Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
3 and Later
Welcome to Cisco DocWiki. We encourage registered Cisco.com users to contribute to this wiki to collaborate on Cisco product documentation. You do not
need to log in to read the text. However, you must log in to edit the text. Select the "edit" tab to edit an article or select the "discussion" tab to submit questions
or comments about documentation content.
See Terms of Use and About DocWiki for more information about Cisco DocWiki.
Contents
1 Audience
2 Organization
3 Creating a PDF of the WAAS
Troubleshooting Wiki
4 Related Documentation
This guide provides a systematic approach to identifying and remedying problems that may arise as you use your WAAS system
over a period of time. This guide is not intended to replace configuration best practices or to be an all-inclusive guide for every
application. Rather, it is an attempt to provide you with the knowledge and skills necessary to correct the most common issues that
you may encounter.
This guide applies to WAAS version 4.1.3 and later releases.
Audience
This article is intended for trained network administrators who have experience with the configuration and maintenance of the
WAAS system.
Organization
This article consists of the following major sections:
Understanding the WAAS Architecture and Traffic Flow
Preliminary WAAS Troubleshooting
Troubleshooting Optimization
Troubleshooting Application Acceleration
Troubleshooting the CIFS AO
Troubleshooting the HTTP AO
Troubleshooting the EPM AO
Troubleshooting the MAPI AO
Troubleshooting the NFS AO
Contents
Related Documentation
Release Notes for Cisco Wide Area Application Services
Cisco Wide Area Application Services Quick Configuration Guide
Cisco Wide Area Application Services Configuration Guide
Cisco Wide Area Application Services vWAAS Installation and Configuration Guide
Cisco Wide Area Application Services Command Reference
Cisco Wide Area Application Services Upgrade Guide
Cisco Wide Area Application Services API Reference
Cisco Wide Area Application Services Monitoring Guide
Using the Print Utilities to Troubleshoot and Fix Samba Driver Installation Problems
Cisco WAAS Installation and Configuration Guide for Windows on a Virtual Blade
Cisco WAAS Installation and Configuration Guide for ACNS on a Virtual Blade
Cisco WAAS on Service Modules for Cisco Access Routers
Cisco SRE Service Module Configuration and Installation Guide
Configuring Cisco WAAS Network Modules for Cisco Access Routers
This article describes the WAAS architecture and how data flows into, gets processed, and flows out of a WAAS device. It
provides a basic understanding of these concepts to assist you in troubleshooting the WAAS system.
Guide Contents
Main Article
Understanding the WAAS Architecture and Traffic Flow
Preliminary WAAS Troubleshooting
Organization
Contents
1 Understanding the WAAS
Architecture
1.1 AOs
1.2 WoW and Virtual
Blades
1.3 Configuration
Management System
1.4 DRE with Scheduler
1.5 Storage
1.6 Network I/O
1.7 Interception & Flow
Management
1.7.1
Auto-Discovery
1.7.2 Policy
Engine
1.7.3
Filter-Bypass
2 WAAS Traffic Flow
Related Documentation
AOs
AOs (Application Optimizers, also known as Application Accelerators) are the application-specific software that optimizes certain
protocols at Layer 7 (beyond the generic Layer 4 optimizations). AOs may be viewed as the "applications" in the WAE system (in
an OS analogy). The generic AO acts as a catch-all for all traffic that has no protocol-specific AO and also functions as a delegate
if a protocol-specific AO decides to not apply optimization.
Storage
The storage system manages the system disks and the logical RAID volumes on systems that have multiple disks. Disk storage is
used for system software, the DRE cache, the CIFS cache, and virtual blade storage.
Network I/O
The network input/output component is responsible for all aspects that are related to handling data communication coming into or
going out from a WAE, including WAE to WAE communication and WAE to client/server communication.
Filter-Bypass
After interception, the filter-bypass module acts as the mediator between the policy engine and auto discovery. The filter-bypass
module tracks all optimized connections in a filtering table for the life of the connection. Additionally, it tracks pass-through
connections, but pass-through table entries are timed out after 3 seconds.
