
Table of Contents

Volume 2
Implementation, Integration, and Management
Overview
Module Objectives

Installing and Configuring the WAE


Overview
Objectives
Initial Central Manager Configuration
Initial Accelerator Appliance Configuration
Initial Accelerator Network Module Configuration
Configuring WAE Interfaces
Commonly Used CLI Commands
The WAE Device GUI
Summary

Configuring Traffic Interception


Overview
Objectives
Configuring Inline Interception
Configuring WCCPv2
Configuring PBR
Configuring ACE for Interception
Summary


Cisco WAAS Central Management


Overview
Objectives
Introduction to Cisco WAAS Central Manager
Activating WAEs
Configuring Device Groups
Managing and Monitoring WAEs
Configuring Role-Based Access Control
Managing Software Distribution and Upgrade
Configuring High Availability
System Settings and Device Recovery
Summary

Configuring Application Traffic Policies


Overview
Objectives
Using Application Traffic Policies
Default Policies
Creating Application Definitions
Managing Policies
EPM Traffic Parameter
Configuring Adaptor Policies
Monitoring Optimizations
Summary

Configuring Application Acceleration


Overview
Objectives
Configuring CIFS Acceleration
CIFS Servers
Disconnected Mode of Operations
Using Prepositioning
Configuring Print Services
Distributing Printer Drivers
Summary


Module Summary
Module Self-Check
Module Self-Check Answer Key


Troubleshooting Cisco WAAS


Overview
Module Objectives


Introduction to Troubleshooting
Overview
Objectives
Troubleshooting Workflow
Common Issues
Platform Liveliness and Connectivity
Troubleshooting Management Services
Reporting Facilities
Summary

Troubleshooting Network Interception


Overview
Objectives
Overview
Troubleshooting WCCPv2 Interception
Troubleshooting PBR Interception
Troubleshooting Inline Interception
Troubleshooting ACE Interception
Troubleshooting Automatic Discovery
Summary


Troubleshooting WAN Optimization


Overview
Objectives
Overview
Configured and Applied Policies
Examining Optimized Connections
TFO Transaction Logs
Compression Statistics
Summary


Troubleshooting Application Acceleration


Overview
Objectives
Overview
CIFS Acceleration Policies and Services
CIFS Configuration and Directives
Validating Client Connectivity
Statistics, Health Indicators, and Logs
Troubleshooting Print Services
Summary
Module Summary
Module Self-Check
Module Self-Check Answer Key


Cisco Wide Area Application Services Technical Training (WAAS) v4.0.7

2007 Cisco Systems, Inc.

Module 3

Implementation, Integration, and Management
Overview
This module describes the process used to implement and integrate Cisco Wide Area
Application Services (WAAS) into the network, and also configure the Cisco WAAS solution
for application acceleration and WAN optimization. This module also examines how to manage
Cisco Wide Area Application Engines (WAEs) running Cisco WAAS.

Module Objectives
Upon completing this module, you will be able to describe Cisco WAAS implementation,
integration, and management. This includes being able to meet these objectives:

Describe the WAE installation and configuration process

Explain how to configure traffic interception using physical inline deployment, WCCPv2,
PBR, and ACE

Explain how the WAAS Central Manager is used to centrally configure, manage, and
monitor a topology of WAE devices

Explain how to configure application traffic policies

Explain how to configure file and print services acceleration


Lesson 1

Installing and Configuring the WAE
Overview
This lesson explains how to initially configure the WAE appliance and router-integrated
network module devices with the appropriate device mode. This lesson also explains how to
deploy Cisco WAAS within the network.

Objectives
Upon completing this lesson, you will be able to describe the WAE installation and
configuration process. This includes being able to meet these objectives:

Explain how to perform the initial installation of WAE appliance providing Central
Manager functionality

Explain how to perform the initial installation of WAE appliances configured as
accelerators

Explain how to perform the initial installation of WAE network modules configured as
accelerators

Explain how to configure the network interfaces on the WAE

Identify commonly used CLI commands

Describe the key features of the Cisco WAE device GUI

Initial Central Manager Configuration


This topic explains the process of initially configuring a Central Manager (CM) WAE
appliance using the CLI setup script.

Initialize Central Manager


The WAE that is to host Central Manager as the primary
node should be deployed first, using the following
sequence:
1. Complete the CLI setup script.
2. Assign a primary interface.
3. Specify device mode as Central Manager.
4. Save the device configuration and reload.
5. Enable Central Manager Services.
6. Save the configuration.


The first WAE that should be installed is the Central Manager. The Central Manager WAE can
be initialized using the CLI setup script, which is accessible with a serial connection to the
WAE. Connect a serial cable to the WAE and configure your terminal application to 9600
baud, no parity, 8 data bits, 1 stop bit, no flow control (hardware or software), and then turn on
the WAE.
After the WAE loads, a setup script is presented for initial device configuration. To revisit the
setup script at any time, execute the setup command from the CLI prompt.
After the device is configured with the setup script, specify the primary interface and device
mode, and then save the configuration and reload the WAE. After the WAE has rebooted,
specify the Central Manager role, enable Central Management Services (CMS), and save the
configuration again. After CMS is enabled, other WAEs are able to register against the CM.
Note: Cisco WAAS deployments require that a Central Manager be deployed.

WAE Setup Script


WARNING: Changing any of the network settings from a
telnet session may render the device inaccessible on
the network. Therefore it is suggested that you have
access to the console before modifying the network settings.
Please choose an interface to configure from the following list:
1: GigabitEthernet 1/0
2: GigabitEthernet 2/0
Enter choice: 1
Do you want to configure speed and duplex mode of this interface (y/n) [y]:
Please enter the speed of this interface (10/100/1000) [100]:
Please enter duplex mode (half/full) [full]:
Do you want to enable DHCP on this interface (y/n) [n]:
Please enter the IP address of this interface [10.10.10.10]:
Please enter the netmask of this interface [255.255.255.0]:

Full duplex is required for proper operation unless using Gigabit.

The first part of the setup script is shown in the figure. This portion of the setup script allows
you to configure the following:

Network interface speed and duplex

Network interface IP address and subnet mask

Full duplex is required to ensure proper operation and performance. If a system operates in
half-duplex mode, an alert is sent to the CM. GigabitEthernet forces the interface into
autonegotiate, because half-duplex is not possible with GigabitEthernet. For GigabitEthernet
configurations, be sure to leave the interface set to autosense; otherwise, set the interface to full.


WAE Setup Script (Cont.)


Please enter the default gateway [10.10.10.1]:
Please enter the domain name server ip [10.10.10.100]:
Please enter the domain name [cisco.com]:

Based on the input, the following CLIs will be configured:


interface GigabitEthernet 1/0
ip address 10.10.10.10 255.255.255.0
no autosense
bandwidth 100
full-duplex
exit
ip default-gateway 10.10.10.1
ip name-server 10.10.10.100
ip domain-name cisco.com
hostname waas-cm

Do you want to apply the configurations (y/n) [y]: y

This designation applies the configuration defined in the setup script.

The second part of the setup script is shown in the figure. This portion allows you to configure
the following:

Default gateway

Domain Name Server (DNS) server IP address

Domain name

This portion also allows you to save and apply the configuration.


Initialize Central Manager


waas-cm#conf t
waas-cm(config)#
waas-cm(config)#primary-interface gigabitEthernet 1/0
waas-cm(config)#device mode central-manager
The new configuration will take effect after a reload

The device mode must be specified on each WAE in the deployment before a device can be used.

The primary-interface is the interface that is used for management traffic and must be
defined on all WAEs in the deployment.

After the network parameters have been configured, specify the primary interface of the WAE.
This is the interface that the WAE uses for management traffic.
Next, configure the device mode. Two device modes exist in WAAS:

Central Manager: This WAE should act as a Central Manager in the WAAS network.

Application accelerator: This WAE should optimize or accelerate application traffic in
the WAAS network.

The device mode is configured via the device mode command under global configuration
mode. Be sure to save the running configuration using the copy run start command after
making the configuration changes.


Initialize Central Manager (Cont.)


waas-cm(config)#exit
waas-cm#copy run start
waas-cm#reload
Proceed with reload?[confirm]y
Shutting down all services, will timeout in 15 minutes.
Restarting system.

copy run start: This command saves the WAE running configuration to a startup
configuration. This configuration is preserved through a disruption or a reboot situation.

reload: This command reboots the WAE device.

Use the copy run start command to save the running configuration to memory. The saved
configuration is persistent and is applied the next time the WAE is reloaded. The reload
command is used to reset the WAE. A WAE reload typically takes approximately 3 minutes.
With a console attached to the WAE, you can also specify the power-on and power-off
behavior of the WAE to ensure that the system boots as long as there is power in the outlet.


Initialize Central Manager (Cont.)


waas-cm#conf t
waas-cm(config)#central-manager role primary
waas-cm(config)#cms enable
Generating new RPC certificate/key pair
Restarting RPC services
Creating database backup file emerg-debug-db-01-25-2006-1531.dump
Registering Wide Area Application Services Central Manager...
Registration complete.

central-manager role primary: This command specifies that this Central Manager WAE
should be the primary Central Manager.

cms enable: This command enables the Central Manager on this WAE and generates the RPC
certificate key pairs to be used by this Central Manager (and the devices registered
to it) to ensure secure communications.

After the Central Manager WAE has reloaded, use the config term command to return to
global configuration mode, and then specify the Central Manager role as primary. Note that for
a standby CM, you specify the CM role as standby. After the Central Manager role has been
defined, enable CMS by issuing the cms enable command.


Initialize Central Manager (Cont.)


Please preserve running configuration using 'copy running-config
startup-config'. Otherwise management service will not
be started on reload and node will be shown 'offline' in Wide
Area Central Manager UI.
management services enabled
waas-cm(config)#exit
waas-cm#copy run start
waas-cm#

At this point, WAEs are able to register against the Central Manager WAE. Be sure to save the
configuration of the Central Manager WAE.


Initial Accelerator Appliance Configuration


This topic explains the process of initially configuring WAE appliances configured as
accelerators within the Cisco WAAS network.

Initialize Application Accelerators


The WAE appliances that participate in the network as
application accelerators should be brought online after
Central Manager, and then registered with Central
Manager, using the following sequence:
1. Complete the CLI setup script.
2. Assign a primary interface.
3. Specify the device mode.
4. Specify the Central Manager IP or hostname.
5. Enable CMS.
6. Save the configuration.


Initial setup tasks for application accelerator WAE appliances are similar to the Central
Manager WAE with the exception that a reload is not required during configuration.
Configuring an application accelerator requires the following:
Step 1: Complete the CLI setup script.
Step 2: Configure a primary interface.
Step 3: Configure the application-accelerator device mode.
Step 4: Specify the Central Manager IP or hostname.
Step 5: Enable CMS.
Step 6: Save the configuration.


Initialize Application Accelerators (Cont.)


Note: This step assumes the setup script has been successfully
completed.
waas-core#conf t
waas-core(config)#primary-interface gigabitEthernet 1/0
waas-core(config)#device mode application-accelerator

device mode application-accelerator: This command specifies that this Cisco WAE should
be registered as an application accelerator with Central Manager.

The primary-interface is the interface that is used for management traffic and MUST be
defined on ALL WAEs in the deployment. The primary-interface must be able to reach
Central Manager, and must be deployed on a routable subnet.

For an application accelerator WAE, specify the primary interface and configure the device
mode as application-accelerator.


Initialize Application Accelerators (Cont.)


Note: This step assumes the setup script has been successfully completed.
waas-core(config)#central-manager address 10.10.10.10
waas-core(config)#cms enable
Generating new RPC certificate/key pair
Restarting RPC services
Registering Wide Area Application Engine...
Registration complete.
Please preserve running configuration using 'copy running-config
startup-config'. Otherwise management service will not
be started on reload and node will be shown 'offline' in Wide
Area Central Manager UI.
management services enabled
waas-core(config)#end
waas-core#copy run start

central-manager address: This command specifies the IP address or DNS name of the
primary Central Manager that this accelerator should register to.

cms enable: This command enables Central Management support for this WAE by registering
against the defined Central Manager.

Next, specify the IP address of the Central Manager using the central-manager address
command. Finally, run cms enable to register this WAE against the CM. Be sure to save the
configuration of the WAE at this point.
An alternative to using a statically defined Central Manager IP address is available when using
DHCP on the WAE. Within DHCP, a vendor class option (option number 43), can be set within
the DHCP scope to provide the IP address or hostname of the CM. The WAEs configured with
DHCP can be set to listen for this option by configuring them for autoregistration by issuing the
following command sequence:
WAE# configure
WAE(config)# auto-register enable gigabitEthernet 1/0

In this example, the interface supplied is the interface that should be used to receive DHCP
offers from the DHCP server. Autoregistration can be verified from the CLI by using the
following command:
WAE# show auto-register


Initial Accelerator Network Module Configuration


This topic explains the process of initially configuring WAE network modules configured as
accelerators within the Cisco WAAS network.

Initialize Application Accelerators


The NME-WAEs that participate in the network as
application accelerators should be brought online after
Central Manager, and then registered with Central
Manager, using the following sequence:
1. Insert network module into router.
2. Configure network module internal interfaces on the router.
3. Connect to the network module via router console.
4. Complete the CLI setup script.
5. Assign a primary interface.
6. Specify the device mode.
7. Specify the Central Manager IP.
8. Enable CMS.
9. Save the configuration.

The NME-WAE platforms can be inserted into the following router platforms: 2811, 2821,
3825, 3845. The NME-WAE does not operate in a nonsupported router.
The NME-WAE service module REQUIRES at a minimum IOS v12.4(9)T1. The NME-WAE
does not operate in a nonsupported router, nor does the NME-WAE operate in a supported
router that is not at or above the minimum software version level.
Initial setup tasks for application accelerator WAE appliances are similar to the Central
Manager WAE with the exception that a reload is not required during configuration.
Configuring an application accelerator requires the following:


Insert network module into router: Ensure that the network module is properly inserted.
This must be done while the router is physically powered off. The network modules can not
be inserted while the router is powered on.

Configure network module internal interfaces on the router: The NME-WAE uses an
internal GigabitEthernet interface over the router backplane, and the router has a separate
internal interface that is used as the network module default gateway.

Connect to the network module via router console: The console of the NME-WAE can
be reached from the router console.


At this point, the NME-WAE is configured as any WAE appliance would be:

Completion of the CLI setup script: Identical to that of the WAE appliance.

Configuration of a primary interface: Identical to that of the WAE appliance.

Device mode: The NME-WAE can only be configured as an application-accelerator. The
NME-WAE can not be configured as a Central Manager.

Configuration of CMS: Include the Central Manager IP or hostname.


NME-WAE Router Verification


After the NME-WAE is inserted into the router, verify that the NME-WAE is online and ready
(may take up to 5 minutes to allow Cisco WAAS to boot):
R2821-edge#sh ver
Cisco IOS Software, 2800 Software (C2800NM-ENTBASEK9-M), Version 12.4(9)T, RELEASE
SOFTWARE (fc1)

Cisco 2821 (revision 53.51) with 243712K/18432K bytes of memory.


Processor board ID FTX1010C45Q
2 Gigabit Ethernet interfaces
1 terminal line
1 Cisco Integrated Service Engine(s)
Cisco Wide Area Application Services Software 4.0.5
R2821-edge#service-module integrated-Service-Engine 1/0 status
Service Module is Cisco Integrated-Service-Engine1/0
Service Module supports session via TTY line 66
Service Module is in Steady state
Getting status from the Service Module, please wait..
Cisco Wide Area Application Services Software 4.0.5
Restarted at Mon May  8 21:13:47 2006

The router CLI can be used to verify that the NME-WAE is properly inserted and powered up.
Use the sh ver command within the router CLI to validate that an Integrated Services Engine
appears in the hardware listing. Also, the service-module integrated-Service-Engine 1/0
status command validates that the NME-WAE is running Cisco WAAS software and reports its
hardware and software state.


NME-WAE Internal Architecture


[Figure: Cisco Integrated Services Router containing a Cisco NME-WAE Network Module.
Labeled elements: LAN I/F, WAN I/F, IP Network, Service Module Internal I/F, Service Module I/F.]

Router Internal Interface (NME-WAE default gateway)
Integrated-Services-Engine(slot)/0
ip address 10.10.100.1 255.255.255.0
ip wccp redirect exclude in

Router Interface
Integrated-Services-Engine(slot)/0
service-module ip address 10.10.100.2 255.255.255.0
service-module ip default-gateway 10.10.100.1

WAE Interface
GigabitEthernet0/0
ip address 10.10.100.2 255.255.255.0

The NME-WAE has two GigabitEthernet interfaces. One interface is virtual and is connected to
the router via the router backplane as shown in the figure.
The NME-WAE internal interface connects directly over the router backplane to a router
interface that is dedicated to the service module. It is recommended that this router interface is
to be used as the default gateway for the NME-WAE; however, the NME-WAE can use the
external interface and an adjacent router (this configuration is not recommended). The router
internal interface should also be configured as being excluded from Web Cache
Communication Protocol (WCCP) redirection so that traffic coming into the interface from the
NME-WAE is not immediately redirected back to the NME-WAE. Issue the following
commands from the router CLI:
Router# config t
Router(config)# interface Integrated-Services-Engine (slot)/0
Router(config-if)# ip address 10.10.100.1 255.255.255.0
Router(config-if)# ip wccp redirect exclude in
Router(config-if)# no shut

This internal interface is identified as GigabitEthernet 1/0 in the WAE CLI. The IP address of
this interface can be configured from the router CLI by using:
Router# config t
Router(config)# interface Integrated-Services-Engine (slot)/0
Router(config-if)# service-module ip address 10.10.100.2 255.255.255.0
Router(config-if)# no shut

The IP address of this interface can also be configured in the WAE CLI, and should be
configured identically to the router CLI configuration:
NME-WAE# config t
NME-WAE(config)# interface GigabitEthernet 1/0
NME-WAE(config-if)# ip address 10.10.100.2 255.255.255.0
NME-WAE(config-if)# no shut
NME-WAE(config-if)# exit
NME-WAE(config)# ip default-gateway 10.10.100.1
Note: The NME-WAE internal interface and the router internal interface dedicated to the
NME-WAE cannot be configured with the same IP address. They do, however, need to be on the
same subnet. Configuring the NME-WAE IP address and default gateway also propagates
to the WAE configuration automatically.

NME-WAE Management Commands


The following commands are used to manage, configure,
monitor, and access the NME-WAE when installed within
the ISR chassis:
R2821-edge# service-module integrated-Service-Engine 1/0 ?
default-boot   Set/Clear Default Boot for the next reboot
reload         Reload service module
reset          Hardware reset of Service Module
session        Service module session
shutdown       Shutdown service module
statistics     Service Module Statistics
status         Service Module Information

The service-module command, when executed at the privileged exec prompt of a router
running an IOS version that supports the NME-WAE, provides a series of commands that can
be executed relative to any installed service modules:
R2821-edge#service-module integrated-Service-Engine 1/0 ?
default-boot Set/Clear Default Boot for the next reboot
reload Reload service module
reset Hardware reset of Service Module
session Service module session
shutdown Shutdown service module
statistics Service Module Statistics
status Service Module Information

To reload the service module software:


R2821-edge#service-module integrated-Service-Engine 1/0 reload

To reset the service module hardware:


R2821-edge#service-module integrated-Service-Engine 1/0 reset

To establish a console session to the service module using the existing router session:
R2821-edge#service-module integrated-Service-Engine 1/0 session

To clear a console session that has been established to the service module:
R2821-edge#service-module integrated-Service-Engine 1/0 session clear
[confirm]y [OK]

To shut down a service module:


R2821-edge#service-module integrated-Service-Engine 1/0 shutdown
[confirm]y [OK]

To shut down a service module without being prompted for a confirmation:

R2821-edge#service-module integrated-Service-Engine 1/0 shutdown noconfirm

To view module statistics, including reset counters, reload counters:


R2821-edge#service-module integrated-Service-Engine 1/0 statistics
Module Reset Statistics:
CLI reset count = 0
CLI reload count = 0
Registration request timeout reset count = 0
Error recovery timeout reset count = 0
Module registration count = 2

To clear module statistics:


R2821-edge#service-module integrated-Service-Engine 1/0 statistics clear

To view the status of a service module:


R2821-edge#service-module integrated-Service-Engine 1/0 status
Service Module is Cisco Integrated-Service-Engine1/0
Service Module supports session via TTY line 66
Service Module is in Steady state
Getting status from the Service Module, please wait..
Cisco Wide Area Application Services Software 4.0.4 (b100 Nov 28 2006 19:16:31)
Restarted at Fri Nov 3 00:01:04 2006


Configuring Router Internal Interface


Configure the router internal interface, NME-WAE
internal interface, WCCP redirect exclusion, and default
route:
R2821-edge# config t
R2821-edge(config)# interface Integrated-Service-Engine1/0
R2821-edge(config-if)# ip address 10.10.100.1 255.255.255.0
R2821-edge(config-if)# ip wccp redirect exclude in
R2821-edge(config-if)# service-module ip address 10.10.100.2 255.255.255.0
R2821-edge(config-if)# service-module ip default-gateway 10.10.100.1
R2821-edge(config-if)# no shut
R2821-edge(config-if)# exit
R2821-edge(config)# ip route 10.10.100.2 255.255.255.255 Integrated-Service-Engine1/0

The router's internal interface dedicated to the NME-WAE is configured from the router CLI.
This interface should be given an IP address on a subnet dedicated to WAEs. This interface
should also be configured for WCCP redirection exclusion so that traffic coming from the
NME-WAE is not immediately redirected back to the NME-WAE.
From the CLI configuration of the Integrated-Services-Engine(slot)/0 interface, you can also
configure the IP address of the NME-WAE as well as its default-gateway. The default-gateway
of the NME-WAE should be the router's internal interface. Be sure to enable the router's
internal interface using the no shut command, and add a static route to the NME-WAE on the
router.
The router internal interface and NME-WAE internal interface do not require speed or duplex
configuration.
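
The rules stated in this topic for the router side of an NME-WAE, written as a small Python linter over a running-config excerpt. This is an added example, not Cisco tooling or part of the course material; the function name, the finding codes, and both sample configurations are constructed for illustration.

```python
import ipaddress
import re

# Constructed running-config excerpts (not captured from a device); the
# addresses follow this lesson's 10.10.100.0/24 example.
GOOD = """\
interface Integrated-Service-Engine1/0
 ip address 10.10.100.1 255.255.255.0
 ip wccp redirect exclude in
 service-module ip address 10.10.100.2 255.255.255.0
 service-module ip default-gateway 10.10.100.1
!
ip route 10.10.100.2 255.255.255.255 Integrated-Service-Engine1/0
"""

# Constructed: router and module share one address, no WCCP exclusion, wrong
# module gateway, interface shut down, no host route to the module.
BAD = """\
interface Integrated-Service-Engine1/0
 ip address 10.10.100.2 255.255.255.0
 service-module ip address 10.10.100.2 255.255.255.0
 service-module ip default-gateway 10.10.100.254
 shutdown
!
"""

ISE_RE = re.compile(r"interface\s+(Integrated-Service-Engine\s*\S+)", re.I)


def lint_nme_wae(config):
    """Return a sorted list of finding codes; an empty list means every check passed."""
    name, block, in_block = None, [], False
    for raw in config.splitlines():
        m = ISE_RE.match(raw)
        if m and name is None:
            # Normalise "Integrated-Service-Engine 1/0" and "...Engine1/0" alike.
            name, in_block = re.sub(r"\s+", "", m.group(1)).lower(), True
        elif in_block and raw.startswith(" "):
            block.append(" ".join(raw.lower().split()))
        else:
            in_block = False  # an unindented line ends the interface block
    if name is None:
        return ["no-ise-interface"]

    def first(pattern):
        for line in block:
            m = re.fullmatch(pattern, line)
            if m:
                return m.groups()
        return None

    router = first(r"ip address (\S+) (\S+)")
    module = first(r"service-module ip address (\S+) (\S+)")
    gateway = first(r"service-module ip default-gateway (\S+)")
    if router is None or module is None:
        return ["missing-address"]
    router_if = ipaddress.ip_interface("/".join(router))
    module_if = ipaddress.ip_interface("/".join(module))

    findings = set()
    if router_if.ip == module_if.ip:
        findings.add("duplicate-address")       # must not share one IP address
    if router_if.network != module_if.network:
        findings.add("different-subnet")        # must be on the same subnet
    if "ip wccp redirect exclude in" not in block:
        findings.add("no-wccp-exclude")         # traffic would be redirected back
    if gateway is None or ipaddress.ip_address(gateway[0]) != router_if.ip:
        findings.add("gateway-not-router")      # gateway should be the router interface
    if "shutdown" in block:
        findings.add("interface-shutdown")      # interface was never enabled

    # A host route to the module through the internal interface must exist.
    has_route = False
    for raw in config.splitlines():
        m = re.fullmatch(r"ip route (\S+) (\S+) (\S+)", " ".join(raw.lower().split()))
        if m and m.group(2) == "255.255.255.255" and m.group(3) == name:
            has_route = has_route or ipaddress.ip_address(m.group(1)) == module_if.ip
    if not has_route:
        findings.add("no-host-route")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_nme_wae(cfg) or "all checks pass")
```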


Connecting to the NME-WAE


To connect to the NME-WAE from the router CLI:
R2821-edge#service-module integrated-Service-Engine 1/0 session
Trying 10.10.100.1, 2066 ... Open

Cisco Wide Area Application Services Engine Console


Username:

The NME-WAE can then be configured as any appliance would be configured per the previous
section on configuring accelerator WAE appliances.

After the NME-WAE is powered up and the interfaces are configured, the service-module
Integrated-Service-Engine(slot)/0 session command allows you to attach to the NME-WAE
via a console connection. This console connection is internal over the router backplane and
requires no serial cable be connected to the NME-WAE itself (it does not have a serial port).
The console line of the NME-WAE can be cleared using the command service-module
integrated-Service-Engine 1/0 session clear on the router.
After you have connected to the NME-WAE (via console, telnet, SSH, or other), you can then
configure it as any WAE appliance.


Configuring WAE Interfaces


This topic explains how to configure the network interfaces on the WAE.

WAE Interface Configuration


This sequence shows the configuring of a WAE interface IP address,
subnet mask, speed, mode, and operational state:
waas-cm(config)# interface GigabitEthernet 1/0
waas-cm(config-if)# ip address 10.10.10.10 255.255.255.0
waas-cm(config-if)# bandwidth 1000
waas-cm(config-if)# full-duplex
waas-cm(config-if)# no shutdown
When not using Gigabit speeds, always set the duplex to full and
set the speed correctly; otherwise, performance problems can occur.


WAE interfaces are configured in a process similar to configuring interfaces in IOS. For proper
operation, it is required that full-duplex be explicitly configured on all WAEs. If interfaces are
operated in half-duplex mode, an alert is sent to the CM. Interfaces can be bundled into a
PortChannel for high availability if desired.
To configure an interface, use the config t command to enter global config mode, and then use
the interface gigabitEthernet 1/0 or interface gigabitEthernet 2/0 command to enter
interface configuration mode. You can also use the interface command to access configuration
mode for other types of interfaces, such as PortChannels. From here, the interface bandwidth,
duplex, and other settings can be applied.
Additionally, DHCP can be used on WAE interfaces. If DHCP is used, it is recommended that
reservations be created within the DHCP server so that the WAE receives the same IP address
each time.
Duplex and bandwidth settings do not need to be configured on the NME-WAE internal
interface. The external interface, however, which is GigabitEthernet 2/0, can be configured
with speed and duplex settings.
Note: Full-duplex should not be configured for interfaces that are connected to a Gigabit Ethernet
switch, as duplex is automatically set to full. Speed and duplex settings are only applicable
in non-Gigabit environments. Bandwidth and duplex settings do not need to be configured
on router internal interfaces supporting the NME-WAE, and do not need to be configured on
the internal interface within the NME-WAE.

WAE Interface Channeling


Interfaces can be bundled into a PortChannel for load balancing and high availability.
Interface channeling requires identical interface configurations
on both physical interfaces.
IP addresses are defined on the PortChannel interface.
waas-cm(config)# interface PortChannel 1
waas-cm(config-if)# no shut
waas-cm(config-if)# ip address 10.10.10.5 255.255.255.0


To configure an interface PortChannel, assign the IP address to the PortChannel interface itself
and not to the interface members of the PortChannel. Be sure to enable the interface by using
the no shutdown command.
Note: This is not applicable to the NME-WAE or internal router interfaces that connect to the
NME-WAE.

Cisco Wide Area Application Services Technical Training (WAAS) v4.0.7


WAE Interface Channeling (Cont.)


waas-cm(config)# interface gigabitEthernet 1/0
waas-cm(config-if)# no shut
waas-cm(config-if)# channel-group 1
waas-cm(config-if)# exit
waas-cm(config)# interface gigabitEthernet 2/0
waas-cm(config-if)# no shut
waas-cm(config-if)# channel-group 1


Next, assign each of the interfaces to the PortChannel using the channel-group command.
Make sure to enable the physical interfaces by using the no shutdown command.
Note: This is not applicable to the NME-WAE.

Network Configuration
Common CLI configuration commands include the following:
wafs30-edge(config)# ip default-gateway (ipaddr)
wafs30-edge(config)# ip domain-name (domainname)
wafs30-edge(config)# ip name-server (ipaddr)
wafs30-edge(config)# interface GigabitEthernet (slot/port)
wafs30-edge(config-if)# ip address (ipaddr) (subnetmask)
wafs30-edge(config-if)# no shut

These commands (interface, ip address, and no shut) are required to assign an IP address to an
interface and enable that interface.

These commands (ip default-gateway, ip domain-name, and ip name-server) are required to reach
non-subnet-local devices (other WAEs, for example) and resolve names via DNS.

The CLI provides facilities to configure all of the networking components of the WAE,
including the default gateway, the DNS server list (IP addresses, used sequentially), and the DNS
domain name. Note that GigabitEthernet 1/0 on the NME-WAE represents the internal network
interface facing the router backplane.


View Interface Statistics


waas-cm#sh int gigabitEthernet 1/0
Type:Ethernet
Ethernet address:00:11:25:AA:2B:1A
Internet address:10.10.10.10
Broadcast address:10.10.10.255
Netmask:255.255.255.0
Maximum Transfer Unit Size:1500
Metric:1
Packets Received: 26603
Input Errors: 0
Input Packets Dropped: 0
Input Packets Overruns: 0
Input Packets Frames: 0
Packet Sent: 18662
Output Errors: 0
Output Packets Dropped: 0
Output Packets Overruns: 0
Output Packets Carrier: 0
Output Queue Length:1000
Collisions: 0
Base address:0x2000
Flags:UP BROADCAST RUNNING MULTICAST
Mode: full-duplex, 100baseTX

These elements (Ethernet address through Maximum Transfer Unit Size) identify Layer 2 and
Layer 3 addresses, the network mask, and MTU.

These elements (Flags and Mode) identify the operational state, mode, and speed.

The show command provides information about the different functions of the WAE. In this
example, the show interface command was used to display interface configuration details and
statistics. Note that this command shows the configuration of the interface, including MAC
address, IP address, network mask, and maximum transmission unit (MTU), as well as statistics
(input packets, packets received, errors, drops, overruns, output packets, and more). Also note
that this command shows the operational state of the interface (up or down) and duplex. The
duplex should always be statically defined to full-duplex on each WAE. It is good practice to
use full-duplex on the switch ports and on the router interfaces as well.


View PortChannel Statistics


waas-cm#sh int portChannel 1
Interface PortChannel 1 (1 physical interface(s)):
GigabitEthernet 2/0 (active)
--------------------
Type:Ethernet
Ethernet address:00:11:25:AA:2B:1B
Internet address:10.10.10.10
Broadcast address:10.10.10.255
Netmask:255.255.255.0
Maximum Transfer Unit Size:1500
Metric:1
Packets Received: 0
Input Errors: 0
Input Packets Dropped: 0
Input Packets Overruns: 0
Input Packets Frames: 0
Packet Sent: 0
Output Errors: 0
Output Packets Dropped: 0
Output Packets Overruns: 0
Output Packets Carrier: 0
Output Queue Length:0
Collisions: 0
Flags:UP BROADCAST RUNNING MASTER MULTICAST

These statistics show physical interfaces and interface state.

These statistics show Layer 2 and Layer 3 addresses, the network mask, and MTU.

Issuing the show interface command against a PortChannel provides similar information. The
figure lists the PortChannel interface members and their current state.
Note: This is not applicable to the NME-WAE.

Commonly Used CLI Commands


This topic lists commonly used CLI commands and describes their function.

Syslog, SSH, and Telnet


Common CLI configuration commands include the following:
wae511# config t
wae511(config)# hostname waas
waas(config)# ssh-key-generate key-length (512-1024)
waas(config)# sshd version 2
waas(config)# sshd enable
waas(config)# no telnet enable
waas(config)# logging host (ipaddr)

These commands (ssh-key-generate, sshd version 2, and sshd enable) are required to enable and
configure SSHv2 management.

This command (no telnet enable) is required to disable Telnet, which is enabled by default.

This command (logging host) is required to enable external syslog logging.

CLI commands are generally used to define common platform components and functions:

Telnet is enabled by default.

Secure Shell (SSH) is not enabled by default.

Up to four syslog servers can be listed through the logging host command.


SNMP Configuration
waas40-edge(config)# snmp-server community (string)
waas40-edge(config)# snmp-server contact (string)
waas40-edge(config)# snmp-server location (string)
waas40-edge(config)# snmp-server enable traps (alarm|config|event|wafs)
waas40-edge(config)# snmp-server group (string) (v1|v2c|v3)
waas40-edge(config)# snmp-server host (ipaddr) (community|user) (v2c|v3)
waas40-edge(config)# snmp-server user (username)

This command (snmp-server community) specifies the SNMP community string.

These commands (snmp-server contact and snmp-server location) define SNMP contact and
location information.

This command (snmp-server enable traps) specifies the SNMP traps to enable.

This command (snmp-server group) specifies the SNMP group string and version number.

This command (snmp-server host) specifies the SNMP hosts to receive notifications.

This command (snmp-server user) specifies the SNMP user.

The CLI allows you to configure almost every aspect of the Simple Network Management
Protocol (SNMP) on the WAE. The Central Manager GUI is recommended for performing
these tasks, because configurations defined through the GUI can be applied against a device
group, while the CLI only supports configuration for a single device.
Use the snmp-server ? command to configure the following SNMP options:

access-list: Configure a standard IP access list allowing access to the SNMP Agent

community: Enable SNMP and set the community string

contact: Text for mib object sysContact

enable: Enable SNMP traps

group: Define a user security model group

host: Specify hosts to receive SNMP Traps

location: Text for mib object sysLocation

mib: Configure a MIB

notify: Configure SNMP inform and Trap options

user: Define a user who can access the SNMP engine

view: Define an SNMPv2 MIB view

Note: Basic SNMP configuration can be performed via the device GUI by choosing Cisco WAE >
Configuration > SNMP. It is recommended that you use the Central Manager GUI for
SNMP configuration.

Syslog Configuration
waas40-edge(config)#logging host ?
  Hostname or A.B.C.D  Host IP address
waas40-edge(config)#logging host 1.1.1.1 ?
  port         Port to use when logging to a host (default is 514)
  priority     Priority level when logging to host (default is 'warning')
  rate-limit   Set messages per second limit
  <cr>
waas40-edge(config)#logging host 1.1.1.1 priority ?
  alert        (1) Immediate action needed
  critical     (2) Critical conditions
  debug        (7) Debugging messages
  emergency    (0) System is unusable
  error        (3) Error conditions
  information  (6) Informational messages
  notice       (5) Normal but significant conditions
  warning      (4) Warning conditions
EDGE1(config)#logging host 1.1.1.1 priority warning ?
  port         Port to use when logging to a host (default is 514)
  rate-limit   Set messages per second limit
  <cr>

The logging host command defines a syslog server. Up to 4 can be defined.

The priority option defines the message priority required to trigger an alert to the syslog
server. Default is warning.

The WAE CLI can be used to configure up to four syslog servers. Each syslog server definition
requires a separate command entry in the WAE CLI. The logging host command also allows
the administrator to specify which port to use, the rate limit for sending syslog messages, and
the minimum priority level a message must have to be sent to the syslog server.
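
The settings from the Syslog, SSH, and Telnet slide and the logging host options above can be checked against a saved configuration. The following Python audit is an added example, not Cisco code; it assumes the saved configuration lists these commands exactly as they are typed in configuration mode, and both sample configurations and the rule that flags a priority stricter than warning are constructed for illustration.

```python
"""Audit a saved WAE configuration for the management settings named on this page."""

# Priority keywords and numbers as printed by "logging host <ip> priority ?".
PRIORITIES = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "information": 6, "debug": 7,
}
MAX_SYSLOG_HOSTS = 4          # the page: up to four syslog servers
DEFAULT_PORT = 514            # the page: default port
DEFAULT_PRIORITY = "warning"  # the page: default priority


def parse_logging_host(line):
    """Return the effective settings of one 'logging host' line, defaults applied."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[:2] != ["logging", "host"]:
        raise ValueError(f"not a logging host line: {line!r}")
    entry = {"host": tokens[2], "port": DEFAULT_PORT,
             "priority": DEFAULT_PRIORITY, "rate_limit": None}
    options = tokens[3:]
    if len(options) % 2:
        raise ValueError(f"option without a value: {line!r}")
    # Options may come in either order (the CLI help offers port after priority).
    for key, value in zip(options[::2], options[1::2]):
        if key == "port":
            entry["port"] = int(value)
        elif key == "rate-limit":
            entry["rate_limit"] = int(value)
        elif key == "priority" and value in PRIORITIES:
            entry["priority"] = value
        else:
            raise ValueError(f"unknown option {key} {value!r}")
    return entry


def audit(config_text):
    """Return (findings, syslog_hosts) for a configuration given as text."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []

    # Telnet is on by default, so only an explicit 'no telnet enable' turns it off.
    if "no telnet enable" not in lines:
        findings.append("telnet: still enabled (default); add 'no telnet enable'")
    # SSH is off by default and must be enabled and set to version 2.
    if "sshd enable" not in lines:
        findings.append("ssh: not enabled; add 'sshd enable'")
    if "sshd version 2" not in lines:
        findings.append("ssh: version not set; add 'sshd version 2'")

    hosts = [parse_logging_host(ln) for ln in lines if ln.startswith("logging host ")]
    if not hosts:
        findings.append("syslog: no 'logging host' configured")
    if len(hosts) > MAX_SYSLOG_HOSTS:
        findings.append(f"syslog: {len(hosts)} hosts listed, limit is {MAX_SYSLOG_HOSTS}")
    for h in hosts:
        # A lower number is more severe. A threshold below 'warning' means
        # warning-level messages never reach that server (flagging this is
        # a policy assumption of this example, not a rule from the page).
        if PRIORITIES[h["priority"]] < PRIORITIES[DEFAULT_PRIORITY]:
            findings.append(f"syslog {h['host']}: priority '{h['priority']}' "
                            "suppresses warning-level messages")
    return findings, hosts


# Constructed sample configurations (not taken from a real device).
WEAK_CONFIG = """
hostname waas
sshd enable
logging host 10.10.10.50 priority critical
"""

HARDENED_CONFIG = """
hostname waas
sshd version 2
sshd enable
no telnet enable
logging host 10.10.10.50
logging host 10.10.10.51 priority notice port 1514 rate-limit 100
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings, hosts = audit(text)
        print(name, "->", findings or "no findings")
        for h in hosts:
            print("   ", h)
```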


System Time
Common CLI configuration commands are required to
specify system time, date, or an NTP server:
waas40-edge(config)# clock timezone (timezone) (hoursoffset) (minutesoffset)
waas40-edge(config)# exit
waas40-edge# clock set (HH:MM:SS) (month) (day) (year)
waas40-edge# config term
waas40-edge(config)# ntp server (ipaddr)


It is important to maintain and ensure consistent system time when using Cisco WAAS,
particularly for file or print services. When using WAAS for file or print services, or when
using Windows authentication for management, the time skew from each of the WAEs to the
domain controller should be no more than 5 minutes. Otherwise, Windows tickets expire and
services do not function correctly.
System time can be specified manually or by using the Network Time Protocol (NTP).
Note: It is important to synchronize the clocks on each of the WAEs in the Cisco WAAS network
with the Central Manager WAEs. This allows for proper reporting of statistics and
monitoring. Should a WAE not be synchronized with the Central Manager, an alert is
displayed for that device in the Central Manager GUI.

Setting User Passwords and Privilege


The system-configured administrator account credentials are:
Username = admin
Password = default
waas-edge(config)#user admin password cisco
Warning: Central Manager should be used for user account configuration
operations. User's access will be incomplete otherwise.

waas-edge(config)#user monitoruser privilege 0


Warning: Central Manager should be used for user account configuration
operations. User's access will be incomplete otherwise.

waas-edge(config)#user admin privilege 15


Warning: Central Manager should be used for user account configuration
operations. User's access will be incomplete otherwise.


User passwords can be configured via the CLI, but it is recommended that you configure them
from Central Manager, because these configurations can be applied globally.
The CLI allows for the classification of users into one of two configured privilege levels:

0: A normal user with basic CLI monitoring access and no configuration capabilities

15: A super user with full access to the CLI


TACACS, RADIUS, and Authentication


Common CLI configuration commands include the following:
waas40-edge(config)# tacacs host (ipaddr)
waas40-edge(config)# tacacs key (password)
waas40-edge(config)# radius-server host (ipaddr)
waas40-edge(config)# radius-server key (password)
waas40-edge(config)# authentication config tacacs enable primary
waas40-edge(config)# authentication config radius enable secondary
wafs30-edge(config)# authentication config local enable tertiary

These commands (tacacs host, tacacs key, radius-server host, and radius-server key) are
required to specify RADIUS and TACACS server, and the keys for each.

These commands (authentication config) are required to specify the AAA provider for WAE
configuration. TACACS is first, then RADIUS, and finally local.

Cisco WAAS supports TACACS, RADIUS, and Windows as authentication providers in
addition to the local user database. Up to four authentication providers can be configured on the
WAE: primary, secondary, tertiary, and quaternary. Cisco WAAS Central Manager allows you
to configure authentication parameters against an entire device group, while the CLI is
restricted to configuring a single device.
Authentication configuration is granular in that you can specify different providers for different
tasks. For example, you can use Windows domain for print services, and RADIUS for
management, and so on.
The command syntax and options for these functions are listed and described as follows:
edge-wae(config)#authentication ?

Options include:

configuration: Configuration authentication

content-request: Authenticate a request for content

fail-over: Specify a condition to query the next authentication scheme

login: Login authentication

print-services: Configure authentication for print services

edge-wae(config)#authentication configuration ?

Options include:

local: Local authentication

radius: RADIUS server authentication

tacacs: TACACS+ server authentication

windows-domain: Windows domain server authentication

edge-wae(config)#authentication login ?

Options include:

local: Local authentication

radius: RADIUS server authentication

tacacs: TACACS+ server authentication

windows-domain: Windows domain server authentication

edge-wae(config)#authentication login local ?

Options include:

enable: Enable authentication method

edge-wae(config)#authentication login local enable ?

Options include:

primary: Set authentication method as primary

secondary: Set authentication method as secondary

tertiary: Set authentication method as tertiary

quaternary: Set authentication method as quaternary


Login Authentication
Common CLI configuration commands include the following:
waas40-edge(config)# authentication login tacacs enable primary
waas40-edge(config)# authentication login radius enable secondary
waas40-edge(config)# authentication login local enable tertiary
waas40-edge(config)# authentication fail-over server-unreachable

These commands (authentication login) are required to specify the AAA provider for
the WAE login. TACACS is first, then RADIUS, and finally local.

This command (authentication fail-over server-unreachable) is required to define conditions
that can cause failover to an alternate AAA provider.

Authentication can be configured so that the WAE fails over to an alternate authentication,
authorization, and accounting (AAA) provider should the configured provider be unavailable.
The command syntax and options for authentication functions are listed and described as
follows.
edge-wae(config)#authentication ?

Options include:

configuration: Authenticate the configuration

content-request: Authenticate a request for content

fail-over: Specify a condition to query the next authentication scheme

login: Authenticate the login

print-services: Configure authentication for print services

edge-wae(config)#authentication fail-over ?

Options include:

server-unreachable: Query the next authentication method only if the server is unreachable

edge-wae(config)#authentication fail-over server-unreachable
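
The effect of authentication fail-over server-unreachable on the login provider order, as an added Python model that is not Cisco code. It assumes that without this command a login the current provider does not accept, for any reason, is passed to the next provider; the page does not state that default. The configuration text and the provider replies are constructed.

```python
"""Model of the WAE login provider chain and the fail-over setting described above."""
from enum import Enum


class Reply(Enum):
    ACCEPT = "accept"            # provider reachable, credentials valid
    REJECT = "reject"            # provider reachable, credentials refused
    UNREACHABLE = "unreachable"  # provider did not answer


SLOT_ORDER = ("primary", "secondary", "tertiary", "quaternary")


def parse_login_chain(config_text):
    """Return (providers in slot order, server_unreachable_only) from config text."""
    slots = {}
    server_unreachable_only = False
    for raw in config_text.splitlines():
        tokens = raw.split()
        # authentication login <provider> enable <slot>
        if (len(tokens) == 5 and tokens[:2] == ["authentication", "login"]
                and tokens[3] == "enable" and tokens[4] in SLOT_ORDER):
            if tokens[4] in slots:
                raise ValueError(f"slot {tokens[4]} assigned twice")
            slots[tokens[4]] = tokens[2]
        elif tokens == ["authentication", "fail-over", "server-unreachable"]:
            server_unreachable_only = True
    chain = [slots[s] for s in SLOT_ORDER if s in slots]
    return chain, server_unreachable_only


def decide_login(chain, server_unreachable_only, replies):
    """Walk the chain for one login attempt; return (granted, deciding provider)."""
    for provider in chain:
        reply = replies[provider]
        if reply is Reply.ACCEPT:
            return True, provider
        if reply is Reply.REJECT and server_unreachable_only:
            # A reachable server refused the login: that answer is final.
            return False, provider
        # UNREACHABLE, or REJECT without the fail-over command (assumed
        # default behaviour): the next provider in the chain is queried.
    return False, None  # no provider accepted the login


def run(config_text, replies):
    """Parse the configuration and decide one login attempt against it."""
    chain, only = parse_login_chain(config_text)
    return decide_login(chain, only, replies)


# Constructed configuration, using the command forms shown on the slide.
BASE_CONFIG = """
authentication login tacacs enable primary
authentication login radius enable secondary
authentication login local enable tertiary
"""
WITH_FAILOVER = BASE_CONFIG + "authentication fail-over server-unreachable\n"

# Constructed case: the account was disabled on the AAA servers, but a local
# account with the same name and password still exists on the WAE.
STALE_LOCAL = {"tacacs": Reply.REJECT, "radius": Reply.REJECT, "local": Reply.ACCEPT}
# Constructed case: both AAA servers are down, for example during a WAN outage.
AAA_DOWN = {"tacacs": Reply.UNREACHABLE, "radius": Reply.UNREACHABLE,
            "local": Reply.ACCEPT}

if __name__ == "__main__":
    for label, cfg in (("without fail-over command", BASE_CONFIG),
                       ("with fail-over command", WITH_FAILOVER)):
        print(label)
        print("  stale local account:", run(cfg, STALE_LOCAL))
        print("  AAA servers down:   ", run(cfg, AAA_DOWN))
```

With the command present, the local database is consulted only when TACACS and RADIUS cannot be reached, so a rejection from a reachable AAA server is final while local login still works during an outage.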


Examining Disk Details


This command displays the state
of installed disks, including capacity
and configured file systems.

waas-core#sh disk details

Physical disk information:
disk00: Normal    (h00 c00 i00 l00 - DAS)    238472MB(232.9GB)
disk01: Normal    (h01 c00 i00 l00 - DAS)    238472MB(232.9GB)

Mounted file systems:
MOUNT POINT        TYPE        DEVICE      SIZE       INUSE   FREE       USE%
/                  root        /dev/root   35MB       30MB    5MB        85%
/swstore           internal    /dev/md1    495MB      327MB   168MB      66%
/state             internal    /dev/md2    4031MB     119MB   3912MB     2%
/disk00-04         CONTENT     /dev/md4    214232MB   58MB    214174MB   0%
/local/local1      SYSFS       /dev/md5    3967MB     802MB   3165MB     20%
.../local1/spool   PRINTSPOOL  /dev/md6    991MB      16MB    975MB      1%
/sw                internal    /dev/md0    991MB      431MB   560MB      43%

Use the command shown in the figure to view disk details. When more than one disk drive is
installed in the WAE appliance, the WAE is configured to use RAID-1 mirroring for all file
systems. If all disks become unavailable, the WAE is still reachable on the network and
continues to apply Transport Flow Optimization (TFO) only, based on policy.
Note that the output of this command identifies the physical disks that are installed in the
system, including the state of the disks and their capacity. This command also lists the capacity
for each of the file systems that are configured on the disks.
The following are the file systems used by Cisco WAAS, as well as their purpose:

Root: /, the root file system, all file systems are children of the root file system

Software store: /swstore, any pending software updates and archived copy of previous
software image

State: /state, system read and write file system for internal system processes

Content: /disk00-04, used for data and metadata cache storage including application
acceleration and WAN optimization capabilities such as DRE and the Common Internet
File System (CIFS) file cache

Sysfs: /local/local1, capacity for log files and core dumps

Printspool: /local/local1/spool, capacity for spooled print jobs (1GB), reclaimed after print
job completed, shared among printer queues

Internal: /sw, storage repository for unpacked executable code

The content file system is used as a read-write dynamic cache storage area for the CIFS and the
Data Redundancy Elimination (DRE) compression history. The size of this file system is
dynamic based on the WAE model, memory configuration, and installed disks:

NME-WAE-302 with 512MB of memory, 80GB disk; 40GB for DRE

NME-WAE-502 with 1GB of memory, 120GB disk; 40GB for DRE, 40GB for CIFS


WAE-512 with 1GB of memory, 250GB disks; 75GB for DRE, 110GB for CIFS

WAE-512 with 2GB of memory, 250GB disks; 110GB for DRE, 110GB for CIFS

WAE-612 with 2GB of memory, 300GB disks; 130GB for DRE, 130GB for CIFS

WAE-612 with 4GB of memory, 300GB disks; 130GB for DRE, 130GB for CIFS

WAE-7326 with 4GB of memory, 300GB disks; 380GB for DRE, 300GB for CIFS

Note: This capacity is allocated even if the services are not configured. These parameters cannot
be changed by the administrator.

Default RAID Configuration


(continued)
Software RAID devices:
DEVICE NAME   TYPE     STATUS             PHYSICAL DEVICES AND STATUS
/dev/md0      RAID-1   NORMAL OPERATION   disk00/00[GOOD]   disk01/00[GOOD]
/dev/md1      RAID-1   NORMAL OPERATION   disk00/01[GOOD]   disk01/01[GOOD]
/dev/md2      RAID-1   NORMAL OPERATION   disk00/02[GOOD]   disk01/02[GOOD]
/dev/md3      RAID-1   NORMAL OPERATION   disk00/03[GOOD]   disk01/03[GOOD]
/dev/md4      RAID-1   NORMAL OPERATION   disk00/04[GOOD]   disk01/04[GOOD]
/dev/md5      RAID-1   NORMAL OPERATION   disk00/05[GOOD]   disk01/05[GOOD]
/dev/md6      RAID-1   NORMAL OPERATION   disk00/06[GOOD]   disk01/06[GOOD]

This section shows the RAID configuration of each file system.

The show disk details command also shows the redundant array of inexpensive disks (RAID)
configuration of each of the file systems as well as the status for each.


WAE Domain Integration via the CLI


Integrating a WAE into a Microsoft domain for the purposes of
centralized authentication or CIFS server disconnected mode of
operation requires configuration of the following items:
WAE NetBIOS name
Windows workgroup or domain name
Windows domain controller IP address
WINS server IP address (optional)

Following configuration, a command must be executed to join the
WAE into the domain using the supplied configuration parameters.
Note: WAE clocks must be synchronized (within 5 minutes) with the Domain
Controller if integrating into Windows domains. Forward and reverse lookup
information MUST be configured within DNS.

The following commands can be used to configure a WAE to integrate into a domain via the
CLI. This approach is not typically recommended, as Central Manager or the local GUI are
preferred for accomplishing these tasks.
Note: Windows domain integration is only necessary when configuring Active Directory
authentication for Cisco WAAS management or when configuring CIFS server disconnected
mode.

The following commands are global parameters that must be applied when configuring domain
integration from the CLI:
waas-cm#conf t
waas-cm(config)#windows-domain netbios-name "WAAS-CM"
waas-cm(config)#windows-domain workgroup "DOMAIN-NAME"
waas-cm(config)#windows-domain wins-server 10.10.10.100
waas-cm(config)#windows-domain password-server 10.10.10.100

Note: Changing settings using the windows-domain command can cause updates to internal
configuration files. The results of these updates are displayed in the console.

The following commands are required when using Kerberos:


waas-cm(config)#kerberos local-realm domain-name.com
waas-cm(config)#kerberos realm domain-name.com domain-name.com
waas-cm(config)#kerberos server domain-name.com server.domain-name.com
port 88

Use the following syntax to join a domain from the CLI using NT LAN Manager version 1
(NTLMv1):
waas-cm#windows-domain diag net "join -S server -U administrator%password"


Where:

Joined domain is DOMAIN-NAME.

administrator%password is the credential needed to join the domain.

Use the following syntax to join a domain from the CLI using NTLMv2:
waas-cm#windows-domain diag net "rpc join -S server -U administrator%password"

Where:

Joined domain is DOMAIN-NAME.

administrator%password is the credential needed to join the domain.

Use the following syntax to join a domain from the CLI using Kerberos:
waas-cm#windows-domain diag net "ads join -S server -U administrator%password"
Where:

Joined domain is DOMAIN-NAME.

administrator%password is the credential needed to join the domain.

The following commands might be required if the domain controller operating system version
is Windows 2000 Service Pack 4 or later, or Windows 2003 Service Pack 1 or later:
waas-cm#conf t
waas-cm(config)#smb-conf section global name "client schannel" value
"no"
waas-cm(config)#exit
waas-cm#windows-domain diag wbinfo "--set-authuser=administrator%password"
waas-cm#service restart winbindd

Where:

administrator%password is the name of the account used to join the domain, and the
password to be used with this account.

Note: WAE time must be within five minutes of the domain controller time for Windows integration
to be successful. Also, forward and reverse lookup entries must be created within the DNS,
or Windows integration and authentication fails to complete successfully.

Windows Domain Command Reference


The windows-domain diagnostics command in the WAE CLI provides
a set of powerful tools for integrating a WAE into a Windows domain
environment.
This command is used for the following purposes:
Troubleshooting NetBIOS name resolution and browsing
Integrating into the Microsoft domain
Inspecting domain integration status
Browsing the network neighborhood
Managing the winbindd service

A full reference for using this command can be obtained by issuing
the following command:
WAE# windows-domain diagnostics (command) --help

Following are useful help references for the most commonly used options of the windows-domain
diagnostics command.
edge-WAE#windows-domain diagnostics ?

Options include:

findsmb: Utility for troubleshooting netbios name resolution and browsing

getent: Utility to get unified list of both local and Primary Domain Controller (PDC) users
and groups

net: Utility for administration of remote CIFS servers

nmblookup: Utility for troubleshooting netbios name resolution and browsing

smbclient: Utility for troubleshooting the windows environment and integration

smbstatus: Utility for inspecting the server status, connected clients, and related
components

smbtree: Utility for inspecting the Windows network neighborhood structure and content

tdb-list: Utility to list the database files

tdb-move: Utility to move the database files

tdbbackup: Utility for backing up, verifying, and restoring database files

tdbdump: Utility for inspecting the database files

testparm: Utility to validate smb.conf correctness

wbinfo: Utility for winbind and domain integration troubleshooting

Use the following command to view common options:


edge-WAE#win diag net --help


No command: /usr/bin/net

net time: Option to view or set time information


net lookup: Option to lookup hostname or IP address

net user: Option to manage users

net group: Option to manage groups

net groupmap: Option to manage group mappings

net join: Option to join a domain

net cache: Option to operate on cache tdb file

net getlocalsid [NAME]: Option to get the service ID (SID) for local name

net setlocalsid SID: Option to set the local domain SID

net changesecretpw: Option to change the machine password in the local secrets database
only; requires the -f flag as a safety barrier

net status: Option to show server status

net usersidlist: Option to get a list of all users and their SIDs

Use the following syntax to access different command modes:

net ads <command>: Request to run Active Directory Service (ADS) commands

net rap <command>: Request to run pre-remote procedure call (RPC) rooftop access point
(RAP) commands

net rpc <command>: Request to run RPC commands

Enter net help <option> to get more information on that option.


Choose one of the following targets (none defaults to localhost):

-S or --server=<server>: Target server name

-I or --ipaddress=<ipaddr>: Target address of target server

-w or --workgroup=<wg>: Target workgroup or domain

Valid miscellaneous options include the following:

-p or --port=<port>: Option to define connection port on target

-W or --myworkgroup=<wg>: Option to define client workgroup

-d or --debuglevel=<level>: Option to define debug level (0-10)

-n or --myname=<name>: Option to define client name

-U or --user=<name>: Option to define user name

-s or --configfile=<path>: Option to define pathname of smb.conf file

-l or --long: Option to display full information

-V or --version: Option to print samba version information

-P or --machine-pass: Option to authenticate as machine account


Saving the WAE CLI Configuration


Common CLI configuration commands include the following:
wafs30-edge(config)# exit
wafs30-edge# copy running-config startup-config
wafs30-edge# copy running-config tftp (ipaddr) (filename)

These commands are required to save the configuration for the
next system bootup. The configuration is also saved to the TFTP server.
If file and print services are configured on the WAE, it is strongly recommended
that the device GUI backup function be used.

It is recommended that all WAE configuration changes be saved. Use the copy running-config
startup-config command for this purpose.
The copy command allows you to copy from many sources to many destinations. Valid sources
include those shown in the following command syntax reference:
edge-wae#copy ?

Options include:

cdrom: Copy file from cdrom

compactflash: Copy file from compactflash card

disk: Copy configuration or file from disk

ftp: Copy file from ftp server

http: Copy file from http server

running-config: Copy from current system configuration

startup-config: Copy from startup configuration

system-status: Copy system status for debugging reference

tech-support: System information for technical support

tftp: Copy image from tftp server

Valid destinations are based on the source. The following descriptions identify valid
destinations for each source:
edge-wae#copy cdrom ?

Options include:

install: Install software release file

edge-wae#copy http ?

Options include:

install: Install software release file

edge-wae#copy compactflash ?
Options include:

install: Install software release file

edge-wae#copy disk ?

Options include:

ftp: Copy a disk file to ftp server

startup-config: Copy configuration from disk to Startup (NVRAM) Config

edge-wae#copy ftp ?

Options include:

disk: To disk

install: Install software release file

edge-wae#copy http ?

Options include:

install: Install software release file

edge-wae#copy running-config ?

Options include:

disk: Copy configuration to disk

startup-config: Copy to startup configuration

tftp: Copy configuration to TFTP Server

edge-wae#copy startup-config ?

Options include:

disk: Copy configuration to disk

running-config: Copy configuration to running-config(merge)

tftp: Copy configuration to TFTP Server

edge-wae#copy system-status ?

Options include:

disk: Copy system-status to disk

edge-wae#copy tech-support ?

Options include:

disk: Copy to disk

tftp: Copy configuration to TFTP Server

edge-wae#copy tftp ?

Options include:

disk: To disk

running-config: To running-config (merge)

startup-config: To startup-config

Note: As the copy command only captures the CLI running-config or startup-config, the GUI
backup mechanism should be used if Wide Area File Services (WAFS) or print services are
configured.

WAE CLI Configuration Restore


To copy the WAE running configuration or startup
configuration from a network location, use the following
command:
WAE# copy (ftp | tftp) (running-config | startup-config) (ipaddr) (filename)

If file and print services are configured on the WAE, it is strongly
recommended that the device GUI restore function be used instead.

The running-config or startup-config can also be recovered from an FTP or TFTP server. If
WAFS or print services are configured on the WAE, and the GUI backup procedure was used,
use the GUI restore procedure instead.


Rebooting the WAE


The WAE can be rebooted by using this command
sequence:
waas-cm# reload
Proceed with reload?[confirm]yes
Shutting down all services, will timeout in 15 minutes.
reload in progress ..


The WAE can be rebooted by using the reload command. The WAE can be shut down by
using the following command:
edge-wae#shutdown ?

Options include:

poweroff: An option to power-off after shutdown

The WAE boot sequence also allows you to enter the BIOS to configure power-on behavior.


The WAE Device GUI


This topic explains how to access the device GUI, and describes the functional components of
the device GUI.

WAE Device GUI


Each WAE also has a device GUI, accessible via a
browser directly, or through Central Manager:
https://(WAE_IP_address):8443/mgr

The device GUI is used to access the following:


Configuration of file and print services
Configuration backup
Logs
Graphs
System Reports


The WAE device GUI provides access to device-specific configuration, reporting, monitoring,
and control functions. The device GUI allows you to back up configurations, restore
configurations, view logs and graphs, create and view system reports, and control system
services. The default credentials for accessing the device GUI directly (not needed if accessing
the device GUI from the Central Manager) are:

username = admin

password = default

Note

The WAE device GUI is secured using HTTPS. You must use HTTPS and not HTTP.

WAE Device GUI Orientation

Figure: screenshot of the WAE device GUI with callouts for device functions, service-specific
functions, current location, workspace tabs, workspace, Logout, and Help.

The WAE GUI provides a taskbar on the left, which groups device functions and services. In
this example, two groupings are available: one for device functions called Cisco WAE and one
for service functions called WAFS Edge. If this WAE were a WAFS Core device, you would
see a third grouping called WAFS Core.
The current location within the GUI is shown at the top of the window. A help button is located
at the top right of the window. The workspace area displays information that is relevant to the
device function that is currently in view.


Configuring SMTP Notifications


Using the WAE device GUI, Cisco WAAS can be configured to send Simple Mail Transfer
Protocol (SMTP) email notifications when a notification or error message is generated due to
a system condition. To configure SMTP notifications, from the WAE Device GUI choose
Cisco WAE > Configuration > Notifier and supply the following data:

E-mail address: The email address that emails should be sent to

Mail server host name: The SMTP server that the WAE should connect to

Time period: The frequency at which the WAE sends notifications

Notify level: The minimum severity level for notifications to generate an SMTP email alert

Mail server port: The TCP port that the SMTP server uses

Login to server: Check this box if the server requires user authentication

Server user name: Supply only if SMTP server authentication is required; the username
that the WAE should authenticate using

Server password: Supply only if SMTP server authentication is required; the password for
the defined username that the WAE should authenticate with

From: The text that should appear in the From line when the recipient receives email
notification of a WAE alert

Subject: The text that should appear in the Subject line when the recipient receives email
notification of a WAE alert

The SNMP notification level can also be set from this page. This level defines the minimum
severity level of messages that trigger the WAE to send SNMP traps when events are
encountered.


Cisco WAE System Report


The WAE system report is a helpful tool for troubleshooting problems with the WAE. By
choosing Cisco WAE > Utilities > Support, an administrator can generate a full system report
(all logs) or a filtered system report (date range). The WAE compiles the system report and
compresses it into a file that can be downloaded through the browser.
The system report contains the following information:

Command output: From commands such as show tech-support, show statistics tfo
connection, and others

Platform configuration: Internal configuration files for networking, routing, services, and
disk configuration

Platform state: Including memory consumption, CPU utilization, devices, file systems,
and partitions

Print services: Including SAMBA configuration and logs, Common Unix Printing System
(CUPS) configuration and logs

Authentication: Authentication configuration and logs

Internal services logs: Including web server (management), external packet memory
(EPM) error logs, compression, interception, and TCP proxy error logs

CIFS acceleration: Configuration files and service logs for Edge service, Core service,
preposition, manager, watchdog, and other utilities

Central management: Configuration files and service logs for local central management
(LCM) and audit logs for configuration changes

Syslog

The WAE CLI can also be used to generate a system report. The system report can then be
copied off of the WAE:
EDGE1#copy sysreport disk WAE start-date December 10 2006 end-date December 2006
Generating sysreport ...
Successfully generated sysreport as WAE.tar.gz
EDGE1#dir WAE.*
size time of last change name
-------------- ------------------------- ----------
9264850 Sat Dec 16 23:03:40 2006 /local1/WAE.tar.gz
EDGE1#copy disk ftp 10.10.10.100 / WAE.tar.gz WAE.tar.gz
Enter username for remote ftp server: administrator
Enter password for remote ftp server:
Initiating FTP upload...
Sending: USER administrator
Microsoft FTP Service
Password required for administrator.
Sending: PASS ********
User administrator logged in.
Sending: TYPE I
Type set to I.
Sending: PASV
Entering Passive Mode (10,10,10,100,44,36).
Sending: CWD /
CWD command successful.
Sending PASV
Entering Passive Mode (10,10,10,100,44,37).
Sending: STOR WAE.tar.gz
Data connection already open; Transfer starting.
Transfer complete.
Sent 9264850 bytes
EDGE1#

Note

Cisco WAE system reports can be very large in size, in many cases over 10 MB.

Monitoring WAE CPU Utilization


The WAE CPU utilization can be graphed from the device GUI by choosing Cisco WAE >
Monitoring, and selecting CPU Utilization. The graphs that appear chart the WAE CPU
utilization over the timespan of:

Last day (using a five-minute average)

Last week (using a 30-minute average)

Last month (using a two-hour average)

Last year (using a daily average)

The WAE CLI can also be used to see the real-time CPU utilization:
EDGE1#sh proc
CPU average usage since last reboot:
cpu: 0.56% User, 3.06% System, 8.75% User(nice), 87.63% Idle
-------------------------------------------------------------------
PID STATE PRI User T SYS T COMMAND
----- ----- --- ------ ------ -------------------
1 S 0 588 548 (init)
2 S 0 0 0 (migration/0)
3 S 19 0 0 (ksoftirqd/0)
4 S -10 0 0 (events/0)


Monitoring WAE Disk Utilization


The WAE GUI can also graph the disk utilization by choosing Cisco WAE > Monitoring, and
selecting Disk Utilization. After you click View, a graph appears showing the disk utilization
characteristics of the WAE. The CLI command show disks details also provides real-time
utilization data for each file system.


WAE Full Configuration Backup


The WAE device GUI provides a backup and restore facility that includes all relevant WAE
configuration information, including file and print information:

Choose Cisco WAE > Control > Backup.

The backup is downloaded via HTTP from the WAE.

To back up the full WAE configuration, open the device GUI and choose Cisco WAE >
Control > Backup. The WAE zips the configuration and state files to be saved, and downloads
this file through the browser.


WAE Full Configuration Restore


The restore function of the WAE GUI provides restore capabilities for full WAE configuration,
including file and print services.

Note that a configuration restore forces a WAE reboot.

The GUI also provides a restore configuration function.


Note

Configuration files are version specific. A backup from one version cannot be restored to a
WAE running a different version of the configuration.

Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
The WAE primary interface defines which interface should be used for management traffic and
must be configured.

One of two device modes must be specified on each Cisco WAE in the WAAS topology:
application accelerator or Central Manager.

WCCPv2 configuration includes service group definition, router-list configuration, and
redirection configuration.

PBR configuration includes access list configuration, route map definition, and optionally,
availability verification using IP SLAs.

The WAE CLI enables configuration of many items, including interface channeling, SNMP,
syslog, authentication, and NTP.

The Cisco WAE Device GUI provides a device-specific interface for controlling services,
performing configuration backup and restore, and examining device log files.

Lesson 2

Configuring Traffic Interception


Overview
This lesson explains how to configure traffic interception on the network and the Wide Area
Application Engine (WAE) device using physical inline cards, Web Cache Communication
Protocol version 2 (WCCPv2), Policy-Based Routing (PBR), or Application Control Engine
(ACE) line cards for the Catalyst 6500 series switch.

Objectives
Upon completing this lesson, you will be able to explain how to configure traffic interception
using physical inline deployment, WCCPv2, PBR, and ACE. This includes being able to meet
these objectives:

Describe the configuration of the inline interception card within the WAE appliance

Describe the process of configuring WCCPv2 on the WAE and on the network router or
switch

Describe the configuration of PBR on the WAE and on the network router or switch

Describe the configuration of the ACE module to provide data center interception for Cisco
WAAS

Configuring Inline Interception


This topic explains how to configure inline interception for Cisco Wide Area Application
Services (WAAS).

WAE Inline Card - Ports and Groups


Figure: NME-WAE Inline Adapter, with its ports labeled as follows:

WAN1: Interface InlinePort1/1/WAN (member of Interface InlineGroup1/1)
LAN1: Interface InlinePort1/1/LAN (member of Interface InlineGroup1/1)
WAN0: Interface InlinePort1/0/WAN (member of Interface InlineGroup1/0)
LAN0: Interface InlinePort1/0/LAN (member of Interface InlineGroup1/0)

WAE appliances can be configured for in-path operation, whereby the appliance is deployed
physically between two network devices such as the branch office router and branch office LAN
switch. Such configurations require that the WAE appliance be configured with the 4-port WAE
inline card, shown here.
The 4-port WAE inline card provides fail-to-wire functionality, that is, any software, hardware,
or power failure causes the card to automatically bridge the two ports within each port group
together. In a fail-to-wire state, the inline card acts as a wire, thereby ensuring that a failure of
any kind does not prevent traffic from going into or out of the network. In normal operating
mode, traffic passes through the card, and the card forwards packets to be optimized up to the
Cisco WAAS software.
The 4-port WAE inline card has four ports, which are divided into two groups. Each 2-port
inline group represents a pair of ports that are associated with one another. Traffic entering one
port of the inline group always exits through the other port in the same group. One of the ports
is labeled LAN and the other is labeled WAN, which defines which device the port should be
connected to. LAN ports should be connected in a LAN-facing fashion (that is, toward end
nodes attached to the LAN) and the WAN ports should be connected facing the WAN (that is,
toward the edge WAN router). Given that the inline card has four ports split into two inline
groups, the WAE can sit physically inline between two distinct network paths, that is,
redundant WAN links.


Inline Configuration Overview


Figure: Cisco WAE inline card and management interface, labeled as follows:

InlineGroup1/0: InlinePort1/0/LAN (no IP address) and InlinePort1/0/WAN (no IP address)
InlineGroup1/1: InlinePort1/1/LAN (no IP address) and InlinePort1/1/WAN (no IP address)
GigabitEthernet1/0: ip address x.x.x.x, management interface, attached to the IP network

The inline card for the WAE appliance has four 10/100/1000 autosensing copper Ethernet
interfaces. The interfaces are labeled LAN0, WAN0, LAN1, and WAN1, and are split into two
port groups where each interface with the same trailing number is a member of the same group.
These inline groups define inline port pairs, whereby traffic entering one interface exits the
other interface in the same inline group. Should an inline group go into bypass mode
(fail-to-wire), traffic entering an interface would be immediately passed to the other interface. IP
addresses are not assigned to inline card ports. The LAN port within the inline group connects
to the LAN, and the WAN port within the inline group connects to the WAN router (or next
upstream device, such as a firewall). The WAE must have one of the standard interfaces (not
from the inline card) attached to the LAN for management purposes (for instance,
GigabitEthernet1/0 or GigabitEthernet2/0).
Inline interception is compatible with any interception mechanism being used in other remote
sites. For instance, some remote sites could use inline interception, whereas others might be
using WCCPv2. Configuring inline interception on a WAE, though, requires that WCCPv2 be
explicitly disabled on that WAE.


Verify Inline Card


EDGE1# sh hardware
Cisco Wide Area Application Services Software (WAAS)
Copyright (c) 1999-2006 by Cisco Systems, Inc.
Cisco Wide Area Application Services Software Release 4.0.5
Version: wae512-4.0.5
Total 1 CPU.
1024 Mbytes of Physical memory.
1 CD ROM drive (CD-224E)
2 GigabitEthernet interfaces
2 InlineGroup interfaces.
1 Console interface
2 USB interfaces [Not supported in this version of software]
Manufactured As: WAE-511-K9
[8836PCC]

Slide notes:

sh hardware: Display the hardware configuration of the WAE.

2 InlineGroup interfaces: The inline card is inserted, recognized by the WAE, and ready for
configuration.

The show hardware command displays the hardware configuration of the WAE. If the inline
card is inserted and recognized by the Cisco WAAS software, two InlineGroup interfaces
appear in the hardware inventory.


Inline Card Configuration


EDGE1#conf t
EDGE1(config)#no wccp version 2
EDGE1(config)#interface ?
FibreChannel      Select a fibre channel interface to configure
GigabitEthernet   Select a gigabit ethernet interface to configure
InlineGroup       Select an inline group interface to configure
InlinePort        Select an inline port interface to configure
PortChannel       Ethernet Channel of interfaces
Standby           Standby groups
EDGE1(config)#interface inlinegroup ?
<1-4>/            Slot number
EDGE1(config)#interface inlinegroup 1/?
<0-1>             Group number
EDGE1(config)#interface inlinegroup 1/0
EDGE1(config-if)#

Slide notes:

no wccp version 2: WCCPv2 must be disabled for inline interfaces to be configured and
operational.

InlineGroup: Used to configure the group of inline ports.

InlinePort: Used to configure a specific port within an inline group.

Before configuring inline interception on the WAE, ensure that WCCPv2 is explicitly disabled
on that WAE. To configure the inline interception card, enter global configuration mode
(config t) and then enter the inlinegroup interface configuration mode (interface
inlinegroup<slot>/<pair>). Only one inline card can be installed in a WAE appliance.


Inline Group Configuration


EDGE1(config)#interface inlinegroup 1/0
EDGE1(config-if)#?
exit        Exit from this submode
failover    Modify failover parameters
inline      Enable or Disable inline interception
no          Negate a command or set its defaults
shutdown    Put the inline interface in passthrough mode
EDGE1(config-if)#inline ?
vlan        Specify vlan list
<cr>
EDGE1(config-if)#inline vlan ?
all         All vlans
native      Native vlan
WORD        Comma separated list of vlan id ranges
EDGE1(config-if)#inline vlan all
EDGE1(config-if)#failover ?
timeout     Specify time to transition to fail-to-wire
EDGE1(config-if)#failover timeout ?
<1-1>       1 second
<3-3>       3 seconds
<5-5>       5 seconds
EDGE1(config-if)#failover timeout 3
EDGE1(config-if)#no shutdown

Slide notes:

inline vlan: Specify which VLANs to perform inline interception against. Default is all VLANs.

failover timeout: Specify the amount of time before fail-to-wire is engaged upon detection of a
failure. Default is 3 seconds.

no shutdown: Enable the inline interface group. Enables interception.

To configure an inline group, enter the inline group interface configuration mode. From here,
the administrator can enable the inline group, specify the failover timer, and define the VLANs
that should be intercepted.


Inline Port Configuration


EDGE1(config)#interface inlineport 1/0/LAN
EDGE1(config-if)#?
autosense     Interface autosense
bandwidth     Interface bandwidth
exit          Exit from this submode
full-duplex   Interface fullduplex
half-duplex   Interface halfduplex
no            Negate a command or set its defaults

Slide notes:

interface inlineport 1/0/LAN: Specify which interface in the inline group to configure (LAN vs.
WAN).

autosense, bandwidth, full-duplex, half-duplex: Specify bandwidth and duplex settings for the
interface. Default is autosense.

Ports within an inline group are by default autosensing. To statically set inline group port
parameters, enter the inline group port interface configuration mode. From here, the duplex and
bandwidth for an interface can be configured. These interfaces cannot be explicitly enabled or
disabled (no shut or shut), as this is controlled by the inline group.


Verify Inline Interception


EDGE1#sh interface inlinegroup 1/0
Interface is in intercept operating mode.
Standard NIC mode is off.
Disable bypass mode is off.
Watchdog timer is enabled.
Timer frequency: 3200 ms.
Autoreset frequency 1500 ms.
The watchdog timer will expire in 2054 ms.
EDGE1#sh int inlineport 1/0/LAN
Device name: eth4. Bypass master interface.
Packet counters: 2701 received 867 intercepted 1834 bridged
678 forwarded 0 dropped.
0 inline pkt received on native.
0 flows enter through this interface.
EDGE1#sh int inlineport 1/0/WAN
Device name: eth5. Bypass slave interface.
Packet counters: 11345 received 6791 intercepted 4553 bridged
11416 forwarded 1 dropped.
0 inline pkt received on native.
42 flows enter through this interface.

Slide notes:

Interface is in intercept operating mode: Verify inline interception. Intercept or bypass operating
modes.

Watchdog timer: Examine watchdog timer statistics.

Device name: Device name helpful in case use of tethereal or tcpdump with interface filtering is
required.

Packet counters: Validate that packets are traversing the inline group and are being intercepted
or bridged.

To verify that inline interception is working, use the following commands:

show interface inlinegroup <slot/group>: This command displays whether the inline
group is in bypass or intercept mode. Bypass mode is when the inline group is simply
sending received traffic immediately out the other interface in the inline group. Intercept
mode is when the inline group is receiving incoming packets and handing them off to Cisco
WAAS for optimization. This command also shows the watchdog timer statistics and
configuration.

show interface inlineport <slot/group/(LAN | WAN)>: This command displays details
about an individual port within an inline group including the physical device name (helpful
when filtering traffic to capture when using tethereal or tcpdump), and packet counters.
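The two verification commands above lend themselves to an automated health check. The following Python sketch is an added example, not part of the course material: it parses the command output shown on the slide and flags an inline group that is not intercepting. The exact wording the WAE prints in bypass mode is not shown on this page, so any mode other than "intercept" is treated as a finding; the function names and the max_dropped threshold are assumptions.

```python
import re

# Command output as shown on the "Verify Inline Interception" slide.
GROUP_OUTPUT = """\
Interface is in intercept operating mode.
Standard NIC mode is off.
Disable bypass mode is off.
Watchdog timer is enabled.
Timer frequency: 3200 ms.
Autoreset frequency 1500 ms.
The watchdog timer will expire in 2054 ms.
"""
LAN_PORT_OUTPUT = """\
Device name: eth4. Bypass master interface.
Packet counters: 2701 received 867 intercepted 1834 bridged
678 forwarded 0 dropped.
0 inline pkt received on native.
0 flows enter through this interface.
"""
WAN_PORT_OUTPUT = """\
Device name: eth5. Bypass slave interface.
Packet counters: 11345 received 6791 intercepted 4553 bridged
11416 forwarded 1 dropped.
0 inline pkt received on native.
42 flows enter through this interface.
"""
COUNTER = re.compile(r"(\d+) (received|intercepted|bridged|forwarded|dropped)")


def parse_inline_group(text):
    """Extract operating mode and watchdog state from 'show interface inlinegroup'."""
    mode = re.search(r"Interface is in (\w+) operating mode", text)
    watchdog = re.search(r"Watchdog timer is (\w+)", text)
    return {
        "mode": mode.group(1) if mode else None,
        "watchdog": watchdog.group(1) if watchdog else None,
    }


def parse_inline_port(text):
    """Extract device name, packet counters and flow count from 'show interface inlineport'."""
    flat = " ".join(text.split())  # the counter line wraps in the CLI output
    device = re.search(r"Device name: (\w+)\.", flat)
    flows = re.search(r"(\d+) flows enter", flat)
    port = {name: int(value) for value, name in COUNTER.findall(flat)}
    port["device"] = device.group(1) if device else None
    port["flows"] = int(flows.group(1)) if flows else 0
    return port


def assess(group, ports, max_dropped=0):
    """Return findings for one inline group; ports maps a label to parsed counters."""
    findings = []
    # Assumption: anything other than "intercept" means traffic is not optimized.
    if group["mode"] != "intercept":
        findings.append(f"group is in {group['mode']} mode: traffic is bridged, "
                        "not handed to WAAS")
    for label, port in ports.items():
        received = port.get("received", 0)
        if received and port.get("intercepted", 0) == 0:
            findings.append(f"{label} ({port['device']}): {received} packets "
                            "received, none intercepted")
        if port.get("dropped", 0) > max_dropped:
            findings.append(f"{label} ({port['device']}): "
                            f"{port['dropped']} packets dropped")
    return findings


if __name__ == "__main__":
    group = parse_inline_group(GROUP_OUTPUT)
    ports = {"LAN": parse_inline_port(LAN_PORT_OUTPUT),
             "WAN": parse_inline_port(WAN_PORT_OUTPUT)}
    for finding in assess(group, ports):
        print(finding)
```

The device name returned by parse_inline_port (eth4 or eth5 in the sample) is the value to use as the interface filter for tethereal or tcpdump.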


Verifying Inline Interception

Figure: inline card faceplate showing ports WAN1, LAN1, WAN0, and LAN0 and their LEDs.

LEDs            State             Description
Link/Activity   ON                The interface is receiving power.
                Blinking          The interface is receiving and transmitting data.
100             ON                The speed of the interface is set to 100 Mbps.
1000            ON                The speed of the interface is set to 1000 Mbps.
Bypass          100 and 1000 ON   The interface pair is operating in bypass (fail-to-wire) mode.

The figure shows how to interpret the LED status indicators on the WAE inline card.


Configuring WCCPv2
This topic explains how to configure WCCPv2 on the WAE and on the network router or
switch to function as the network interception and redirection mechanism.

WCCPv2 Configuration Overview


Figure: router attached to the 10.10.10.0/24 user subnet, the IP network, and the WAE, labeled
as follows:

Gi0/0.10 (subinterface, ingress interface): Redirect in, service group 61
Serial0 (WAN interface): Redirect in, service group 62
Gi0/0.11: interface toward the WAE
WAE: TCP promiscuous, registers with Router1

Enabling WCCPv2 requires configuration changes to the network boundary router or switch as
well as to the WAE. Remember that the WAE optimization interface must be deployed on a
VLAN or physical interface that is separate from the nodes to be optimized.
In this example, the WAE is deployed in an off-router, one-arm mode, meaning that the WAE
is attached to a VLAN on the LAN switch that is separate from the users, and shared only with
the border router, and the subnet is routable throughout the enterprise. Note that WCCPv2
interception is configured twice per router; once for service group 61 and again for service
group 62. In this example, ingress redirection is used, which means that there is no need to use
the redirect exclude command on the router interface that is adjacent to the WAE because this
command is only necessary when egress redirection is configured.
Note

WAE appliances configured with the inline card must have inline interception disabled.
Otherwise, WCCPv2 is not configurable. Network module enhanced (NME) WAE devices
rely on WCCPv2 for interception, but can alternatively be configured to use PBR.

WCCPv2 Configurations
Figure: six numbered router configurations, each with a LAN and a WAN interface, showing
where the 61 in, 61 out, 62 in, 62 out, and redirect exclude statements are applied.

This slide shows the possible WCCPv2 configurations that can be achieved with Cisco WAAS.
Situations 1 and 2 are the easiest to use and incur the least amount of overhead on the router.
Situations 3 through 6 are used if interception can only be performed on one interface, but this
approach requires the use of the redirect exclude command on the WAE interface and egress
redirection for one of the service groups. These configurations are common in service isolation
mode, whereby it is desirable to wholly contain WCCP interception to a single interface.
Configurations using egress interception only (that is, 61/out and 62/out, regardless of interface
configuration) are not recommended.
Situations 5 and 6 are common if configuration cannot be performed on the LAN interface, or
if the router has a single WAN interface and multiple LAN interfaces. This approach, and any
other configuration that uses egress redirection, requires use of the ip wccp redirect exclude in
command on the interface adjacent to the WAE.
For environments where WCCP is configured on a LAN switch, WCCP can only be configured
on Layer 3 interfaces; for example, on switch virtual interfaces (SVIs). With WCCP
configuration using SVIs, only one of the two WCCP service groups should be configured on
an SVI. In most cases, one service group is configured on the SVI adjacent to the clients or
servers, and the other is configured on the SVI adjacent to the WAN connection.
Note

Service groups determine how the router load-balances traffic, and placement of services
should be considered in sites where multiple WAEs are present. Service group 61
load-balances based on source-IP, and service group 62 load-balances based on destination-IP.
Be sure to use a load-balancing scheme that allows for all of the WAEs to be used
effectively.

Configuring WCCPv2
The WAE configuration process involves the following:
1. Enabling WCCPv2
2. Defining the list of routers to register against
3. Registering with the routers as a TCP promiscuous device

The router configuration process involves the following:


1. Enabling Cisco Express Forwarding (optional)
2. Enabling WCCPv2
3. Specifying the service groups to support
4. Configuring redirection on the appropriate interfaces


WCCPv2 is easily configured on the WAE (appliance or NME-WAE) and the router. WAE
configuration involves three steps:
Step 1  Enable WCCP and specify version 2.

Step 2  Define the list of routers to register against.

Step 3  Register with the routers as a TCP promiscuous device, using service groups 61 and 62.

Router configuration involves four steps. Three steps are required, and one is optional:

Step 1  Enable Cisco Express Forwarding (CEF) (optional but recommended).

Step 2  Enable WCCP and specify version 2.

Step 3  Define the service groups that the router is to support.

Step 4  Configure redirection on the appropriate interfaces.

WCCPv2 also provides the following advanced capabilities:

Filtering redirection traffic based on access list

Filtering group membership based on access list

Controlling group membership through passwords

Using multicast to support a larger number of WAEs and routers

Changing the assignment method

WCCPv2 Configuration: WAE


WAE# config t
WAE(config)# wccp version 2
WAE(config)# wccp router-list 1 1.1.1.1
WAE(config)# wccp tcp-promiscuous router-list 1

Slide notes:

wccp version 2: This command enables WCCPv2. Version 2 is required to support the TCP
promiscuous service groups.

wccp router-list 1 1.1.1.1: This command specifies a router list with a unique identifier of 1,
thus defining the IP addresses of each of the routers that are referenced by the list. Up to four
routers can be specified here. All routers must be reachable via the WAE optimization interface.

wccp tcp-promiscuous router-list 1: This command specifies that the WAE should register as a
TCP promiscuous device with each of the routers listed in router list number 1. TCP
promiscuous represents WCCPv2 service groups 61 and 62.

Execute the commands shown in this figure to configure WCCPv2 on a WAE. Note that these
commands are issued from global configuration mode.
The wccp router-list command allows for the definition of up to four routers. If more than four
routers are needed, use multicast.


WCCPv2 Configuration: Router


2811# config term
2811(config)# ip cef
2811(config)# ip wccp version 2
2811(config)# ip wccp 61
2811(config)# ip wccp 62

Slide notes:

ip cef: This command enables CEF. It is recommended that CEF be enabled on any router
where WCCPv2 is configured.

ip wccp version 2: This command enables WCCP version 2. Version 2 is required to support
the TCP promiscuous service groups used by WAAS.

ip wccp 61 and ip wccp 62: This command enables support for service group 61 and 62, which
are the service group numbers used by TCP promiscuous service groups on the Cisco WAE:
61: All TCP traffic, balanced by src-ip
62: All TCP traffic, balanced by dst-ip

Execute the commands shown in this figure on the router to enable CEF, WCCPv2, and support
for service group numbers 61 and 62. These commands are issued from global configuration
mode.


WCCPv2 Configuration: Router (Cont.)


2811(config)# interface GigabitEthernet0/0.10
2811(config-if)# ip wccp 61 redirect in
2811(config-if)# interface Serial0
2811(config-if)# ip wccp 62 redirect in

Slide notes:

ip wccp 61 redirect in: This command specifies that inbound redirection for service group 61 is
to be applied to the user access VLAN.

ip wccp 62 redirect in: This command specifies that inbound redirection for service group 62 is
to be applied to the WAN interface.

Next, enter interface configuration mode for each of the interfaces where redirection is to be
performed, and apply the appropriate redirection statements. Make sure that one service group
is present in one direction of traffic flow, and that the other service group is present in the
opposite direction of traffic flow.


WCCPv2 Configuration: Router (Cont.)


Redirection configuration using inbound redirection is most common and is also recommended.

In cases where outbound redirection is required, an additional statement must be applied to the
interface or subinterface where the WAE is connected.

2811(config-if)# interface GigabitEthernet0/0.11
2811(config-if)# ip wccp redirect exclude in

These elements are to be configured on the router WAE VLAN interface. These commands
specify that any packets received on this interface are not candidates for redirection when
leaving another interface.

In any situation where egress redirection is used, the command shown in this figure must be
issued on the router interface that is adjacent to the WAE. The ip wccp redirect exclude in
command ensures that packets received on the interface are not redirected again. This
command prevents an optimized packet from being rerouted directly back to the WAE. Instead,
the router sees the packet coming in and forwards it normally, and WCCP is bypassed for
packets received on that interface.

Configuring PBR
This topic explains how to configure PBR as a network interception and redirection mechanism
for Cisco WAAS.

PBR Configuration Overview

[Figure: branch router connecting the 10.10.10.0/24 network to the IP network, with
interfaces Gi0/0.10, Gi0/0.11, and Serial0]
Gi0/0.10 (subinterface, ingress interface): interesting traffic = anything from 10.10.10.0/24;
IP next-hop 1.1.1.1 (WAE)
Serial0 (egress interface): interesting traffic = anything to 10.10.10.0/24;
IP next-hop 1.1.1.1 (WAE)

Enabling PBR requires configuration changes to the network boundary router, but not to the
WAE. PBR is recommended only in situations where WCCPv2 is absolutely not an
interception option. Remember that the WAE optimization interface must be deployed on a
VLAN or physical interface that is separate from the nodes where traffic is to be optimized.
When configuring PBR, the WAAS Transport Flow Optimization (TFO) TCP maximum
segment size (MSS) can be increased from the default value, because generic routing
encapsulation (GRE) is not used as it would be when WCCPv2 is used
for network interception. This step is optional but recommended, as it can provide a slight
performance improvement.
Use the following commands on each WAE where PBR is used for interception:
WAE# configure
WAE(config)# tfo tcp original-mss 1460

Be sure to save the WAE configuration so that it becomes persistent.


To configure PBR, the router configuration involves the following steps:

Define access lists to specify interesting traffic for each direction of traffic flow

Create route maps and define next-hop WAEs

Apply route maps to appropriate interfaces

Note

PBR can be used for interception and redirection of traffic to an NME-WAE, but this is not a
recommended practice because the NME-WAE is already installed in an ISR that is fully
capable of supporting WCCPv2.

Configuring PBR Access Lists


Access lists must be defined for each direction of traffic flow for
each site.
For this example, refer to the figure on the previous slide. Two
access lists are required for each site:
ACL1: TCP traffic leaving the local network
ACL2: TCP traffic entering the local network
This example displays PBR configuration for one of the two sites.

To configure PBR in a location, two access lists are created:

Access list ACL1 identifies all TCP traffic leaving the local network, as classified by IP
subnet.

Access list ACL2 identifies all TCP traffic entering the network, as classified by IP subnet.

Note that generic access lists with no IP classification can be used, but are not recommended
because these lists lack information needed for the comparison of inbound and outbound packet
statistics. It is recommended that separate access lists be configured with the appropriate IP
subnets defined.

Configuring Outbound Access List


The outbound access list defines traffic that should be optimized
when transmitted from the branch office.
The outbound access list is configured on the branch office router.
The access list shown here generically matches any TCP traffic
coming from the branch office subnet.
Note that access lists can be customized to use specific ports or
nodes.
Rtr(config)# ip access-list extended 100
Rtr(config-ext-nacl)# permit tcp 10.10.10.0 0.0.0.255 any

This example shows the creation of an access list that identifies TCP traffic leaving a branch
office.

Configuring Inbound Access List


The inbound access list defines traffic that should be optimized
when transmitted to the branch office.
The inbound access list is configured on the branch office router.
The access list shown here generically matches any TCP traffic
coming to the branch office subnet.
Note that access lists can be customized to use specific ports or
nodes.
Rtr(config)# ip access-list extended 101
Rtr(config-ext-nacl)# permit tcp any 10.10.10.0 0.0.0.255

This example shows the creation of an access list that identifies TCP traffic entering a branch
office.

Configuring PBR Route Maps


Route maps identify the traffic to be considered for the policy
route, and specify how to handle such traffic.
Optimization interfaces from multiple WAEs can be listed as next-hops, but only the first
available is used until failure.
One route map is required for each direction of traffic flow, and
each route map uses a separate access list.
Rtr(config)# route-map OUTBOUND permit
Rtr(config-route-map)# match ip address 100
Rtr(config-route-map)# set ip next-hop 1.1.1.1
Rtr(config-route-map)# set ip next-hop 1.1.1.2
Rtr(config)# route-map INBOUND permit
Rtr(config-route-map)# match ip address 101
Rtr(config-route-map)# set ip next-hop 1.1.1.1
Rtr(config-route-map)# set ip next-hop 1.1.1.2

Route maps provide two functions. First, they specify the match criteria as defined by access
lists. Second, they identify the device that receives matched packets as an IP next-hop
router. In effect, the route map says: identify traffic based on this access list, and then
forward matching packets to that router. Route maps must be configured for traffic entering
the location and also for traffic leaving the location.
This example shows the configuration of route maps for a branch office. Notice that all traffic
matching access lists 100 and 101 is set to be forwarded to a WAE (IP addresses 1.1.1.1 and
1.1.1.2) as the next-hop router. PBR can use only one next-hop at a time. Should that hop be
inaccessible, PBR references the next configured next-hop. PBR route map configurations for
WAAS and redirection should be identical for all routers in a given location so that they can
support asymmetric routing environments.

Applying Route Maps


Apply the OUTBOUND route map to the LAN interface.
Apply the INBOUND route map to the WAN interface.
The following sequence instructs the router to intercept and redirect TCP traffic,
sending it to the WAE as a next-hop router.
Enter interface configuration mode:
Rtr(config)# interface GigabitEthernet0/0.10
Specify that the OUTBOUND route map should be used on this interface. This
route map searches for TCP traffic leaving the local network:
Rtr(config-if)# ip policy route-map OUTBOUND
Enter interface configuration mode:
Rtr(config-if)# interface Serial0
Specify that the INBOUND route map should be used on this interface. This
route map searches for TCP traffic entering the local network:
Rtr(config-if)# ip policy route-map INBOUND

After the access lists are defined and the route maps are created, the route maps must then be
applied to interfaces on the router. Keep in mind that for WCCPv2, the WAE must be attached
to an interface where no interception or redirection is being performed. For PBR, the WAE
must be attached to an interface where no route map is applied that could possibly cause
routing loops.
Route maps are applied as IP policies on router interfaces. One route map should reference
traffic leaving the branch, including all TCP traffic from any inside IP address, and be applied
on the LAN interface of the router. The other route map should reference traffic entering the
branch, including all TCP traffic destined to any inside IP address, and be applied on the WAN
interface of the router.

PBR Availability Verification Example


This configuration shows that for the route map OUTBOUND, the next-hop of
1.1.1.1 (the WAE optimization interface) is tracked using IP SLA
number 1, which starts immediately and runs forever.

Rtr(config)# route-map OUTBOUND permit
Rtr(config-route-map)# set ip next-hop verify-availability 1.1.1.1 track 1
Rtr(config-route-map)# exit
Rtr(config)# ip sla 1
Rtr(config-ip-sla)# icmp-echo 1.1.1.1 source-interface GigabitEthernet0/0.11
Rtr(config-ip-sla)# frequency 20
Rtr(config-ip-sla)# exit
Rtr(config)# ip sla schedule 1 life forever start-time now
Rtr(config)# track 1 rtr 1

PBR can use next-hop availability verification to periodically check the responsiveness of the
WAE optimization interface. This is accomplished with IP service level agreements (SLAs) and
Internet Control Message Protocol (ICMP) echo messages. If a WAE optimization interface
fails the responsiveness check, it is no longer considered a valid next-hop IP address. IP SLAs
are configured as part of the route map definition process and should be configured on all route
maps.
To configure an IP SLA, return to the route map definition sequence and specify next-hop
routers for tracking. In this example, the route map is configured to use tracking instance 1 to
track the availability of the next-hop router at 1.1.1.1. One configuration statement is added for
each WAE to be tracked.
Next, go to global configuration mode and configure the IP SLA instance. Configure the IP
SLA to track the availability of the WAE using ICMP messages (recommended), the Cisco
Discovery Protocol (CDP) neighbor database, or TCP connection attempts. Specify the interval
(frequency of check), the source interface to use, and then schedule the SLA to run.
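
The PBR steps in this topic (access lists, route maps, interface policies, and next-hop tracking) can be checked offline against a saved router configuration. The following Python audit is an added example, not part of the Cisco course material; the sample configuration is constructed from the commands shown in this topic, and the 1.1.1.254 address on GigabitEthernet0/0.11 is an assumed router address on the WAE subnet.

```python
import ipaddress
import re

# Constructed sample: the branch router commands from this topic as they would
# appear in a saved configuration. The 1.1.1.254 address is an assumption.
SAMPLE_CONFIG = """\
ip access-list extended 100
 permit tcp 10.10.10.0 0.0.0.255 any
ip access-list extended 101
 permit tcp any 10.10.10.0 0.0.0.255
route-map OUTBOUND permit
 match ip address 100
 set ip next-hop verify-availability 1.1.1.1 track 1
route-map INBOUND permit
 match ip address 101
 set ip next-hop 1.1.1.1
interface GigabitEthernet0/0.10
 ip policy route-map OUTBOUND
interface GigabitEthernet0/0.11
 ip address 1.1.1.254 255.255.255.0
interface Serial0
 ip policy route-map INBOUND
"""


def parse_sections(text):
    """Group indented lines under the unindented line that precedes them."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def addr_specs(entry):
    """Return (source, destination) of 'permit tcp <src> <dst>' (no port qualifiers)."""
    tokens, specs = entry.split()[2:], []
    while tokens and len(specs) < 2:
        width = 1 if tokens[0] == "any" else 2   # 'any' | 'host A' | 'A wildcard'
        specs.append(" ".join(tokens[:width]))
        tokens = tokens[width:]
    return tuple(specs)


def audit_pbr(text):
    """Return a list of findings; an empty list means every check passed."""
    acls, maps, policy, nets = {}, {}, {}, {}
    for head, body in parse_sections(text).items():
        if m := re.fullmatch(r"ip access-list extended (\S+)", head):
            acls[m[1]] = {addr_specs(e) for e in body if e.startswith("permit")}
        elif m := re.fullmatch(r"route-map (\S+) permit(?: \d+)?", head):
            maps[m[1]] = body
        elif m := re.fullmatch(r"interface (\S+)", head):
            for line in body:
                if p := re.fullmatch(r"ip policy route-map (\S+)", line):
                    policy[m[1]] = p[1]
                elif a := re.fullmatch(r"ip address (\S+) (\S+)", line):
                    nets[m[1]] = ipaddress.ip_interface(f"{a[1]}/{a[2]}").network

    findings, matched, hops = [], [], set()
    for name in sorted(set(policy.values())):
        if name not in maps:
            findings.append(f"route-map {name} is applied but not defined")
            continue
        plain, tracked, acl = set(), set(), None
        for line in maps[name]:
            words = line.split()
            if line.startswith("match ip address"):
                acl = words[-1]
            elif words[:4] == ["set", "ip", "next-hop", "verify-availability"]:
                if len(words) > 4:
                    (tracked if "track" in words else plain).add(words[4])
            elif words[:3] == ["set", "ip", "next-hop"]:
                plain.update(words[3:])
        if acl in acls:
            matched.append(acls[acl])
        else:
            findings.append(f"route-map {name} matches undefined access list {acl}")
        # The page recommends availability tracking on every route map.
        for hop in sorted(plain - tracked):
            findings.append(f"route-map {name}: next-hop {hop} is not tracked")
        hops |= plain | tracked
    # One access list per direction: the second should be the first with
    # source and destination swapped.
    if len(matched) == 2 and {(d, s) for s, d in matched[0]} != matched[1]:
        findings.append("access lists for the two directions are not mirror images")
    # The WAE-facing interface must not carry a policy route map (routing loop).
    for ifname in sorted(nets):
        if ifname in policy and any(ipaddress.ip_address(h) in nets[ifname] for h in hops):
            findings.append(f"{ifname} faces a next-hop WAE and has a policy route map")
    return findings


if __name__ == "__main__":
    for finding in audit_pbr(SAMPLE_CONFIG):
        print(finding)
```

On the sample, the audit reports that the INBOUND route map still uses an untracked next-hop, which is the state of the configuration before the availability verification step is repeated for the second route map.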

Configuring ACE for Interception


This topic explains how to configure the Cisco ACE module for the Catalyst 6500 to provide
network interception and redirection for Cisco WAAS in the enterprise data center.

ACE Configuration Overview

[Figure: Catalyst 6500 series switch with ACE module between the WAN/IP network and the data
center. VLAN 10 (10.1.1.0/24) is toward the WAN/clients, VLAN 11 (10.2.1.0/24) is toward the
data center, and VLAN 12 (10.3.1.0/24) connects the WAE.]

Configuring the ACE module for the Catalyst 6500 series switch to provide network
interception for Cisco WAAS requires configuration of the following items:
1. Define VLANs on the Catalyst and assign the VLANs to the ACE.
2. Allocate the appropriate WAE interfaces into the WAE VLAN.
3. Ensure proper network routing from end to end.
4. Define WAE rservers (an rserver is a real server, that is, a WAE definition) and
serverfarms (groups of rservers).
5. Configure class maps, policy maps, and service policy.

VLAN Definition and Assignment

Cat6509# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Cat6509(config)#
Cat6509(config)# vlan 10
Cat6509(config-vlan)# vlan 11
Cat6509(config-vlan)# vlan 12
Cat6509(config-vlan)# exit
Cat6509(config)# svclc vlan-group 10 10-12
Cat6509(config)# svclc module 1 vlan-group 10
Cat6509(config)# interface Vlan10
Cat6509(config-if)# ip address 10.1.1.1 255.255.255.0
Cat6509(config-if)# no shut
Cat6509(config-if)# end
Cat6509# session 8

vlan 10, vlan 11, vlan 12: Define VLANs: client-facing (VLAN 10), WAE-facing (VLAN 11),
server-facing (VLAN 12).
svclc: Create a VLAN group containing relevant VLANs and assign to the ACE.
interface Vlan10: Assign an IP address to a VLAN to be used as the default gateway for the ACE.
session 8: Telnet or session to the ACE module.

The VLANs that are used should be configured on the Catalyst 6500 and then assigned to the
ACE module. Notice that three VLANs (minimum) are required:

VLAN facing the WAN, or directing traffic toward the WAN (in this example, VLAN 10)

VLAN facing the WAEs, the destination for traffic to be optimized or unoptimized (in this
example, VLAN 11)

VLAN facing the servers or toward the data center (in this example, VLAN 12)

VLANs are assigned to the ACE module through the svclc vlan-group command in the
Catalyst IOS global configuration mode.
Ensure that each VLAN has the appropriate IP configuration as necessary, and that network
connectivity is operational between all endpoints in the network through the Catalyst 6500
VLANs.
After the VLANs are defined and assigned to the ACE module, connect to the ACE using the
session command from the privileged exec mode on the Catalyst 6500 IOS command-line
interface (CLI).

Configuring VLANs on the ACE

ACE# conf t
Enter configuration commands, one per line. End with CNTL/Z.
ACE(config)# access-list PERMIT-ALL line 10 extended permit ip any any
ACE(config)# interface vlan 10
ACE(config-if)# ip address 10.1.1.1 255.255.255.0
ACE(config-if)# no normalization
ACE(config-if)# access-group input PERMIT-ALL
ACE(config-if)# access-group output PERMIT-ALL
ACE(config-if)# no shutdown
ACE(config-if)# exit

interface vlan 10: Configure client-facing VLAN and explicitly permit traffic. Disable TCP
normalization.

ACE(config)# interface vlan 11
ACE(config-if)# ip address 10.2.1.1 255.255.255.0
ACE(config-if)# no normalization
ACE(config-if)# access-group input PERMIT-ALL
ACE(config-if)# access-group output PERMIT-ALL
ACE(config-if)# no shutdown
ACE(config-if)# exit

interface vlan 11: Configure server-facing VLAN and explicitly permit traffic. Disable TCP
normalization.

ACE(config)# interface vlan 12
ACE(config-if)# ip address 10.3.1.1 255.255.255.0
ACE(config-if)# no normalization
ACE(config-if)# mac-sticky enable
ACE(config-if)# access-group input PERMIT-ALL
ACE(config-if)# access-group output PERMIT-ALL
ACE(config-if)# no shutdown
ACE(config-if)# exit

interface vlan 12: Configure WAE-facing VLAN and explicitly permit traffic. Disable TCP
normalization. Enable mac-sticky.

From the ACE CLI, each of the VLANs assigned to it must be configured. This configuration
includes the relevant IP address and subnet mask, along with the following:

Disable TCP normalization, which allows the ACE to permit the TCP options used by
Cisco WAAS automatic discovery.

Create an access-list that defines what traffic can be routed through the ACE (in this
example, the access list is called PERMIT-ALL and permits any IP traffic) and apply input
and output access-group policies to each of the VLANs. This allows traffic to pass through
the ACE module explicitly.

Enable each of the VLAN interfaces using the no shutdown command.

On the WAE VLAN interface, enable mac-sticky, which ensures that traffic returning to
the ACE that is to be redirected to a WAE is sent to the same WAE that saw the data
previously. If no WAE has seen data from this connection previously, the configured ACE
load-balancing policy (predictor) is used.

Note

The mac-sticky feature must be configured on the WAE VLAN when more than one WAE is
used. This feature ensures that flows coming back through the ACE module are forwarded
to the same WAE. This requires Layer 2 adjacency from the ACE module to the WAE. If this
is not configured, traffic cannot be optimized because the same WAE might not be in the
path for each direction of traffic flow.

Defining WAEs and WAE Server Farm

ACE(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.1
ACE(config)# rserver host WAE1
ACE(config-rserver-host)# ip address 10.3.1.2
ACE(config-rserver-host)# inservice
ACE(config-rserver-host)# exit
ACE(config)# rserver host WAE2
ACE(config-rserver-host)# ip address 10.3.1.3
ACE(config-rserver-host)# inservice
ACE(config-rserver-host)# exit
ACE(config)# serverfarm host WAAS
ACE(config-sfarm-host)# transparent
ACE(config-sfarm-host)# predictor hash address source
ACE(config-sfarm-host)# rserver WAE1
ACE(config-sfarm-host-rs)# inservice
ACE(config-sfarm-host-rs)# rserver WAE2
ACE(config-sfarm-host-rs)# inservice
ACE(config-sfarm-host-rs)# exit

ip route: Specify the default gateway for the ACE.
rserver host: Define each of the WAEs, specify their IP addresses, and place them in service.
serverfarm host: Create a WAE server farm and include each of the WAEs defined. Place each
WAE in service. Define the load-balancing algorithm (predictor).

After the VLANs are created and configured, configure any necessary routes on the ACE to
ensure that end-to-end network connectivity is valid. This might require configuration of a
static route that tells the ACE module what its default gateway is.
The next step involves defining each of the WAEs that is used, and is accomplished by creating
rservers. An rserver is a real server; it defines a real device that the ACE module
interacts with.
To configure a WAE rserver, use the rserver host configuration command from the ACE
global configuration mode. Next, specify an IP address, and enable the rserver using the
inservice command. This should be done for each WAE that is used by the ACE module.
After the rservers have been defined, define an rserver group, also called a server farm. A
server farm is a grouping of rservers and is used as the target for traffic that is load-balanced by
the ACE. When defining the server farm:

Ensure that the transparent command is used to notify the ACE that load-balancing to this
server farm should be done transparently.

Define a predictor (load-balancing policy). This example shows the use of a hash against
the source address.

Define the rservers that are assigned to the server farm, and place each rserver in service
within the server farm. Note that the rserver, when being defined, also has to be placed in
service. When assigning an rserver to a server farm, the rserver must be placed in service
within the server farm as well.
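
Why mac-sticky matters once the server farm holds two WAEs and the predictor hashes the source address, as an added example that is not part of the Cisco course material. It is a simplified Python model: the hash function, the connection table, and the client and server addresses are assumptions made for illustration.

```python
import ipaddress

FARM = ["WAE1", "WAE2"]   # rservers in serverfarm WAAS, as defined on this page


def predictor_hash_source(src_ip, farm=FARM):
    """Stand-in for 'predictor hash address source'. The real ACE hash is not
    given on the page; any deterministic hash of the source address shows the
    same effect (assumption: integer value of the address modulo farm size)."""
    return farm[int(ipaddress.ip_address(src_ip)) % len(farm)]


class AceModel:
    """Simplified model of WAE selection on the ACE, per the page's description."""

    def __init__(self, mac_sticky):
        self.mac_sticky = mac_sticky
        self.seen_by = {}                     # connection -> WAE that saw it

    def select_wae(self, src, dst):
        """Choose the WAE for a packet (src and dst are (ip, port) tuples)."""
        conn = frozenset((src, dst))          # one key for both directions
        if self.mac_sticky and conn in self.seen_by:
            return self.seen_by[conn]         # same WAE that saw the data before
        wae = predictor_hash_source(src[0])   # otherwise fall back to the predictor
        self.seen_by.setdefault(conn, wae)
        return wae


def split_connections(clients, server, mac_sticky):
    """Return the clients whose two traffic directions reach different WAEs."""
    ace, split = AceModel(mac_sticky), []
    for index, client in enumerate(clients):
        c, s = (client, 40000 + index), (server, 445)
        forward = ace.select_wae(c, s)        # client to server
        reverse = ace.select_wae(s, c)        # server to client
        if forward != reverse:
            split.append(client)
    return split


# Constructed sample addresses: four branch clients and one data center server.
CLIENTS = ["10.10.10.1", "10.10.10.2", "10.10.10.3", "10.10.10.4"]
SERVER = "10.2.1.10"

if __name__ == "__main__":
    print("without mac-sticky:", split_connections(CLIENTS, SERVER, False))
    print("with mac-sticky:   ", split_connections(CLIENTS, SERVER, True))
```

Without stickiness the return direction is hashed on the server address, so in this model half of the sample connections have their two directions on different WAEs; with stickiness none do.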

Configuring Load Balancing


ACE(config)# class-map match-any ALL-TCP
ACE(config-cmap)# 10 match virtual-address 0.0.0.0 0.0.0.0 tcp any
ACE(config-cmap)# exit
ACE(config)# policy-map type loadbalance first-match TCP-POLICY-TYPE
ACE(config-pmap-lb)# class class-default
ACE(config-pmap-lb-c)# serverfarm WAAS
ACE(config-pmap-lb-c)# exit
ACE(config)# policy-map multi-match WAAS-INTERCEPT
ACE(config-pmap)# class ALL-TCP
ACE(config-pmap-c)# loadbalance vip inservice
ACE(config-pmap-c)# loadbalance policy TCP-POLICY-TYPE
ACE(config-pmap-c)# exit
ACE(config)# interface vlan 10
ACE(config-if)# service-policy input WAAS-INTERCEPT
ACE(config-if)# exit
ACE(config)# interface vlan 11
ACE(config-if)# service-policy input WAAS-INTERCEPT
ACE(config-if)# end

class-map: Specify traffic to intercept and redirect.
policy-map type loadbalance: Define the serverfarm to load-balance to.
policy-map multi-match: Define the load-balance policy.
service-policy input: Apply the policy to the appropriate client and server VLANs.

The final step in configuring the ACE is to define the class maps, policy maps, and service
policy:

class-map: Defines the classifiers by which traffic that is considered for load balancing is
matched. In this example, all TCP traffic is matched. This can be filtered to load-balance only
a subset of traffic traversing the ACE. This works in concert with the access groups
defined on the VLANs in the ACE module configuration; that is, traffic must be permitted
through the ACE, and then traffic must be permitted for load-balancing.

Note

The access group configuration must permit an equivalent or greater amount of traffic than
what is defined by the class-map. If the class map expects a broader set of traffic than what
is permitted through the VLANs by the access group, the class map does not see the traffic
due to the filtering done by the access group.

policy-map: Assigns the class that has been defined to a load-balancing policy and a server
farm.

service-policy: The service policy applies a policy map to an interface.

Note

The service policy must be applied to WAN-facing and server-facing VLANs but not the
WAE VLANs.

Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
The Cisco WAE inline card configuration requires that WCCPv2
be disabled and consists of inline groups and inline ports.
WCCPv2 is the recommended off-path interception mechanism
for most deployments. It involves network configuration and Cisco
WAE configuration.
PBR is an alternative off-path interception mechanism in which
the Cisco WAE is treated as a next-hop router by the network for
selected traffic flows. The flows are determined by an access list
or other classification mechanisms.
The Catalyst 6500 ACE module allows Cisco WAAS to integrate
into enterprise data centers via off-path interception.

Lesson 3

Cisco WAAS Central Management

Overview
This lesson explains how the Wide Area Application Services (WAAS) Central Manager is
used to centrally configure, manage, and monitor a topology of Wide Area Application Engine
(WAE) devices.

Objectives
Upon completing this lesson, you will be able to explain how the WAAS Central Manager is
used to centrally configure, manage, and monitor a topology of WAE devices. This includes
being able to meet these objectives:

Describe the purpose of the Cisco WAAS Central Manager

Explain the process of device activation

Describe how to assign devices to device groups to simplify configuration and reporting

Describe the WAE management capabilities of the WAAS Central Manager

Explain how to configure users and roles to control administrative privileges

Explain how to use Central Manager to distribute a WAAS software image to multiple
devices, and control the installation of software versions

Explain Central Manager high availability options

Describe WAAS Central Manager system settings and their purpose

Introduction to Cisco WAAS Central Manager


This topic explains how to access Central Manager, and describes the high-level features of
Central Manager.

Cisco WAAS Central Manager


The WAAS Central Manager is a powerful, scalable, and
secure central management tool.
The Central Manager provides policy configuration and
distribution functions, as well as systemwide statistics,
device statistics, and application statistics.
The Central Manager is available at:
https://(Central_Manager_IP):8443

Default credentials for the Central Manager are:


Username = admin
Password = default

Central Manager is a device mode configured on a standalone WAE that provides scalable,
secure, robust, and centralized management for all of the WAEs within the deployment. Central
Manager is used to provide device-specific and systemwide configuration, monitoring, and
reporting capabilities. Central Manager is accessible via a web browser at
https://(central_mgr_ipaddr):8443.
The default credentials for Central Manager are the same as those for the default WAE
credentials:

username = admin

password = default

Central Manager is typically deployed in the data center and can be deployed in an
active-passive failover capacity by using two WAEs.

Central Manager Login Screen

Central Manager is accessible via a web browser at https://(central_mgr_ipaddr):8443. The first
screen to appear is the login screen, as shown in the figure.
The default credentials for Central Manager are the same as those for the default WAE
credentials:

username = admin

password = default

Central Manager Home Page

The Central Manager home page provides a variety of information:

Notification of alerts (minor, major, critical)

The number of devices

The systemwide application traffic mix for last month

The systemwide reduction; the top ten applications for last month

The software versions installed

From here, you can click one of the following tabs or buttons:

View Detailed Report: This button provides additional data on systemwide behavior.

Devices: This tab allows you to examine configured devices and device groups, change the
configuration, monitor statistics, or generate reports.

Services: This tab allows you to configure application acceleration services or print
services.

System: This tab allows you to configure system management parameters.

Activating WAEs
This topic explains how to activate a Cisco WAE or a group of Cisco WAEs within a Cisco
WAAS topology.

Activate All Inactive WAEs

WAE devices that register with Central Manager must first be activated before they can receive
a policy and interact with other WAEs. To activate all inactive WAEs, click the Devices tab
and then click the Activate all inactive WAEs icon, as shown in the figure.

Activate an Individual WAE

To activate a single WAE, click the Edit icon at the left of the WAE entry in the main Devices
table, and then click Activate.

Devices Pending Activation

After a device is selected for activation, its status changes to Pending. The device transitions to
Online after the activation process has finished, which generally takes two to three Central
Manager polling cycles. Central Manager polling cycles are configurable via the System tab.

Configuring Device Groups


This topic explains how device groups can simplify the configuration process, and describes
best practices for this process.

Device Groups

[Figure: WAN topology with a legend identifying Device Group 1, Device Group 2, and Device
Group 3]

Device groups are used to simplify configuration of the WAAS topology. Policy and other
settings can be applied to a device group to improve administrative efficiency. The running
WAE policy is always:

From the last device group that the WAE was added to

The last policy directly applied to the WAE

From the explicitly defined device group (if specified)

A WAE can be a member of multiple groups. The best practice is to configure device groups
for:

Time zones

Bandwidth or TCP parameters

Wide Area File Services (WAFS) Core Clusters

Windows integration

Network configuration

Print services

Acceleration policies

Other services

Device Groups (Cont.)


Application policy can be managed per device, but it is
recommended that application accelerators be joined to a
device group, with the application policy configured at the
group level, to ensure consistency.

Device groups are configured from Central Manager by clicking the Device Groups link from
the Devices tab.
Application policies can be configured against a device via the command-line interface (CLI)
or GUI, or can be configured against a device group where the WAE is a member. It is highly
recommended that device groups be used when configuring application policy to help ensure
consistency throughout the enterprise.

Note

The AllDevicesGroup is configured automatically.

Creating a Device Group

To create a new device group, click the Create New Device Group icon. After clicking Create
New Device Group, specify a unique name for the new group. Two types of device groups can
be created:

Configuration Group: This type is used to apply common application policy or other
configurations.

WAFS Core Cluster: This type is used only to group WAEs together as a WAFS Core
Cluster.

A device group can be specified as baseline for file services, acceleration, or platform.
Optionally, you can specify that new devices added to the system are automatically added to
this group.

Adding Devices to a Device Group


After the device group has been created, click Assign
Devices to add devices.

After the device group is created, click Assign Devices to add devices to the new device group.
After the device group is configured, Central Manager can configure most aspects of the
individual WAEs that are members of that device group, including the following:

Software version

Configuration of file services optimization (Core Service, Edge Service)

Acceleration configuration, including policies and classifiers

Print services configuration

General settings, including network configuration, integration, name resolution, disk
configuration

Network interception configuration

Login access control (telnet, ssh, timeouts)

Login authentication mechanisms

WAE CLI users

Redundant array of inexpensive disks (RAID) settings

Notifications

Network configuration

Interception

To accomplish administrative tasks for the new group, click the Home entry in the Contents
pane on the left. This takes you to the Device Group home page and allows you to perform
configuration tasks such as:

Deleting the device group

Requesting an update from the device group WAEs on application statistics

Forcing a full database update from the device group WAEs

Rebooting all of the WAEs in a device group

Reapplying all device group settings against all device group WAEs

Restoring default application policies

Explicit Policy Configuration

To force a WAE to use a policy explicitly from a device group the WAE is assigned to, choose
Acceleration > Policies from the Devices link and select the desired device group from the
listing.
A WAE always uses the last policy applied, that is, the last device group that the WAE was
joined to, or the last policy explicitly configured against the WAE. The exception to this rule is
dependent on the status of the explicit policy device group. If the explicit policy device group is
already configured, these settings override the local configuration, and the configuration is
inherited from other groups. The explicit policy device group can be configured on individual
devices from the device policy page.

Configuring a Device Group as Baseline

A baseline group is used to establish the default configuration for a particular feature:

File services

Acceleration

Platform configuration

Only one baseline group can be configured for each of these features within a WAAS topology.
Baseline groups are used to apply a common configuration across all WAEs.

Creating a Location Group

Location groups can be configured as an administrative mechanism to classify WAEs based on
their geographic deployment. Unlike device groups, location groups are not used to propagate
configuration or policy. Location groups allow for the configuration of a location hierarchy;
for example, the group San Jose can be a child of USA-West.
While location groups are not necessary, it is recommended that they be configured to support
future features. Each location requires a unique name. Each location can be created as a root
location (designated level 1), or as a child location beneath another location. Location trees can
be up to four levels deep.
Click the Create New Location icon to access the Creating New Location page. Notice that
the parent location can be specified to allow administrators to configure a hierarchy of WAEs.

Viewing the Location Tree


Central Manager allows you to view the device and location tree.
Devices are shown in black; locations are shown in red.

To view the location tree, click the Locations link from the Devices tab and then click the
Location Trees icon. Note that locations appear in red and WAE devices appear in black. The
location view is hierarchical; child locations are nested beneath their parents.

Device Group Best Practices


Configure baseline groups for file services, acceleration, and
platform. Use these groups to establish common configurations
across all WAEs.

Avoid using device-specific configurations. Use group
configurations to simplify administration.

Assign WAEs to geographies using device locations for your
organization.

Remember that the last group or device configuration applied to a
WAE always determines policy. In cases where a WAE is a
member of multiple groups, specify the group from which policy is
inherited.

The figure lists best practices for device group configuration.

Managing and Monitoring WAEs


This topic explains the device-specific configuration functions of the WAAS Central Manager.

Managing WAEs from Central Manager


Central Manager provides configuration capabilities for each WAE
that is registered.
To edit a device, click the Edit icon located next to the WAE Name
field.

The WAAS Central Manager supports device-specific configurations in a manner similar to the
process of configuring device groups. Click the Devices link from the Devices tab and view the
list of individual devices currently resident in the WAAS topology. To edit a device, click the
Edit icon located next to the WAE Name field.

Managing and Monitoring WAEs

[Figure: Device Management home page, with callouts for Activation, Configuration, Policies, Services, Monitoring, Device Groups, and View reports]

By default, only basic configuration items are initially shown. Click the Show Advanced
button to view the entire table of contents. In addition to other items, the device management
home page provides statistics on the application traffic mix from last week.
From the Device Management home page, the following configuration items can be modified:

Software version

Configuration of file services optimization (Core Service, Edge Service)

Acceleration configuration, including policies and classifiers

Print services configuration

General settings, including network configuration, integration, name resolution, disk
configuration

Network interception configuration

Login access control (telnet, ssh, timeouts)

Login authentication mechanisms

WAE CLI users

RAID settings

Notifications

Network configuration

Interception

These items can also be configured from the CLI.


From a monitoring perspective, the Device home page displays the following:

Alarm status: the number of alarms, with the highest-severity alarm displayed.

Number of device groups of which the WAE is a member.

Software version.

Hardware model.

IP address and host name

Gateway.

RAID level and number of installed disks.

Monitoring WAE Status


Central Manager provides an overview of system health in the status
bar located at the top of the Central Manager GUI. Click the system
status bar to view a summary of system errors.

Detailed WAE information is available in the status bar located on the
Device home page.

A system status bar is displayed in two different locations within Central Manager. The first
location is at the top of most Central Manager pages. The second location is on the Devices
home page. From this location you can view the status of each of the devices within the Cisco
WAAS network.
Central Manager performs a health check and status update on each WAE at a configurable
interval.
The poll rate can be configured by choosing System > Configuration >
System.datafeed.pollRate. The poll rate is the interval at which devices poll the Central
Manager for configuration updates.
The collection rate can be configured by navigating to System > Configuration >
System.monitoring.collectRate. The collection rate is the interval at which devices send
application statistics to the Central Manager. These statistics are the basis for the graphs
presented in the GUI.
The information exchanged between the Central Manager and registered WAEs includes the
following:

Health and liveliness

Statistics

Configuration

Monitoring WAE Status


Highlight the alarm information field to view a menu that
allows the administrator to:

Edit or monitor the device

Telnet to the device

View the device log

Run show commands against the device

To access additional WAE system functions, click the Alarm Information entry to edit or
monitor a device, telnet to a device, examine the device log, or run show commands. Alarms
are automatically cleared after they have been resolved, which occurs at the completion of a
Local Central Manager (LCM) polling cycle.

Configuring WAEs for High BDP Networks

Although rarely needed, advanced TCP settings can be configured to provide optimizations for
high bandwidth delay product (BDP) networks. It is recommended that WAE devices be
bundled into common device groups based on the BDP of the networks they support. Advanced
TCP settings can then be applied against the BDP device group.
The Transport Flow Optimization (TFO) TCP settings configurable via the CLI and GUI
include the following:

Keepalive: This setting enables WAEs to exchange keepalive data for connections.

Optimized maximum segment size (MSS): This is the MSS of the optimized side of the
WAE. The default is 1432 bytes.

Optimized Send Buffer: This is the send buffer size of the optimized side. The default is
32 KB, and can go as large as 8192 KB.

Optimized Receive Buffer: This is the receive buffer size of the optimized side. The
default is 32 KB, and can go as large as 8192 KB.

Original MSS: This is the maximum segment size of the nonoptimized side of the WAE.
The default is 1432 bytes.

Original Send Buffer: This is the send buffer size of the nonoptimized side of the WAE.
The default is 32 KB.

Original Receive Buffer: This is the receive buffer size of the nonoptimized side of the
WAE. The default is 32 KB.

The buffer size values are only tuned in those situations where high BDP networks are
encountered. The BDP of the network can be calculated as follows:

BDP (bytes) = 2 * ( (link bandwidth in bps / 8) * roundtrip latency in seconds )

When multiple WAN links are serviced by a WAE, the BDP of the network is the sum of the
BDP of each of the WAN links supported by the WAE:

BDP (total) = (BDP(WAN1) + BDP(WAN2) + BDP(WAN3) + BDP(WANn))

If the BDP that is supported by the WAE exceeds the values set for the send and receive
buffers, you can compensate by adjusting the send and receive buffers for the optimized side
settings of the WAE. Modifications are not necessary to the original side settings.
To configure TCP buffers from the CLI, use the following command:
EDGE-WAE(config)#tfo tcp ?
  keepalive                 TCP keepalive, default enabled
  optimized-mss             Optimized side TCP MSS, default 1432 bytes
  optimized-receive-buffer  Optimized side Rx buffer size in KByte, default 32 KB
  optimized-send-buffer     Optimized side Tx buffer size in KByte, default 32 KB
  original-mss              Original side TCP max segment size, default 1432 bytes
  original-receive-buffer   Original side Rx buffer size in KByte, default 32 KB
  original-send-buffer      Original side Tx buffer size in KByte, default 32 KB
Note

The original-side TCP buffers should not be changed unless it is deemed that the BDP of
the network is so high that not enough data from the transmitting node can be buffered to
keep the network fully utilized.
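
The sizing rule above, worked through as an added example (not part of the Cisco course material): it sums the per-link BDP for each WAE, compares the total with the 32 KB default and 8192 KB maximum of the optimized-side buffers, and groups sites by the resulting buffer size. Site names and link figures are constructed, rounding up to a power of two is this example's own choice, and the `tfo tcp optimized-... <KB>` command form is inferred from the help output above.

```python
# Added example: optimized-side buffer sizing from the BDP formulas in this lesson.
DEFAULT_BUFFER_KB = 32    # default optimized-side send/receive buffer (from the lesson)
MAX_BUFFER_KB = 8192      # largest optimized-side buffer (from the lesson)

# Constructed sample sites: (link name, bandwidth in bps, round-trip latency in ms).
SITES = {
    "branch-dsl": [("wan1", 512_000, 50)],
    "branch-t1":  [("wan1", 1_544_000, 100)],
    "regional":   [("wan1", 45_000_000, 80), ("wan2", 1_544_000, 100)],
    "datacenter": [("wan1", 1_000_000_000, 100)],
}


def link_bdp_bytes(bandwidth_bps, rtt_ms):
    """BDP (bytes) = 2 * ((bandwidth in bps / 8) * round-trip latency in seconds)."""
    if bandwidth_bps <= 0 or rtt_ms <= 0:
        raise ValueError("bandwidth and latency must be positive")
    # 2 * (bps / 8) * (ms / 1000) == bps * ms / 4000, rounded up to a whole byte.
    return (bandwidth_bps * rtt_ms + 3999) // 4000


def total_bdp_bytes(links):
    """A WAE serving several WAN links needs the sum of the per-link BDPs."""
    return sum(link_bdp_bytes(bps, ms) for _name, bps, ms in links)


def plan_buffers(links, current_kb=DEFAULT_BUFFER_KB):
    """Decide whether the optimized-side buffers must grow to cover the BDP."""
    needed_kb = (total_bdp_bytes(links) + 1023) // 1024
    if needed_kb <= current_kb:
        return {"needed_kb": needed_kb, "buffer_kb": current_kb,
                "status": "keep", "commands": []}
    # Assumption of this example: round up to a power of two so that sites with
    # similar BDP share one setting and can share one BDP device group.
    buffer_kb = 1
    while buffer_kb < needed_kb:
        buffer_kb *= 2
    status = "raise"
    if buffer_kb > MAX_BUFFER_KB:
        # The BDP is larger than the biggest buffer the lesson documents.
        buffer_kb, status = MAX_BUFFER_KB, "capped"
    commands = [
        f"tfo tcp optimized-send-buffer {buffer_kb}",
        f"tfo tcp optimized-receive-buffer {buffer_kb}",
    ]
    return {"needed_kb": needed_kb, "buffer_kb": buffer_kb,
            "status": status, "commands": commands}


def group_sites(sites):
    """Map each buffer size (KB) to the sites that would share that setting."""
    groups = {}
    for name, links in sites.items():
        groups.setdefault(plan_buffers(links)["buffer_kb"], []).append(name)
    return {kb: sorted(names) for kb, names in sorted(groups.items())}


if __name__ == "__main__":
    for site, links in SITES.items():
        plan = plan_buffers(links)
        print(f"{site:11} BDP={total_bdp_bytes(links):>9} bytes "
              f"needs {plan['needed_kb']:>5} KB -> {plan['status']} at {plan['buffer_kb']} KB")
        for command in plan["commands"]:
            print(f"            {command}")
    print(group_sites(SITES))
```

A "capped" result means the summed BDP is larger than the 8192 KB maximum, so the buffer alone cannot keep that set of links full.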

Configuring Role-Based Access Control


This topic explains how to create and manage users and roles to control administrative
privileges.

Creating and Managing Central Manager Users


Central Manager users can be created or managed from
the Users panel.

Central Manager allows for the definition of administrative users and associated roles. User
credentials can be stored locally on each WAE or they can be authenticated using a third-party
authentication provider, such as TACACS, RADIUS, or Active Directory.
Roles determine the menus that can be accessed by the user. To create, modify, or manage
users, click the AAA link on the System tab. The User Accounts page appears with a list of
current users. Click the Create New User Accounts icon to create a new user, or click the Edit
User icon to modify an existing user.

Managing Central Manager Users

The process of creating a new user allows you to specify the following information:

User name

Password

WAE Device Manager user and access level

CLI user (for Central Manager use only; this setting does not propagate)

CLI privilege level (normal user, super user)

Contact information

Note

No password is specified when using TACACS, RADIUS, or Active Directory authentication.


Usernames must be alphanumeric and cannot contain spaces or special characters.

Central Manager allows you to delete accounts and assign roles to an account. Remember that a
role determines the screens within Central Manager that a user can access. A user can be
assigned multiple roles. The effective permissions of a user are the sum of the roles that are
assigned to that user.
Note

The admin user cannot be deleted. The admin password must be set in the Central
Manager WAE CLI. It cannot be set in the Central Manager GUI. Other user passwords can
be changed by clicking the Password link from the System tab. You must be logged in as
that user or editing the settings of that user to change the password of that user.

Managing Roles

User roles allow the administrator to control who uses the different functions available through
Central Manager.
Roles are created by navigating to System > AAA > Roles and clicking the Create New Role
icon. Roles must have unique names. Assigning page accessibility to a role gives any user
associated with that role read-write access to those pages. Roles are read-write only. The Role
Configuration window allows administrators to control the functions that are accessible to the
users assigned to each role. Any GUI page within Central Manager can be selectively allowed
or disallowed during role configuration. Any GUI page that is selected in the role definition
will be made accessible in a read-write capacity to any user assigned to the role.
Note

Users can be assigned to multiple roles. The net effective permissions of the user are based
on the cumulative sum of all permitted pages for all roles that the user is assigned to.

Managing Domains

A domain defines the devices or device groups within the Cisco WAAS topology that a user
assigned to that domain is able to access and configure. Domains are configured adjacent to
roles, which define Central Manager pages that the user can visit and manipulate. Domains can
be configured as device domains (specify individual devices that can or cannot be accessed), or
group domains (specify device groups that can or cannot be accessed). Users assigned to a
domain have the ability to configure the entities described by the domain based on the effective
permissions provided by the assigned roles.

Assigning a User to Roles and Domains

After roles and domains are created, users can be assigned to one or more roles and one or more
domains. To accomplish this task, choose System > AAA > Users > (user) > Role
Management and make your role assignments. Then choose System > AAA > Users > (user)
> Domain Management to make your domain assignments. Effective user permissions are the
summation of all roles assigned to that user, and effective device permissions are the
summation of all domains assigned to that user.
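
The cumulative role and domain model described in this topic, as an added access-review example (not part of the Cisco course material or of Central Manager itself): it computes each user's effective pages and devices as the union of the assigned roles and domains, and reports which role grants read-write access to the AAA pages. All role, domain, user and device names are constructed; the page labels reuse menu paths quoted in this lesson.

```python
"""Access review for a Central Manager style role/domain model (illustrative)."""

# Constructed sample data. Role, domain, user and device names are hypothetical.
# A role is a set of GUI pages; every page in a role is read-write.
ROLES = {
    "helpdesk":   {"Devices > Devices"},
    "sw-upgrade": {"Devices > Device Groups > Software Update"},
    "user-admin": {"System > AAA > Users", "System > AAA > Roles"},
}
DEVICE_GROUPS = {
    "branch-wae": {"sjc-edge-1", "nyc-edge-1"},
    "core-wae":   {"dc-core-1"},
}
# A domain is either a device domain (lists devices) or a group domain (lists groups).
DOMAINS = {
    "west-devices": ("device", {"sjc-edge-1"}),
    "all-branches": ("group", {"branch-wae"}),
    "datacenter":   ("group", {"core-wae"}),
}
USERS = {
    "alice": {"roles": ["helpdesk"], "domains": ["west-devices"]},
    "bob":   {"roles": ["helpdesk", "sw-upgrade", "user-admin"],
              "domains": ["west-devices", "all-branches"]},
    "carol": {"roles": ["sw-upgrade"], "domains": ["datacenter", "all-branches"]},
}
# Pages whose write access lets a user change who can do what.
SENSITIVE_PAGES = {"System > AAA > Users", "System > AAA > Roles"}


def effective_pages(user):
    """Effective page permissions are the sum (union) of all assigned roles."""
    pages = set()
    for role in USERS[user]["roles"]:
        pages |= ROLES[role]
    return pages


def effective_devices(user):
    """Effective device scope is the sum (union) of all assigned domains."""
    devices = set()
    for name in USERS[user]["domains"]:
        kind, members = DOMAINS[name]
        if kind == "device":
            devices |= members
        elif kind == "group":
            for group in members:          # expand each device group to its WAEs
                devices |= DEVICE_GROUPS[group]
        else:
            raise ValueError(f"unknown domain type {kind!r} in {name!r}")
    return devices


def sensitive_grants(user, sensitive=SENSITIVE_PAGES):
    """Return {sensitive page: [roles granting it]} for one user."""
    grants = {}
    for role in USERS[user]["roles"]:
        for page in ROLES[role] & sensitive:
            grants.setdefault(page, []).append(role)
    return {page: sorted(roles) for page, roles in grants.items()}


def access_review():
    """One row per user: effective pages, effective devices, sensitive grants."""
    return [{
        "user": user,
        "pages": sorted(effective_pages(user)),
        "devices": sorted(effective_devices(user)),
        "sensitive": sensitive_grants(user),
    } for user in sorted(USERS)]


if __name__ == "__main__":
    for row in access_review():
        flag = "REVIEW" if row["sensitive"] else "ok"
        print(f'{row["user"]:6} {flag:6} pages={len(row["pages"])} devices={row["devices"]}')
        for page, roles in sorted(row["sensitive"].items()):
            print(f"         read-write on {page!r} via {roles}")
```

Because roles are read-write only, any user the review flags can modify the AAA pages listed, not just view them.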

Centralized Authentication and Central Manager Users

To configure centralized authentication for Central Manager, open the Central Manager WAE
Device home page and choose Devices > Devices > Central Manager WAE. From there,
choose General Settings > Authentication > Authentication Methods and choose an
authentication method.
Central Manager can be configured to use the following authentication providers:

TACACS

RADIUS

Active Directory

Local user account database

Domain Authentication Configuration


To integrate a WAE device into a Microsoft domain via the Central
Manager GUI for centralized authentication, click the Edit icon next to
the name of the WAE to be integrated.

Central Manager is the preferred mechanism for integrating WAEs into Active Directory. The
majority of these tasks can be handled from the WAE home page by navigating to Devices >
Devices > (WAE).

Domain Integration

A series of tasks must be completed before a WAE can be successfully integrated into a
Windows domain. These tasks include the following:

Configure time settings and time zone, or alternatively, Network Time Protocol (NTP);
WAEs must not exceed 5 minutes variance from the domain controller and Kerberos Key
Distribution Center (KDC).

Forward and reverse domain name system (DNS) lookup entries must be created for the
WAEs before integrating into the domain.

WAE devices are integrated into a Windows domain by choosing Devices > Devices > (WAE)
> General Settings > Authentication > Windows Domain. Ensure that advanced settings are
shown. From the table of contents choose General Settings > Authentication > Windows
Domain, and supply the following parameters:

Windows authentication for WAN failure: This setting enables WAFS disconnected
mode, because the domain controller must be reachable during WAN disconnection.

Windows authentication for login and configuration: This setting enables management
and domain integration.

Administrative group for normal users.

Administrative group for super users.

Windows authentication protocol: This parameter is set to NT LAN Manager (NTLM)
v1 or v2, or Kerberos; choose only one of these alternatives.

Authentication protocol parameters: These include protocol version, Kerberos realm,
KDC, and organizational unit (OU).

Domain controller name or fully qualified domain name (FQDN): The FQDN is
preferred.

Credentials for user with sufficient rights for adding the WAE into the domain.

Click the Submit button first to ensure that your settings are saved. Next, resupply the domain
controller and credentials and click Register.

Domain Integration (Cont.)

After completing the domain integration, you can use the Show Authentication Status button
to verify that the WAE joined the domain successfully.
From this page, Central Manager provides a utility to verify domain integration for a specific
WAE. Click Show Authentication Status to verify domain integration and identify problem
areas. The following areas are verified:

Domain trust secret

Domain sequence numbers

Domain information

Time skew

If any of the items fail, the utility tells you how to correct the situation. After correction, the
join can be attempted again.
Note

The Microsoft Active Directory Users and Computers MMC snap-in can be used to verify
that a WAE has properly joined the domain. If the domain join was successful, the WAE
should appear as a computer in the domain.

Managing Software Distribution and Upgrade


This topic explains how to use Central Manager to upgrade or downgrade WAEs within a Cisco
WAAS topology.

Managing Software Versions


Software images are not stored on Central Manager and
only download locations are defined. Many software
versions can be stored concurrently.
To edit a software URL, click the Edit icon. To add a new
software URL, click the New icon.

Central Manager provides a facility for centralized software distribution, upgrade, and rollback.
Software download access can be configured to use either FTP or HTTP. Software updates can
be applied to individual devices or to entire device groups.
To add a software version to Central Manager, click the Software Files link from the System
tab.
Central Manager only stores links to download locations and credentials. The number of links
that can be stored in Central Manager is beyond practical measure, because each link entry is
less than 1024 bytes long and consumes no processor or memory resources.

Adding Software Images

To add a software image, click the Add Software Image icon on the Software Files page.
From there, specify the following parameters:

URL: Protocol, server, path, and file name

User name to be used when acquiring the image

Password to be used when acquiring the image

Software version

File size

Automatic reload: Selecting this option causes WAEs to automatically reboot after the
image is downloaded. This selection causes an immediate upgrade.

Applying Software Images

Software images can be applied directly against a WAE by navigating to Devices > Devices >
(WAE Device) > Home. Click the Update Software icon on the home page for the selected
device to complete this task.
Software images can be applied directly against a Device Group (the recommended update
method) by choosing Devices > Device Groups > (Device Group) > Software Update.
Note

Devices automatically reload if the software image definition is configured with autoreload.
Software images are not applied until the WAE reboots.

A WAE automatically stores two versions of software. The first or primary version is the
version the WAE uses for the boot. Any previously installed software version automatically
becomes the secondary version and is stored for backup use. Each software upgrade moves the
last primary version into secondary position. If the primary version fails to boot, it is discarded
and the WAE automatically boots from the secondary version.

Monitoring Software Installation Status


Software installation status can be viewed from the
Devices home page.

After a WAE or device group is configured to install a particular software image, the WAEs
begin the installation processes. The status of these processes can be tracked by selecting the
Devices link from the Devices tab.
Device status can be one of the following:

Pending: The upgrade process has not started.

Proceeding with Download: The download begins.

Download in progress: The file is currently being transferred.

Proceeding with flash write: The file is being written to flash.

Rebooting: The WAE is rebooting to install the new software image.

Note

Software distribution and installation cannot be cancelled from the Central Manager.

Configuring High Availability


This topic describes the configuration of High Availability options for Central Manager.

Central Manager High Availability


One WAE can be configured as a standby Central
Manager.
Configuration is replicated from the primary Central
Manager to the standby Central Manager based on the
datafeed.pollRate setting.
Information is exchanged using the same Central
Manager to WAE communication that occurs between
every WAE and the Central Manager.

Up to two WAEs in a deployment can be configured as Central Manager WAEs: one to
function as the primary WAE and one to function as a standby. The standby Central Manager
WAE must register with the primary. Configuration tasks are replicated from the primary
Central Manager to the standby during the standard LCM polling cycle. This exchange and all
WAE communications are secured. The configuration coherency is limited only by the
specified value of the system datafeed pollrate.

Configuring a Standby Central Manager


Configuring a standby Central Manager WAE requires
the following designations:
Specify the device mode of central-manager
Specify the CDM role of standby
Enable the Cluster Management Suite

The process of configuring a standby Central Manager is identical to the process of configuring
a primary Central Manager with the exception of assigning the Content Distribution Manager
(CDM) role as standby.

Central Manager Failover and Failback


Failover and failback are manual processes that must be
initiated on the WAE by the administrator.
To demote a primary Central Manager to standby, issue
the following command:
WAE(config)# cdm role standby

To promote a standby Central Manager to primary, issue
the following command:
WAE(config)# cdm role primary

Central Manager is key based, and the key is shared by all of the WAEs in the deployment.
This approach allows a standby Central Manager to take over as a primary. In situations where
the primary fails and cannot be explicitly configured as standby, you can manually promote the
standby to primary until the failed WAE is repaired or replaced. When the WAE is ready to
return to service, first demote the primary back to standby, and then bring the primary up.

Central Manager Backup


The Central Manager database can be backed up from
the primary or standby Central Manager WAE using the
following command:
cms database backup

The resulting database dump file is then copied from the
Central Manager WAE to another location on the network
using FTP:
waas-cm#cms database backup
Creating database backup file cms-db-03-13-2006-05-07.dump
Backup file local1/cms-db-03-13-2006-05-07.dump is ready.
Please use `copy' commands to move the backup file to a remote host.

Use the cms database backup command to initiate a backup of the Central Manager database.
The output of the backup file is placed in the /local/local1 directory, which is the default
directory for copy operations when copying from disk.

Central Manager Backup (Cont.)


waas-cm#copy disk ftp 10.10.10.100 / acns-db-03-13-2006-05-07.dump
/local1/acn$
Enter username for remote ftp server: administrator
Enter password for remote ftp server:
Initiating FTP upload...
Sending: USER administrator
Microsoft FTP Service
Password required for administrator.
Sending: PASS ***********
User administrator logged in.
Sending: TYPE I
Type set to I.
Sending: PASV
Entering Passive Mode (10,10,10,100,128,149).
Sending: CWD /
CWD command successful.
Sending PASV
Entering Passive Mode (10,10,10,100,128,150).
Sending: STOR acns-db-03-13-2006-05-07.dump
Data connection already open; Transfer starting.
Transfer complete.
Sent 146747 bytes

Use the copy disk ftp command to move the Central Manager database backup file to an FTP
server. The format of this command follows:
WAE# copy disk ftp <ipaddr> <directory where file is located><filename>

Central Manager Restore


Before restoring the Central Manager database, first
disable CMS services using the following command:
no cms enable

Next, copy the Central Manager database (if necessary)
from the network to a location on the Central Manager
WAE disk:
copy ftp disk (ipaddr) (ftp_dir) (filename) (local filename)

Finally, restore the database using the following
command:
cms database restore (dir/filename)

The Central Manager restore process requires that you first disable Cluster Management Suite
(CMS). After disabling CMS, download the Central Manager database backup file from FTP
and issue the CMS restore command to reenable CMS.

System Settings and Device Recovery


This topic describes the system settings that can be configured in Central Manager and explains
the purpose of each.

Central Manager System Settings

Systemwide settings for Central Manager can be configured by clicking the Configuration link
on the System tab.
These systemwide settings include the following commonly used parameters:

Central Manager Session Timeout: This is the amount of idle time before Central
Manager automatically logs out the current user.

Data Feed Pollrate: This is the frequency at which the Central Manager and WAE
exchange configuration information during the LCM cycle.

Device Identity Recovery Key: This key is used to recover device identity if the device is
replaced or otherwise rebuilt from factory conditions.

Health Monitor Data Collection Rate: This is the frequency at which the WAEs transfer
health monitoring information to the Central Manager.

Application Monitor Data Collection Rate: This is the frequency at which application
statistics are transferred from WAEs to the Central Manager.

It is recommended for most deployments that System.monitoring.collectRate and
System.datafeed.pollRate be set to 60:

System.monitoring.collectRate is the interval at which devices send application statistics up
to the Central Manager. These statistics are the basis for the graphs in the main Central
Manager window.

System.datafeed.pollRate is the interval at which devices poll the Central Manager for
configuration updates.

WAE Device Recovery

Before device recovery can begin, the device must first be deactivated and specified as
replaceable. You can accomplish these tasks from the Device home page by choosing Devices
> <device> > Activation and selecting the device to be deactivated.

WAE Device Recovery (Cont.)


After the WAE is marked as deactivated and replaceable,
execute the following command from the WAE CLI to
recover its identity:
cms recover identity <key>

After recovery, the WAE must be reactivated from within
Central Manager:
edge-wae#cms recover identity default
Registering WAAS Application Engine...
Sending identity recovery request with key default
Registration complete.

Device identity recovery is initiated using the following command:


cms recover identity <key>

After recovery, the WAE registers itself as the device that was specified as replaceable.

Fast Device Offline Detection

Central Manager can be configured to use Fast Device Offline Detection to proactively mark a
device as offline. To enable this feature, choose System > Configuration > Fast Device
Offline Detection.
Enabling this feature causes Central Manager to mark a device offline based on the settings
specified within this page. These settings include:

Enabling Fast Device Offline Detection

Heartbeat rate of exchange: This setting defines how frequently the WAEs and Central
Manager exchange heartbeat information. These exchanges are separate from those
performed in the LCM cycle.

Heartbeat fail count: This setting defines how many heartbeat exchanges can be missed
before Central Manager marks a WAE as offline.

Heartbeat User Datagram Protocol (UDP) port: This setting specifies the UDP port to
use for heartbeat information.

Normally, Central Manager marks a device as offline when three LCM cycles are unsuccessful.
The time interval associated with this function is based on the datafeed pollrate value in the
system settings.


Summary
This topic summarizes the key points that were discussed in this lesson.

Central Manager provides a robust, scalable, and secure single point of management for a Cisco WAAS topology.

Devices must register with Central Manager and be activated before they can participate as application accelerators.

Device groups provide an easy way for administrators to simplify configuration of application policy and other acceleration features.

Role-based access control allows for the definition of features, management pages, devices, and device groups that a user can access.

Central Manager can be used to automate the distribution and installation of device software to WAEs within a topology.

A standby Central Manager WAE can be configured to support environments where high availability is critical.

Lesson 4

Configuring Application Traffic Policies

Overview
This lesson explains how to configure application traffic policies.

Objectives
Upon completing this lesson, you will be able to explain how to configure application traffic
policies. This includes being able to meet these objectives:

Explain the purpose and use of application traffic policies

Describe the default application traffic policy that can be used to minimize administrative
configuration tasks

Explain how application definitions can be used for reporting statistics

Explain how policy maps are used to assign a classifier to an application

Identify the traffic policies that are configured for file services and UUID-based
classification

Explain how to use the WAE device CLI to monitor WAAS optimizations and their
effectiveness

Using Application Traffic Policies


This topic describes the purpose and use of Application Traffic Policies (ATPs) in a Cisco
WAAS network.

ATP Functional Components

[Figure: Application Definition, Traffic Classifier, Policy Map]

The ATP is a device-specific or global policy that defines WAE behavior when specific traffic
types are encountered. ATPs can be configured for individual WAEs, or they can be configured
globally through the WAAS Central Manager. To perform global configuration, the WAEs in
the topology must first be registered with the Central Manager.
ATPs support up to 256 application definitions, 512 classifiers, and 1024 match conditions.
Cisco WAAS comes preloaded with an ATP configuration containing over 30 application
groups with over 150 unique application classifiers. The default configuration that is included
with Cisco WAAS addresses the majority of enterprise applications today.


Application Definition
The application definition provides a logical grouping of traffic types.

Statistics from traffic classifiers mapped to an application through a policy map report through the application definition.

Monitoring is enabled per application definition.

Applications are assigned to devices or device groups.

The application definition provides a logical grouping of traffic types to support the monitoring
and collection of statistics. Monitoring must be enabled on an application group before
statistics can be gathered through the Central Manager polling cycle. Application definitions
can be globally-configured within Central Manager and then assigned to devices or device
groups, or they can be defined directly on individual WAEs.


Traffic Classifier
The traffic classifier is used to identify a connection as a specific type.

Actions are taken against the classifier based upon the configured policy map.

Statistics count toward the application definition that the classifier is assigned to via the policy map.

Classification is based on source or destination L3 and L4 parameters.

Valid match conditions include:

Source IP address
Source IP subnet
Destination IP address
Destination IP subnet
Source TCP port or range
Destination TCP port or range
All traffic

A traffic classifier is used to classify the traffic that is received by a WAE. Traffic classifiers
are based on:


Source IP address or subnet

Destination IP address or subnet

Source TCP port or range

Destination TCP port or range

All traffic


Policy Map
A policy map performs two primary functions:

Associates a traffic classifier to an application definition for reporting purposes.

Assigns an action to be taken against traffic that matches a traffic classifier.

Policy maps are applied based on their ordering within Central Manager, or on the device itself.

Policy map actions include:

Pass-through

Optimize: TFO, TFO + LZ, TFO + DRE, or Full (TFO + DRE + LZ)

Accelerate: Application adaptor or UUID

A policy map associates classified traffic to an application definition that enables reporting and
monitoring. The policy map also assigns the actions to be taken against matching traffic. These
actions or optimizations include the following:

Pass-through: This optimization is performed at a very low layer in the WAE.

TCP optimize: Transport Flow Optimizations (TFO) only. This optimization is commonly
used for traffic that is encrypted or previously compressed and is not highly
repeatable.

TCP optimize and Lempel-Ziv (LZ) compression: This optimization is commonly used
for interactive applications that use very small exchanges, such as telnet, where Data
Redundancy Elimination (DRE) offers little value.

TCP optimize + DRE: This optimization is commonly used for applications where the
traffic is encrypted or previously compressed but highly repeatable, and where LZ does not
provide significant value.

Optimize full: This optimization includes TFO, DRE, and LZ.

Classified traffic can also be handed to an application adaptor, in a process called acceleration:

End Point Mapper (EPM): This adaptor allows the WAE to identify an application's
dynamically assigned port number, which is useful for applications that first transmit a
universally unique identifier (UUID) on TCP port 135 to request a dynamically assigned
port. The WAE intercepts these messages and dynamically builds a policy based on the
dynamically assigned port.

WAFS Accept: This adaptor allows the WAE to act as a file server proxy-cache.

WAFS Transport: This adaptor allows the WAE to optimize the Common Internet File
System (CIFS) flows that must traverse the WAN.

A policy that does not use an application adaptor is considered a basic policy, unless it is
defined for all traffic, in which case it is considered an other policy. Application policies are
applied based on the priority assignment of the policy within Central Manager.

Default Policies
This topic describes the Cisco-provided default application traffic policy and explains its use.

Default Application Policy Logic


The following logic was applied to the applications identified for WAASv4 optimizations:

Condition                         Action   Logic
Encrypted with fixed keys         FULL     Encryption won't change, therefore DRE is effective across multiple sessions
Encrypted with time and session   TFO      Encryption will change, DRE is probably not effective
Compressed and repeatable         FULL     DRE is effective because the sequences are likely to be repeated. Example: video streams
Transient compressible data       TFO+LZ   DRE is effective because the data being transferred is small and probably not repeatable
Small packets but repeatable      FULL     DRE is a good fit because the data is probably repeatable
Anything using DRE                LZ       DRE signatures are compressible with LZ

Cisco WAASv4 ships with an embedded, robust default application policy that provides the
following:

25+ application definitions

150+ traffic classifiers

associated actions (policy maps)

The default application policy can be enabled on a device or device group in Central Manager,
or it can be enabled through the command-line interface (CLI).


Enabling the Default Policy


Enable the default policy on a WAE or group of WAEs by clicking the restore default policy
icon on the Device Groups page of Central Manager. After enabling the default policy, click ok
to verify this action and propagate the policy to the WAE or the device group during the Local
Central Manager (LCM) polling cycle.
To enable the default policy on an individual WAE using the WAE CLI, execute the following
commands:
WAE# config term
WAE(config)# policy-engine config restore-predefined

To enable the default policy on a device group of WAEs using Central Manager, open the
device group and click the Restore default application policies button. This lesson assumes that
the default policy has been applied to all WAEs in the WAAS topology.


Controlling WAE Optimization Features


Global optimization capabilities for a WAE device or a WAE device group can be configured
at Devices > (Devices or Device Groups) > (Entity Name) > Acceleration > General Settings.
Any feature with a checkmark next to it is enabled. Any feature missing a checkmark is
disabled. If a WAE is configured to explicitly pull its policy and configuration from a device
group, as shown here, this page does not allow you to modify these settings. In this case,
modify the settings in the device group configuration page.


Creating Application Definitions


This topic explains how to configure application definitions, enable monitoring, and assign
application definitions to devices or device groups.

Managing Application Definitions


Application definitions are groups used to bundle classifiers into a common reporting entity.
Application definitions are configured from the Applications panel of Central Manager. When
using the default application traffic policy, all of the applications shown on this panel are
preconfigured.
The Applications panel allows you to create a new application definition or modify existing
application definitions. Statistics from associated classifiers are gathered and reported
cumulatively by the application definition, and individual classifier statistics are available.
To edit an existing application definition or enable an application for monitoring, click the edit
application icon next to the application name. To create a new application definition, click the
new icon.
At the edge-wae# prompt, use the show policy-engine application name command to view a list of
application definitions that are provided by the Cisco WAAS default application policy. The
number shown in parentheses represents an identifier that is used internally:
Number of Applications: 28

1. Authentication (15)
2. Backup (17)
3. Call-Management (18)
4. Conferencing (8)
5. Console (4)
6. Content-Management (20)

7. Directory-Services (6)
8. Email-and-Messaging (12)
9. Enterprise-Applications (13)
10. File-System (2)
11. File-Transfer (16)
12. Instant-Messaging (22)
13. Name-Services (25)
14. Network-Analysis (26)
15. Peer-to-peer (P2P) (9)
16. Printing (14)
17. Remote-Desktop (5)
18. Replication (21)
19. Structured Query Language (SQL) (1)
20. Secure Shell (SSH) (24)
21. Storage (27)
22. Streaming (10)
23. Systems-Management (3)
24. Virtual private network (VPN) (23)
25. Version-Management (7)
26. WAFS (11)
27. Web (19)
28. Other (0)
Note

Enabling an application for monitoring enables the exchange of application data between the
Central Manager and the WAEs to which the application is assigned.

Managing Application Definitions (Cont.)


After an application is defined, it must be assigned to a WAE or a device group before
statistics on that application can be gathered. Application assignment is performed from the
Applications panel of Central Manager.

Note

Check the enable statistics box to gather statistics relative to this application from the
assigned WAEs.

Assigning Applications to a Device Group

Select the devices or device groups to be added to the WAE and click the submit button. All
configuration changes are propagated to the WAEs that are in the device group.


Managing Policies
This topic examines the purpose and use of policy maps.


A policy map associates an action with a classifier, and assigns optimization statistics to an
application.
Policy Maps are configured on a device or a device group through Central Manager by
navigating to Devices > Device Groups > (name) > Acceleration > Policies > Definitions.
The device group policies page allows you to perform the following functions:

Edit an existing policy

Create a new policy

Change the order of applied policy

Restore default policy

Force policy settings on device group members

Policy maps have assigned priorities, as indicated by the Type - Position column shown in the
figure. These assigned priorities can be changed from within Central Manager. An Other
policy, located at the bottom of the policy definition list, is used when no classifiers match the
traffic found. The Other policy is required for the system to function properly and is added
automatically when the default policy is installed. The Other policy can be adjusted to tune the
level of optimization applied to flows that could not be classified.


Editing Policies


Policy configuration requires the definition of several parameters:

Type

Application

Classifier

Action

EPM traffic

Position

The type parameter can be:

Basic: A basic policy is identified by Layer 3 or Layer 4 identifiers such as IP or TCP
information.

EPM: An EPM policy is identified by a UUID, for instance, Exchange or Active Directory
Replication.

WAFS accept: A WAFS accept policy is used to route CIFS traffic for file servers
configured for acceleration to the CIFS application adaptor.

WAFS transport: A WAFS transport policy is used to optimize CIFS flows between
WAEs traversing the WAN for file servers that are configured for acceleration.

The application parameter defines the application that is associated with the statistics.
The classifier parameter is used to identify relevant traffic.
The action parameter specifies how the WAE is to respond to a flow when identified, and
determines the optimizations to list as desirable during the automatic discovery process:


Passthrough: No optimizations are applied.

TFO only: Only TFO optimizations are applied to this flow.


TFO with Data Redundancy Elimination: TFO and DRE are applied to this flow.

TFO with LZ Compression: TFO and LZ compression are applied to this flow.

Full Optimization: DRE, TFO, and LZ compression are applied to this flow.

The position parameter can be manually set here to one of the following:

First (in the list): This policy is the first policy that flows are compared against.

Last (in the list): This policy is the last policy that flows are compared against.

Specific (position): This policy must be inserted at a specific position within the list.

Additionally, policy prioritization can be manually adjusted by clicking the Prioritization table
of contents item at the left of the panel.
Note

DRE and LZ compression require the use of TFO, as TFO is the data path for the WAEs.

EPM Traffic Parameter


Only select the Inspect for EPM traffic parameter if the policy is an EPM policy.
Policies can also be created via the CLI of an individual WAE; however, this is not
recommended, because it can easily lead to policy overlap, policy underlap, or misconfigured
policies when working in large networks.


Managing Policy Priority


When a WAE receives a TCP synchronize (SYN) message, it scans the policy list and uses the
first match it finds. This approach is helpful when policies overlap, or
when a specific policy is preferred.
For example, an IT organization can choose to have all HTTP traffic configured for full
optimization, with the exception of traffic originating from the server with IP address 2.2.2.2,
which is configured for pass-through. To fulfill this example, two policies are created:

Policy 1: This policy matches traffic on destination port TCP 80 (HTTP), and specifies full
optimization.

Policy 2: This policy matches traffic on destination port TCP 80 (HTTP) and destination IP
address of 2.2.2.2, and specifies pass-through.

To continue this example, policy 2 is configured with a higher priority than policy 1, so that
any traffic to 2.2.2.2 on TCP 80 (HTTP) is passed-through with no optimizations, while all
other HTTP traffic is fully optimized.
Policy priority can be changed through the policy definition page by specifying first, last, or
specific position, or by using the arrows found in the move column of the policy definition
page.


Managing Classifiers


Classifiers are used to identify flows and associate those flows to the assigned policy. Each
classifier must have a unique name. A classifier can contain one or more match conditions.
Each match condition can contain parameters the WAE can use when identifying traffic:

Source IP address or subnet

Destination IP address or subnet

Source TCP port or port range

Destination TCP port or port range

To edit a match condition within a classifier, click the Edit icon on the Application Classifier
panel. To create a new match condition within a classifier, click the New icon.


Configuring Match Conditions


The Match Conditions panel allows you to define classifier match conditions. The following
parameters can be supplied:

Match all: Any and all traffic is considered a match by this classifier.

Destination IP address: Enter a specific IP address or a subnet in this field to classify a
specific destination node or network.

Destination IP wildcard: This parameter is the inverse of the subnet mask. Use this field
only when supplying a specific destination IP address or subnet.

Destination port start: To specify a single destination port definition, enter the port
number in this field. To configure a range of destination ports, enter the first port of the
range in this field.

Destination port end: Use this field only when defining a port range. Enter the last port of
the range in this field.

Source IP address: Supply a specific IP address or a subnet to assign classifications
against a specific source node or network.

Source IP wildcard: This parameter is the inverse of the subnet mask. Use this field only
when supplying a source IP address or subnet.

Source port start: To specify a single source port definition, enter the port number in this
field. To configure a range of source ports, enter the first port of the range in this field.

Source port end: Use this field only when defining port ranges. Enter the last port of the
range in this field.

Supply the necessary information and click the Update Classifier button at the bottom of the
panel to save the match criteria.
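
The first-match evaluation described under Managing Policy Priority, combined with the wildcard and port-range match conditions listed above, as an added Python example. It is not Cisco code or WAE configuration; the Match and Policy classes, the policy names, and the action given to the Other policy are assumptions. It also flags a policy that can never take effect because a broader policy sits above it, which is how an intended pass-through exception is silently lost.

```python
import ipaddress
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF
ANY_IP, ANY_WILDCARD, ANY_PORTS = "0.0.0.0", "255.255.255.255", (0, 65535)


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _ip_match(addr, base, wildcard):
    care = ~_ip(wildcard) & MASK32          # wildcard = inverse of the subnet mask
    return (_ip(addr) & care) == (_ip(base) & care)


def _ip_covers(base_a, wild_a, base_b, wild_b):
    care_a, care_b = ~_ip(wild_a) & MASK32, ~_ip(wild_b) & MASK32
    # a covers b when a tests no bit that b leaves free and both agree on a's bits
    return (care_a & ~care_b) == 0 and (_ip(base_a) & care_a) == (_ip(base_b) & care_a)


@dataclass(frozen=True)
class Match:
    """One classifier match condition; the defaults behave like 'match all'."""
    dst_ip: str = ANY_IP
    dst_wildcard: str = ANY_WILDCARD
    dst_ports: tuple = ANY_PORTS            # (start, end); single port = (p, p)
    src_ip: str = ANY_IP
    src_wildcard: str = ANY_WILDCARD
    src_ports: tuple = ANY_PORTS

    def matches(self, src_ip, src_port, dst_ip, dst_port):
        return (_ip_match(src_ip, self.src_ip, self.src_wildcard)
                and _ip_match(dst_ip, self.dst_ip, self.dst_wildcard)
                and self.src_ports[0] <= src_port <= self.src_ports[1]
                and self.dst_ports[0] <= dst_port <= self.dst_ports[1])

    def covers(self, other):
        """True when every flow matching `other` also matches this condition."""
        return (_ip_covers(self.src_ip, self.src_wildcard, other.src_ip, other.src_wildcard)
                and _ip_covers(self.dst_ip, self.dst_wildcard, other.dst_ip, other.dst_wildcard)
                and self.src_ports[0] <= other.src_ports[0] and other.src_ports[1] <= self.src_ports[1]
                and self.dst_ports[0] <= other.dst_ports[0] and other.dst_ports[1] <= self.dst_ports[1])


@dataclass(frozen=True)
class Policy:
    name: str
    conditions: tuple                       # a classifier holds one or more match conditions
    action: str


def first_match(policies, flow):
    """Return the first policy in list order whose classifier matches the flow."""
    for policy in policies:
        if any(m.matches(*flow) for m in policy.conditions):
            return policy
    raise LookupError("no policy matched: the list has no match-all Other policy")


def shadowed(policies):
    """(policy, earlier policy) pairs where the earlier policy matches everything
    the later one can, so the later policy never takes effect."""
    found = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if all(any(e.covers(m) for e in earlier.conditions) for m in later.conditions):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed policies modelled on the HTTP example in the text. The policy names
# and the action of the Other policy are assumptions made for this example.
HTTP_FULL = Policy("http-full", (Match(dst_ports=(80, 80)),), "full")
HTTP_EXCEPTION = Policy("http-2.2.2.2-passthrough",
                        (Match(dst_ip="2.2.2.2", dst_wildcard="0.0.0.0", dst_ports=(80, 80)),),
                        "pass-through")
OTHER = Policy("other", (Match(),), "tfo-only")

INTENDED = [HTTP_EXCEPTION, HTTP_FULL, OTHER]    # specific policy has higher priority
MISORDERED = [HTTP_FULL, HTTP_EXCEPTION, OTHER]  # broad policy listed first

if __name__ == "__main__":
    flow = ("10.0.0.5", 40000, "2.2.2.2", 80)    # src ip, src port, dst ip, dst port
    for label, plist in (("intended", INTENDED), ("misordered", MISORDERED)):
        print(label, first_match(plist, flow).action, shadowed(plist))
```

Running the same shadow check over an exported policy list before reordering it shows which exceptions would stop matching.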


Examining Configured Policies


The Central Manager allows an administrator to view the policies that have been applied to
each device and device group. This function is useful for identifying policies that overlap or
conflict with other classifications. Click the Edit icon next to the device or the device group, to
view the policy listing page for that device or group.


Examining Configured Classifiers


The Central Manager allows an administrator to view all of the classifiers that are defined
within the system. This function is useful for identifying overlapping or conflicting classifiers.
Click the View icon next to the classifier to view the parameters defined for that classifier.
From this page, click the Edit icon next to the appropriate device or device group to modify the
settings for that classifier.


Configuring Adaptor Policies


This topic describes adaptor policies and explains how to configure them.


Adaptor policies define the optimization to apply to a specific type of flow. Adaptor policies
are automatically configured as part of the default application policy. Valid adaptors in
WAASv4 include the following:

CIFS-Accelerator: This adaptor accepts incoming CIFS traffic on TCP139 or TCP445
(subject to Edge services port configuration) and is used by the CIFS policy.

WAFS Transport: This adaptor specifies TCP4050, which is used between WAFS Edge
and Core devices for CIFS acceleration and, more specifically, messages that must be sent
across the WAN for CIFS-accelerated connections.

EPM: This adaptor listens on TCP135, identifies the UUIDs of an application, and assigns
policy to the dynamically-assigned port.


CIFS Policy


The CIFS policy in this figure is configured to perform two actions:

Full optimization, when a server cannot be CIFS accelerated due to Server Message Block
(SMB) signing

CIFS acceleration, when a server can be CIFS accelerated by WAAS

The application classifier used by the CIFS policy is CIFS, which references TCP ports 139 and
445. When a user attempts a connection to a CIFS file server through an edge WAE running the
WAFS Edge service, the WAE initiates a query of the connected core cluster (containing WAEs
running the WAFS Core service) to find which is closest. A connection is then established to the
core cluster that responds the fastest.
The configuration of the CIFS policy should be as follows (and is configured this way by
default):


Type: Basic

Application: File-System

Application Classifier: CIFS

Action: Full Optimization

Accelerate: CIFS Accelerator

Enabled: Yes


WAFS Transport Policy


The WAFS Transport adaptor dynamically builds its own classifier based on the WAFS
service, directive configuration, and file servers that have been explicitly defined or
automatically discovered. This policy is used to define full optimization for traffic from the
CIFS accelerator that needs to traverse the WAN. This policy is already built as part of the
default application traffic policy, and must be enabled on any WAE that is participating in file
services optimizations as a Core or Edge WAFS device.
The WAFS Transport policy is configured as follows:

Type: WAFS Transport

Application: WAFS

Application Classifier: Match All Traffic

Action: Full Optimization

Enabled: Yes


EPM Policy Configuration


The EPM adaptor is used for applications that use dynamic port assignment via TCP135. The
EPM adaptor intercepts exchanges for dynamic port requests to allow WAAS to apply
optimization against the port assigned. UUIDs are predefined and associated with canonical
names in the GUI:

Messaging Application Programming Interface (MAPI) Exchange

Microsoft SQL (MS-SQL)

File Replication Service

Active Directory Replication

The default application policy includes policies for each.


Monitoring Optimizations
This topic explains how to use the WAE device CLI to examine the optimizations applied to
traffic flows, and how to judge the effectiveness of those optimizations.

Optimization Topology and Peers


Central Manager provides an overview of optimization effectiveness, device-specific
optimizations, and connected peers.

[Figure callouts: WAE Details, Connection]

Central Manager allows the administrator to view established optimized connections between
WAEs. To perform this function, navigate to the Topology page and examine the statistics
related to a connection, or to an individual device.


Optimization Topology and Peers (Cont.)


From the topology view, select a WAE and then click
Traffic Statistics Details to view detailed traffic statistics:


From the topology panel, select a WAE and click the Traffic Statistics Details link to view
detailed traffic statistics for that device. Note the following information, which can be filtered
by timeframe or direction of flow:


Bytes transmitted

Bytes per hour average

Bytes savings

Percent reduction (with or without pass-through)

Pass-through traffic

WAN capacity increase


Central Manager Detailed Report


[Figure callouts]

Export to CSV

Chart options: Application Traffic Mix, Application Traffic, Pass-through Traffic Mix, Pass-through Traffic, Reduction Percentage, Optimized vs. Pass-through

Timeframe: Hour, Day, Week, Month, Custom

Applications to include or All

The Central Manager detailed report allows you to specify the type of chart to examine:

Application traffic mix

Reduction (including pass-through)

Reduction (excluding pass-through)

This chart can be small, medium, or large in size, and can be filtered for a specific timeframe:

Hour

Day

Week

Month

Date range

Specific applications can be selected, or all applications can be selected.


Central Manager Detailed Report Example

This example of a large report shows statistics for the past month for traffic reduction excluding
pass-through. Four traffic types provide the basis for this report. This particular report shows
the percentage of bandwidth reduction provided by Cisco WAAS over the previous month for
all traffic and three specific application groups.


CLI Optimized Connection Monitoring


The CLI provides full visibility into optimizations applied
and their effectiveness:
Health of acceleration services
Auto-discovery statistics
Summary of optimizations with a specific peer
Summary of connections being optimized
Optimizations applied to connections
Optimizations applied for specific applications
Savings for specific applications


The device CLI provides full visibility into optimizations applied and their effectiveness,
including:

Health of acceleration services

Auto-discovery statistics

Summary of optimizations with a specific peer

Optimizations applied to connections

Optimizations applied for specific applications

Savings for specific applications


Health of Acceleration Services


To view the health of acceleration services on a WAE,
use the show tfo accelerators command:
edge-wae# sh tfo accelerators
Name: TFO
State: Registered, Handling level: 100%
Keepalive timeout: 3.0 seconds, Session timeouts: 0, Total timeouts: 0
Last keepalive received 00.1 Secs ago
Last registration occurred 03:57:27.6 Hours:Mins:Secs ago
Name: EPM
State: Registered, Handling level: 100%
Keepalive timeout: 5.0 seconds, Session timeouts: 0, Total timeouts: 0
Last keepalive received 00.0 Secs ago
Last registration occurred 03:57:26.2 Hours:Mins:Secs ago
Name: CIFS
State: Registered, Handling level: 100%
Keepalive timeout: 4.0 seconds, Session timeouts: 1, Total timeouts: 1
Last keepalive received 00.6 Secs ago
Last registration occurred 03:55:44.5 Hours:Mins:Secs ago


Acceleration services maintain keepalives with the policy engine. This function ensures that
packets are redirected using the remaining policy engine rules if an accelerator service fails.
The handling level is the load an accelerator service can handle, and is reported to the policy
engine. A handling level of 100 percent indicates the accelerator is healthy, and is capable of
handling all of the workload identified by the policy engine. A handling level of less than 100
percent indicates the accelerator is under load, and is telling the policy engine how much traffic
can be processed.
Generally, the accelerator handling level remains at 100 percent unless the WAE encounters an
overload scenario, based on static system limits. An overload scenario is reached when 98
percent of maximum system limits are encountered. The WAE does not leave the overload
situation until less than 95 percent of maximum system limits are encountered.
Note

The CIFS accelerator only shows up if the WAE is configured with the WAFS Edge service.
WAFS Core WAEs do not have the CIFS accelerator registered with TFO. WAFS Edge
WAEs operating in non-transparent mode show a handling level of 0 percent.
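
The health check described above can be automated against captured `show tfo accelerators` output. The following is an added example, not part of the original course material or Cisco code; the function names and finding labels are hypothetical, and treating a last keepalive older than the keepalive timeout as a finding is an assumption.

```python
import re

# Constructed sample in the format of the `show tfo accelerators` output above.
# TFO and CIFS are copied from the page; the EPM values are altered to show a
# degraded accelerator (handling level below 100%, keepalive overdue).
SAMPLE = """\
Name: TFO
State: Registered, Handling level: 100%
Keepalive timeout: 3.0 seconds, Session timeouts: 0, Total timeouts: 0
Last keepalive received 00.1 Secs ago
Last registration occurred 03:57:27.6 Hours:Mins:Secs ago
Name: EPM
State: Registered, Handling level: 85%
Keepalive timeout: 5.0 seconds, Session timeouts: 0, Total timeouts: 0
Last keepalive received 06.2 Secs ago
Last registration occurred 03:57:26.2 Hours:Mins:Secs ago
Name: CIFS
State: Registered, Handling level: 100%
Keepalive timeout: 4.0 seconds, Session timeouts: 1, Total timeouts: 1
Last keepalive received 00.6 Secs ago
Last registration occurred 03:55:44.5 Hours:Mins:Secs ago
"""

STATE_RE = re.compile(r"State:\s*([^,]+),\s*Handling level:\s*(\d+)%")
KEEPALIVE_RE = re.compile(
    r"Keepalive timeout:\s*([\d.]+) seconds,\s*Session timeouts:\s*(\d+),"
    r"\s*Total timeouts:\s*(\d+)")
LAST_KA_RE = re.compile(r"Last keepalive received\s+([\d.]+) Secs ago")


def parse_accelerators(text):
    """Split the output into one dict per accelerator (TFO, EPM, CIFS, ...)."""
    accels, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            cur = {"name": line.split(":", 1)[1].strip()}
            accels.append(cur)
            continue
        if cur is None:
            continue  # ignore the prompt/command echo before the first block
        m = STATE_RE.match(line)
        if m:
            cur["state"] = m.group(1).strip()
            cur["handling_level"] = int(m.group(2))
            continue
        m = KEEPALIVE_RE.match(line)
        if m:
            cur["keepalive_timeout"] = float(m.group(1))
            cur["session_timeouts"] = int(m.group(2))
            cur["total_timeouts"] = int(m.group(3))
            continue
        m = LAST_KA_RE.match(line)
        if m:
            cur["last_keepalive"] = float(m.group(1))
    return accels


def health_findings(accels):
    """Return (accelerator, issue) pairs for anything that is not fully healthy."""
    findings = []
    for a in accels:
        name = a["name"]
        if a.get("state") != "Registered":
            findings.append((name, "not_registered"))
        # Below 100% the accelerator is telling the policy engine it is under load.
        if a.get("handling_level", 0) < 100:
            findings.append((name, "handling_level_below_100"))
        if a.get("total_timeouts", 0) > 0:
            findings.append((name, "keepalive_timeouts_recorded"))
        # Assumption: a keepalive older than the timeout deserves a closer look.
        if a.get("last_keepalive", 0.0) > a.get("keepalive_timeout", float("inf")):
            findings.append((name, "keepalive_overdue"))
    return findings


if __name__ == "__main__":
    for name, issue in health_findings(parse_accelerators(SAMPLE)):
        print(f"{name}: {issue}")
```

Per the note above, a WAFS Edge WAE in non-transparent mode reports a CIFS handling level of 0 percent, so that finding needs to be read against the deployment mode.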


Auto-Discovery Statistics
Auto-discovery statistics on a WAE can be viewed by
using the show tfo auto-discovery command:
edge-wae# sh tfo auto-discovery
Auto discovery structure allocations failure:          0
Auto discovery structure allocations success:          1092
Auto discovery structure deallocations:                526
Auto discovery table bucket overflows:                 0
Auto discovery table overflows:                        0
Auto discovery table entry adds:                       1092
Auto discovery table entry drops:                      526
Auto discovery table lookups:                          528
Auto discovery table entry count:                      566
Packets sent during auto discovery:                    1577
Packets received during auto discovery:                1620
Number of route lookup failures:                       0
Number of successful route lookups:                    39
Bind hash add failures:                                0

(continued on next page)

The show tfo auto-discovery command provides an overview of the auto-discovery situations
encountered. This command is helpful for identifying the cause of auto-discovery failure.


Auto-Discovery Statistics (Cont.)


(continued from previous page)
Accept socket pair allocation failures:                0
Sock allocation failures:                              0
Sock(u) allocation failures:                           0
Connect socket lookup failures:                        0
Auto discovery failures:                               10
Number of resets received during auto discovery:       0
Packet memory allocation failures:                     0
Auto discovery failures due to insuff. option space:   0
Invalid connection state during auto discovery:        0
Auto discovery failures due to missing ack conf:       0
Successful auto discovery to internal server:          37
Successful auto discovery to external server:          0
Successful auto discovery for an internal client:      478
Successful auto discovery for an external client:      1
Intermediate device:                                   0
SYNs found with our device id:                         0

This listing is a continuation from the previous page.


Optimized Connections Summary


EDGE-WAE# sh stat tfo
Total number of optimized connections                  : 272
No. of active connections                              : 7
Total number of peers                                  : 1
No. of entries into overload mode                      : 0
No. of connections reset due to
  Socket write failure                                 : 0
  Socket read failure                                  : 0
  Opt socket close while waiting to write              : 0
  Unopt socket close while waiting to write            : 250
  Opt socket error close while waiting to read         : 0
  Unopt socket error close while waiting to read       : 2
  DRE decode failure                                   : 0
  DRE encode failure                                   : 0
  Connection init failure                              : 0
  Opt socket unexpected close while waiting to read    : 0
  Exceeded maximum number of supported connections     : 0
  Buffer allocation or manipulation failed             : 0

The show statistics tfo command displays the total number of connections that are optimized
by the system, the number of active connections, and the number of peers. This command is
helpful for determining if the system is operating within static system limits.


TCP Connection Summary


To view all optimized and pass-through connections,
use the show tfo connection summary command:
edge-wae# sh tfo connection summary
Optimized Connection List
F: Full optimization, D: DRE only, L: LZ Compression, T: TCP Optimization
Local-IP:Port        Remote-IP:Port     ConId  PeerId             Policy(O,P,F,A)
1.1.1.100:39556      2.2.2.100:4050     3      00:11:25:ac:3c:5c  F,F,F,F
1.1.1.100:39557      2.2.2.100:4050     4      00:11:25:ac:3c:5c  F,F,F,F
1.1.1.100:39558      2.2.2.100:4050     5      00:11:25:ac:3c:5c  F,F,F,F
10.10.13.100:1336    10.10.10.100:80    6      00:11:25:ac:3c:5c  F,F,F,F
10.10.13.100:1339    10.10.10.100:80    7      00:11:25:ac:3c:5c  F,F,F,F
Pass-Through Connections
Local-IP:Port        Remote-IP:Port     Conn Type
1.1.1.100:39555      2.2.2.100:4050     App Dyn Mtch Optimized

The show tfo connection summary command displays all of the connections that are optimized
and passed-through by the WAE. A table displays the tuple information (source IP, destination
IP, source port, destination port), and the internal connection ID, peer WAE ID, and policy.
Policy descriptors are described as follows:

O: Our policy; this is the policy that is configured on the local WAE

P: Peer policy; this is the policy that is configured on the peer WAE

F: Negotiated policy; this is the least common denominator of the two configured policies

A: Applied policy; this is the policy applied, based on the WAE capabilities and load


Optimizations with a Specific Peer


To view optimization statistics with a specific peer on a
WAE, use the show stat tfo peer command:
edge-wae# sh stat tfo peer
Peer Id:                  00:11:25:ac:3c:5c
NonOpt Bytes Read:        1690902
NonOpt Reads:             2070
Opt Bytes Reads:          808211
Opt Reads:                2158
NonOpt Bytes Written:     802415
NonOpt Writes:            1589
Opt Bytes Written:        1689237
Opt Writes:               2766
Number Encodes:           49
Number Decodes:           80
Active Connections:       2
Total Connections:        520
Last contact time:        Sun Mar 12 20:04:52 2006

Use the show statistics tfo peer command to examine the optimization statistics for all peer
WAEs. Notice the number of encodes, decodes, active connections, and total connections.
Also, note the number of bytes read versus the number of bytes written.


Optimizations Applied to Connections


edge-wae# show tfo connection
Connection Id: 40
Peer Id:                     00:11:25:ac:3c:5c
Connection type:             Int. Client
Source IP Address:           1.1.1.100
Source Port Number:          51524
Destination IP Address:      10.10.10.100
Destination Port Number:     389
Our policy:                  TCP_OPTIMIZE + DRE + LZ
Peer policy:                 TCP_OPTIMIZE + DRE + LZ
Negotiated policy:           TCP_OPTIMIZE + DRE + LZ
Applied policy:              TCP_OPTIMIZE

(continued on next page)

Use the show tfo connection command to view the optimizations applied to all connections on
a WAE device, and the statistics associated with those optimizations.
This command can be filtered to minimize the output by specifying the following parameters:

client-ip

client-port

peer-id

server-ip

server-port

Note the socket information (source and destination IP, and source and destination port), and
the policy information (our policy, peer policy, negotiated policy).


Optimizations Applied to Connections (Cont.)

(continued from previous page)

                               Source <-> WAAS    WAAS <-> Dest
                               (Unoptimized)      (Optimized)
                               0x904595c          0x90457fc
Current Read State:            N. Read Wait       Read Shutdown
Previous Read State:           P. Read Wait       N. Read Wait
Current Write State:           D. Write Wait      D. Write Wait
Previous Write State:          Init               Writing
TCP opt. only xfer mode:       N/A                N/A
Read Buffer Size:              0                  0
Write Buffer Size:             0                  0
Work Buffer Size:              0                  0
Bytes Read:                    0                  0
Bytes Written:                 0                  9
Number of Reads:               0                  0
Number of Writes:              0                  1
Number of Encodes:             0                  0
Number of Decodes:             0                  0
Read Q. latency in msec:       0.000(0)           0.000(0)
Encode/decode latency in msec: 0.000(0)           0.000(0)
Write Q latency in msec:       0.000(0)           0.000(0)

This figure is a continuation from the previous page. Notice the number of reads and writes,
and encodes and decodes.


Optimizations for a Specific Application


edge-wae# sh stat tfo application Web
Application              In                      out
                         ----------------------  ---------------------
Web
  Optimized:
    Bytes                15397841                348637
    Packets              11020                   5896
  Non Optimized:
    Bytes                866974                  32552768
    Packets              15294                   22188
  Internal Client:
    Bytes                1029719                 1659575
    Packets              4880                    5436
  Internal Server:
    Bytes                43780                   33423
    Packets              239                     199
  PT No Peer:
    Bytes                0                       0
    Packets              0                       0
  PT Configured:
    Bytes                0                       0
    Packets              0                       0
  PT Intermediate:
    Bytes                0                       0
    Packets              0                       0

Use the show stat tfo application command to view optimizations applied to traffic for a
specific application. This command can be filtered to minimize display output by appending an
application name to the end of the command line.
Use the sh policy-engine app name command to view a list of available
applications.


Savings for a Specific Application (Cont.)


To view savings for one or all applications on a WAE, use
the show stat tfo saving command:
edge-wae# sh stat tfo sav Web
Application              Inbound                 Outbound
                         ----------------------  ---------------------
Web
  Bytes Savings          20993723                611381
  Packets Savings        13705                   11070
  Compression Ratio      9                       9

Use the show stat tfo saving command to view savings statistics for all configured
applications. This command can be filtered to include a single application as shown in the
figure. Note the bytes savings, packets savings, and perceived compression ratio.


Summary information for DRE and LZ


To view DRE and LZ performance information use the
show statistics dre command:
edge-wae# sh statistics dre
Cache:
    Status: Usable, Oldest Data (age): 4d2h
    Total usable disk size: 30394 MB, Used: 0.13%
    Hash table RAM size: 121 MB, Used: 0.00%
Connections:   Total (cumulative): 4   Active: 4
Encode:
    Overall: msg: 2, in: 207 B, out: 45 B, ratio: 78.26%
    DRE: msg: 2, in: 207 B, out: 45 B, ratio: 78.26%
    LZ: msg: 0, in: 0 B, out: 0 B, ratio: 0.00%
    Bypass: msg: 0, in: 0 B, partial chunks: 17 B
    Latency(Last 3 sec): max 0 ms, avg 0 ms
    Message size distribution:
      0-1K=0% 1K-5K=0% 5K-15K=0% 15K-25K=0% 25K-40K=0% >40K=0%
Decode:
    Overall: msg: 901, in: 323 KB, out: 15608 KB, ratio: 97.92%
    DRE: msg: 901, in: 375 KB, out: 15608 KB, ratio: 97.60%
    LZ: msg: 234, in: 110 KB, out: 161 KB, ratio: 31.68%
    Bypass: msg: 0, in: 0 B
    Latency (Last 3 sec): max 0 ms, avg 0 ms
    Message size distribution:
      0-1K=1% 1K-5K=13% 5K-15K=36% 15K-25K=22% 25K-40K=20% >40K=5%

The device CLI provides full visibility into DRE and LZ compression statistics and
effectiveness:

Summary information for DRE and LZ

DRE statistics for specific peers

DRE statistics for specific applications

The show statistics dre command displays information relative to the state of the DRE cache,
including the age of the oldest data, the amount of disk capacity consumed and maximum
available, the amount of RAM consumed and maximum available, and the number of active
connections. Note that it also shows overall encode and decode statistics, including
compression ratio and bytes-in versus bytes-out.


DRE Statistics for All Peers


To view DRE statistics for all connected peers use the
sh stat dre conn command:
edge-wae#sh stat dre conn
Conn-ID  Client-ip:port      Server-ip:port     Encode-in  Decode-in  PID  Status
540      10.10.13.100:3002   10.10.10.100:80    189 B      4020 KB    0    Closed
539      10.10.13.100:3001   10.10.10.100:80    769 B      11014 KB   0    Closed
106      10.10.13.100:2736   10.10.10.100:389   2005 B     2088 B     0    Closed
95       1.1.1.100:56894     10.10.10.100:389   0 B        0 B        0    Closed
92       1.1.1.100:28989     10.10.10.100:389   0 B        0 B        0    Closed
88       1.1.1.100:19122     10.10.10.100:389   0 B        0 B        0    Closed

Use the show statistics dre conn command to view statistics for all of the connections
optimized by DRE. Note that this command can be filtered based on:

Active connections only

Client IP or client port

Server IP or server port

Connection ID

Peer number

Last connection

The syntax and options for this command are listed and described as follows.
edge-wae#sh stat dre con ?

active: Display all active connection statistics

client-ip: Display connection statistics for client ip

client-port: Display connection statistis for client port

id: Display connection statistics for connection id

last: Display last connection statistics

peer-no: Display connection statistics for the peer number

server-ip: Display connection statistics for server ip

server-port: Display connection statistics for server port


DRE Statistics for Specific Peers


edge-wae# sh stat dre peer
Peer-No : 0                  Context: 45821
Peer-ID : 00:11:25:ac:3c:5c
Hostname: waas-core
------------------------------------------------------------------------------
Cache:
    Used disk: 40 MB, Age: 4d2h
Connections:
    Total (cumulative): 4, Active: 4
    Concurrent Connections (Last 2 min): max 0, avg 0
Encode:
    Overall: msg: 8, in: 1484 B, out: 545 B, ratio: 63.27%
    DRE: msg: 8, in: 1484 B, out: 1199 B, ratio: 19.20%
    LZ: msg: 2, in: 1066 B, out: 412 B, ratio: 61.35%
    Bypass: msg: 0, in: 0 B, partial chunks: 85 B
    Latency(Last 3 sec): max 0 ms, avg 0 ms
    Message size distribution:
      0-1K=100% 1K-5K=0% 5K-15K=0% 15K-25K=0% 25K-40K=0% >40K=0%
Decode:
    Overall: msg: 907, in: 324 KB, out: 15608 KB, ratio: 97.92%
    DRE: msg: 907, in: 375 KB, out: 15608 KB, ratio: 97.60%
    LZ: msg: 234, in: 110 KB, out: 161 KB, ratio: 31.68%
    Bypass: msg: 0, in: 0 B
    Latency (Last 3 sec): max 0 ms, avg 0 ms
    Message size distribution:
      0-1K=1% 1K-5K=13% 5K-15K=36% 15K-25K=22% 25K-40K=20% >40K=5%

Note that DRE statistics are relative to working with a specific peer. Note the number of
bytes-in versus bytes-out, the compression ratios, and the latency that is imposed due to
compression.
Use the sh stat dre peer command to view DRE statistics for specific connected peers.
This command can be filtered to show information related to any of the following:

Contexts

Peer IP address

Peer MAC address

Peer ID

The syntax and options for this command are listed and described as follows:
edge-wae#sh stat dre peer ?

Options include:

context: Display peer statistics for context

ip: Display peer statistics for peer ip

peer-id: Display peer statistics for peer ID

peer-no: Display peer statistics for peer number
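
How bytes-in, bytes-out and ratio relate in the show statistics dre and sh stat dre peer listings above, as an added example (not part of the original course material or Cisco code). The reduction formula and the "DRE output minus LZ savings" relationship are inferred from the sample numbers rather than stated in the text; function names are hypothetical and KB is assumed to be 1024 bytes.

```python
import re

# Constructed input: the Encode/Decode lines of the `sh stat dre peer` output
# shown above, written one statistic per line.
SAMPLE = """\
Encode:
    Overall: msg: 8, in: 1484 B, out: 545 B, ratio: 63.27%
    DRE: msg: 8, in: 1484 B, out: 1199 B, ratio: 19.20%
    LZ: msg: 2, in: 1066 B, out: 412 B, ratio: 61.35%
Decode:
    Overall: msg: 907, in: 324 KB, out: 15608 KB, ratio: 97.92%
    DRE: msg: 907, in: 375 KB, out: 15608 KB, ratio: 97.60%
    LZ: msg: 234, in: 110 KB, out: 161 KB, ratio: 31.68%
"""

UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}  # assumed sizes
STAT_RE = re.compile(
    r"\s*(Overall|DRE|LZ):\s*msg:\s*(\d+),\s*in:\s*(\d+)\s*(B|KB|MB|GB),"
    r"\s*out:\s*(\d+)\s*(B|KB|MB|GB),\s*ratio:\s*([\d.]+)%")


def parse_dre(text):
    """Return {(direction, stage): {...}} for the Overall, DRE and LZ lines."""
    stats, direction = {}, None
    for line in text.splitlines():
        head = line.strip()
        if head in ("Encode:", "Decode:"):
            direction = head[:-1].lower()
            continue
        m = STAT_RE.match(line)
        if m and direction:
            stage, msgs, n_in, u_in, n_out, u_out, ratio = m.groups()
            stats[(direction, stage)] = {
                "msgs": int(msgs),
                "in": int(n_in) * UNIT[u_in],
                "out": int(n_out) * UNIT[u_out],
                "reported": float(ratio),
            }
    return stats


def reduction_pct(stat, direction):
    """Percent reduction: the compressed side is 'out' on encode, 'in' on decode."""
    if direction == "encode":
        original, compressed = stat["in"], stat["out"]
    else:
        original, compressed = stat["out"], stat["in"]
    return 0.0 if original == 0 else 100.0 * (1 - compressed / original)


def mismatches(stats, tolerance=0.05):
    """Keys whose reported ratio differs from the recomputed reduction."""
    return [key for key, s in stats.items()
            if abs(reduction_pct(s, key[0]) - s["reported"]) > tolerance]


def lz_gap(stats, direction):
    """Overall compressed bytes minus (DRE compressed bytes - LZ savings).

    Zero means LZ was applied to part of the DRE output, which is why the
    Overall ratio is better than the DRE ratio alone.
    """
    comp, orig = ("out", "in") if direction == "encode" else ("in", "out")
    lz = stats[(direction, "LZ")]
    lz_saved = lz[orig] - lz[comp]
    return (stats[(direction, "Overall")][comp]
            - (stats[(direction, "DRE")][comp] - lz_saved))


if __name__ == "__main__":
    parsed = parse_dre(SAMPLE)
    for (direction, stage), s in parsed.items():
        print(direction, stage, f"{reduction_pct(s, direction):.2f}%", s["reported"])
    print("encode gap:", lz_gap(parsed, "encode"), "decode gap:", lz_gap(parsed, "decode"))
```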


Clearing the DRE Cache


To clear the DRE cache, use the WAE# clear cache dre
command:
edge-wae# clear cache dre
TFO application needs to be restarted (all existing
connections will be reset, alarms may be raised and system may reboot
if required).
Do you want to Continue? [yes/no]yes
Restarting processes..
Clearing DRE cache
Clearing DRE statistics
Done. No reboot was required.


Clearing the DRE cache stops and restarts the TCP proxy service and any CIFS acceleration
services. Any sessions or connections that are active are broken and must be automatically
regenerated by the communicating nodes. This action removes the compression history of the
DRE cache on the local WAE. A reboot is required only in cases where the TCP proxy service
is unable to be restarted after it has been stopped. Otherwise the WAE reboots automatically.


Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
Application traffic policies define the behavior of the WAEs in the network and
dictate what optimizations are applied when traffic of a specific type is
encountered.

The default traffic policy can be used for simple optimization configurations and
includes policies for over 150 classifiers.

Application definitions are a top-level object used for reporting statistics for all
associated classifiers and optimizations.

Policy maps are used to associate traffic classifiers with an application definition
for statistical purposes. They also define the optimizations to apply.

Traffic classifiers are used to specify the qualifiers to look for before associating a
traffic flow with a specific application.

Traffic policies are commonly configured from Central Manager for synchronization
and simplicity. They can also be configured on each WAE using the CLI.

Adaptor policies are used for specific applications where the TCP port assignment
is dynamic or additional latency reduction is required.

You can monitor the impact of optimizations using the CLI.


Lesson 5

Configuring Application Acceleration

Overview
This topic explains how to use Central Manager as a centralized driver repository and describes
how to configure driver upload and distribution.

Objectives
Upon completing this lesson, you will be able to explain how to configure file and print
services acceleration. This includes being able to meet these objectives:

Explain the basic file services optimization configuration for WAAS, including file server
definition, core cluster configuration, edge server configuration, controlling services, and
connectivity directives

Explain the behavior of WAAS file services during periods of intermittent and prolonged
network disconnection

Explain how WAAS can prepopulate an edge cache and DRE to improve performance for
the first user and for subsequent users

Explain how to configure Cisco WAAS print services

Explain how to upload drivers to Central Manager and configure distribution

Configuring CIFS Acceleration


This topic explains how to configure Cisco WAAS file services optimizations using Central
Manager. These optimizations include file server definition, core cluster configuration, edge
server configuration, controlling services, and connectivity directives.

CIFS Acceleration Capabilities


Intelligent local handling and optimization of protocol mitigates latency

Sessions are maintained end-to-end to ensure no security reconfiguration

File caching removes the need to unnecessarily transfer files; validation
ensures stale data is never served

Auditing, access-control, and quotas are fully preserved

Transparent integration ensures no client or server changes to apply optimization

Scheduled preposition to prepopulate DRE and edge data cache

Disconnected mode of operation allows R/O access to fully-cached
content when the server is unreachable

Advanced WAN optimization layer improves throughput and efficiency
    DRE eliminates redundant network data
    TCP optimizations to improve protocol ability to fully use the network

[Figure labels: WAN, Files, FILE.DOC, Cache]

Cisco WAAS provides the industry's most innovative and robust file services optimizations:

Application protocol interface for CIFS to handle protocol message workload at the Edge
to mitigate the impact of latency through message suppression, local response handling,
protocol caching, operation batching, message prediction, read-ahead, and pre-fetch

Application data and meta data cache to serve usable content at the Edge to mitigate
unnecessary data transfers when safe; validate-on-open to verify that file data has not
changed; global locking to ensure coherency and enable global collaboration scenarios

Network compression through DRE and Lempel-Ziv (LZ) persistent compression to
minimize bandwidth usage during data transfer situations

Transport Flow Optimizations (TFO) to improve utilization of the available network
capacity

The Wide Area File Services (WAFS) Benchmark Tool is available for download on Cisco
Connection Online (CCO). This utility stages data to a file server and then executes a script that
makes calls against these files, including OPEN, READ, WRITE, SAVE, and CLOSE
operations. The amount of time taken to perform these tests can then be saved to a comma
separated value (CSV) file for viewing and graphing. The results shown in the figure represent
the typical performance improvement provided by Cisco WAAS in CIFS environments.
Cisco WAAS acceleration is safe and requires no coherency configuration. The level of
optimization applied is directly related to the type of file being opened, and the state of the
opportunistic lock that is granted to the user. For single-user situations, Cisco WAAS can
employ the breadth of its optimizations to dramatically improve performance. For multi-user
situations or no-oplock situations, Cisco WAAS can safely apply many optimizations to
improve performance.
For example, when a Microsoft Word file is being edited by a single user, WAAS employs
all of the optimizations available to improve performance. This is true for Microsoft Access
database files and other collaborative data sets; when a single user is working with an object,
Cisco WAAS employs the full optimization suite. When multiple users are working with the
same file, WAAS automatically adjusts its level of optimization to maintain data integrity and
safety.
Cisco WAAS is proven effective for the most common CIFS applications including Microsoft
Office (Word, PowerPoint, Excel), MS Access (and other database applications that use CIFS),
computer-aided design/computer-aided manufacturing (CAD/CAM) applications, My
Documents storage, desktop backup and restore, and other applications such as imaging.


CIFS Acceleration


The default policy contains two policies that are required for WAFS to operate:

CIFS policy: This policy allows the system to send appropriate traffic to the CIFS
accelerator. The classifier used is CIFS (TCP 139 and TCP 445). The actions include Full
Optimization and CIFS acceleration.

WAFS transport policy: This policy allows the system to optimize traffic sent between
WAFS application adaptor instances (Core and Edge nodes) using TFO, DRE, and LZ.

Note

These policies are included in the default Cisco WAAS policy and do not require
modification. Cisco WAAS dynamically builds match conditions based on service
configuration which allows for the WAEs to accurately handle and accelerate CIFS traffic.
For this reason administrators do not need to modify or manipulate these policies.


Defining a Core Server Cluster


Configure a WAFS Core Server cluster at:
Central Manager > Devices > Device Groups > New
Type should be set to WAFS Core Cluster


A Core Server cluster must first be defined before file services optimizations can be configured.
A Core Server cluster can have a single WAE as a member, or many WAEs as members. When
an Edge Server connects to a Core Server cluster, it is provided a list of all of the Core Server
members. It then randomizes the list and connects to one of the nodes. If that node fails, the
Edge Server removes the failed node from the list, re-shuffles, and connects to another node.


Core Cluster Configuration


The credentials supplied on the Core cluster configuration allow the Core Server nodes to
browse the origin servers and read from the origin servers when configuring the preposition
function. High priority messages can be marked with a configurable Differentiated Services
Code Point (DSCP) value to enable higher priority handling within the network, which can lead
to improved performance.
Note

The file server access username and password are only required when using the preposition
capabilities of Cisco WAAS. The credentials provided here should be for a user that has
read-access to any file servers where preposition is needed, and the user should be a
member of a domain that has trusted access to any domain that a file server participating in
preposition resides in.


Configuring WAFS Core Service


One or more WAE nodes deployed near the origin file servers should be configured as WAFS
Core Servers. This WAE must be assigned to a WAFS Core Cluster group. This assignment is
configured in Central Manager by navigating to Devices > Device > (node) > File Services >
Core Configuration. A Core Server WAE can be a member of only one Core Cluster.


Configuring WAFS Core Service (Cont.)


Verify that the Core Server service is running by browsing directly to the WAE or by using
the local GUI icon in Central Manager: https://(ipaddr):8443
If the service is not running, click the service name and then click Start.

Launch the local GUI of the Core Server WAE and verify that the WAFS Core service is
running. If the service is not running, be sure to start the service.


Configuring WAFS Edge Service


One or more WAE nodes deployed in the remote office should be configured as a WAFS Edge
Server. No WAFS Edge Server group configuration is required, and you can use a standard
configuration group, but this is not necessary. The Edge Server service is configured in Central
Manager by navigating to Devices > Device > (node) > File Services > Edge Configuration.
Specify the following configuration options for the device or device group:

Listening ports (TCP139, TCP445, or both)

Transparent mode

Active Directory site name

QoS DSCP settings for control traffic


Configuring WAFS Edge Service (Cont.)


Verify that the Edge Server service is running by browsing directly to the WAE or by using
the local GUI icon in Central Manager: https://(ipaddr):8443
If the service is not running, click the service name and then click Start.

Launch the local GUI of the Edge Server WAE and verify that the WAFS Edge service is
running. If the service is not running, be sure to start the service.


Defining File Servers


Cisco WAAS does not explicitly require definition of each file server that is to be accelerated.
However, if preposition or disconnected mode or both are to be used, the file servers associated
with each of those features must be defined at Services > File > File Servers.
File servers that are accelerated but not participating in preposition or disconnected mode of
operation do not need to be configured on this page.
When defining file servers (to configure preposition or disconnected mode of operation), you
must specify the following:

File Server Name (must be resolvable)

Available on WAN Failure (R/O disconnected mode)

WAFS Core Cluster assignment

Clicking the magnifying glass icon next to the Core Cluster definition causes the Core WAEs in
the cluster to attempt to resolve the name of the file server. WAEs configured with the WAFS
Core service must be able to resolve the name of the file servers being optimized to an IP
address if they are defined on this page.
To serve the needs of organizations with a large list of file servers that need to participate in
disconnected mode of operation or preposition, an import utility is available from the Central
Manager. This utility allows an administrator to import a CSV file that can be used to define
the appropriate file servers. The CSV file for importing file server information should be
defined as follows:
The first row should be populated with the following words in each column, each as a column
header: Name,AllowDisconnected,Cluster
Multiple columns in the first row should be created with the name Cluster if multiple WAFS
Core Clusters are to be listed in the data rows that follow.
Next, create rows beneath the column header row, each with the following values:

Name,AllowDisconnected,Cluster


Note

This row will contain data, and not the actual words Name, AllowDisconnected, and
Cluster.

Where:

Name is the name of the file server. This name must be resolvable.

AllowDisconnected is TRUE or FALSE. This value is required for CIFS servers only, to
enable read-only disconnected mode. The default is TRUE if left blank.

Cluster is name of the WAFS Core Cluster. This value can include more than one cluster
name, with each name separated by a comma.

For example:

server1,TRUE,cluster1:

In this example, the file server name server1 is a CIFS server accessible in read-only
disconnected mode, and is accessible via cluster cluster1.

server2,FALSE,cluster2,cluster3:

In this example, the file server name server2 is a CIFS server not accessible in read-only
disconnected mode, and is accessible via clusters cluster2 and cluster3.

The import tool can be found in the file servers toolbar at Services > File > File Servers.
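
A pre-import check for the CSV layout described above, as an added example (not part of the original course material and not a Cisco tool). The function names and the optional resolver callback are hypothetical; the rules enforced are the ones stated in the text: header Name,AllowDisconnected,Cluster with extra Cluster columns as needed, AllowDisconnected of TRUE, FALSE or blank (blank defaults to TRUE), and at least one cluster per row.

```python
import csv
import io

# Constructed sample import file: the two example rows from the text plus
# rows that exercise the blank default and the error paths.
SAMPLE = """\
Name,AllowDisconnected,Cluster,Cluster
server1,TRUE,cluster1
server2,FALSE,cluster2,cluster3
server3,,cluster1
server4,MAYBE,cluster1
server5,TRUE
"""


def header_ok(header):
    """Header must be Name,AllowDisconnected followed by one or more Cluster."""
    return (len(header) >= 3
            and header[:2] == ["Name", "AllowDisconnected"]
            and all(col == "Cluster" for col in header[2:]))


def parse_file_server_csv(text, resolver=None):
    """Return (servers, errors) for a file server import CSV.

    resolver is an optional callable(name) -> bool used to confirm that the
    file server name resolves, as the Core WAEs must be able to do.
    """
    servers, errors, header = [], [], None
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        cells = [c.strip() for c in row]
        if not any(cells):
            continue  # skip blank lines
        if header is None:
            header = cells
            if not header_ok(header):
                return [], [f"line {lineno}: header must be "
                            "Name,AllowDisconnected,Cluster[,Cluster...]"]
            continue
        row_errors = []
        name = cells[0]
        flag = cells[1].upper() if len(cells) > 1 else ""
        clusters = [c for c in cells[2:] if c]
        if not name:
            row_errors.append("missing file server name")
        if flag not in ("", "TRUE", "FALSE"):
            row_errors.append(f"AllowDisconnected must be TRUE, FALSE or blank, got {cells[1]!r}")
        if not clusters:
            row_errors.append("no WAFS Core Cluster given")
        elif len(clusters) > len(header) - 2:
            row_errors.append("more cluster names than Cluster columns in the header")
        if name and resolver is not None and not resolver(name):
            row_errors.append(f"file server name {name!r} does not resolve")
        if row_errors:
            errors.extend(f"line {lineno}: {e}" for e in row_errors)
        else:
            servers.append({
                "name": name,
                "allow_disconnected": flag != "FALSE",  # blank defaults to TRUE
                "clusters": clusters,
            })
    if header is None:
        errors.append("file has no header row")
    return servers, errors


if __name__ == "__main__":
    ok, problems = parse_file_server_csv(SAMPLE)
    for s in ok:
        print(s)
    for p in problems:
        print("ERROR", p)
```
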
Note

Cisco WAAS will inspect Server Message Block (SMB) headers in packets exchanged
between clients and servers to see if SMB signing is required or optional. If set to optional,
Cisco WAAS will dynamically change the setting of the packets to off to allow for full
acceleration capabilities to be applied. If SMB signing is set to required, SMB-signed CIFS
traffic will not benefit from the full acceleration capabilities, but will benefit from other
optimizations (DRE, TFO, and Persistent LZ) provided by WAAS. File servers that require
SMB signing should not be defined in Central Manager.


Configuring a Connectivity Directive


Connectivity directives define a permitted connection between a WAFS Edge WAE, or
Configuration Group of WAFS Edge WAEs, and a WAFS Core Cluster. Connectivity
directives also define expected WAN conditions and any selected file servers (file servers that
are to be accelerated do not have to be explicitly defined). Connectivity directives are
configured in Central Manager by navigating to Services > File > Connectivity > New.
After the connectivity directive is created, assign WAFS Edge WAE devices or WAFS Edge
WAE configuration groups to the directive. An Edge WAE Group target should only be
selected if using transparent interception and no name publishing.
The connectivity directive is used to notify a WAE running the WAFS Edge service (close to
the user) of:

Which core cluster of WAEs to use when optimizing a file server that is explicitly defined

Which core cluster of WAEs to have query the file server and respond to the edge to
dynamically determine which core cluster is closest in proximity to an undefined file server

Configuring a Connectivity Directive (Cont.)

You must specify the file server settings for file servers that are manually defined and configure
expected WAN utilization. The WAN utilization settings perform two functions:

Limits the amount of WAN bandwidth that the CIFS acceleration service can provide, and

Automatically performs tune-up of the CIFS acceleration services to better leverage WAN
capacity

Correct bandwidth allocation is assumed. WAEs automatically tune up their optimizations
based on the bandwidth and delay indicated on this screen. Allocating more than WAN
capacity can impact performance, and result in the WAE sending more traffic than the router or
WAN link can handle.

Administrators need to make sure that CIFS settings, Original Names or Name suffix and prefix
are unique when using name publishing in non-transparent mode. No validation of these
settings is performed, so it is up to the administrator to ensure they are correct.

Any defined file server that is to be accelerated should have a checkbox in the exported
column, regardless of the type of acceleration that is being performed (transparent versus
non-transparent). CIFS name settings must be unique across directives when using Windows
Internet Naming Service (WINS) or domain name system (DNS) for name resolution. No
automatic validation is performed on these settings.

Verifying WAFS Connectivity

The WAE Device GUI is useful for verifying that the Edge WAEs and Core WAE clusters are
connected correctly. The WAE Device GUI can be accessed from the Central Manager device
home page by clicking the Device GUI link, or by browsing directly to the WAE at
https://(ip_addr_of_WAE):8443.

To view Edge WAE connectivity information, navigate to WAFS Edge > Configuration >
Connectivity. This panel shows which Core Clusters the Edge WAE connects to based on the
connectivity directive definition. A connected cluster is identified by a green checkmark, and a
nonconnected cluster is identified by a red X.

To view statistics on the connectivity between an Edge WAE and a Core cluster, navigate to
WAFS Edge > Monitoring from the Edge WAE Device GUI. This panel provides additional
information on the connection to the Core Cluster, including the number of messages sent and
received, and the number of bytes sent and received.

Similar data can be found on the Core WAE by navigating to WAFS Core > Monitoring >
Connectivity from the Core WAE Device GUI.

The WAFS Edge > Configuration submenu allows the administrator to view the configuration
of CIFS, open print services administration, and configure Simple Mail Transfer
Protocol (SMTP) notifications.

The WAFS Core > Configuration submenu allows the administrator to view the configured
CIFS servers, and configure SMTP notifications.

Examining WAFS Statistics

The WAFS Edge Device GUI allows administrators to view CIFS protocol optimization
statistics and cache statistics. The following functions are available within the Device GUI, by
navigating to WAFS Edge > Monitoring.
The CIFS tab allows the administrator to:

Examine traffic read and written, in Kilobytes

Examine request counts, local and remote, including how many were handled locally and
thus optimized, and how many were handled remotely

Examine total network time, local and remote, including how much time was spent on the
LAN versus the WAN

Examine connected session counts; these counts are useful for verifying that a user session
is being optimized

Examine the number of open files; this value is useful for verifying that a user session is
being optimized

The Cache tab allows the administrator to:

Examine the cache disk statistics, including maximum capacity and amount of capacity
used

Examine the cache resource statistics, including maximum objects and current cached
objects

Examine eviction statistics, including number of objects evicted, last eviction; these values
are useful for determining if the cache size is too small

Cache eviction watermark for both capacity and number of objects; the high watermark
indicates the percentage of capacity or cached objects that must be reached before
LRU-based eviction begins; the low watermark indicates the percentage of capacity or cached
objects that must be reached before LRU-based eviction ends

The contents of the file cache are not visible to the administrator. Files can not be selectively
removed from the cache.
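
The high and low eviction watermarks on the Cache tab can be modelled as follows. This is an added example, not WAAS code: the class name, the point at which the watermark is checked, and the percentages in the demo are assumptions chosen to show how the eviction counters move.

```python
from collections import OrderedDict


class WatermarkLRUCache:
    """LRU file cache that evicts between a high and a low watermark."""

    def __init__(self, max_bytes, max_objects, high_pct=90, low_pct=80):
        if not 0 < low_pct < high_pct <= 100:
            raise ValueError("need 0 < low watermark < high watermark <= 100")
        self.max_bytes, self.max_objects = max_bytes, max_objects
        self.high_pct, self.low_pct = high_pct, low_pct
        self.files = OrderedDict()   # name -> size, least recently used first
        self.used_bytes = 0
        self.evicted = 0             # number of objects evicted so far
        self.last_evicted = None     # name of the most recently evicted object

    def _reached(self, pct):
        """True when capacity or object count is at or above pct percent."""
        return (self.used_bytes * 100 >= pct * self.max_bytes
                or len(self.files) * 100 >= pct * self.max_objects)

    def _above(self, pct):
        """True while capacity or object count is still above pct percent."""
        return (self.used_bytes * 100 > pct * self.max_bytes
                or len(self.files) * 100 > pct * self.max_objects)

    def access(self, name, size):
        """Record a file access; return True on a cache hit."""
        if name in self.files:
            self.files.move_to_end(name)      # now the most recently used
            return True
        self.files[name] = size
        self.used_bytes += size
        if self._reached(self.high_pct):      # high watermark starts eviction
            self._evict()
        return False

    def _evict(self):
        # Eviction runs in LRU order and ends once the low watermark is reached.
        while self.files and self._above(self.low_pct):
            name, size = self.files.popitem(last=False)
            self.used_bytes -= size
            self.evicted += 1
            self.last_evicted = name


def demo_capacity():
    """Nine 100-byte files in a 1000-byte cache, watermarks 90 and 60 percent."""
    cache = WatermarkLRUCache(max_bytes=1000, max_objects=100, high_pct=90, low_pct=60)
    for i in range(8):
        cache.access(f"f{i}", 100)
    cache.access("f0", 100)       # hit: f0 becomes the most recently used
    cache.access("f8", 100)       # 900 bytes reaches the high watermark
    return cache


if __name__ == "__main__":
    c = demo_capacity()
    print(list(c.files), c.used_bytes, c.evicted, c.last_evicted)
```

A cache that evicts on nearly every miss, with the eviction count climbing steadily, is the signal the Cache tab statistics give that the cache is too small for the working set.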

Graphs of WAFS Statistics

The WAE Device GUI provides graphs for examining statistics over time. All graphs are
presented in Multi Router Traffic Grapher (MRTG) format and show daily graphs with a
5-minute average, weekly graphs with a 30-minute average, monthly graphs with a 2-hour
average, and yearly graphs with a 1-day average.
The WAFS Edge Device GUI provides the following graphs:

Cache disk space utilization

Cache hit rate

Cache resource and object count

Cache disk utilization

Connected sessions count

Connected WAFS Core count

Open files count

Local and remote requests count

Traffic to connected Core WAEs

Client throughput

The WAFS Core Device GUI provides the following graphs:

Connected WAFS Edge count

Traffic to connected Edge WAEs

All of the data contained within these graphs is also exposed via Simple Network Management
Protocol (SNMP).

Verification of WAFS Functionality


WAFS operation can be verified by accessing a file server after configuration and network
integration have been completed.
To verify functionality, access a file share on a remote server through the WAAS topology.
Next, access the server, and open the Computer Management console by right-clicking
My Computer and selecting Manage.

CIFS Servers
To verify file services operation, connect to a share on the server through a client while WAAS
is deployed and configured between them. This can be performed using one of the following:

Network Neighborhood: Browse to the file server

Universal Naming Convention (UNC) Paths: Use the Run dialog box (Start > Run >
\\servername)

Disk operating system (DOS) command line

The Windows NET command provides a powerful utility to connect to and manage SMB
resources. This utility can be accessed by navigating to C:\Documents and Settings\User>net.
The syntax of the NET command is:
NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |
HELPMSG | LOCALGROUP | NAME | PAUSE | PRINT | SEND | SESSION |
SHARE | START | STATISTICS | STOP | TIME | USE | USER | VIEW ]

To map a drive when logged in as a user with permissions to access the resource, use the
following NET command:
C:\> net use X: \\servername\sharename

Where:

X: is the drive letter

servername is the NetBIOS name, fully qualified domain name (FQDN), or IP address of
the server

sharename is the name of the share, printer, or resource being accessed

To map a drive using alternate credentials, use the following NET command:

C:\> net use X: \\servername\sharename userpassword /user:domain\username

Where:

X: is the drive letter

servername is the NetBIOS name, FQDN, or IP address of the server

sharename is the name of the share, printer, or resource being accessed

userpassword is the password for the user account

domain is the NetBIOS name or FQDN of the user domain

username is the name of the user

To view the shares on a file server, assuming you can net use to the server, use the following
NET command:
C:\> net view \\servername

To delete a drive mapping, use the following NET command:
C:\> net use X: /delete

To delete a CIFS session, use the following NET command:
C:\> net use \\servername /delete

Alternately, rebooting a workstation forces a CIFS session to be deleted. If the drive mapping is
configured as persistent, or as part of a login script, the session is reestablished upon reboot.
After the drive is mapped, go to the server and verify that the user session is coming from the
Core Server and not the client workstation. This task is shown on the next slide.
Note

For WAAS file services optimizations configured in transparent mode, the server name is
that of the file server in the data center. For WAAS file services optimizations configured in
non-transparent mode, the server name is the name that is being published by
the WAE.

Note that the WAE is designed to not provide optimizations for pre-existing CIFS sessions. If a
CIFS session is already active at the time WCCPv2 is enabled, any CIFS traffic that is
redirected to the WAE is not accelerated at the application layer. Before any optimizations can
be applied, Cisco WAAS must see the session brought up from the beginning so that it can verify
user authenticity, user authorization, and file state. When verifying WAFS functionality, it might be
necessary to shut down any existing CIFS sessions before application layer acceleration can be
seen.
To verify that a file server is being accelerated by a WAFS Edge WAE via the file server itself,
navigate to Computer Management > System Tools > Shared Folders > Sessions. If the IP
address of the WAFS Core WAE appears under computer, then the session is being accelerated
by Cisco WAAS CIFS acceleration. If the IP address of the client appears under computer, then
the session is not being accelerated by Cisco WAAS CIFS acceleration.
To verify that a file server is being accelerated by a WAFS Edge WAE, use the show bypass
list command on the WAFS Edge WAE to verify that the CIFS server appears with appropriate
ports listed:
Edge-WAE# sh bypass list

Client              Server                  Entry type
------------------------------------------------------
any-client:0        CIFS_server_IP:139      accept
any-client:0        CIFS_server_IP:445      accept

The WAFS Edge WAE device GUI can be examined to see if CIFS cache counters are
incrementing. This can provide a clear indication that CIFS acceleration is functioning.
If the WAAS file services optimizations are configured correctly, the WAAS Core Device IP
address appears in the computer name field in the sessions listing of the Computer Management
panel if CIFS over TCP is used. For cases where CIFS over NetBIOS is used, the client
computer name will appear in the computer name field in the sessions listing. In such cases
(where CIFS over NetBIOS is used), other metrics, such as the request counters and session
count in the Edge WAE Device GUI, must be used to validate that the session is indeed being
accelerated. If the user workstation IP address is displayed, there might be a configuration
error, or the session might have existed before WAFS services were enabled. In the last case,
the user session must be deleted and restarted. Use one of the following alternative procedures
to delete an existing CIFS session:

Right-click the session and select Close session.

Use the net view command on the client workstation to view existing sessions, and then
use the net use /delete command on the client workstation to delete the session. Finally,
issue the net use command to reconnect to the server and share. Note that IPC$ sessions
must also be deleted.

Disable the client network interface card and then re-enable it.

Reboot the client.

If the session is active before enabling WAFS functionality, it might be necessary to delete it
before acceleration can be verified.

Disconnected Mode of Operations


This topic explains how to use and configure the WAAS file services disconnected mode of
operations.

R/O Disconnected Mode of Operation


The file services application adaptor handles network outages in
the following ways:
Intermittent disconnection: For periods of less than 90 seconds, user
operations are buffered, with no impact to the user.
Prolonged disconnection: In this situation, sessions are disconnected by the
edge WAE and the core WAE.

In prolonged disconnection mode, user sessions can be reestablished to access cached files in a read-only fashion
assuming a domain controller is reachable. The WAE must be
configured to join the Windows domain.

WAAS is designed to be resilient during periods of WAN disconnection. Two types of WAN
outages are identified by Cisco WAAS, and each is handled in a different manner:

Intermittent disconnection: This term refers to periods of loss of WAN connectivity
lasting less than 90 seconds, in which case the WAFS Edge WAE buffers user operations.
If the WAN returns to service and the WAFS Edge WAE is able to successfully reconnect
to the WAFS Core WAE, the user sees no impact. The WAFS Edge WAE always attempts
to reconnect to the Core WAE that it was originally connected to. If the WAFS Edge WAE
is unable to reconnect to the original WAFS Core WAE, the session is broken and
regenerated. The user might see a disconnection to the file server in this case. If this
happens, the user can save their data locally and merge the changes back into the document
on the file server after reconnection.

Prolonged disconnection: This term refers to periods of loss of WAN connectivity lasting
longer than 90 seconds, in which case the WAE enters a prolonged disconnection mode,
and all state is cleaned up on the Edge WAE and the Core WAE. At this point, the Edge
WAE can enter into read-only disconnected mode, assuming the file server is configured
for this mode in Central Manager. If this mode is not configured, the file server is no longer
accessible through WAAS, although offline files and folders within Windows can be
configured.

WAASv4 provides a R/O disconnected mode of operation that allows users to have read-only
access to fully-cached files during periods of prolonged WAN disconnection. A series of
functions are implemented specifically to support servers and shares defined for R/O
disconnected access:

Aggressive file caching of files accessed on-demand (read-ahead and file read-ahead):
This function ensures that files are fully cached in the Edge WAE so they can be available
if the WAE enters a prolonged disconnection mode lasting more than 90 seconds.

Metadata and access list prefetch: This function ensures that access control information
is cached by the Edge WAE for the purposes of authorization during disconnection.

Preposition: This optional function is used to continually update the Edge WAE cache and
ensure that files are available in the Edge WAE cache if the WAE enters a prolonged
disconnection mode.

When WAAS file services enters prolonged disconnected mode, all CIFS sessions are
disconnected in both the remote office and the data center. If read-only disconnected mode is
not configured, the user does not have access to the file server. Windows Offline Files and
Folders can be configured as an alternative to read-only disconnected mode, providing users
with the ability to continue working during the period of disconnection, and resynchronizing
changes back to the origin file server when the connection is re-established.
If read-only disconnected mode is configured, the WAEs still enter prolonged disconnected
mode, which destroys user sessions in the remote office and in the data center. User sessions
must be restarted, which requires authentication with a domain controller, which must be
reachable on the network. The WAFS Edge WAE can self-authorize the user based on cached
ACLs from the origin file server. After the user re-authenticates successfully, the Edge WAE
exports the server and acts on its behalf, providing read-only access to cached files and folders
based on the cached access control information. With read-only disconnected mode, the last set
of cached files and last set of cached ACLs is used. If the file server is unreachable through
WAAS for a long period of time and files or access control information has changed, the
contents in the Edge WAE will not be the same as those on the origin file server.
For read-only disconnected mode to work properly, the WAE must be configured for Windows
authentication and be successfully joined to the domain. Also, the file server must be defined at
Services > File > File Servers within the Central Manager.

Configuring Disconnected Mode


To configure R/O disconnected mode for a file server, define the
file server at Services > File > File Servers
WAE must be added to the domain as per the steps in the Central
Manager lesson
Disconnected mode applies to an entire file server.
Preposition should be used to ensure the contents are
accessible during disconnection:

To configure a file server to be accessible during periods of prolonged disconnection, the file
server must first be defined at Services > File > File Servers. On the file server definition
page, check the Available on WAN Failure checkbox. It is
recommended that preposition be configured to ensure that a larger set of content is made
accessible during the disconnected mode.

The WAE must be configured as a domain member in order to be capable of supporting
read-only disconnected mode. The steps to join a WAE to the domain are discussed in the Central
Manager lesson.

Use of disconnected mode of operation requires that the WAE be able to reach a domain
controller during periods of network disconnection. If a domain controller is not reachable, then
disconnected mode of operation will not work.

Using Prepositioning
This topic explains how WAAS prepositioning can be used to prepopulate an edge file services
cache and DRE cache to improve the performance for first user access to content. The process
of configuring and monitoring prepositioning tasks is also described.

File Preposition
Files can be prepositioned into an Edge WAFS device cache to
improve performance for first-user access:
Schedules the acquisition and distribution of files
Populates DRE database on WAEs
Provides a cache hit on first user access, and local delivery

Used in environments with a need to deliver large amounts of critical data, such as:

CAD/CAM packages
Engineering, software development
Software distribution, patch management
Imaging

Files can be prepositioned into an Edge device cache to improve performance for first-user
access. Prepositioning is the process of scheduling the acquisition and distribution of files.
Prepositioning populates file data into the DRE database of the WAE. This approach allows
users to obtain a cache hit on first user access, and provides local delivery of the content.
Prepositioning is commonly used in environments where the need to deliver large files or large
amounts of data is critical. Examples of these environments include the following:

CAD/CAM packages

Engineering, software development

Software distribution, patch management

Imaging

File Preposition Job Flow


The Core WAE scans the file server and filters the file set according to
directive criteria.
The results of the filtered scan are sent to the Edge WAE, and the Edge
WAE again filters against the contents of the cache to see what is
necessary to preposition.
The Edge WAE requests each needed file or file segment from the Core
WAE, which leverages DRE and LZ compression for the data transfer.

[Figure: preposition job flow between the NAS (Files), the Core WAE, and the Edge WAE; labels: LIST, Send FILE123.DOC, FILE123.DOC]

When the administrator defines a preposition directive in Central Manager, the following
processes are executed:
Step 1

The Edge WAE connects to the Core WAE and sends preposition parameters. These
include:

File server to connect to

Share to gather data from

Root path to search from

File pattern to attempt to match

Whether or not to search subdirectories from the root path

Time filters

File size filters

Step 2

The Core WAE performs the scan against the server based on the criteria provided
and returns a match list, representing the results of a filtered scan, to the Edge WAE.

Step 3

The Edge WAE compares the match list against the current state of the file cache
and creates a delta list. Any file that does not exist in the cache or has been changed
is added to the delta list.

Step 4

The Edge WAE then submits requests sequentially to the Core WAE based on the
files contained within the delta list.

Step 5

The Core WAE fetches the file and stores it in the preposition staging area. The
Core WAE then instructs the Edge WAE to download the file.

Steps 4 and 5 are repeated until the delta list has been exhausted or the limitation parameters of
the preposition directive have been met.
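
Steps 1 through 5 can be traced with a small simulation. This is an added example, not WAAS code: the class and function names are constructed, change detection by size and modification time is an assumption, and the share listing and cache contents are sample data made up for the illustration.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class RemoteFile:
    path: str    # path below the share, "/"-separated (constructed convention)
    size: int    # bytes
    mtime: int   # last modification time, epoch seconds


@dataclass(frozen=True)
class Directive:
    root: str            # root path to search from
    pattern: str         # file pattern to match
    recurse: bool        # whether to search subdirectories
    min_size: int        # file size filters
    max_size: int
    modified_after: int  # time filter
    max_bytes: int       # limitation parameter: most data one run may copy


def core_scan(share_files, d):
    """Step 2: the Core WAE filters the share and returns the match list."""
    root = d.root.strip("/")
    prefix = root + "/" if root else ""
    matches = []
    for f in share_files:
        if not f.path.startswith(prefix):
            continue
        relative = f.path[len(prefix):]
        if "/" in relative and not d.recurse:
            continue
        name = relative.rsplit("/", 1)[-1]
        if not fnmatch.fnmatchcase(name.lower(), d.pattern.lower()):
            continue
        if not d.min_size <= f.size <= d.max_size or f.mtime < d.modified_after:
            continue
        matches.append(f)
    return matches


def edge_delta(match_list, edge_cache):
    """Step 3: keep files that are missing from the cache or have changed."""
    return [f for f in match_list if edge_cache.get(f.path) != (f.size, f.mtime)]


def run_preposition(share_files, edge_cache, d):
    """One run; returns (fetched paths, bytes copied, reason for completion)."""
    # Step 1: the Edge WAE sends the directive parameters to the Core WAE.
    delta = edge_delta(core_scan(share_files, d), edge_cache)
    fetched, copied = [], 0
    for f in delta:                                 # Steps 4 and 5, one file at a time
        if copied + f.size > d.max_bytes:
            return fetched, copied, "limit reached"
        edge_cache[f.path] = (f.size, f.mtime)      # Core stages the file, Edge downloads it
        fetched.append(f.path)
        copied += f.size
    return fetched, copied, "delta list exhausted"


# Constructed sample data.
SHARE = [
    RemoteFile("eng/cad/part1.dwg", 4000, 1000),
    RemoteFile("eng/cad/part2.dwg", 6000, 2000),
    RemoteFile("eng/cad/old/part0.dwg", 3000, 100),       # older than the time filter
    RemoteFile("eng/cad/archive/part3.DWG", 5000, 3000),
    RemoteFile("eng/cad/notes.txt", 100, 3000),           # pattern mismatch
    RemoteFile("eng/cad/huge.dwg", 900000, 3000),         # over the size filter
    RemoteFile("hr/plan.dwg", 4000, 3000),                # outside the root path
]
EDGE_CACHE = {
    "eng/cad/part1.dwg": (4000, 1000),   # current copy
    "eng/cad/part2.dwg": (5500, 1500),   # stale copy
}

if __name__ == "__main__":
    job = Directive("eng/cad", "*.dwg", True, 1, 100000, 500, 12000)
    print(run_preposition(SHARE, dict(EDGE_CACHE), job))
```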

Note

Preposition is only available for CIFS file servers. Preposition populates the DRE cache on
both WAEs involved in the transaction. This ability is useful when users access files that
have changed, as the rebuild of the cache is efficient and high-performance, assuming the
segments that made up the original transfer of the file still exist in the DRE context.
Preposition can also be used as a mechanism for warming the DRE context for other
applications, including web, email, video, database, and others.


Configuring File Preposition

Access sitemap to browse server shares

To create a new preposition directive, navigate to Services > File > Preposition and click the
New icon. To edit an existing preposition directive, click the edit icon next to the desired
preposition task.
File preposition directives are optional and are designed for CIFS file servers only. To
configure file preposition from Central Manager, navigate to Services > File > Preposition.
The Core WAE will use preconfigured privileges to access and retrieve requested files from the
file server. The job definition includes the following information:

Content path and filename pattern

Schedule and job duration

File size limits, modification and creation dates

Maximum cache capacity to consume

Note that a Browse button is provided to help simplify the selection of root share and directory.
Clicking the Browse button causes the Core Server WAE to use preconfigured credentials to
read the share and directory structure from the file server selected. This sitemap allows the
administrator to use the GUI to select the share and directory.
A file name match pattern can be applied in the preposition definition.

File Preposition Sitemap


The sitemap allows you to browse the server share
structure to identify root directories for preposition.

To use the sitemap function, the Core Server must have appropriate privileges to view the share
and directory structure on the server, which is generally accomplished by providing a set of
credentials to the Core Cluster.

Preposition Schedule

The schedule for a preposition job can be configured by navigating to Services > File >
Preposition > (job) > Schedule.
From this window, the administrator specifies the following information:

Job start time

Job execution day, date, and recurrence

Preposition Status
To display preposition status, select
Preposition Status from the table of contents.

Preposition status shows the following information:

WAFS Edge WAEs involved in the job

Start time of the preposition task

Duration of the preposition task in seconds

Amount of data copied in bytes

Status of the job

Reason for completion

Preposition jobs are dependent upon the WAFS Core WAE having the appropriate permissions
to read from the share, directory, and files. Additionally, the files must be unlocked and
available for reading at the time of the preposition task.

Preposition Job Control

Preposition status can be viewed from Central Manager or from the local GUI of the WAFS
Edge WAE. The preposition job is controlled by the Edge WAE, so preposition statistics can
not be viewed on a Core WAE. To examine preposition jobs, navigate to WAFS Edge >
Preposition.
To view or terminate a particular preposition job on an Edge Server, open the Device GUI and
navigate to WAFS Edge > Preposition.
Note

Preposition directives are controlled by the WAFS Edge WAE and not the WAFS Core WAE.

Configuring Print Services


This topic explains how to configure Cisco WAAS print services.

Cisco WAAS Print Services


Many organizations have difficulty consolidating file services
because of the WAN burden that is created by print services
traffic.
Cisco WAAS provides Windows-compatible print services to
eliminate the need for print jobs to traverse the WAN.

[Figure: Data Center (NAS), WAN, and Branch Office (Router); labels: Driver Distribution, JOB, FILE, Print FILE.DOC]

Cisco WAAS provides Windows-compatible print services. Any printer is supported, as the
WAE does not require special software to support a particular printer because it uses Raw mode
queues, and the client handles the rendering. Cisco WAAS printing provides printing to any
user regardless of whether the WAN is connected or disconnected, as it does not need to
integrate into a Windows domain.
Cisco WAAS allocates 1GB of data to the PRINTSPOOL file system. This storage capacity can
not be manually allocated and is shared by all of the print queues. Although this storage
capacity can support a recommended maximum of 100 concurrent queues, 20-25 is the
recommended number for adequate storage allocation per queue, and there is no hard limit or
enforced maximum number of queues that can be defined.
Cisco WAAS supports up to a maximum of 100 concurrent printing users and up to a
maximum of 500 concurrent print jobs. The print job timeout is 60 seconds.
Cisco WAAS print services eliminates the need to leave a server in the branch office to provide
local printing capabilities. Cisco WAAS print services leverages Samba and Common Unix
Printing System (CUPS) to enable branch office printing. By using Cisco WAAS,
Windows-compatible print services can remain in the branch, keeping print jobs from needing to traverse
the WAN.
WAAS print services rely on users configured through the command-line interface (CLI) for
print queue administration and print driver repository administration. No authentication or
authorization is provided for print services, so any user in the remote office can print to a print
queue that is configured on the WAE regardless of whether the WAN is connected or
disconnected.
Cisco WAAS self-authenticates users that are attempting to print, and usernames are
maintained with the active job set. As such, a user can only modify or manipulate their own
jobs using standard Windows printer management tools. Users that authenticate to the print
server using administrative credentials can manipulate any job running on the WAE.
Note

When using WAAS to optimize access to a centralized print server that is not running print
services on the WAE, this configuration is not necessary.

Enabling Edge Print Services

Cisco WAAS print services are a function of the WAFS Edge service. The WAFS Edge service
must be enabled before print services can be enabled and configured.
Print services are enabled through the Edge print server WAE device GUI by navigating to
WAFS Edge > Configuration > Print Services.
On the Print Services panel, click the Print services enabled checkbox, and then click the Save
button at the bottom of the page.
Note

Edge print services do not function unless the WAE is configured as a WAFS Edge WAE,
and the WAFS Edge service is started.

Alternately, print services can be enabled on a WAE configured as a WAFS Edge through the
CLI using the following command sequence:
WAE# configure
WAE(config)# print-services enable
WAE(config)# print-services guest-print enable
Note

All users are able to print to printer queues configured on the WAE print server.

Configuring a Print Administration User

After enabling print services on the WAE, the next step is to configure print administrator users
on each WAE that is running print services. This user and associated credentials are used for
managing the print queues and printers defined on the print server WAEs. It is recommended
that a device group be configured for Print Servers, and that the user be defined within the
context of the device group. This is configured by navigating to Devices > Device Groups >
(Print Server Device Group) > General Settings > Login Access Control > Users.
From the Usernames panel, click the new user icon.
Note

This user is not used for managing the Central Manager printer driver repository.

Define the print administrator user, specify and verify a password, and select the print admin
checkbox. The user privilege is automatically set to super user.
Next, click Submit, and Central Manager propagates the change to the device group.
Note

This print user is used to manage the configuration of print queues and printers on the Edge
WAE print servers. A separate user is configured on the Central Manager for the purposes
of managing the driver repository.

Creating an Edge Print Queue


To configure an edge print queue, open the print services
administration tool from the Edge print server device GUI
by navigating to WAFS Edge > Configuration > Print
Services.

After the Edge print service is enabled, a print queue is configured on the WAE. To perform
this task, navigate to WAFS Edge > Configuration > Print Services and click the Open link.
Any time a new queue is created, the print service must be restarted.
Note

Restarting print services is disruptive to current print operations on the WAE.

From the Print Services Administration panel, click the new icon to create a new print queue, or
click the edit icon next to an existing print queue to modify that queue. If you are prompted to
authenticate, specify the user name and password of the user that is configured on the WAE
print server as a print administrator user.
Note

Do not supply the print driver repository user credentials.

Creating an Edge Print Queue (Cont.)

The Add New Printer panel appears. To add a new printer, specify the following parameters
and click the Submit button:

Printer name

Specify if the printer is a PostScript printer

Location: Specify the physical location of the printer

Description: Specify an additional description of the printer, if desired

Device Uniform Resource Identifier (URI): This is the mechanism by which the WAE
communicates with the printer. This value is supplied by the printer vendor.

Creating a new printer requires a restart of the Edge print services. If you are unsure of which
device URI to use, refer to the documentation supplied with your printer.

Creating an Edge Print Queue (Cont.)


After the Edge print queue is created, it appears in
Central Manager on the printers panel at
Services > Print > Servers > Printers.

After the Edge print queue is created, it is displayed in Central Manager on the Print panel at
Services > Print > Servers > Printers.
All of the configured print queues appear on this panel.
Note

The Central Manager is updated with the status of queues and new queues during the Local
Central Manager (LCM) polling cycle. This process can take a few moments to complete.

Restarting Edge Print Services


Edge print services are restarted by opening the Device
GUI and clicking the Restart Print Server button on the
Print Services page at WAFS Edge > Configuration >
Print Services.

When a new print queue is added, or when a queue becomes jammed, the print server can be
restarted by opening the device GUI and navigating to WAFS Edge > Configuration > Print
Services.
Click the Restart print server button on the Print Services panel to restart the server. Restarting
the print server is disruptive to any jobs that are using other printers managed by the WAE.
Restarting the print server takes less than a minute.

Distributing Printer Drivers


This topic explains how to use Central Manager as a centralized driver repository and describes
how to configure driver upload and distribution.

Print Driver Distribution


Print drivers are uploaded to the Central Manager WAE and then
distributed to edge print servers or groups of devices.
Printer drivers are then accessible at the edge of the network for
local download from PRINT$ share to support Click-N-Print
functionality.

[Figure: Data Center, WAN, and Branch Office, with the steps Upload Drivers, Distribute HP
LaserJet Driver, and Download Driver and PRINT!]

Central Manager can be configured as a repository for print drivers. After it is configured as a
repository, Central Manager can be accessed directly and print drivers can be uploaded to it.
After the drivers have been uploaded, they can then be distributed to Edge print server WAEs.

Configure Print Driver Administration User

The next step is to configure a print driver administration user. This user is used to manage the
driver repository on the Central Manager. To perform this task, navigate to System > AAA >
Users > Account Management.
Note

This is not the same user account that is used for Edge WAE print server queue and printer
administration. Both users can share the same name and credentials if desired, as the print
driver administration user is configured on the Central Manager WAE directly.

Click the new user icon to create the print driver administrator user. Provide a username, and be
sure to select create CLI user and print admin. Notice that the privilege level is automatically
set to 15, indicating super user, when configuring a print administrator. Be sure to provide a
password, and click Submit when finished.
This process creates the print driver administrator user. This user and the associated credentials
are used when connecting to the Central Manager WAE via its UNC path for the purposes of
uploading drivers.

Configuring Print Driver Repository

To configure Central Manager as a print driver repository, navigate within Central Manager to
Services > Print > Repository and click the checkbox for Enable Central Manager as Driver
Repository. Click the Submit button to save your settings.
After the print driver repository is enabled and a print driver administration user is configured,
you can connect to the Central Manager WAE to manage the driver repository.

Uploading Drivers
Connect to Central Manager via the UNC path to upload
and manage drivers:
Start > Run > \\(NetBIOS name of CM WAE)

Connect to the Central Manager by typing in the UNC path from the Run dialog box in
Windows. When prompted for credentials, supply the credentials of the print driver
administration user. Next, double-click the Printers and Faxes entry from the \\WAAS-CM
panel.
Alternately, a session can be established to the print server prior to uploading drivers, by
issuing the following command from the command line:
C:\> net use \\(NetBIOS name of CM WAE) /user:(print admin)

Where:

print admin is the username of the print driver repository administrator

You will be prompted for the password for this account.


Note

When prompted, supply the credentials of the print driver repository administrator, and not
the credentials for the Edge WAE print server administrator.

Uploading Drivers (Cont.)


To access the server properties on Central Manager:
Right-click in the explorer window and select Server Properties
Click File and then click Server Properties

After connecting to Central Manager, right-click anywhere in the workspace area of the
explorer window and select Server properties from the menu, or select File and then Server
Properties to accomplish the same task.
Note

Do not use the Add Printer icon, as a printer is not being added. It is only necessary to
upload drivers, so Server Properties must be used.

Uploading Drivers (Cont.)


From the server properties page, click Drivers to display a list of
available drivers in the Central Manager.
Click Add to add additional print drivers through the Add Print
Driver wizard.

When the server properties page appears, click the drivers tab. A list of all of the drivers
installed on the Central Manager is displayed. From this panel, you can remove drivers,
reinstall drivers, examine driver properties, or add drivers.
Click the Add tab to open the Add Printer Driver Wizard dialog box. Follow the wizard to
identify the drivers you want to upload. At the conclusion of this process, the wizard uploads
the drivers for you.
If the server properties window does not give you permissions to control the drivers that are
available on the Central Manager, you might be connected to the Central Manager using
credentials that are not those of the print driver repository administrator.
To correct this situation, open a command prompt, and delete the session to the Central
Manager using the following command:
C:\> net use \\(NetBIOS name of Central Manager WAE) /delete

This command deletes the session. Next, establish a new session to the Central Manager using
the following command:
C:\> net use \\(NetBIOS name of Central Manager WAE) /user:(user name)

Where:

user name is the name of the print driver repository administrator

Central Manager prompts you for a password for this account and then establishes the new
session.

Uploading Drivers (Cont.)


When finished, the print drivers appear in Central
Manager at Services > Print > Drivers.

After the drivers have been uploaded, they can be viewed through Central Manager by
navigating to Services > Print > Drivers.
Print drivers can be distributed from Central Manager to individual devices or to entire Device
Groups. To distribute a driver, open the driver from within Central Manager by navigating to
Services > Print > Drivers. Next, select a driver by clicking the edit icon next to the desired
entry.

Distributing Print Drivers (Cont.)


To select the device or device group to which to distribute
the driver, click the blue X and the Submit button.

From the driver properties page, a driver can be distributed to individual print servers or to
entire device groups.

Distributing Print Drivers (Cont.)


The Central Manager uses File Transfer Protocol (FTP)
to distribute the print driver to the appropriate
destinations. Driver distribution status can be monitored
at Services > Print > Servers.

After clicking the Submit button, the Edge WAE print server FTPs to the Central Manager and
downloads the drivers from the hidden PRINT$ share on the Central Manager. The status of
this distribution can be tracked by navigating to Services > Print > Servers.
Note that this table provides information on the following quantities:

Number of installed printers

Number of distributed drivers (completed)

Number of drivers awaiting distribution (pending)

Number of drivers currently being distributed (in process)

Number of drivers that did not distribute successfully.

To view additional details on the drivers that are being installed and distributed, click the edit
icon next to the name of the desired print server.

Distributing Print Drivers (Cont.)


Examine an individual print server to see which drivers
have been successfully distributed, and which are in
progress, and which have failed:
Go to Services > Print > Servers > Drivers.

This screen displays additional information on an individual print server WAE. Click the failed
download icon to repeat the download process for drivers that did not download correctly.

Distributing Print Drivers (Cont.)


After a driver has been distributed, it is listed on the print
server driver home page at Services > Print > Servers.

On-screen counters and status values change as each driver is successfully distributed.

Distributing Print Drivers (Cont.)


Print driver download can also be configured at:
Devices > (device name) > Print Services > Download Drivers

The WAE device home page can also be used to select print drivers for download. Be sure
advanced settings are displayed, and navigate to Print Services > Download Drivers.

Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
Cisco WAAS provides CIFS acceleration services such as latency reduction, data
caching, and metadata caching to provide LAN-like access to centralized file
server or NAS storage.
Configuring Cisco WAAS file services includes policy configuration, service
configuration, and directive configuration.
Prepositioning is a tool that helps to distribute content to an edge cache based on
a schedule and is useful in environments that make use of engineering packages,
imaging and multimedia, and software distribution environments.
Print services configuration includes enabling the WAFS Edge service, enabling
the print service, and configuring the service, administrative users, driver
repository, and print queue.
Two user accounts are required for print services administration; one is for printer
administration on the WAEs, and one is used for Central Manager driver
repository

Module Summary
This topic summarizes the key points that were discussed in this module.

Module Summary
One of two device modes must be specified on each Cisco WAE in the
WAAS topology: application accelerator or Central Manager.
Cisco WAE devices interact with the network either as an in-path device
or as an off-path device, using network interception techniques such as
WCCPv2, PBR, or ACE.
The Cisco WAAS Central Manager provides holistic system and device
management, configuration, and reporting capabilities, along with policy
and service management for WAN optimization, application acceleration,
and print services.
Central Manager device groups streamline the configuration and
management of a large number of WAE devices.
Cisco WAAS Application Traffic Policies enable flexible, prioritized
configuration of WAN optimization capabilities.
Configuring Cisco WAAS file services includes policy configuration,
service configuration, and directive configuration.
In this module, you learned how to configure Cisco WAAS, integrate WAAS into the network
through traffic interception, centrally manage WAAS using the Central Manager secure web
GUI, and configure traffic policies for WAN optimization and application acceleration.

Module Self-Check
Use the questions here to review what you learned in this module. The correct answers and
solutions are found in the Module Self-Check Answer Key.
Q1) Which configuration mode would you use if the WAE is directly-attached to the router
but the WAE VLAN is non-routable? (Source: Configuring WAE Interfaces)
A) Off-router, One-arm
B) Off-router, Two-arm
C) On-router, One-arm
D) On-router, Two-arm

Q2) Which configuration mode would allow for higher levels of WAFS performance for
users that are Layer 2-adjacent to one of the WAE interfaces? (Source: Configuring
WAE Interfaces)
A) One-arm
B) Two-arm
C) Active-Standby
D) DRE

Q3) Which two of the following WCCP service groups are used by Cisco WAAS? (Choose
2.) (Source: Configuring WCCPv2)
A) 60
B) 61
C) 62
D) 63

Q4) A device has recently registered against Central Manager. What must be done before
the device can be used? (Source: Activating WAAS Devices)
A) Specify primary interface
B) Assign IP address
C) Specify device group
D) Activate devices

Q5) How many standby Central Manager WAEs can be configured? (Source: Configuring
High Availability)
A) 1
B) 2
C) 3
D) 4

Q6) Which commonly-used Central Manager system setting specifies the frequency of
configuration data exchanges? (Source: Central Manager System Settings)
A) system.datafeed.Pollrate
B) system.healthmonitor.Collectrate
C) system.monitoring.Collectrate
D) All of the above

Q7) What is the purpose of application definitions? (Source: Creating Application
Definitions)
A) To specify the traffic associated with an optimization
B) To provide grouping for statistics and monitoring
C) To differentiate priority on a congested link
D) To specify the traffic associated with a port number

Q8) Which four of the following are valid, configurable parameters within an application
classifier? Choose four. (Source: Using Traffic Classifiers)
A) source TCP port or range
B) source User Datagram Protocol (UDP) port or range
C) source IP protocol
D) destination IP address or range
E) destination TCP port or range
F) destination UDP port or range
G) source IP address or range

Q9) What is the purpose of a policy map? (Source: Using Policy Maps)
A) To associate a classifier to an optimization and an application definition
B) To provide grouping for statistics and monitoring
C) To differentiate priority and policy on a congested link
D) To specify the traffic associated with a port number

Q10) Which WAAS feature simplifies configuration of optimization? (Source: Default
Application Traffic Policy)
A) Auto discovery
B) Device GUI
C) Default Policy
D) Auto learning

Q11) Which two of the following traffic policies are used by WAFS? Choose two. (Source:
Configuring Adaptor Policies)
A) WAFS Terminate
B) Connectivity Directive
C) WAFS Accept
D) WAFS Transport

Q12) What is the purpose of the EPM adaptor? (Source: Configuring Adaptor Policies)
A) To specify the traffic associated with an optimization
B) To provide grouping for statistics and monitoring
C) To differentiate priority on a congested link
D) To identify an application's dynamically assigned port number

Q13) Which command shows the load level offered to each of the acceleration services?
(Source: Monitoring Optimized Connections)
A) show tfo accelerators
B) show statistics dre
C) show tfo connection
D) show accelerator load

Q14) Which command shows the connections that are optimized and how they are
optimized? (Source: Monitoring Optimized Connections)
A) show tfo accelerators
B) show connection optimize
C) show tfo connection
D) show accelerator load

Q15) Which command shows global DRE statistics? (Source: Monitoring Optimized
Connections)
A) show global dre
B) show statistics dre
C) show tfo dre statistics
D) show accelerator load

Q16) What optimizations for file services protocols does WAAS provide? (Source: WAAS
Optimizations for File Protocols)
A) Protocol proxy
B) Data cache
C) Meta data cache
D) Intelligent read-ahead
E) Operation batching
F) Message prediction
G) Preposition
H) Disconnected mode
I) All of the above

Q17) What is the minimum number of WAEs that must be in a core cluster for WAFS to
work? (Source: Configuring WAAS File Services)
A) 1
B) 2
C) 3
D) 4

Q18) What is the purpose of the connectivity directive? (Source: Configuring WAAS File
Services)
A) To define which users can access the share
B) To define which WAEs can access the share
C) To define which WAEs can communicate and file servers to optimize
D) To define which files to pin in the cache

Q19) How does WAAS handle a brief WAN outage of less than 90 seconds? (Source:
Disconnected Mode of Operations)
A) The user session is disconnected and reconnected immediately
B) The user session is disconnected and reconnected after the document change
C) The user session is disconnected and reconnected manually
D) The disruption is masked and the user is not impacted

Q20) What level of access does WAAS file server disconnected mode provide? (Source:
Disconnected Mode of Operations)
A) Read-only
B) Read-write
C) Local file server
D) Asynchronous write-back

Q21) What is a common usage scenario for WAAS file preposition? (Source: Using
Prepositioning)
A) Software distribution environments
B) CAD/CAM environments
C) Medical imaging environments
D) Software development environments
E) All of the above

Q22) What must be configured for print services and driver distribution to work properly?
(Source: Distributing Drivers)
A) WAFS Edge service
B) Print administrator user
C) Print driver administrator user
D) All of the above

Q23) How many versions of a print driver can exist in the repository at any one time?
(Source: Distributing Drivers)
A) 1
B) 2
C) 3
D) 4

Q24) When an administrator uploads a driver directly to an Edge WAE, how long does it
take before the driver appears in the Central Manager repository? (Source: Distributing
Drivers)
A) One polling cycle
B) Two polling cycles
C) Immediately
D) Never

Module Self-Check Answer Key


Q1)
Q2)
Q3) B,C
Q4)
Q5)
Q6)
Q7)
Q8) A,D,E,G
Q9)
Q10)
Q11) C,D
Q12)
Q13)
Q14)
Q15)
Q16)
Q17)
Q18)
Q19)
Q20)
Q21)
Q22)
Q23)
Q24)

Module 4

Troubleshooting Cisco WAAS


Overview
This module describes how to troubleshoot Cisco Wide Area Application Services installations,
including platform and network connectivity issues, network interception issues, WAN
optimization issues, and application acceleration issues.

Module Objectives
Upon completing this module, you will be able to describe how to troubleshoot Cisco WAAS
installations, including platform and network connectivity issues, network interception issues,
WAN optimization issues, and application acceleration issues. This includes being able to meet
these objectives:

Identify key tools and steps for troubleshooting Cisco WAAS deployments

Explain how to troubleshoot network interception

Describe the process of troubleshooting WAN optimization

Describe the process of troubleshooting application acceleration

Lesson 1

Introduction to Troubleshooting
Overview
This lesson provides an introduction to troubleshooting Cisco WAAS, including common
issues, device liveliness, management services, reporting, and device logs.

Objectives
Upon completing this lesson, you will be able to identify key tools and steps for
troubleshooting Cisco WAAS deployments. This includes being able to meet these objectives:

Describe the process of troubleshooting Cisco WAAS

Identify the common issues that are encountered in Cisco WAAS deployments

Explain how to validate WAE platform liveliness and connectivity

Describe the process of troubleshooting Cisco WAAS management services

Describe Cisco WAE reporting and notification capabilities

Troubleshooting Workflow
This topic defines a workflow that can be followed while troubleshooting Cisco Wide Area
Application Services (WAAS). This workflow is referred to in other lessons in this module as
well.

Troubleshooting Workflow
Validate platform liveliness including management services,
examine common issues, and understand system log files
and locations
Validate network interception and automatic discovery to
ensure that traffic is received and handled by the WAEs
within the Cisco WAAS network
Examine WAN optimization features relative to optimized
connections, optimization policy, statistics, and log files and
locations
Examine application acceleration features relative to
optimized sessions, configured policies, features, statistics,
and log files and locations
The first step in troubleshooting Cisco WAAS is to examine the system for commonly
encountered issues, verify that devices are online and reachable, ensure that management
services are configured correctly, and examine system log files. The framework listed in the
figure is used in the remainder of the lessons in this module to provide a consistent model for
troubleshooting Cisco WAAS.

Troubleshooting Workflow (Cont.)


Validate platform liveliness including management
services, examine common issues, and understand
system log files and locations.
Examine common issues with Cisco WAAS
Validate platform liveliness and connectivity
Troubleshoot management services issues
Examine device system reports, error logs, and notifications

In this lesson, you learn how to validate platform liveliness including management services,
understand commonly encountered issues, and use system log files such as the system report to
understand system behavior.

Common Issues
This topic examines the common issues that are encountered in Cisco WAAS deployments,
symptoms of each, and resolution for each.

Common Issue #1: Poor Performance


Poor performance is characterized as situations where
Cisco WAAS shows connections being optimized but
performance is lackluster.
Performance problems are commonly caused by WAE
devices with interfaces that have been configured with
or negotiated to half-duplex.
Always check duplex end-to-end, including WAEs,
switches, routers, WAN devices (including emulators),
firewalls, and servers.
Statically configure full-duplex in Fast Ethernet
environments, and use autosense for Gigabit Ethernet
environments.
The most commonly encountered issue is when the system is configured correctly, traffic is
being intercepted and optimized, yet performance is poor. This can be caused by a number of
factors, but is most commonly caused by having a node somewhere between the client and the
server configured for half-duplex (or auto-negotiated to half-duplex). Duplex should be
examined end-to-end, which means everything including:

Client PCs

Servers

Switches

Routers

WAN emulation devices (if present)

Wide Area Application Engine (WAE) devices

This issue is so pervasive that it should be considered the first place to look when experiencing
poor performance, and should not be overlooked under any circumstances.
Note

By default, Cisco WAEs automatically detect link speed and duplex. It is a
best practice to statically set the duplex to full when working with a Fast Ethernet switch, and
to set the interface into autosense mode when using Gigabit Ethernet (as half-duplex is not a
valid configuration).

Common Issue #1: Duplex


EDGE1# sh int gigabitEthernet 1/0
Type:Ethernet
Ethernet address:00:11:25:AC:3C:5C
Internet address:1.1.1.2
Broadcast address:1.1.1.255
Netmask:255.255.255.0
Maximum Transfer Unit Size:1500
Metric:1
Packets Received: 8730
Input Errors: 0
Input Packets Dropped: 0
Input Packets Overruns: 0
Input Packets Frames: 0
Packet Sent: 8468
Output Errors: 0
Output Packets Dropped: 0
Output Packets Overruns: 0
Output Packets Carrier: 0
Output Queue Length:1000
Collisions: 0
Base address:0x2000
Flags:UP BROADCAST MULTICAST
Mode: half-duplex, 100baseTX

Examine each interface participating in optimization using the CLI
show interface command.
Ensure that each interface has either been statically configured for full
duplex or otherwise negotiated to full duplex.

The show interface command displays configuration data and statistical data about an
interface. Note that the last two entries in the output of this command show the state of the
interface and the mode that the interface is operating in. If the interface is operating at half-duplex due to negotiation, an alarm is sent via syslog and Simple Network Management
Protocol (SNMP) to notify the administrator. If the interface is operating at half-duplex due to
administrative configuration, no alarm is raised.
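
Because a statically configured half-duplex interface raises no alarm, the show interface output has to be checked directly. The following script is an added example, not part of the course material: it parses the "Key: value" lines shown above and flags half-duplex links and non-zero error counters. The two samples labelled as constructed, and the function names, are assumptions made for illustration.

```python
import re

# Counters in the WAE "show interface" output that should stay at zero on a clean link.
ERROR_COUNTERS = (
    "Input Errors", "Input Packets Dropped", "Input Packets Overruns",
    "Input Packets Frames", "Output Errors", "Output Packets Dropped",
    "Output Packets Overruns", "Output Packets Carrier", "Collisions",
)

# The EDGE1 output from this page, abridged.
EDGE1_GIG_1_0 = """\
EDGE1# sh int gigabitEthernet 1/0
Type:Ethernet
Ethernet address:00:11:25:AC:3C:5C
Internet address:1.1.1.2
Packets Received: 8730
Input Errors: 0
Packet Sent: 8468
Output Errors: 0
Collisions: 0
Flags:UP BROADCAST MULTICAST
Mode: half-duplex, 100baseTX
"""

# Constructed samples (not from the page): a healthy link and a link with error counters.
CONSTRUCTED_HEALTHY = """\
Type:Ethernet
Input Errors: 0
Collisions: 0
Flags:UP BROADCAST MULTICAST
Mode: full-duplex, 1000baseTX
"""

CONSTRUCTED_ERRORS = """\
Type:Ethernet
Input Errors: 212
Input Packets Frames: 97
Collisions: 1544
Flags:UP BROADCAST MULTICAST
Mode: half-duplex, 100baseTX
"""


def parse_show_interface(output):
    """Return the 'Key: value' lines as a dict, splitting on the first colon only."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def audit_interface(output):
    """Return a list of findings for one interface; an empty list means nothing to fix."""
    fields = parse_show_interface(output)
    findings = []
    if "UP" not in fields.get("Flags", "").split():
        findings.append("interface is not UP")
    mode = fields.get("Mode", "")
    duplex = re.search(r"\b(half|full)-duplex\b", mode)
    speed = re.search(r"\b(\d+)base", mode)
    if duplex is None:
        findings.append("duplex not reported in Mode line")
    elif duplex.group(1) == "half":
        detail = f" at {speed.group(1)} Mb/s" if speed else ""
        findings.append(
            f"half-duplex{detail}: set full duplex statically on Fast Ethernet, "
            "use autosense on Gigabit Ethernet"
        )
    for name in ERROR_COUNTERS:
        value = fields.get(name, "")
        if value.isdigit() and int(value) > 0:
            findings.append(f"{name} = {value}")
    return findings


def audit_all(outputs):
    """Map interface label -> findings, keeping only interfaces that need attention."""
    report = {}
    for label, output in outputs.items():
        findings = audit_interface(output)
        if findings:
            report[label] = findings
    return report


if __name__ == "__main__":
    samples = {
        "EDGE1 1/0": EDGE1_GIG_1_0,
        "constructed-healthy": CONSTRUCTED_HEALTHY,
        "constructed-errors": CONSTRUCTED_ERRORS,
    }
    for label, findings in audit_all(samples).items():
        for finding in findings:
            print(f"{label}: {finding}")
```

The same check applies to the output collected from every device on the path, since duplex has to be verified end-to-end.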

Common Issue #2: Off-path and Subnets


Cisco WAEs that are deployed off-path must be
deployed on dedicated subnets due to transparency
and redirection filtering.
WAEs must be deployed in such a way that the native
routing path causes traffic to traverse the WAE devices.

When Cisco WAE devices are deployed off-path, and interception such as Cisco Web Cache
Communication Protocol Version 2 (WCCPv2), policy-based routing (PBR), or Cisco
Application Control Engine (ACE) is configured, the WAE must be deployed on a separate
subnet, that is, not on the same subnet as users or servers. This is required, because the packets
leaving the WAE that are optimized have the same header information as the unoptimized
packets. Interfaces adjacent to the WAE must be configured in such a way that they are
excluded from further redirection, so that the traffic is not continuously routed back to the
WAE. If the Cisco WAE is deployed off-path and in the same subnet or VLAN as the users or
the servers, common issue #3 will be encountered.
Note

Cisco WAE devices that are deployed in-path do not need such consideration.

Common Issue #3: Black Hole


Misconfiguration of network interception for off-path
WAE devices can lead to traffic being black-holed.
Distant devices are able to respond to a ping request,
but no application traffic can pass.
This is commonly caused by incorrect assignment of
WCCP service groups or by neglecting to use the ip
wccp redirect exclude in command on WCCP server
devices adjacent to WAEs.

An extension to common issue #2, common issue #3 is a virtual black hole, whereby Internet
Control Message Protocol (ICMP) messages (pings) are able to pass, but application traffic is
not able to pass through a location where network interception is configured to support off-path
Cisco WAE devices. This can be because of common issue #2 (WAE deployed on the same
subnet or VLAN as the users or servers) or because the network interception (WCCPv2, PBR,
ACE) is not configured correctly.
Always ensure that off-path WAEs are deployed on a subnet that is separate from users and
servers. When using WCCPv2, ensure that the interface adjacent to the WAEs (on the
WCCPv2 server device) is configured with the ip wccp redirect exclude in command to
ensure that packets returning on that interface (from a WAE) are not immediately redirected
again.
In the case where ping is successful but application traffic is not, recall that WCCPv2 when
used by WAAS only redirects TCP traffic to the WAE. Ping uses ICMP, and as such, is not
redirected.


Common Issue #4: WCCPv2 Performance and Stability


Legacy IOS versions might contain unresolved bugs that could
impact performance or stability in WCCPv2 environments. Validate
IOS versions on WCCP server devices and use recommended IOS
versions.

IOS Routers

Major Version   M Train     T Train
12.1            12.1(14)    12.1(3)T
12.2            12.2(26)    12.2(8)T0c
12.3            12.3(13)    12.3(14)TS
12.4            12.4(10)    12.4(9)T1

Switches

Platform                                  Version
Catalyst 6500, Supervisor 1a or 2         12.1(27)E
Catalyst 6500, Supervisor 32              12.1(27)E
Catalyst 6500, Supervisor 720 (Native)    12.2(18)SXF5
Catalyst 6500, Supervisor 720 (Hybrid)    12.2(31)SG

Common issue #4 is related to WCCPv2 performance and stability. Generally speaking,
WCCPv2 is a very stable and high-performance means of intercepting and redirecting traffic
from a WCCPv2 server (that is, a router) to a WCCPv2 client (that is, a WAE). However,
there are recommended minimum versions of IOS that should be used when working with
WCCPv2 and WAAS to ensure a high-performance and stable deployment environment. The
figure shows recommended versions based on major version and hardware platform.
It is possible to use a version that is lower than the one recommended on this list. However, the
versions displayed in this list are recommended based on known bugs in WCCPv2 that would
make a deployment less conducive to performance or stability.
Note

If using WCCPv2 with Cisco WAAS, it is strongly recommended that you use this table
during the design phase to ensure that devices where WCCPv2 will be configured are at an
appropriate IOS version. If the IOS version cannot be upgraded, another interception
mechanism should also be strongly considered.

Platform Liveliness and Connectivity


This topic explains how to examine the WAE appliance and network module to ensure that the
device is online and available on the network.

Validate WAE Liveliness


Check the following to verify the liveliness of a WAE and
the NME-WAE module installed within an ISR router:
Is the NME-WAE properly inserted and recognized by the router
(includes module insertion and IOS version)?
Is there network connectivity via the router internal interfaces to
the NME-WAE?
Can the WAE reach its default gateway and other devices on the
network, such as the Central Manager?


When optimization is not occurring or not occurring correctly, the first thing to do is to
understand the network path being taken by the client and the server for the exchange in
question. Identify each of the WAEs in the network path between the client and the server, and
verify from each WAE that it is online and network connectivity is present.
For NME-WAE network modules installed in an integrated services router (ISR):

Verify that the network module is properly inserted

Verify that the network module is recognized by the router

Verify that the network module is running a version of IOS that recognizes the NME-WAE

Verify connectivity between the network module and the router internal interface

For the NME-WAE and appliances both:

Verify connectivity to the default gateway

Verify connectivity beyond the default gateway

Verify connectivity to both of the end nodes

If you are unable to reach the default gateway or beyond the default gateway, check the IP
address configuration, subnet mask, interface configuration and state, switch port configuration,
VLAN configuration, and routing.


Verify that the NME-WAE Is Recognized


Examine the hardware configuration of the router (can also use show ver).
Verify that the IOS version supports the NME-WAE.
Verify that the NME-WAE is recognized by the router.

R2821-edge# show hardware
Cisco IOS Software, 2800 Software (C2800NM-ENTBASEK9-M), Version
12.4(9)T1, RELEASE SOFTWARE (fc2)
(portions removed)
Cisco 2851 (revision 53.51) with 243712K/18432K bytes of memory.
Processor board ID FTX1029A114
2 Gigabit Ethernet interfaces
1 terminal line
1 cisco Integrated Service Engine(s)
Cisco Wide Area Application Services Software 4.0.5 (Dec 29 2006
21:03) in slot 1
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

The show hardware command on an ISR with the NME-WAE installed can be useful for
verifying that the network module is properly inserted, recognized, and configured with the
correct version of software. An example of the output is partially shown in the figure, and
shown in full here:
R2821-edge# show hardware
Cisco IOS Software, 2800 Software (C2800NM-ENTBASEK9-M), Version
12.4(9)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 30-Aug-06 16:22 by prod_rel_team
ROM: System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE
(fc1)
R2821-edge uptime is 7 weeks, 4 days, 5 hours, 37 minutes
System returned to ROM by power-on
System restarted at 22:29:34 UTC Wed Nov 29 2006
System image file is "flash:c2800nm-entbasek9-mz.124-9.T1.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are
unable to comply with U.S. and local laws, return this product
immediately.
A summary of U.S. laws governing Cisco cryptographic products can be
found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email
to export@cisco.com.
Cisco 2851 (revision 53.51) with 243712K/18432K bytes of memory.
Processor board ID FTX1029A114
2 Gigabit Ethernet interfaces
1 terminal line
1 cisco Integrated Service Engine(s)
Cisco Wide Area Application Services Software 4.0.6 (b150 Jan 20 2007
20:15:42) in slot 1
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of nonvolatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102


Verify Internal Interfaces


R2821-edge# show run
Building configuration...
!
!
interface Integrated-Service-Engine1/0
 ip address 10.10.1.1 255.255.255.0
 ip wccp redirect exclude in
 service-module ip default-gateway 10.10.1.1
 service-module ip address 10.10.1.2 255.255.255.0
!

[Figure: Cisco Integrated Services Router between the LAN and the WAN, showing the Service Module internal interface, the Service Module interface, and the Cisco NME-WAE Network Module.]

R2821-edge# service-module integrated-Service-Engine 1/0 status
Service Module is Cisco Integrated-Service-Engine1/0
Service Module supports session via TTY line 66
Service Module is in Steady state
Getting status from the Service Module, please wait..
Cisco Wide Area Application Services Software 4.0.6 (b60 Dec 29 2006 21:03:33)
Restarted at Sat Dec 30 17:54:14 2006

Examine the running configuration of the ISR to look for network configuration errors that
could prevent the NME-WAE from performing optimization. Recall that the ISR has an
internal interface that is adjacent to the NME-WAE service module, which should be
configured as the NME-WAE's default gateway. The interface Integrated-Service-Engine is
where the NME-WAE network configuration is applied, as shown in the figure.
R2821-edge# show run
!
! (portions removed)
!
interface Integrated-Service-Engine1/0
 ip address 10.10.100.1 255.255.255.0
 ! this is the IP address of the interface adjacent to the NME-WAE
 ip wccp redirect exclude in
 ! should always be added to the NME-WAE internal interface
 service-module ip address 10.10.100.2 255.255.255.0
 ! the IP address of the network module itself
 service-module ip default-gateway 10.10.100.1
 ! the default gateway of the network module, should be identical to
 ! the interface IP address
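
The checks on the internal interface described above, together with the ip wccp redirect exclude in requirement from common issue #3, can be run against a saved copy of show run. The following Python is an added example and is not part of the original course material; the function names, finding labels, and the constructed sample configurations are assumptions.

```python
import ipaddress
import re

# Constructed sample: the stanza from the text plus an unrelated LAN interface.
GOOD_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
!
interface Integrated-Service-Engine1/0
 ip address 10.10.100.1 255.255.255.0
 ip wccp redirect exclude in
 service-module ip address 10.10.100.2 255.255.255.0
 service-module ip default-gateway 10.10.100.1
!
"""

# Constructed sample: exclusion missing and the gateway points at another subnet.
BAD_CONFIG = """\
interface Integrated-Service-Engine1/0
 ip address 10.10.100.1 255.255.255.0
 service-module ip address 10.10.100.2 255.255.255.0
 service-module ip default-gateway 10.10.1.1
!
"""


def parse_interfaces(config_text):
    """Return {interface name: [sub-commands]} from 'show run' text."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!":
            current = None  # a bare "!" closes the stanza
        elif line and not line.startswith("!") and current is not None:
            stanzas[current].append(line)
    return stanzas


def audit_service_module(config_text):
    """Return sorted (interface, finding) pairs for NME-WAE internal interfaces."""
    findings = []
    for name, cmds in parse_interfaces(config_text).items():
        if not name.lower().startswith("integrated-service-engine"):
            continue
        router_if = module_if = gateway = None
        for cmd in cmds:
            if m := re.fullmatch(r"ip address (\S+) (\S+)", cmd):
                router_if = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
            elif m := re.fullmatch(r"service-module ip address (\S+) (\S+)", cmd):
                module_if = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
            elif m := re.fullmatch(r"service-module ip default-gateway (\S+)", cmd):
                gateway = ipaddress.ip_address(m[1])
        # Without the exclusion, packets returning from the WAE are redirected again.
        if "ip wccp redirect exclude in" not in cmds:
            findings.append((name, "missing-redirect-exclude"))
        if router_if is None or module_if is None:
            findings.append((name, "addressing-incomplete"))
            continue
        # The module must sit on the internal interface's subnet with its own address.
        if module_if.ip not in router_if.network or module_if.ip == router_if.ip:
            findings.append((name, "module-address-invalid"))
        # The module's default gateway should be the internal interface address.
        if gateway != router_if.ip:
            findings.append((name, "gateway-mismatch"))
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit_service_module(text))
```

The parser accepts both indented output and the unindented form in which the configuration is printed in this text.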


Verify Internal Interfaces (Cont.)


Examine the internal service engine interface and ensure it is up/up.
Verify the IP address and other network configuration details.
Verify that interface counters are incrementing and no errors are being reported.

R2821-edge# show interface Integrated-Service-Engine 1/0
Integrated-Service-Engine1/0 is up, line protocol is up
Hardware is BCM5703, address is 000a.b82e.21a0 (bia 000a.b82e.21a0)
Internet address is 10.10.100.1/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not set
Full-duplex, 1000Mb/s, link type is force-up, media type is internal
Last clearing of "show interface" counters never
5 minute input rate 1000 bits/sec, 2 packets/sec
5 minute output rate 0 bits/sec, 1 packets/sec
6498418 packets input, 1201358567 bytes, 0 no buffer
Received 53148 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 44311 multicast, 0 pause input
6659352 packets output, 4073318680 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out

The show interface Integrated-Service-Engine command can be used to verify that the
interface adjacent to the network module is operational and configured properly. Verify that the
network configuration is correct and permitting packets to flow from the network module
through the router:
R2821-edge# show interface Integrated-Service-Engine 1/0
Integrated-Service-Engine1/0 is up, line protocol is up
Hardware is BCM5703, address is 000a.b82e.21a0 (bia 000a.b82e.21a0)
Internet address is 10.10.100.1/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not set
Full-duplex, 1000Mb/s, link type is force-up, media type is internal
output flow-control is XON, input flow-control is XON
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:20, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/512 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
10143177 packets input, 1633482832 bytes, 0 no buffer
Received 91837 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 76535 multicast, 0 pause input
0 input packets with dribble condition detected
9954042 packets output, 1285373698 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out

Validate WAE Network Connectivity


Establish a console session to the WAE network module.
Be sure to validate connectivity to the default gateway (router) and through the network for both
directions of traffic flow!

R2821-edge# service-module integrated-Service-Engine 1/0 session
Trying 10.10.100.1, 2066 ... Open
Cisco Wide Area Application Services Engine Console
Username: admin
Password:
System Initialization Finished.
EDGE-NM# ping 10.10.100.1
PING 10.10.100.1 (10.10.100.1) from 10.10.100.2 : 56(84) bytes of data.
64 bytes from 10.10.100.1: icmp_seq=0 ttl=255 time=467 usec
--- 10.10.100.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/mdev = 0.409/0.438/0.467/0.029 ms
EDGE-NM# ping 10.10.10.10
PING 10.10.10.10 (10.10.10.10) from 10.10.100.2 : 56(84) bytes of data.
64 bytes from 10.10.10.10: icmp_seq=0 ttl=62 time=83.315 msec
--- 10.10.10.10 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/mdev = 83.315/98.378/113.442/15.066 ms

The service-module integrated-service-engine x/y session command can be used to establish
a console session to the NME-WAE. This is, in effect, identical to attaching a serial cable to the
back of a WAE appliance and connecting to it using terminal software such as HyperTerminal.
From within the NME-WAE console, verify that you can:

Reach the router's internal interface adjacent to the NME-WAE

Reach a device on another subnet that the router is attached to directly

Reach another device beyond the router

Reach the Cisco WAAS Central Manager WAE

Always be sure to verify network connectivity in both directions of traffic flow, for example,
from the Cisco WAAS Central Manager WAE back to the NME-WAE.


PortChannel Interface Verification


For WAEs configured with interfaces bundled in a
PortChannel, validate that the interface is online and
usable:
Are both of the interfaces up and online? Validate interface
configuration and cabling.
Is the PortChannel up and online? Validate that child interfaces
are bound to the channel-group and enabled.
Can the WAE ping the PortChannel interface and also the default
gateway? Validate interface configuration, channel group, default-gateway
configuration, VLAN, and switchport configurations.
Can you ping a distant (nonadjacent) device from the
PortChannel interface? Validate routing.

When a PortChannel is configured, the physical interfaces assigned to the PortChannel do not
have an IP configuration applied to them. Instead, the IP configuration is applied to the
PortChannel interface, and each of the physical interfaces is configured as a member of
the PortChannel using the channel-group command.
When a PortChannel is configured, verify that the physical interfaces are up and online, and
configured as members of the PortChannel:
EDGE1# sh int portChannel 1
!
(portions removed)
!
Interface PortChannel 1 (2 physical interface(s)):
GigabitEthernet 1/0 (active)
GigabitEthernet 2/0 (inactive)

Verify that the PortChannel interface is UP and online. If the interface is down, either the
member interfaces are both down, or the PortChannel interface itself is down. Enabling a
PortChannel interface is identical to enabling a physical interface; use the no shutdown
command.
EDGE1# sh int portChannel 1
Interface PortChannel 1 (2 physical interface(s)):
GigabitEthernet 1/0 (active)
GigabitEthernet 2/0 (inactive)
--------------------
Type:Ethernet
Ethernet address:00:11:25:AC:3C:5C
Internet address:1.1.1.2
Broadcast address:1.1.1.255
Netmask:255.255.255.0
Maximum Transfer Unit Size:1500
Metric:1
Packets Received: 10442
Input Errors: 0
Input Packets Dropped: 0
Input Packets Overruns: 0
Input Packets Frames: 0
Packet Sent: 10215
Output Errors: 0
Output Packets Dropped: 0
Output Packets Overruns: 0
Output Packets Carrier: 0
Output Queue Length:0
Collisions: 0
Flags:UP BROADCAST RUNNING MASTER MULTICAST

The following shows an example configuration where a PortChannel is properly configured:


EDGE1# sh run
!
(portions removed)
!
primary-interface PortChannel 1
!
interface PortChannel 1
ip address 1.1.1.2 255.255.255.0
exit
!
interface GigabitEthernet 1/0
channel-group 1
exit
interface GigabitEthernet 2/0
channel-group 1
exit
!

Notice that the PortChannel interface has an IP configuration, but the physical interfaces do
not. When examining the physical interfaces using the show interface command, it should be
noted that the IP configuration of the PortChannel is inherited:
EDGE1# sh int gigabitEthernet 1/0
!
(portions removed)
!
Type:Ethernet
Ethernet address:00:11:25:AC:3C:5C
Internet address:1.1.1.2
Broadcast address:1.1.1.255
Netmask:255.255.255.0
Maximum Transfer Unit Size:1500
Flags:UP BROADCAST RUNNING SLAVE MULTICAST
Mode: autoselect, full-duplex, 1000baseTX

EDGE1# sh int gigabitEthernet 2/0
!
(portions removed)
!
Type:Ethernet
Ethernet address:00:11:25:AC:3C:5C
Internet address:1.1.1.2
Broadcast address:1.1.1.255
Netmask:255.255.255.0
Maximum Transfer Unit Size:1500
Flags:UP BROADCAST SLAVE MULTICAST
Mode: autoselect

After you have verified that the PortChannel is online and operational, verify network
connectivity to an adjacent node. If the adjacent node is not reachable, check the PortChannel
and physical interface configuration, IP address, subnet mask, switch port configuration, and
VLAN configuration on the switch. Also verify connectivity to the default gateway and beyond
the default-gateway. Verify that connectivity to the Cisco WAAS Central Manager is also
present.


Troubleshooting Management Services


This topic explains how to troubleshoot the management services of Cisco WAAS on the
Central Manager and also on the managed WAEs within the Cisco WAAS network.

Troubleshooting Management Services


Each WAE and NME-WAE runs a process called Local Central
Management (LCM), which manages connectivity to the Central
Management Services (CMS).
This process ensures synchronization of configuration data with
the Central Manager WAE and reports statistics and alarms.
Each WAE LCM process has a status based on service state and
connectivity to the CM WAE.
If the service or connectivity is unavailable, statistical data can not
be reported, configuration data is not exchanged, and errors are
generated.


The LCM process is used to ensure that each Cisco WAE and NME-WAE deployed throughout
the network is regularly synchronized with the Central Manager WAE in terms of configuration
and statistical data. The LCM cycle causes WAEs, including the Central Manager, to regularly
exchange such data based on the configuration of the system.Datafeed.pollrate variable in the
Central Manager (found at System > Configuration > System Properties).
If the network is down, or the service is offline, the WAAS Central Manager is unable to make
configuration changes, synchronize configuration data, or extract reporting data from that
particular WAE. It is important to ensure that the LCM process is running on the WAE, and
that the WAE has network connectivity to the Central Manager.


Troubleshooting Management Services (Cont.)

[Figure: Central Manager devices page. Callout: a CMS status of Offline could mean the device is offline or the CMS service is disabled.]

The Cisco WAAS Central Manager devices page provides a quick status overview of each of
the WAEs deployed throughout the network that are registered against that particular Central
Manager. Each device reports a CMS Status, which alerts the administrator to the state of the
WAE at that time. This state could include online or offline, and if the CMS service is disabled
or network connectivity is unavailable to that particular WAE, it is reported as offline. When a
WAE is reported as offline, the Central Manager is unable to synchronize configuration data
with that WAE and unable to fetch new reporting data.


Verifying WAE CMS Services


Examine service status.
Examine device mode and service configuration.

CM1# sh cms info
Device registration information :
Device registered as = WAAS Central Manager
Current WAAS Central Manager role = Primary
CMS services information :
Service cms_httpd is not running
Service cms_cdm is not running

CMS service is not running, device will report Offline even if network connectivity is
available.

Enable CMS:

CM1# conf t
CM1(config)# cms enable
Please preserve running configuration using 'copy running-config startup-config'.
Otherwise management service will not be started on reload and node will be shown
'offline' in WAAS Central Manager UI.
CM1(config)# exit
CM1# sh cms info
Device registration information :
Device registered as = WAAS Central Manager
Current WAAS Central Manager role = Primary
CMS services information :
Service cms_httpd is running
Service cms_cdm is running

CMS service is running, device will report Online if network connectivity is available.

The show cms info command can be executed on a WAE to see the status of the CMS service.
The following output is from a WAE configured as an application accelerator:
CORE1# sh cms info
Device registration information :
Device Id = 194
Device registered as = WAAS Application Engine
Current WAAS Central Manager = 10.10.10.10
Registered with WAAS Central Manager = 10.10.10.10
Status = Online
Time of last config-sync = Sat Dec 30 17:38:23 2006
CMS services information :
Service cms_ce is running

The following output is from a WAE configured as a Central Manager:

CM2# sh cms info
Device registration information :
Device Id = 183
Device registered as = WAAS Central Manager
Current WAAS Central Manager role = Standby
Current WAAS Central Manager = 10.10.10.10
Registered with WAAS Central Manager = 10.10.10.10
Status = Online
Time of last config-sync = Sat Dec 30 17:39:28 2006
CMS services information :
Service cms_httpd is running
Service cms_cdm is running

Notice that the application accelerator WAE has a single service called cms_ce, with the
Central Manager running two services: cms_httpd and cms_cdm. This is because the cms_ce
service is a child process, and the cms_cdm process is a server process. The cms_httpd is a
web server process used to provide the user with access to the Central Manager GUI via a
browser.


Verifying CM WAE Services

CM1# sh cms info
...
Service cms_httpd is not running
Service cms_cdm is not running

CM1# sh cms info
...
Service cms_httpd is running
Service cms_cdm is running

The cms_httpd service on the Cisco WAAS Central Manager is the web server interface that
provides users with access to the Central Manager GUI via a web browser. If the service is
down, a "page cannot be displayed" (or similar) error is returned when trying to access the
Central Manager GUI via https://<ipaddress>:8443.


CMS Database Downgrade


When downgrading software versions on the CM WAE, the CMS database must be
downgraded.

CM1# sh cms info
DOWNGRADE REQUIRED
------------------
A database downgrade is required to enable CMS services. Please use
the 'cms database downgrade' command to perform the database downgrade.
Device registration information :
Device Id = 142
Device registered as = WAAS Central Manager
Current WAAS Central Manager role = Primary
CMS services information :
Service cms_httpd is not running
Service cms_cdm is not running

CMS services and status remain offline until the downgrade occurs.

If a Central Manager WAE's services are shown as not running and cannot be enabled with
the cms enable command, it is possible that a change in software version has created an incompatibility
between the Central Manager database files and the currently installed Cisco WAAS software.
By using the show cms info command on the Central Manager, you can see an alarm that notifies the
administrator that a database downgrade is required.
When this situation is encountered, it is recommended that a CMS database backup be
performed before performing the database downgrade:
CM1# cms database backup
Creating database backup file cms-db-12-30-2006-18-57.dump
Backup file local1/cms-db-12-30-2006-18-57.dump is ready.
Please use copy commands to move the backup file to a remote host.
Before restoring, disable CMS with no cms enable
CM1#

After the CMS database has been backed up, a database downgrade can be initiated, as shown
in the figure.
Note

If the database needs to be restored at a later point, use the cms database restore
command.

CM1# cms database restore cms-db-12-30-2006-18-57.dump
Database restore can restore all the CLIs to the state when backup was
taken:
- Press 1 if you want all CLIs to be restored.
- Press 2 if you want all CLIs except network configurations to be
restored.
- Press 3 to not restore any CLIs.
Please enter your choice : [2]
Please enable the cms process using the cms enable command to complete
the cms database restore procedure.
Preserving restored identity and certificate/key pair
Database files and node identity information successfully restored
from file cms-db-12-30-2006-18-57.dump

After the CMS database has been restored, execute cms enable.


CMS Database Downgrade (Cont.)


Downgrade the CMS database to match the installed version of software.

CM1# cms database downgrade
The system will perform a database downgrade without applying a downgrade script.
Please refer to product documentation to confirm that the previously-installed
software release does not require a downgrade script for this release.
Proceed with database downgrade [no]? yes
Creating database backup file cms-db-01-05-2007-03-32.dump
Database downgrade succeeded.
CM1# sh cms info
Device registration information :
Device Id = 142
Device registered as = WAAS Central Manager
Current WAAS Central Manager role = Primary
CMS services information :
Service cms_httpd is not running
Service cms_cdm is not running

CMS services and status will remain offline until enabled using the
cms enable command on the CM.

The cms database downgrade command instructs the Central Manager to examine the Central
Manager database files and remove portions that can not be configured or managed by the
Central Manager based on the installed software version. After the database downgrade has
finished, use the sh cms info command and verify that the database downgrade required
error is no longer present. The services will be listed as not running and will stay in this state
until the cms enable command is executed on the WAE.
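
The order of checks in this topic (downgrade banner first, then service state, then registration status) can be applied to captured show cms info output. The following Python is an added example and is not part of the original course material; the function names and diagnosis labels are assumptions, the first three samples reuse the outputs shown in this lesson, and the fourth is constructed on the assumption that the Status field reads Offline when the WAE cannot reach the Central Manager.

```python
import re

# Outputs as shown in this lesson.
DOWNGRADE_OUTPUT = """\
DOWNGRADE REQUIRED
------------------
A database downgrade is required to enable CMS services. Please use
the 'cms database downgrade' command to perform the database downgrade.
Device registration information :
Device Id = 142
Device registered as = WAAS Central Manager
Current WAAS Central Manager role = Primary
CMS services information :
Service cms_httpd is not running
Service cms_cdm is not running
"""

AFTER_DOWNGRADE_OUTPUT = DOWNGRADE_OUTPUT.split("\n", 4)[4]  # same output, banner gone

ACCELERATOR_OUTPUT = """\
Device registration information :
Device Id = 194
Device registered as = WAAS Application Engine
Current WAAS Central Manager = 10.10.10.10
Registered with WAAS Central Manager = 10.10.10.10
Status = Online
Time of last config-sync = Sat Dec 30 17:38:23 2006
CMS services information :
Service cms_ce is running
"""

# Constructed sample (assumption: the field reads "Offline" in this state).
OFFLINE_OUTPUT = ACCELERATOR_OUTPUT.replace("Status = Online", "Status = Offline")


def parse_cms_info(text):
    """Return (fields, services, downgrade_required) from 'show cms info' text."""
    fields, services = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"Service (\S+) is (not running|running)", line):
            services[m[1]] = m[2] == "running"
        elif m := re.fullmatch(r"([^=]+?)\s*=\s*(.+)", line):
            fields[m[1]] = m[2]
    return fields, services, "DOWNGRADE REQUIRED" in text


def diagnose(text):
    """Return (diagnosis, commands to run next), checked in the lesson's order."""
    fields, services, downgrade = parse_cms_info(text)
    if downgrade:
        # cms enable cannot start the services until the database is downgraded.
        return ("downgrade-required",
                ["cms database backup", "cms database downgrade",
                 "cms enable", "copy running-config startup-config"])
    if not services:
        return ("no-service-data", ["show cms info"])
    if not all(services.values()):
        return ("cms-disabled", ["cms enable", "copy running-config startup-config"])
    if fields.get("Status", "Online") != "Online":
        cm = fields.get("Current WAAS Central Manager")
        return ("not-online", [f"ping {cm}"] if cm else [])
    return ("healthy", [])


if __name__ == "__main__":
    for sample in (DOWNGRADE_OUTPUT, AFTER_DOWNGRADE_OUTPUT,
                   ACCELERATOR_OUTPUT, OFFLINE_OUTPUT):
        print(diagnose(sample))
```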


Reporting Facilities
This topic explains each of the facilities used by Cisco WAAS for reporting and notification,
including the system report, SNMP, syslog, SMTP, and device logs.

Cisco WAE Reporting Facilities


Each WAE within the Cisco WAAS topology is able to
generate alerts, alarms, and notifications through a variety
of interfaces:
Simple Network Management Protocol (SNMP v1/2c/3)
Syslog and WAE console
Central Manager alarm facility
Log files and system report

This section focuses on the data that can be reported from
each of these facilities.

Each Cisco WAE is capable of sending alarms, alerts, and notifications through a number of
interfaces including the following:

SNMP versions 1, 2c, and 3

Syslog (up to four servers), internal syslog files, and WAE console

Central Manager alarm facility

Local log files for each service

System report

Each WAE should be configured with the relevant reporting configuration to ensure that, when
problems arise, the administrator is notified quickly with a concise error message about the
behavior that is being exhibited or symptoms that have been identified.


SNMP MIB Support


Cisco WAE devices support the following Cisco MIBs:
ACTONA-ACTASTOR-MIB: statistics and data associated with CIFS
acceleration capabilities
CISCO-CDP-MIB: statistics and data associated with the Cisco
Discovery Protocol (CDP) process
CISCO-CONTENT-ENGINE-MIB: platform-specific configuration
and reporting data
CISCO-CONFIG-MAN-MIB: configuration management data
CISCO-ENTITY-ASSET-MIB: asset information

Cisco WAEs also support the following industry-standard MIBs:
EVENT-MIB
HOST-RESOURCES-MIB (as per RFC-1514)
MIB-II (as per RFC-1213)

Cisco WAEs configured with Cisco WAAS software support a number of SNMP Management
Information Bases (MIBs). Some of the SNMP MIBs are owned and managed by Cisco, and
others are industry-standard MIBs that are broadly accepted throughout the networking and
systems community. This list can also be found on Cisco Connection Online (CCO) at:
http://www.cisco.com/en/US/products/ps6870/products_configuration_guide_chapter09186a008076386c.html

Syslog and WAE Console


Up to four syslog servers can be defined on a Cisco WAE.
Any system messages that meet or exceed the configured
alert level are reported to syslog and also to the WAE
console:
Jan 5 04:17:20 EDGE1 config: %WAAS-PARSER-6-350232: CLI_LOG shell_parser_log: exit

Fields labelled on the slide: notification timestamp, device, subsystem, notification.

A list of messages that are reported can be found at the
link for the error book in the student notes.

Each Cisco WAE can be configured with up to four syslog servers and an alert level. Any
system messages that meet or exceed the configured alert level are not only reported to syslog,
but also are appended to the internal system log file and sent to the Cisco WAE console.
The error book contains a list of all of the messages that can be encountered in the syslog. The
error book can be found at (CCO login required):
http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=cisco/contentdelivery/waas/4.0/WAAS-4.0.3.9-Error_Book&app=Tablebuild&status=showC2A
To enable syslog and console logging:
EDGE1(config)# logging con priority ?

This command sets the minimum alert level, where:

Alert (1): Indicates immediate action is needed

Critical (2): Indicates critical conditions

Debug (7): Indicates debugging messages

Emergency (0): Indicates system is unusable

Error (3): Indicates error conditions

Information (6): Indicates informational messages

Notice (5): Indicates normal but significant conditions

Warning (4): Indicates warning conditions

EDGE1(config)# logging con priority error


EDGE1(config)# logging con enable
EDGE1(config)# logging host 10.10.10.100 priority ?

Where:

Alert (1): Indicates that immediate action is needed

Critical (2): Indicates critical conditions

Debug (7): Indicates debugging messages

Emergency (0): Indicates system is unusable

Error (3): Indicates error conditions

Information (6): Indicates informational messages

Notice (5): Indicates normal but significant conditions

Warning (4): Indicates warning conditions

EDGE1(config)# logging host 10.10.10.100 priority warning

Each system alert contains a notification timestamp, name of the device, subsystem generating
the alert, name of the alert (notification), and text provided by the subsystem on the alert.
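
The alert layout described above can be split into its fields and filtered against a configured priority in the same way the WAE decides what to report. The following Python is an added example, not part of the Cisco course material; it assumes the digit in the %WAAS-PARSER-6-350232 tag is the severity number from the priority list, the function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Severity names and numbers as listed for "logging ... priority" (0 is most severe).
SEVERITIES = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "information": 6, "debug": 7,
}

# <timestamp> <device> <subsystem>: %<FACILITY>-<severity>-<id>: <text>
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<device>\S+)\s+"
    r"(?P<subsystem>[^:\s]+):\s+"
    r"%(?P<facility>[A-Z0-9_]+(?:-[A-Z0-9_]+)*)"
    r"-(?P<severity>[0-7])-(?P<msg_id>\d+):\s*"
    r"(?P<text>.*)$"
)


class Alert(NamedTuple):
    timestamp: str
    device: str
    subsystem: str
    facility: str
    severity: int
    msg_id: str
    text: str


def parse_line(line: str) -> Optional[Alert]:
    """Return the parsed alert, or None when the line is not in the alert layout."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    fields = match.groupdict()
    fields["severity"] = int(fields["severity"])
    return Alert(**fields)


def meets_priority(alert: Alert, priority: str) -> bool:
    """True when the alert meets or exceeds the configured level (lower number = more severe)."""
    return alert.severity <= SEVERITIES[priority.lower()]


def triage(lines: List[str], priority: str) -> Tuple[List[Alert], List[str]]:
    """Split lines into alerts that would be reported and lines that did not parse.

    Unparsed lines are returned rather than dropped so that a collector
    does not silently lose messages it does not understand.
    """
    reported, unparsed = [], []
    for line in lines:
        if not line.strip():
            continue
        alert = parse_line(line)
        if alert is None:
            unparsed.append(line)
        elif meets_priority(alert, priority):
            reported.append(alert)
    return reported, unparsed


SAMPLE_LINES = [
    # Taken from the slide above.
    "Jan 5 04:17:20 EDGE1 config: %WAAS-PARSER-6-350232: CLI_LOG shell_parser_log: exit",
    # Constructed lines; the facility name and message numbers are placeholders.
    "Jan 5 04:18:02 EDGE1 example: %WAAS-EXAMPLE-3-000001: constructed error-level message",
    "Jan 5 04:18:09 EDGE1 example: %WAAS-EXAMPLE-4-000002: constructed warning-level message",
    "Jan 5 04:18:15 EDGE1 last message repeated 2 times",
]

if __name__ == "__main__":
    reported, unparsed = triage(SAMPLE_LINES, "warning")
    for alert in reported:
        print(alert.timestamp, alert.device, alert.subsystem, alert.severity, alert.text)
    print("unparsed:", unparsed)
```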

Central Manager Alarms


The Cisco WAAS Central Manager provides an alarm
reporting facility.
Device alarms can be triggered, which cause the system
or device status to change, notifying the administrator of a
condition that requires attention.

As discussed earlier in this lesson, each WAE reports a status to the Central Manager, which
can be seen in three places:

Devices page

Device home page

System status bar

Events such as loss of network connectivity, disabled service, and overload conditions all
trigger alarms with the Central Manager. These alarms raise the system status from green to
yellow to orange to red to ensure that the administrator is alerted to such conditions. Such
alarms include:

Service disabled or failed

An overload condition has been encountered

Keepalive failure for an internal service or process

Failed disk, failing disk, or disk full

User core files or kernel crash dump files are present (indicating a crash)

Network issues

Clock synchronization issues

A full list of the alarms that can be raised can be found in the alarm book on CCO at:
http://ftp-sj.cisco.com/cisco/content-delivery/waas/4.0/WAAS-4.0.3.9-Alarm_Book.html
Note

These alarms are also reported via SNMP and syslog.

Central Manager Alarms (Cont.)


When you click the severity column in the device list, or
click the system status severity indicator, a popup window
appears.
This window contains a list of all alarms that require
attention. Moving the mouse over the alarm provides a
menu of options for troubleshooting the alarm.
A list of alarms and a download location for the alarm book
are contained in the notes.

From any location where the system status indicator or device status indicator can be seen,
clicking the indicator takes you to the system status window. The system status window shows:

Device that raised an alarm

IP address of the device

Current status of the device

Severity of the alarms raised by the device

Details about the alarm

Hovering over an alarm with the mouse provides a pop-up window containing actions that can
be performed. These actions include:

Edit or monitor the device: links you to the device home page within the Central Manager

Telnet to the device

View device log: this log is maintained on the Central Manager and by the Central
Manager

Run show commands against the device

WAE System Report


The WAE system report (also called sysreport) provides a single
downloadable compressed object containing all relevant support and
health data.
The WAE system report includes the following:

CLI command output


Platform configuration and logs
Platform state information
Print services configuration and logs
Authentication configuration and logs
Log files for internal services and acceleration
Central management configuration and logs
Syslog

The sysreport is accessible via the Device GUI or device CLI and
can be filtered based on date.

The WAE can provide the administrator with a downloadable file called the system report. The
system report is a compressed file that contains all of the relevant configuration, statistical,
reporting, and health information about a particular WAE. The system report should be
considered the first item that is collected from the Cisco WAE devices, along with detailed
information about the network that Cisco WAAS is integrating into.
The system report can be downloaded from the device GUI (see Cisco WAE > Utilities >
Support) or from the device CLI. Because this file can be quite large, a filtering capability is
provided to allow the administrator to specify a date range to keep the size of the file
manageable.
The system report includes the following data:

CLI command output, including show tech, show stat tfo connection, many others

Platform configuration files from internally used directories (/etc, /proc), networking
configuration, disk configuration, file system configuration

Platform state information, including running processes, CPU and memory utilization,
swap utilization, status of modules

Network state information, including open sockets and connections, listening ports

Service state information including TFO, DRE, LZ, CIFS, CMS, authentication, print
services, and others

Service configuration files

Local error logs for the device and services

Note

Generating a system report consumes WAE CPU cycles and memory capacity and might
temporarily decrease system performance.

Use these commands to generate and copy a system report:

EDGE1# copy sysreport disk WAE start-date December 10 2006 end-date December 2006
Generating sysreport ...
Successfully generated sysreport as WAE.tar.gz
EDGE1# dir WAE.*
size           time of last change       name
-------------- ------------------------- ----------
9264850        Sat Dec 16 23:03:40 2006  /local1/WAE.tar.gz
EDGE1# copy disk ftp 10.10.10.100 / WAE.tar.gz WAE.tar.gz
Note

Cisco WAE system reports can be very large in size, in many cases over 10MB.

Cisco WAE Log Files


The Cisco WAE CLI provides direct access to the management file
system and log files. Log files can be viewed or copied from the
WAE for offline analysis.
The following directories are used by Cisco WAAS for log files:

/local1 - root directory for all management files


/local1/logs - service log files
/local1/errorlogs - error log files
/local1/core_dir - kernel crash and core dump files

File system navigation commands:

cd (dirname) - change directory to (dirname)


pwd - display working directory
dir - display the contents of a directory
type-tail - examine the contents of a file

The Cisco WAE CLI allows the administrator direct access to the management file system and
log files stored within. Log files can then be viewed directly or copied off of the WAE for
offline analysis. The root of the file system that is accessible from the CLI is the /local1 folder.
Within this folder, subfolders exist that provide access to a variety of log files. Navigating the
filesystem structure on a WAE is nearly identical to navigating the filesystem structure on a
Linux or UNIX system. The following directories are of note when looking for log files:

/local1: root of the user-accessible WAE filesystem

/local1/logs: log files for WAE services

/local1/errorlogs: error log files

/local1/core_dir: kernel crash files and core dump files are stored here when a WAE
crashes

Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
The first step in troubleshooting Cisco WAAS is to look at common
issues, including duplex and redirection configuration.
WAE and NME-WAE liveliness can be verified from the Central
Manager GUI as well as from the device CLI.
Each WAE, including the NME-WAE, runs a local service for
central management. Troubleshooting management issues
begins with understanding the configuration and state of this
service.
Cisco WAE devices report alarms and notifications through a
variety of interfaces, including SNMP, syslog, device console, and
Central Manager alarm facilities.
The Cisco WAE system report is an excellent repository of
configuration, logging, and alarm data contained on a Cisco WAE
and should be gathered for any troubleshooting situation.

Lesson 2

Troubleshooting Network Interception

Overview
This lesson examines how to troubleshoot network interception mechanisms such as Cisco Web
Cache Communication Protocol Version 2 (WCCPv2), policy-based routing (PBR), physical
inline, and Cisco Application Control Engine (ACE). This lesson also examines how to
troubleshoot automatic discovery problems.

Objectives
Upon completing this lesson, you will be able to explain how to troubleshoot network
interception. This includes being able to meet these objectives:

Describe the process of troubleshooting network interception

Describe the process of troubleshooting WCCPv2 interception

Describe the process of troubleshooting PBR interception

Describe the process of troubleshooting inline interception

Describe the process of troubleshooting ACE interception

Describe the process of troubleshooting automatic discovery

Overview
This topic provides an overview of the process of troubleshooting interception issues.

Troubleshooting Workflow
Validate platform liveliness including management services,
examine common issues, and understand system log files
and locations
Validate network interception and automatic discovery to
ensure that traffic is received and handled by the WAEs
within the Cisco WAAS network
Examine WAN optimization features relative to optimized
connections, optimization policy, statistics, and log files and
locations
Examine application acceleration features relative to
optimized sessions, configured policies, features, statistics,
and log files and locations
The workflow shown in the figure is used throughout all the lessons within the troubleshooting
module. In the first lesson, you learned how to validate Wide Area Application Engine (WAE)
liveliness, management services, reporting infrastructure, and about common issues. In this
lesson, you learn about the mechanisms that are employed to have traffic redirected to the
WAE for optimization. These redirection mechanisms include WCCPv2, PBR, ACE, and
physical inline.

Troubleshooting Workflow (Cont.)


Validate network interception and automatic discovery to
ensure that traffic is being received and handled by the
WAEs within the Cisco WAAS network:
Examine and validate WCCPv2 interception
Examine and validate PBR interception
Examine and validate inline interception
Examine and validate ACE interception
Verify automatic discovery

In this lesson, you learn how to examine network interception configuration (WCCPv2, PBR,
physical inline, and ACE) to ensure that traffic is being redirected to the Cisco WAE. You also
learn how to diagnose network interception issues through the course of the lesson. This lesson
also shows you how to examine automatic discovery statistics to determine whether peers cannot
be identified or whether other conditions are occurring.

Incorrect Interception Configuration


Having incorrect interception configuration can lead to many
symptoms, including:
Application traffic being black-holed
Traffic not being properly optimized

A correct network interception configuration consists of redirection
for both directions of traffic flowing through a common set of network
elements:
WCCPv2 with one service group in the path of each direction of traffic flow
PBR with a route-map for each direction of traffic flow
Inline with WAE in the physical path for both directions of network traffic flow
ACE with interception for both directions of traffic flow and WAE stickiness for
return traffic

An incorrect network interception configuration can lead to a number of issues. These can
include application traffic being black-holed (similar to one of the common issues presented in
the first lesson) or traffic not being properly optimized. Another symptom is that traffic is not
being optimized at all.
In general, Cisco WAAS requires four-way interception. This means that interception must
occur in each location where a WAE is deployed, and for both directions of traffic flow. Simply
put, in a single branch office, single data-center deployment, network interception would need
to be configured in the branch office for traffic leaving the branch and for traffic entering the
branch. In the data center, network interception would need to be configured in the data center
for traffic leaving the data center and for traffic entering the data center. In this way, any traffic
going into or out of a location is first sent through a WAE to see if optimization can be applied
or a peer can be automatically discovered.
For WCCPv2, this equates to having one service group in the path of each direction of traffic
flow. For policy-based routing, this equates to having a route-map for each direction of traffic
flow. For physical inline, the WAE sees all traffic traversing the link between the two network
devices that the WAE sits in between, so it naturally sees traffic for both directions of traffic
flow (assuming it is inline for each LAN to WAN connection). As with other interception
mechanisms, with the ACE, traffic interception needs to be configured for both directions of
traffic flow, and WAE stickiness needs to be configured to ensure that the return flow is always
routed through the same WAE in both directions.

Troubleshooting WCCPv2 Interception


This topic describes the process of verifying WCCPv2 configuration and troubleshooting
WCCPv2 interception issues for WAE appliances and router-integrated network modules.

Troubleshooting WCCP: Overview


WCCP troubleshooting checklist:

Correctly configured services
GRE/L2 redirection, hash/mask
Redirect exclude in configured
CEF enable/disable on the router
Duplex and BW on interfaces
Are all WAEs seeing all routers and vice versa?
Is any device causing fragments?
Counters incrementing
Correct IOS version

[Figure: client, server, and WAE topologies with interface labels 61 in, 61 out, 62 in, and exclude in]

Cisco WAAS uses two service groups with WCCPv2:

Service group 61, which uses a load-balancing hash based on source IP

Service group 62, which uses a load-balancing hash based on destination IP

One of these service groups must be placed in the path for traffic going in one direction, and the
other service group must be placed in the path for traffic going in the opposite direction.
With WCCPv2, you should examine a number of items to validate the configuration and isolate
any WCCPv2-related issues:

Correctly configured services: is one service group in the path for each direction of traffic
flow?

Is redirection configured on the appropriate interfaces?

Is the correct redirection mechanism (Generic Routing Encapsulation (GRE), L2) and
return mechanism configured?

Is the interface adjacent to the WAE configured for redirection exclusion? (this could cause
a black-hole)

Is a recommended version of IOS installed? (this could lead to lower stability and
performance)

Can network connectivity end-to-end be verified?

After these items have been examined, check to make sure that the counters are incrementing
properly on the router and on the WAE.

WCCPv2 Interception Verification (Router)


WAAS-CORE-RTR# sh ip wccp
Global WCCP information:
    Router information:
        Router Identifier:                   10.10.11.1
        Protocol Version:                    2.0
    Service Identifier: 61
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            345635
          Process:                           33
          Fast:                              0
          CEF:                               345602
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            3
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

Slide callouts:
Examine data about each of the configured service groups
Validate version two is running
Verify that service group 61 is configured
Verify that WAEs have registered and packets are being redirected

(continued on next page)

The first step in troubleshooting WCCPv2 network interception issues is to examine the state of
WCCP on the WCCP server, that is, the router (or whatever device is performing the
redirection). Use the show ip wccp command to examine the global WCCP configuration and
statistics. This command shows:

The version of WCCP that is running (look for version 2)

The services that are configured (look for 61 and 62)

That packets are being redirected

If the WCCP version configured is version 1, Cisco WAAS interception does not work. Cisco
WAAS requires WCCPv2. In such a case, you need to fix your WCCPv2 configuration.
If the output does not show that both service groups 61 and 62 are configured, WCCPv2 is
configured incorrectly. Verify your device configuration.
If the output does show that WCCPv2 is configured, and service groups 61 and 62 are running,
but counters are not incrementing, verify that traffic is indeed traversing the router in question.

Interception Verification (Router) (Cont.)


(continued from previous slide)
    Service Identifier: 62
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            827530
          Process:                           0
          Fast:                              0
          CEF:                               827530
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            2
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

Slide callouts:
Verify that service group 62 is configured
Verify that the majority of packets are CEF forwarded
If redirect-list defined and applied, verify
If service group password is configured and incorrect password defined, this counter increments

The show ip wccp command also shows how packets are being redirected. This includes:

Process switching: done in the router processor, which is the least scalable (highest router
CPU utilization) and provides the least performance

Fast switching: done in an interface cache on the router, which provides better scale
(lower CPU utilization) and performance than process switching

Cisco Express Forwarding (CEF) switching: done in router hardware, which provides
best scalability (lowest CPU utilization) and highest performance

If a large number of packets are redirected using process switching or fast switching, configure
CEF.
If a redirection access-list (also called a redirect-list) is configured, verify that the redirect-list is
configured correctly and allows the traffic patterns in question to traverse the WAE. The
counter packets denied redirect increments if packets are received that match the criteria in
the access-list. Such traffic is not redirected to the WAE, and as such, automatic discovery for
that traffic does not take place, and optimization is not applied.
If authentication is configured, and passwords are not synchronized or configured properly, the
counter total authentication failures increments. This can be indicative of a WAE not being
able to join the service group due to misconfiguration.
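
The checks described for show ip wccp (WCCP version, both service groups present, WAEs registered, CEF carrying the majority of redirected packets, authentication failures, and redirect-list denials) can be applied mechanically to captured output. The following Python is an added example, not Cisco code: SAMPLE_OK reuses the counter values from the slides in a reconstructed layout, SAMPLE_BAD is constructed, and the function names are hypothetical.

```python
# Field labels are the ones shown on the slides; sample indentation is reconstructed.
SAMPLE_OK = """\
WAAS-CORE-RTR# sh ip wccp
Global WCCP information:
    Router information:
        Router Identifier:                 10.10.11.1
        Protocol Version:                  2.0
    Service Identifier: 61
        Number of Cache Engines:           1
        Number of routers:                 1
        Total Packets Redirected:          345635
          Process:                         33
          Fast:                            0
          CEF:                             345602
        Redirect access-list:              -none-
        Total Packets Denied Redirect:     0
        Total Authentication failures:     0
    Service Identifier: 62
        Number of Cache Engines:           1
        Number of routers:                 1
        Total Packets Redirected:          827530
          Process:                         0
          Fast:                            0
          CEF:                             827530
        Redirect access-list:              -none-
        Total Packets Denied Redirect:     0
        Total Authentication failures:     0
"""

# Constructed: service 62 missing, mostly process switched, password mismatch,
# and a redirect-list (placeholder number 120) denying some packets.
SAMPLE_BAD = """\
Global WCCP information:
    Router information:
        Router Identifier:                 192.0.2.1
        Protocol Version:                  2.0
    Service Identifier: 61
        Number of Cache Engines:           1
        Total Packets Redirected:          10000
          Process:                         9000
          Fast:                            500
          CEF:                             500
        Redirect access-list:              120
        Total Packets Denied Redirect:     12
        Total Authentication failures:     4
"""


def parse_show_ip_wccp(text):
    """Return {'global': {...}, 'services': {id: {...}}} from 'label: value' lines."""
    info = {"global": {}, "services": {}}
    current = info["global"]
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not value:
            continue  # prompt lines and section headings carry no value
        parsed = int(value) if value.isdigit() else value
        if key == "Service Identifier":
            current = info["services"].setdefault(parsed, {})
        else:
            current[key] = parsed
    return info


def check(info, required=(61, 62)):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    version = str(info["global"].get("Protocol Version", "unknown"))
    if not version.startswith("2"):
        findings.append(f"protocol version {version}: Cisco WAAS requires WCCPv2")
    for sid in required:
        svc = info["services"].get(sid)
        if svc is None:
            findings.append(f"service group {sid} is not configured")
            continue
        if svc.get("Number of Cache Engines", 0) < 1:
            findings.append(f"service {sid}: no WAE has registered")
        total = svc.get("Total Packets Redirected", 0)
        if total == 0:
            findings.append(f"service {sid}: no packets redirected, verify traffic traverses this router")
        elif 2 * svc.get("CEF", 0) <= total:
            findings.append(f"service {sid}: CEF is not forwarding the majority of packets, configure CEF")
        if svc.get("Total Authentication failures", 0) > 0:
            findings.append(f"service {sid}: authentication failures, compare service group passwords")
        if svc.get("Total Packets Denied Redirect", 0) > 0:
            acl = svc.get("Redirect access-list")
            findings.append(f"service {sid}: packets denied redirect, review redirect-list {acl}")
    return findings


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check(parse_show_ip_wccp(sample)))
```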

Interception Verification (Router) (Cont.)


WAAS-CORE-RTR# sh ip wccp int
WCCP interface configuration:
    FastEthernet0/0
        Output services: 0
        Input services:  1
        Mcast services:  0
        Exclude In:      FALSE
    FastEthernet0/1.40
        Output services: 0
        Input services:  1
        Mcast services:  0
        Exclude In:      FALSE
    FastEthernet0/1.41
        Output services: 0
        Input services:  0
        Mcast services:  0
        Exclude In:      TRUE

Slide callouts:
Examine per-interface WCCP configuration
Verify that service groups 61 and 62 are configured properly and assigned to the appropriate interfaces
Verify that redirect exclude in is configured on the interface or subinterface adjacent to the Cisco WAE devices

The next command to use to verify WCCPv2 configuration when troubleshooting interception
problems is show ip wccp interfaces. This command shows you which interfaces have
WCCPv2 redirection configured. Ensure that WCCPv2 is configured to provide interception for
both directions of traffic flow. Furthermore, ensure that the interface adjacent to the WAE is
configured with redirect exclude in such that optimized packets are not considered candidates
for redirection when they return through the router from the WAE.

Interception Verification (Router) (Cont.)


Examine per-service group child WCCPv2 devices, state, hash allotment,
uptime, and redirected packets

WAAS-CORE-RTR# sh ip wccp 61 detail
WCCP Cache-Engine information:
    Web Cache ID:          2.2.2.100
    Protocol Version:      2.0
    State:                 Usable
    Initial Hash Info:     FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                           FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    Assigned Hash Info:    FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                           FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    Hash Allotment:        256 (100.00%)
    Packets Redirected:    345810
    Connect Time:          6d03h
    Bypassed Packets
      Process:             0
      Fast:                0
      CEF:                 0

One entry should appear per WAE device. Each WAE device should receive a
portion of the hash assignment. Verify that each WAE is listed and
is receiving packets.

The show ip wccp <service_group> detail command provides per WCCPv2-client (WAE)
details about the service group. For instance, when executing show ip wccp 61 detail, the
command shows:

IP address of the WCCPv2 client (WAE)

Version of WCCPv2 in use

State of the WCCPv2 client

Initial and current hash allocation

Number of packets redirected

How long the client has been in the service group

By using the output of this command, you can determine if the WAE has been registered for a
significant period of time or a short period of time, which might indicate loss of connectivity,
device reboot, configuration problem, or software process problems. Also, this command helps
the administrator to validate that the WAE is supposed to be receiving a portion of the traffic
that is to be redirected.
If the WAE does not appear in the output of this command, it is not registered to the service
group. This could be caused by an interface configuration issue, WCCPv2 configuration issue
(on the router or on the WAE), or network connectivity issue. In such cases, traffic would not
be redirected to the WAE.

WCCPv2 Interception Verification (Router) (Cont.)

Debug WCCP packet exchange

WAAS-CORE-RTR# debug ip wccp packets
WCCP packet info debugging is on
*Sep 19 00:41:20.494: WCCP-EVNT:D61: Built new router view: 0 routers, 0 usable web caches, change # 00000001
*Sep 19 00:41:21.014: WCCP-EVNT:D62: Built new router view: 0 routers, 0 usable web caches, change # 00000001
*Sep 19 00:41:33.570: WCCP-PKT:D61: Received valid Here_I_Am packet from 2.2.2.100 w/rcv_id 00000001
*Sep 19 00:41:33.574: WCCP-EVNT:D61: Built new router view: 1 routers, 1 usable web caches, change # 00000002
*Sep 19 00:41:33.574: WCCP-PKT:D61: Sending I_See_You packet to 2.2.2.100 w/ rcv_id 00000002
*Sep 19 00:41:33.574: %WCCP-5-CACHEFOUND: Web Cache 2.2.2.100 acquired
*Sep 19 00:41:33.574: WCCP-PKT:D62: Received valid Here_I_Am packet from 2.2.2.100 w/rcv_id 00000001
*Sep 19 00:41:33.574: WCCP-EVNT:D62: Built new router view: 1 routers, 1 usable web caches, change # 00000002

If necessary, debug commands can be used to examine the exchange of HERE_I_AM and
I_SEE_YOU messages that are sent between WCCPv2 clients (WAEs) and servers (routers).
These messages should be exchanged every 10 seconds. Upon adding a WAE to a service
group, the cache acquired message should be displayed. If a WAE is lost, a cache lost
message is displayed. This, coupled with a packet capture on the WAE, can help isolate
problems associated with a WAE joining a WCCPv2 service group on a router.

WCCPv2 Interception Verification (WAE)


waas-core# sh wccp services
Services configured on this File Engine
        TCP Promiscuous 61
        TCP Promiscuous 62
waas-core# sh wccp routers
Router Information for Service: TCP Promiscuous 61
        Routers Configured and Seeing this File Engine(1)
                Router Id       Sent To         Recv ID
                10.10.11.1      2.2.2.1         0000000D
        Routers not Seeing this File Engine
                -NONE-
        Routers Notified of but not Configured
                -NONE-
        Multicast Addresses Configured
                -NONE-

Slide callouts:
Examine services configured on the WAE
Display routers that the WAE has registered against

(continued on next slide)

On the WAE, verify that WCCPv2 is configured, TCP promiscuous services are running, and
that the router is able to see the WAE. If these are not configured correctly, the router cannot
redirect traffic to this particular WAE using WCCPv2.

WCCPv2 Interception Verification (WAE) (Cont.)

(continuation of previous slide)
Router Information for Service: TCP Promiscuous 62
        Routers Configured and Seeing this File Engine(1)
                Router Id       Sent To         Recv ID
                10.10.11.1      2.2.2.1         0000000D
        Routers not Seeing this File Engine
                -NONE-
        Routers Notified of but not Configured
                -NONE-
        Multicast Addresses Configured
                -NONE-

Verify that all applicable routers see the WAE for both service groups 61 and 62. Any routers
that do not see this WAE cannot redirect traffic to it, because the router does not consider it to
be a member of the service group.

WCCPv2 Interception Verification (WAE) (Cont.)

Examine WCCP statistics on the WAE

waas-core# sh wccp gre
Transparent GRE packets received:               2549655
Transparent non-GRE packets received:           0
Transparent non-GRE non-WCCP packets received:  0
Total packets accepted:                         963891
Invalid packets received:                       0
Packets received with invalid service:          0
Packets received on a disabled service:         0
Packets received too small:                     0
Packets dropped due to zero TTL:                0
Packets dropped due to bad buckets:             0
Packets dropped due to no redirect address:     0
Packets dropped due to loopback redirect:       0
Connections bypassed due to load:               0
Packets sent back to router:                    0
Packets sent to another WAE:                    0
GRE fragments redirected:                       0
Packets failed GRE encapsulation:               0
Packets dropped due to invalid fwd method:      0
Packets dropped due to insufficient memory:     0
Packets bypassed, no conn at all:               0
Packets bypassed, no pending connection:        0
Packets due to clean wccp shutdown:             0
Packets bypassed due to bypass-list lookup:     0
Packets received with client IP addresses:      951564

Slide callouts:
WCCPv2 GRE packets received if GRE configured on the WAE and router
WCCPv2 Non-GRE packets received indicates L2-redirect packets received on the WAE
Non-WCCPv2 non-GRE packets indicates packets received via PBR or ACE interception

The show wccp gre command is one of the most versatile troubleshooting commands on the
WAE. This command can be used to examine packet counters for traffic that:

Has been redirected to the WAE using GRE encapsulation (WCCPv2 GRE redirect)

Has been redirected to the WAE using Layer-2 forwarding (WCCPv2 L2-forwarding)

Has been redirected to the WAE using non-GRE and non-Layer 2 (non-WCCP
interception)

For example, if the transparent non-GRE non-WCCP packets counter increments, that is a
sign that a non-WCCP interception mechanism is configured, such as ACE.
If the transparent GRE packets received or transparent non-GRE packets received
increments, this is a sign that WCCP is configured and operational. Verify that the forwarding
mechanism configured (GRE or Layer-2) aligns with the counter that is incrementing:

If using Layer-2 redirect, the transparent non-GRE packets received counter increments.

If using GRE redirect, the transparent GRE packets received counter increments.

If counters in this command are not incrementing:

Generate some network traffic and try again

Check adjacent WAEs (if present)

Check redirection statements on router interfaces

Validate the network routing path to ensure that traffic flows through the router and the
configured interfaces
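
Because the diagnosis above depends on which counters increment between two runs of show wccp gre, comparing two captures is more reliable than reading one. The following Python is an added example, not Cisco code: BEFORE uses counter values from the slide (abbreviated to a few rows), AFTER is constructed, the function names and the "gre", "l2", and "non-wccp" labels are hypothetical, and treating a decreasing counter as a reload or counter clear is an assumption.

```python
# Receive counters named on the slide, mapped to the interception mechanism they indicate.
RECEIVE_COUNTERS = {
    "Transparent GRE packets received": "gre",                 # WCCPv2 GRE redirect
    "Transparent non-GRE packets received": "l2",              # WCCPv2 L2 redirect
    "Transparent non-GRE non-WCCP packets received": "non-wccp",  # PBR or ACE
}
PROBLEM_WORDS = ("dropped", "invalid", "failed")

# Abbreviated capture using values from the slide.
BEFORE = """\
waas-core# sh wccp gre
Transparent GRE packets received:               2549655
Transparent non-GRE packets received:           0
Transparent non-GRE non-WCCP packets received:  0
Total packets accepted:                         963891
Invalid packets received:                       0
Packets dropped due to zero TTL:                0
Packets dropped due to bad buckets:             0
Packets failed GRE encapsulation:               0
Packets received with client IP addresses:      951564
"""

# Constructed second capture: only the GRE and accepted counters have moved.
AFTER = BEFORE.replace("2549655", "2551655").replace("963891", "964700")


def parse_counters(text):
    """Return {counter name: value} for every 'name: <integer>' line."""
    counters = {}
    for line in text.splitlines():
        name, sep, value = line.rpartition(":")
        if sep and value.strip().isdigit():
            counters[name.strip()] = int(value.strip())
    return counters


def diagnose(before_text, after_text, expected):
    """Compare two captures; expected is 'gre', 'l2' or 'non-wccp'.

    Returns (active mechanisms, findings). An empty findings list means
    traffic is arriving by the expected mechanism with no new drops.
    """
    before, after = parse_counters(before_text), parse_counters(after_text)
    delta = {name: value - before.get(name, 0) for name, value in after.items()}
    findings = []
    if any(change < 0 for change in delta.values()):
        # Assumption: counters only decrease after a reload or a counter clear.
        findings.append("a counter went backwards: take a fresh pair of captures")
    active = [mech for name, mech in RECEIVE_COUNTERS.items() if delta.get(name, 0) > 0]
    if not active:
        findings.append(
            "no receive counter incremented: generate traffic, check adjacent WAEs, "
            "router redirection statements, and the routing path"
        )
    elif expected not in active:
        findings.append(f"expected {expected} but packets are arriving via {', '.join(active)}")
    for name, change in delta.items():
        if change > 0 and any(word in name.lower() for word in PROBLEM_WORDS):
            findings.append(f"{name}: +{change}")
    return active, findings


if __name__ == "__main__":
    print(diagnose(BEFORE, AFTER, "gre"))
    print(diagnose(BEFORE, AFTER, "l2"))
    print(diagnose(BEFORE, BEFORE, "gre"))
```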

Troubleshooting PBR Interception


This topic describes the process of verifying PBR configuration and troubleshooting PBR
interception issues for WAE appliances.

Troubleshooting PBR: Overview


PBR troubleshooting checklist:

Correctly defined access lists
Route-map definition
Interface configuration with route-maps
Counters incrementing
CEF enable/disable on the router
Duplex and bandwidth on interfaces

[Figure: client, server, and WAE topologies]

When using PBR with Cisco WAAS, the router must be configured in such a way that any
traffic going toward the WAN or coming in from the WAN is first routed through the WAE as
a next-hop router. This requires:

A minimum of one access-list that permits TCP traffic. This access-list is referenced by the
route-map

A route-map that specifies the access-list as the definition of traffic that is interesting, and
specifies the WAE as a next-hop router

The interface is configured to use the route-maps accordingly

If some traffic is being redirected but some is not, check the access-list configuration. If no
traffic is being redirected, check the route-map definition, WAE to router network connectivity,
and interface configuration.

PBR Verification (Router)


Verify access-lists permit all TCP traffic or only specific flows

R3845# show ip access-lists
Extended IP access list 100
    10 permit tcp any any
    20 deny ip any any

Verify that route-maps utilize the appropriate access-lists and the WAE as a next-hop router

R3845# show route-map
route-map OUTGOING, permit, sequence 10
  Match clauses:
    ip address (access-lists): 100
  Set clauses:
    ip next-hop 10.10.11.250
  Policy routing matches: 344 packets, 388032 bytes
route-map INCOMING, permit, sequence 10
  Match clauses:
    ip address (access-lists): 100
  Set clauses:
    ip next-hop 10.10.11.250
  Policy routing matches: 65 packets, 78994 bytes

Verify that the route-maps are applied to the correct interfaces

R3845# show ip policy
Interface      Route map
Gi0/0          INCOMING
Gi0/1          OUTGOING

2007 Cisco Systems, Inc. All rights reserved.

WAAS v4.0.74-19

PBR configuration is done on the router only. The WAE does not require any configuration
commands for PBR to work. For PBR to work, the WAE must simply be reachable on the
network and connectivity must be possible in both directions of traffic flow. To verify the
access-list configuration, use the show access-list command. The output should:

Correctly identify any TCP traffic that should and should not be redirected to the WAE

Contain a deny ip any any at the end to ensure that non-TCP traffic is not redirected to the
WAE

If the access-list configuration is not correct, some or all traffic might not get redirected to the
WAE.
Next, verify that the route-map is configured properly. The route-map associates the access-list
(which defines interesting traffic) to a set of next-hop routers (WAEs):

Check to make sure that the correct access-list number is referenced

Check to make sure that the correct WAE IP addresses are listed

Verify that the router can indeed reach the WAE over the network

If the route-map is not configured correctly:

With an incorrect access-list, some traffic might not be redirected properly

With an incorrect set ip next-hop configuration, traffic might be forwarded to an incorrect
destination or potentially be black-holed

Finally, use the show ip policy command to verify that the correct route-maps are applied
to the correct interfaces. Ensure that each interface on the router that could be a source or
destination for traffic that needs to be optimized has a route-map configured:

If a route-map is not configured on an interface, traffic coming into or leaving that interface
is not redirected. The WAE does not complete automatic discovery and thus cannot
optimize traffic.


If route-maps are only configured for one direction of traffic flow, the WAEs do not
successfully complete automatic discovery, because they do not see both directions of
traffic flow and thus cannot optimize traffic.
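
The router-side PBR checks above (access-list, route-map, and interface policy), as an added example that is not part of the original course material: a script that parses the three show outputs from the slide and returns a list of checklist findings. The function names, the set of WAE addresses, and the list of WAN-path interfaces passed to check_pbr are assumptions of this example.

```python
import re

# Router output as shown on the PBR Verification (Router) slide, embedded so the check runs offline.
SHOW_ACCESS_LISTS = """\
Extended IP access list 100
    10 permit tcp any any
    20 deny ip any any
"""
SHOW_ROUTE_MAP = """\
route-map OUTGOING, permit, sequence 10
  Match clauses:
    ip address (access-lists): 100
  Set clauses:
    ip next-hop 10.10.11.250
  Policy routing matches: 344 packets, 388032 bytes
route-map INCOMING, permit, sequence 10
  Match clauses:
    ip address (access-lists): 100
  Set clauses:
    ip next-hop 10.10.11.250
  Policy routing matches: 65 packets, 78994 bytes
"""
SHOW_IP_POLICY = """\
Interface      Route map
Gi0/0          INCOMING
Gi0/1          OUTGOING
"""


def parse_access_lists(text):
    """Return {acl_id: [entry, ...]} with sequence numbers and match counts stripped."""
    acls, current = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*(?:Extended|Standard) IP access list (\S+)", line)
        entry = re.match(r"\s*\d+\s+((?:permit|deny)\s.+?)\s*(?:\(\d+ match(?:es)?\))?$", line)
        if head:
            current = acls.setdefault(head.group(1), [])
        elif entry and current is not None:
            current.append(entry.group(1))
    return acls


def parse_route_maps(text):
    """Return {name: {"acls": [...], "next_hops": [...], "packets": int}}."""
    maps, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"route-map (\S+), (?:permit|deny), sequence \d+", line):
            current = maps.setdefault(m.group(1), {"acls": [], "next_hops": [], "packets": 0})
        elif current is None:
            continue
        elif m := re.match(r"ip address \(access-lists\): (.+)", line):
            current["acls"] += m.group(1).split()
        elif m := re.match(r"ip next-hop (.+)", line):
            current["next_hops"] += m.group(1).split()
        elif m := re.match(r"Policy routing matches: (\d+) packets", line):
            current["packets"] += int(m.group(1))
    return maps


def parse_ip_policy(text):
    """Return {interface: route_map_name}; the three-word header row is skipped."""
    rows = [line.split() for line in text.splitlines()]
    return {row[0]: row[1] for row in rows if len(row) == 2}


def check_pbr(acl_text, route_map_text, policy_text, wae_ips, wan_path_interfaces):
    """Walk the checklist; an empty list means nothing was found wrong."""
    acls = parse_access_lists(acl_text)
    route_maps = parse_route_maps(route_map_text)
    policy = parse_ip_policy(policy_text)
    findings = []
    # Access-lists: must exist, permit TCP, and end with the explicit deny the text asks for.
    for acl in sorted({a for rm in route_maps.values() for a in rm["acls"]}):
        entries = acls.get(acl)
        if not entries:
            findings.append(f"access-list {acl}: referenced by a route-map but missing or empty")
            continue
        if not any(e.startswith("permit tcp") for e in entries):
            findings.append(f"access-list {acl}: no TCP traffic is permitted")
        if entries[-1] != "deny ip any any":
            findings.append(f"access-list {acl}: does not end with 'deny ip any any'")
    # Route-maps: must match an access-list, point at a WAE, be applied, and see packets.
    for name, rm in route_maps.items():
        if not rm["acls"]:
            findings.append(f"route-map {name}: no access-list in the match clause")
        wrong = [hop for hop in rm["next_hops"] if hop not in wae_ips]
        if wrong or not rm["next_hops"]:
            findings.append(f"route-map {name}: next-hop {wrong or 'not set'} is not a WAE")
        if name not in policy.values():
            findings.append(f"route-map {name}: not applied to any interface")
        elif rm["packets"] == 0:
            findings.append(f"route-map {name}: policy routing match counter is zero")
    # Interfaces: both directions of the flow need a route-map for automatic discovery.
    for interface in wan_path_interfaces:
        if policy.get(interface) not in route_maps:
            findings.append(f"interface {interface}: no known route-map, this direction is not redirected")
    return findings


if __name__ == "__main__":
    problems = check_pbr(SHOW_ACCESS_LISTS, SHOW_ROUTE_MAP, SHOW_IP_POLICY,
                         wae_ips={"10.10.11.250"}, wan_path_interfaces=["Gi0/0", "Gi0/1"])
    print(problems or "PBR checklist passed")
```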


PBR Verification (WAE)

Examine WCCP statistics on the WAE:

waas-core# sh wccp gre
Transparent GRE packets received:                 17364
Transparent non-GRE packets received:             0
Transparent non-GRE non-WCCP packets received:    946527
Total packets accepted:                           963891
Invalid packets received:                         0
Packets received with invalid service:            0
...

Non-WCCPv2 non-GRE packets indicates packets received via PBR or ACE interception

The show wccp gre command on the WAE is useful for verifying that PBR interception is
working correctly. The transparent non-GRE non-WCCP packets received counter
increments as packets are forwarded to the WAE as a next-hop router based on PBR
configuration.


Troubleshooting Inline Interception


This topic describes the process of verifying inline configuration and troubleshooting inline
interception issues for WAE appliances.

Troubleshooting Inline: Overview

Inline troubleshooting checklist:
Verify that the inline card is recognized
Verify inline group, inline port, VLAN configuration, and status

[Figure: WAE1 with MGMT and WAN connections]

When using the inline adapter in the WAE for interception, be sure to validate that:

The card is recognized by the WAE and plugged into the network correctly. If the card is not
recognized, it is in pass-through mode and not intercepting packets for automatic discovery
or optimization.

The correct connections are made: the LAN port is plugged into the LAN, and the WAN
port is plugged into the router. Interception continues to work if not connected correctly,
but it is a best practice to plug them in correctly.

The thin piece of paper covering the ports that displays the port descriptions is not pushed
into the port itself by the cable, thereby blocking electrical connections from the cable to
the port.

The LED status indicators show the appropriate speed and link condition.

The interface group and interface ports are configured correctly in terms of speed and
duplex. A mismatch here can cause performance problems.


Inline Card Recognition and Verification

The router should see CDP advertisements from the device on the opposite side of the inline WAE:

R3845# sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
C3750G-48        Gig 0/1           164        S I         WS-C3750G-Gig 1/0/16

Verify that the card is recognized:

CORE1# show hardware
Cisco Wide Area Application Services Software Release 4.0.6 (b100 Jan 4 2007)
Version: oe611-4.0.6.100
...
CPU 0 is GenuineIntel Intel(R) Pentium(R) 4 CPU 3.00GHz (rev 4) running at 3001MHz.
Total 1 CPU.
2048 Mbytes of Physical memory.
1 CD ROM drive (CD-224E)
2 GigabitEthernet interfaces
2 InlineGroup interfaces.
1 Console interface
Manufactured As: WAE-611-K9 [8836PBN]

When using inline interception, any packet that is received on a port on the inline card is
analyzed to see if it is a candidate for interception. Traffic is handled as follows:

Non-TCP traffic is hardware-forwarded to the other port in the group (not intercepted).

TCP traffic is handed to the Policy Engine to determine if automatic discovery should
occur (intercepted) based on configured policy.

In this way, any traffic that is not TCP, such as User Datagram Protocol (UDP), Internet
Control Message Protocol (ICMP), and Cisco Discovery Protocol (CDP), is transparently
bridged. As such, CDP can be a helpful tool to verify Layer 2 connectivity between devices that
are separated by a WAE with an inline card. Use the show cdp neighbors (IOS version
dependent) command to make sure that CDP is traversing the WAE between the two devices.
This, of course, requires that both devices on opposite sides of the WAE are running CDP.
The show hardware command can be used to validate that the WAE recognizes the inline
card. Note that versions of software that do not support the inline card do not show that 2
InlineGroup interfaces are present.
If the show hardware command does not show that the inlinegroups are present, verify the
level of software installed on the WAE.


Inline Port, Group, and VLAN Configuration

Examine the LAN interface of inlinegroup 1/0. Ensure that packets are being received and
intercepted or bridged:

CORE1# show int inlineport 1/0/LAN
Device name         : eth4. Bypass master interface.
Packets Received    : 3400
Packets Intercepted : 672
Packets Bridged     : 2724
Packets Forwarded   : 582
Packets Dropped     : 4
6 flows enter through this interface.
...

Examine the WAN interface of inlinegroup 1/0:

CORE1# show int inlineport 1/0/WAN
Device name         : eth5. Bypass slave interface.
Packets Received    : 3918
Packets Intercepted : 534
Packets Bridged     : 3384
Packets Forwarded   : 725
Packets Dropped     : 0
5 flows enter through this interface.
...

Examine the inlinegroup interface and ensure that it is operating in the intercept or bypass
mode. Ensure that the inlinegroup is configured to intercept for the correct VLANs:

CORE1# show int inlinegroup 1/0
Interface is in intercept operating mode.
Standard NIC mode is off.
Disable bypass mode is off.
VLAN IDs configured for inline interception: All
Watchdog timer is enabled.
Timer frequency: 6400 ms.
Autoreset frequency 2500 ms.
The watchdog timer will expire in 4387 ms.

The show inlineport command allows you to view data about each of the four ports on the
inline card. The command should be executed in the form of show inlineport
<slot/group/port>, where:

Slot: generally set to 1

Group: which port group is being referenced; ports labeled as WAN0 and LAN0 belong to
group 0, whereas ports labeled as WAN1 and LAN1 belong to group 1

Port: either LAN or WAN

Verify that traffic is being seen on both the LAN and WAN interfaces. If the interfaces do not
see packets, ensure that the interfaces are not disabled for some reason. Also, check duplex and
speed configuration on the interfaces themselves as well as the switch. If all else fails, check
the cabling.
Then, check the inlinegroup interface. Note that the inlinegroup interface is the interception
interface, whereas the ports are the physical ports within the inlinegroup. The inlinegroup is set
to either intercept operating mode or bypass operating mode. If the inlinegroup is set to:

Intercept operating mode: packets received on ports in this inline group are sent to the
Policy Engine to see if automatic discovery or optimization should take place.

Bypass operating mode: packets received on ports in this inline group are forwarded to
the other port in the group without being examined by the policy engine.

If the inlinegroup is in bypass operating mode, some common causes include:

Inline group configuration: if the inline group is not configured properly (VLAN
configuration, interface enabled), then the group is in bypass.

Watchdog timer expiration: if there is a software process failure, kernel panic, or power
outage, the inlinegroup transitions to bypass.


Troubleshooting ACE Interception


This topic describes the process of verifying ACE configuration and troubleshooting ACE
interception issues for WAE appliance data center deployments.

Troubleshooting ACE: Overview

ACE troubleshooting checklist:
Module verification
VLAN assignments on Cat6K/ACE
WAE rserver and serverfarm
Service policy

[Figure: WAN, Catalyst 6509 with ACE, optimized flow, and original flow]

Troubleshooting the ACE module requires that the ACE configuration be verified step-by-step.
This section examines each of the components of ACE configuration and identifies potential
root causes for issues that might be encountered.


ACE Module Verification

Examine the modules inserted into the chassis:

Cat6k# show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   48  SFM-capable 48-port 10/100 Mbps RJ45   WS-X6548-RJ-45     SAD0616055U
  3    4  SLB Application Processor Complex      WS-X6066-SLB-APC   SAD061507SM
  4    1  Application Control Engine Module      ACE10-6500-K9      SAD1046038A
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-BASE     SAL09094QX7

Mod MAC addresses                       Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1  0002.7ee3.1e90 to 0002.7ee3.1ebf   4.2    6.3(1)       8.5(0.46)RFW Ok
  3  0002.fce1.68d6 to 0002.fce1.68dd   1.4    Unknown      Unknown      PwrDown
  4  0019.aacc.aa1a to 0019.aacc.aa21   1.3    8.6(0.252-En 3.0(0)A1(3)  Ok
  5  0013.c347.4784 to 0013.c347.4787   3.5    8.4(2)       12.2(18)SXF4 Ok

Mod  Sub-Module                  Model              Serial       Hw      Status
---- --------------------------- ------------------ ----------- ------- -------
  5  Policy Feature Card 3       WS-F6K-PFC3A       SAL1009ENLF  2.6     Ok
  5  MSFC3 Daughterboard         WS-SUP720          SAL10392MVL  2.7     Ok

Mod  Online Diag Status
---- -------------------
  1  Pass
  3  Not Applicable
  4  Pass
  5  Pass

The first step is to verify that the ACE module is properly installed into the Catalyst 6500
chassis and recognized by the IOS software. Note that the ACE module requires a Supervisor
720 module. Use the show module command within IOS to make sure that the card is properly
recognized.
If the card is not recognized, it cannot perform interception, which can lead to flows not being
optimized by Cisco WAAS.


VLAN Assignments

Ensure that VLANs are defined properly:

Cat6k# show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
499  VLAN0499                         active    Fa1/3
500  VLAN0500                         active    Fa1/7, Fa1/9
501  VLAN0501                         active    Fa1/5, Fa1/6
...

Connect to the ACE module from the Cat6K:

Cat6k# session slot 4 processor 0
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.40 ... Open
ACE login: admin
Password:
Cisco Application Control Software (ACSW)

Verify that the appropriate VLANs have been assigned to the ACE module:

ACE/Admin# show vlans
Vlans configured on SUP for this module
vlan499-501

The next step is to verify that all the appropriate VLANs are configured on the switch and that
the VLANs are also assigned to the ACE module. First, use the show vlan command in IOS to
verify that the VLANs are defined and the appropriate interfaces are configured in each VLAN.
Then, establish a console connection to the module using the session command within IOS
(that is, session slot 4 processor 0) and log in to the ACE. From the ACE console, execute the
show vlans command to make sure that the appropriate VLANs are assigned to the ACE
module.
If the appropriate VLANs are not assigned to the ACE module, traffic might not be intercepted,
which could lead to flows not being optimized.


WAE Server Definitions

Verify that the WAE rservers are defined, operational, and have the appropriate configuration.
Verify that the WAE rservers are assigned to the correct serverfarm and are operational:

ACE/Admin# show rserver detail
 rserver              : WAAS-CORE1, type: HOST
 state                : OPERATIONAL
 max-conns            : 4294967295, min-conns : 4294967295
 weight               : 8
       real                  weight state        current    total
   ---+---------------------+------+------------+----------+--------------------
   serverfarm: WAAS
       172.16.2.10:0         8      OPERATIONAL  0          47
                 max-conns : 4294967295, total conn-failures : 24
                 min-conns : 4294967295
 rserver              : WAAS-CORE2, type: HOST
 state                : OUTOFSERVICE
 max-conns            : 4294967295, min-conns : 4294967295
 weight               : 8
       real                  weight state        current    total
   ---+---------------------+------+------------+----------+--------------------
   serverfarm: WAAS
       172.16.2.12:0         8      OUTOFSERVICE 0          0
                 max-conns : 4294967295, total conn-failures : 0
                 min-conns : 4294967295

The next step is to verify that the rservers have been defined for each of the WAEs. Note that
the rserver is a real server, that is, a definition of each of the WAEs that are adjacent to the
ACE module and are available for operation (to optimize TCP connections). Use the show
rserver detail command to verify that each of the WAEs is defined, that the server-farm
assignment is correct, that the server-farm IP is correct, and that the state of the WAE is
operational.
If a WAE appears to be outofservice, verify that the WAE is online and available on the
network. Also verify the rserver configuration on the ACE module to make sure it is not
disabled.
If no WAEs are operational, traffic is not optimized. If the wrong serverfarm IP address is
supplied, the ACE module might not be able to reach the server farm and traffic might not be
optimized.


WAE Serverfarm Definitions

Verify the serverfarm configuration and ensure that each rserver is configured and operational:

RackACE/Admin# show serverfarm WAAS
 serverfarm     : WAAS, type: HOST
 total rservers : 2
       real                  weight state        current    total
   ---+---------------------+------+------------+----------+--------------------
   rserver: WAAS-CORE1
       172.16.2.10:0         8      OPERATIONAL  0          47
   rserver: WAAS-CORE2
       172.16.2.12:0         8      OUTOFSERVICE 0          0

Another helpful command in validating the rserver and serverfarm configuration is show
serverfarm <name>, where <name> is the name of the serverfarm being used. This command
provides a useful table that lists all the rservers, total number of rservers, and state of each.


Service Policy Configuration

Examine the service policy and ensure it is configured with the correct load-balance policy,
match conditions, and serverfarm:

RackACE/Admin# show service-policy L4_LB_WAAS_POLICY detail
Status     : ACTIVE
Description:
-----------------------------------------
Interface: vlan 499 500
  service-policy: L4_LB_WAAS_POLICY
    class: L4_ANY_TCP
      loadbalance:
        L7 loadbalance policy: WAAS_POLICY
        VIP Route Metric     : 77
        VIP Route Advertise  : DISABLED
        VIP ICMP Reply       : DISABLED
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 71
        dropped conns    : 0
        client pkt count : 8046      , client byte count: 390206
        server pkt count : 24969     , server byte count: 37257562
        L7 Loadbalance policy : WAAS_POLICY
          class/match : class-default
            LB action :
              serverfarm: WAAS
            hit count        : 71
            dropped conns    : 0

Use the show service-policy command from the ACE module to verify that the service-policy
is active on the appropriate VLANs. An inactive service policy results in traffic not being
intercepted and load-balanced to the WAE rservers. An invalid VLAN configuration leads to
traffic not being redirected from the right locations within the network, and flows potentially
might not be optimized. From within this command, you can also see the class assigned to the
service-policy. Verify that the class adequately encompasses all traffic that is intended to be
load-balanced.
This command also shows the load-balancing policy as well as the serverfarm that should be
used by this service-policy. Ensure that the correct serverfarm is defined and also verify that the
serverfarm is inservice. Make sure that mac-sticky is configured on the WAE VLAN; if not,
traffic might be load-balanced to a different WAE for each direction of traffic flow, thereby
rendering WAAS unable to automatically discover or otherwise optimize a flow.


ACE Interception Verification (WAE)

Examine WCCP statistics on the WAE:

waas-core# sh wccp gre
Transparent GRE packets received:                 17364
Transparent non-GRE packets received:             0
Transparent non-GRE non-WCCP packets received:    946527
Total packets accepted:                           963891
Invalid packets received:                         0
Packets received with invalid service:            0
...

Non-WCCPv2 non-GRE packets indicates packets received via PBR or ACE interception

On the WAE, the show wccp gre command can be used to validate that the WAE is indeed
receiving traffic that has been load-balanced to it from the ACE module. Validate that the
transparent non-GRE non-WCCP packets received counter increments as traffic flows
through the WAE. If this counter does not increment, check:

Network configuration

WAE rserver definition in the ACE module

WAE rserver is placed inservice

WAE rserver is included in a serverfarm and is inservice within the serverfarm

VLAN configuration and access-group configuration
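
The show wccp gre counter checks used above for WCCPv2 GRE, PBR, and ACE interception, as an added example that is not part of the original course material: the script compares two snapshots of the command output and reports which counters moved. The first snapshot is the slide's output, the second is constructed for the example, and the function names and status strings are hypothetical.

```python
import re

# First snapshot: the counters shown on the slide. Second snapshot: constructed for this example.
SNAPSHOT_1 = """\
Transparent GRE packets received:                 17364
Transparent non-GRE packets received:             0
Transparent non-GRE non-WCCP packets received:    946527
Total packets accepted:                           963891
Invalid packets received:                         0
Packets received with invalid service:            0
"""
SNAPSHOT_2 = """\
Transparent GRE packets received:                 17364
Transparent non-GRE packets received:             0
Transparent non-GRE non-WCCP packets received:    948102
Total packets accepted:                           965466
Invalid packets received:                         0
Packets received with invalid service:            0
"""

GRE = "Transparent GRE packets received"
NON_GRE_NON_WCCP = "Transparent non-GRE non-WCCP packets received"
ERROR_COUNTERS = ("Invalid packets received", "Packets received with invalid service")

# Follow-up checks the text lists for counters that do not increment.
NEXT_STEPS = [
    "Generate some network traffic and try again",
    "Check adjacent WAEs (if present)",
    "Check redirection statements on router interfaces",
    "Validate the routing path through the router and the configured interfaces",
]


def parse_counters(text):
    """Return {counter name: value}; lines without 'name: number' (such as '...') are ignored."""
    pairs = re.findall(r"^(.+?):[ \t]*(\d+)[ \t]*$", text, re.M)
    return {name.strip(): int(value) for name, value in pairs}


def interception_report(before_text, after_text):
    """Compare two 'show wccp gre' snapshots taken while test traffic is flowing."""
    before, after = parse_counters(before_text), parse_counters(after_text)
    for name in (GRE, NON_GRE_NON_WCCP):
        if name not in before or name not in after:
            raise ValueError(f"counter missing from snapshot: {name}")
    delta = {name: after[name] - before[name] for name in after if name in before}
    report = {"status": "receiving", "redirected_by": [], "errors": {}, "delta": delta, "next_steps": []}
    if min(delta.values()) < 0:
        # A counter went backwards, for example after a reload: the comparison is meaningless.
        report["status"] = "counters-reset"
        return report
    if delta[GRE] > 0:
        report["redirected_by"].append("WCCPv2 GRE redirect")
    if delta[NON_GRE_NON_WCCP] > 0:
        report["redirected_by"].append("PBR or ACE")
    report["errors"] = {name: delta[name] for name in ERROR_COUNTERS if delta.get(name, 0) > 0}
    if not report["redirected_by"]:
        report["status"] = "not-incrementing"
        report["next_steps"] = list(NEXT_STEPS)
    return report


if __name__ == "__main__":
    result = interception_report(SNAPSHOT_1, SNAPSHOT_2)
    print(result["status"], result["redirected_by"], result["delta"][NON_GRE_NON_WCCP])
```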


Troubleshooting Automatic Discovery


This topic describes the process of verifying Cisco WAAS automatic discovery.

Troubleshooting Automatic Discovery


The Cisco WAE CLI exposes data about the automatic discovery
mechanism to allow an administrator to validate proper system
operation and become aware of potential problems.
Automatic discovery must be verified on the two outermost WAE
endpoints, because connections can be optimized only if two or
more WAEs exist in the network path between nodes.
The following data is exposed for the administrator:
Counters for automatic discovery success vs. failure
Indicators warning of a routing loop condition
Presence of intermediary WAE devices


Automatic discovery is the foundational component that enables optimization within Cisco
WAAS. Each WAE needs to be able to advertise its availability for each connection that is to
be optimized, and a peer WAE at the distant end of the network must respond to this
advertisement with its own information. From there, the two negotiate a policy (least-common-denominator of the configured policies on each WAE) and can begin employing optimization
against a connection.
In environments with asymmetric routing, you should ensure that interception is configured in
such a way that both directions of traffic flow for a given connection traverse the same WAE
device. This can be verified by ensuring that:

For WCCPv2 environments with multiple WAN routers and WAN connections, WCCPv2
interception is identical across all entry/exit routers and the WAE is registered against all of
these routers

For PBR environments with multiple WAN routers and WAN connections, the same route-map
configuration is applied consistently across all entry/exit routers and the WAE is
defined as a next-hop at each

For ACE environments, the ACE module or a cluster of ACE modules exists physically in
the path of each direction of traffic flow, and mac-sticky is configured

For inline environments, the WAEs are physically connected in-path to all WAN
connections (up to 2)

If only one WAE exists in the path symmetrically, then no optimization can take place. This
means that if two WAEs are in the path for one direction of traffic flow, but only one WAE
exists in the reverse path, no optimization can be applied. The WAE CLI provides useful
insight into issues with automatic discovery, including asymmetric routing events.

Examining Automatic Discovery Statistics

Examine automatic discovery statistics:

CORE1# show tfo auto-discovery
...
Auto discovery failures: 20967
Auto discovery failures due to insuff. option space: 0
Successful auto discovery to internal server: 49
Successful auto discovery to external server: 39103
Successful auto discovery for an internal client: 0
Successful auto discovery for an external client: 26
Intermediate device: 0
SYNs found with our device id: 0
...

Auto discovery failures: indicates automatic discovery failure due to lack of peer or other reason
Successful auto discovery: successful automatic discovery. External client/server is a
connection initiated/terminated by a node on the network. Internal client/server is a
connection initiated/terminated by a WAE.
Intermediate device: number of times an intermediary device was encountered during
automatic discovery
SYNs found with our device id: number of TCP SYN packets received with our own local
device ID (routing loop)

The show tfo auto-discovery command on the WAE CLI shows counters related to automatic
discovery events. This includes auto discovery success and failure conditions. Of note are the
allocations success (where automatic discovery completed successfully, structures are
deallocated when connections are torn down) and autodiscovery failures, which are shown in
the figure:
EDGE1# show tfo auto-discovery
Auto discovery structure allocations failure: 0
Auto discovery structure allocations success: 12377
Auto discovery structure deallocations: 12377
Auto discovery structures timed out: 10
Auto discovery table bucket overflows: 0
Auto discovery table overflows: 0
Auto discovery table entry adds: 12206
Auto discovery table entry drops: 12206
Auto discovery table lookups: 13140
Auto discovery table entry count: 0
Packets sent during auto discovery: 34496
Packets received during auto discovery: 25513
Number of route lookup failures: 0
Number of successful route lookups: 1948
Bind hash add failures: 0
Accept socket pair allocation failures: 0
Sock allocation failures: 0
Sock(u) allocation failures: 0
Connect socket lookup failures: 0
Auto discovery failures: 4
Number of resets received during auto discovery: 1830
Packet memory allocation failures: 0
Auto discovery failures due to insuff. option space: 0
Invalid connection state during auto discovery: 10
Auto discovery failures due to missing ack conf: 0
Successful auto discovery to internal server: 62
Successful auto discovery to external server: 1
Successful auto discovery for an internal client: 9640
Successful auto discovery for an external client: 939
Intermediate device: 0
SYNs found with our device id: 0
Packets received with incorrect length or checksum: 0
Packets received with invalid filtering tuple: 0
Packets received for dead auto discovered connecion: 0
Ack packets dropped in synack received state: 0
Non Syn packets dropped in nostate state: 0


Automatic Discovery Verification


Each WAE has two built-in packet capture tools that can be used
for the purposes of troubleshooting automatic discovery.
Capture packets at three locations to determine if automatic
discovery is able to complete successfully:
Edge WAE
Core WAE LAN interface
Server LAN interface
Successful automatic discovery is dependent on TCP option 33
being seen on TCP SYN and SYN ACK packets.


Each WAE has two tools that are user-accessible via the CLI and assist in troubleshooting
automatic discovery issues: tethereal and tcpdump. Both can be used to capture packets and
save a capture file to the WAE disk. This file can then be copied off of the WAE via FTP or
other means using the copy command.
To use tethereal to capture a trace file:
EDGE1# tethereal -w capture.cap
Capturing on eth0
28
The capture continues until stopped using the Ctrl-break (or Ctrl-C)
keys. When the capture is finished, the file is written to the WAE
filesystem in the current working directory:
EDGE1# ls
!
capture.cap
!
EDGE1# Jan 27 21:14:0

Tethereal can also be filtered for a specific interface. This is especially helpful when using an
inline card when you want to capture packets from the LAN-side or the WAN-side of an inline
group. Use the show interface inlineport <slot/group/port> command (that is, show interface
inlineport 1/0/LAN) to determine the interface identifiers from an inlineport:
EDGE1# show int inlineport 1/0/LAN
Device name : eth5. Bypass slave interface.
!
To filter tethereal to use a specific interface and write a capture
file:
EDGE1# tethereal -w capture.cap -i eth5

TCPdump uses the same configuration options as tethereal. The choice of using tethereal versus
tcpdump is based strictly on preference.

Automatic Discovery Verification (Cont.)

[Figure: Client, WAE, WAE, Server. Packet shown: Client:Server TCP SYN]

A trace taken from the client PC shows the TCP SYN packet with the appropriate IP addresses
and TCP port information. This packet is intercepted and redirected to the WAE (depending on
type of interception used).


Automatic Discovery Verification (Cont.)

[Figure: Client, WAE, WAE, Server. Packets shown: Client:Server TCP SYN; Client:Server TCP SYN+OPT]

This capture, taken on the WAE (configured using WCCPv2 interception), shows the
original SYN packet (upper packet) and the SYN packet with TCP option 0x21 (option
33) applied, indicating that the WAE near the user is attempting automatic discovery. Notice
the appearance of an unknown option (0x21) that is 12 bytes in length. This indicates Cisco
WAAS automatic discovery.
If the SYN packet coming out of the WAE does not include TCP option 0x21, check:

Network interception: Are the packets being redirected to the WAE?

Globally enabled features: Are the right optimization features enabled?

Policy configuration: Is the correct policy configured for this traffic?

TFO accelerator load: Is the accelerator under too much load?


Automatic Discovery Verification (Cont.)

[Figure: Client, WAE, WAE, Server. Packets shown: Client:Server TCP SYN+OPT; Client:Server TCP SYN+OPT]

Notice that the SYN with options propagates all the way to the origin server. This is done to
identify every WAE in the network path between the client and the server.
If the SYN packet coming into the WAE does not include TCP option 0x21, check:

Network interception: Are the packets being redirected to the WAE?

Globally enabled features: Are the right optimization features enabled?

Policy configuration: Is the correct policy configured for this traffic?

TFO accelerator load: Is the accelerator under too much load?

Device scrubbing options: Is there a firewall or other device between the WAEs that
might be scrubbing TCP options?


Automatic Discovery Verification (Cont.)

[Figure: Client, WAE, WAE, Server. Packets shown: Server:Client TCP SYN-ACK; Server:Client TCP SYN-ACK OPT]

This capture is taken from the core WAE near the server. The top packet is the SYN/ACK
packet sent by the server back to the user. The bottom packet is the SYN/ACK packet after the
WAE has applied TCP option 0x21 (option 33) to attempt to complete automatic discovery. A
packet capture on the WAE close to the user shows the receipt of a TCP SYN/ACK packet with
TCP option 0x21 set.
If the SYN/ACK packet coming out of the core WAE does not include TCP option 0x21,
check:

Network interception: are the packets being redirected to the WAE?

Globally enabled features: are the right optimization features enabled?

Policy configuration: is the correct policy configured for this traffic?

TFO accelerator load: is the accelerator under too much load?
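
The capture checks described in the Automatic Discovery Verification sections above, as an added example that is not part of the original course material: a parser that walks the TCP options of a SYN or SYN/ACK header, reports whether option 0x21 is present, and names the first capture point where it disappears. The headers are constructed for the example, the ten payload bytes of the option are zero placeholders because the page does not describe its contents, and the function and capture-point names are hypothetical.

```python
import struct

WAAS_AD_OPTION = 0x21      # TCP option 33, the automatic discovery marker named on the page
WAAS_AD_LENGTH = 12        # total option length stated on the page
SYN, ACK = 0x02, 0x10


def build_tcp_header(sport, dport, flags, options=b""):
    """Build a raw TCP header (checksum left at zero) for the constructed samples."""
    options += b"\x00" * (-len(options) % 4)            # pad with End-of-List to 32 bits
    offset_and_flags = ((5 + len(options) // 4) << 12) | flags
    fixed = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, offset_and_flags, 65535, 0, 0)
    return fixed + options


def parse_tcp_options(header):
    """Return [(kind, total_length, data)], skipping NOP padding; raise ValueError if malformed."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (header[12] >> 4) * 4
    if not 20 <= data_offset <= len(header):
        raise ValueError("data offset points outside the captured bytes")
    raw, options, i = header[20:data_offset], [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                   # End of Option List
            break
        if kind == 1:                                   # No-Operation, one byte
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError(f"malformed option kind {kind} at offset {i}")
        length = raw[i + 1]
        options.append((kind, length, raw[i + 2:i + length]))
        i += length
    return options


def autodiscovery_state(header):
    """Classify one captured TCP header: not-a-syn, unmarked, marked, or marked-unexpected-length."""
    options = parse_tcp_options(header)                 # validates the header length first
    if not header[13] & SYN:
        return "not-a-syn"
    for kind, length, _ in options:
        if kind == WAAS_AD_OPTION:
            return "marked" if length == WAAS_AD_LENGTH else "marked-unexpected-length"
    return "unmarked"


def locate_loss(observations):
    """observations: ordered [(capture point, header)] for one SYN, starting at the edge WAE output."""
    previous = None
    for point, header in observations:
        state = autodiscovery_state(header)
        if state == "not-a-syn":
            raise ValueError(f"{point}: packet is not a SYN or SYN/ACK")
        if state == "unmarked":
            if previous is None:
                return (f"{point}: no option 0x21; check network interception, globally enabled "
                        "features, policy configuration, and TFO accelerator load")
            return (f"option 0x21 lost between {previous} and {point}; check for a firewall or "
                    "other device scrubbing TCP options")
        previous = point
    return "option 0x21 present at every capture point"


# Constructed sample headers: MSS, NOP NOP SACK-permitted, then the marker (or what replaced it).
MSS = bytes([2, 4, 0x05, 0xB4])
SACK_OK = bytes([1, 1, 4, 2])
AD = bytes([WAAS_AD_OPTION, WAAS_AD_LENGTH]) + bytes(10)    # payload bytes are placeholders
SYN_PLAIN = build_tcp_header(49152, 445, SYN, MSS + SACK_OK)
SYN_MARKED = build_tcp_header(49152, 445, SYN, MSS + SACK_OK + AD)
SYN_SCRUBBED = build_tcp_header(49152, 445, SYN, MSS + SACK_OK + b"\x01" * 12)
SYNACK_MARKED = build_tcp_header(445, 49152, SYN | ACK, MSS + SACK_OK + AD)

if __name__ == "__main__":
    print(locate_loss([("edge WAE output", SYN_MARKED), ("core WAE input", SYN_SCRUBBED)]))
```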


Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
Troubleshooting network interception issues involves validation of
configuration on the interception device and on the Cisco WAE.
WCCPv2 interception troubleshooting starts with service group
definition, interception configuration, and WCCPv2 statistics.
WCCPv2 statistics on the WAE are also helpful in troubleshooting
other interception mechanisms such as PBR and ACE.
PBR troubleshooting involves verifying access-list configuration
and route-map configuration.
ACE troubleshooting involves verification of VLANs, WAE
rservers, serverfarms, and service policies.
Automatic discovery counters provide valuable insight into Cisco
WAAS troubleshooting by identifying routing loops, intermediary
devices, successful discoveries, and failed discoveries.

Lesson 3

Troubleshooting WAN Optimization

Overview
This module explains how to initially configure the Cisco Wide Area Application Engine
(WAE) and Wide Area Application Services (WAAS) software, activate WAE devices, and
define network interception options including Web Cache Communication Protocol version 2
(WCCPv2) and Policy-Based Routing (PBR).

Objectives
Upon completing this lesson, you will be able to describe the process of troubleshooting WAN
optimization. This includes being able to meet these objectives:

Describe the process of troubleshooting WAN optimization

Examine the policy applied to a flow, the configured policy, and the negotiated policy

Describe the process of examining optimized connections on the WAE

Interpret TFO transaction logs

Describe the process of examining compression statistics and troubleshooting compression

Overview
This topic provides an overview of the process of troubleshooting WAN optimization issues.

Troubleshooting Workflow
Validate platform liveliness including management services, examine common issues, and
understand system log files and locations

Validate network interception and automatic discovery to ensure that traffic is received and
handled by the WAEs within the Cisco WAAS network

Examine WAN optimization features relative to optimized connections, optimization policy,
statistics, and log files and locations

Examine application acceleration features relative to optimized sessions, configured policies,
features, statistics, and log files and locations

This is the third module of four that cover troubleshooting Cisco WAAS. The first two discuss
common issues, device liveliness, management services, reporting, network interception, and
automatic discovery. This module focuses on the WAN optimization features included in Cisco
WAAS and troubleshooting optimization issues. This module covers examination of
connections that are optimized or passed-through, configured and negotiated optimization
policy, statistics for each of the optimizations, and log files and locations related to
optimization functions. The last segment in this module discusses Common Internet File
System (CIFS) acceleration and print services.


Troubleshooting Workflow

Examine WAN optimization features relative to optimized connections, optimization policy,
statistics, and log files and locations:

Examine configured policy and applied policy

Examine optimized connection data

Examine TFO transaction logs

Examine compression data and error reporting

To appropriately troubleshoot the WAN optimization capabilities of Cisco WAAS, you must
understand how to identify the way a connection is being handled, how policies are
negotiated and applied, how to find data about connections that are optimized or
passed-through, and how to understand statistics.


Configured and Applied Policies


This topic explains how to examine the policy applied to a flow optimized by Cisco WAAS and
compare against configured policies.

Incorrect Policy Configuration


Having incorrect policy configuration can lead to one of many symptoms, including:

Traffic not properly optimized, slow, bad performance
Traffic not being optimized at all
Connection not established or no data flow
Miscalculated statistics
Error messages in syslog or on console

A correct policy configuration can be guaranteed by using device groups and explicit policy
configuration from a device group

The policy is the component that determines how an optimization is applied to a connection
that has successfully completed automatic discovery. Before troubleshooting WAN
optimization features, ensure that the connection is going through automatic discovery
successfully, and ensure that you are able to identify which WAEs are optimizing the flow.
If the policy applied is incorrect or there is an issue with policy negotiation or configuration, a
number of symptoms can appear:

Traffic not being optimized to the degree that one would expect

Traffic not being optimized at all

Miscalculated statistics

Error messages in syslog or console

A best practice in ensuring that the appropriate policy configuration is synchronized across all
devices within a Cisco WAAS network is to employ policies at a device group level. This
requires statically configuring each WAE to use the device group as its parent for retrieving
configured policy.


Display Connection Summary


Display list of connections encountered by this WAE

waas-core#sh tfo connection summary

Optimized Connection List
Policy summary order: Our's, Peer's, Negotiated, Applied
F: Full optimization, D: DRE only, L: LZ Compression, T: TCP Optimization

Local-IP:Port        Remote-IP:Port       ConId   PeerId              Policy
1.1.1.100:54663      2.2.2.100:4050       15637   00:11:25:aa:c1:e8   F,F,F,F
1.1.1.100:60078      2.2.2.100:4050       15638   00:11:25:aa:c1:e8   F,F,F,F
1.1.1.100:60080      2.2.2.100:4050       15639   00:11:25:aa:c1:e8   F,F,F,F
10.10.10.100:14829   10.10.13.100:3389    34735   00:11:25:aa:c1:e8   T,T,T,T
10.10.13.100:3802    10.10.10.100:1025    34739   00:11:25:aa:c1:e8   F,F,F,F
10.10.13.100:3817    10.10.10.100:1025    34747   00:11:25:aa:c1:e8   F,F,F,F
10.10.13.100:3826    10.10.10.100:80      34755   00:11:25:aa:c1:e8   L,F,L,L
10.10.13.100:3827    10.10.10.100:80      34756   00:11:25:aa:c1:e8   L,F,L,L

Pass-Through Connections
Local-IP:Port        Remote-IP:Port       Conn Type
2.2.2.100:25737      10.10.10.10:443      Internal Client
2.2.2.100:11496      10.10.10.100:445     App Dyn Mtch Non-Optimized
10.10.13.100:3813    10.10.10.100:135     Accelerator Optimized
10.10.13.100:3793    10.10.10.100:135     Accelerator Optimized

Callout: Four-tuple (source and destination IP address and TCP port information)

The show tfo connection summary command is useful for examining a list of connections that
the WAE is seeing. Any connections that are being optimized appear in the optimized
connection list, and any connections that are being passed-through appear in the pass-through
connections list. Any connection that appears as pass-through also displays the type of
connection that is being passed through.
In terms of the optimized connections, each connection consumes one line of the output. This
line includes the four-tuple of the connection (source IP, destination IP, source port, and
destination port) as well as a connection identifier that is internal to the Cisco WAAS
software. The WAE peer that was automatically discovered is also listed based on device ID,
which is equal to the WAE MAC address, as well as the policy flags.
The policy flags are split into four columns. The first column is the configured policy on the
local device. The second column is the configured policy on the auto-discovered peer. The third
column is the policy that was negotiated, which is the least common denominator of the two
configured policies. The fourth column is the applied policy, which is the negotiated policy
applied if system resources permit.
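The four policy columns can be checked mechanically when the connection list is long. The following is an added example, not part of the original course material: it parses optimized-connection rows and reports where the configured policies differ or where the applied policy differs from the negotiated one. Treating each flag as a feature set and "least common denominator" as the intersection of those sets is an assumption of this example, and the last sample row is constructed.

```python
import re

# Flag legend from the command output. ASSUMPTION: each flag is modelled as a set of
# features, and the negotiated policy is the intersection of the two configured sets.
FLAG_FEATURES = {
    "F": frozenset({"TFO", "DRE", "LZ"}),
    "D": frozenset({"TFO", "DRE"}),
    "L": frozenset({"TFO", "LZ"}),
    "T": frozenset({"TFO"}),
}
FEATURES_FLAG = {features: flag for flag, features in FLAG_FEATURES.items()}

ROW = re.compile(
    r"^(?P<local>\S+:\d+)\s+(?P<remote>\S+:\d+)\s+(?P<conid>\d+)\s+"
    r"(?P<peer_id>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<policy>[FDLT],[FDLT],[FDLT],[FDLT])\s*$"
)


def expected_negotiated(ours, peers):
    """Flag for the features both sides are configured to use."""
    return FEATURES_FLAG[FLAG_FEATURES[ours] & FLAG_FEATURES[peers]]


def parse_optimized(text):
    """Return one dict per optimized-connection row; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if not match:
            continue
        row = match.groupdict()
        ours, peers, negotiated, applied = row.pop("policy").split(",")
        row.update(ours=ours, peers=peers, negotiated=negotiated, applied=applied)
        rows.append(row)
    return rows


def review(row):
    """List what to look at for one connection; an empty list means nothing stands out."""
    findings = []
    if row["ours"] != row["peers"]:
        findings.append("configured policy differs: local %s, peer %s"
                        % (row["ours"], row["peers"]))
    expected = expected_negotiated(row["ours"], row["peers"])
    if row["negotiated"] != expected:
        findings.append("negotiated %s, expected %s" % (row["negotiated"], expected))
    if row["applied"] != row["negotiated"]:
        findings.append("applied %s differs from negotiated %s: check accelerator load"
                        % (row["applied"], row["negotiated"]))
    return findings


def report(text):
    """Map connection ID to findings for every optimized row in the output."""
    return {row["conid"]: review(row) for row in parse_optimized(text)}


# First three rows are taken from the output above; the last row is constructed.
SAMPLE = """\
Optimized Connection List
Policy summary order: Our's, Peer's, Negotiated, Applied
Local-IP:Port        Remote-IP:Port       ConId   PeerId              Policy
1.1.1.100:54663      2.2.2.100:4050       15637   00:11:25:aa:c1:e8   F,F,F,F
10.10.10.100:14829   10.10.13.100:3389    34735   00:11:25:aa:c1:e8   T,T,T,T
10.10.13.100:3826    10.10.10.100:80      34755   00:11:25:aa:c1:e8   L,F,L,L
10.10.13.100:3900    10.10.10.100:80      39999   00:11:25:aa:c1:e8   F,F,F,T
"""

if __name__ == "__main__":
    for conid, findings in report(SAMPLE).items():
        print(conid, findings or "ok")
```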


Display Connection Summary


[Slide: the same show tfo connection summary output as on the previous slide, with these
callouts:]

Policy column legend

Peer WAE device and policy summary, including local policy, peer policy, negotiated policy,
and applied policy

The figure shows the same output of the show tfo connection summary command. Notice the
peer identification and policy flags for each policy.


Display Connection Summary


[Slide: the same show tfo connection summary output as on the previous slides, with these
callouts on the Pass-Through Connections list:]

Pass-through connections

Connection details

Reason for pass-through

The figure shows the same output of the show tfo connection summary command. Notice the
pass-through connections are each identified, along with what type of connection it is. Some
internally-generated connections, such as a connection between Wide Area File Services
(WAFS) Edge WAEs and WAFS Core WAEs are configured for pass-through based on the
policy. Such connections might be transferring latency-sensitive data in small packet sizes
where optimization provides no benefit.


Policy Engine CLI


EDGE1#show run
policy-engine application
   name Web
   classifier HTTP
      match dst port eq 80
      match dst port eq 8080
      match dst port eq 8000
      match dst port eq 8001
      match dst port eq 3128
   exit
   classifier HTTPS
      match dst port eq 443
   exit
   map basic
      name Web classifier HTTP action optimize full
      name Web classifier HTTPS action optimize DRE no compression none
   exit
   map adaptor EPM mapi
      name Email-and-Messaging All action optimize full
   exit
   map other optimize full

Callouts:

name Web: Name of the application group. Statistics from each associated classifier roll up to
this group.

classifier HTTP: Classifier name

match dst port eq ...: Match criteria for the classifier

map basic, name Web classifier ...: Bind the classifier to the application group for
statistics rollup

action optimize ...: Action to perform when traffic of this kind is encountered by this
particular WAE

After you have identified connections that are being handled by a WAE, either as optimized or
as pass-through, the next step is to validate the policy configuration on both the WAE and its
peer. If the policy applied is incorrect, this could be caused by one of the following:

Policy configured on local device is incorrect

Policy configured on peer device is incorrect

Policy configured on device group that either local device or peer device is configured to
use is incorrect

Service not functioning or one of the two devices is experiencing heavy load. See the show
tfo accelerators command later in the module.

The policy configuration on each WAE in the path can be examined either from the command line
interface (CLI) or from the Central Manager. From the CLI, use the show running-config command
(that is, just show run) and verify that:

Application definition is present, that is, name <application name>

Classifier is configured, that is, classifier <classifier name>

Match conditions for the classifier are correct, that is, match <src|dst> <ip|port> eq
<identifier>

Policy map exists, that is, map basic, followed by name <application name> classifier
<classifier name>, followed by the appropriate action

If a policy is not explicitly configured, no classifier is configured, and an application
definition is not configured, verify that the other policy is set appropriately, that is,
map other <policy>.

Note

Traffic that is not explicitly classified and associated with a policy is optimized based on the
configuration of the map other statement. This is considered the default policy.
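The verification list above can be run against a saved copy of the running configuration. The following is an added example, not part of the original course material: it parses the policy-engine block and checks, for one application and classifier, the application definition, the classifier, its match conditions, the map basic entry, and the map other default. The first sample is the configuration shown on the slide; the second is constructed to show failures, and the function names are this example's own.

```python
import re

# Match syntax as given in the text: match <src|dst> <ip|port> eq <identifier>
MATCH = re.compile(r"^match (src|dst) (ip|port) eq \S+$")


def parse_policy_engine(config_text):
    """Parse a 'policy-engine application' block into a small dictionary."""
    cfg = {"applications": set(), "classifiers": {}, "basic_map": [], "map_other": None}
    context = current = None
    for raw in config_text.splitlines():
        line = " ".join(raw.split())
        if not line or line == "policy-engine application":
            continue
        words = line.split()
        if line == "exit":
            context = current = None
        elif context == "classifier":
            if words[0] == "match":
                cfg["classifiers"][current].append(line)
        elif context == "map basic":
            if (len(words) >= 6 and words[0] == "name"
                    and words[2] == "classifier" and words[4] == "action"):
                cfg["basic_map"].append({"app": words[1], "classifier": words[3],
                                         "action": " ".join(words[5:])})
        elif context == "map adaptor":
            pass                                   # adaptor entries are not checked here
        elif words[0] == "name" and len(words) == 2:
            cfg["applications"].add(words[1])
        elif words[0] == "classifier" and len(words) == 2:
            context, current = "classifier", words[1]
            cfg["classifiers"].setdefault(current, [])
        elif words[:2] == ["map", "basic"]:
            context = "map basic"
        elif words[:2] == ["map", "adaptor"]:
            context = "map adaptor"
        elif words[:2] == ["map", "other"] and len(words) > 2:
            cfg["map_other"] = " ".join(words[2:])
    return cfg


def verify(cfg, app, classifier):
    """Apply the checklist to one application/classifier pair."""
    problems = []
    if app not in cfg["applications"]:
        problems.append("application definition missing: name %s" % app)
    matches = cfg["classifiers"].get(classifier)
    if matches is None:
        problems.append("classifier missing: classifier %s" % classifier)
    elif not matches:
        problems.append("classifier %s has no match conditions" % classifier)
    else:
        problems += ["unexpected match syntax: %s" % m for m in matches
                     if not MATCH.match(m)]
    entries = [e for e in cfg["basic_map"]
               if (e["app"], e["classifier"]) == (app, classifier)]
    if not entries:
        problems.append("map basic has no entry for %s/%s" % (app, classifier))
    if cfg["map_other"] is None:
        problems.append("map other is not set")
    return {"problems": problems,
            "action": entries[0]["action"] if entries else None,
            "default_policy": cfg["map_other"]}


PAGE_CONFIG = """\
policy-engine application
   name Web
   classifier HTTP
      match dst port eq 80
      match dst port eq 8080
      match dst port eq 8000
      match dst port eq 8001
      match dst port eq 3128
   exit
   classifier HTTPS
      match dst port eq 443
   exit
   map basic
      name Web classifier HTTP action optimize full
      name Web classifier HTTPS action optimize DRE no compression none
   exit
   map adaptor EPM mapi
      name Email-and-Messaging All action optimize full
   exit
   map other optimize full
"""

# Constructed: classifier without match conditions and no map other statement.
CONSTRUCTED_BROKEN = """\
policy-engine application
   name Web
   classifier HTTP
   exit
   map basic
      name Web classifier HTTP action optimize full
   exit
"""

if __name__ == "__main__":
    print(verify(parse_policy_engine(PAGE_CONFIG), "Web", "HTTP"))
    print(verify(parse_policy_engine(CONSTRUCTED_BROKEN), "Web", "HTTP"))
```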


Verifying Policy Configuration


The Central Manager GUI can also be used to verify the application definition, classifier and
match conditions, and policy map.


Explicit Policy Configuration


To ensure consistency throughout the WAAS network, it is best to configure each WAE in the
topology to explicitly pull its optimization policy from a device group. This device group
should be where all policy configuration changes are applied. Devices that are configured to
explicitly receive policy from this device group automatically receive any changes made to the
policies via the Central Manager LIM Controller Module (LCM) cycle.


Verify Accelerators are Enabled


Examine the configured optimization capabilities for this specific WAE

CORE1#show tfo status

Optimization Status:
   Configured: optimize full
   Current: optimize full

This device's ID: 00:14:5e:41:eb:78

TFO is up since Sat Dec 30 17:56:25 2006
TFO is functioning normally.

Callouts:

Optimization Status: Displays which optimizations are configured on the WAE and capable of
being applied to flows

TFO is up since ...: Displays the status of TFO as a whole within this particular WAE device

Another possible reason why specific optimizations are not being employed is that the
optimizations are not enabled or are under significant load. Use the show tfo status CLI
command to validate whether each of the optimization components is enabled. These components
include DRE, LZ compression, and TFO. If all components are enabled, the command reports
optimize full. The output of the command also reports the state of TFO.


Verify Accelerators are Enabled


Global optimization capabilities for a WAE device or a WAE device group can be configured
at Devices > (Devices or Device Groups) > (Entity Name) > Acceleration > General Settings.
Any feature with a checkmark next to it is enabled. Any feature missing a checkmark is
disabled. If a WAE is configured to explicitly pull its policy and configuration from a device
group, as shown in the figure, then this page does not allow you to modify these settings. In
such a case, they need to be modified in the device group configuration page.


Verify Accelerator Liveliness


Examine liveliness and load level reported by each of the accelerators

EDGE1#show tfo accelerators

Name: TFO    State: Registered,    Handling Level: 100%
   Keepalive timeout: 3.0 seconds,    Session timeouts: 0,    Total timeouts: 0
   Last keepalive received 00.6 Secs ago
   Last registration occurred 3:01:51:56.7 Days:Hours:Mins:Secs ago
Name: EPM    State: Registered,    Handling Level: 100%
   Keepalive timeout: 5.0 seconds,    Session timeouts: 0,    Total timeouts: 0
   Last keepalive received 00.1 Secs ago
   Last registration occurred 3:01:51:58.5 Days:Hours:Mins:Secs ago
Name: CIFS   State: Registered,    Handling Level: 100%
   Keepalive timeout: 4.0 seconds,    Session timeouts: 0,    Total timeouts: 0
   Last keepalive received 00.4 Secs ago
   Last registration occurred 3:00:52:03.4 Days:Hours:Mins:Secs ago

Callout on Handling Level: Indicates the amount of workload the accelerator has notified the
policy engine that it is able to handle (100% is good)

The show tfo accelerators command shows the liveliness of each of the acceleration
components. This includes:

TFO: TFO is the data-path of the Cisco WAE, and includes TCP optimization, DRE, and
LZ compression.

EPM: EPM is the end-point mapper classification system for DCOM traffic (dynamically
assigned ports).

CIFS: CIFS is the CIFS acceleration service on the WAE.

The handling level is of interest, as it reports the amount of load the subsystem is able to
receive based on current workload. If the handling level for an accelerator is set to 100%, it is
operating correctly and able to receive workload. If the handling level for an accelerator is set
to 0%, it is experiencing one of the following:

Excessive workload: The accelerator has gone into an overload condition.

Service down: The accelerator service is disabled or not configured.

Note

The WAFS Core service always reports the CIFS accelerator handling level of 0%.

Examining Optimized Connections


This topic explains how to examine connections being optimized by the WAE.

Examining Optimized Connections


The Cisco WAE CLI provides facilities to examine details
about each of the connections identified by that particular
WAE, including:
State of the connection
Details about the two virtual connections managed
Buffer capacity and utilization
Number of encode and decode operations


After automatic discovery has been verified, policy has been verified, and accelerator liveliness
has been verified, the WAE CLI can be used to examine details about each of the connections
being handled by the WAE. This section examines the CLIs that provide granular details about
each connection.


Examining Optimized Connection Details

Examine data about an individual connection, all connections, or connections matching specific
criteria

CORE1# show tfo connection ?
  client-ip      Source IP address
  client-port    Source port number
  peer-id        Display connections optimized with a specific peer
  server-ip      Dest. IP address
  server-port    Dest port number
  summary        connection summary information
  Output Modifiers
  <cr>

The show tfo connection command is the command that provides insight into all the details
about an optimized connection. It can be filtered in a variety of ways, including:

Client IP address

Client TCP port

Peer identifier

Server IP address

Server TCP port

Output modifiers or statements


Examining Optimized Connection Details


Examine the details associated with a particular connection

CORE1# sh tfo connection server-port 80

Connection Id:             30177
Peer Id:                   00:11:25:ac:3c:5c
Connection type:           Ext. Server
Source IP Address:         10.10.13.100
Source Port Number:        4709
Destination IP Address:    10.10.10.100
Destination Port Number:   80
Our policy:                TCP_OPTIMIZE + DRE + LZ
Peer policy:               TCP_OPTIMIZE + DRE + LZ
Negotiated policy:         TCP_OPTIMIZE + DRE + LZ
Applied policy:            TCP_OPTIMIZE + DRE + LZ

                           Source <-> WAAS    WAAS <-> Dest
                           (Optimized)        (Original)
                           0x18996f2c         0x1899708c
Current Read State:        N. Read Wait       N. Read Wait
Previous Read State:       P. Read Wait       P. Read Wait

Callouts:

Peer Id, Connection type: Peer ID and connection type

Source and destination address and port: Four-tuple associated with the connection

Policy lines: Configured policy on local WAE, configured policy on remote WAE, negotiated
policy, and policy applied to the connection

If used with no parameters, that is, simply executing the show tfo connection command, a
detailed set of statistics appears for each connection handled by the WAE. This is analogous to
executing show interface on a switch that has a large number of interfaces. In most
deployment situations, the WAE is handling a large number of connections, so it is best to filter
the output of the show tfo connection command, as shown in the figure, where the command is
filtered to show only connections involving server TCP port 80, that is, web server.
The output of the command shows details about each connection that matches the filter list,
including:

Internal connection ID

ID of the peer identified during automatic discovery

Type of connection (internal versus external)

Four-tuple of the connection: source IP, destination IP, source TCP port, and destination
TCP port

Policy flags: locally configured policy, the peer's configured policy, negotiated policy, and
applied policy

The next figure shows additional data found in the output of this command.


Examining Optimized Connection Details


[Slide: the same sh tfo connection server-port 80 output as on the previous slide, with this
callout on the Source <-> WAAS (Optimized) and WAAS <-> Dest (Original) columns:]

Connection statistics are then broken into two. One represents the optimized connection between
WAEs and the other is the connection from the WAE to the adjacent end node

The next section in the output of the command shows two columns:

The first column shows the data relative to the TCP proxy connection that is facing the
source of the connection.

The second column shows the data relative to the TCP proxy connection that is facing the
destination of the connection.

If the WAE is adjacent to a client, then:

Source <-> WAAS is the unoptimized connection from the WAE to the client workstation

WAAS <-> Destination is the optimized connection to the peer WAE

If the WAE is adjacent to a server, then:

Source <-> WAAS is the optimized connection to the peer WAE.

WAAS <-> Destination is the unoptimized connection from the WAE to the server.

The above is true for typical connections that are initiated from the client and terminated on
the server. For protocols that are initiated by the server to the client, for example, active
mode FTP, the values would be the reverse.
Notice that the output of the command displays the current read and write state for the
connection. The connection should be in a read or write state. The state is related to the buffers
allocated to the connection facing the source or the connection facing the destination.


Examining Optimized Connection Details


Statistics for each of the two virtual TCP connections

                                 Source <-> WAAS    WAAS <-> Dest
                                 (Optimized)        (Original)
                                 0x18996f2c         0x1899708c
Current Read State:              N. Read Wait       N. Read Wait
Previous Read State:             P. Read Wait       P. Read Wait
Current Write State:             N. Write Wait      D. Write Wait
Previous Write State:            D. Write Wait      Writing
TCP opt. only xfer mode:         N/A                N/A
Read Buffer Size:                0                  0
Write Buffer Size:               433                0
Work Buffer Size:                46667              0
Bytes Read:                      140071             413324628
Bytes Written:                   4374694            114
Number of Reads:                 1794               13215
Number of Writes:                12038              1
Number of Encodes:               0                  13844
Number of Decodes:               9327               0
Read Q. latency in msec:         4.526(9327)        0.119(13180)
Encode/decode latency in msec:   0.000(0)           1.213(13844)
Write Q latency in msec:         0.976(12037)       0.063(1)

Additional data is also provided in the output of the show tfo connection command. This
information includes:

Current and previous read and write state

If the connection is configured only for TCP optimization

Read and write buffer sizes

Bytes read and bytes written

Note

The bytes read and bytes written provide insight into the compression that has been
employed for the connection. This data is the foundation for calculating compression
statistics.

Number of encodes and decodes

Note

Number of encodes and decodes are only relevant when the connection is being optimized
by Data Redundancy Elimination (DRE). An encode operation is called when data coming in
should be redundancy eliminated. A decode operation is called when data coming in was
previously encoded and needs to be decoded.

Latency associated with read queue and write queue

Latency associated with encode and decode operations

Latency data is sampled, and the number in the parentheses indicates the number of samples
that have been taken.


Examining Optimized Connection Details

[Slide: the same per-connection statistics output as on the previous slide, with these
callouts:]

Read State and Write State rows: Current read and write state of each of the two connections

TCP opt. only xfer mode row: Indicates if TCP connection is TFO-optimized only

When examining the current and previous read state, the states listed can be interpreted as:

N. Read Wait (network read wait): Waiting for data to arrive from the network

P. Read Wait (pacing read wait): Waiting for buffer space to become available for this
side of the connection

Reading: Reading data from the socket into a buffer

Read shutdown: Remote side has terminated the connection via a TCP FIN closing the
connection or RST resetting the connection

When examining the current and previous write state, the states listed can be interpreted as:

D. Write Wait (data write wait): Waiting for data to write, reading peer connection or
encode/decode data if DRE is being used

N. Write Wait (network write wait): Waiting for socket to become writable

Writing: Writing the data from the buffer to the socket

Write shutdown: The WAE initiated a close by a FIN or RST due to the connection being
torn down by a FIN or RST

If the connection is configured for TFO only, with no compression, the TCP opt. only xfer
mode is set to a value other than n/a.


Examining Optimized Connection Details

[Slide: the same per-connection statistics output as on the previous slides, with these
callouts:]

Buffer Size rows: Lists the amount of data buffered for this connection

Bytes Read, Bytes Written, Number of Reads, Number of Writes rows: Indicates the number of read
versus write operations along with the amount of data read versus written by these connections

The read and write buffer sizes are also displayed in the output of the show tfo connection
command. Because the WAE is a transparent TCP proxy, data that is written into the buffer on
one side of the connection is processed by the WAE and then transmitted through the buffer on
the optimized side of the connection. The command output also shows the number of bytes read
versus written, which indicates the amount of compression provided by the WAEs optimizing
the connection.


Examining Optimized Connection Details

[Slide: the same per-connection statistics output as on the previous slides, with these
callouts:]

Latency rows: The average queuing latency (in millisecond) per operation and per connection
along with the number of samples (in parenthesis) taken to achieve this measurement

Number of Encodes and Number of Decodes rows: The number of encode and decode operations
performed against this connection by this WAE

The output of the command also shows the number of encode and decode operations that have
occurred for this connection. These values are only relevant if DRE is configured for the
connection. These counters increment as data is extracted from the TCP buffers and passed to
DRE for encode (compression) or decode (decompression) operations.
The read queue latency, in milliseconds, displays the average time data spends in the read
queue, entering the device. The number in parentheses is the number of samples taken against
data to generate the read queue latency. Similarly, the write queue latency, in milliseconds,
displays the average time data spends in the write queue, leaving the device.
The encode/decode latency, in milliseconds, is the amount of time taken by DRE to perform
encode or decode operations against data from the flow.


TFO Transaction Logs


This topic explains how to enable TFO transaction logging, how to use the logs to provide
detailed data about optimized connections, and how to troubleshoot problems with this data.

TFO Transaction Logs


TFO transaction logging, when enabled, allows the WAE
to retain key statistical data on a per-connection basis in
a rolling log file, including:
Unique identifiers for each connection identified
Reason for pass-through handling of a connection
Peer discovered for the connection
Configured local/remote, negotiated, applied policy
Bytes read versus written on each managed connection
Read versus write latency

The TFO transaction logs provide a means by which to examine the behavior of previously
seen TCP connections. These files are stored in a rolling log and include all of the data relevant
to the connection, as shown in the figure.

Enabling TFO Transaction Logs


Enable TFO transaction logging. This provides detailed per-connection statistics on the WAE via local log files.

CORE1# config term
CORE1(config)# transaction-logs tfo enable
CORE1(config)# end

Verify that transaction logging for TFO connections is enabled.

CORE1# show transaction-logging
Transaction log configuration:
---------------------------------------
TFO Logging is enabled.
TFO Archive interval: every-day every 1 hour
TFO Maximum size of archive file: 2000000 KB
TFO logging to remote syslog host is disabled.
TFO remote syslog host is not configured.
TFO facility is the default "*" which is "user".
Exporting files to ftp servers is disabled.

Before TFO transaction log data is written, TFO transaction logging must be enabled on the
WAE where the logging should occur. TFO transaction logging can be enabled by using the
transaction-logs tfo enable command from global configuration mode and verified via the
show transaction-logging command.

Examining TFO Transaction Logs


TFO transaction logs are stored in the /local1/logs/tfo directory
TFO transaction logs generated hourly when TFO transaction logging enabled
Working log file used to build the latest TFO transaction log

CORE1# pwd
/local1
CORE1# cd logs/tfo
CORE1# pwd
/local1/logs/tfo
CORE1# dir
size            time of last change         name
--------------  -------------------------   -----------
155429          Wed Jan  3 06:00:00 2007    tfo_log_2.2.2.2_20070103_050000.txt
153701          Wed Jan  3 07:00:03 2007    tfo_log_2.2.2.2_20070103_060000.txt
52054           Wed Jan  3 07:20:52 2007    tfo_log_2.2.2.2_20070103_070000.txt
52054           Wed Jan  3 07:20:52 2007    working.log

TFO transaction logs are stored in the /local1/logs/tfo directory. The working.log file contains
the latest TCP connections that have closed, whereas the tfo_log*.txt files contain connections
prior to the latest TCP connections that have closed.

TFO Transaction Log Structure


The type-tail command can be used to display the contents of a file, either the
working.log or a historical TFO transaction log file.

EDGE1#type-tail working.log

Wed Jan 3 07:40:40 2007:OT:15867:END:EXTERNAL
CLIENT:10.10.13.100:4797:10.10.10.100:80:00.14.5e.41.eb.78:LZ
DRE:LZ DRE:LZ DRE:114:56116:1327155:126732291: 0.000(0):
0.000(0): 0.588(3728): 9.314(3730): 0.787(3730): 0.066(1):4:0:

TFO transaction log entry. Each field is separated by a colon.

The type-tail command can be used to view any of the TFO transaction log files, including the
working log file. Note that a single TFO transaction log entry can span many lines, and each
field within the transaction log is separated by a colon.

Pass-Through Connections

EDGE1#type-tail working.log

Wed Jan 3 07:42:09 2007:BP:10.10.10.10:443:10.10.100.2:60107:NO_PEER: OPT:
Wed Jan 3 07:42:23 2007:BP:10.10.10.10:443:10.10.100.2:47196:NO_PEER: OPT:

Timestamp
BP == bypass
Four-tuple of bypassed connection
Reason connection was bypassed (including no peer identified, also asymmetric routing)

Entries in the TFO transaction log for pass-through connections are very short and only contain
a few fields:

Timestamp: Indicates the date and time that the TCP connection was encountered

Bypass notification: The field immediately after the timestamp shows BP, indicating that
the connection is bypassed

Four-tuple: Source IP, destination IP, source TCP port, and destination TCP port

Reason for bypass: Including no identified peer, could not complete automatic discovery

Optimized Connection

EDGE1#type-tail working.log

Start of an external connection (not initiated by a WAE):

Wed Jan 3 07:49:29 2007:OT:15880:START:EXTERNAL
CLIENT:10.10.13.100:4813:10.10.10.100:80:00.14.5e.41.eb.78:LZ
DRE:LZ DRE:LZ DRE:0:0:0:0: 0.000(0): 0.000(0): 0.000(0):
0.000(0): 0.000(0): 0.000(0):0:0:

End of an external connection (not initiated by a WAE):

Wed Jan 3 07:50:18 2007:OT:15880:END:EXTERNAL
CLIENT:10.10.13.100:4813:10.10.10.100:80:00.14.5e.41.eb.78:LZ
DRE:LZ DRE:LZ DRE:114:222356:5309262:511459627: 0.000(0):
0.000(0): 3.794(14813): 28.433(14813): 0.797(14813):
0.052(1):5:0:

Entries in the TFO transaction logs for optimized connections, however, span many lines and
contain a great deal of data. The next few sections examine each of these fields and discuss
what they are useful for showing.
The first thing to note is that both the START and the END of a connection are logged, as the
START and END indicators in the figure show. The statement immediately after each indicator
says EXTERNAL, which means that the connection is external to the WAE, that is, not started
by the WAE itself. Connections that were initiated by the WAE, for example, CIFS
acceleration connections or management connections, would be listed as INTERNAL.

Optimized Connection (Cont.)

EDGE1#type-tail working.log

Four-tuple identifying the optimized connection
Identifier of the peer WAE performing optimization on this connection

Wed Jan 3 07:49:29 2007:OT:15880:START:EXTERNAL
CLIENT:10.10.13.100:4813:10.10.10.100:80:00.14.5e.41.eb.78:LZ
DRE:LZ DRE:LZ DRE:0:0:0:0: 0.000(0): 0.000(0): 0.000(0):
0.000(0): 0.000(0): 0.000(0):0:0:

Wed Jan 3 07:50:18 2007:OT:15880:END:EXTERNAL
CLIENT:10.10.13.100:4813:10.10.10.100:80:00.14.5e.41.eb.78:LZ
DRE:LZ DRE:LZ DRE:114:222356:5309262:511459627: 0.000(0):
0.000(0): 3.794(14813): 28.433(14813): 0.797(14813):
0.052(1):5:0:

The transaction logs also indicate the four-tuple of the connection, as well as the peer ID of the
WAE identified during the automatic discovery process. This helps to identify who the other
WAE optimizing this particular connection was at the time.

Optimized Connection (Cont.)


EDGE1#type-tail working.log

Local WAE configured policy
Peer WAE configured policy
Applied policy

Wed Jan 3 07:49:29 2007:OT:15880:START:EXTERNAL
CLIENT:10.10.13.100:4813:10.10.10.100:80:00.14.5e.41.eb.78:
LZ DRE:LZ DRE:LZ DRE:0:0:0:0: 0.000(0): 0.000(0): 0.000(0):
0.000(0): 0.000(0): 0.000(0):0:0:

Wed Jan 3 07:50:18 2007:OT:15880:END:EXTERNAL
CLIENT:10.10.13.100:4813:10.10.10.100:80:00.14.5e.41.eb.78:LZ
DRE:LZ DRE:LZ DRE:114:222356:5309262:511459627: 0.000(0):
0.000(0): 3.794(14813): 28.433(14813): 0.797(14813):
0.052(1):5:0:

Number of bytes exchanged on the optimized and non-optimized connection segments

The three flags that are called out in the first log entry indicate:

The locally configured policy on this WAE

The policy configured on the peer WAE

The policy applied to the connection, which is the least common denominator of the two
configured policies unless overload conditions or service failures were present

In the bottom log entry, the flags that are called out include the number of bytes that are
exchanged on the optimized and non-optimized connection segments. These are explained in
the next few sections.

Optimized Connection (Cont.)


Source <-> WAAS bytes read

Wed Jan 3 07:50:18 2007:OT:15880:END:EXTERNAL
CLIENT:10.10.13.100:4813:10.10.10.100:80:00.14.5e.41.eb.78:LZ
DRE:LZ DRE:LZ DRE:114:222356:5309262:511459627: 0.000(0):
0.000(0): 3.794(14813): 28.433(14813): 0.797(14813):
0.052(1):5:0:

[Figure: Source <-> WAAS, WAE, WAAS <-> Destination]

The first field is the number of bytes read on the connection from the source to the WAE. The
directionality of traffic flow and posture of the WAE relative to the flow is shown in the figure.

Optimized Connection (Cont.)


WAAS <-> Destination bytes written

Wed Jan 3 07:50:18 2007:OT:15880:END:EXTERNAL
CLIENT:10.10.13.100:4813:10.10.10.100:80:00.14.5e.41.eb.78:LZ
DRE:LZ DRE:LZ DRE:114:222356:5309262:511459627: 0.000(0):
0.000(0): 3.794(14813): 28.433(14813): 0.797(14813):
0.052(1):5:0:

[Figure: Source <-> WAAS, WAE, WAAS <-> Destination]

The second field is the number of bytes written on the connection from the WAE toward the
destination. The directionality of traffic flow and posture of the WAE relative to the flow is
shown in the figure.

Optimized Connection (Cont.)


WAAS <-> Destination bytes read

Wed Jan 3 07:50:18 2007:OT:15880:END:EXTERNAL
CLIENT:10.10.13.100:4813:10.10.10.100:80:00.14.5e.41.eb.78:LZ
DRE:LZ DRE:LZ DRE:114:222356:5309262:511459627: 0.000(0):
0.000(0): 3.794(14813): 28.433(14813): 0.797(14813):
0.052(1):5:0:

[Figure: Source <-> WAAS, WAE, WAAS <-> Destination]

The third field is the number of bytes read on the connection from the destination to the WAE.
The directionality of traffic flow and posture of the WAE relative to the flow is shown in the
figure.

Optimized Connection (Cont.)


Source <-> WAAS bytes written

Wed Jan 3 07:50:18 2007:OT:15880:END:EXTERNAL
CLIENT:10.10.13.100:4813:10.10.10.100:80:00.14.5e.41.eb.78:LZ
DRE:LZ DRE:LZ DRE:114:222356:5309262:511459627: 0.000(0):
0.000(0): 3.794(14813): 28.433(14813): 0.797(14813):
0.052(1):5:0:

[Figure: Source <-> WAAS, WAE, WAAS <-> Destination]

The fourth field is the number of bytes written on the connection from the WAE to the source.
The directionality of traffic flow and posture of the WAE relative to the flow is shown in the
figure.

Optimized Connection (Cont.)


EDGE1#type-tail working.log

Wed Jan 3 07:49:29 2007:OT:15880:START:EXTERNAL
CLIENT:10.10.13.100:4813:10.10.10.100:80:00.14.5e.41.eb.78:
LZ DRE:LZ DRE:LZ DRE:0:0:0:0: 0.000(0): 0.000(0): 0.000(0):
0.000(0): 0.000(0): 0.000(0):0:0:

Wed Jan 3 07:50:18 2007:OT:15880:END:EXTERNAL
CLIENT:10.10.13.100:4813:10.10.10.100:80:00.14.5e.41.eb.78:LZ
DRE:LZ DRE:LZ DRE:114:222356:5309262:511459627:
0.000(0): 0.000(0): 3.794(14813): 28.433(14813): 0.797(14813):
0.052(1):5:0:

Read and write latencies
Number of samples contained within parentheses

The remainder of the transaction log entry contains information about read and write latencies,
as well as the number of samples. These are shown in the next few figures.

Optimized Connection (Cont.)


Wed Jan 3 07:50:18 2007:OT:15880:END:EXTERNAL
CLIENT:10.10.13.100:4813:10.10.10.100:80:00.14.5e.41.eb.78:LZ
DRE:LZ DRE:LZ DRE:114:222356:5309262:511459627:
0.000(0): 0.000(0): 3.794(14813): 28.433(14813): 0.797(14813):
0.052(1):5:0:

Source <-> WAAS read latency
DRE encode or decode latency

[Figure: Source <-> WAAS, TCP Proxy, DRE, WAAS <-> Destination]

The first two fields indicate:

First field: The amount of read latency for traffic coming into the WAE from the network
path toward the source of the connection. The number in the parentheses is the number of
samples taken to calculate the read latency.

Second field: The amount of latency spent passing the data through DRE for encoding or
decoding for traffic coming in from the source going toward the destination.

Optimized Connection (Cont.)


Wed Jan 3 07:50:18 2007:OT:15880:END:EXTERNAL
CLIENT:10.10.13.100:4813:10.10.10.100:80:00.14.5e.41.eb.78:LZ
DRE:LZ DRE:LZ DRE:114:222356:5309262:511459627:
0.000(0): 0.000(0): 3.794(14813): 28.433(14813): 0.797(14813):
0.052(1):5:0:

Source <-> WAAS write latency
WAAS <-> Destination read latency

[Figure: Source <-> WAAS, TCP Proxy, DRE, WAAS <-> Destination]

The third and fourth fields indicate:

Third field: The amount of write latency for traffic leaving the WAE to the network path
toward the source of the connection. The number in parentheses is the number of samples
taken to calculate the read latency.

Fourth field: The amount of read latency for traffic entering the WAE from the network
path toward the destination of the connection. The number in parentheses is the number of
samples taken to calculate the read latency.

Optimized Connection (Cont.)


Wed Jan 3 07:50:18 2007:OT:15880:END:EXTERNAL
CLIENT:10.10.13.100:4813:10.10.10.100:80:00.14.5e.41.eb.78:LZ
DRE:LZ DRE:LZ DRE:114:222356:5309262:511459627:
0.000(0): 0.000(0): 3.794(14813): 28.433(14813): 0.797(14813):
0.052(1):5:0:

WAAS <-> Destination write latency
DRE encode or decode latency

[Figure: Source <-> WAAS, TCP Proxy, DRE, WAAS <-> Destination]

The fifth and sixth fields indicate:

Fifth field: The amount of latency spent passing the data through DRE for encoding or
decoding for traffic coming in from the destination going toward the source.

Sixth field: The amount of write latency for traffic leaving the WAE toward the destination
of the connection. The number in parentheses is the number of samples taken to calculate
the read latency.
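
The field layout described in the preceding figures can be checked with a small parser. The following Python is an added example, not part of the course material: the field names are labels chosen here, the trailing fields that the text does not describe are kept unlabelled in "extra", and the sample entries are the ones shown in the figures, wrapped as they appear there.

```python
import re
from collections import Counter
from datetime import datetime

# A logical entry starts with a timestamp such as "Wed Jan 3 07:50:18 2007:".
ENTRY_START = re.compile(
    r"^([A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}):(.*)$")
LATENCY = re.compile(r"^(\d+\.\d+)\((\d+)\)$")  # value in msec, then sample count

# Labels chosen for this example; the order follows the field descriptions above.
BYTE_FIELDS = ("read_from_source", "written_to_destination",
               "read_from_destination", "written_to_source")
LATENCY_FIELDS = ("read_source_side", "dre_source_to_destination",
                  "write_source_side", "read_destination_side",
                  "dre_destination_to_source", "write_destination_side")

# Entries copied from the figures on this page.
SAMPLE = """\
Wed Jan  3 07:42:09 2007:BP:10.10.10.10:443:10.10.100.2:60107:NO_PEER: OPT:
Wed Jan  3 07:42:23 2007:BP:10.10.10.10:443:10.10.100.2:47196:NO_PEER: OPT:
Wed Jan 3 07:49:29 2007:OT:15880:START:EXTERNAL
CLIENT:10.10.13.100:4813:10.10.10.100:80:00.14.5e.41.eb.78:LZ
DRE:LZ DRE:LZ DRE:0:0:0:0: 0.000(0): 0.000(0): 0.000(0):
0.000(0): 0.000(0): 0.000(0):0:0:
Wed Jan 3 07:50:18 2007:OT:15880:END:EXTERNAL
CLIENT:10.10.13.100:4813:10.10.10.100:80:00.14.5e.41.eb.78:LZ
DRE:LZ DRE:LZ DRE:114:222356:5309262:511459627: 0.000(0):
0.000(0): 3.794(14813): 28.433(14813): 0.797(14813):
0.052(1):5:0:
"""


def logical_entries(text):
    """Re-join wrapped physical lines into one string per log entry."""
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY_START.match(line):
            if current is not None:
                yield current
            current = line
        elif current is not None:
            current += " " + line  # continuation of a wrapped entry
    if current is not None:
        yield current


def parse_entry(entry):
    """Parse one logical entry into a dict; raise ValueError if malformed."""
    m = ENTRY_START.match(entry)
    if not m:
        raise ValueError("entry does not start with a timestamp: %r" % entry)
    # The timestamp itself contains colons, so it is cut off before splitting.
    when = datetime.strptime(" ".join(m.group(1).split()), "%a %b %d %H:%M:%S %Y")
    f = [part.strip() for part in m.group(2).split(":")]
    while f and f[-1] == "":
        f.pop()  # entries end with a trailing colon
    kind = f[0] if f else ""
    if kind == "BP" and len(f) >= 6:
        return {"type": "bypass", "time": when,
                "endpoints": ((f[1], int(f[2])), (f[3], int(f[4]))),
                "reason": f[5], "extra": f[6:]}
    if kind == "OT" and len(f) >= 22:
        latency = {}
        for name, raw in zip(LATENCY_FIELDS, f[16:22]):
            lm = LATENCY.match(raw)
            if not lm:
                raise ValueError("bad latency field %r" % raw)
            latency[name] = (float(lm.group(1)), int(lm.group(2)))
        return {"type": "optimized", "time": when, "conn_id": int(f[1]),
                "event": f[2], "origin": f[3].split()[0],
                "source": (f[4], int(f[5])), "destination": (f[6], int(f[7])),
                "peer_id": f[8],
                "policy": {"local": f[9], "peer": f[10], "applied": f[11]},
                "bytes": dict(zip(BYTE_FIELDS, map(int, f[12:16]))),
                "latency_ms": latency, "extra": f[22:]}
    raise ValueError("unrecognized entry: %r" % entry)


def bypass_reasons(records):
    """Count pass-through connections per bypass reason."""
    return Counter(r["reason"] for r in records if r["type"] == "bypass")


def closed_connections(records):
    """Pair START and END entries by connection ID and report each closed flow."""
    starts = {r["conn_id"]: r for r in records
              if r["type"] == "optimized" and r["event"] == "START"}
    closed = {}
    for r in records:
        if r["type"] == "optimized" and r["event"] == "END":
            start = starts.get(r["conn_id"])
            closed[r["conn_id"]] = {
                "duration_s": (r["time"] - start["time"]).total_seconds() if start else None,
                "applied_policy": r["policy"]["applied"],
                "bytes": r["bytes"]}
    return closed


if __name__ == "__main__":
    recs = [parse_entry(e) for e in logical_entries(SAMPLE)]
    print(bypass_reasons(recs))
    print(closed_connections(recs))
```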

Compression Statistics
This topic explains how to examine compression statistics and logs, and how to troubleshoot
compression problems including low compression.

Compression Statistics
The Cisco WAE CLI presents a number of important
compression-related statistics on a connection-by-connection
basis.
This data is helpful in verifying that compression is
working, or for resolving problems associated with:
Low compression ratio
Uncompressible content
Loss of DRE synchronization between WAEs

Compression statistics for each connection optimized by way of DRE and persistent LZ
compression can be viewed from the WAE CLI. This data is helpful in not only verifying that
compression is working, but also identifying problems associated with low compression ratios,
uncompressible content, or loss of synchronization.

Examining Compressed Connections


Each DRE-optimized connection will be displayed in the output of this command - one connection per line
Connection four-tuple
Bytes-in versus bytes-out
Status of the connection

waas-core# show statistics dre connection

Conn    Peer   Client-ip:port       Server-ip:port     Encode-in/     Status
Id      No                                             Decode-in      (A-Active)
                                                                      (C-Closed)
34775   0      10.10.13.100:3828    10.10.10.100:80    15MB/ 29B      A
15639   0      1.1.1.100:60080      2.2.2.100:4050     0B/ 0B         A
15638   0      1.1.1.100:60078      2.2.2.100:4050     0B/ 0B         A
15637   0      1.1.1.100:54663      2.2.2.100:4050     17B/ 22B       A

The show tfo connection command is helpful in examining statistics about each connection,
including the configured and applied policy. If the policy includes compression, either DRE or
LZ compression, the show statistics dre connection command provides a tabular list of all
connections that are being optimized by DRE. This table provides:

Connection ID of the connection; an internal value

Peer number

Four-tuple of the connection

Encode bytes in and decode bytes in

Status of the connection, A is active and C is closed

Examining Per-Connection Compression


Display DRE statistics for a filtered set of connections
Connection identifier
Connection four-tuple
Status of the connection

waas-core#sh statistics dre connection server-port 80
Conn-ID: 34775 10.10.13.100:3828 -- 10.10.10.100:80 Peer No: 0 Status: Active
------------------------------------------------------------------------------
Open at 09/18/2006 18:11:11, Still active
Encode:
   Overall: msg: 908, in: 15608 KB, out: 311 KB, ratio: 98.00%
   DRE: msg: 908, in: 15608 KB, out: 337 KB, ratio: 97.84%
   LZ: msg: 235, in: 137 KB, out: 111 KB, ratio: 18.59%
   Bypass: msg: 0, in: 0 B, partial chunks: 80744 B
   Latency: (Last 3 sec)max 2 ms, (Last 3 sec)avg 0 ms (cumulative)total 988 ms
   Message size distribution:
     0-1K=2% 1K-5K=10% 5K-15K=41% 15K-25K=25% 25K-40K=15% >40K=5%
Decode:
   Overall: msg: 1, in: 29 B, out: 406 B, ratio: 92.86%
   DRE: msg: 1, in: 29 B, out: 406 B, ratio: 92.86%
   LZ: msg: 0, in: 0 B, out: 0 B, ratio: 0.00%
   Bypass: msg: 0, in: 0 B
   Latency: (Last 3 sec)max 0 ms, (Last 3 sec) avg 0 ms, (cumulative) total 0 ms
   Message size distribution:
     0-1K=0% 1K-5K=0% 5K-15K=0% 15K-25K=0% 25K-40K=0% >40K=0%

The show statistics dre connection command can be filtered in a similar fashion to the show
tfo connection command. It is recommended, given the large number of connections a WAE
might be handling, to always filter the output of this command to show only the relevant
connections.
Using the show statistics dre connection <filter> command allows you to gather additional
data about each connection that is being optimized by compression. The output of this
command is examined in more detail in this and the next few figures.
The first portion of the output shows:

Connection ID of the connection

Four-tuple of the connection

Identifier of the peer

Status of the connection

This data is similar to the output of the tabular view provided by the show statistics dre
connection command, but the remainder of the output provides far more detail.

Examining Per-Connection Compression


When the connection was opened
State of the connection
DRE encode statistics including Overall, DRE, LZ statistics:
Bytes in versus bytes out
Compression ratio
Latency max, average, cumulative
Message size distribution

waas-core#sh statistics dre connection server-port 80
Conn-ID: 34775 10.10.13.100:3828 -- 10.10.10.100:80 Peer No: 0 Status: Active
------------------------------------------------------------------------------
Open at 09/18/2006 18:11:11, Still active
Encode:
   Overall: msg: 908, in: 15608 KB, out: 311 KB, ratio: 98.00%
   DRE: msg: 908, in: 15608 KB, out: 337 KB, ratio: 97.84%
   LZ: msg: 235, in: 137 KB, out: 111 KB, ratio: 18.59%
   Bypass: msg: 0, in: 0 B, partial chunks: 80744 B
   Latency: (Last 3 sec)max 2 ms, (Last 3 sec)avg 0 ms (cumulative)total 988 ms
   Message size distribution:
     0-1K=2% 1K-5K=10% 5K-15K=41% 15K-25K=25% 25K-40K=15% >40K=5%
Decode:
   Overall: msg: 1, in: 29 B, out: 406 B, ratio: 92.86%
   DRE: msg: 1, in: 29 B, out: 406 B, ratio: 92.86%
   LZ: msg: 0, in: 0 B, out: 0 B, ratio: 0.00%
   Bypass: msg: 0, in: 0 B
   Latency: (Last 3 sec)max 0 ms, (Last 3 sec) avg 0 ms, (cumulative) total 0 ms
   Message size distribution:
     0-1K=0% 1K-5K=0% 5K-15K=0% 15K-25K=0% 25K-40K=0% >40K=0%

The output of the command also displays:

When the connection was opened, and whether the connection is active or closed

Statistics about encoding, compressing data

The encode statistics are broken into:

Overall: The statistics relative to the overall compression function applied.

DRE: The statistics relative to only the DRE compression.

LZ: The statistics relative to only the LZ compression.

Bypass: The statistics relative to portions that were not compressed. A counter for partial
chunks is also listed; a partial chunk is a portion of data that is a remainder at the end of a
data set, and repeatability is generally not very likely to be found in a partial chunk.

Latency: The amount of latency added to the connection.

Message size distribution: This shows the size of the message that was handed to the
compression library from the TCP buffers. This is helpful in identifying whether or not an
application is using small messages or large messages.

Identical statistics for decode are also supplied.

Verify DRE Operation and Cache Size


Examine DRE status and system-wide statistics

CORE1#show statistics dre
Cache:
    Status: Usable, Oldest Data (age): 23d8h
    Total usable disk size: 57720 MB, Used: 7.90%
    Hash table RAM size: 230 MB, Used: 6.00%
Connections: Total (cumulative): 1043 Active: 6

The show statistics dre command displays data about the usability
of the DRE cache, age of the oldest data, percentage of capacity
utilized, and number of DRE-optimized connections.
This command also reports system-wide data relating to
compression ratios, message size distribution, and latency.

It is recommended that, when designing a WAAS solution, the storage capacity to be used as
compression history be considered. It is generally best if no less than one week of compression
history is retained per WAE, and it is preferred if 2 weeks can be retained. The output of the
show statistics dre command shows:

If DRE is usable or unusable.

How many connections are being optimized by DRE.

The oldest data in the DRE compression history; this resets if the cache is cleared.

The total usable disk size and amount used.

The total usable memory capacity and amount used.

If the oldest data is less than a week old, there is probably too little compression history in the
device, and additional capacity might be necessary if performance is not meeting expectations.

Low Compression
Smaller message distribution sizes reflect a protocol that either exchanges only small amounts of information (telnet) or is bound by application-layer latency

Conn-ID: 38837 10.10.13.100:1515 -- 10.10.10.10:23 Peer No: 0 Status: Active
------------------------------------------------------------------------------
Open at 01/04/2007 06:42:24, Still active
Encode:
   Overall: msg: 135, in: 14060 B, out: 12808 B, ratio: 3.01%
   DRE: msg: 135, in: 14060 B, out: 13476 B, ratio: 2.62%
   DRE Bypass: msg: 0, in: 0 B
   LZ: msg: 46, in: 12322 B, out: 12008 B, ratio: 1.09%
   LZ Bypass: msg: 89, in: 1154 B
   Avg latency: 0.000 ms
   Message size distribution:
     0-1K=97% 1K-5K=3% 5K-15K=0% 15K-25K=0% 25K-40K=0% >40K=0%
Decode:
   Overall: msg: 65, in: 517 B, out: 156 B, ratio: 0.00%
   DRE: msg: 65, in: 513 B, out: 156 B, ratio: 0.00%
   DRE Bypass: msg: 0, in: 0 B
   LZ: msg: 1, in: 56 B, out: 52 B, ratio: 0.00%
   LZ Bypass: msg: 64, in: 461 B
   Avg latency: 0.000 ms
   Message size distribution:
     0-1K=100% 1K-5K=0% 5K-15K=0% 15K-25K=0% 25K-40K=0% >40K=0%

Low compression ratios are generally caused by one of three situations:

Small message size distribution: Latency-sensitive applications that use small messages
and small buffers are typically difficult for DRE to compress due to how small they are.
This can be verified by looking at the message size distribution in the output of the show
statistics dre connection filter command.

Previously compressed data: It is difficult for a WAE to employ compression on a
previously compressed flow. DRE, however, is probably effective on the second
(redundant) transmission of the previously compressed content, unless the content was
recompressed, which could rescramble the entire object's internals.

Previously encrypted data: It is difficult for a WAE to employ compression or DRE on a
previously encrypted flow. If the session keys are long-lived and shared across multiple
users, DRE can prove effective. However, for most encryption implementations, DRE is
probably not effective, and such traffic should be configured for TCP optimization only to
conserve WAE resources.
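
The message size check described above can be automated over saved command output. The following Python is an added example, not part of the course material: it reads the Overall ratio and the message size distribution for each connection and flags low-compression flows. The 20% ratio and 90% small-message thresholds are assumptions chosen for illustration, and the sample text is taken from the two figures in this topic with each counter on one line and only the Overall and distribution lines kept.

```python
import re

CONN = re.compile(
    r"Conn-ID:\s*(\d+)\s+(\S+)\s+--\s+(\S+)\s+Peer No:\s*(\d+)\s+Status:\s*(\w+)")
OVERALL = re.compile(
    r"Overall:\s*msg:\s*(\d+),\s*in:\s*(\d+)\s*([KMG]?B),"
    r"\s*out:\s*(\d+)\s*([KMG]?B),\s*ratio:\s*([\d.]+)%")
SECTION = re.compile(r"(Encode|Decode):(.*?)(?=Encode:|Decode:|\Z)", re.S)
DIST_LINE = re.compile(r"Message size distribution:\s*([^\n]*)")
BUCKET = re.compile(r"(\S+)=(\d+)%")

# Values from the page's figures; one-counter-per-line layout is assumed.
SAMPLE = """\
Conn-ID: 34775 10.10.13.100:3828 -- 10.10.10.100:80 Peer No: 0 Status: Active
Open at 09/18/2006 18:11:11, Still active
Encode:
   Overall: msg: 908, in: 15608 KB, out: 311 KB, ratio: 98.00%
   Message size distribution:
     0-1K=2% 1K-5K=10% 5K-15K=41% 15K-25K=25% 25K-40K=15% >40K=5%
Decode:
   Overall: msg: 1, in: 29 B, out: 406 B, ratio: 92.86%
   Message size distribution:
     0-1K=0% 1K-5K=0% 5K-15K=0% 15K-25K=0% 25K-40K=0% >40K=0%
Conn-ID: 38837 10.10.13.100:1515 -- 10.10.10.10:23 Peer No: 0 Status: Active
Open at 01/04/2007 06:42:24, Still active
Encode:
   Overall: msg: 135, in: 14060 B, out: 12808 B, ratio: 3.01%
   Message size distribution:
     0-1K=97% 1K-5K=3% 5K-15K=0% 15K-25K=0% 25K-40K=0% >40K=0%
Decode:
   Overall: msg: 65, in: 517 B, out: 156 B, ratio: 0.00%
   Message size distribution:
     0-1K=100% 1K-5K=0% 5K-15K=0% 15K-25K=0% 25K-40K=0% >40K=0%
"""


def parse_dre_connections(text):
    """Return one dict per Conn-ID block with Encode/Decode overall statistics."""
    conns = []
    for block in re.split(r"(?=Conn-ID:)", text):
        head = CONN.search(block)
        if not head:
            continue
        conn = {"conn_id": int(head.group(1)), "client": head.group(2),
                "server": head.group(3), "peer_no": int(head.group(4)),
                "status": head.group(5), "sections": {}}
        for name, body in SECTION.findall(block):
            overall = OVERALL.search(body)
            if not overall:
                continue
            dist = DIST_LINE.search(body)
            buckets = BUCKET.findall(dist.group(1)) if dist else []
            conn["sections"][name] = {
                "msgs": int(overall.group(1)),
                "ratio": float(overall.group(6)),
                "distribution": {size: int(pct) for size, pct in buckets}}
        conns.append(conn)
    return conns


def triage(conn, low_ratio=20.0, small_share=90):
    """Flag low-compression directions; both thresholds are assumptions."""
    findings = []
    for direction in ("Encode", "Decode"):
        stats = conn["sections"].get(direction)
        if not stats or stats["msgs"] == 0 or stats["ratio"] >= low_ratio:
            continue
        if stats["distribution"].get("0-1K", 0) >= small_share:
            # Small message size distribution, the first cause listed above.
            findings.append((direction, "small-messages"))
        else:
            # Larger messages that still do not compress: the remaining causes.
            findings.append((direction, "check-precompressed-or-encrypted"))
    return findings


if __name__ == "__main__":
    for c in parse_dre_connections(SAMPLE):
        print(c["conn_id"], c["server"], triage(c))
```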

Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
Cisco WAAS optimization policy is negotiated amongst
automatically-discovered peers. The applied policy is the least
common denominator of the two configured policies
The Cisco WAE CLI provides granular details about each
connection being handled by a WAE, including applied policy,
buffer utilization, latency, and state
TFO transaction logs provide a history of previously-seen
connections, both optimized and pass-through, with data such as
that provided by the CLI for existing connections
The Cisco WAE CLI provides insight into compression
performance including compression ratios for DRE and persistent
LZ, message distribution sizes, and latency
Low compression is commonly attributed to transactional
application behavior, previously-applied compression or
encryption

Lesson 4

Troubleshooting Application
Acceleration
Overview
This lesson explains how to troubleshoot application acceleration capabilities of Cisco Wide
Area Application Services (WAAS), including Common Internet File System (CIFS)
acceleration and print services.

Objectives
Upon completing this lesson, you will be able to describe the process of troubleshooting
application acceleration. This includes being able to meet these objectives:

Describe the process of troubleshooting application acceleration

Examine the CIFS acceleration policies and configured services

Examine the CIFS configuration, including directives

Verify client connectivity to file servers and verify acceleration

Examine the CIFS acceleration statistics, health indicators, and logs

Explain how to troubleshoot print services

Overview
This topic provides an overview of the process of troubleshooting application acceleration
issues.

Troubleshooting Workflow
Validate platform liveliness including management services,
examine common issues, and understand system log files
and locations
Validate network interception and automatic discovery to
ensure that traffic is received and handled by the WAEs
within the Cisco WAAS network
Examine WAN optimization features relative to optimized
connections, optimization policy, statistics, and log files and
locations
Examine application acceleration features relative to
optimized sessions, configured policies, features, statistics,
and log files and locations

This lesson explains how to troubleshoot application acceleration capabilities of Cisco Wide
Area Application Services (WAAS), including Common Internet File System (CIFS)
acceleration and print services.

Troubleshooting Workflow
Examine application acceleration features relative to
optimized sessions, configured policies, features, statistics,
and log files and locations.
Verify CIFS acceleration policies and services.
Examine system configuration and directives.
Examine statistics, health indicators, and logs.
Troubleshoot print services.

To adequately troubleshoot issues with application acceleration services (CIFS acceleration,
local print services), you must examine the system configuration to validate that all components
related to the services are configured correctly. For CIFS acceleration, this includes the policies
and services configured on each of the Wide Area Application Engine (WAE) devices. System
configuration, including connectivity directives and other global settings, must also be
examined. Statistics, health indicators, and logs also provide guidance into where a potential
issue might be located.

CIFS Acceleration Components


[Figure: CIFS acceleration components. Labels: WAN, FILE.DOC, Transport Flow Optimization, DRE cache, LZ, Edge, Core Cluster]

CIFS policy, WAFS transport policy, and connectivity directive
WAFS Edge service configured and running
Connectivity directive and WAFS transport activity
WAFS Core service configured and running
WAFS Core cluster configured and members defined

CIFS acceleration within Cisco WAAS relies on a number of components being correctly
configured:

Wide Area File Services (WAFS) services (CIFS acceleration) on the edge WAE, located
near the user, and core WAE, located near the server, with proper configuration, and core
cluster configuration

Connectivity directive establishing connection between edge and core WAEs

CIFS policy and WAFS transport policy within the Central Manager

Having incorrect CIFS acceleration configuration can lead to one of many symptoms,
including:

Little or no improvement in response time

Traffic not being optimized at all

CIFS Acceleration Policies and Services


This topic explains how to validate CIFS server acceleration by examining configured policies
and WAFS services.

Verify CIFS Acceleration Policies

Ensure that policy is configured for full optimization and accelerate via CIFS adaptor

EDGE1# show run | include CIFS
classifier CIFS
name File-System classifier CIFS action optimize full accelerate CIFS-adaptor

First, verify that the policies in Central Manager are configured correctly. Two policies are
required to facilitate CIFS acceleration. The first policy, shown above, is the CIFS policy. This
policy should be set to Full Optimization under action and CIFS Adaptor under accelerate.
Ensure that each of the WAEs in question is configured with this policy, or is configured to
explicitly pull its policy from a device group where these policies are configured correctly.
If the CIFS policy is not configured correctly:

Action set to something other than Full Optimization results in traffic not CIFS-accelerated
being handled with a policy other than full optimization

Accelerate set to something other than CIFS Adaptor results in Cisco WAAS not
performing latency mitigation, caching, and other acceleration techniques for a server

In a case where CIFS acceleration is not functioning properly, Cisco WAAS might be
employing only TFO/DRE/LZ for optimization of the CIFS session. This can result in
bandwidth savings, but little to no response time improvement. Cisco WAAS relies on CIFS
acceleration to provide response time improvements.
The policies can be verified from the command line interface (CLI) of each WAE by issuing
the command show run | include CIFS. The resultant output shows any lines in the
running-configuration that include the word CIFS. Verify that the policy is set to optimize full and
accelerate CIFS-adaptor as shown in the figure.

Verify WAFS Transport Policies

Ensure that policy is configured for full optimization and no acceleration via an adaptor

EDGE1# show run | include WAFS
name WAFS
map adaptor WAFS transport
name WAFS All action optimize full

The second policy that is required is for the transmission of data between the WAFS Edge
adaptor and the WAFS Core adaptor. This policy is called the WAFS Transport policy, and
should be configured for full optimization. This policy should not be configured with anything
under Accelerate; instead, Accelerate should be set to do not set.
The CLI can also be used to verify that the WAFS transport policy is configured correctly by
examining the running-configuration.
If the WAFS Transport policy is not configured correctly, the system could show that CIFS is
being accelerated, but bandwidth savings are not significant for write operations or read
operations on changed files.
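
The two CLI checks in this topic can be scripted when many WAEs have to be audited. The following is an added example, not part of the course material: it takes the text returned by show run | include CIFS and show run | include WAFS (the sample strings follow the figures in this topic) and reports the misconfigurations described above. All function names are assumptions of the example.

```python
import re

# Sample outputs following the two figures in this topic.
CIFS_OUTPUT = """\
classifier CIFS
name File-System classifier CIFS action optimize full accelerate CIFS-adaptor
"""
WAFS_OUTPUT = """\
name WAFS
map adaptor WAFS transport
name WAFS All action optimize full
"""

# "action <words>", optionally followed by "accelerate <adaptor>", at end of line.
POLICY_RE = re.compile(
    r"\baction\s+(?P<action>.+?)(?:\s+accelerate\s+(?P<accel>\S+))?\s*$"
)


def parse_policies(output):
    """Return [(action, accelerate_or_None)] for each policy line in the output."""
    found = []
    for line in output.splitlines():
        match = POLICY_RE.search(line.strip())
        if match:
            found.append((match.group("action").strip().lower(),
                          match.group("accel")))
    return found


def check_cifs_policy(output):
    """CIFS policy must be 'optimize full' with 'accelerate CIFS-adaptor'."""
    policies = parse_policies(output)
    if not policies:
        return ["no CIFS policy line found in the running-configuration"]
    findings = []
    for action, accel in policies:
        if action != "optimize full":
            findings.append(f"CIFS action is '{action}', not 'optimize full'")
        if (accel or "").lower() != "cifs-adaptor":
            findings.append(
                "CIFS policy lacks 'accelerate CIFS-adaptor': expect TFO/DRE/LZ "
                "bandwidth savings but little response time improvement"
            )
    return findings


def check_wafs_transport_policy(output):
    """WAFS transport policy must be 'optimize full' with no accelerate setting."""
    policies = parse_policies(output)
    if not policies:
        return ["no WAFS transport policy line found in the running-configuration"]
    findings = []
    for action, accel in policies:
        if action != "optimize full":
            findings.append(f"WAFS transport action is '{action}', not 'optimize full'")
        if accel is not None:
            findings.append(
                f"WAFS transport policy sets accelerate '{accel}': expect poor "
                "savings on writes and on reads of changed files"
            )
    return findings


if __name__ == "__main__":
    for name, result in (("CIFS", check_cifs_policy(CIFS_OUTPUT)),
                         ("WAFS transport", check_wafs_transport_policy(WAFS_OUTPUT))):
        print(name, "OK" if not result else result)
```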

Verify WAFS Edge Service Configuration


Verify that the WAFS Edge service is configured and in the correct operating mode
Verify that the WAFS Edge service is running
Verify that the WAFS Edge service is configured to intercept on the correct TCP ports


After the policies have been verified, ensure that each of the WAEs is running the appropriate
WAFS service. For the WAE deployed in close proximity to the user, the WAFS Edge service
should be enabled, configured, and running. Verify in the Central Manager that the Edge Server
is enabled and configured either in transparent or non-transparent mode. Further, verify that the
boxes next to the ports enabled are checked. Finally, visit the device GUI to ensure that the
service appears and is started.
If the service is not configured properly (ports to listen on), some connections might be
accelerated (those on the ports that are configured), and some might not be (those on the ports
that are not configured).
If the service is not enabled, CIFS connections cannot be accelerated, and the only
optimization applied is based on the policy configured for CIFS less the CIFS-adaptor policy
(only DRE, TFO, and LZ are applied if set to optimize-full). The WAFS Edge service cannot
be verified via the CLI.

Verify WAFS Core Cluster Configuration


Credentials are only required for preposition

Member list


Verify that a WAFS Core Cluster is defined. The WAFS Core Cluster configuration includes:

File server access credentials: These fields are required only if using prepositioning
capabilities for a particular server. For interactive user access, credentials do not need to be
configured

WAFS Core WAE members: Any WAE that should be a member of this WAFS core
cluster should be configured as a member.

If no members are present in the WAFS core cluster, any WAFS Edge WAEs assigned to the
cluster via a connectivity directive do not have a peer to connect to. This results in CIFS
connections being optimized by DRE/TFO/LZ only, based on the configured policy.
If no WAFS Core Cluster is configured, a connectivity directive cannot be configured, and as
such, CIFS connections are optimized by DRE/TFO/LZ only, based on the configured policy.

Verify Core Service Configuration

Verify that the WAFS Core service is configured
Verify that the WAFS Core service is running
Verify that the WAE is assigned to the correct WAFS Core cluster


Verify that each of the WAEs is running the appropriate WAFS service. For the WAE deployed
in close proximity to the server, the WAFS Core service should be enabled, configured, and
running. Verify in the Central Manager that the Core Server is enabled and configured and that
the WAE is assigned to a configured Core Cluster. Finally, visit the device GUI to ensure that
the service appears and is started.
If the service is not configured or running, WAFS Edge WAEs do not consider this node a peer
to connect to. Any CIFS acceleration that occurs happens with an alternate node in the cluster.
If no WAFS Core WAEs are configured, all CIFS connections will be accelerated by
DRE/TFO/LZ only, based on the configured policy.
The WAFS Core service cannot be verified via the CLI.

Verifying CIFS Acceleration Services


Troubleshoot connectivity problems using basic CLI tools such as ping and traceroute.
After IP connectivity is verified, verify that the WAFS transport port is usable and reachable.
WAFS Core WAE listens on TCP 4050

Check network connectivity:

EDGE1# telnet 10.88.80.18 4050
Trying 10.88.80.18...
telnet: Unable to connect to remote host: Connection timed out

Check WAFS Core configuration, status, firewall rules, and access lists:

EDGE1# telnet 10.88.80.18 4050
Trying 10.88.80.18...
telnet: Unable to connect to remote host: Connection refused


After the WAFS Core service is configured and operational on a Core WAE, test connectivity
from the location where the Edge WAE is deployed. If a connection can be established to the
Core WAE on TCP port 4050, then the WAFS Core service is running, network connectivity is
present, and nothing in the network is blocking packets to this port.
If a connection cannot be established, verify network connectivity and service state, and ensure
that nothing in the network is preventing a connection from being established on TCP port
4050.

CIFS Configuration and Directives


This topic explains how to examine the CIFS configuration, including connectivity directives
and preposition directives.

Verify Connectivity Directives

Verify that the correct WAFS Core WAEs and cluster are present


The connectivity directive is a required component for CIFS acceleration. This component
establishes a long-lived connection between the WAFS Edge WAE and the WAFS Core WAE
on TCP port 4050 that is used for CIFS acceleration. This connection is not used for any other
traffic.
Verify that the connectivity directive is configured properly:

The correct core cluster is assigned to the connectivity directive.

The correct edge devices or groups are assigned to the connectivity directive.

The correct WAN utilization settings are present.

File servers that are configured as part of a preposition directive or for disconnected mode
of operation are explicitly configured.

If the wrong core cluster is listed, WAFS Edge WAEs might connect to the wrong set of WAEs
based on the currently-configured core cluster. This can lead to erratic network traffic patterns.

Verify Connectivity Directives (Cont.)

Only file servers configured for disconnected mode or used in preposition need to be configured
Ensure that the appropriate WAFS Edge WAEs are assigned to the connectivity directive and online


Within the connectivity directive, ensure that file servers participating in a preposition job or
otherwise configured for disconnected mode are explicitly listed. Only file servers that meet
these criteria need to be explicitly configured. If a file server is not configured, Cisco WAAS
attempts to discover the file server automatically based on interactive user access and user
requests. If a file server is configured, verify that the box in the experted column is checked. If
this box is not checked, even if Cisco WAAS is operating in transparent acceleration mode, no
acceleration will be applied for CIFS connections to that server.
Verify that each of the edge WAEs that should connect to the defined core cluster is assigned
to the connectivity directive. If a connectivity directive is not defined, or an edge-core pair is
not configured, the WAEs are not able to perform CIFS acceleration. Instead, only DRE/TFO/LZ
optimization is applied, based on the configured policy.
Verify that WAN bandwidth parameters are also set correctly. The WAEs use these values to
calculate the bandwidth delay product (BDP) of the network and open a variable number of
connections based on the network BDP. The bandwidth setting also helps to throttle the amount
of physical WAN bandwidth that can be consumed by the long-lived connection between the
edge-core WAEs. The edge-core connection is throttled to a maximum of 150 percent of the
configured bandwidth value. This throttling also applies to preposition jobs that use the
edge-core pair.

Verify WAFS Connections


Verify that the peer is connected and messages are being exchanged
WAFS transport connections will appear in TFO connection list, one will always be pass-through

EDGE1# show tfo connection summary

Optimized Connection List
Policy summary order: Our's, Peer's, Negotiated, Applied
F: Full optimization, D: DRE only, L: LZ Compression, T: TCP Optimization

Local-IP:Port     Remote-IP:Port    ConId   PeerId              Policy
1.1.1.2:28213     2.2.2.2:4050      7361    00:14:5e:41:eb:78   F,F,F,F
1.1.1.2:28214     2.2.2.2:4050      7362    00:14:5e:41:eb:78   F,F,F,F
1.1.1.2:35539     2.2.2.2:4050      7364    00:14:5e:41:eb:78   F,F,F,F

Pass-Through Connections
Local-IP:Port     Remote-IP:Port    Conn Type
1.1.1.2:48361     2.2.2.2:4050      App Dyn Mtch Optimized

After verifying service configuration and connectivity directive configuration, verify that the
long-lived connections on TCP-4050 are established between the edge-core pairs. This can be
accomplished by using the command show tfo connection summary. The output of this
command should show a number of connections established between edge-core pairs. One
connection always appears as pass-through, because this connection is used for high-priority
control messages where compression serves only to slow the message exchange down.
If these connections do not appear, check the service on each of the WAEs, along with the
service configuration, core cluster, and connectivity directive. If the configuration is correct,
and these connections still do not appear, verify network connectivity and ensure that nothing is
blocking use of TCP port 4050. As a last resort, try restarting the WAFS Edge and WAFS Core
services, followed by clearing the data redundancy elimination (DRE) cache, which restarts the
TCP proxy.

Examining Accelerated CIFS Servers


Bypass list built with accept entries based on CIFS servers configured for acceleration:
File servers listed in bypass list are accelerated (listed with accept entries)
Should have accept entries that match the WAFS Edge WAE port configuration (TCP 139, TCP 445)
Command will only produce the desired output on the WAFS Edge WAE

edge-wae# sh bypass list

Client          Server              Entry type
------          ------              ----------
any-client:0    10.10.10.100:139    accept
any-client:0    10.10.10.100:445    accept


The WAE CLI includes a command that allows the administrator to view which file servers are
being CIFS accelerated. The output of this command lists any servers that are statically defined
and included in a connectivity directive that is applied to the local WAE, and also any file
servers that have been automatically discovered during interactive user access. This command
only produces these results on a WAE that is running the WAFS Edge service. A WAE that is
only running the WAFS Core service, or neither service, will not return any entries.
If the list is empty, a service is not configured or not configured properly, a connectivity
directive is not in place, or the long-lived CIFS acceleration connection could not be established
between the edge-core WAEs.

Validating Client Connectivity


This topic explains how to examine the client, server, and Cisco WAEs to verify client
connectivity to a file server, as well as verify that acceleration is being applied.

Existing CIFS Sessions


When configuring CIFS acceleration, WAEs optimize any new CIFS session that is seen.
Any preexisting session will be handled as pass-through:
Done as a safety measure to ensure that cached contents are not served to unauthorized users
Ensures that optimizations are not applied to a connection when unsafe to do so
To accelerate pre-existing CIFS sessions, they will need to be broken and reestablished:
Disable and re-enable the client network adapter
Disconnect from the file server


Cisco WAAS does not accelerate any CIFS session that was established before CIFS
acceleration was configured, or before interception of packets began.
This is by design, and performed as a safety measure to ensure that cached contents are not
served to unauthorized users. This is also done to ensure that optimizations are not employed
on a connection when it is not safe to employ optimization. Cisco WAAS dynamically adjusts
the level of optimization employed based on data seen within the connection between the client
and the server. If the WAE has no visibility to this data, as is the case when the connection
existed before CIFS acceleration was configured or before interception was configured, Cisco
WAAS does not understand the state of the session and thus can not perform any acceleration.
To have CIFS acceleration applied against a connection, when that connection pre-existed
before CIFS acceleration was configured or interception was enabled, the session must be
broken and re-established.

Examining CIFS Sessions on the Server


Current CIFS sessions can be examined from the
Microsoft MMC.


The Microsoft Management Console (MMC) snap-in, or Computer Management, can be used to
examine the sessions that exist on a file server or on a PC. If the data in the Computer field
shows the IP address of the Core WAE, the session is being accelerated by Cisco WAAS. If the
data in the Computer field shows anything other than the IP address of the Core WAE, one of
the following situations is possible:

CIFS acceleration is not configured properly.

The session is long-lived and not being accelerated by WAAS.

The session is being accelerated by WAAS, but the Core WAE is using CIFS over
NetBIOS to connect to the file server.

If the situation being encountered is the last one in the list, the operations found in the Edge
WAE expert mode can be used to determine if the user is being CIFS-accelerated.

Verify Client Connectivity


Examine the browse list for the current workgroup or domain. Ensure that the server is visible and can be reached.

C:\Documents and Settings\Administrator> net view
Server Name            Remark
-------------------------------------------------------------------------------
\\SERVER
The command completed successfully.

Examine the list of currently used network resources: current drive mappings, printer mappings, named pipe mappings, local identifier, and status.

C:\Documents and Settings\Administrator> net use
New connections will be remembered.

Status        Local     Remote                    Network
-------------------------------------------------------------------------------
Disconnected  Z:        \\10.10.10.100\share      Microsoft Windows Network
The command completed successfully.

The net command can be used for a variety of purposes, including establishing CIFS sessions
and drive mappings to a server. The net view command displays a list of devices in the local
network, based on the browse list. This command can be used against a server to display the list
of shared resources that are available on that particular server.
The net use command allows for management of sessions. Using this command, the user can
establish a session to another PC, map a drive on another PC, or delete an existing session.
If you are unable to view a list of servers with shared resources, verify network connectivity
and ensure that the servers are configured properly. If you are unable to view the shared
resources on a particular server, verify network connectivity, server configuration, security
settings, as well as the credentials being supplied.
Note

If credentials are not supplied while using a net use command, the credentials of the
logged-in user are used. If the logged-in user has no privileges on the server, the net use
command can be used to establish a session to the server using alternate credentials.

Verify Client Connectivity (Cont.)


Examine shared resources available on a network node:

C:\Documents and Settings\Administrator> net view \\server
Shared resources at \\server

Share name   Type   Used as   Comment
-------------------------------------------------------------------------------
Address      Disk             "Access to address objects"
backup       Disk
NETLOGON     Disk             Logon server share
SERVER.LOG   Disk             Exchange message tracking logs
share        Disk
SYSVOL       Disk             Logon server share
The command completed successfully.

Establish a session to the node and map the shared resource to a local drive letter:

C:\Documents and Settings\Administrator> net use Z: \\server\share
The command completed successfully.

The figure shows an example of using the net view command to view the list of shared
resources available on a server. The net use command can then be used to map a drive to a
shared resource.

CIFS Acceleration and SMB Signing


System error 64 is returned when SMB signing is required by a file server:

C:\> net use Y: \\server\share
System error 64 has occurred.

The specified network name is no longer available.

SMB signing, also known as digital signatures, is a signature applied to an SMB message to
validate the authenticity of the sender.
Cisco WAAS can not provide CIFS acceleration when SMB signing is enabled:
Disable digital signatures on the server to leverage CIFS acceleration, or
Leave digital signatures enabled and ensure the server is not configured in the Central Manager

Some operating systems, such as Microsoft Windows Server 2003 with Service Pack 1, are
configured, by default, to use digital signatures for Server Message Block (SMB)
communications. Digital signatures are a security feature included with Windows that
helps to validate that a received message actually came from the sender, preventing
man-in-the-middle attacks. Cisco WAAS will, by default, override digital signature message markings
if digital signatures are set to optional, but not required. If digital signatures are set to required,
Cisco WAAS cannot employ CIFS acceleration capabilities against that particular server.
Using CIFS acceleration with such a server requires that digital signatures be set to optional or
disabled. Any server configured with digital signatures can still be optimized with
DRE/TFO/LZ, based on the configured CIFS policy.

Which Clients are CIFS Accelerated?

Examine the CIFS session database


The Cisco WAE expert mode is a hidden interface that can be used to verify which clients are
being CIFS accelerated. The expert mode is not a documented interface and should only be
used when working with documented parameters, such as those found in this training, or when
working with Cisco support personnel.
Note

Care should be taken when using expert mode, as its contents directly impact services
running on the WAE.

Expert mode can be accessed by navigating to https://<ipaddress_of_wae>:8443/mgr/expert.


After logging into the expert mode on the edge WAE, navigate to Rx > CifsSessionDB >
Attributes > TotalSessionCount. This number reflects the number of sessions being CIFS
accelerated.
Note

Rx is displayed in the table of contents when you are on a WAE configured with the WAFS
Edge service. Tx is displayed in the table of contents when you are on a WAE configured
with the WAFS Core service. Verifying clients that are CIFS accelerated must be done from
a WAFS Edge WAE, and can not be done from a WAFS Core WAE.

Which Clients are Accelerated? (Cont.)

Query all active CIFS sessions and display results
Each accelerated CIFS session will appear in the resultant output


You can also click the Operations tab, followed by the Invoke button next to queryAll, to
display a list of sessions that are being CIFS accelerated by this WAFS Edge WAE.

Which Files are CIFS Accelerated?

Examine CIFS file system database


The WAFS Edge WAE expert mode can also display the files that are being CIFS accelerated.
Navigate to Rx > CifsFileSystemDB.

Which Files are CIFS Accelerated? (Cont.)


Examine which files are
being accelerated by
WAAS


Under the Operations tab, click the Invoke button next to query. This returns a list that includes
the server name, path, and file name of all files that are open with CIFS acceleration being
applied to them. The optimization level describes the level of optimization being applied to the
file; a higher number indicates a broader set of optimizations are being applied. The remainder
of data within each entry lists information relevant to the session, the user, and flags set within
the session.

Statistics, Health Indicators, and Logs


This topic explains how to examine liveliness and reporting data relative to the CIFS
acceleration component of Cisco WAAS.

System Health Indicators and Logs


Check disk drive status through the CLI for failed drives or indications that a drive is failing

EDGE1# show disks details
Physical disk information:
disk00: Normal    (h00 c00 i00 l00 - DAS)    76324MB( 74.5GB)
disk01: Normal    (h01 c00 i00 l00 - DAS)    76324MB( 74.5GB)

Software RAID devices:
DEVICE NAME   TYPE     STATUS             PHYSICAL DEVICES AND STATUS
/dev/md0      RAID-1   NORMAL OPERATION   disk00/00[GOOD]  disk01/00[GOOD]
/dev/md1      RAID-1   NORMAL OPERATION   disk00/01[GOOD]  disk01/01[GOOD]
/dev/md2      RAID-1   NORMAL OPERATION   disk00/02[GOOD]  disk01/02[GOOD]
/dev/md3      RAID-1   NORMAL OPERATION   disk00/03[GOOD]  disk01/03[GOOD]
/dev/md4      RAID-1   REBUILDING         disk00/04[GOOD]  disk01/04[GOOD]
/dev/md5      RAID-1   REBUILDING         disk00/05[GOOD]  disk01/05[GOOD]
/dev/md6      RAID-1   REBUILDING         disk00/06[GOOD]  disk01/06[GOOD]

EDGE1#


The first system health indicator to examine when troubleshooting system problems,
particularly those related to acceleration, is the health of the disks in the WAE. The output of
the show disks details command shows whether the installed disks are recognized and whether
the redundant array of inexpensive disks (RAID) devices (software RAID-1) are healthy or
unhealthy. If a disk fails to appear, or appears failed, the drive might require replacement.

Health Indicators and Logs (Cont.)


Check for failed sectors on any of the disks installed in the WAE:

EDGE1# show disks failed-sectors disk00
disk00
=========
(none)

Examine the disk self-monitoring and reporting data:

FE-511# show disks SMART-info
=== disk00 ===
=== START OF INFORMATION SECTION ===
Device Model:     Maxtor 6Y080M0
Serial Number:    Y21T4NCC
Firmware Version: YAR511W0
Device is:        In smartctl database [for details use: -P show]
ATA Version is:   7
ATA Standard is:  ATA/ATAPI-7 T13 1532D revision 0
Local Time is:    Thu Mar 30 22:49:50 2006 CST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED
EDGE1#

The show disks failed-sectors and show disks SMART-info commands allow you to examine
additional data about the disks, including a report that displays any failed sectors found on the
disk, and the results of the disk self-assessment. If the SMART test results fail, the drive
requires replacement.

CIFS Acceleration Service Log


Service status changes are logged in the /logs/actona directory:
RxLogging.log for the WAFS Edge Service
TxLogging.log for the WAFS Core Service

Examine the WAFS Edge service log:

EDGE1# pwd
/local1
EDGE1# cd logs/actona
EDGE1# type-tail RxLogging.log
[2006-04-05 09:03:45,799][ WARN] - There are no sessions to be started or ports to bind to.
[2006-04-05 09:03:45,903][ INFO] - Edge File Engine has started successfully.
[2006-04-05 09:07:56,134][ERROR] WINS server registration error
[2006-04-05 09:07:58,144][ERROR] WINS server registration error
[2006-04-05 09:08:00,154][ERROR] WINS server registration error
[2006-04-05 09:08:02,164][ERROR] WINS server registration error
[2006-04-05 09:08:04,174][ERROR] WINS server registration error
[2006-04-05 09:20:34,442][ WARN] Invalid file server 255.255.255.255
[2006-04-05 09:20:34,629][ WARN] Invalid file server 255.255.255.255
[2006-04-05 09:34:32,194][ INFO] CIFS port 445 successfully enabled
EDGE-FE#


The CIFS acceleration service log (also referred to as the WAFS Edge service log and WAFS
Core service log) can be found in the /local1/logs/actona directory on the WAE's file system.
This log file (RxLogging.log for the WAFS Edge service and TxLogging.log for the WAFS
Core service) contains logging, reporting, and error data for the service. Events that are
logged include service starts and stops, configuration changes, and error conditions. These
logs are helpful when trying to isolate problematic situations with CIFS acceleration.

CIFS Acceleration Service Log (Cont.)


The CIFS acceleration service log also displays entries pertaining to the state of WAFS
connections between Edge and Core peer WAEs

EDGE1# cd logs/actona
EDGE1# type-tail RxLogging.log 10
[2005-09-20 14:33:07,281][ INFO] - The connection of session:
[SessionImpl: id=1551958072, clusterId=13, clusterName=ast6-fe05,
inetAddress=/10.88.80.15, port=4050, initiator=true, state=3] has been
lost.
[2005-09-20 14:33:27,562][ INFO] - Unable to reconnect session to
[SessionImpl: id=1551958072, clusterId=13, clusterName=ast6-fe05,
inetAddress=/10.88.80.15, port=4050, initiator=true, state=3].
[2005-09-20 14:33:27,569][ INFO] - The session: [SessionImpl:
id=1551958072, clusterId=13, clusterName=ast6-fe05,
inetAddress=/10.88.80.15, port=4050, initiator=true, state=-1] has been
closed.
EDGE1#


The same log file also displays events related to the connections established between edge and
core WAEs. As shown in the figure, the connections established between WAEs are logged in
this log file. Session close events are also logged in this log file.
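
The session entries in this log can be turned into a per-peer outage report. The following is an added example, not part of the course material: it joins the wrapped lines of RxLogging.log, extracts the SessionImpl attributes, and lists Core peers whose latest event is a failed reconnect or a close. The sample text is copied from the figure above; the function names are assumptions, and the state values are reported as logged without interpretation.

```python
import re
from datetime import datetime

# Entries copied from the figure above, including its line wraps.
SAMPLE_LOG = """\
[2005-09-20 14:33:07,281][ INFO] - The connection of session:
[SessionImpl: id=1551958072, clusterId=13, clusterName=ast6-fe05,
inetAddress=/10.88.80.15, port=4050, initiator=true, state=3] has been
lost.
[2005-09-20 14:33:27,562][ INFO] - Unable to reconnect session to
[SessionImpl: id=1551958072, clusterId=13, clusterName=ast6-fe05,
inetAddress=/10.88.80.15, port=4050, initiator=true, state=3].
[2005-09-20 14:33:27,569][ INFO] - The session: [SessionImpl:
id=1551958072, clusterId=13, clusterName=ast6-fe05,
inetAddress=/10.88.80.15, port=4050, initiator=true, state=-1] has been
closed.
"""

# A new entry starts with "[timestamp][LEVEL]"; anything else is a wrapped line.
ENTRY_START = re.compile(
    r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\]\[\s*(\w+)\]\s*-?\s*(.*)$"
)
SESSION_BLOCK = re.compile(r"\[SessionImpl:\s*([^\]]*)\]")
KEY_VALUE = re.compile(r"(\w+)=([^,\s]+)")
EVENTS = (
    ("has been lost", "lost"),
    ("Unable to reconnect", "reconnect_failed"),
    ("has been closed", "closed"),
)


def parse_entries(text):
    """Join wrapped lines and return one dict per log entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY_START.match(line)
        if match:
            entries.append({
                "time": datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S,%f"),
                "level": match.group(2),
                "message": match.group(3),
            })
        elif entries:
            entries[-1]["message"] += " " + line
    return entries


def session_events(entries):
    """Return (time, peer, event, state) for entries about an edge-core session."""
    events = []
    for entry in entries:
        block = SESSION_BLOCK.search(entry["message"])
        event = next((name for text, name in EVENTS if text in entry["message"]), None)
        if block is None or event is None:
            continue
        attrs = dict(KEY_VALUE.findall(block.group(1)))
        peer = (attrs.get("clusterName"),
                attrs.get("inetAddress", "").lstrip("/"),
                int(attrs.get("port", 0)))
        events.append((entry["time"], peer, event, int(attrs.get("state", 0))))
    return events


def dropped_peers(entries):
    """Report peers whose latest event is a failed reconnect or a close."""
    history = {}
    for when, peer, event, state in session_events(entries):
        history.setdefault(peer, []).append((when, event, state))
    report = []
    for peer, events in history.items():
        events.sort()
        last_when, last_event, last_state = events[-1]
        if last_event not in ("reconnect_failed", "closed"):
            continue
        lost_at = next((w for w, ev, _ in reversed(events) if ev == "lost"), None)
        report.append({
            "cluster": peer[0], "core_ip": peer[1], "port": peer[2],
            "last_event": last_event, "last_state": last_state, "lost_at": lost_at,
            "seconds_since_lost":
                (last_when - lost_at).total_seconds() if lost_at else None,
        })
    return report


if __name__ == "__main__":
    for row in dropped_peers(parse_entries(SAMPLE_LOG)):
        print(row)
```

A peer listed by dropped_peers is a candidate for the TCP 4050 connectivity and WAFS Core service checks described earlier in this lesson.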

Troubleshooting Print Services


This topic explains how to validate print services configuration and troubleshoot problems
related to printing, job control, and driver distribution.

Print Services Components


[Figure: print services components. Callouts: print driver upload to Central Manager WAE as driver repository; WAFS Edge service configured and running; print service enabled and running, printer queues defined; print driver distribution from Central Manager WAE to print server WAEs via FTP.]

Using print services on Cisco WAAS requires that a number of items be properly configured:

WAFS Edge service must be configured on the WAE that is acting as a print server.

The print server must be started on the WAE.

The printer queue must be defined on the print server WAE.

Drivers should be distributed to the WAE print server from the Central Manager (optional).

Verify Print Services are Running

Verify that print services and WAFS Edge services are running on the WAE:

EDGE1# show print-services process
Print server is running.
Print spooler is running.
...

Print services requires that the WAFS Edge service be running on the WAE. First, verify that
the service is configured and running by visiting the appropriate pages in the Central Manager
as well as the device GUI. Next, navigate to and verify that the checkbox next to is checked.
The WAE CLI can also be used to verify that print services are running by executing the show
print-services process command. The output of this command, which is also discussed in the
next section, shows the status of the print server, status of the print spooler, status of the print
scheduler, default print queue, configured print queues, and the state of each of the print
queues.

Verify Print Queues are Defined

Device URI compatible with each printer provided by the manufacturer
Verify that print queues are enabled and accepting requests

EDGE1# show print-services process
...
-------------- Print Spooler Status ---------------
scheduler is running
system default destination: HP_Laserjet_500
device for HP_Laserjet_4000: socket://laserjet4000:9100
device for HP_Laserjet_500: socket://laserjet500:9100
HP_Laserjet_4000 accepting requests
HP_Laserjet_500 accepting requests
printer HP_Laserjet_4000 is idle. enabled
printer HP_Laserjet_500 is idle. enabled

By clicking the open link on the print services page in the device GUI (WAFS Edge >
Configuration > Print Services), you can configure and manage all print queues, print queue
clusters, and jobs. Validate that each configured print queue is idle and accepting jobs, or
otherwise in use, and that the device Universal Resource Identifiers (URIs) are correct. In many
cases, telnet can be used to establish a connection to the device on the specified URI port to
validate that network connectivity between the print server WAE and the printer is available.
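
The queue checks described above can be scripted. This added example (not part of the course material) parses the spooler status lines, reports queues that are not accepting or not enabled, and includes a TCP connect test equivalent to the telnet check; the function names and the two failure-state lines in the sample are assumptions.

```python
import re
import socket
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample based on the spooler status shown above; the two
# HP_Laserjet_500 failure lines are assumed wording, not captured output.
SAMPLE = """\
scheduler is running
device for HP_Laserjet_4000: socket://laserjet4000:9100
device for HP_Laserjet_500: socket://laserjet500:9100
HP_Laserjet_4000 accepting requests
HP_Laserjet_500 not accepting requests
printer HP_Laserjet_4000 is idle. enabled
printer HP_Laserjet_500 disabled
"""

def parse_spooler_status(text):
    """Return (scheduler_running, {queue: {"uri", "accepting", "enabled"}})."""
    running = False
    queues = defaultdict(lambda: {"uri": None, "accepting": False, "enabled": False})
    for line in map(str.strip, text.splitlines()):
        if line == "scheduler is running":
            running = True
        elif m := re.fullmatch(r"device for (\S+): (\S+)", line):
            queues[m[1]]["uri"] = m[2]
        elif m := re.fullmatch(r"(\S+) accepting requests", line):
            queues[m[1]]["accepting"] = True
        elif m := re.match(r"printer (\S+) .*\benabled\b", line):
            queues[m[1]]["enabled"] = True
    return running, dict(queues)

def queue_findings(text):
    """List the conditions that would stop jobs from reaching a printer."""
    running, queues = parse_spooler_status(text)
    findings = [] if running else ["scheduler is not running"]
    for name, info in sorted(queues.items()):
        uri = urlsplit(info["uri"] or "")
        if not (uri.hostname and uri.port):
            findings.append(f"{name}: device URI has no host:port")
        findings += [f"{name}: not {k}" for k in ("accepting", "enabled") if not info[k]]
    return findings

def port_open(host, port, timeout=3.0):  # scripted form of the telnet check
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        return True
    except OSError:
        return False
```

Run port_open from a host adjacent to the print server WAE so that the result reflects the same network path the print jobs take.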


Verify Driver Repository Configured

Ensure that driver repository services are enabled and drivers are uploaded. Verify by FTPing to the Central Manager WAE.

To verify that the appropriate drivers are copied to a WAE print server, first validate that the
WAAS Central Manager is configured as a print driver repository and that the appropriate
drivers are uploaded to the CM.


Verify Driver Repository Connectivity


C:\Documents and Settings\Administrator.PEAP> ftp 10.10.10.10
Connected to 10.10.10.10.
220 CM1 FTP server (Version wu-2.7.0(1) Sat Jan 13 21:43:16 PST 2007) ready.
User (10.10.10.10:(none)): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
ftp> ls
200 PORT command successful.
550 No files found.
ftp> ls -a
200 PORT command successful.
150 Opening ASCII mode data connection for directory listing.
.
..
logs
printers
system32
226 Transfer complete.
ftp: 33 bytes received in 0.08Seconds 0.42Kbytes/sec.

Verify that FTP is permitted to the Central Manager
Anonymous login
Printer drivers are stored in /printers

C:\Documents and Settings\Administrator>ftp 10.10.10.10
> ftp: connect :Connection timed out
ftp> quit
C:\Documents and Settings\Administrator>

Check print repository configuration, firewall rules, and access lists

After the WAAS Central Manager print driver repository and drivers have been verified, verify
network connectivity from a device adjacent to the print server WAE to the Central Manager by
using FTP. The Central Manager, while configured as a print driver repository, runs an FTP
service locally that accepts anonymous connections. When connected to the Central Manager
via FTP, the file system structure shows a variety of directories, including logs, printers, and
System32. The printers directory contains files for any drivers that have been uploaded to the
Central Manager WAE.

Note: Viewing files in the directories requires use of the dir command, or ls -la, as opposed to the ls command. The ls command reports that directories are empty.

If you are unable to FTP to the Central Manager, then either the print driver repository is not enabled, network connectivity is unavailable, or FTP is blocked by an access list or firewall policy in the network.


Troubleshooting Print Services

C:\> net view \\1.1.1.2
Shared resources at \\1.1.1.2
Samba 3.0.20

Share name        Type   Used as  Comment
-------------------------------------------------
HP_Laserjet_4000  Print           B/W only
HP_Laserjet_500   Print           Color
The command completed successfully.

Printer queues appear as shared resources when using the net view command against a print server WAE. Because the WAE uses guest printing, any user is able to connect to the WAE and attach to one of the print queues. The net use command can be used to map a shared printer, similar to how a shared drive is mapped.

To examine printer queues using Windows Explorer, go to Start > Run and type in the Universal Naming Convention (UNC) path to the WAE (that is, \\WAE1).

If net view, net use, or Windows Explorer fails to show the printer queues, verify that the services are properly configured and running, and that the printer queues are defined. Also, verify that both the print-services enable command and the print-services guest-print enable command appear in the running configuration.


Viewing the Samba Log


EDGE1(config)# smb-conf section global name "log level" value 3
=============== checking new config using testparm ===================
Load smb config files from /state/actona/conf/smb.conf
Processing section "[print$]"
Processing section "[printers]"
Loaded services file OK.
EDGE1(config)# end
EDGE1# pwd
/local1
EDGE1# cd /local1/errorlog
EDGE1#pwd
/local1/errorlog
EDGE1# type-tail samba.log follow
[2006/04/05 11:03:11, 3] libsmb/cliconnect.c:cli_session_setup_spnego(740)
got principal=ast6-fs03$@ASDCNP-WAAS.CISCO.COM
[2006/04/05 11:03:13, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
Kinit failed: Clock skew too great


Each Cisco WAE that is configured as a print server also maintains two logs for print services: the Samba log and the Common Unix Printing System (CUPS) log.

The samba.log file found in /local1/errorlog provides useful debugging information related to the Samba print process.


Viewing the CUPS Log


EDGE1# type-tail cups_error_log
I [06/Apr/2006:17:58:32 +0000] Job 7 queued on 'xrx_m20_256' by admin'.
I [06/Apr/2006:17:58:32 +0000] Job 8 queued on 'xrx_m20_256' by user1'.
I [06/Apr/2006:17:58:33 +0000] Job 9 queued on 'xrx_m20_256' by user2'.
I [06/Apr/2006:17:58:37 +0000] Started "/usr/lib/cups/cgi-bin/jobs.cgi" (pid=22305)
I [06/Apr/2006:17:58:41 +0000] Started "/usr/lib/cups/cgi-bin/jobs.cgi" (pid=22310)
E [06/Apr/2006:17:58:41 +0000] hold_job: "" not authorized to hold job id 3 owned by user1"!
E [06/Apr/2006:18:00:09 +0000] [Job 3] Unable to connect to printer: Connection timed out
E [06/Apr/2006:18:03:48 +0000] [Job 3] Unable to connect to printer: Connection timed out
E [06/Apr/2006:18:07:27 +0000] [Job 3] Unable to connect to printer: Connection timed out
EDGE1#

The CUPS log provides insight into the jobs that have been received and processed by the print server WAE. This log also helps to highlight any issues associated with connecting to a particular printer, which could be helpful in identifying network connectivity issues or device URI configuration issues.

The CUPS log can also be found in the /local1/errorlog directory under the file name cups_error_log. Any entries that begin with an I are merely informational, whereas entries that begin with an E are errors that have been identified.
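
As an added example (not from the course material), this Python code separates the I and E entries of cups_error_log and flags jobs that repeatedly fail to reach their printer. The sample lines are constructed from the listing above; the function names and the three-failure threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample adapted from the cups_error_log listing above
# (wrapped lines joined, quoting normalized).
SAMPLE = """\
I [06/Apr/2006:17:58:32 +0000] Job 8 queued on 'xrx_m20_256' by 'user1'.
I [06/Apr/2006:17:58:37 +0000] Started "/usr/lib/cups/cgi-bin/jobs.cgi" (pid=22305)
E [06/Apr/2006:17:58:41 +0000] hold_job: "" not authorized to hold job id 3 owned by "user1"!
E [06/Apr/2006:18:00:09 +0000] [Job 3] Unable to connect to printer: Connection timed out
E [06/Apr/2006:18:03:48 +0000] [Job 3] Unable to connect to printer: Connection timed out
E [06/Apr/2006:18:07:27 +0000] [Job 3] Unable to connect to printer: Connection timed out
"""

LINE = re.compile(r"^([A-Za-z]) \[([^\]]+)\] (.*)$")
JOB = re.compile(r"\[Job (\d+)\]")

def parse_cups_log(text):
    """Yield (level, timestamp, message) for each well-formed log line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z")
            yield m[1], ts, m[3]

def stuck_jobs(text, min_failures=3):
    """Jobs with repeated printer connection errors: {job: (count, first, last)}."""
    seen = {}
    for level, ts, msg in parse_cups_log(text):
        job = JOB.search(msg)
        if level == "E" and job and "Unable to connect to printer" in msg:
            count, first, _ = seen.get(job[1], (0, ts, ts))
            seen[job[1]] = (count + 1, first, ts)
    return {j: v for j, v in seen.items() if v[0] >= min_failures}

def level_counts(text):
    """Count entries per severity letter (I = informational, E = error)."""
    return Counter(level for level, _, _ in parse_cups_log(text))
```

A job that stays in stuck_jobs across several minutes points to the device URI or the network path to the printer, which are the two causes the CUPS log is used to separate.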


Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
CIFS acceleration services are configured and operational on the WAFS Edge WAEs and WAFS Core Clusters.
Correct policies are defined in Central Manager and propagated to each WAE for the CIFS protocol and WAFS transport protocol.
WAE expert mode provides a detailed view of which clients are accelerated and which files are open through the accelerated CIFS connections.
Service logs provide insight into issues with CIFS acceleration services and connectivity between WAEs.
SAMBA and CUPS print service logs on the WAFS Edge server provide detailed data about job management and printer connectivity.


Module Summary
This topic summarizes the key points that were discussed in this module.

Module Summary
The first step in troubleshooting Cisco WAAS is to validate platform liveliness, including management services, examine common issues, and understand system log files and locations.
Network interception configuration should be examined to ensure that traffic is being correctly redirected for both directions of traffic flow.
Troubleshooting automatic discovery involves the WAE CLI as well as packet capture tools.
Troubleshooting optimization issues involves examination of networking aspects as well as configured policy for devices in the network path of the connection.
Troubleshooting acceleration services, such as CIFS and print, involves examination of service configuration, directives, and health indicators, as well as information that can be examined from the WAE CLI and the server.

This module described how to troubleshoot Cisco Wide Area Application Services
installations, including platform and network connectivity issues, network interception issues,
WAN optimization issues, and application acceleration issues.


Module Self-Check
Use the questions here to review what you learned in this module. The correct answers and
solutions are found in the Module Self-Check Answer Key.
Q1) Which common issue can cause poor performance when the system seems to be operating correctly? (Source: Common Issues)
A) Network interception
B) Configured policy
C) Central Manager
D) Duplex

Q2) Which common issue can lead to TCP connections becoming blackholed? (Source: Common Issues)
A) Network interception
B) Configured policy
C) Central Manager
D) Duplex

Q3) Which command on an Integrated Services Router will validate that a NME-WAE is properly inserted and recognized by IOS? (Source: Platform Liveliness and Connectivity)
A) show NME-WAE
B) show hardware
C) show portcard
D) show system

Q4) Which command shows the status of the CMS services on a WAE? (Source: Troubleshooting Cisco WAAS Management Services)
A) show management
B) show central manager
C) show lcm
D) show cms info

Q5) Which of the following is included in the WAE system report? (Source: Cisco WAE Reporting Facilities)
A) Device configuration
B) Log files
C) Service logs
D) Platform data
E) All of the above

Q6) Which is the root directory for all management and log files? (Source: Cisco WAE Reporting Facilities)
A) /mgmt
B) /local
C) /local1
D) /local1/mgmt

Q7) Which command shows the number of WCCP packets received that are GRE encapsulated? (Source: Troubleshooting WCCPv2 Interception)
A) show wccp packets
B) show wccp gre
C) show ip wccp packets
D) show ip wccp gre

Q8) Which PBR component defines the type of traffic that should be routed via the route map? (Source: Troubleshooting PBR Interception)
A) route map
B) access list
C) next hop
D) source address

Q9) With inline interception, what will the show cdp neighbors command on one of the two adjacent devices show? (Source: Troubleshooting Inline Interception)
A) WAE inline group MAC address
B) WAE LAN inline port MAC address
C) WAE WAN inline port MAC address
D) Neighbor device MAC address

Q10) With ACE, which command provides a summary view of the rservers and their operational state within a serverfarm? (Source: Troubleshooting ACE Interception)
A) show rserver
B) show serverfarm
C) show detail rservers
D) show summary serverfarm

Q11) Which two of the following tools can be used on the WAE to capture packets for the purposes of troubleshooting issues such as automatic discovery? (Choose 2.) (Source: Troubleshooting Automatic Discovery)
A) Ifdump
B) tethereal
C) tcpdump
D) capture-tool

Q12) With automatic discovery, if one WAE is configured for FULL_OPTIMIZE and the other is configured for TCP_OPTIMIZE, what policy will be negotiated? (Source: Configured and Applied Policies)
A) TCP_OPTIMIZE
B) TCP_OPTIMIZE + LZ
C) TCP_OPTIMIZE + DRE + LZ
D) PASS_THROUGH

Q13) With TFO accelerator status, what does a handling level of zero indicate? (Source: Configured and Applied Policies)
A) Accelerator is not configured, failed, or overloaded
B) Accelerator is ready to receive workload
C) Accelerator is not configured on the peer
D) Automatic discovery has failed

Q14) When viewing an optimized connection in the WAE CLI, what optimization feature will cause the encode and decode values to change? (Source: Examining Optimized Connections)
A) TFO
B) LZ
C) DRE
D) None

Q15) When examining a TFO transaction log, what does the string BP indicate about a connection? (Source: TFO Transaction Logs)
A) The connection is TCP-optimized only.
B) The connection is configured for TFO and LZ compression only.
C) The connection is configured for full optimization.
D) The connection is passed through.
E) The connection is optimized by an accelerator.

Q16) What command is used to examine the DRE disk and memory capacity and utilization? (Source: Compression Statistics)
A) show statistics compression
B) show statistics dre
C) show statistics dre compression
D) show statistics dre connection

Q17) Which policy is responsible for routing traffic to the CIFS accelerator? (Source: CIFS Acceleration Policies and Services)
A) WAFS
B) CIFS
C) WAFS Transport
D) TCP139

Q18) Which policy is responsible for WAN optimizing a cache miss when working with a CIFS file server? (Source: CIFS Acceleration Policies and Services)
A) WAFS
B) CIFS
C) WAFS Transport
D) TCP445

Q19) What command shows the list of CIFS-accelerated servers in the WAE CLI? (Source: CIFS Configuration and Directives)
A) show bypass-list
B) show cifs servers
C) show bypass-cifs
D) show servers cifs

Q20) What industry-standard utility can be used to verify that drivers exist in the Central Manager printer driver repository? (Source: Print Services Troubleshooting)
A) TCP
B) FTP
C) DNS
D) WINS

Module Self-Check Answer Key


Q1)

Q2)

Q3)

Q4)

Q5)

Q6)

Q7)

Q8)

Q9)

Q10)

Q11)

B,C

Q12)

Q13)

Q14)

Q15)

Q16)

Q17)

Q18)

Q19)

Q20)
