deployed in the data center and can be deployed in an active-passive failover capacity by using two WAEs.
The systemwide reduction; the top ten applications for last month
From here, you can click one of the following tabs or buttons:
View Detailed Report: This button provides additional data on systemwide behavior.
Devices: This tab allows you to examine configured devices and device groups, change the
configuration, monitor statistics, or generate reports.
Services: This tab allows you to configure application acceleration services or print
services.
Activating WAEs
This topic explains how to activate a Cisco WAE or a group of Cisco WAEs within a Cisco
WAAS topology.
WAE devices that register with Central Manager must first be activated before they can receive
a policy and interact with other WAEs. To activate all inactive WAEs, click the Devices tab
and then click the Activate all inactive WAEs icon, as shown in the figure.
To activate a single WAE, click the Edit icon at the left of the WAE entry in the main Devices
table, and then click Activate.
After a device is selected for activation, its status changes to Pending. The device transitions to
Online after the activation process has finished, which generally takes two to three Central
Manager polling cycles. Central Manager polling cycles are configurable via the System tab.
[Figure: Device Groups. WAEs across the WAN assigned to Device Group 1, Device Group 2, and Device Group 3, with a legend]
Device groups are used to simplify configuration of the WAAS topology. Policy and other
settings can be applied to a device group to improve administrative efficiency. The running
WAE policy is always:
From the last device group that the WAE was added to
A WAE can be a member of multiple groups. The best practice is to configure device groups
for:
Time zones
Windows integration
Network configuration
Print services
Acceleration policies
Other services
Device groups are configured from Central Manager by clicking the Device Groups link from
the Devices tab.
Application policies can be configured against a device via the command-line interface (CLI)
or GUI, or can be configured against a device group where the WAE is a member. It is highly
recommended that device groups be used when configuring application policy to help ensure
consistency throughout the enterprise.
To create a new device group, click the Create New Device Group icon. After clicking Create
New Device Group, specify a unique name for the new group. Two types of device groups can
be created:
Configuration Group: This type is used to apply common application policy or other
configurations.
WAFS Core Cluster: This type is used only to group WAEs together as a WAFS Core
Cluster.
A device group can be specified as baseline for file services, acceleration, or platform.
Optionally, you can specify that new devices added to the system are automatically added to
this group.
After the device group is created, click Assign Devices to add devices to the new device group.
After the device group is configured, Central Manager can configure most aspects of the
individual WAEs that are members of that device group, including the following:
Software version
Notifications
Network configuration
Interception
To accomplish administrative tasks for the new group, click the Home entry in the Contents
pane on the left. This takes you to the Device Group home page and allows you to perform
configuration tasks such as:
Reapplying all device group settings against all device group WAEs
To force a WAE to use a policy explicitly from a device group the WAE is assigned to, choose
Acceleration > Policies from the Devices link and select the desired device group from the
listing.
A WAE always uses the last policy applied, that is, the last device group that the WAE was
joined to, or the last policy explicitly configured against the WAE. The exception to this rule is
dependent on the status of the explicit policy device group. If the explicit policy device group is
already configured, these settings override the local configuration, and the configuration is
inherited from other groups. The explicit policy device group can be configured on individual
devices from the device policy page.
A baseline group is used to establish the default configuration for a particular feature:
File services
Acceleration
Platform configuration
Only one baseline group can be configured for each of these features within a WAAS topology.
Baseline groups are used to apply a common configuration across all WAEs.
To view the location tree, click the Locations link from the Devices tab and then click the
Location Trees icon. Note that locations appear in red and WAE devices appear in black. The
location view is hierarchical; child locations are nested beneath their parents.
The WAAS Central Manager supports device-specific configurations in a manner similar to the
process of configuring device groups. Click the Devices link from the Devices tab and view the
list of individual devices currently resident in the WAAS topology. To edit a device, click the
Edit icon located next to the WAE Name field.
[Figure: device home page with callouts for Activation, Configuration, Policies, Services, Monitoring, Device Groups, and View reports]
By default, only basic configuration items are initially shown. Click the Show Advanced
button to view the entire table of contents. In addition to other items, the device management
home page provides statistics on the application traffic mix from last week.
From the Device Management home page, the following configuration items can be modified:
Software version
RAID settings
Notifications
Network configuration
Interception
Alarm status is the number of alarms with the highest severity alarm displayed.
Software version.
Hardware model.
Gateway.
A system status bar is displayed in two different locations within Central Manager. The first
location is at the top of most Central Manager pages. The second location is on the Devices
home page. From this location you can view the status of each of the devices within the Cisco
WAAS network.
Central Manager performs a health check and status update on each WAE at a configurable
interval.
The poll rate can be configured by choosing System > Configuration >
System.datafeed.pollRate. The poll rate is the interval at which devices poll the Central
Manager for configuration updates.
The collection rate can be configured by navigating to System > Configuration >
System.monitoring.collectRate. The collection rate is the interval at which devices send
application statistics to the Central Manager. These statistics are the basis for the graphs
presented in the GUI.
The information exchanged between the Central Manager and registered WAEs includes the
following:
Statistics
Configuration
To access additional WAE system functions, click the Alarm Information entry to edit or
monitor a device, telnet to a device, examine the device log, or run show commands. Alarms
are automatically cleared after they have been resolved, which occurs at the completion of a
Local Central Manager (LCM) polling cycle.
Although rarely needed, advanced TCP settings can be configured to provide optimizations for
high bandwidth delay product (BDP) networks. It is recommended that WAE devices be
bundled into common device groups based on the BDP of the networks they support. Advanced
TCP settings can then be applied against the BDP device group.
The Transport Flow Optimization (TFO) TCP settings configurable via the CLI and GUI
include the following:
Keepalive: This setting enables WAEs to exchange keepalive data for connections.
Optimized maximum segment size (MSS): This is the MSS of the optimized side of the
WAE. The default is 1432 bytes.
Optimized Send Buffer: This is the send buffer size of the optimized side. The default is
32 KB, and can go as large as 8192 KB.
Optimized Receive Buffer: This is the receive buffer size of the optimized side. The
default is 32 KB, and can go as large as 8192 KB.
Original MSS: This is the maximum segment size of the nonoptimized side of the WAE.
The default is 1432 bytes.
Original Send Buffer: This is the send buffer size of the nonoptimized side of the WAE.
The default is 32 KB.
Original Receive Buffer: This is the receive buffer size of the nonoptimized side of the
WAE. The default is 32 KB.
The buffer size values are only tuned in those situations where high BDP networks are
encountered. The BDP of the network can be calculated as follows:
When multiple WAN links are serviced by a WAE, the BDP of the network is the sum of the
BDP of each of the WAN links supported by the WAE:
If the BDP that is supported by the WAE exceeds the values set for the send and receive
buffers, you can compensate by adjusting the send and receive buffers for the optimized side
settings of the WAE. Modifications are not necessary to the original side settings.
To configure TCP buffers from the CLI, use the following command:
EDGE-WAE(config)#tfo tcp ?
  keepalive                 TCP keepalive, default enabled
  optimized-mss             Optimized side TCP MSS, default 1432 bytes
  optimized-receive-buffer  Optimized side Rx buffer size in KByte, default 32 KB
  optimized-send-buffer     Optimized side Tx buffer size in KByte, default 32 KB
  original-mss              Original side TCP max segment size, default 1432 bytes
  original-receive-buffer   Original side Rx buffer size in KByte, default 32 KB
  original-send-buffer      Original side Tx buffer size in KByte, default 32 KB
Note
The original-side TCP buffers should not be changed unless it is deemed that the BDP of
the network is so high that not enough data from the transmitting node can be buffered to
keep the network fully utilized.
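The buffer sizing rule above, worked through as an added Python example (not part of the Cisco course material). It uses the standard definition BDP = bandwidth x round-trip time, sums it over the WAN links a WAE serves, and compares the total with the 32 KB default and 8192 KB maximum given above. The link names and figures are constructed, and sizing the buffer to the summed BDP rounded up to a whole KB is an assumption.

```python
"""Size WAE optimized-side TFO buffers from the BDP of the WAN links served."""

DEFAULT_BUFFER_KB = 32    # default send/receive buffer size stated above
MAX_BUFFER_KB = 8192      # largest optimized-side buffer size stated above


def link_bdp_bytes(bandwidth_bps, rtt_ms):
    """BDP of one link in bytes: bandwidth (bits/s) x round-trip time (s) / 8."""
    if bandwidth_bps <= 0 or rtt_ms <= 0:
        raise ValueError("bandwidth and RTT must be positive")
    # bits/s * ms / 8000 = bytes; integer ceiling division avoids float error.
    return -((-bandwidth_bps * rtt_ms) // 8000)


def total_bdp_bytes(links):
    """A WAE serving several WAN links must cover the sum of their BDPs."""
    return sum(link_bdp_bytes(bps, rtt) for _name, bps, rtt in links)


def recommend_buffer_kb(links):
    """Return (buffer_kb, capped) for the optimized-side send/receive buffers."""
    needed_kb = -(-total_bdp_bytes(links) // 1024)   # round up to a whole KB
    if needed_kb <= DEFAULT_BUFFER_KB:
        return DEFAULT_BUFFER_KB, False              # default already covers it
    if needed_kb > MAX_BUFFER_KB:
        return MAX_BUFFER_KB, True                   # BDP exceeds what can be set
    return needed_kb, False


def render_cli(links):
    """Config-mode lines to apply; empty when the 32 KB default is enough."""
    kb, _capped = recommend_buffer_kb(links)
    if kb == DEFAULT_BUFFER_KB:
        return []
    # Only the optimized side is tuned; the original side stays at its default.
    return [
        f"tfo tcp optimized-send-buffer {kb}",
        f"tfo tcp optimized-receive-buffer {kb}",
    ]


# Constructed sample topologies: (link name, bandwidth in bits/s, RTT in ms).
BRANCH = [("T1", 1_544_000, 20)]
REGIONAL = [("DS3", 45_000_000, 100), ("Metro-E", 10_000_000, 80)]
LONGHAUL = [("GigE", 1_000_000_000, 100)]

if __name__ == "__main__":
    for label, links in (("branch", BRANCH), ("regional", REGIONAL),
                         ("long-haul", LONGHAUL)):
        kb, capped = recommend_buffer_kb(links)
        note = " (capped at maximum)" if capped else ""
        print(f"{label}: BDP {total_bdp_bytes(links)} bytes -> {kb} KB{note}")
        for line in render_cli(links):
            print("  " + line)
```
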
Central Manager allows for the definition of administrative users and associated roles. User
credentials can be stored locally on each WAE or they can be authenticated using a third-party
authentication provider, such as TACACS, RADIUS, or Active Directory.
Roles determine the menus that can be accessed by the user. To create, modify, or manage
users, click the AAA link on the System tab. The User Accounts page appears with a list of
current users. Click the Create New User Accounts icon to create a new user, or click the Edit
User icon to modify an existing user.
The process of creating a new user allows you to specify the following information:
User name
Password
CLI user (for Central Manager use only; this setting does not propagate)
Contact information
Note
Central Manager allows you to delete accounts and assign roles to an account. Remember that a
role determines the screens within Central Manager that a user can access. A user can be
assigned multiple roles. The effective permissions of a user are the sum of the roles that are
assigned to that user.
Note
The admin user cannot be deleted. The admin password must be set in the Central
Manager WAE CLI. It cannot be set in the Central Manager GUI. Other user passwords can
be changed by clicking the Password link from the System tab. You must be logged in as
that user or editing the settings of that user to change the password of that user.
Managing Roles
User roles allow the administrator to control who uses the different functions available through
Central Manager.
Roles are created by navigating to System > AAA > Roles and clicking the Create New Role
icon. Roles must have unique names. Assigning page accessibility to a role gives any user
associated with that role read-write access to those pages. Roles are read-write only. The Role
Configuration window allows administrators to control the functions that are accessible to the
users assigned to each role. Any GUI page within Central Manager can be selectively allowed
or disallowed during role configuration. Any GUI page that is selected in the role definition
will be made accessible in a read-write capacity to any user assigned to the role.
Note
Users can be assigned to multiple roles. The net effective permissions of the user are based
on the cumulative sum of all permitted pages for all roles that the user is assigned to.
Managing Domains
A domain defines the devices or device groups within the Cisco WAAS topology that a user
assigned to that domain is able to access and configure. Domains are configured adjacent to
roles, which define Central Manager pages that the user can visit and manipulate. Domains can
be configured as device domains (specify individual devices that can or cannot be accessed), or
group domains (specify device groups that can or cannot be accessed). Users assigned to a
domain have the ability to configure the entities described by the domain based on the effective
permissions provided by the assigned roles.
After roles and domains are created, users can be assigned to one or more roles and one or more
domains. To accomplish this task, choose System > AAA > Users > (user) > Role
Management and make your role assignments. Then choose System > AAA > Users > (user)
> Domain Management to make your domain assignments. Effective user permissions are the
summation of all roles assigned to that user, and effective device permissions are the
summation of all domains assigned to that user.
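Because roles and domains are each summed independently, a user holding two roles and two domains can use every permitted page on every permitted device, not only the pairings the administrator had in mind. The following added Python example (not part of the Cisco course material) models that and lists the grants that fall outside the intended pairings; all role, domain, page, device, and user names are constructed.

```python
"""Effective Central Manager access when roles and domains are both summed."""
from itertools import product

# Constructed sample data; every name below is hypothetical.
ROLES = {    # role -> GUI pages it allows (roles are always read-write)
    "branch-policy": {"Acceleration > Policies"},
    "dc-platform": {"General Settings > Authentication", "Software Update"},
}
DOMAINS = {  # domain -> devices (or device groups) it contains
    "branches": {"BR1-WAE", "BR2-WAE"},
    "datacenter": {"DC1-WAE"},
}
USERS = {    # user -> (assigned roles, assigned domains)
    "alice": ({"branch-policy", "dc-platform"}, {"branches", "datacenter"}),
    "bob": ({"branch-policy"}, {"branches"}),
}
# What the administrator meant: each role exercised only in its paired domain.
INTENT = {
    "alice": [("branch-policy", "branches"), ("dc-platform", "datacenter")],
    "bob": [("branch-policy", "branches")],
}


def effective_pages(user):
    """Pages the user can reach: the union of all pages in all assigned roles."""
    roles, _domains = USERS[user]
    return set().union(*(ROLES[r] for r in roles))


def effective_entities(user):
    """Devices the user can reach: the union of all assigned domains."""
    _roles, domains = USERS[user]
    return set().union(*(DOMAINS[d] for d in domains))


def effective_grants(user):
    """Every (page, device) pair the user can configure: pages x devices."""
    return set(product(effective_pages(user), effective_entities(user)))


def can_configure(user, page, device):
    return (page, device) in effective_grants(user)


def intended_grants(user):
    """The (page, device) pairs implied by the intended role/domain pairings."""
    grants = set()
    for role, domain in INTENT[user]:
        grants |= set(product(ROLES[role], DOMAINS[domain]))
    return grants


def unintended_grants(user):
    """Grants the user holds that no intended pairing accounts for."""
    return effective_grants(user) - intended_grants(user)


if __name__ == "__main__":
    for user in sorted(USERS):
        extra = sorted(unintended_grants(user))
        print(f"{user}: {len(effective_grants(user))} grants, "
              f"{len(extra)} outside intent")
        for page, device in extra:
            print(f"  {page} on {device}")
```

An audit of this kind is a reason to keep role and domain assignments per user narrow, or to split duties across separate accounts when a role must apply to only one set of devices.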
To configure centralized authentication for Central Manager, open the Central Manager WAE
Device home page and choose Devices > Devices > Central Manager WAE. From there,
choose General Settings > Authentication > Authentication Methods and choose an
authentication method.
Central Manager can be configured to use the following authentication providers:
TACACS
RADIUS
Active Directory
Central Manager is the preferred mechanism for integrating WAEs into Active Directory. The
majority of these tasks can be handled from the WAE home page by navigating to Devices >
Devices > (WAE).
Domain Integration
A series of tasks must be completed before a WAE can be successfully integrated into a
Windows domain. These tasks include the following:
Configure time settings and time zone, or alternately, Network Time Protocol (NTP);
WAEs must not exceed 5 minutes variance from the domain controller and Kerberos Key
Distribution Center (KDC).
Forward and reverse domain name system (DNS) lookup entries must be created for the
WAEs before integrating into the domain
WAE devices are integrated into a Windows domain by choosing Devices > Devices > (WAE)
> General Settings > Authentication > Windows Domain. Ensure that advanced settings are
shown. From the table of contents choose General Settings > Authentication > Windows
Domain, and supply the following parameters:
Windows authentication for WAN failure: This setting enables WAFS disconnected
mode, because the domain controller must be reachable during WAN disconnection.
Windows authentication for login and configuration: This setting enables management
and domain integration.
Domain controller name or fully qualified domain name (FQDN): The FQDN is
preferred.
Credentials for user with sufficient rights for adding the WAE into the domain.
Click the Submit button first to ensure that your settings are saved. Next, resupply the domain
controller and credentials and click Register.
After completing the domain integration, you can use the Show Authentication Status button
to verify that the WAE joined the domain successfully.
From this page, Central Manager provides a utility to verify domain integration for a specific
WAE. Click Show Authentication Status to verify domain integration and identify problem
areas. The following areas are verified:
Domain information
Time skew
If any of the items fail, the utility tells you how to correct the situation. After correction, the
join can be attempted again.
Note
The Microsoft Active Directory Users and Computers MMC snap-in can be used to verify
that a WAE has properly joined the domain. If the domain join was successful, the WAE
should appear as a computer in the domain.
Central Manager provides a facility for centralized software distribution, upgrade, and rollback.
Software download access can be configured to use either FTP or HTTP. Software updates can
be applied to individual devices or to entire device groups.
To add a software version to Central Manager, click the Software Files link from the System
tab.
Central Manager only stores links to download locations and credentials. The number of links
that can be stored in Central Manager is beyond practical measure, because each link entry is
less than 1024 bytes long and consumes no processor or memory resources.
To add a software image, click the Add Software Image icon on the Software Files page.
From there, specify the following parameters:
Software version
File size
Automatic reload: Selecting this option causes WAEs to automatically reboot after the
image is downloaded. This selection causes an immediate upgrade.
Software images can be applied directly against a WAE by navigating to Devices > Devices >
(WAE Device) > Home. Click the Update Software icon on the home page for the selected
device to complete this task.
Software images can be applied directly against a Device Group (the recommended update
method) by choosing Devices > Device Groups > (Device Group) > Software Update.
Note
Devices automatically reload if the software image definition is configured with autoreload.
Software images are not applied until the WAE reboots.
A WAE automatically stores two versions of software. The first or primary version is the
version the WAE uses for the boot. Any previously installed software version automatically
becomes the secondary version and is stored for backup use. Each software upgrade moves the
last primary version into secondary position. If the primary version fails to boot, it is discarded
and the WAE automatically boots from the secondary version.
After a WAE or device group is configured to install a particular software image, the WAEs
begin the installation processes. The status of these processes can be tracked by selecting the
Devices link from the Devices tab.
Device status can be one of the following:
Note
Software distribution and installation cannot be cancelled from the Central Manager.
The process of configuring a standby Central Manager is identical to the process of configuring
a primary Central Manager with the exception of assigning the Content Distribution Manager
(CDM) role as standby.
Central Manager is key based, and the key is shared by all of the WAEs in the deployment.
This approach allows a standby Central Manager to take over as a primary. In situations where
the primary fails and cannot be explicitly configured as standby, you can manually promote the
standby to primary until the failed WAE is repaired or replaced. When the WAE is ready to
return to service, first demote the primary back to standby, and then bring the primary up.
Use the cms database backup command to initiate a backup of the Central Manager database.
The output of the backup file is placed in the /local/local1 directory, which is the default
directory for copy operations when copying from disk.
Use the copy disk ftp command to move the Central Manager database backup file to an FTP
server. The format of this command follows:
WAE# copy disk ftp <ipaddr> <directory where file is located> <filename>
The Central Manager restore process requires that you first disable Cluster Management Suite
(CMS). After disabling CMS, download the Central Manager database backup file from FTP
and issue the CMS restore command to reenable CMS.
Systemwide settings for Central Manager can be configured by clicking the Configuration link
on the System tab.
These systemwide settings include the following commonly used parameters:
Central Manager Session Timeout: This is the amount of idle time before Central
Manager automatically logs out the current user.
Data Feed Pollrate: This is the frequency at which the Central Manager and WAE
exchange configuration information during the LCM cycle.
Device Identity Recovery Key: This key is used to recover device identity if the device is
replaced or otherwise rebuilt from factory conditions.
Health Monitor Data Collection Rate: This is the frequency at which the WAEs transfer
health monitoring information to the Central Manager.
Application Monitor Data Collection Rate: This is the frequency at which application
statistics are transferred from WAEs to the Central Manager.
System.datafeed.pollRate is the interval at which devices poll the Central Manager for
configuration updates.
Before device recovery can begin, the device must first be deactivated and specified as
replaceable. You can accomplish these tasks from the Device home page by choosing Devices
> <device> > Activation and selecting the device to be deactivated.
After recovery, the WAE registers itself as the device that was specified as replaceable.
Central Manager can be configured to use Fast Device Offline Detection to proactively mark a
device as offline. To enable this feature, choose System > Configuration > Fast Device
Offline Detection.
Enabling this feature causes Central Manager to mark a device offline based on the settings
specified within this page. These settings include:
Heartbeat rate of exchange: This setting defines how frequently the WAEs and Central
Manager exchange heartbeat information. These exchanges are separate from those
performed in the LCM cycle.
Heartbeat fail count: This setting defines how many heartbeat exchanges can be missed
before Central Manager marks a WAE as offline.
Heartbeat User Datagram Protocol (UDP) port: This setting specifies the UDP port to
use for heartbeat information.
Normally, Central Manager marks a device as offline when three LCM cycles are unsuccessful.
The time interval associated with this function is based on the datafeed pollrate value in the
system settings.
Summary
This topic summarizes the key points that were discussed in this lesson.
Central Manager provides a robust, scalable, and secure single point of management for a Cisco WAAS topology.
Devices must register with Central Manager and be activated before they can participate as application accelerators.
Device groups provide an easy way for administrators to simplify configuration of application policy and other acceleration features.
Role-based access control allows for the definition of features, management pages, devices, and device groups that a user can access.
Central Manager can be used to automate the distribution and installation of device software to WAEs within a topology.
A standby Central Manager WAE can be configured to support environments where high availability is critical.
2007 Cisco Systems, Inc. All rights reserved.
Lesson 4
Objectives
Upon completing this lesson, you will be able to explain how to configure application traffic
policies. This includes being able to meet these objectives:
Describe the default application traffic policy that can be used to minimize administrative
configuration tasks
Identify the traffic policies that are configured for file services and UUID-based
classification
Explain how to use the WAE device CLI to monitor WAAS optimizations and their
effectiveness
[Figure: application traffic policy components: Application Definition, Traffic Classifier, and Policy Map]
The application traffic policy (ATP) is a device-specific or global policy that defines WAE behavior when specific traffic
types are encountered. ATPs can be configured for individual WAEs, or they can be configured
globally through the WAAS Central Manager. To perform global configuration, the WAEs in
the topology must first be registered with the Central Manager.
ATPs support up to 256 application definitions, 512 classifiers, and 1024 match conditions.
Cisco WAAS comes preloaded with an ATP configuration containing over 30 application
groups with over 150 unique application classifiers. The default configuration that is included
with Cisco WAAS addresses the majority of enterprise applications today.
Application Definition
The application definition provides a logical grouping of traffic types.
Statistics from traffic classifiers mapped to an application through a policy map report through the application definition.
Monitoring is enabled per application definition.
Applications are assigned to devices or device groups.
The application definition provides a logical grouping of traffic types to support the monitoring
and collection of statistics. Monitoring must be enabled on an application group before
statistics can be gathered through the Central Manager polling cycle. Application definitions
can be globally configured within Central Manager and then assigned to devices or device
groups, or they can be defined directly on individual WAEs.
Traffic Classifier
The traffic classifier is used to identify a connection as a specific type.
Actions are taken against the classifier based upon the configured policy map.
Statistics count toward the application definition that the classifier is assigned to via the policy map.
Classification is based on source or destination L3 and L4 parameters.
A traffic classifier is used to classify the traffic that is received by a WAE. Traffic classifiers
are based on:
All traffic
Policy Map
A policy map performs two primary functions:
Associates a traffic classifier to an application definition for reporting purposes.
Assigns an action to be taken against traffic that matches a traffic classifier.
Actions shown on the slide:
TFO
TFO + LZ
TFO + DRE
Full (TFO + DRE + LZ)
Accelerate: Application adaptor or UUID
A policy map associates classified traffic to an application definition that enables reporting and
monitoring. The policy map also assigns the actions to be taken against matching traffic. These
actions or optimizations include the following:
TCP optimize: Transport Flow Optimization (TFO) only. This optimization is
commonly used for traffic that is encrypted or previously compressed and is not highly
repeatable.
TCP optimize and Lempel-Ziv (LZ) compression: This optimization is commonly used
for interactive applications that use very small exchanges, such as telnet, where Data
Redundancy Elimination (DRE) offers little value.
TCP optimize + DRE: This optimization is commonly used for applications where the
traffic is encrypted or previously compressed but highly repeatable, and where LZ does not
provide significant value.
Classified traffic can also be handed to an application adaptor, in a process called acceleration:
End Point Mapper (EPM): This adaptor allows the WAE to identify an application's
dynamically assigned port number, which is useful for applications that first transmit a
universally unique identifier (UUID) on TCP port 135 to request a dynamically assigned
port. The WAE intercepts these messages and dynamically builds a policy based on the
dynamically assigned port.
WAFS Accept: This adaptor allows the WAE to act as a file server proxy-cache.
WAFS Transport: This adaptor allows the WAE to optimize the Common Internet File
System (CIFS) flows that must traverse the WAN.
A policy that does not use an application adaptor is considered a basic policy, unless it is
defined for all traffic, in which case it is considered an other policy. Application policies are
applied based on the priority assignment of the policy within Central Manager.
Default Policies
This topic describes the Cisco-provided default application traffic policy and explains its use.
[Slide table: default policy logic and actions. Logic entries: encrypted with fixed keys; compressed and repeatable; transient compressible data. Action entries: FULL, TFO, TFO+LZ, LZ]
Cisco WAASv4 ships with an embedded, robust default application policy that provides the
following:
The default application policy can be enabled on a device or device group in Central Manager,
or it can be enabled through the command-line interface (CLI).
Enable the default policy on a WAE or group of WAEs by clicking the restore default policy
icon on the Device Groups page of Central Manager. After enabling the default policy, click ok
to verify this action and propagate the policy to the WAE or the device group during the Local
Central Manager (LCM) polling cycle.
To enable the default policy on an individual WAE using the WAE CLI, execute the following
commands:
WAE# config term
WAE(config)# policy-engine config restore-predefined
To enable the default policy on a device group of WAEs using Central Manager, open the
device group and click the Restore default application policies button. This lesson assumes that
the default policy has been applied to all WAEs in the WAAS topology.
Global optimization capabilities for a WAE device or a WAE device group can be configured
at Devices > (Devices or Device Groups) > (Entity Name) > Acceleration > General Settings.
Any feature with a checkmark next to it is enabled. Any feature missing a checkmark is
disabled. If a WAE is configured to explicitly pull its policy and configuration from a device
group, as shown here, this page does not allow you to modify these settings. In this case,
modify the settings in the device group configuration page.
Application definitions are groups used to bundle classifiers into a common reporting entity.
Application definitions are configured from the Applications panel of Central Manager. When
using the default application traffic policy, all of the applications shown on this panel are
preconfigured.
The Applications panel allows you to create a new application definition or modify existing
application definitions. Statistics from associated classifiers are gathered and reported
cumulatively by the application definition, and individual classifier statistics are available.
To edit an existing application definition or enable an application for monitoring, click the edit
application icon next to the application name. To create a new application definition, click the
new icon.
Use the show policy-engine application name command (entered at the edge-wae# prompt) to view a list of
application definitions that are provided by the Cisco WAAS default application policy. The
number shown in parentheses represents an identifier that is used internally:
Number of Applications: 28
1. Authentication (15)
2. Backup (17)
3. Call-Management (18)
4. Conferencing (8)
5. Console (4)
6. Content-Management (20)
7. Directory-Services (6)
8. Email-and-Messaging (12)
9. Enterprise-Applications (13)
10. File-System (2)
11. File-Transfer (16)
12. Instant-Messaging (22)
13. Name-Services (25)
14. Network-Analysis (26)
15. Peer-to-peer (P2P) (9)
16. Printing (14)
17. Remote-Desktop (5)
18. Replication (21)
19. Structured Query Language (SQL) (1)
20. Secure Shell (SSH) (24)
21. Storage (27)
22. Streaming (10)
23. Systems-Management (3)
24. Virtual private network (VPN) (23)
25. Version-Management (7)
26. WAFS (11)
27. Web (19)
28. Other (0)
Note
Enabling an application for monitoring enables the exchange of application data between the
Central Manager and the WAEs to which the application is assigned.
Check the enable statistics box to gather statistics relative to this application from the
assigned WAEs.
Select the devices or device groups to be added to the WAE and click the submit button. All
configuration changes are propagated to the WAEs that are in the device group.
Managing Policies
This topic examines the purpose and use of policy maps.
A policy map associates an action with a classifier, and assigns optimization statistics to an
application.
Policy Maps are configured on a device or a device group through Central Manager by
navigating to Devices > Device Groups > (name) > Acceleration > Policies > Definitions.
The device group policies page allows you to perform the following functions:
Policy maps have assigned priorities, as indicated by the Type - Position column shown in the
figure. These assigned priorities can be changed from within Central Manager. An Other
policy, located at the bottom of the policy definition list, is used when no classifiers match the
traffic found. The Other policy is required for the system to function properly and is added
automatically when the default policy is installed. The Other policy can be adjusted to tune the
level of optimization applied to flows that could not be classified.
Editing Policies
[Figure: policy edit page with callouts for Type, Application, Classifier, Action, EPM traffic, and Position]
EPM: An EPM policy is identified by a UUID, for instance, Exchange or Active Directory
Replication.
WAFS accept: A WAFS accept policy is used to route CIFS traffic for file servers
configured for acceleration to the CIFS application adaptor.
WAFS transport: A WAFS transport policy is used to optimize CIFS flows between
WAEs traversing the WAN for file servers that are configured for acceleration.
The application parameter defines the application that is associated with the statistics.
The classifier parameter is used to identify relevant traffic.
The action parameter specifies how the WAE is to respond to a flow when identified, and
determines the optimizations to list as desirable during the automatic discovery process:
TFO with Data Redundancy Elimination: TFO and DRE are applied to this flow.
TFO with LZ Compression: TFO and LZ compression are applied to this flow.
Full Optimization: DRE, TFO, and LZ compression are applied to this flow.
The position parameter can be manually set here to one of the following:
First (in the list): This policy is the first policy that flows are compared against.
Last (in the list): This policy is the last policy that flows are compared against.
Specific (position): This policy must be inserted at a specific position within the list.
Additionally, policy prioritization can be manually adjusted by clicking the Prioritization table
of contents item at the left of the panel.
Note
DRE and LZ compression require the use of TFO, as TFO is the data path for the WAEs.
When a WAE receives a TCP synchronize (SYN) message, it scans the policy list and uses the
first match it finds. This approach is helpful when policies overlap, or when a specific policy
is preferred.
For example, an IT organization can choose to have all HTTP traffic configured for full
optimization, with the exception of traffic originating from the server with IP address 2.2.2.2,
which is configured for pass-through. To fulfill this example, two policies are created:
Policy 1: This policy matches traffic on destination port TCP 80 (HTTP), and specifies full
optimization.
Policy 2: This policy matches traffic on destination port TCP 80 (HTTP) and destination IP
address of 2.2.2.2, and specifies pass-through.
To continue this example, policy 2 is configured with a higher priority than policy 1, so that
any traffic to 2.2.2.2 on TCP 80 (HTTP) is passed-through with no optimizations, while all
other HTTP traffic is fully optimized.
Policy priority can be changed through the policy definition page by specifying first, last, or
specific position, or by using the arrows found in the move column of the policy definition
page.
Managing Classifiers
Classifiers are used to identify flows and associate those flows to the assigned policy. Each
classifier must have a unique name. A classifier can contain one or more match conditions.
Each match condition can contain parameters the WAE can use when identifying traffic:
To edit a match condition within a classifier, click the Edit icon on the Application Classifier
panel. To create a new match condition within a classifier, click the New icon.
The Match Conditions panel allows you to define classifier match conditions. The following
parameters can be supplied:
Match all: Any and all traffic is considered a match by this classifier.
Destination IP wildcard: This parameter is the inverse of the subnet mask. Use this field
only when supplying a specific destination IP address or subnet.
Destination port start: To specify a single destination port definition, enter the port
number in this field. To configure a range of destination ports, enter the first port of the
range in this field.
Destination port end: Use this field only when defining a port range. Enter the last port of
the range in this field.
Source IP wildcard: This parameter is the inverse of the subnet mask. Use this field only
when supplying a source IP address or subnet.
Source port start: To specify a single source port definition, enter the port number in this
field. To configure a range of source ports, enter the first port of the range in this field.
Source port end: Use this field only when defining port ranges. Enter the last port of the
range in this field.
Supply the necessary information and click the Update Classifier button at the bottom of the
panel to save the match criteria.
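
The first-match behavior from the HTTP example and the wildcard and port-range match parameters described above can be modeled offline, which also makes it possible to detect a policy that an earlier one hides completely. This is an added example, not Cisco code: the class and function names are hypothetical, only the destination fields are modeled, and the shadowing check goes beyond the case in the text.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class Match:
    """One match condition. A field left as None is unspecified and matches anything."""
    dst_ip: Optional[str] = None
    dst_wildcard: str = "0.0.0.0"        # inverse of the subnet mask; all zeros = one host
    dst_port_start: Optional[int] = None
    dst_port_end: Optional[int] = None   # used only when defining a port range
    match_all: bool = False

    def care_bits(self) -> int:
        # Bits set in the wildcard are ignored; the remaining bits must be equal.
        return ~ip_int(self.dst_wildcard) & 0xFFFFFFFF

    def ports(self) -> Optional[Tuple[int, int]]:
        if self.dst_port_start is None:
            return None
        end = self.dst_port_start if self.dst_port_end is None else self.dst_port_end
        return (self.dst_port_start, end)

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        if self.match_all:
            return True
        if self.dst_ip is not None:
            care = self.care_bits()
            if (ip_int(dst_ip) & care) != (ip_int(self.dst_ip) & care):
                return False
        rng = self.ports()
        return rng is None or rng[0] <= dst_port <= rng[1]

    def covers(self, other: "Match") -> bool:
        """True if every flow matched by `other` is also matched by this condition."""
        if self.match_all:
            return True
        if other.match_all:
            return False
        if self.dst_ip is not None:
            if other.dst_ip is None:
                return False
            mine, theirs = self.care_bits(), other.care_bits()
            # We may not test a bit that `other` leaves free, and must agree on ours.
            if (mine & ~theirs) or (ip_int(self.dst_ip) & mine) != (ip_int(other.dst_ip) & mine):
                return False
        mine_p, their_p = self.ports(), other.ports()
        if mine_p is not None:
            if their_p is None or their_p[0] < mine_p[0] or their_p[1] > mine_p[1]:
                return False
        return True


@dataclass(frozen=True)
class Policy:
    name: str
    conditions: Tuple[Match, ...]   # a classifier holds one or more match conditions
    action: str


def select_policy(policies: List[Policy], dst_ip: str, dst_port: int) -> Policy:
    """Return the first policy, in list order, that has a matching condition."""
    for policy in policies:
        if any(c.matches(dst_ip, dst_port) for c in policy.conditions):
            return policy
    raise LookupError("no match: the list must end with the Other policy")


def shadowed(policies: List[Policy]) -> List[Tuple[str, str]]:
    """List (later, earlier) pairs where `later` can never be selected."""
    found = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if all(any(e.covers(c) for e in earlier.conditions) for c in later.conditions):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed policies for the HTTP example; the Other action is an illustrative label.
HTTP_ALL = Policy("policy-1", (Match(dst_port_start=80),), "Full Optimization")
HTTP_2222 = Policy("policy-2", (Match(dst_ip="2.2.2.2", dst_port_start=80),), "Pass-through")
OTHER = Policy("Other", (Match(match_all=True),), "Other (configurable)")

CORRECT_ORDER = [HTTP_2222, HTTP_ALL, OTHER]   # policy 2 has the higher priority
WRONG_ORDER = [HTTP_ALL, HTTP_2222, OTHER]     # policy 2 is hidden behind policy 1
```

With the wrong order, `shadowed(WRONG_ORDER)` reports that policy-2 is hidden by policy-1, so traffic to 2.2.2.2 on TCP 80 would be optimized instead of passed through.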
The Central Manager allows an administrator to view the policies that have been applied to
each device and device group. This function is useful for identifying policies that overlap or
conflict with other classifications. Click the Edit icon next to the device or the device group, to
view the policy listing page for that device or group.
The Central Manager allows an administrator to view all of the classifiers that are defined
within the system. This function is useful for identifying overlapping or conflicting classifiers.
Click the View icon next to the classifier to view the parameters defined for that classifier.
From this page, click the Edit icon next to the appropriate device or device group to modify the
settings for that classifier.
Adaptor policies define the optimization to apply to a specific type of flow. Adaptor policies
are automatically configured as part of the default application policy. Valid adaptors in
WAAS v4 include the following:
WAFS Transport: This adaptor specifies TCP 4050, which is used between WAFS Edge
and Core devices for CIFS acceleration and, more specifically, messages that must be sent
across the WAN for CIFS-accelerated connections.
EPM: This adaptor listens on TCP 135, identifies the UUIDs of an application, and assigns
policy to the dynamically-assigned port.
CIFS Policy
Full optimization, when a server can not be CIFS accelerated due to Server Message Block
(SMB) signing
The application classifier used by the CIFS policy is CIFS, which references TCP ports 139 and
445. When a user attempts a connection to a CIFS file server through an edge WAE running the
WAFS Edge service, it initiates a query of the connected core cluster (containing WAEs
running the WAFS Core service) to find who is closest. A connection is then established to the
core cluster that responds the fastest.
The configuration of the CIFS policy should be as follows (and is configured this way by
default):
Type: Basic
Application: File-System
Enabled: Yes
The WAFS Transport adaptor dynamically builds its own classifier based on the WAFS
service, directive configuration, and file servers that have been explicitly defined or
automatically discovered. This policy is used to define full optimization for traffic from the
CIFS accelerator that needs to traverse the WAN. This policy is already built as part of the
default application traffic policy, and must be enabled on any WAE that is participating in file
services optimizations as a Core or Edge WAFS device.
The WAFS Transport policy is configured as follows:
Application: WAFS
Enabled: Yes
The EPM adaptor is used for applications that use dynamic port assignment via TCP 135. The
EPM adaptor intercepts exchanges for dynamic port requests to allow WAAS to apply
optimization against the port assigned. UUIDs are predefined and associated with canonical
names in the GUI:
Monitoring Optimizations
This topic explains how to use the WAE device CLI to examine the optimizations applied to
traffic flows, and how to judge the effectiveness of those optimizations.
2007 Cisco Systems, Inc. All rights reserved.
Central Manager allows the administrator to view established optimized connections between
WAEs. To perform this function, navigate to the Topology page and examine the statistics
related to a connection, or to an individual device.
From the topology panel, select a WAE and click the Traffic Statistics Details link to view
detailed traffic statistics for that device. Note the following information, which can be filtered
by timeframe or direction of flow:
Bytes transmitted
Bytes savings
Pass-through traffic
Applications to include
or All
The Central Manager detailed report allows you to specify the type of chart to examine:
This chart can be small, medium, or large in size, and can be filtered for a specific timeframe:
Hour
Day
Week
Month
Date range
This example of a large report shows statistics for the past month for traffic reduction excluding
pass-through. Four traffic types provide the basis for this report. This particular report shows
the percentage of bandwidth reduction provided by Cisco WAAS over the previous month for
all traffic and three specific application groups.
The device CLI provides full visibility into optimizations applied and their effectiveness,
including:
Auto-discovery statistics
Acceleration services maintain keepalives with the policy engine. This function ensures that
packets are redirected using the remaining policy engine rules if an accelerator service fails.
The handling level is the load an accelerator service can handle, and is reported to the policy
engine. A handling level of 100 percent indicates the accelerator is healthy, and is capable of
handling all of the workload identified by the policy engine. A handling level of less than 100
percent indicates the accelerator is under load, and is telling the policy engine how much traffic
can be processed.
Generally, the accelerator handling level remains at 100 percent unless the WAE encounters an
overload scenario, based on static system limits. An overload scenario is reached when 98
percent of maximum system limits are encountered. The WAE does not leave the overload
situation until less than 95 percent of maximum system limits are encountered.
Note
The CIFS accelerator only shows up if the WAE is configured with the WAFS Edge service.
WAFS Core WAEs do not have the CIFS accelerator registered with TFO. WAFS Edge
WAEs operating in non-transparent mode show a handling level of 0 percent.
Auto-Discovery Statistics
Auto-discovery statistics on a WAE can be viewed by
using the show tfo auto-discovery command:
edge-wae# sh tfo auto-discovery
Auto discovery structure allocations failure:   0
Auto discovery structure allocations success:   1092
Auto discovery structure deallocations:         526
Auto discovery table bucket overflows:          0
Auto discovery table overflows:                 0
Auto discovery table entry adds:                1092
Auto discovery table entry drops:               526
Auto discovery table lookups:                   528
Auto discovery table entry count:               566
Packets sent during auto discovery:             1577
Packets received during auto discovery:         1620
Number of route lookup failures:                0
Number of successful route lookups:             39
Bind hash add failures:                         0
The show tfo auto-discovery command provides an overview of the auto-discovery situations
encountered. This command is helpful for identifying the cause of auto-discovery failure.
The show statistics tfo command displays the total number of connections that are optimized
by the system, the number of active connections, and the number of peers. This command is
helpful for determining if the system is operating within static system limits.
The show tfo connection summary command displays all of the connections that are optimized
and passed-through by the WAE. A table displays the tuple information (source IP, destination
IP, source port, destination port), and the internal connection ID, peer WAE ID, and policy.
Policy descriptors are described as follows:
O: Our policy; this is the policy that is configured on the local WAE
P: Peer policy; this is the policy that is configured on the peer WAE
F: Negotiated policy; this is the least common denominator of the two configured policies
A: Applied policy; this is the policy applied, based on the WAE capabilities and load
Use the show statistics tfo peer command to examine the optimization statistics for all peer
WAEs. Notice the number of encodes, decodes, active connections, and total connections.
Also, note the number of bytes read versus the number of bytes written.
Use the show tfo connection command to view the optimizations applied to all connections on
a WAE device, and the statistics associated with those optimizations.
This command can be filtered to minimize the output by specifying the following parameters:
client-ip
client-port
peer-id
server-ip
server-port
Note the socket information (source and destination IP, and source and destination port), and
the policy information (our policy, peer policy, negotiated policy).
This figure is a continuation from the previous page. Notice the number of reads and writes,
and encodes and decodes.
Use the show stat tfo application command to view optimizations applied to traffic for a
specific application. This command can be filtered to minimize display output by appending an
application name to the end of the command line.
Use the command edge-wae# sh policy-engine app name to view a list of available
applications.
Use the show stat tfo saving command to view savings statistics for all configured
applications. This command can be filtered to include a single application as shown in the
figure. Note the bytes savings, packets savings, and perceived compression ratio.
Total (cumulative): 4
Active: 4
Encode:
   Overall: msg: 2, in: 207 B, out: 45 B, ratio: 78.26%
   DRE:     msg: 2, in: 207 B, out: 45 B, ratio: 78.26%
   LZ:      msg: 0, in: 0 B, out: 0 B, ratio: 0.00%
   Bypass:  msg: 0, in: 0 B, partial chunks: 17 B
   Latency(Last 3 sec): max 0 ms, avg 0 ms
   Message size distribution:
   0-1K=0% 1K-5K=0% 5K-15K=0% 15K-25K=0% 25K-40K=0% >40K=0%
Decode:
   Overall: msg: 901, in: 323 KB, out: 15608 KB, ratio: 97.92%
   DRE:     msg: 901, in: 375 KB, out: 15608 KB, ratio: 97.60%
   LZ:      msg: 234, in: 110 KB, out: 161 KB, ratio: 31.68%
   Bypass:  msg: 0, in: 0 B
   Latency (Last 3 sec): max 0 ms, avg 0 ms
   Message size distribution:
   0-1K=1% 1K-5K=13% 5K-15K=36% 15K-25K=22% 25K-40K=20% >40K=5%
The device CLI provides full visibility into DRE and LZ compression statistics and
effectiveness:
The show statistics dre command displays information relative to the state of the DRE cache,
including the age of the oldest data, the amount of disk capacity consumed and maximum
available, the amount of RAM consumed and maximum available, and the number of active
connections. Note that it also shows overall encode and decode statistics, including
compression ratio and bytes-in versus bytes-out.
Use the show statistics dre conn command to view statistics for all of the connections
optimized by DRE. Note that this command can be filtered based on:
Connection ID
Peer number
Last connection
The syntax and options for this command are listed and described as follows.
edge-wae#sh stat dre con ?
Note that DRE statistics are relative to working with a specific peer. Note the number of
bytes-in versus bytes-out, the compression ratios, and the latency that is imposed due to compression.
Use the sh stat dre peer command to view DRE statistics for specific connected peers.
This command can be filtered to show information related to any of the following:
Contexts
Peer IP address
Peer ID
The syntax and options for this command are listed and described as follows:
edge-wae#sh stat dre peer ?
Options include:
Clearing the DRE cache stops and restarts the TCP proxy service and any CIFS acceleration
services. Any sessions or connections that are active are broken and must be automatically
regenerated by the communicating nodes. This action removes the compression history of the
DRE cache on the local WAE. A reboot is required only in cases where the TCP proxy service
is unable to be restarted after it has been stopped. Otherwise the WAE reboots automatically.
Summary
This topic summarizes the key points that were discussed in this lesson.
Application traffic policies define the behavior of the WAEs in the network and
dictate what optimizations are applied when traffic of a specific type is
encountered.
The default traffic policy can be used for simple optimization configurations and
includes policies for over 150 classifiers.
Application definitions are a top-level object used for reporting statistics for all
associated classifiers and optimizations.
Policy maps are used to associate traffic classifiers with an application definition
for statistical purposes. They also define the optimizations to apply.
Traffic classifiers are used to specify the qualifiers to look for before associating a
traffic flow with a specific application.
Traffic policies are commonly configured from Central Manager for synchronization
and simplicity. They can also be configured on each WAE using the CLI.
Adaptor policies are used for specific applications where the TCP port assignment
is dynamic or additional latency reduction is required.
You can monitor the impact of optimizations using the CLI.
Lesson 5
Configuring Application Acceleration
Overview
This topic explains how to use Central Manager as a centralized driver repository and describes
how to configure driver upload and distribution.
Objectives
Upon completing this lesson, you will be able to explain how to configure file and print
services acceleration. This includes being able to meet these objectives:
Explain the basic file services optimization configuration for WAAS, including file server
definition, core cluster configuration, edge server configuration, controlling services, and
connectivity directives
Explain the behavior of WAAS file services during periods of intermittent and prolonged
network disconnection
Explain how WAAS can prepopulate an edge cache and DRE to improve performance for
the first user and for subsequent users
Cisco WAAS provides the industry's most innovative and robust file services optimizations:
Application protocol interface for CIFS to handle protocol message workload at the Edge
to mitigate the impact of latency through message suppression, local response handling,
protocol caching, operation batching, message prediction, read-ahead, and pre-fetch
Application data and meta data cache to serve usable content at the Edge to mitigate
unnecessary data transfers when safe; validate-on-open to verify that file data has not
changed; global locking to ensure coherency and enable global collaboration scenarios
The Wide Area File Services (WAFS) Benchmark Tool is available for download on Cisco
Connection Online (CCO). This utility stages data to a file server and then executes a script that
makes calls against these files, including OPEN, READ, WRITE, SAVE, and CLOSE
operations. The amount of time taken to perform these tests can then be saved to a comma
separated value (CSV) file for viewing and graphing. The results shown in the figure represent
the typical performance improvement provided by Cisco WAAS in CIFS environments.
Cisco WAAS acceleration is safe and requires no coherency configuration. The level of
optimization applied is directly related to the type of file being opened, and the state of the
opportunistic lock that is granted to the user. For single-user situations, Cisco WAAS can
employ the breadth of its optimizations to dramatically improve performance. For multi-user
situations or no-oplock situations, Cisco WAAS can safely apply many optimizations to
improve performance.
For example, when a Microsoft Word file is being edited by a single user, WAAS employs
all of the optimizations available to improve performance. This is true for Microsoft Access
database files and other collaborative data sets; when a single user is working with an object,
Cisco WAAS employs the full optimization suite. When multiple users are working with the
same file, WAAS automatically adjusts its level of optimization to maintain data integrity and
safety.
Cisco WAAS is proven effective for the most common CIFS applications including Microsoft
Office (Word, PowerPoint, Excel), MS Access (and other database applications that use CIFS),
computer-aided design/computer-aided manufacturing (CAD/CAM) applications, My
Documents storage, desktop backup and restore, and other applications such as imaging.
CIFS Acceleration
The default policy contains two policies that are required for WAFS to operate:
CIFS policy: This policy allows the system to send appropriate traffic to the CIFS
accelerator. The classifier used is CIFS (TCP 139 and TCP 445). The actions include Full
Optimization and CIFS acceleration.
WAFS transport policy: This policy allows the system to optimize traffic sent between
WAFS application adaptor instances (Core and Edge nodes) using TFO, DRE, and LZ.
Note
These policies are included in the default Cisco WAAS policy and do not require
modification. Cisco WAAS dynamically builds match conditions based on service
configuration which allows for the WAEs to accurately handle and accelerate CIFS traffic.
For this reason administrators do not need to modify or manipulate these policies.
A Core Server cluster must first be defined before file services optimizations can be configured.
A Core Server cluster can have a single WAE as a member, or many WAEs as members. When
an Edge Server connects to a Core Server cluster, it is provided a list of all of the Core Server
members. It then randomizes the list and connects to one of the nodes. If that node fails, the
Edge Server removes the failed node from the list, re-shuffles, and connects to another node.
The credentials supplied on the Core cluster configuration allow the Core Server nodes to
browse the origin servers and read from the origin servers when configuring the preposition
function. High priority messages can be marked with a configurable Differentiated Services
Code Point (DSCP) value to enable higher priority handling within the network, which can lead
to improved performance.
Note
The file server access username and password are only required when using the preposition
capabilities of Cisco WAAS. The credentials provided here should be for a user that has
read-access to any file servers where preposition is needed, and the user should be a
member of a domain that has trusted access to any domain that a file server participating in
preposition resides in.
One or more WAE nodes deployed near the origin file servers should be configured as WAFS
Core Servers. This WAE must be assigned to a WAFS Core Cluster group. This assignment is
configured in Central Manager by navigating to Devices > Device > (node) > File Services >
Core Configuration. A Core Server WAE can be a member of only one Core Cluster.
Launch the local GUI of the Core Server WAE and verify that the WAFS Core service is
running. If the service is not running, be sure to start the service.
One or more WAE nodes deployed in the remote office should be configured as a WAFS Edge
Server. No WAFS Edge Server group configuration is required, and you can use a standard
configuration group, but this is not necessary. The Edge Server service is configured in Central
Manager by navigating to Devices > Device > (node) > File Services > Edge Configuration.
Specify the following configuration options for the device or device group:
Transparent mode
Launch the local GUI of the Edge Server WAE and verify that the WAFS Edge service is
running. If the service is not running, be sure to start the service.
Cisco WAAS does not explicitly require definition of each file server that is to be accelerated.
However, if preposition or disconnected mode or both are to be used, the file servers associated
with each of those features must be defined at Services > File > File Servers.
File servers that are accelerated but not participating in preposition or disconnected mode of
operation do not need to be configured on this page.
When defining file servers (to configure preposition or disconnected mode of operation), you
must specify the following:
Clicking the magnifying glass icon next to the Core Cluster definition causes the Core WAEs in
the cluster to attempt to resolve the name of the file server. WAEs configured with the WAFS
Core service must be able to resolve the name of the file servers being optimized to an IP
address if they are defined on this page.
To serve the needs of organizations with a large list of file servers that need to participate in
disconnected mode of operation or preposition, an import utility is available from the Central
Manager. This utility allows an administrator to import a CSV file that can be used to define
the appropriate file servers. The CSV file for importing file server information should be
defined as follows:
The first row should be populated with the following words in each column, each as a column
header: Name,AllowDisconnected,Cluster
Multiple columns in the first row should be created with the name Cluster if multiple WAFS
Core Clusters are to be listed in the data rows that follow.
Next, create rows beneath the column header row, each with the following values:
Name,AllowDisconnected,Cluster
Note
This row will contain data, and not the actual words Name, AllowDisconnected, and
Cluster.
Where:
Name is the name of the file server. This name must be resolvable.
AllowDisconnected is TRUE or FALSE. This value is required for CIFS servers only, to
enable read-only disconnected mode. The default is TRUE if left blank.
Cluster is the name of the WAFS Core Cluster. This value can include more than one cluster
name, with each name separated by a comma.
For example:
server1,TRUE,cluster1:
In this example, the file server name server1 is a CIFS server accessible in read-only
disconnected mode, and is accessible via cluster cluster1.
server2,FALSE,cluster2,cluster3:
In this example, the file server name server2 is a CIFS server not accessible in read-only
disconnected mode, and is accessible via clusters cluster2 and cluster3.
The import tool can be found in the file servers toolbar at Services > File > File Servers.
Note
Cisco WAAS will inspect Server Message Block (SMB) headers in packets exchanged
between clients and servers to see if SMB signing is required or optional. If set to optional,
Cisco WAAS will dynamically change the setting of the packets to off to allow for full
acceleration capabilities to be applied. If SMB signing is set to required, SMB-signed CIFS
traffic will not benefit from the full acceleration capabilities, but will benefit from other
optimizations (DRE, TFO, and Persistent LZ) provided by WAAS. File servers that require
SMB signing should not be defined in Central Manager.
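
A file in the import format described above can be checked offline before it is handed to the import tool. The validator below is an added example, not part of Cisco WAAS: the function name, the `smb_signing_required` inventory, the duplicate-name check, and the strict upper-case TRUE/FALSE test are assumptions, and the sample files are constructed.

```python
import csv
import io
from typing import Dict, FrozenSet, List, Tuple


def parse_file_server_csv(
    text: str, smb_signing_required: FrozenSet[str] = frozenset()
) -> Tuple[List[Dict], List[str]]:
    """Validate an import file offline; return (servers, errors).

    smb_signing_required is a hypothetical inventory, kept by the administrator,
    of file servers known to require SMB signing; those should not be defined.
    """
    rows = [(n, [c.strip() for c in r])
            for n, r in enumerate(csv.reader(io.StringIO(text)), start=1)
            if any(c.strip() for c in r)]
    if not rows:
        return [], ["file is empty"]
    first_no, header = rows[0]
    if header[:3] != ["Name", "AllowDisconnected", "Cluster"] or set(header[3:]) - {"Cluster"}:
        return [], [f"row {first_no}: header must be Name,AllowDisconnected,Cluster[,Cluster...]"]
    cluster_columns = len(header) - 2   # one Cluster column per cluster a row may list
    signing = {s.lower() for s in smb_signing_required}
    servers: List[Dict] = []
    errors: List[str] = []
    seen = set()
    for n, row in rows[1:]:
        name = row[0]
        flag = row[1] if len(row) > 1 else ""
        clusters = [c for c in row[2:] if c]
        problems = []
        if not name:
            problems.append("missing file server name")
        elif name.lower() in seen:
            problems.append(f"duplicate file server {name!r}")   # added sanity check
        elif name.lower() in signing:
            problems.append(f"{name!r} requires SMB signing and should not be defined")
        if flag not in ("", "TRUE", "FALSE"):   # strict on purpose; blank defaults to TRUE
            problems.append(f"AllowDisconnected must be TRUE, FALSE or blank, got {flag!r}")
        if not clusters:
            problems.append("at least one WAFS Core Cluster is required")
        elif len(clusters) > cluster_columns:
            problems.append(f"{len(clusters)} clusters listed, header has {cluster_columns} Cluster column(s)")
        if problems:
            errors.extend(f"row {n}: {p}" for p in problems)
            continue
        seen.add(name.lower())
        servers.append({"name": name, "allow_disconnected": flag != "FALSE", "clusters": clusters})
    return servers, errors


# Constructed sample: valid file using the two rows from the text plus a blank flag.
GOOD_CSV = """Name,AllowDisconnected,Cluster,Cluster
server1,TRUE,cluster1
server2,FALSE,cluster2,cluster3
server3,,cluster1
"""

# Constructed sample: every data row breaks one rule.
BAD_CSV = """Name,AllowDisconnected,Cluster
server4,yes,cluster1
,TRUE,cluster1
server5,FALSE
server6,TRUE,cluster1,cluster2
server7,TRUE,cluster1
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD_CSV), ("bad", BAD_CSV)):
        ok, bad = parse_file_server_csv(sample, frozenset({"server7"}))
        print(label, len(ok), "server(s) accepted")
        for line in bad:
            print("  ", line)
```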
Which core cluster of WAEs to use when optimizing a file server that is explicitly defined
Which core cluster of WAEs to have query the file server and respond to the edge to
dynamically determine which core cluster is closest in proximity to an undefined file server
You must specify the file server settings for file servers that are manually defined and configure
expected WAN utilization. The WAN utilization settings perform two functions:
Limits the amount of WAN bandwidth that the CIFS acceleration service can provide, and
Automatically performs tune-up of the CIFS acceleration services to better leverage WAN
capacity
The WAE Device GUI is useful for verifying that the Edge WAEs and Core WAE clusters are
connected correctly. The WAE Device GUI can be accessed from the Central Manager device
home page by clicking the Device GUI link, or by browsing directly to the WAE at
https://(ip_addr_of_WAE):8443.
To view Edge WAE connectivity information, navigate to WAFS Edge > Configuration >
Connectivity. This panel shows which Core Clusters the Edge WAE connects to based on the
connectivity directive definition. A connected cluster is identified by a green checkmark, and a
nonconnected cluster is identified by a red X.
To view statistics on the connectivity between an Edge WAE and a Core cluster, navigate to
WAFS Edge > Monitoring from the Edge WAE Device GUI. This panel provides additional
information on the connection to the Core Cluster, including the number of messages sent and
received, and the number of bytes sent and received.
Similar data can be found on the Core WAE by navigating to WAFS Core > Monitoring >
Connectivity from the Core WAE Device GUI.
The WAFS Edge > Configuration submenu allows the administrator to view the configuration
of CIFS, open print services administration, and configure Simple Mail Transfer
Protocol (SMTP) notifications.
The WAFS Core > Configuration submenu allows the administrator to view the configured
CIFS servers, and configure SMTP notifications.
The WAFS Edge Device GUI allows administrators to view CIFS protocol optimization
statistics and cache statistics. The following functions are available within the Device GUI, by
navigating to WAFS Edge > Monitoring.
The CIFS tab allows the administrator to:
Examine request counts, local and remote, including how many were handled locally and
thus optimized, and how many were handled remotely
Examine total network time, local and remote, including how much time was spent on the
LAN versus the WAN
Examine connected session counts; these counts are useful for verifying that a user session
is being optimized
Examine the number of open files; this value is useful for verifying that a user session is
being optimized
Examine the cache disk statistics, including maximum capacity and amount of capacity
used
Examine the cache resource statistics, including maximum objects and current cached
objects
Examine eviction statistics, including number of objects evicted, last eviction; these values
are useful for determining if the cache size is too small
Cache eviction watermark for both capacity and number of objects; the high watermark
indicates the percentage of capacity or cached objects that must be reached before
LRU-based eviction begins; the low watermark indicates the percentage of capacity or cached
objects that must be reached before LRU-based eviction ends
The contents of the file cache are not visible to the administrator. Files can not be selectively
removed from the cache.
The WAE Device GUI provides graphs for examining statistics over time. All graphs are
presented in Multi Router Traffic Grapher (MRTG) format and show daily graphs with a
5-minute average, weekly graphs with a 30-minute average, monthly graphs with a 2-hour
average, and yearly graphs with a 1-day average.
The WAFS Edge Device GUI provides the following graphs:
Client throughput
All of the data contained within these graphs is also exposed via Simple Network Management
Protocol (SNMP).
To verify file services operation, connect to a share on the server through a client while WAAS
is deployed and configured between them. This can be performed using one of the following:
Universal Naming Convention (UNC) Paths: Use the Run dialog box (Start > Run >
\\servername)
The Windows NET command provides a powerful utility to connect to and manage SMB
resources. This utility is run from a command prompt, for example
C:\Documents and Settings\User> net
The syntax of the NET command is:
NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |
HELPMSG | LOCALGROUP | NAME | PAUSE | PRINT | SEND | SESSION |
SHARE | START | STATISTICS | STOP | TIME | USE | USER | VIEW ]
To map a drive when logged in as a user with permissions to access the resource, use the
following NET command:
C:\> net use X: \\servername\sharename
Where:
servername is the NetBIOS name, fully qualified domain name (FQDN), or IP address of
the server
To map a drive using alternate credentials, use the following NET command:
Where:
To view the shares on a file server, assuming you can net use to the server, use the following
NET command:
C:\> net view \\servername
Alternately, rebooting a workstation forces a CIFS session to be deleted. If the drive mapping is
configured as persistent, or as part of a login script, the session is reestablished upon reboot.
After the drive is mapped, go to the server and verify that the user session is coming from the
Core Server and not the client workstation. This task is shown on the next slide.
Note
For WAAS file services optimizations configured in transparent mode, the server name is
that of the file server in the data center. For WAAS file services optimizations configured in
non-transparent mode, the server name is the name that is being published by the WAE.
Note that the WAE is designed to not provide optimizations for pre-existing CIFS sessions. If a
CIFS session is already active at the time WCCPv2 is enabled, any CIFS traffic that is
redirected to the WAE is not accelerated at the application layer. Cisco WAAS must see the
session brought up from the beginning before any optimizations can be applied to verify user
authenticity, user authorization, and file state. When verifying WAFS functionality, it might be
necessary to shut down any existing CIFS sessions before application layer acceleration can be
seen.
To verify that a file server is being accelerated by a WAFS Edge WAE via the file server itself,
navigate to Computer Management > System Tools > Shared Folders > Sessions. If the IP
address of the WAFS Core WAE appears under computer, then the session is being accelerated
by Cisco WAAS CIFS acceleration. If the IP address of the client appears under computer, then
the session is not being accelerated by Cisco WAAS CIFS acceleration.
To verify that a file server is being accelerated by a WAFS Edge WAE, use the show bypass
list command on the WAFS Edge WAE to verify that the CIFS server appears with appropriate
ports listed:
Edge-WAE# sh bypass list
Client            Server                Entry type
------            ------                ----------
any-client:0      CIFS_server_IP:139    accept
any-client:0      CIFS_server_IP:445    accept
The WAFS Edge WAE device GUI can be examined to see if CIFS cache counters are
incrementing. This can provide a clear indication that CIFS acceleration is functioning.
If the WAAS file services optimizations are configured correctly, the WAAS Core Device IP
address appears in the computer name field in the sessions listing of the Computer Management
panel if CIFS over TCP is used. For cases where CIFS over NetBIOS is used, the client
computer name will appear in the computer name field in the sessions listing. In such cases
(where CIFS over NetBIOS is used), other metrics, such as the request counters and session
count in the Edge WAE Device GUI, must be used to validate that the session is indeed being
accelerated. If the user workstation IP address is displayed, there might be a configuration
error, or the session might have existed before WAFS services were enabled. In the last case,
the user session must be deleted and restarted. Use one of the following alternative procedures
to delete an existing CIFS session:
Use the net view command on the client workstation to view existing sessions, and then
use the net use /delete command on the client workstation to delete the session. Finally,
issue the net use command to reconnect to the server and share. Note that IPC$ sessions
must also be deleted.
Disable the client network interface card and then re-enable it.
If the session is active before enabling WAFS functionality, it might be necessary to delete it
before acceleration can be verified.
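The verification logic described above, as an added example (not Cisco code and not part of the course material): it parses the show bypass list layout shown on the page and classifies the Computer column of the file server's Sessions panel, including the CIFS-over-NetBIOS case where the result is inconclusive. The addresses, user names, session rows and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the layout of the Edge WAE output shown on the page;
# CIFS_server_IP is replaced by the documentation address 192.0.2.10.
BYPASS_LIST = """\
Client            Server              Entry type
------            ------              ----------
any-client:0      192.0.2.10:139      accept
any-client:0      192.0.2.10:445      accept
"""

# Constructed rows as they would be read from Computer Management >
# System Tools > Shared Folders > Sessions: (Computer, User).
SESSIONS = [
    ("\\\\198.51.100.5", "alice"),   # Core WAE address (assumed)
    ("\\\\203.0.113.44", "bob"),     # a client workstation address
    ("\\\\BRANCH-PC7", "carol"),     # a computer name, not an address
]

CIFS_PORTS = {139, 445}
ROW = re.compile(r"^\s*(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_bypass_list(text):
    """Return one dict per data row; header and separator lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            client, _client_port, server, server_port, entry = m.groups()
            rows.append({"client": client, "server": server,
                         "port": int(server_port), "entry": entry})
    return rows


def missing_cifs_ports(rows, server_ip):
    """CIFS ports (139, 445) that have no 'accept' entry for this server."""
    accepted = {r["port"] for r in rows
                if r["server"] == server_ip and r["entry"] == "accept"}
    return sorted(CIFS_PORTS - accepted)


def classify_session(computer, core_wae_ips):
    """Classify one Sessions-panel row by its Computer value.

    accelerated      the session comes from a Core WAE address
    not-accelerated  another IP address is shown (configuration error, or the
                     session existed before WAFS services were enabled)
    inconclusive     a computer name is shown (CIFS over NetBIOS); use the
                     Edge WAE request counters and session count instead
    """
    name = computer.lstrip("\\")
    cores = {ipaddress.ip_address(ip) for ip in core_wae_ips}
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        return "inconclusive"
    return "accelerated" if addr in cores else "not-accelerated"


def report(sessions, core_wae_ips):
    """Map each user to the classification of that user's session."""
    return {user: classify_session(computer, core_wae_ips)
            for computer, user in sessions}


if __name__ == "__main__":
    rows = parse_bypass_list(BYPASS_LIST)
    print("missing CIFS ports:", missing_cifs_ports(rows, "192.0.2.10"))
    for user, verdict in report(SESSIONS, {"198.51.100.5"}).items():
        print(user, verdict)
```

A "not-accelerated" result calls for the session deletion procedure above before re-checking; "inconclusive" is not a failure.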
In prolonged disconnection mode, user sessions can be reestablished to access cached files in a
read-only fashion, assuming a domain controller is reachable. The WAE must be configured to
join the Windows domain.
WAAS is designed to be resilient during periods of WAN disconnection. Two types of WAN
outages are identified by Cisco WAAS, and each is handled in a different manner:
Prolonged disconnection: This term refers to periods of loss of WAN connectivity lasting
longer than 90 seconds, in which case the WAE enters a prolonged disconnection mode,
and all state is cleaned up on the Edge WAE and the Core WAE. At this point, the Edge
WAE can enter into read-only disconnected mode, assuming the file server is configured
for this mode in Central Manager. If this mode is not configured, the file server is no longer
accessible through WAAS, although offline files and folders within Windows can be
configured.
WAASv4 provides a R/O disconnected mode of operation that allows users to have read-only
access to fully-cached files during periods of prolonged WAN disconnection. A series of
functions are implemented specifically to support servers and shares defined for R/O
disconnected access:
Aggressive file caching of files accessed on-demand (read-ahead and file read-ahead):
This function ensures that files are fully cached in the Edge WAE so they can be available
if the WAE enters a prolonged disconnection mode lasting more than 90 seconds.
Metadata and access list prefetch: This function ensures that access control information
is cached by the Edge WAE for the purposes of authorization during disconnection.
Preposition: This optional function is used to continually update the Edge WAE cache and
ensure that files are available in the Edge WAE cache if the WAE enters a prolonged
disconnection mode.
When WAAS file services enters prolonged disconnected mode, all CIFS sessions are
disconnected in both the remote office and the data center. If read-only disconnected mode is
not configured, the user does not have access to the file server. Windows Offline Files and
Folders can be configured as an alternative to read-only disconnected mode, providing users
with the ability to continue working during the period of disconnection, and resynchronizing
changes back to the origin file server when the connection is re-established.
If read-only disconnected mode is configured, the WAEs still enter prolonged disconnected
mode, which destroys user sessions in the remote office and in the data center. User sessions
must be restarted, which requires authentication with a domain controller, which must be
reachable on the network. The WAFS Edge WAE can self-authorize the user based on cached
ACLs from the origin file server. After the user re-authenticates successfully, the Edge WAE
exports the server and acts on its behalf, providing read-only access to cached files and folders
based on the cached access control information. With read-only disconnected mode, the last set
of cached files and last set of cached ACLs is used. If the file server is unreachable through
WAAS for a long period of time and files or access control information has changed, the
contents in the Edge WAE will not be the same as those on the origin file server.
For read-only disconnected mode to work properly, the WAE must be configured for Windows
authentication and be successfully joined to the domain. Also, the file server must be defined at
Services > File > File Servers within the Central Manager.
To configure a file server to be accessible during periods of prolonged disconnection, the file
server must first be defined at Services > File > File Servers. In the file server configuration
page, check the Available on WAN Failure checkbox on the file server definition page. It is
recommended that preposition be configured to ensure that a larger set of content is made
accessible during the disconnected mode.
The WAE must be configured as a domain member in order to be capable of supporting
read-only disconnected mode. The steps to join a WAE to the domain are discussed in the Central
Manager lesson.
Use of disconnected mode of operation requires that the WAE be able to reach a domain
controller during periods of network disconnection. If a domain controller is not reachable, then
disconnected mode of operation will not work.
Using Prepositioning
This topic explains how WAAS prepositioning can be used to prepopulate an edge file services
cache and DRE cache to improve the performance for first user access to content. The process
of configuring and monitoring prepositioning tasks is also described.
File Preposition
Files can be prepositioned into an Edge WAFS device cache to
improve performance for first-user access:
Schedules the acquisition and distribution of files
Populates DRE database on WAEs
Provides a cache hit on first user access, and local delivery
CAD/CAM packages
Engineering, software development
Software distribution, patch management
Imaging
Files can be prepositioned into an Edge device cache to improve performance for first-user
access. Prepositioning is the process of scheduling the acquisition and distribution of files.
Prepositioning populates file data into the DRE database of the WAE. This approach allows
users to obtain a cache hit on first user access, and provide local delivery of the content.
Prepositioning is commonly used in environments where the need to deliver large files or large
amounts of data is critical. Examples of these environments include the following:
CAD/CAM packages
Imaging
[Figure: preposition message flow between the Edge WAE, the Core WAE, and the NAS file server (LIST, Send FILE123.DOC)]
When the administrator defines a preposition directive in Central Manager, the following
processes are executed:
Step 1
The Edge WAE connects to the Core WAE and sends preposition parameters. These
include:
Time filters
Step 2
The Core WAE performs the scan against the server based on the criteria provided
and returns a match list, representing the results of a filtered scan, to the Edge WAE.
Step 3
The Edge WAE compares the match list against the current state of the file cache
and creates a delta list. Any file that does not exist in the cache or has been changed
is added to the delta list.
Step 4
The Edge WAE then submits requests sequentially to the Core WAE based on the
files contained within the delta list.
Step 5
The Core WAE fetches the file and stores it in the preposition staging area. The
Core WAE then instructs the Edge WAE to download the file.
Steps 4 and 5 are repeated until the delta list has been exhausted or the limitation parameters of
the preposition directive have been met.
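Steps 3 through 5 above, as an added example (not Cisco code and not part of the course material): the Edge WAE side builds the delta list and requests files one at a time until the list or a limit is exhausted. The page does not say how a change is detected or which limits a directive carries, so comparing size and modification time and using a total-bytes budget are assumptions, as are all names and sample files.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEntry:
    path: str
    size: int    # bytes
    mtime: int   # modification time, seconds (assumed change indicator)


def build_delta_list(match_list, cache):
    """Step 3: keep files that are absent from the cache or have changed."""
    delta = []
    for entry in match_list:
        cached = cache.get(entry.path)
        if cached is None or (cached.size, cached.mtime) != (entry.size, entry.mtime):
            delta.append(entry)
    return delta


def run_preposition(match_list, cache, fetch, max_bytes):
    """Steps 4 and 5: request delta-list files sequentially.

    fetch(entry) stands in for the Core WAE staging the file and the Edge WAE
    downloading it. max_bytes is an assumed limitation parameter. The run
    stops at the first file that would exceed the budget, because requests
    are submitted in order.
    Returns (fetched paths, skipped paths, bytes transferred).
    """
    delta = build_delta_list(match_list, cache)
    fetched, skipped, transferred = [], [], 0
    for index, entry in enumerate(delta):
        if transferred + entry.size > max_bytes:
            skipped = [e.path for e in delta[index:]]
            break
        fetch(entry)
        cache[entry.path] = entry        # the cache now holds the current version
        transferred += entry.size
        fetched.append(entry.path)
    return fetched, skipped, transferred


# Constructed match list, as returned by the Core WAE scan in Step 2.
MATCH_LIST = [
    FileEntry("eng/a.dwg", 100, 10),
    FileEntry("eng/b.dwg", 200, 20),
    FileEntry("img/c.iso", 500, 30),
]


def initial_cache():
    """Constructed Edge cache state: a.dwg is current, b.dwg is stale, c.iso is absent."""
    return {
        "eng/a.dwg": FileEntry("eng/a.dwg", 100, 10),
        "eng/b.dwg": FileEntry("eng/b.dwg", 200, 15),
    }


if __name__ == "__main__":
    cache = initial_cache()
    downloads = []
    print(run_preposition(MATCH_LIST, cache, downloads.append, max_bytes=600))
    # The next scheduled run picks up what the first run left behind.
    print(run_preposition(MATCH_LIST, cache, downloads.append, max_bytes=1000))
```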
Note
Preposition is only available for CIFS file servers. Preposition populates the DRE cache on
both WAEs involved in the transaction. This ability is useful when users access files that
have changed, as the rebuild of the cache is efficient and high-performance, assuming the
segments that made up the original transfer of the file still exist in the DRE context.
Preposition can also be used as a mechanism for warming the DRE context for other
applications, including web, email, video, database, and others.
To create a new preposition directive, navigate to Services > File > Preposition and click the
New icon. To edit an existing preposition directive, click the edit icon next to the desired
preposition task.
File preposition directives are optional and are designed for CIFS file servers only. To
configure file preposition from Central Manager, navigate to Services > File > Preposition.
The Core WAE will use preconfigured privileges to access and retrieve requested files from the
file server. The job definition includes the following information:
Note that a Browse button is provided to help simplify the selection of root share and directory.
Clicking the Browse button causes the Core Server WAE to use preconfigured credentials to
read the share and directory structure from the file server selected. This sitemap allows the
administrator to use the GUI to select the share and directory.
A file name match pattern can be applied in the preposition definition.
To use the sitemap function, the Core Server must have appropriate privileges to view the share
and directory structure on the server, which is generally accomplished by providing a set of
credentials to the Core Cluster.
Preposition Schedule
The schedule for a preposition job can be configured by navigating to Services > File >
Preposition > (job) > Schedule.
From this window, the administrator specifies the following information:
Preposition Status
To display preposition status, select
Preposition Status from the table of contents.
Preposition jobs are dependent upon the WAFS Core WAE having the appropriate permissions
to read from the share, directory, and files. Additionally, the files must be unlocked and
available for reading at the time of the preposition task.
Preposition status can be viewed from Central Manager or from the local GUI of the WAFS
Edge WAE. The preposition job is controlled by the Edge WAE, so preposition statistics
cannot be viewed on a Core WAE. To examine preposition jobs, navigate to WAFS Edge >
Preposition.
To view or terminate a particular preposition job on an Edge Server, open the Device GUI and
navigate to WAFS Edge > Preposition.
Note
Preposition directives are controlled by the WAFS Edge WAE and not the WAFS Core WAE.
[Figure: print services overview showing the data center (NAS) and the branch office (router) connected over the WAN, with driver distribution and print jobs]
Cisco WAAS provides Windows-compatible print services. Any printer is supported, as the
WAE does not require special software to support a particular printer because it uses Raw mode
queues, and the client handles the rendering. Cisco WAAS printing provides printing to any
user regardless of whether the WAN is connected or disconnected, as it does not need to
integrate into a Windows domain.
Cisco WAAS allocates 1 GB of data to the PRINTSPOOL file system. This storage capacity
cannot be manually allocated and is shared by all of the print queues. Although this storage
capacity can support a recommended maximum of 100 concurrent queues, 20-25 is the
recommended number for adequate storage allocation per queue, and there is no hard limit or
enforced maximum number of queues that can be defined.
Cisco WAAS supports up to a maximum of 100 concurrent printing users and up to a
maximum of 500 concurrent print jobs. The print job timeout is 60 seconds.
Cisco WAAS print services eliminate the need to leave a server in the branch office to provide
local printing capabilities. Cisco WAAS print services leverage Samba and Common Unix
Printing System (CUPS) to enable branch office printing. By using Cisco WAAS,
Windows-compatible print services can remain in the branch, keeping print jobs from needing
to traverse the WAN.
WAAS print services rely on users configured through the command-line interface (CLI) for
print queue administration and print driver repository administration. No authentication or
authorization is provided for print services, so any user in the remote office can print to a print
queue that is configured on the WAE regardless of whether the WAN is connected or
disconnected.
Cisco WAAS self-authenticates users that are attempting to print, and usernames are
maintained with the active job set. As such, a user can only modify or manipulate their own
jobs using standard Windows printer management tools. Users that authenticate to the print
server using administrative credentials can manipulate any job running on the WAE.
Note
When using WAAS to optimize access to a centralized print server that is not running print
services on the WAE, this configuration is not necessary.
Cisco WAAS print services are a function of the WAFS Edge service. The WAFS Edge service
must be enabled before print services can be enabled and configured.
Print services are enabled through the Edge print server WAE device GUI by navigating to
WAFS Edge > Configuration > Print Services.
On the Print Services panel, click the Print services enabled checkbox, and then click the Save
button at the bottom of the page.
Note
Edge print services do not function unless the WAE is configured as a WAFS Edge WAE,
and the WAFS Edge service is started.
Alternately, print services can be enabled on a WAE configured as a WAFS Edge through the
CLI using the following command sequence:
WAE# configure
WAE(config)# print-services enable
WAE(config)# print-services guest-print enable
Note
All users are able to print to printer queues configured on the WAE print server.
After enabling print services on the WAE, the next step is to configure print administrator users
on each WAE that is running print services. This user and associated credentials are used for
managing the print queues and printers defined on the print server WAEs. It is recommended
that a device group be configured for Print Servers, and that the user be defined within the
context of the device group. This is configured by navigating to Devices > Device Groups >
(Print Server Device Group) > General Settings > Login Access Control > Users.
From the Usernames panel, click the new user icon.
Note
This user is not used for managing the Central Manager printer driver repository.
Define the print administrator user, specify and verify a password, and select the print admin
checkbox. The user privilege is automatically set to super user.
Next, click Submit, and Central Manager propagates the change to the device group.
Note
This print user is used to manage the configuration of print queues and printers on the Edge
WAE print servers. A separate user is configured on the Central Manager for the purposes
of managing the driver repository.
After the Edge print service is enabled, a print queue is configured on the WAE. To perform
this task, navigate to WAFS Edge > Configuration > Print Services and click the Open link.
Any time a new queue is created, the print service must be restarted.
Note
From the Print Services Administration panel, click the new icon to create a new print queue, or
click the edit icon next to an existing print queue to modify that queue. If you are prompted to
authenticate, specify the user name and password of the user that is configured on the WAE
print server as a print administrator user.
Note
The Add New Printer panel appears. To add a new printer, specify the following parameters
and click the Submit button:
Printer name
Device Uniform Resource Identifier (URI): This is the mechanism by which the WAE
communicates with the printer. This value is supplied by the printer vendor.
Creating a new printer requires a restart of the Edge print services. If you are unsure of which
device URI to use, refer to the documentation supplied with your printer.
After the Edge print queue is created, it is displayed in Central Manager on the Print panel at
Services > Print > Servers > Printers.
All of the configured print queues appear on this panel.
Note
The Central Manager is updated with the status of queues and new queues during Local
Central Manager (LCM) polling cycle. This process can take a few moments to complete.
When a new print queue is added, or when a queue becomes jammed, the print server can be
restarted by opening the device GUI and navigating to WAFS Edge > Configuration > Print
Services.
Click the Restart print server button on the Print Services panel to restart the server. Restarting
the print server is disruptive to any jobs that are using other printers managed by the WAE.
Restarting the print server takes less than a minute.
[Figure: print driver distribution: drivers are uploaded in the data center, distributed across the WAN (example: HP LaserJet driver), and downloaded in the branch office for printing]
Central Manager can be configured as a repository for print drivers. After it is configured as a
repository, Central Manager can be accessed directly and print drivers can be uploaded to it.
After the drivers have been uploaded, they can then be distributed to Edge print server WAEs.
The next step is to configure a print driver administration user. This user is used to manage the
driver repository on the Central Manager. To perform this task, navigate to System > AAA >
Users > Account Management.
Note
This is not the same user account that is used for Edge WAE print server queue and printer
administration. Both users can share the same name and credentials if desired, as the print
driver administration user is configured on the Central Manager WAE directly.
Click the new user icon to create the print driver administrator user. Provide a username, and be
sure to select create CLI user and print admin. Notice that the privilege level is automatically
set to 15, indicating super user, when configuring a print administrator. Be sure to provide a
password, and click Submit when finished.
This process creates the print driver administrator user. This user and the associated credentials
are used when connecting to the Central Manager WAE via its UNC path for the purposes of
uploading drivers.
To configure Central Manager as a print driver repository within Central Manager, navigate to
Services > Print > Repository and click the checkbox for Enable Central Manager as Driver
Repository. Click the Submit button to save your settings.
After the print driver repository is enabled and a print driver administration user is configured,
you can connect to the Central Manager WAE to manage the driver repository.
Uploading Drivers
Connect to Central Manager via the UNC path to upload
and manage drivers:
Start > Run > \\(NetBIOS name of CM WAE)
Connect to the Central Manager by typing in the UNC path from the Run dialog box in
Windows. When prompted for credentials, supply the credentials of the print driver
administration user. Next, double-click the Printers and Faxes entry from the \\WAAS-CM
panel.
Alternately, a session can be established to the print server prior to uploading drivers, by
issuing the following command from the command line:
C:\> net use \\(NetBIOS name of CM WAE) /user:(print admin)
Where:
When prompted, supply the credentials of the print driver repository administrator, and not
the credentials for the Edge WAE print server administrator.
After connecting to Central Manager, right-click anywhere in the workspace area of the
explorer window and select Server properties from the menu, or select File and then Server
Properties to accomplish the same task.
Note
Do not use the Add Printer icon, as a printer is not being added. It is only necessary to
upload drivers, so Server Properties must be used.
When the server properties page appears, click the drivers tab. A list of all of the drivers
installed on the Central Manager is displayed. From this panel, you can remove drivers,
reinstall drivers, examine driver properties, or add drivers.
Click the Add tab to open the Add Printer Driver Wizard dialog box. Follow the wizard to
identify the drivers you want to upload. At the conclusion of this process, the wizard uploads
the drivers for you.
If the server properties window does not give you permissions to control the drivers that are
available on the Central Manager, you might be connected to the Central Manager using
credentials that are not those of the print driver repository administrator.
To correct this situation, open a command prompt, and delete the session to the Central
Manager using the following command:
C:\> net use \\(NetBIOS name of Central Manager WAE) /delete
This command deletes the session. Next, establish a new session to the Central Manager using
the following command:
C:\> net use \\(NetBIOS name of Central Manager WAE) /user:(user name)
Where:
Central Manager prompts you for a password for this account and then establishes the new
session.
After the drivers have been uploaded, they can be viewed through Central Manager by
navigating to Services > Print > Drivers.
Print drivers can be distributed from Central Manager to individual devices or to entire Device
Groups. To distribute a driver, open the driver from within Central Manager by navigating to
Services > Print > Drivers. Next, select a driver by clicking the edit icon next to the desired
entry.
From the driver properties page, a driver can be distributed to individual print servers or to
entire device groups.
After clicking the Submit button, the Edge WAE print server FTPs to the Central Manager and
downloads the drivers from the hidden PRINT$ share on the Central Manager. The status of
this distribution can be tracked by navigating to Services > Print > Servers.
Note that this table provides information on the following quantities:
To view additional details on the drivers that are being installed and distributed, click the edit
icon next to the name of the desired print server.
This screen displays additional information on an individual print server WAE. Click the failed
download icon to repeat the download process for drivers that did not download correctly.
On-screen counters and status values change as each driver is successfully distributed.
The WAE device home page can also be used to select print drivers for download. Be sure
advanced settings are displayed, and navigate to Print Services > Download Drivers.
Summary
This topic summarizes the key points that were discussed in this lesson.
Summary
Cisco WAAS provides CIFS acceleration services such as latency reduction, data
caching, and metadata caching to provide LAN-like access to centralized file
server or NAS storage.
Configuring Cisco WAAS file services includes policy configuration, service
configuration, and directive configuration.
Prepositioning is a tool that helps to distribute content to an edge cache based on
a schedule and is useful in environments that make use of engineering packages,
imaging and multimedia, and software distribution environments.
Print services configuration includes enabling the WAFS Edge service, enabling
the print service, and configuring the service, administrative users, driver
repository, and print queue.
Two user accounts are required for print services administration; one is for printer
administration on the WAEs, and one is used for Central Manager driver
repository
Module Summary
This topic summarizes the key points that were discussed in this module.
Module Summary
One of two device modes must be specified on each Cisco WAE in the
WAAS topology: application accelerator or Central Manager.
Cisco WAE devices interact with the network either as an in-path device
or as an off-path device, using network interception techniques such as
WCCPv2, PBR, or ACE.
The Cisco WAAS Central Manager provides holistic system and device
management, configuration, and reporting capabilities, along with policy
and service management for WAN optimization, application acceleration,
and print services.
Central Manager device groups streamline the configuration and
management of a large number of WAE devices.
Cisco WAAS Application Traffic Policies enable flexible, prioritized
configuration of WAN optimization capabilities.
Configuring Cisco WAAS file services includes policy configuration,
service configuration, and directive configuration.
2007 Cisco Systems, Inc. All rights reserved.
In this module, you learned how to configure Cisco WAAS, integrate WAAS into the network
through traffic interception, centrally manage WAAS using the Central Manager secure web
GUI, and configure traffic policies for WAN optimization and application acceleration.
Module Self-Check
Use the questions here to review what you learned in this module. The correct answers and
solutions are found in the Module Self-Check Answer Key.
Q1)
Which configuration mode would you use if the WAE is directly-attached to the router
but the WAE VLAN is non-routable? (Source: Configuring WAE Interfaces)
A)
B)
C)
D)
Q2)
Which configuration mode would allow for higher levels of WAFS performance for
users that are Layer 2-adjacent to one of the WAE interfaces? (Source: Configuring
WAE Interfaces)
A)
B)
C)
D)
Q3)
How many standby Central Manager WAEs can be configured? (Source: Configuring
High Availability)
A)
B)
C)
D)
Q6)
60
61
62
63
A device has recently registered against Central Manager. What must be done before
the device can be used? (Source: Activating WAAS Devices)
A)
B)
C)
D)
Q5)
One-arm
Two-arm
Active-Standby
DRE
Which two of the following WCCP service groups are used by Cisco WAAS? (Choose
2.) (Source: Configuring WCCPv2)
A)
B)
C)
D)
Q4)
Off-router, One-arm
Off-router, Two-arm
On-router, One-arm
On-router, Two-arm
1
2
3
4
system.datafeed.Pollrate
system.healthmonitor.Collectrate
system.monitoring.Collectrate
All of the above
Q7)
Q8)
Which four of the following are valid, configurable parameters within an application
classifier? Choose four. (Source: Using Traffic Classifiers)
A)
B)
C)
D)
E)
F)
G)
Q9)
Which command shows the load level offered to each of the acceleration services?
(Source: Monitoring Optimized Connections)
A)
B)
C)
D)
WAFS Terminate
Connectivity Directive
WAFS Accept
WAFS Transport
What is the purpose of the EPM adaptor? (Source: Configuring Adaptor Policies)
A)
B)
C)
D)
Q13)
Auto discovery
Device GUI
Default Policy
Auto learning
Which two of the following traffic policies are used by WAFS? Choose two. (Source:
Configuring Adaptor Policies)
A)
B)
C)
D)
Q12)
Q11)
Q10)
Q14)
Which command shows the connections that are optimized and how they are
optimized? (Source: Monitoring Optimized Connections)
A)
B)
C)
D)
Q15)
Q16)
1
2
3
4
What is the purpose of the connectivity directive? (Source: Configuring WAAS File
Services)
A)
B)
C)
D)
Q19)
Protocol proxy
Data cache
Meta data cache
Intelligent read-ahead
Operation batching
Message prediction
Preposition
Disconnected mode
All of the above
What is the minimum number of WAEs that must be in a core cluster for WAFS to
work? (Source: Configuring WAAS File Services)
A)
B)
C)
D)
Q18)
What optimizations for file services protocols does WAAS provide? (Source: WAAS
Optimizations for File Protocols)
A)
B)
C)
D)
E)
F)
G)
H)
I)
Q17)
How does WAAS handle a brief WAN outage of less than 90 seconds? (Source:
Disconnected Mode of Operations)
A)
B)
C)
D)
Q20)
What level of access does WAAS file server disconnected mode provide? (Source:
Disconnected Mode of Operations)
A)
B)
C)
D)
Q21)
What is a common usage scenario for WAAS file preposition? (Source: Using
Prepositioning)
A)
B)
C)
D)
E)
Q22)
1
2
3
4
When an administrator uploads a driver directly to an Edge WAE, how long does it
take before the driver appears in the Central Manager repository? (Source: Distributing
Drivers)
A)
B)
C)
D)
How many versions of a print driver can exist in the repository at any one time?
(Source: Distributing Drivers)
A)
B)
C)
D)
Q24)
What must be configured for print services and driver distribution to work properly?
(Source: Distributing Drivers)
A)
B)
C)
D)
Q23)
Read-only
Read-write
Local file server
Asynchronous write-back
Q2)
Q3)
B,C
Q4)
Q5)
Q6)
Q7)
Q8)
A,D,E,G
Q9)
Q10)
Q11)
C,D
Q12)
Q13)
Q14)
Q15)
Q16)
Q17)
Q18)
Q19)
Q20)
Q21)
Q22)
Q23)
Q24)
Module 4
Module Objectives
Upon completing this module, you will be able to describe how to troubleshoot Cisco WAAS
installations, including platform and network connectivity issues, network interception issues,
WAN optimization issues, and application acceleration issues. This includes being able to meet
these objectives:
Identify key tools and steps for troubleshooting Cisco WAAS deployments
Lesson 1
Introduction to Troubleshooting
Overview
This lesson provides an introduction to troubleshooting Cisco WAAS, including common
issues, device liveliness, management services, reporting, and device logs.
Objectives
Upon completing this lesson, you will be able to identify key tools and steps for
troubleshooting Cisco WAAS deployments. This includes being able to meet these objectives:
Identify the common issues that are encountered in Cisco WAAS deployments
Troubleshooting Workflow
This topic defines a workflow that can be followed while troubleshooting Cisco Wide Area
Application Services (WAAS). This workflow is referred to in other lessons in this module as
well.
Troubleshooting Workflow
Validate platform liveliness including management services,
examine common issues, and understand system log files
and locations
Validate network interception and automatic discovery to
ensure that traffic is received and handled by the WAEs
within the Cisco WAAS network
Examine WAN optimization features relative to optimized
connections, optimization policy, statistics, and log files and
locations
Examine application acceleration features relative to
optimized sessions, configured policies, features, statistics,
and log files and locations
2007 Cisco Systems, Inc. All rights reserved.
WAAS v4.0.74-4
The first step in troubleshooting Cisco WAAS is to examine the system for commonly
encountered issues, verify that devices are online and reachable, ensure that management
services are configured correctly, and examine system log files. The framework listed in the
figure is used in the remainder of the lessons in this module to provide a consistent model for
troubleshooting Cisco WAAS.
In this lesson, you learn how to validate platform liveliness including management services,
understand commonly encountered issues, and use system log files such as the system report to
understand system behavior.
Common Issues
This topic examines the common issues that are encountered in Cisco WAAS deployments,
symptoms of each, and resolution for each.
The most commonly encountered issue is when the system is configured correctly, traffic is
being intercepted and optimized, yet performance is poor. This can be caused by a number of
factors, but is most commonly caused by having a node somewhere between the client and the
server configured for half-duplex (or auto-negotiated to half-duplex). Duplex should be
examined end-to-end, which means everything including:
Client PCs
Servers
Switches
Routers
This issue is so pervasive that it should be considered the first place to look when experiencing
poor performance, and should not be overlooked under any circumstances.
Note
By default, Cisco WAEs automatically detect link speed and duplex. It is a
best practice to statically set the duplex to full when working with a Fast Ethernet switch, and
to set the interface to autosense mode when using Gigabit Ethernet (as half-duplex is not a
valid configuration).
The show interface command displays configuration data and statistical data about an
interface. Note that the last two entries in the output of this command show the state of the
interface and the mode that the interface is operating in. If the interface is operating at
half-duplex due to negotiation, an alarm is sent via syslog and Simple Network Management
Protocol (SNMP) to notify the administrator. If the interface is operating at half-duplex due to
administrative configuration, no alarm is raised.
When Cisco WAE devices are deployed off-path, and interception such as Cisco Web Cache
Communication Protocol Version 2 (WCCPv2), policy-based routing (PBR), or Cisco
Application Control Engine (ACE) is configured, the WAE must be deployed on a separate
subnet, that is, not on the same subnet as users or servers. This is required, because the packets
leaving the WAE that are optimized have the same header information as the unoptimized
packets. Interfaces adjacent to the WAE must be configured in such a way that they are
excluded from further redirection, so that the traffic is not continuously routed back to the
WAE. If the Cisco WAE is deployed off-path and in the same subnet or VLAN as the users or
the servers, common issue #3 will be encountered.
Note
Cisco WAE devices that are deployed in-path do not need such consideration.
An extension to common issue #2, common issue #3 is a virtual black hole, whereby Internet
Control Message Protocol (ICMP) messages (pings) are able to pass, but application traffic is
not able to pass through a location where network interception is configured to support off-path
Cisco WAE devices. This can be because of common issue #2 (WAE deployed on the same
subnet or VLAN as the users or servers) or because the network interception (WCCPv2, PBR,
ACE) is not configured correctly.
Always ensure that off-path WAEs are deployed on a subnet that is separate from users and
servers. When using WCCPv2, ensure that the interface adjacent to the WAEs (on the
WCCPv2 server device) is configured with the ip wccp redirect exclude in command to
ensure that packets returning on that interface (from a WAE) are not immediately redirected
again.
In the case where ping is successful but application traffic is not, recall that WCCPv2 when
used by WAAS only redirects TCP traffic to the WAE. Ping uses ICMP, and as such, is not
redirected.
IOS Routers
Major Version   M Train     T Train
12.1            12.1(14)    12.1(3)T
12.2            12.2(26)    12.2(8)T0c
12.3            12.3(13)    12.3(14)TS
12.4            12.4(10)    12.4(9)T1

Switches
Platform        Version
                12.1(27)E
                12.1(27)E
                12.2(18)SXF5
                12.2(31)SG
If using WCCPv2 with Cisco WAAS, it is strongly recommended that you use this table
during the design phase to ensure that devices where WCCPv2 will be configured are at an
appropriate IOS version. If the IOS version cannot be upgraded, another interception
mechanism should be strongly considered.
When optimization is not occurring or not occurring correctly, the first thing to do is to
understand the network path being taken by the client and the server for the exchange in
question. Identify each of the WAEs in the network path between the client and the server, and
verify from each WAE that it is online and network connectivity is present.
For NME-WAE network modules installed in an integrated services router (ISR):
Verify that the network module is running a version of IOS that recognizes the NME-WAE
Verify connectivity between the network module and the router internal interface
If you are unable to reach the default gateway or beyond the default gateway, check the IP
address configuration, subnet mask, interface configuration and state, switch port configuration,
VLAN configuration, and routing.
The show hardware command on an ISR with the NME-WAE installed can be useful for
verifying that the network module is properly inserted, recognized, and configured with the
correct version of software. An example of the output is partially shown in the figure, and
shown in full here:
R2821-edge# show hardware
Cisco IOS Software, 2800 Software (C2800NM-ENTBASEK9-M), Version
12.4(9)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 30-Aug-06 16:22 by prod_rel_team
ROM: System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE
(fc1)
R2821-edge uptime is 7 weeks, 4 days, 5 hours, 37 minutes
System returned to ROM by power-on
System restarted at 22:29:34 UTC Wed Nov 29 2006
System image file is "flash:c2800nm-entbasek9-mz.124-9.T1.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are
unable to comply with U.S. and local laws, return this product
immediately.
A summary of U.S. laws governing Cisco cryptographic products can be
found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
Building configuration...
!
!
interface Integrated-Service-Engine1/0
ip address 10.10.1.1 255.255.255.0
ip wccp redirect exclude in
service-module ip default-gateway 10.10.1.1
service-module ip address 10.10.1.2 255.255.255.0
!
[Figure labels: LAN, WAN, Service Module internal interface, Service Module interface]
Examine the running configuration of the ISR to look for network configuration errors that
could prevent the NME-WAE from performing optimization. Recall that the ISR has an
internal interface that is adjacent to the NME-WAE service module, which should be
configured as the NME-WAE's default gateway. The interface Integrated-Service-Engine is
where the NME-WAE network configuration is applied, as shown in the figure.
R2821-edge# show run
!
! (portions removed)
!
interface Integrated-Service-Engine1/0
 ip address 10.10.100.1 255.255.255.0
 ! this is the IP address of the interface adjacent to the NME-WAE
 ip wccp redirect exclude in
 ! should always be added to the NME-WAE internal interface
 service-module ip address 10.10.100.2 255.255.255.0
 ! the IP address of the network module itself
 service-module ip default-gateway 10.10.100.1
 ! the default-gateway of the network module, should be identical to the interface IP address
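The checks described for the Integrated-Service-Engine interface can be run against a saved running configuration. The following is an added example, not part of the original course material; the function names and the second, deliberately misconfigured stanza are constructed for illustration, and the subnet check is an assumption derived from the addressing shown above.

```python
import ipaddress
import re

# Constructed input: the first stanza mirrors the page's "show run" excerpt,
# the second is a deliberately misconfigured variant made up for this example.
SAMPLE_RUNNING_CONFIG = """\
interface Integrated-Service-Engine1/0
 ip address 10.10.100.1 255.255.255.0
 ip wccp redirect exclude in
 service-module ip address 10.10.100.2 255.255.255.0
 service-module ip default-gateway 10.10.100.1
!
interface Integrated-Service-Engine2/0
 ip address 10.10.200.1 255.255.255.0
 service-module ip address 10.10.201.2 255.255.255.0
 service-module ip default-gateway 10.10.200.254
!
"""


def parse_interfaces(config):
    """Split a running-config into {interface name: [sub-commands]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        header = re.match(r"interface\s+(\S+)", raw)
        if header:
            current = interfaces.setdefault(header.group(1), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # "!" or any top-level command closes the stanza
    return interfaces


def _first(commands, pattern):
    """Return the first sub-command that fully matches pattern, or None."""
    for command in commands:
        match = re.fullmatch(pattern, command)
        if match:
            return match
    return None


def audit_service_engine(commands):
    """Apply the page's checks to one Integrated-Service-Engine stanza."""
    findings = []
    # Without this line, packets returning from the WAE are redirected again.
    if "ip wccp redirect exclude in" not in commands:
        findings.append("missing 'ip wccp redirect exclude in'")
    iface = _first(commands, r"ip address (\S+) (\S+)")
    module = _first(commands, r"service-module ip address (\S+) (\S+)")
    gateway = _first(commands, r"service-module ip default-gateway (\S+)")
    if not (iface and module and gateway):
        findings.append("incomplete IP configuration")
        return findings
    router_side = ipaddress.ip_interface(f"{iface.group(1)}/{iface.group(2)}")
    # The module's default gateway should be identical to the interface IP.
    if ipaddress.ip_address(gateway.group(1)) != router_side.ip:
        findings.append("default-gateway differs from the interface IP address")
    # Assumption: the module must sit in the same subnet as the interface.
    if ipaddress.ip_address(module.group(1)) not in router_side.network:
        findings.append("service-module address is outside the interface subnet")
    return findings


def audit_config(config):
    """Return {interface: findings} for every Integrated-Service-Engine."""
    return {
        name: audit_service_engine(commands)
        for name, commands in parse_interfaces(config).items()
        if name.startswith("Integrated-Service-Engine")
    }


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_RUNNING_CONFIG).items():
        print(name, "OK" if not findings else findings)
```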
The show interface Integrated-Service-Engine command can be used to verify that the
interface adjacent to the network module is operational and configured properly. Verify that the
network configuration is correct and permitting packets to flow from the network module
through the router:
R2821-edge# show interface Integrated-Service-Engine 1/0
Integrated-Service-Engine1/0 is up, line protocol is up
Hardware is BCM5703, address is 000a.b82e.21a0 (bia 000a.b82e.21a0)
Internet address is 10.10.100.1/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not set
Full-duplex, 1000Mb/s, link type is force-up, media type is internal
output flow-control is XON, input flow-control is XON
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:20, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/512 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
10143177 packets input, 1633482832 bytes, 0 no buffer
Received 91837 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 76535 multicast, 0 pause input
0 input packets with dribble condition detected
9954042 packets output, 1285373698 bytes, 0 underruns
Establish a console session to the WAE network module
to the default gateway (router) and through the network for both directions of traffic flow!
Username: admin
Password:
System Initialization Finished.
EDGE-NM# ping 10.10.100.1
PING 10.10.100.1 (10.10.100.1) from 10.10.100.2 : 56(84) bytes of data.
64 bytes from 10.10.100.1: icmp_seq=0 ttl=255 time=467 usec
--- 10.10.100.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/mdev = 0.409/0.438/0.467/0.029 ms
EDGE-NM# ping 10.10.10.10
PING 10.10.10.10 (10.10.10.10) from 10.10.100.2 : 56(84) bytes of data.
64 bytes from 10.10.10.10: icmp_seq=0 ttl=62 time=83.315 msec
--- 10.10.10.10 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/mdev = 83.315/98.378/113.442/15.066 ms
Always be sure to verify network connectivity in both directions of traffic flow, for example,
from the Cisco WAAS Central Manager WAE back to the NME-WAE.
When a PortChannel is configured, the physical interfaces assigned to the PortChannel do not
have an IP configuration applied to them. Instead, the IP configuration is applied to the
PortChannel interface, and each of the physical interfaces is configured as a member of
the PortChannel using the channel-group command.
When a PortChannel is configured, verify that the physical interfaces are up and online, and
configured as members of the PortChannel:
EDGE1# sh int portChannel 1
!
(portions removed)
!
Interface PortChannel 1 (2 physical interface(s)):
GigabitEthernet 1/0 (active)
GigabitEthernet 2/0 (inactive)
Verify that the PortChannel interface is UP and online. If the interface is down, either the
member interfaces are both down, or the PortChannel interface itself is down. Enabling a
PortChannel interface is identical to enabling a physical interface; use the no shutdown
command.
EDGE1# sh int portChannel 1
Interface PortChannel 1 (2 physical interface(s)):
GigabitEthernet 1/0 (active)
GigabitEthernet 2/0 (inactive)
--------------------
Type:Ethernet
Ethernet address:00:11:25:AC:3C:5C
Internet address:1.1.1.2
Broadcast address:1.1.1.255
Netmask:255.255.255.0
Notice that the PortChannel interface has an IP configuration, but the physical interfaces do
not. When examining the physical interfaces using the show interface command, it should be
noted that the IP configuration of the PortChannel is inherited:
EDGE1# sh int gigabitEthernet 1/0
!
(portions removed)
!
Type:Ethernet
Ethernet address:00:11:25:AC:3C:5C
Internet address:1.1.1.2
Broadcast address:1.1.1.255
Netmask:255.255.255.0
Maximum Transfer Unit Size:1500
Flags:UP BROADCAST RUNNING SLAVE MULTICAST
After you have verified that the PortChannel is online and operational, verify network
connectivity to an adjacent node. If the adjacent node is not reachable, check the PortChannel
and physical interface configuration, IP address, subnet mask, switch port configuration, and
VLAN configuration on the switch. Also verify connectivity to the default gateway and beyond
the default-gateway. Verify that connectivity to the Cisco WAAS Central Manager is also
present.
The LCM process is used to ensure that each Cisco WAE and NME-WAE deployed throughout
the network is regularly synchronized with the Central Manager WAE in terms of configuration
and statistical data. The LCM cycle causes WAEs, including the Central Manager, to regularly
exchange such data based on the configuration of the system.Datafeed.pollrate variable in the
Central Manager (found at System > Configuration > System Properties).
If the network is down, or the service is offline, the WAAS Central Manager is unable to make
configuration changes, synchronize configuration data, or extract reporting data from that
particular WAE. It is important to ensure that the LCM process is running on the WAE, and
that the WAE has network connectivity to the Central Manager.
The Cisco WAAS Central Manager devices page provides a quick status overview of each of
the WAEs deployed throughout the network that are registered against that particular Central
Manager. Each device reports a CMS Status, which alerts the administrator to the state of the
WAE at that time. This state could include online or offline, and if the CMS service is disabled
or network connectivity is unavailable to that particular WAE, it is reported as offline. When a
WAE is reported as offline, the Central Manager is unable to synchronize configuration data
with that WAE and unable to fetch new reporting data.
The show cms info command can be executed on a WAE to see the status of the CMS service.
The following output is from a WAE configured as an application accelerator:
CORE1# sh cms info
Device registration information :
Device Id = 194
Device registered as = WAAS Application Engine
Current WAAS Central Manager = 10.10.10.10
Registered with WAAS Central Manager = 10.10.10.10
Status = Online
Time of last config-sync = Sat Dec 30 17:38:23 2006
CMS services information :
Service cms_ce is running
Notice that the application accelerator WAE has a single service called cms_ce, with the
Central Manager running two services: cms_httpd and cms_cdm. This is because the cms_ce
service is a child process, and the cms_cdm process is a server process. The cms_httpd is a
web server process used to provide the user with access to the Central Manager GUI via a
browser.
The cms_httpd service on the Cisco WAAS Central Manager is the web server interface that
provides users with access to the Central Manager GUI via a web browser. If the service is
down, a "page cannot be displayed" (or similar) error is returned when trying to access the
Central Manager GUI via https://<ipaddress>:8443.
If a Central Manager WAE's services are listed as not running and cannot be enabled with
the cms enable command, it is possible that a change in software version has created an
incompatibility between the Central Manager database files and the currently installed Cisco
WAAS software. By using the show cms info command on the Central Manager, you can see an
alarm that notifies the administrator that a database downgrade is required.
When this situation is encountered, it is recommended that a CMS database backup be
performed before performing the database downgrade:
CM1# cms database backup
Creating database backup file cms-db-12-30-2006-18-57.dump
Backup file local1/cms-db-12-30-2006-18-57.dump is ready.
Please use copy commands to move the backup file to a remote host.
Before restoring, disable CMS with no cms enable
CM1#
After the CMS database has been backed up, a database downgrade can be initiated, as shown
in the figure.
Note
If the database needs to be restored at a later point, use the cms database restore
command.
Please enable the cms process using the cms enable command to complete
the cms database restore procedure.
Preserving restored identity and certificate/key pair
Database files and node identity information successfully restored
from file cms-db-12-30-2006-18-57.dump
After the CMS database has been restored, execute cms enable.
The system will perform a database downgrade without applying a downgrade script.
Please refer to product documentation to confirm that the previously-installed
software release does not require a downgrade script for this release.
Proceed with database downgrade [no]? yes
Creating database backup file cms-db-01-05-2007-03-32.dump
Database downgrade succeeded.
CM1# sh cms info
Device registration information :
Device Id = 142
Device registered as = Primary
The cms database downgrade command instructs the Central Manager to examine the Central
Manager database files and remove portions that cannot be configured or managed by the
Central Manager based on the installed software version. After the database downgrade has
finished, use the sh cms info command and verify that the "database downgrade required"
error is no longer present. The services will be listed as not running and will stay in this state
until the cms enable command is executed on the WAE.
Reporting Facilities
This topic explains each of the facilities used by Cisco WAAS for reporting and notification,
including the system report, SNMP, syslog, SMTP, and device logs.
Each Cisco WAE is capable of sending alarms, alerts, and notifications through a number of
interfaces including the following:
Syslog (up to four servers), internal syslog files, and WAE console
System report
Each WAE should be configured with the relevant reporting configuration to ensure that, when
problems arise, the administrator is notified quickly with a concise error message about the
behavior that is being exhibited or symptoms that have been identified.
Cisco WAEs configured with Cisco WAAS software support a number of SNMP Management
Information Bases (MIBs). Some of the SNMP MIBs are owned and managed by Cisco, and
others are industry-standard MIBs that are broadly accepted throughout the networking and
systems community. This list can also be found on Cisco Connection Online (CCO) at:
http://www.cisco.com/en/US/products/ps6870/products_configuration_guide_chapter09186a00
8076386c.html
[Figure callouts: Device, Subsystem, Notification]
Each Cisco WAE can be configured with up to four syslog servers and an alert level. Any
system messages that meet or exceed the configured alert level are not only reported to syslog,
but also are appended to the internal system log file and sent to the Cisco WAE console.
The error book contains a list of all of the messages that can be encountered in the syslog. The
error book can be found at (CCO login required):
http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=cisco/contentdelivery/waas/4.0/WAAS-4.0.3.9-Error_Book&app=Tablebuild&status=showC2A
To enable syslog and console logging:
EDGE1(config)# logging con priority ?
Where:
Each system alert contains a notification timestamp, name of the device, subsystem generating
the alert, name of the alert (notification), and text provided by the subsystem on the alert.
As discussed earlier in this lesson, each WAE reports a status to the Central Manager, which
can be seen in three places:
Devices page
Events such as loss of network connectivity, disabled service, and overload conditions all
trigger alarms with the Central Manager. These alarms raise the system status from green to
yellow to orange to red to ensure that the administrator is alerted to such conditions. Such
alarms include:
User core files or kernel crash dump files are present (indicating a crash)
Network issues
A full list of the alarms that can be raised can be found in the alarm book on CCO at:
http://ftp-sj.cisco.com/cisco/content-delivery/waas/4.0/WAAS-4.0.3.9-Alarm_Book.html
Note
From any location where the system status indicator or device status indicator can be seen,
clicking the indicator takes you to the system status window. The system status window shows:
Hovering over an alarm with the mouse provides a pop-up window containing actions that can
be performed. These actions include:
Edit or monitor the device: links you to the device home page within the Central Manager
View device log: this log is maintained on the Central Manager and by the Central
Manager
The sysreport is accessible via the Device GUI or device CLI and
can be filtered based on date.
The WAE can provide the administrator with a downloadable file called the system report. The
system report is a compressed file that contains all of the relevant configuration, statistical,
reporting, and health information about a particular WAE. The system report should be
considered the first item that is collected from the Cisco WAE devices, along with detailed
information about the network that Cisco WAAS is integrating into.
The system report can be downloaded from the device GUI (see Cisco WAE > Utilities >
Support) or from the device CLI. Because this file can be quite large, a filtering capability is
provided to allow the administrator to specify a date range to keep the size of the file
manageable.
The system report includes the following data:
CLI command output, including show tech, show stat tfo connection, many others
Platform configuration files from internally used directories (/etc, /proc), networking
configuration, disk configuration, file system configuration
Platform state information, including running processes, CPU and memory utilization,
swap utilization, status of modules
Network state information, including open sockets and connections, listening ports
Service state information including TFO, DRE, LZ, CIFS, CMS, authentication, print
services, and others
Note
Generating a system report consumes WAE CPU cycles and memory capacity and might
temporarily decrease system performance.
Cisco WAE system reports can be very large in size, in many cases over 10MB.
The Cisco WAE CLI allows the administrator direct access to the management file system and
log files stored within. Log files can then be viewed directly or copied off of the WAE for
offline analysis. The root of the file system that is accessible from the CLI is the /local1 folder.
Within this folder, subfolders exist that provide access to a variety of log files. Navigating the
filesystem structure on a WAE is nearly identical to navigating the filesystem structure on a
Linux or UNIX system. The following directories are of note when looking for log files:
/local1/core_dir: kernel crash files and core dump files are stored here when a WAE
crashes
Summary
This topic summarizes the key points that were discussed in this lesson.
Summary
The first step in troubleshooting Cisco WAAS is to look at common
issues, including duplex and redirection configuration.
WAE and NME-WAE liveliness can be verified from the Central
Manager GUI as well as from the device CLI.
Each WAE, including the NME-WAE, runs a local service for
central management. Troubleshooting management issues
begins with understanding the configuration and state of this
service.
Cisco WAE devices report alarms and notifications through a
variety of interfaces, including SNMP, syslog, device console, and
Central Manager alarm facilities.
The Cisco WAE system report is an excellent repository of
configuration, logging, and alarm data contained on a Cisco WAE
and should be gathered for any troubleshooting situation.
Lesson 2
Troubleshooting Network
Interception
Overview
This lesson examines how to troubleshoot network interception mechanisms such as Cisco Web
Cache Communication Protocol Version 2 (WCCPv2), policy-based routing (PBR), physical
inline, and Cisco Application Control Engine (ACE). This lesson also examines how to
troubleshoot automatic discovery problems.
Objectives
Upon completing this lesson, you will be able to explain how to troubleshoot network
interception. This includes being able to meet these objectives:
Overview
This topic provides an overview of the process of troubleshooting interception issues.
Troubleshooting Workflow
Validate platform liveliness including management services,
examine common issues, and understand system log files
and locations
Validate network interception and automatic discovery to
ensure that traffic is received and handled by the WAEs
within the Cisco WAAS network
Examine WAN optimization features relative to optimized
connections, optimization policy, statistics, and log files and
locations
Examine application acceleration features relative to
optimized sessions, configured policies, features, statistics,
and log files and locations
The workflow shown in the figure is used throughout all the lessons within the troubleshooting
module. In the first lesson, you learned how to validate Wide Area Application Engine (WAE)
liveliness, management services, reporting infrastructure, and about common issues. In this
lesson, you learn about the mechanisms that are employed to have traffic redirected to the
WAE for optimization. These redirection mechanisms include WCCPv2, PBR, ACE, and
physical inline.
In this lesson, you learn how to examine network interception configuration (WCCPv2, PBR,
physical inline, and ACE) to ensure that traffic is being redirected to the Cisco WAE. You also
learn how to diagnose network interception issues through the course of the lesson. This lesson
also shows you how to examine automatic discovery statistics to determine if peers are not able
to be identified or other situations are occurring.
An incorrect network interception configuration can lead to a number of issues. These can
include application traffic being black-holed (similar to one of the common issues presented in
the first lesson) or traffic not being properly optimized. Another symptom is that traffic is not
being optimized at all.
In general, Cisco WAAS requires four-way interception. This means that interception must
occur in each location where a WAE is deployed, and for both directions of traffic flow. Simply
put, in a single branch office, single data-center deployment, network interception would need
to be configured in the branch office for traffic leaving the branch and for traffic entering the
branch. In the data center, network interception would need to be configured in the data center
for traffic leaving the data center and for traffic entering the data center. In this way, any traffic
going into or out of a location is first sent through a WAE to see if optimization can be applied
or a peer can be automatically discovered.
For WCCPv2, this equates to having one service group in the path of each direction of traffic
flow. For policy-based routing, this equates to having a route-map for each direction of traffic
flow. For physical inline, the WAE sees all traffic traversing the link between the two network
devices that the WAE sits in between, so it naturally sees traffic for both directions of traffic
flow (assuming it is inline for each LAN to WAN connection). As with other interception
mechanisms, with the ACE, traffic interception needs to be configured for both directions of
traffic flow, and WAE stickiness needs to be configured to ensure that the return flow is always
routed through the same WAE in both directions.
[Figure: WCCPv2 service group placement between Client, WAE, and Server. Interface labels: 61 in, 62 in, 61 out, exclude in. Checklist items: Counters incrementing, Correct IOS version]
One of these service groups must be placed in the path for traffic going in one direction, and the
other service group must be placed in the path for traffic going in the opposite direction.
With WCCPv2, you should examine a number of items to validate the configuration and isolate
any WCCPv2-related issues:
Correctly configured services: is one service group in the path for each direction of traffic
flow?
Is the correct redirection mechanism (Generic Routing Encapsulation (GRE), L2) and
return mechanism configured?
Is the interface adjacent to the WAE configured for redirection exclusion? (this could cause
a black-hole)
Is a recommended version of IOS installed? (this could lead to lower stability and
performance)
After these items have been examined, check to make sure that the counters are incrementing
properly on the router and on the WAE.
[Figure: show ip wccp output with callouts: Validate version two is running; Verify that service group 61 is configured]
The first step in troubleshooting WCCPv2 network interception issues is to examine the state of
WCCP on the WCCP server, that is, the router (or whatever device is performing the
redirection). Use the show ip wccp command to examine the global WCCP configuration and
statistics. This command shows:
If the WCCP version configured is version 1, Cisco WAAS interception does not work. Cisco
WAAS requires WCCPv2. In such a case, you need to fix your WCCPv2 configuration.
If the output does not show that both service groups 61 and 62 are configured, WCCPv2 is
configured incorrectly. Verify your device configuration.
If the output does show that WCCPv2 is configured, and service groups 61 and 62 are running,
but counters are not incrementing, verify that traffic is indeed traversing the router in question.
[Figure: show ip wccp output. Callout: if a service group password is configured and an
incorrect password is defined, this counter increments.]
The show ip wccp command also shows how packets are being redirected. This includes:
- Process switching: done in the router processor, which is the least scalable (highest router
  CPU utilization) and provides the least performance
- Fast switching: done in an interface cache on the router, which provides better scale
  (lower CPU utilization) and performance than process switching
- Cisco Express Forwarding (CEF) switching: done in router hardware, which provides
  best scalability (lowest CPU utilization) and highest performance
If a large number of packets are redirected using process switching or fast switching, configure
CEF.
If a redirection access-list (also called a redirect-list) is configured, verify that the redirect-list is
configured correctly and allows the traffic patterns in question to traverse the WAE. The
counter packets denied redirect increments if packets are received that match the criteria in
the access-list. Such traffic is not redirected to the WAE, and as such, automatic discovery for
that traffic does not take place, and optimization is not applied.
If authentication is configured, and passwords are not synchronized or configured properly, the
counter total authentication failures increments. This can be indicative of a WAE not being
able to join the service group due to misconfiguration.
[Figure: show ip wccp interfaces output for FastEthernet0/1.41, listing Output services, Input
services, Mcast services, and Exclude In.]
The next command to use to verify WCCPv2 configuration when troubleshooting interception
problems is show ip wccp interfaces. This command shows you which interfaces have
WCCPv2 redirection configured. Ensure that WCCPv2 is configured to provide interception for
both directions of traffic flow. Furthermore, ensure that the interface adjacent to the WAE is
configured with redirect exclude in such that optimized packets are not considered candidates
for redirection when they return through the router from the WAE.
The show ip wccp <service_group> detail command provides per WCCPv2-client (WAE)
details about the service group. For instance, when executing show ip wccp 61 detail, the
command shows:
By using the output of this command, you can determine if the WAE has been registered for a
significant period of time or a short period of time, which might indicate loss of connectivity,
device reboot, configuration problem, or software process problems. Also, this command helps
the administrator to validate that the WAE is supposed to be receiving a portion of the traffic
that is to be redirected.
If the WAE does not appear in the output of this command, it is not registered to the service
group. This could be caused by an interface configuration issue, WCCPv2 configuration issue
(on the router or on the WAE), or network connectivity issue. In such cases, traffic would not
be redirected to the WAE.
If necessary, debug commands can be used to examine the exchange of HERE_I_AM and
I_SEE_YOU messages that are sent between WCCPv2 clients (WAEs) and servers (routers).
These messages should be exchanged every 10 seconds. Upon adding a WAE to a service
group, the cache acquired message should be displayed. If a WAE is lost, a cache lost
message is displayed. This, coupled with a packet capture on the WAE, can help isolate
problems associated with a WAE joining a WCCPv2 service group on a router.
On the WAE, verify that WCCPv2 is configured, TCP promiscuous services are running, and
that the router is able to see the WAE. If these are not configured correctly, the router can not
redirect traffic to this particular WAE using WCCPv2.
Verify that all applicable routers see the WAE for both service groups 61 and 62. Any routers
that do not see this WAE can not redirect traffic to it, because the router does not consider it to
be a member of the service group.
The show wccp gre command is one of the most versatile troubleshooting commands on the
WAE. This command can be used to examine packet counters for traffic that:
- Has been redirected to the WAE using GRE encapsulation (WCCPv2 GRE redirect)
- Has been redirected to the WAE using Layer-2 forwarding (WCCPv2 L2-forwarding)
- Has been redirected to the WAE using non-GRE and non-Layer 2 (non-WCCP
  interception)
For example, if the transparent non-GRE non-WCCP packets counter increments, that is a
sign that a non-WCCP interception mechanism is configured, such as ACE.
If the transparent GRE packets received or transparent non-GRE packets received
increments, this is a sign that WCCP is configured and operational. Verify that the forwarding
mechanism configured (GRE or Layer-2) aligns with the counter that is incrementing:
- If using Layer-2 redirect, the transparent non-GRE packets received counter increments.
- If using GRE redirect, the transparent GRE packets received counter increments.
Validate the network routing path to ensure that traffic flows through the router and the
configured interfaces.
[Figure: PBR interception topology with client, server, and WAEs. Callouts: interface
configuration with route-maps; counters incrementing; CEF enable/disable on the router; duplex
and bandwidth on interfaces.]
When using PBR with Cisco WAAS, the router must be configured in such a way that any
traffic going toward the WAN or coming in from the WAN is first routed through the WAE as
a next-hop router. This requires:
- A minimum of one access-list that permits TCP traffic. This access-list is referenced by the
  route-map
- A route-map that specifies the access-list as the definition of traffic that is interesting, and
  specifies the WAE as a next-hop router
If some traffic is being redirected but some is not, check the access-list configuration. If no
traffic is being redirected, check the route-map definition, WAE to router network connectivity,
and interface configuration.
PBR configuration is done on the router only. The WAE does not require any configuration
commands for PBR to work. For PBR to work, the WAE must simply be reachable on the
network and connectivity must be possible in both directions of traffic flow. To verify the
access-list configuration, use the show access-list command. The output should:
- Correctly identify any TCP traffic that should and should not be redirected to the WAE
- Contain a deny ip any any at the end to ensure that non-TCP traffic is not redirected to the
  WAE
If the access-list configuration is not correct, some or all traffic might not get redirected to the
WAE.
Next, verify that the route-map is configured properly. The route-map associates the access-list
(which defines interesting traffic) to a set of next-hop routers (WAEs):
- Check to make sure that the correct WAE IP addresses are listed
- Verify that the router can indeed reach the WAE over the network
Finally, use the show ip policy command to verify that the correct route-maps are applied
to the correct interfaces. Ensure that each interface on the router that could be a source or
destination for traffic that needs to be optimized has a route-map configured:
- If a route-map is not configured on an interface, traffic coming into or leaving that interface
  is not redirected. The WAE does not complete automatic discovery and thus can not
  optimize traffic.
- If route-maps are only configured for one direction of traffic flow, the WAE does not
  successfully complete automatic discovery, because it does not see both directions of
  traffic flow and thus can not optimize traffic.
The show wccp gre command on the WAE is useful for verifying that PBR interception is
working correctly. The transparent non-GRE non-WCCP packets received counter
increments as packets are forwarded to the WAE as a next-hop router based on PBR
configuration.
When using the inline adapter in the WAE for interception, be sure to validate that:
- The card is recognized by the WAE and plugged into the network correctly. If the card is not
  recognized, it is in pass-through mode and not intercepting packets for automatic discovery
  or optimization.
- The correct connections are made: the LAN port is plugged into the LAN, and the WAN
  port is plugged into the router. Interception continues to work if not connected correctly,
  but it is a best practice to plug them in correctly.
- The thin piece of paper covering the ports that displays the port descriptions is not pushed
  into the port itself by the cable, thereby blocking electrical connections from the cable to
  the port.
- The LED status indicators show the appropriate speed and link condition.
- The interface group and interface ports are configured correctly in terms of speed and
  duplex. A mismatch here can cause performance problems.
When using inline interception, any packet that is received on a port on the inline card is
analyzed to see if it is a candidate for interception. Traffic is handled as follows:
- Non-TCP traffic is hardware-forwarded to the other port in the group (not intercepted).
- TCP traffic is handed to the Policy Engine to determine if automatic discovery should
  occur (intercepted) based on configured policy.
In this way, any traffic that is not TCP, such as User Datagram Protocol (UDP), Internet
Control Message Protocol (ICMP), and Cisco Discovery Protocol (CDP), is transparently
bridged. As such, CDP can be a helpful tool to verify Layer 2 connectivity between devices that
are separated by a WAE with an inline card. Use the show cdp neighbors (IOS version
dependent) command to make sure that CDP is traversing the WAE between the two devices.
This, of course, requires that both devices on opposite sides of the WAE are running CDP.
The show hardware command can be used to validate that the WAE recognizes the inline
card. Note that versions of software that do not support the inline card do not show that 2
InlineGroup interfaces are present.
If the show hardware command does not show that the inlinegroups are present, verify the
level of software installed on the WAE.
The show inlineport command allows you to view data about each of the four ports on the
inline card. The command should be executed in the form of show inlineport
<slot/group/port>, where:
Group: which port group is being referenced; ports labeled as WAN0 and LAN0 belong to
group 0, whereas ports labeled as WAN1 and LAN1 belong to group 1
Verify that traffic is being seen on both the LAN and WAN interfaces. If the interfaces do not
see packets, ensure that the interfaces are not disabled for some reason. Also, check duplex and
speed configuration on the interfaces themselves as well as the switch. If all else fails, check
the cabling.
Then, check the inlinegroup interface. Note that the inlinegroup interface is the interception
interface, whereas the ports are the physical ports within the inlinegroup. The inlinegroup is set
to either intercept operating mode or bypass operating mode. If the inlinegroup is set to:
- Intercept operating mode: packets received on ports in this inline group are sent to the
  Policy Engine to see if automatic discovery or optimization should take place.
- Bypass operating mode: packets received on ports in this inline group are forwarded to
  the other port in the group without being examined by the policy engine.

- Inline group configuration: if the inline group is not configured properly (VLAN
  configuration, interface enabled), then the group is in bypass.
- Watchdog timer expiration: if there is a software process failure, kernel panic, or power
  outage, the inlinegroup transitions to bypass.
[Figure: ACE interception on a Catalyst 6509 with ACE, showing the original flow, the optimized
flow, and the WAN. Callouts: module verification; VLAN assignments on Cat6K/ACE.]
Troubleshooting the ACE module requires that the ACE configuration be verified step-by-step.
This section examines each of the components of ACE configuration and identifies potential
root causes for issues that might be encountered.
[Figure: show module output listing the sub-modules Policy Feature Card 3 (WS-F6K-PFC3A) and
MSFC3 Daughterboard (WS-SUP720), both with status Ok.]
The first step is to verify that the ACE module is properly installed into the Catalyst 6500
chassis and recognized by the IOS software. Note that the ACE module requires a Supervisor
720 module. Use the show module command within IOS to make sure that the card is properly
recognized.
If the card is not recognized, it can not perform interception, which can lead to flows not being
optimized by Cisco WAAS.
[Figure: show vlan output (VLAN assignments) with Status and Ports columns. Callout: ensure
that VLANs are defined properly.]
The next step is to verify that all the appropriate VLANs are configured on the switch and that
the VLANs are also assigned to the ACE module. First, use the show vlan command in IOS to
verify that the VLANs are defined and the appropriate interfaces are configured in each VLAN.
Then, establish a console connection to the module using the session command within IOS
(that is, session slot 4 processor 0) and log in to the ACE. From the ACE console, execute the
show vlans command to make sure that the appropriate VLANs are assigned to the ACE
module.
If the appropriate VLANs are not assigned to the ACE module, traffic might not be intercepted,
which could lead to flows not being optimized.
[Figure: show rserver detail output. Callout: verify that the WAE rservers are assigned to the
correct serverfarm and are operational.]

 rserver   : WAAS-CORE1, type: HOST
 state     : OPERATIONAL
 max-conns : 4294967295, min-conns : 4294967295
 weight    : 8
    real                  weight state        current    total
 ---+---------------------+------+------------+----------+-------------------
 serverfarm: WAAS
    172.16.2.10:0         8      OPERATIONAL  0          47
        max-conns : 4294967295, total conn-failures : 24
        min-conns : 4294967295

 rserver   : WAAS-CORE2, type: HOST
 state     : OUTOFSERVICE
 max-conns : 4294967295, min-conns : 4294967295
 weight    : 8
    real                  weight state        current    total
 ---+---------------------+------+------------+----------+-------------------
 serverfarm: WAAS
    172.16.2.12:0         8      OUTOFSERVICE 0          0
        max-conns : 4294967295, total conn-failures : 0
        min-conns : 4294967295
The next step is to verify that the rservers have been defined for each of the WAEs. Note that
the rserver is a real server, that is, a definition of each of the WAEs that are adjacent to the
ACE module and are available for operation (to optimize TCP connections). Use the show
rserver detail command to verify that each of the WAEs is defined, that the server-farm
assignment is correct, that the server-farm IP is correct, and that the state of the WAE is
operational.
If a WAE appears to be outofservice, verify that the WAE is online and available on the
network. Also verify the rserver configuration on the ACE module to make sure it is not
disabled.
If no WAEs are operational, traffic is not optimized. If the wrong serverfarm IP address is
supplied, the ACE module might not be able to reach the server farm and traffic might not be
optimized.
[Figure: show serverfarm output.]

    real                  weight state        current    total
 ---+---------------------+------+------------+----------+-------------------
 rserver: WAAS-CORE1
    172.16.2.10:0         8      OPERATIONAL  0          47
 rserver: WAAS-CORE2
    172.16.2.12:0         8      OUTOFSERVICE 0          0
Another helpful command in validating the rserver and serverfarm configuration is show
serverfarm <name>, where <name> is the name of the serverfarm being used. This command
provides a useful table that lists all the rservers, total number of rservers, and state of each.
Use the show service-policy command from the ACE module to verify that the service-policy
is active on the appropriate VLANs. An inactive service policy results in traffic not being
intercepted and load-balanced to the WAE rservers. An invalid VLAN configuration leads to
traffic not being redirected from the right locations within the network, and flows potentially
might not be optimized. From within this command, you can also see the class assigned to the
service-policy. Verify that the class adequately encompasses all traffic that is intended to be
load-balanced.
This command also shows the load-balancing policy as well as the serverfarm that should be
used by this service-policy. Ensure that the correct serverfarm is defined and also verify that the
serverfarm is inservice. Make sure that mac-sticky is configured on the WAE VLAN; if not,
traffic might be load-balanced to a different WAE for each direction of traffic flow, thereby
rendering WAAS unable to automatically discover or otherwise optimize a flow.
On the WAE, the show wccp gre command can be used to validate that the WAE is indeed
receiving traffic that has been load-balanced to it from the ACE module. Validate that the
transparent non-GRE non-WCCP packets received counter increments as traffic flows
through the WAE. If this counter does not increment, check:
- Network configuration
Automatic discovery is the foundational component that enables optimization within Cisco
WAAS. Each WAE needs to be able to advertise its availability for each connection that is to
be optimized, and a peer WAE at the distant end of the network must respond to this
advertisement with its own information. From there, the two negotiate a policy
(least-common-denominator of the configured policies on each WAE) and can begin employing
optimization against a connection.
In environments with asymmetric routing, you should ensure that interception is configured in
such a way that both directions of traffic flow for a given connection traverse the same WAE
device. This can be verified by ensuring that:
- For WCCPv2 environments with multiple WAN routers and WAN connections, WCCPv2
  interception is identical across all entry/exit routers and the WAE is registered against all of
  these routers
- For PBR environments with multiple WAN routers and WAN connections, the same
  route-map configuration is applied consistently across all entry/exit routers and the WAE is
  defined as a next-hop at each
- For ACE environments, the ACE module or a cluster of ACE modules exists physically in
  the path of each direction of traffic flow, and mac-sticky is configured
- For inline environments, the WAEs are physically connected in-path to all WAN
  connections (up to 2)
If only one WAE exists in the path symmetrically, then no optimization can take place. This
means that if two WAEs are in the path for one direction of traffic flow, but only one WAE
exists in the reverse path, no optimization can be applied. The WAE CLI provides useful
insight into issues with automatic discovery, including asymmetric routing events.
The show tfo auto-discovery command on the WAE CLI shows counters related to automatic
discovery events. This includes auto discovery success and failure conditions. Of note are the
allocations success (where automatic discovery completed successfully, structures are
deallocated when connections are torn down) and autodiscovery failures, which are shown in
the figure:
EDGE1# show tfo auto-discovery
Auto discovery structure allocations failure: 0
Auto discovery structure allocations success: 12377
Auto discovery structure deallocations: 12377
Auto discovery structures timed out: 10
Auto discovery table bucket overflows: 0
Auto discovery table overflows: 0
Auto discovery table entry adds: 12206
Auto discovery table entry drops: 12206
Auto discovery table lookups: 13140
Auto discovery table entry count: 0
Packets sent during auto discovery: 34496
Packets received during auto discovery: 25513
Number of route lookup failures: 0
Number of successful route lookups: 1948
Bind hash add failures: 0
Accept socket pair allocation failures: 0
Sock allocation failures: 0
Sock(u) allocation failures: 0
Connect socket lookup failures: 0
Auto discovery failures: 4
Number of resets received during auto discovery: 1830
Packet memory allocation failures: 0
2007 Cisco Systems, Inc.
Each WAE has two tools that are user-accessible via the CLI and assist in troubleshooting
automatic discovery issues: tethereal and tcpdump. Both can be used to capture packets and
save a capture file to the WAE disk. This file can then be copied off of the WAE via FTP or
other means using the copy command.
To use tethereal to capture a trace file:
EDGE1# tethereal -w capture.cap
Capturing on eth0
28
The capture continues until stopped using the Ctrl-break (or Ctrl-C)
keys. When the capture is finished, the file is written to the WAE
filesystem in the current working directory:
EDGE1# ls
!
capture.cap
!
EDGE1# Jan 27 21:14:0
Tethereal can also be filtered for a specific interface. This is especially helpful when using an
inline card when you want to capture packets from the LAN-side or the WAN-side of an inline
group. Use the show interface inlineport <slot/group/port> command (that is, show interface
inlineport 1/0/LAN) to determine the interface identifiers from an inlineport:
EDGE1# show int inlineport 1/0/LAN
Device name : eth5. Bypass slave interface.
!
To filter tethereal to use a specific interface and write a capture file:
EDGE1# tethereal -w capture.cap -i eth5
TCPdump uses the same configuration options as tethereal. The choice of using tethereal versus
tcpdump is based strictly on preference.
[Figure: automatic discovery between client, WAE, and server, showing the Client:Server TCP SYN.]
A trace taken from the client PC shows the TCP SYN packet with the appropriate IP addresses
and TCP port information. This packet is intercepted and redirected to the WAE (depending on
type of interception used).
[Figure: automatic discovery between client, WAE, and server, showing the Client:Server TCP SYN
entering the WAE and the Client:Server TCP SYN+OPT leaving it.]
This capture, taken on the WAE (configured using WCCPv2 interception) shows that the
original SYN packet is seen (upper packet) and the SYN packet with TCP option 0x21 (option
33) applied, indicating that the WAE near the user is attempting automatic discovery. Notice
the appearance of an unknown option (0x21) that is 12 bytes in length. This indicates Cisco
WAAS automatic discovery.
If the SYN packet coming out of the WAE does not include TCP option 0x21, check:
[Figure: automatic discovery between two WAEs and the server, showing the Client:Server TCP
SYN+OPT on both sides of the second WAE.]
Notice that the SYN with options propagates all the way to the origin server. This is done to
identify every WAE in the network path between the client and the server.
If the SYN packet coming into the WAE does not include TCP option 0x21, check:
- Device scrubbing options: Is there a firewall or other device between the WAEs that
  might be scrubbing TCP options?
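The check described above, as an added example (not from the course material): a parser that walks the TCP options of raw headers captured at two points and reports whether option 0x21 (12 bytes long, as stated in the text) was added, preserved, or scrubbed in between. The headers, port numbers, and the all-zero option value are constructed sample data; the real option payload is not described on this page.

```python
import struct

WAAS_AD_OPTION = 0x21   # TCP option kind 33, as described in the text
WAAS_AD_LENGTH = 12     # total option length in bytes, as described in the text
SYN = 0x02


def build_tcp_header(flags, options=b""):
    """Build a constructed TCP header (ports/seq are sample values, checksum 0)."""
    options += b"\x01" * (-len(options) % 4)      # NOP-pad to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", 49152, 445, 1000, 0,
                        data_offset << 4, flags, 65535, 0, 0)
    return fixed + options


def parse_tcp_options(tcp_header):
    """Return [(kind, total_length, value_bytes)] from a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    header_len = (tcp_header[12] >> 4) * 4
    if header_len < 20 or header_len > len(tcp_header):
        raise ValueError("bad data offset")
    raw = tcp_header[20:header_len]
    options, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                  # End of Option List: stop parsing
            break
        if kind == 1:                  # NOP is a single byte with no length field
            options.append((1, 1, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind without a length byte")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"option {kind:#x} has invalid length {length}")
        options.append((kind, length, raw[i + 2:i + length]))
        i += length
    return options


def autodiscovery_option(tcp_header):
    """Return (length, value) of option 0x21, or None if it is not present."""
    for kind, length, value in parse_tcp_options(tcp_header):
        if kind == WAAS_AD_OPTION:
            return length, value
    return None


def compare_capture_points(sent, received):
    """Classify what happened to option 0x21 between two capture points."""
    before = autodiscovery_option(sent)
    after = autodiscovery_option(received)
    if before is not None and after is not None:
        return "preserved" if before == after else "modified"
    if before is not None:
        return "scrubbed"              # present upstream, missing downstream
    if after is not None:
        return "added"                 # a WAE marked the packet in between
    return "absent"


# Constructed sample headers (not taken from a real capture).
MSS = bytes([2, 4]) + struct.pack("!H", 1460)
SACK_OK = bytes([4, 2])
AD = bytes([WAAS_AD_OPTION, WAAS_AD_LENGTH]) + bytes(10)   # opaque placeholder value

client_syn = build_tcp_header(SYN, MSS + SACK_OK)
edge_wae_out = build_tcp_header(SYN, MSS + SACK_OK + AD)
core_wae_in = edge_wae_out
# One way an intermediate device can scrub an option: overwrite it with NOPs.
after_firewall = build_tcp_header(SYN, MSS + SACK_OK + b"\x01" * WAAS_AD_LENGTH)

if __name__ == "__main__":
    print("client -> edge WAE out:", compare_capture_points(client_syn, edge_wae_out))
    print("edge WAE out -> core WAE in:", compare_capture_points(edge_wae_out, core_wae_in))
    print("edge WAE out -> behind firewall:",
          compare_capture_points(edge_wae_out, after_firewall))
```

A "scrubbed" result between the two WAEs points at an intermediate device rather than at either WAE's interception configuration.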
[Figure: automatic discovery between two WAEs and the server, showing the Server:Client TCP
SYN-ACK from the server and the Server:Client TCP SYN-ACK with OPT leaving the core WAE.]
This capture is taken from the core WAE near the server. The top packet is the SYN/ACK
packet sent by the server back to the user. The bottom packet is the SYN/ACK packet after the
WAE has applied TCP option 0x21 (option 33) to attempt to complete automatic discovery. A
packet capture on the WAE close to the user shows the receipt of a TCP SYN/ACK packet with
TCP option 0x21 set.
If the SYN/ACK packet coming out of the core WAE does not include TCP option 0x21,
check:
Summary
This topic summarizes the key points that were discussed in this lesson.
- Troubleshooting network interception issues involves validation of configuration on the
  interception device and on the Cisco WAE.
- WCCPv2 interception troubleshooting starts with service group definition, interception
  configuration, and WCCPv2 statistics.
- WCCPv2 statistics on the WAE are also helpful in troubleshooting other interception
  mechanisms such as PBR and ACE.
- PBR troubleshooting involves verifying access-list configuration and route-map
  configuration.
- ACE troubleshooting involves verification of VLANs, WAE rservers, serverfarms, and
  service policies.
- Automatic discovery counters provide valuable insight into Cisco WAAS troubleshooting by
  identifying routing loops, intermediary devices, successful discoveries, and failed
  discoveries.
Lesson 3
Troubleshooting WAN Optimization
Overview
This module explains how to initially configure the Cisco Wide Area Application Engine
(WAE) and Wide Area Application Services (WAAS) software, activate WAE devices, and
define network interception options including Web Cache Communication Protocol version 2
(WCCPv2) and Policy-Based Routing (PBR).
Objectives
Upon completing this lesson, you will be able to describe the process of troubleshooting WAN
optimization. This includes being able to meet these objectives:
Examine the policy applied to a flow, the configured policy, and the negotiated policy
Overview
This topic provides an overview of the process of troubleshooting WAN optimization issues.
Troubleshooting Workflow
- Validate platform liveliness including management services, examine common issues, and
  understand system log files and locations
- Validate network interception and automatic discovery to ensure that traffic is received and
  handled by the WAEs within the Cisco WAAS network
- Examine WAN optimization features relative to optimized connections, optimization policy,
  statistics, and log files and locations
- Examine application acceleration features relative to optimized sessions, configured
  policies, features, statistics, and log files and locations
This is the third module of four that cover troubleshooting Cisco WAAS. The first two discuss
common issues, device liveliness, management services, reporting, network interception, and
automatic discovery. This module focuses on the WAN optimization features included in Cisco
WAAS and troubleshooting optimization issues. This module covers examination of
connections that are optimized or passed-through, configured and negotiated optimization
policy, statistics for each of the optimizations, and log files and locations related to
optimization functions. The last segment in this module discusses Common Internet File
System (CIFS) acceleration and print services.
To appropriately troubleshoot the WAN optimization capabilities of Cisco WAAS, you must be
able to understand how to identify the way a connection is being handled, how policies are
negotiated and applied, and how to find data about connections that are optimized or
passed-through, and understand statistics.
The policy is the component that determines how an optimization is applied to a connection
that has successfully completed automatic discovery. Before troubleshooting WAN
optimization features, ensure that the connection is going through automatic discovery
successfully, and ensure that you are able to identify which WAEs are optimizing the flow.
If the policy applied is incorrect or there is an issue with policy negotiation or configuration, a
number of symptoms can appear:
- Traffic not being optimized to the degree that one would expect
- Miscalculated statistics
A best practice in ensuring that the appropriate policy configuration is synchronized across all
devices within a Cisco WAAS network is to employ policies at a device group level. This
requires statically configuring each WAE to use the device group as its parent for retrieving
configured policy.
[Figure: show tfo connection summary output.]

 Remote-IP:Port       ConId   PeerId              Policy
 2.2.2.100:4050       15637   00:11:25:aa:c1:e8   F,F,F,F
 2.2.2.100:4050       15638   00:11:25:aa:c1:e8   F,F,F,F
 2.2.2.100:4050       15639   00:11:25:aa:c1:e8   F,F,F,F
 10.10.13.100:3389    34735   00:11:25:aa:c1:e8   T,T,T,T
 10.10.10.100:1025    34739   00:11:25:aa:c1:e8   F,F,F,F
 10.10.10.100:1025    34747   00:11:25:aa:c1:e8   F,F,F,F
 10.10.10.100:80      34755   00:11:25:aa:c1:e8   L,F,L,L
 10.10.10.100:80      34756   00:11:25:aa:c1:e8   L,F,L,L

 Pass-Through Connections
 Local-IP:Port        Remote-IP:Port
 2.2.2.100:25737      10.10.10.10:443
 2.2.2.100:11496      10.10.10.100:445
 10.10.13.100:3813    10.10.10.100:135
 10.10.13.100:3793    10.10.10.100:135
The show tfo connection summary command is useful for examining a list of connections that
the WAE is seeing. Any connections that are being optimized appear in the optimized
connection list, and any connections that are being passed-through appear in the pass-through
connections list. Any connection that appears as pass-through also displays the type of
connection that is being passed through.
For the optimized connections, each connection consumes one line of the output. This
line includes the four-tuple of the connection (source IP, destination IP, source port, and
destination port) as well as a connection identifier that is internal to the Cisco WAAS
software. The WAE peer that was automatically discovered is also listed based on device ID,
which is equal to the WAE MAC address, as well as the policy flags.
The policy flags are split into four columns. The first column is the configured policy on the
local device. The second column is the configured policy on the auto-discovered peer. The third
column is the policy that was negotiated (the least common denominator of the two configured
policies), and the fourth column is the applied policy (the negotiated policy, applied if system
resources permit).
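The four-column policy check described above, as an added example (not Cisco code): it parses optimized-connection rows, recomputes the least common denominator of the local and peer policies, and flags rows where the columns disagree. The meaning of the policy letters (F = TFO+DRE+LZ, D = TFO+DRE, L = TFO+LZ, T = TFO only) is an assumption not stated in this section; the first three rows use values shown in the show tfo connection summary figure, and the last two are constructed.

```python
# Assumed meaning of the policy letters (not defined in this section).
FEATURES = {
    "F": frozenset({"TFO", "DRE", "LZ"}),
    "D": frozenset({"TFO", "DRE"}),
    "L": frozenset({"TFO", "LZ"}),
    "T": frozenset({"TFO"}),
}
LETTER = {features: letter for letter, features in FEATURES.items()}


def negotiate(local, peer):
    """Least common denominator: keep only features both sides are configured for."""
    return LETTER[FEATURES[local] & FEATURES[peer]]


def parse_row(line):
    """Parse one 'Remote-IP:Port ConId PeerId Policy' row into a dict."""
    remote, con_id, peer_id, policy = line.split()
    flags = policy.split(",")
    if len(flags) != 4 or any(flag not in FEATURES for flag in flags):
        raise ValueError(f"unexpected policy field: {policy!r}")
    local, peer, negotiated, applied = flags    # column order as given in the text
    return {"remote": remote, "con_id": con_id, "peer_id": peer_id,
            "local": local, "peer": peer,
            "negotiated": negotiated, "applied": applied}


def audit(row):
    """Return a list of findings for one parsed row (empty list means consistent)."""
    findings = []
    if row["local"] != row["peer"]:
        # The two WAEs are configured differently for this traffic class.
        findings.append("config-mismatch")
    if row["negotiated"] != negotiate(row["local"], row["peer"]):
        findings.append("negotiation-unexpected")
    if FEATURES[row["applied"]] < FEATURES[row["negotiated"]]:
        # Per the text, the negotiated policy is applied only if resources permit.
        findings.append("applied-below-negotiated")
    elif row["applied"] != row["negotiated"]:
        findings.append("applied-unexpected")
    return findings


def audit_summary(text):
    """Audit every non-comment row; return {ConId: [findings]}."""
    results = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        row = parse_row(line)
        results[row["con_id"]] = audit(row)
    return results


SAMPLE = """
# rows with values from the figure on this page
2.2.2.100:4050     15637  00:11:25:aa:c1:e8  F,F,F,F
10.10.13.100:3389  34735  00:11:25:aa:c1:e8  T,T,T,T
10.10.10.100:80    34755  00:11:25:aa:c1:e8  L,F,L,L
# constructed rows to show the failure cases
192.0.2.10:80      99001  00:00:5e:00:53:01  F,F,F,T
192.0.2.10:445     99002  00:00:5e:00:53:01  D,L,F,F
"""

if __name__ == "__main__":
    for con_id, findings in audit_summary(SAMPLE).items():
        print(con_id, ", ".join(findings) or "consistent")
```

A config-mismatch finding is the case the device group best practice addresses: the two WAEs hold different policy for the same traffic, and the lower of the two is what gets negotiated.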
[Figure: the same show tfo connection summary output. Callout: policy summary, including local
policy, peer policy, negotiated policy, and applied policy.]
The figure shows the same output of the show tfo connection summary command. Notice the
peer identification and policy flags for each policy.
[Figure: the same show tfo connection summary output. Callouts: pass-through connections;
connection details; reason for pass-through.]

 Pass-Through Connections
 Local-IP:Port        Remote-IP:Port       Conn Type
 2.2.2.100:25737      10.10.10.10:443      Internal Client
 2.2.2.100:11496      10.10.10.100:445     App Dyn Mtch Non-Optimized
 10.10.13.100:3813    10.10.10.100:135     Accelerator Optimized
 10.10.13.100:3793    10.10.10.100:135     Accelerator Optimized
The figure shows the same output of the show tfo connection summary command. Notice that
each pass-through connection is identified, along with its connection type. Some
internally-generated connections, such as a connection between Wide Area File Services
(WAFS) Edge WAEs and WAFS Core WAEs are configured for pass-through based on the
policy. Such connections might be transferring latency-sensitive data in small packet sizes
where optimization provides no benefit.
After you have identified connections that are being handled by a WAE, either as optimized or
as pass-through, the next step is to validate the policy configuration on both the WAE and its
peer. If the policy applied is incorrect, this could be caused by one of the following:
The policy configured on the device group that either the local device or the peer device is configured to use is incorrect.
A service is not functioning, or one of the two devices is experiencing heavy load. See the show tfo accelerators command later in the module.
The policy configuration on each WAE in the path can be examined either from the command line
interface (CLI) or from the Central Manager. From the CLI, use the show running-config command
(that is, just show run) and verify that:
Match conditions for the classifier are correct, that is, match <src|dst> <ip|port> eq <identifier>
Policy map exists, that is, map basic, followed by name <application name> classifier <classifier name>, followed by the appropriate action
Traffic that is not explicitly classified and associated with a policy is optimized based on the
configuration of the map other statement. This is considered the default policy.
The Central Manager GUI can also be used to verify the application definition, classifier and
match conditions, and policy map.
To ensure consistency throughout the WAAS network, it is best to configure each WAE in the
topology to explicitly pull its optimization policy from a device group. This device group
should be where all policy configuration changes are applied. Devices that are configured to
explicitly receive policy from this device group automatically receive any changes made to the
policies via the Central Manager LIM Controller Module (LCM) cycle.
Another possible reason why specific optimizations are not being employed is that the
optimizations are not enabled or are under significant amounts of load. Use the show tfo status
CLI command to validate whether each of the optimization components is enabled.
These components include DRE, LZ compression, and TFO. If all components are enabled, the
command reports optimize full. The output of the command also reports the state of TFO.
Global optimization capabilities for a WAE device or a WAE device group can be configured
at Devices > (Devices or Device Groups) > (Entity Name) > Acceleration > General Settings.
Any feature with a checkmark next to it is enabled. Any feature missing a checkmark is
disabled. If a WAE is configured to explicitly pull its policy and configuration from a device
group, as shown in the figure, then this page does not allow you to modify these settings. In
such a case, they need to be modified in the device group configuration page.
[Figure: output of the show tfo accelerators command.]
The show tfo accelerators command shows the liveliness of each of the acceleration
components. This includes:
TFO: TFO is the data-path of the Cisco WAE, and includes TCP optimization, DRE, and
LZ compression.
EPM: EPM is the end-point mapper classification system for DCOM traffic (dynamically
assigned ports).
The handling level is of interest, as it reports the amount of load the subsystem is able to
receive based on current workload. If the handling level for an accelerator is set to 100%, it is
operating correctly and able to receive workload. If the handling level for an accelerator is set
to 0%, it is experiencing one of the following:
Note
The WAFS Core service always reports the CIFS accelerator handling level of 0%.
After automatic discovery has been verified, policy has been verified, and accelerator liveliness
has been verified, the WAE CLI can be used to examine details about each of the connections
being handled by the WAE. This section examines the CLIs that provide granular details about
each connection.
[Figure: CLI help for the show tfo connection command, listing the filters client-ip (source IP address), client-port, peer-id, server-ip (destination IP address), server-port, and summary.]
The show tfo connection command is the command that provides insight into all the details
about an optimized connection. It can be filtered in a variety of ways, including:
Client IP address
Peer identifier
Server IP address
[Figure: output of the show tfo connection command filtered on server port 80.]
If used with no parameters, that is, simply executing the show tfo connection command, a
detailed set of statistics appears for each connection handled by the WAE. This is analogous to
executing show interface on a switch that has a large number of interfaces. In most
deployment situations, the WAE is handling a large number of connections, so it is best to filter
the output of the show tfo connection command, as shown in the figure, where the command is
filtered to show only connections involving server TCP port 80, that is, web server.
The output of the command shows details about each connection that matches the filter list,
including:
Internal connection ID
Four-tuple of the connection, source IP, destination IP, source TCP port, and destination
TCP port
Policy flags: locally configured policy, peer's configured policy, negotiated policy, and
applied policy
The next figure shows additional data found in the output of this command.
[Figure: output of the show tfo connection command filtered on server port 80, continued.]
The next section in the output of the command shows two columns:
The first column shows the data relative to the TCP proxy connection that is facing the
source of the connection.
The second column shows the data relative to the TCP proxy connection that is facing the
destination of the connection.
Source <-> WAAS is the unoptimized connection from the WAE to the client workstation
WAAS <-> Destination is the unoptimized connection from the WAE to the server.
The above is true for typical connections that are initiated from the client and terminated on the
server. For protocols that are initiated by the server to the client, for example, active mode FTP,
the values would be the reverse.
Notice that the output of the command displays the current read and write state for the
connection. The connection should be in a read or write state. The state is related to the buffers
allocated to the connection facing the source or the connection facing the destination.
Additional data is also provided in the output of the show tfo connection command. This
information includes:
Note
The bytes read and bytes written provide insight into the compression that has been
employed for the connection. This data is the foundation for calculating compression
statistics.
Note
Number of encodes and decodes are only relevant when the connection is being optimized
by Data Redundancy Elimination (DRE). An encode operation is called when data coming in
should be redundancy eliminated. A decode operation is called when data coming in was
previously encoded and needs to be decoded.
Latency data is sampled, and the number in the parentheses indicates the number of samples
that have been taken.
When examining the current and previous read state, the states listed can be interpreted as:
N. Read Wait (network read wait): Waiting for data to arrive from the network
P. Read Wait (pacing read wait): Waiting for buffer space to become available for this
side of the connection
Read shutdown: Remote side has terminated the connection via a TCP FIN closing the
connection or RST resetting the connection
When examining the current and previous write state, the states listed can be interpreted as:
D. Write Wait (data write wait): Waiting for data to write, reading peer connection or
encode/decode data if DRE is being used
N. Write Wait (network write wait): Waiting for socket to become writable
Write shutdown: The WAE initiated a close by a FIN or RST due to the connection being
torn down by a FIN or RST
If the connection is configured for TFO only, with no compression, the TCP opt. only xfer
mode is set to a value other than n/a.
The read and write buffer sizes are also displayed in the output of the show tfo connection
command. Because the WAE is a transparent TCP proxy, data that is written into the buffer on
one side of the connection is processed by the WAE and then transmitted through the buffer on
the optimized side of the connection. The command output also shows the number of bytes read
versus written, which indicates the amount of compression provided by the WAEs optimizing
the connection.
The output of the command also shows the number of encode and decode operations that have
occurred for this connection. These values are only relevant if DRE is configured for the
connection. These counters increment as data is extracted from the TCP buffers and passed to
DRE for encode compression or decode decompression operations.
The read queue latency, in milliseconds, displays the average time data spends in the read
queue, entering the device. The number in the brackets is the number of samples taken against
data to generate the read queue latency. Similarly, the write queue latency, in milliseconds,
displays the average time data spends in the write queue, leaving the device.
The encode decode latency in milliseconds is the amount of time taken by DRE to perform
encode or decode operations against data from the flow.
The TFO transaction logs provide a means by which to examine the behavior of previously
seen TCP connections. These files are stored in a rolling log and include all of the data relevant
to the connection, as shown in the figure.
Before TFO transaction log data is written, TFO transaction logging must be enabled on the
WAE where the logging should occur. TFO transaction logging can be enabled by using the
transaction-logs tfo enable command from global configuration mode and verified via the
show transaction-logging command.
CORE1# pwd
/local1
CORE1# cd logs/tfo
CORE1# pwd
/local1/logs/tfo
CORE1# dir
size                                     name
-------------- ------------------------- -----------
        155429 Wed Jan  3 06:00:00 2007  tfo_log_2.2.2.2_20070103_050000.txt
        153701 Wed Jan  3 07:00:03 2007  tfo_log_2.2.2.2_20070103_060000.txt
         52054 Wed Jan  3 07:20:52 2007  tfo_log_2.2.2.2_20070103_070000.txt
         52054 Wed Jan  3 07:20:52 2007  working.log
TFO transaction logs are stored in the /local1/logs/tfo directory. The working.log file contains
the latest TCP connections that have closed, whereas the tfo_log*.txt files contain connections
prior to the latest TCP connections that have closed.
[Figure: output of the type-tail working.log command on EDGE1.]
The type-tail command can be used to view any of the TFO transaction log files, including the
working log file. Note that a single TFO transaction log entry can span many lines, and each
field within the transaction log is separated by a colon.
[Figure: Pass-Through Connections. Output of the type-tail working.log command on EDGE1, with callouts on the timestamp, BP (bypass), the four-tuple of the bypassed connection, and the reason the connection was bypassed (including no peer identified, also asymmetric routing).]
Entries in the TFO transaction log for pass-through connections are very short and only contain
a few fields:
Timestamp: Indicates the date and time that the TCP connection was encountered
Bypass notification: The field immediately after the timestamp shows BP, indicating that
the connection is bypassed
Four-tuple: Source IP, destination IP, source TCP port, and destination TCP port
Reason for bypass: Including no identified peer, could not complete automatic discovery
[Figure: Optimized Connection. Output of the type-tail working.log command on EDGE1.]
Entries in the TFO transaction logs for optimized connections, however, span many lines and
contain a great deal of data. The next few sections examine each of these fields and discuss
what they are useful for showing.
The first thing to note is that the START and END of a connection are logged. Notice these
indicators in the figure where it says START and END. Each is immediately followed by the word
EXTERNAL, which means that the entry marks the START or the END of a connection that is
EXTERNAL to the WAE, that is, not started by the WAE itself. Connections that were initiated by
the WAE, for example, CIFS acceleration connections or management connections, would be
listed as INTERNAL.
The transaction logs also indicate the four-tuple of the connection, as well as the peer ID of the
WAE identified during the automatic discovery process. This helps to identify which other WAE
was optimizing this particular connection at the time.
The three flags that are called out in the first log entry indicate:
The policy applied to the connection, which is the least common denominator of the two
configured policies unless overload conditions or service failures were present
In the bottom log entry, the flags that are called out include the number of bytes that are
exchanged on the optimized and non-optimized connection segments. These are explained in
the next few sections.
The first field is the number of bytes read on the connection from the source to the WAE. The
directionality of traffic flow and posture of the WAE relative to the flow is shown in the figure.
The second field is the number of bytes written on the connection from the WAE toward the
destination. The directionality of traffic flow and posture of the WAE relative to the flow is
shown in the figure.
The third field is the number of bytes read on the connection from the destination to the WAE.
The directionality of traffic flow and posture of the WAE relative to the flow is shown in the
figure.
The fourth field is the number of bytes written on the connection from the WAE to the source.
The directionality of traffic flow and posture of the WAE relative to the flow is shown in the
figure.
The remainder of the transaction log entry contains information about read and write latencies,
as well as the number of samples. These are shown in the next few figures.
[Figure: latency measurement points in the WAE. Labels: Source <-> WAAS, TCP Proxy, DRE, DRE Encode or Decode Latency, WAAS <-> Destination.]
First field: The amount of read latency for traffic coming into the WAE from the network
path toward the source of the connection. The number in the parentheses is the number of
samples taken to calculate the read latency.
Second field: The amount of latency spent passing the data through DRE for encoding or
decoding for traffic coming in from the source going toward the destination.
[Figure: latency measurement points in the WAE, continued. Labels: Source <-> WAAS, TCP Proxy, DRE, WAAS <-> Destination.]
Third field: The amount of write latency for traffic leaving the WAE to the network path
toward the source of the connection. The number in parentheses is the number of samples
taken to calculate the read latency.
Fourth field: The amount of read latency for traffic entering the WAE from the network
path toward the destination of the connection. The number in parentheses is the number of
samples taken to calculate the read latency.
[Figure: latency measurement points in the WAE, continued. Labels: Source <-> WAAS, TCP Proxy, DRE, DRE Encode or Decode Latency, WAAS <-> Destination.]
Fifth field: The amount of latency spent passing the data through DRE for encoding or
decoding for traffic coming in from the destination going toward the source.
Sixth field: The amount of write latency for traffic leaving the WAE toward the destination
of the connection. The number in parentheses is the number of samples taken to calculate
the read latency.
Compression Statistics
This topic explains how to examine compression statistics and logs, and how to troubleshoot
compression problems including low compression.
Compression Statistics
The Cisco WAE CLI presents a number of important compression-related statistics on a
connection-by-connection basis.
This data is helpful in verifying that compression is working, or for resolving problems associated with:
Low compression ratio
Uncompressible content
Loss of DRE synchronization between WAEs
Compression statistics for each connection optimized by way of DRE and persistent LZ
compression can be viewed from the WAE CLI. This data is helpful in not only verifying that
compression is working, but also identifying problems associated with low compression ratios,
uncompressible content, or loss of synchronization.
[Figure: output of the show statistics dre connection command, a table with the columns Peer No, Client-ip:port, Server-ip:port, Encode-in/Decode-in, and Status (A-Active, C-Closed), with a callout on the connection four-tuple.]
The show tfo connection command is helpful in examining statistics about each connection,
including the configured and applied policy. If the policy includes compression, either DRE or
LZ compression, the show statistics dre connection command provides a tabular list of all
connections that are being optimized by DRE. This table provides:
Peer number
The show statistics dre connection command can be filtered in a similar fashion to the show
tfo connection command. It is recommended, given the large number of connections a WAE
might be handling, to always filter the output of this command to show only the relevant
connections.
Using the show statistics dre connection <filter> command allows you to gather additional
data about each connection that is being optimized by compression. The output of this
command is examined in more detail in this and the next few figures.
The first portion of the output shows:
This data is similar to the output of the tabular view provided by the show statistics dre
connection command, but the remainder of the output provides far more detail.
Encode:
   Overall: msg: 908, in: 15608 KB, out: 311 KB, ratio: 98.00%
   DRE: msg: 908, in: 15608 KB, out: 337 KB, ratio: 97.84%
   LZ: msg: 235, in: 137 KB, out: 111 KB, ratio: 18.59%
   Bypass: msg: 0, in: 0 B, partial chunks: 80744 B
   Latency: (Last 3 sec)max 2 ms, (Last 3 sec)avg 0 ms (cumulative)total 988 ms
   Message size distribution:
   0-1K=2% 1K-5K=10% 5K-15K=41% 15K-25K=25% 25K-40K=15% >40K=5%
Decode:
   Overall: msg: 1, in: 29 B, out: 406 B, ratio: 92.86%
   DRE: msg: 1, in: 29 B, out: 406 B, ratio: 92.86%
   LZ: msg: 0, in: 0 B, out: 0 B, ratio: 0.00%
   Bypass: msg: 0, in: 0 B
   Latency: (Last 3 sec)max 0 ms, (Last 3 sec) avg 0 ms, (cumulative) total 0 ms
   Message size distribution:
   0-1K=0% 1K-5K=0% 5K-15K=0% 15K-25K=0% 25K-40K=0% >40K=0%
When the connection was open, and if the connection is active or closed
Bypass: The statistics relative to portions that were not compressed. A counter for partial
chunks is also listed; a partial chunk is a portion of data that is a remainder at the end of a
data set, and repeatability is generally not very likely to be found in a partial chunk.
Message size distribution: This shows the size of the message that was handed to the
compression library from the TCP buffers. This is helpful in identifying whether or not an
application is using small messages or large messages.
Cache:
   Status: Usable, Oldest Data (age): 23d8h
   Total usable disk size: 57720 MB, Used: 7.90%
   Hash table RAM size: 230 MB, Used: 6.00%
   Connections: Active: 6
The show statistics dre command displays data about the usability
of the DRE cache, age of the oldest data, percentage of capacity
utilized, and number of DRE-optimized connections.
This command also reports system-wide data relating to
compression ratios, message size distribution, and latency.
The oldest data in the DRE compression history; this resets if the cache is cleared.
If the oldest data is less than a week old, there is probably too little compression history in the
device, and additional capacity might be necessary if performance is not meeting expectations.
Low Compression
Smaller message distribution sizes reflect a protocol that either exchanges only small amounts of
information (telnet) or is bound by application-layer latency.
Conn-ID: 38837 10.10.13.100:1515 -- 10.10.10.10:23 Peer No: 0 Status: Active
------------------------------------------------------------------------------
Open at 01/04/2007 06:42:24, Still active
Encode:
   Overall: msg: 135, in: 14060 B, out: 12808 B, ratio: 3.01%
   DRE: msg: 135, in: 14060 B, out: 13476 B, ratio: 2.62%
   DRE Bypass: msg: 0, in: 0 B
   LZ: msg: 46, in: 12322 B, out: 12008 B, ratio: 1.09%
   LZ Bypass: msg: 89, in: 1154 B
   Avg latency: 0.000 ms
   Message size distribution:
   0-1K=97% 1K-5K=3% 5K-15K=0% 15K-25K=0% 25K-40K=0% >40K=0%
Decode:
   Overall: msg: 65, in: 517 B, out: 156 B, ratio: 0.00%
   DRE: msg: 65, in: 513 B, out: 156 B, ratio: 0.00%
   DRE Bypass: msg: 0, in: 0 B
   LZ: msg: 1, in: 56 B, out: 52 B, ratio: 0.00%
   LZ Bypass: msg: 64, in: 461 B
   Avg latency: 0.000 ms
   Message size distribution:
   0-1K=100% 1K-5K=0% 5K-15K=0% 15K-25K=0% 25K-40K=0% >40K=0%
Small message size distribution: Latency-sensitive applications that use small messages
and small buffers are typically difficult for DRE to compress due to how small they are.
This can be verified by looking at the message size distribution in the output of the show
statistics dre connection filter command.
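The following added example (not part of the original course material) parses the detailed show statistics dre connection output from this section's two figures and flags the small-message pattern described here. The function names, the 10 percent and 90 percent thresholds, and the 1024-byte KB are assumptions, and the sample text is transcribed from the figures, so spacing on a real WAE may differ.

```python
import re

# Assumption: KB/MB in the CLI output are binary multiples of a byte.
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# One statistics row, e.g. "DRE: msg: 908, in: 15608 KB, out: 337 KB, ratio: 97.84%".
# Bypass rows carry no out/ratio pair, so that part of the pattern is optional.
ROW_RE = re.compile(
    r"^\s*(?P<stage>[A-Za-z][A-Za-z ]*?):\s*msg:\s*(?P<msg>\d+),"
    r"\s*in:\s*(?P<in>\d+)\s*(?P<in_u>[KMG]?B)"
    r"(?:,\s*out:\s*(?P<out>\d+)\s*(?P<out_u>[KMG]?B),"
    r"\s*ratio:\s*(?P<ratio>\d+(?:\.\d+)?)%)?"
)
BUCKET_RE = re.compile(r"(\S+?)=(\d+)%")

# Values transcribed from the page's first figure (excerpt); layout is assumed.
HIGH_SAMPLE = """\
Encode:
   Overall: msg: 908, in: 15608 KB, out: 311 KB, ratio: 98.00%
   DRE: msg: 908, in: 15608 KB, out: 337 KB, ratio: 97.84%
   LZ: msg: 235, in: 137 KB, out: 111 KB, ratio: 18.59%
   Bypass: msg: 0, in: 0 B, partial chunks: 80744 B
   Latency: (Last 3 sec)max 2 ms, (Last 3 sec)avg 0 ms (cumulative)total 988 ms
   Message size distribution:
   0-1K=2% 1K-5K=10% 5K-15K=41% 15K-25K=25% 25K-40K=15% >40K=5%
Decode:
   Overall: msg: 1, in: 29 B, out: 406 B, ratio: 92.86%
   DRE: msg: 1, in: 29 B, out: 406 B, ratio: 92.86%
"""

# Values transcribed from the page's "Low Compression" figure (encode side only).
LOW_SAMPLE = """\
Conn-ID: 38837 10.10.13.100:1515 -- 10.10.10.10:23 Peer No: 0 Status: Active
Open at 01/04/2007 06:42:24, Still active
Encode:
   Overall: msg: 135, in: 14060 B, out: 12808 B, ratio: 3.01%
   DRE: msg: 135, in: 14060 B, out: 13476 B, ratio: 2.62%
   DRE Bypass: msg: 0, in: 0 B
   LZ: msg: 46, in: 12322 B, out: 12008 B, ratio: 1.09%
   LZ Bypass: msg: 89, in: 1154 B
   Avg latency: 0.000 ms
   Message size distribution:
   0-1K=97% 1K-5K=3% 5K-15K=0% 15K-25K=0% 25K-40K=0% >40K=0%
"""


def to_bytes(value, unit):
    return int(value) * UNITS[unit]


def parse_dre_connection(text):
    """Return {'encode': {...}, 'decode': {...}} with per-stage rows and size buckets."""
    stats, section, want_buckets = {}, None, False
    for line in text.splitlines():
        word = line.strip()
        if word in ("Encode:", "Decode:"):
            section = stats.setdefault(word[:-1].lower(), {"stages": {}, "sizes": {}})
            want_buckets = False
        elif section is None:
            continue  # connection header lines before the first section
        elif word == "Message size distribution:":
            want_buckets = True  # the bucket percentages are on the next line
        elif want_buckets:
            section["sizes"] = {b: int(p) for b, p in BUCKET_RE.findall(word)}
            want_buckets = False
        else:
            m = ROW_RE.match(line)
            if m:  # latency lines do not match and are skipped
                section["stages"][m["stage"].strip()] = {
                    "msg": int(m["msg"]),
                    "in_bytes": to_bytes(m["in"], m["in_u"]),
                    "out_bytes": to_bytes(m["out"], m["out_u"]) if m["out"] else None,
                    "ratio": float(m["ratio"]) if m["ratio"] else None,
                }
    return stats


def diagnose(stats, low_ratio=10.0, small_share=90):
    """Classify the encode direction; both thresholds are assumed values."""
    enc = stats["encode"]
    ratio = enc["stages"]["Overall"]["ratio"]  # ratio as reported by the device
    small = enc["sizes"].get("0-1K", 0)        # percent of messages under 1K
    if ratio >= low_ratio:
        verdict = "ok"
    elif small >= small_share:
        verdict = "low compression: small messages"
    else:
        verdict = "low compression: check for compressed or encrypted content"
    return {"verdict": verdict, "encode_ratio": ratio, "small_msg_pct": small}


if __name__ == "__main__":
    for name, sample in (("port 80", HIGH_SAMPLE), ("telnet", LOW_SAMPLE)):
        print(name, diagnose(parse_dre_connection(sample)))
```

The parser reads the ratio the device reports rather than recomputing it from the byte counts, because the counters are rounded in the display.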
Summary
This topic summarizes the key points that were discussed in this lesson.
Summary
Cisco WAAS optimization policy is negotiated amongst
automatically-discovered peers. The applied policy is the least
common denominator of the two configured policies
The Cisco WAE CLI provides granular details about each
connection being handled by a WAE, including applied policy,
buffer utilization, latency, and state
TFO transaction logs provide a history of previously-seen
connections, both optimized and pass-through, with data such as
that provided by the CLI for existing connections
The Cisco WAE CLI provides insight into compression
performance including compression ratios for DRE and persistent
LZ, message distribution sizes, and latency
Low compression is commonly attributed to transactional
application behavior, previously-applied compression or
encryption
Lesson 4
Troubleshooting Application Acceleration
Overview
This lesson explains how to troubleshoot application acceleration capabilities of Cisco Wide
Area Application Services (WAAS), including Common Internet File System (CIFS)
acceleration and print services.
Objectives
Upon completing this lesson, you will be able to describe the process of troubleshooting
application acceleration. This includes being able to meet these objectives:
Overview
This topic provides an overview of the process of troubleshooting application acceleration
issues.
Troubleshooting Workflow
Validate platform liveliness including management services,
examine common issues, and understand system log files
and locations
Validate network interception and automatic discovery to
ensure that traffic is received and handled by the WAEs
within the Cisco WAAS network
Examine WAN optimization features relative to optimized
connections, optimization policy, statistics, and log files and
locations
Examine application acceleration features relative to
optimized sessions, configured policies, features, statistics,
and log files and locations
2007 Cisco Systems, Inc. All rights reserved.
Troubleshooting Workflow
Examine application acceleration features relative to
optimized sessions, configured policies, features, statistics,
and log files and locations.
Verify CIFS acceleration policies and services.
Examine system configuration and directives.
Examine statistics, health indicators, and logs.
Troubleshoot print services.
[Figure: CIFS acceleration components between the Edge WAE and the Core cluster across the WAN. Callouts: WAFS Edge service configured and running; connectivity directive and WAFS transport activity; WAFS Core service configured and running; WAFS Core cluster configured and members defined.]
CIFS acceleration within Cisco WAAS relies on a number of components being correctly
configured:
Wide Area File Services (WAFS) services (CIFS acceleration) on the edge WAE, located
near the user, and core WAE, located near the server, with proper configuration, and core
cluster configuration
CIFS policy and WAFS transport policy within the Central Manager
Having incorrect CIFS acceleration configuration can lead to one of many symptoms,
including:
First, verify that the policies in Central Manager are configured correctly. Two policies are
required to facilitate CIFS acceleration. The first policy, shown above, is the CIFS policy. This
policy should be set to Full Optimization under action and CIFS Adaptor under accelerate.
Ensure that each of the WAEs in question is configured with this policy, or is configured to
explicitly pull its policy from a device group where these policies are configured correctly.
If the CIFS policy is not configured correctly:
Action set to something other than Full Optimization results in traffic not CIFS-accelerated
being handled with a policy other than full optimization
Accelerate set to something other than CIFS Adaptor results in Cisco WAAS not
performing latency mitigation, caching, and other acceleration techniques for a server
In a case where CIFS acceleration is not functioning properly, Cisco WAAS might be
employing only TFO/DRE/LZ for optimization of the CIFS session. This can result in
bandwidth savings, but little to no response time improvement. Cisco WAAS relies on CIFS
acceleration to provide response time improvements.
The policies can be verified from the command line interface (CLI) of each WAE by issuing
the command show run | include CIFS. The resultant output shows any lines in the
running-configuration that include the word CIFS. Verify that the policy is set to optimize full and
accelerate CIFS-adaptor as shown in the figure.
The second policy that is required is for the transmission of data between the WAFS Edge
adaptor and the WAFS Core adaptor. This policy is called the WAFS Transport policy, and
should be configured for full optimization. This policy should not be configured with anything
under Accelerate; instead it should be configured to do not set.
The CLI can also be used to verify that the WAFS transport policy is configured correctly by
examining the running-configuration.
If the WAFS Transport policy is not configured correctly, the system could show that CIFS is
being accelerated, but bandwidth savings are not significant for write operations or read
operations on changed files.
After the policies have been verified, ensure that each of the WAEs is running the appropriate
WAFS service. For the WAE deployed close in proximity to the user, the WAFS Edge service
should be enabled, configured, and running. Verify in the Central Manager that the Edge Server
is enabled and configured either in transparent or non-transparent mode. Further, verify that the
boxes next to the ports enabled are checked. Finally, visit the device GUI to ensure that the
service appears and is started.
If the service is not configured properly (ports to listen on), some connections might be
accelerated (those on the ports that are configured), and some might not be (those on the ports
that are not configured).
If the service is not enabled, CIFS connections can not be accelerated, and the only
optimization applied is based on the policy configured for CIFS less the CIFS-adaptor policy
(only DRE, TFO, and LZ are applied if set to optimize-full). The WAFS Edge service can not
be verified via the CLI.
Verify that a WAFS Core Cluster is defined. The WAFS Core Cluster configuration includes:
File server access credentials: These fields are required only if using prepositioning
capabilities for a particular server. For interactive user access, credentials do not need to be
configured
WAFS Core WAE members: Any WAE that should be a member of this WAFS core
cluster should be configured as a member.
If no members are present in the WAFS core cluster, any WAFS Edge WAEs assigned to the
cluster via a connectivity directive do not have a peer to connect to. This results in CIFS
connections being optimized by DRE/TFO/LZ only, based on the configured policy.
If no WAFS Core Cluster is configured, a connectivity directive can not be configured, and as
such, CIFS connections are optimized by DRE/TFO/LZ only, based on the configured policy.
Verify that each of the WAEs is running the appropriate WAFS service. For the WAE deployed
close in proximity to the server, the WAFS Core service should be enabled, configured, and
running. Verify in the Central Manager that the Core Server is enabled and configured and that
the WAE is assigned to a configured Core Cluster. Finally, visit the device GUI to ensure that
the service appears and is started.
If the service is not configured or running, WAFS Edge WAEs do not consider this node a peer
to connect to. Any CIFS acceleration that occurs happens with an alternate node in the cluster.
If no WAFS Core WAEs are configured, all CIFS connections will be accelerated by
DRE/TFO/LZ only, based on the configured policy.
The WAFS Core service can not be verified via the CLI.
After the WAFS Core service is configured and operational on a Core WAE, test connectivity
from the location where the Edge WAE is deployed. If a connection can be established to the
Core WAE on TCP port 4050, then the WAFS Core service is running, network connectivity is
present, and nothing in the network is blocking packets to this port.
If a connection can not be established, verify network connectivity, service state, and ensure
that nothing in the network is preventing a connection from being established on TCP port
4050.
The connectivity directive is a required component for CIFS acceleration. This component
establishes a long-lived connection between the WAFS Edge WAE and the WAFS Core WAE
on TCP port 4050 that is used for CIFS acceleration. This connection is not used for any other
traffic.
Verify that the connectivity directive is configured properly:
The correct edge devices or groups are assigned to the connectivity directive.
File servers that are configured as part of a preposition directive or for disconnected mode
of operation are explicitly configured.
If the wrong core cluster is listed, WAFS Edge WAEs might connect to the wrong set of WAEs
based on the currently-configured core cluster. This can lead to erratic network traffic patterns.
Within the connectivity directive, ensure that file servers participating in a preposition job or
otherwise configured for disconnected mode are explicitly listed. Only file servers that meet
these criteria need to be explicitly configured. If a file server is not configured, Cisco WAAS
attempts to discover the file server automatically based on interactive user access and user
requests. If a file server is configured, verify that the box in the Exported column is checked. If
this box is not checked, even if Cisco WAAS is operating in transparent acceleration mode, no
acceleration will be applied for CIFS connections to that server.
Verify that each of the edge WAEs that should connect to the defined core cluster is assigned
to the connectivity directive. If a connectivity directive is not defined, or an edge-core pair is
not configured, the WAEs are not able to perform CIFS acceleration. Instead, only DRE/TFO/LZ
optimization is applied, based on the configured policy.
Verify that WAN bandwidth parameters are also set correctly. The WAEs use these values to
calculate the bandwidth delay product (BDP) of the network and open a variable number of
connections based on the network BDP. The bandwidth setting also helps to throttle the amount
of physical WAN bandwidth that can be consumed by the long-lived connection between the
edge-core WAEs. The edge-core connection is throttled to a maximum of 150 percent of the
configured bandwidth value. This throttling also applies to preposition jobs that use the edge-core pair.
[Figure: output of show tfo connection summary]
Remote-IP:Port   ConId   PeerId              Policy
2.2.2.2:4050     7361    00:14:5e:41:eb:78   F,F,F,F
2.2.2.2:4050     7362    00:14:5e:41:eb:78   F,F,F,F
2.2.2.2:4050     7364    00:14:5e:41:eb:78   F,F,F,F

Pass-Through Connections
Local-IP:Port    Remote-IP:Port   Conn Type
1.1.1.2:48361    2.2.2.2:4050     App Dyn Mtch Optimized
After verifying service configuration and connectivity directive configuration, verify that the
long-lived connections on TCP-4050 are established between the edge-core pairs. This can be
accomplished by using the command show tfo connection summary. The output of this
command should show a number of connections established between edge-core pairs. One
connection always appears as pass-through, because this connection is used for high-priority
control messages where compression serves only to slow the message exchange down.
If these connections do not appear, check the service on each of the WAEs, along with the
service configuration, core cluster, and connectivity directive. If the configuration is correct,
and these connections still do not appear, verify network connectivity and ensure that nothing is
blocking use of TCP port 4050. As a last resort, try restarting the WAFS Edge and WAFS Core
services, followed by clearing the data redundancy elimination (DRE) cache, which restarts the
TCP proxy.
               Server             Entry type
               ------             ----------
any-client:0   10.10.10.100:139   accept
any-client:0   10.10.10.100:445   accept
The WAE CLI includes a command that allows the administrator to view which file servers are
being CIFS accelerated. The output of this command lists any servers that are statically defined
and included in a connectivity directive that is applied to the local WAE, and also any file
servers that have been automatically discovered during interactive user access. This command
only produces these results on a WAE that is running the WAFS Edge service. A WAE that is
only running the WAFS Core service, or neither service, will not return any entries.
If the list is empty, a service is not configured or is not configured properly, a connectivity
directive is not in place, or the long-lived CIFS acceleration connection could not be established
between the edge-core WAEs.
Cisco WAAS does not accelerate any CIFS session that was established before CIFS
acceleration was configured, or before interception of packets began.
This is by design, and performed as a safety measure to ensure that cached contents are not
served to unauthorized users. This is also done to ensure that optimizations are not employed
on a connection when it is not safe to employ optimization. Cisco WAAS dynamically adjusts
the level of optimization employed based on data seen within the connection between the client
and the server. If the WAE has no visibility to this data, as is the case when the connection
existed before CIFS acceleration was configured or before interception was configured, Cisco
WAAS does not understand the state of the session and thus cannot perform any acceleration.
To have CIFS acceleration applied to a connection that existed before CIFS acceleration was
configured or interception was enabled, the session must be broken and re-established.
The Microsoft Management Console (MMC) snap-in, or Computer Management, can be used to
examine the sessions that exist on a file server or on a PC. If the data in the Computer field
shows the IP address of the Core WAE, the session is being accelerated by Cisco WAAS. If the
data in the Computer field shows anything other than the IP address of the Core WAE, one of
the following situations is possible:
- The session is being accelerated by WAAS, but the Core WAE is using CIFS over
  NetBIOS to connect to the file server.
If the situation being encountered is the last one in the list, the operations found in the Edge
WAE expert mode can be used to determine if the user is being CIFS-accelerated.
The net command can be used for a variety of purposes, including establishing CIFS sessions
and drive mappings to a server. The net view command displays a list of devices in the local
network, based on the browse list. This command can be used against a server to display the list
of shared resources that are available on that particular server.
The net use command allows for management of sessions. Using this command, the user can
establish a session to another PC, map a drive on another PC, or delete an existing session.
If you are unable to view a list of servers with shared resources, verify network connectivity
and ensure that the servers are configured properly. If you are unable to view the shared
resources on a particular server, verify network connectivity, server configuration, security
settings, as well as the credentials being supplied.
Note
If credentials are not supplied while using a net use command, the credentials of the
logged-in user are used. If the logged-in user has no privileges on the server, the net use
command can be used to establish a session to the server using alternate credentials.
Share name   Type   Used as   Comment
------------------------------------------------------------------------------
Address      Disk
backup       Disk
NETLOGON     Disk
SERVER.LOG   Disk
share        Disk
SYSVOL       Disk
The figure shows an example of using the net view command to view the list of shared
resources available on a server. The net use command can then be used to map a drive to a
shared resource.
Some operating systems, such as Microsoft Windows Server 2003 with Service Pack 1, are
configured, by default, to use digital signatures for Server Message Block (SMB)
communications. Digital signatures are a security feature included with Windows that
helps to validate that a received message actually came from the sender, preventing
man-in-the-middle attacks. Cisco WAAS will, by default, override digital signature message markings
if digital signatures are set to optional, but not required. If digital signatures are set to required,
Cisco WAAS cannot employ CIFS acceleration capabilities against that particular server.
Using CIFS acceleration with such a server requires that digital signatures be set to optional or
disabled. Any server configured with digital signatures can still be optimized with
DRE/TFO/LZ, based on the configured CIFS policy.
The Cisco WAE expert mode is a hidden interface that can be used to verify which clients are
being CIFS accelerated. The expert mode is not a documented interface and should only be
used when working with documented parameters, such as those found in this training, or when
working with Cisco support personnel.
Note
Care should be taken when using expert mode, as its contents directly impact services
running on the WAE.
Rx is displayed in the table of contents when you are on a WAE configured with the WAFS
Edge service. Tx is displayed in the table of contents when you are on a WAE configured
with the WAFS Core service. Verifying clients that are CIFS accelerated must be done from
a WAFS Edge WAE, and cannot be done from a WAFS Core WAE.
You can also click the Operations tab, followed by the Invoke button next to queryAll, to
display a list of sessions that are being CIFS accelerated by this WAFS Edge WAE.
The WAFS Edge WAE expert mode can also display the files that are being CIFS accelerated.
Navigate to Rx > CifsFileSystemDB.
Under the Operations tab, click the Invoke button next to query. This returns a list that includes
the server name, path, and file name of all files that are open with CIFS acceleration being
applied to them. The optimization level describes the level of optimization being applied to the
file; a higher number indicates a broader set of optimizations are being applied. The remainder
of data within each entry lists information relevant to the session, the user, and flags set within
the session.
[Figure: output of show disks details]
76324MB( 74.5GB)
76324MB( 74.5GB)
TYPE     STATUS             PHYSICAL DEVICES AND STATUS
RAID-1   NORMAL OPERATION   disk00/00[GOOD]  disk01/00[GOOD]
RAID-1   NORMAL OPERATION   disk00/01[GOOD]  disk01/01[GOOD]
RAID-1   NORMAL OPERATION   disk00/02[GOOD]  disk01/02[GOOD]
RAID-1   NORMAL OPERATION   disk00/03[GOOD]  disk01/03[GOOD]
RAID-1   REBUILDING         disk00/04[GOOD]  disk01/04[GOOD]
RAID-1   REBUILDING         disk00/05[GOOD]  disk01/05[GOOD]
RAID-1   REBUILDING         disk00/06[GOOD]  disk01/06[GOOD]
EDGE1#
The first system health indicator to examine when troubleshooting system problems,
particularly those related to acceleration, is the health of the disks in the WAE. The output of
the show disks details command shows whether the installed disks are recognized and whether
the redundant array of inexpensive disks (RAID) devices (software RAID-1) are healthy.
If a disk fails to appear, or appears failed, the drive might require replacement.
The show disks failed-sectors and show disks SMART-info commands allow you to examine
additional data about the disks, including a report that displays any failed sectors found on the
disk, and the results of the disk self-assessment. If the SMART test results fail, the drive
requires replacement.
The CIFS acceleration service log (also referred to as the WAFS Edge service log and WAFS
Core service log) can be found in the /local1/logs/actona directory on the WAE's file system.
This log file (RxLogging.log for the WAFS Edge service and TxLogging.log for the WAFS
Core service) contains logging, reporting, and error data for the service. Logged events
include service starts and stops, configuration changes, and error conditions. These
logs are helpful when trying to isolate problematic situations with CIFS acceleration.
EDGE1# cd logs/actona
EDGE1# type-tail RxLogging.log 10
[2005-09-20 14:33:07,281][ INFO] - The connection of session:
[SessionImpl: id=1551958072, clusterId=13, clusterName=ast6-fe05,
inetAddress=/10.88.80.15, port=4050, initiator=true, state=3] has been
lost.
[2005-09-20 14:33:27,562][ INFO] - Unable to reconnect session to
[SessionImpl: id=1551958072, clusterId=13, clusterName=ast6-fe05,
inetAddress=/10.88.80.15, port=4050, initiator=true, state=3].
[2005-09-20 14:33:27,569][ INFO] - The session: [SessionImpl:
id=1551958072, clusterId=13, clusterName=ast6-fe05,
inetAddress=/10.88.80.15, port=4050, initiator=true, state=-1] has been
closed.
EDGE1#
The same log file also displays events related to the connections established between edge and
core WAEs. As shown in the figure, the connections established between WAEs are logged in
this log file. Session close events are also logged in this log file.
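The session events in the RxLogging.log excerpt above can be extracted with a short script. The following is an added example, not part of the course material or of Cisco WAAS: it rejoins the wrapped records, reads the SessionImpl fields, and lists the events per edge-core peer. The function names and the event labels (lost, reconnect_failed, closed) are assumptions made for the example.

```python
import re
from collections import defaultdict

# Sample input: the three records from the excerpt above, wrapped as printed.
SAMPLE_LOG = """\
[2005-09-20 14:33:07,281][ INFO] - The connection of session:
[SessionImpl: id=1551958072, clusterId=13, clusterName=ast6-fe05,
inetAddress=/10.88.80.15, port=4050, initiator=true, state=3] has been
lost.
[2005-09-20 14:33:27,562][ INFO] - Unable to reconnect session to
[SessionImpl: id=1551958072, clusterId=13, clusterName=ast6-fe05,
inetAddress=/10.88.80.15, port=4050, initiator=true, state=3].
[2005-09-20 14:33:27,569][ INFO] - The session: [SessionImpl:
id=1551958072, clusterId=13, clusterName=ast6-fe05,
inetAddress=/10.88.80.15, port=4050, initiator=true, state=-1] has been
closed.
"""

# A record starts with "[timestamp][LEVEL] - "; any other line continues it.
RECORD_START = re.compile(
    r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\]\[\s*(\w+)\s*\]\s*-\s*(.*)$")
SESSION = re.compile(r"\[SessionImpl:\s*([^\]]*)\]")
# Event labels are names chosen for this example, keyed on the message text.
EVENTS = (
    ("lost", re.compile(r"connection of session:.*has been lost")),
    ("reconnect_failed", re.compile(r"Unable to reconnect session")),
    ("closed", re.compile(r"The session:.*has been closed")),
)
REQUIRED = {"inetAddress", "port", "state"}


def join_records(text):
    """Rejoin wrapped lines into (timestamp, level, message) records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        start = RECORD_START.match(line)
        if start:
            records.append([start.group(1), start.group(2), start.group(3)])
        elif records:  # continuation of the previous record
            records[-1][2] += " " + line
    return [tuple(r) for r in records]


def parse_session(message):
    """Return the key=value fields of the SessionImpl block, or {}."""
    found = SESSION.search(message)
    if not found:
        return {}
    pairs = (p.strip().split("=", 1) for p in found.group(1).split(",") if "=" in p)
    fields = dict(pairs)
    fields["inetAddress"] = fields.get("inetAddress", "").lstrip("/")
    return fields


def session_events(text):
    """Map (peer address, port) to the ordered events seen for that peer."""
    by_peer = defaultdict(list)
    for timestamp, _level, message in join_records(text):
        event = next((name for name, rx in EVENTS if rx.search(message)), None)
        session = parse_session(message)
        if event and REQUIRED <= session.keys():
            peer = (session["inetAddress"], int(session["port"]))
            by_peer[peer].append((timestamp, event, int(session["state"])))
    return dict(by_peer)


if __name__ == "__main__":
    for peer, events in session_events(SAMPLE_LOG).items():
        print(peer, events)
```

A peer whose last event is reconnect_failed or closed is a candidate for the TCP port 4050 connectivity checks described earlier in this lesson.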
[Figure: print services on the Edge WAE. Labels: Printer, Drivers, JOB, WAN, FILE.DOC, Edge, WAFS Edge service configured and running]
Using print services on Cisco WAAS requires that a number of items be properly configured:
- WAFS Edge service must be configured on the WAE that is acting as a print server.
- Drivers should be distributed to the WAE print server from the Central Manager (optional).
Print services requires that the WAFS Edge service be running on the WAE. First, verify that
the service is configured and running by visiting the appropriate pages in the Central Manager
as well as the device GUI. Next, navigate to and verify that the checkbox next to is checked.
The WAE CLI can also be used to verify that print services are running by executing the show
print-services process command. The output of this command, which is also discussed in the
next section, shows the status of the print server, status of the print spooler, status of the print
scheduler, default print queue, configured print queues, and the state of each of the print
queues.
by the manufacturer
scheduler is running
system default destination: HP_Laserjet_500
device for HP_Laserjet_4000: socket://laserjet4000:9100
device for HP_Laserjet_500: socket://laserjet500:9100
HP_Laserjet_4000 accepting requests
HP_Laserjet_500 accepting requests
printer HP_Laserjet_4000 is idle. enabled
printer HP_Laserjet_500 is idle. enabled
By clicking the open link on the print services page in the device GUI (WAFS Edge >
Configuration > Print Services), you can configure and manage all print queues, print queue
clusters, and jobs. Validate that each configured print queue is idle and accepting jobs, or
otherwise in use, and that the device Universal Resource Identifiers (URIs) are correct. In many
cases, telnet can be used to establish a connection to the device on the specified URI port to
validate that network connectivity between the print server WAE and the printer is available.
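The TCP port 4050 check between Edge and Core WAEs described earlier in this lesson, and the printer URI port check above, can be scripted instead of using telnet. The following is an added example, not part of the course material: it reads the device URIs from the print services status lines and reports whether each port is open, refused, or silently dropped. The function names, the outcome labels, and the host name core-wae.example.net are assumptions made for the example.

```python
import errno
import re
import socket
from urllib.parse import urlsplit

WAFS_PORT = 4050  # edge-core CIFS acceleration port named on this page

# Sample input: the "device for" lines from the print services status above.
SAMPLE_STATUS = """\
device for HP_Laserjet_4000: socket://laserjet4000:9100
device for HP_Laserjet_500: socket://laserjet500:9100
"""
DEVICE_LINE = re.compile(r"^device for (\S+):\s+(\S+)$")

# Outcome labels (chosen for this example) and what each one points to.
HINTS = {
    "open": "service is listening and nothing on the path blocks the port",
    "refused": "connection reset: service stopped, or a device rejects the port",
    "timeout": "no answer: packets are dropped (ACL, firewall) or host is down",
    "unresolved": "host name does not resolve: check DNS or the configured name",
    "unreachable": "no route to the host: check routing and interfaces",
    "error": "unexpected socket error: inspect the exception text",
}


def printer_targets(status_text):
    """Return [(queue, host, port)] for every socket:// device URI."""
    targets = []
    for line in status_text.splitlines():
        found = DEVICE_LINE.match(line.strip())
        if not found:
            continue
        uri = urlsplit(found.group(2))
        if uri.scheme == "socket" and uri.hostname and uri.port:
            targets.append((found.group(1), uri.hostname, uri.port))
    return targets


def classify(error):
    """Map the result of a connect attempt (None on success) to a label."""
    if error is None:
        return "open"
    if isinstance(error, ConnectionRefusedError):
        return "refused"
    if isinstance(error, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(error, socket.gaierror):
        return "unresolved"
    if isinstance(error, OSError) and error.errno in (
            errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"
    return "error"


def probe(host, port, timeout=3.0):
    """Attempt one TCP connection and return the outcome label."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:
        return classify(exc)


if __name__ == "__main__":
    # core-wae.example.net is a placeholder for the Core WAE address.
    targets = [("WAFS Core", "core-wae.example.net", WAFS_PORT)]
    targets += printer_targets(SAMPLE_STATUS)
    for name, host, port in targets:
        outcome = probe(host, port)
        print("%-18s %s:%d  %s (%s)" % (name, host, port, outcome, HINTS[outcome]))
```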
To verify that the appropriate drivers are copied to a WAE print server, first validate that the
WAAS Central Manager is configured as a print driver repository and that the appropriate
drivers are uploaded to the CM.
After the WAAS Central Manager print driver repository and drivers have been verified, verify
network connectivity from a device adjacent to the print server WAE to the Central Manager by
using FTP. The Central Manager, while configured as a print driver repository, runs an FTP
service locally that accepts anonymous connections. When connected to the Central Manager
via FTP, the file system structure shows a variety of directories, including logs, printers, and
System32. The printers directory contains files for any drivers that have been uploaded to the
Central Manager WAE.
Note
Viewing files in the directories requires use of the dir command, or ls -la, as opposed to the
ls command. The ls command reports that directories are empty.
If you are unable to FTP to the Central Manager, then the print driver repository is not enabled,
or network connectivity is unavailable. Otherwise, FTP might be blocked by an access-list or
firewall policy in the network.
Printer queues appear as shared resources when using the net view command against a print
server WAE. Because the WAE uses guest printing, any user is able to connect to the WAE and
attach to one of the print queues. The net use command can be used to map a shared printer,
similar to how a shared drive is mapped.
To examine printer queues using Windows Explorer, go to Start > Run and type in the
Universal Naming Convention (UNC) path to the WAE (that is, \\WAE1).
If net view, net use, or Windows Explorer fail to show the printer queues, verify that the
services are properly configured and running, and that the printer queues are defined. Also,
verify that the print-services enable command, as well as the print-services guest-print
enable commands appear in the running configuration.
Each Cisco WAE that is configured as a print server also maintains two logs for print services:
the Samba log and the Common Unix Printing System (CUPS) log.
The samba.log file found in /local1/errorlog provides useful debugging information related to
the Samba print process.
The CUPS log provides insight into the jobs that have been received and processed by the print
server WAE. This log also helps to highlight any issues associated with connecting to a
particular printer, which could be helpful in identifying network connectivity issues or device
URI configuration issues.
The CUPS log can also be found in the /local1/errorlog directory under the file name
cups_error_log. Any entries that begin with an I are merely informational, whereas entries
that begin with an E are errors that have been identified.
Summary
This topic summarizes the key points that were discussed in this lesson.
- CIFS acceleration services are configured and operational on
  the WAFS Edge WAEs and WAFS Core Clusters.
- Correct policies are defined in Central Manager and propagated
  to each WAE for the CIFS protocol and WAFS transport
  protocol.
- WAE expert mode provides a detailed view of which clients are
  accelerated and which files are open through the accelerated
  CIFS connections.
- Service logs provide insight into issues with CIFS acceleration
  services and connectivity between WAEs.
- SAMBA and CUPS print service logs on the WAFS Edge server
  provide detailed data about job management and printer
  connectivity.
Module Summary
This topic summarizes the key points that were discussed in this module.
- The first step in troubleshooting Cisco WAAS is to validate
  platform liveliness, including management services, examine
  common issues, and understand system log files and locations.
- Network interception configuration should be examined to
  ensure that traffic is being correctly redirected for both
  directions of traffic flow.
- Troubleshooting automatic discovery involves the WAE CLI as
  well as packet capture tools.
- Troubleshooting optimization issues involves examination of
  networking aspects as well as configured policy for devices in
  the network path of the connection.
- Troubleshooting acceleration services, such as CIFS and print,
  involves examination of service configuration, directives, and
  health indicators, as well as information that can be examined
  from the WAE CLI and the server.
2007 Cisco Systems, Inc. All rights reserved.
This module described how to troubleshoot Cisco Wide Area Application Services
installations, including platform and network connectivity issues, network interception issues,
WAN optimization issues, and application acceleration issues.
Module Self-Check
Use the questions here to review what you learned in this module. The correct answers and
solutions are found in the Module Self-Check Answer Key.
Q1) Which common issue can cause poor performance when the system seems to be
operating correctly? (Source: Common Issues)
A) Network interception
B) Configured policy
C) Central Manager
D) Duplex
Q2) Which common issue can lead to TCP connections becoming blackholed? (Source:
Common Issues)
A) Network interception
B) Configured policy
C) Central Manager
D) Duplex
Q3)
A) show NME-WAE
B) show hardware
C) show portcard
D) show system
Q4) Which command shows the status of the CMS services on a WAE? (Source:
Troubleshooting Cisco WAAS Management Services)
A) show management
B) show central manager
C) show lcm
D) show cms info
Q5) Which of the following is included in the WAE system report? (Source: Cisco WAE
Reporting Facilities)
A) Device configuration
B) Log files
C) Service logs
D) Platform data
E) All of the above
Q6) Which is the root directory for all management and log files? (Source: Cisco WAE
Reporting Facilities)
A) /mgmt
B) /local
C) /local1
D) /local1/mgmt
Q7) Which command shows the number of WCCP packets received that are GRE
encapsulated? (Source: Troubleshooting WCCPv2 Interception)
A)
B)
C)
D)
Q8) Which PBR component defines the type of traffic that should be routed via the
route map? (Source: Troubleshooting PBR Interception)
A) route map
B) access list
C) next hop
D) source address
Q9) With inline interception, what will the show cdp neighbors command on one of the two
adjacent devices show? (Source: Troubleshooting Inline Interception)
A)
B)
C)
D)
Q10) With ACE, which command provides a summary view of the rservers and their
operational state within a serverfarm? (Source: Troubleshooting ACE Interception)
A) show rserver
B) show serverfarm
C) show detail rservers
D) show summary serverfarm
Q11) Which two of the following tools can be used on the WAE to capture packets for the
purposes of troubleshooting issues such as automatic discovery? (Choose 2.) (Source:
Troubleshooting Automatic Discovery)
A) Ifdump
B) tethereal
C) tcpdump
D) capture-tool
Q12) With automatic discovery, if one WAE is configured for FULL_OPTIMIZE and the
other is configured for TCP_OPTIMIZE, what policy will be negotiated? (Source:
Configured and Applied Policies)
A) TCP_OPTIMIZE
B) TCP_OPTIMIZE + LZ
C) TCP_OPTIMIZE + DRE + LZ
D) PASS_THROUGH
Q13) With TFO accelerator status, what does a handling level of zero indicate? (Source:
Configured and Applied Policies)
A)
B)
C)
D)
Q14) When viewing an optimized connection in the WAE CLI, what optimization feature
will cause the encode and decode values to change? (Source: Examining Optimized
Connections)
A) TFO
B) LZ
C) DRE
D) None
Q15) When examining a TFO transaction log, what does the string BP indicate about a
connection? (Source: TFO Transaction Logs)
A)
B)
C)
D)
E)
Q16) What command is used to examine the DRE disk and memory capacity and utilization?
(Source: Compression Statistics)
A)
B)
C)
D)
Q17) Which policy is responsible for routing traffic to the CIFS accelerator? (Source: CIFS
Acceleration Policies and Services)
A) WAFS
B) CIFS
C) WAFS Transport
D) TCP139
Q18) Which policy is responsible for WAN optimizing a cache miss when working with a
CIFS file server? (Source: CIFS Acceleration Policies and Services)
A) WAFS
B) CIFS
C) WAFS Transport
D) TCP445
Q19) What command shows the list of CIFS-accelerated servers in the WAE CLI? (Source:
CIFS Configuration and Directives)
A) show bypass-list
B) show cifs servers
C) show bypass-cifs
D) show servers cifs
Q20) What industry-standard utility can be used to verify that drivers exist in the Central
Manager printer driver repository? (Source: Print Services Troubleshooting)
A) TCP
B) FTP
C) DNS
D) WINS
Module Self-Check Answer Key
Q1)
Q2)
Q3)
Q4)
Q5)
Q6)
Q7)
Q8)
Q9)
Q10)
Q11) B,C
Q12)
Q13)
Q14)
Q15)
Q16)
Q17)
Q18)
Q19)
Q20)