1. A SYN packet on a flow enters the system. This packet is routed to the filter-bypass module.
2. The filter-bypass module consults the policy engine on how the flow should be handled.
2a. The policy engine consults the configured and dynamically added policies, and based on the current operational status of the
AOs and SO-DRE, decides what the WAE could do for this flow: pass through, locally terminate, or optimize.
2b. The packet and the decision from the policy engine are then returned to the filter-bypass module.
3. The filter-bypass module acts on the policy engine decision in one of the following ways:
3a. Sends the packet out immediately (pass through).
3b. Sends the packet up for local termination by an AO.
3c. Sends the packet to the auto-discovery module for optimization.
If the filter-bypass module chooses option 3c, the packet is sent to the auto-discovery module. The auto-discovery module
Policy Engine
This article introduces the basic concepts, methodology, and general troubleshooting guidelines for problems that may occur when
you configure and use your WAAS system.
Guide Contents
Main Article
Understanding the WAAS Architecture and Traffic Flow
Preliminary WAAS Troubleshooting
Troubleshooting Optimization
Troubleshooting Application Acceleration
Troubleshooting the CIFS AO
Troubleshooting the HTTP AO
Troubleshooting the EPM AO
Troubleshooting the MAPI AO
Troubleshooting the NFS AO
Troubleshooting the SSL AO
Troubleshooting the Video AO
Troubleshooting the Generic AO
Troubleshooting Overload Conditions
Troubleshooting WCCP
Troubleshooting AppNav
Troubleshooting Disk and Hardware Problems
Troubleshooting Serial Inline Clusters
Troubleshooting vWAAS
Troubleshooting WAAS Express
Troubleshooting NAM Integration
Contents
1 Overview of the WAAS Troubleshooting Process
2 Verifying the WAAS Image
3 Enabling WAAS Logging
4 Running Diagnostics
5 Verifying the Physical Connectivity Between Peer WAAS Devices and to Application
Servers
6 Checking CPU Load
7 Gathering WAAS Troubleshooting Information
7.1 Rebooting the WAAS Device
7.2 Using show Commands
Contents
<--------
warning
<------------
notice
/local1/syslog.txt
To enable logging to the console, enter the following global configuration command:
wae(config)# logging console enable
NOTE: Setting the logging priority to a level lower than notice can be CPU intensive and can generate a large amount of output.
Use it judiciously and sparingly in a production environment.
The following directories are used by WAAS for log files:
Running Diagnostics
The WAAS Central Manager includes a built-in diagnostic tool that can help you troubleshoot many device problems, including
the following:
Network configuration
Interface configuration
Connectivity to hosts
WCCP configuration
Inline configuration
TFO configuration
WAFS configuration
We recommend that you run the diagnostic tool first before taking other troubleshooting actions. The tool reports on the status and
configuration of many system functions.
To run the diagnostic tool from the Central Manager, follow these steps:
1. From the WAAS Central Manager GUI navigation pane, choose My WAN > Manage Devices (or Manage Device
Groups).
2. Click the Edit icon next to the name of the device (or device group) for which you want to perform diagnostic tests.
3. In the navigation pane, choose Troubleshoot > Diagnostics Tests. The Diagnostic Tool window appears.
4. Check the check box next to each diagnostic test that you want to run, or check the top check box to run all tests.
5. Click Run.
6. View the test results in the lower part of the window. You may have to scroll the window to see all results.
For tests that fail, error messages describe the problem and provide recommended solutions. You can find error message
descriptions in the test command in the Cisco Wide Area Application Services Command Reference.
You can run the same diagnostic tests again and refresh the results by clicking the Refresh icon in the taskbar.
To print the results, click the Print icon in the taskbar.
To run the diagnostic tests from the CLI, use the test EXEC command.
ms
ms
ms
ms
ms
--- 10.1.1.2 ping statistics --5 packets transmitted, 5 received, 0% packet loss, time 3997ms
rtt min/avg/max/mdev = 79.274/80.538/83.904/1.793 ms
If a device is one hop away and you are unable to reach the device, then ping the intermediary gateway. If the gateway is not
reachable, enter the show ip routes command and check to make sure that the correct route is displayed. For example, enter:
wae# show ip routes
Destination
Gateway
---------------- ---------------10.10.10.1
0.0.0.0
10.43.62.4
0.0.0.0
10.43.62.0
0.0.0.0
10.10.10.0
0.0.0.0
0.0.0.0
10.43.62.1
Netmask
---------------255.255.255.255
255.255.255.255
255.255.255.192
255.255.255.0
0.0.0.0
Verifying the Physical Connectivity Between Peer WAAS Devices andto Application Servers
11
You may want to adjust the time period of the chart, since the default is Last Hour. To adjust the time period, click the Settings
icon in the task bar and choose a different Time Frame such as Last Day or Last Week.
It is common for a WAAS device to show spikes or even longer durations of high CPU utilization during high user activity
periods. When the CPU remains at a high CPU level for significantly long durations, further troubleshooting or resizing of the
device may be indicated.
copy tech-support {disk filename | ftp {hostname | ip-address} remotedirectory remotefilename | tftp {hostname | ip-address}
remotefilename}
For example, to copy the output of the command to a disk file on the local system, specify the command as follows:
12
A system report (sysreport) is a comprehensive report that you will need before you contact Cisco technical support. You can
generate a sysreport by running the copy sysreport command. The system report contains the output from many commands and
logs on the system, including show commands, network statistics, graphs, log contents, configuration settings, statistics, and so on.
It can take some time to generate a system report and it can be from 30 - 100 MB in size or larger. The system report contains
many more elements than are included in the copy tech-support command, and is generally needed when contacting Cisco
technical support.
Before generating a system report, use the test command to run the diagnostic tests so that this information is included in the
system report. When generating a system report on a Central Manager (or standby Central Manager), you should first make a
database backup by using the cms database backup command.
To generate a sysreport and store it to an FTP server, use this form of the command: copy sysreport ftp server-ip
When generating a system report, do not use any command options that limit the report to a specific time period, as this could
cause information even within that time period not to be included.
14
Using tethereal
For the full tethereal syntax, see tethereal in the Cisco Wide Area Application Services Command Reference.
Useful tethereal options are as follows:
-R read_filter: Filtering can be very useful. Use the same filtering syntax as you would use with Ethereal or Wireshark, so
you can use one of those tools to help you compose a filter. tethereal is also useful for file conversion and filtering of a
packet capture file that has already been captured (for example, from tcpdump).
-F output_filetype: The default filetype is a libpcap file; however, the following options are available:
libpcap - libpcap (tcpdump, Ethereal, etc.)
rh6_1libpcap - RedHat Linux 6.1 libpcap (tcpdump)
suse6_3libpcap - SuSE Linux 6.3 libpcap (tcpdump)
modlibpcap - modified libpcap (tcpdump)
nokialibpcap - Nokia libpcap (tcpdump)
lanalyzer - Novell LANalyzer
ngsniffer - Network Associates Sniffer (DOS-based)
snoop - Sun snoop
netmon1 - Microsoft Network Monitor 1.x
netmon2 - Microsoft Network Monitor 2.x
ngwsniffer_1_1 - Network Associates Sniffer (Windows-based) 1.1
ngwsniffer_2_0 - Network Associates Sniffer (Windows-based) 2.00x
nettl - HP-UX nettl trace
visual - Visual Networks traffic capture
5views - Accellent 5Views capture
niobserverv9 - Network Instruments Observer version 9
The following examples show various options used for filtering and conversion:
To convert from one file format to another, use a command similar to the following:
To use a read filter for the SYN flag, use a command similar to the following:
Note: The tethereal command has some usage caveats that you should be aware of:
A filter defined using the -R option is ignored when it is combined with the -w option (writing to a file) in WAAS 4.1.1
and 4.1.3. To filter captured traffic and write to a disk file, use -f option to specify a capture filter. This issue is resolved in
version 4.1.5.
When using the -a option to print heavy traffic to the screen, it can take significantly longer than the autostop duration to
display the information on the screen. Wait for the command to finish. Displaying output to the console can take
significantly longer than through telnet or SSH, so console display is not recommended.
When using the -f option with the "host" or "not host" filter expression, the wrong traffic may be captured with WCCP
GRE encapsulated or VLAN traffic. With WCCP GRE traffic, tethereal sees only the outermost IP address, not the
original IP address inside the encapsulated packets. Add the "proto 47" keyword into the -f filter expression to capture the
correct traffic. Additionally, for VLAN traffic, add the "vlan" keyword into the -f filter expression to let the command
parse VLAN traffic correctly.
When using the -a filesize option together with the -R option, tethereal may stop unexpectedly and print the message
"Memory limit is reached" before reaching the specified autostop file size. In this case, the maximum memory limit for
the command was reached before the autostop file size limit.
Guide Contents
Main Article
Understanding the WAAS Architecture and Traffic Flow
Preliminary WAAS Troubleshooting
Troubleshooting Optimization
Troubleshooting Application Acceleration
Troubleshooting the CIFS AO
Troubleshooting the HTTP AO
Troubleshooting the EPM AO
Troubleshooting the MAPI AO
Troubleshooting the NFS AO
Troubleshooting the SSL AO
Troubleshooting the Video AO
Troubleshooting the Generic AO
Troubleshooting Overload Conditions
Troubleshooting WCCP
Troubleshooting AppNav
Troubleshooting Disk and Hardware Problems
Troubleshooting Serial Inline Clusters
Troubleshooting vWAAS
Troubleshooting WAAS Express
Troubleshooting NAM Integration
Contents
1 TFO
Troubleshooting
2 DRE
Troubleshooting
Basic WAAS optimizations include TCP flow optimization (TFO), data redundancy elimination (DRE), and persistent
Lempel-Ziv (LZ) compression.
TFO Troubleshooting
The number of TCP connections, their status, and disposition can give an indication of the health of the WAAS system in a
specific location. A healthy system will show a large number of connections, with a significantly large percentage of these closed
normally. The show statistics tfo detail command provides an indication of the volume, status, and disposition of connections
between a particular WAAS device and other devices in the network.
17
<-----Active connections
0
0
0
3690931
1088
7183
0
0
0
0
0
0
The No. of active connections field reports the number of connections that are currently being optimized.
In the Policy Engine Statistics section of the output, the Rejected Connection Counts section show various reasons why
connections have been rejected. The Connection Limit counter reports the number of times that a connection has been rejected
because the maximum number of optimized connections has been exceeded. If you see a high number here, you should look into
overload conditions. See the article Troubleshooting Overload Conditions for more information.
Additionally, TFO optimization for connections that are pushed down from other AOs because they cannot optimize the traffic is
handled by the generic AO, which is covered in the article Troubleshooting the Generic AO.
TFO Troubleshooting
18
DRE Troubleshooting
When application acceleration is expected but not being observed, verify that the appropriate optimizations are being applied to
the traffic flow and that the DRE cache is reducing the size of the optimized traffic appropriately.
Policy engine maps for DRE and LZ optimization include the following:
DRE + LZ (full): policy-engine application map other optimize full
DRE only: policy-engine application map other optimize DRE yes compression none
LZ only: policy-engine application map other optimize DRE no compression LZ
TFO pass-through: policy-engine application map other pass-through
Various conditions could cause DRE and/or LZ not to be applied to a connection, even though it is configured:
Cache initialization is in progress
Disk I/O errors
Low memory
Data is not compressible or gain is too small
Data is encrypted such that it does not contain repeated byte sequences
Messages are too small to benefit from compression
Note: In all of the above conditions, the show statistics connection command will report Acceleration of "TDL" for connections
where this was the negotiated policy. Looking at the amount of DRE or LZ bypass traffic will tell you whether DRE or LZ
optimizations were actually applied. Use the show statistics connection conn-id command, as described later, and look at the
DRE encode numbers to see if the DRE or LZ ratio is near 0% and most of the traffic is bypassed. The first three conditions will
be reported by the "Encode bypass due to" field and the last three conditions result from the traffic data pattern and are accounted
for in the reported DRE and LZ ratios.
You can view the statistics for a specific connection to determine what basic optimizations were configured, negotiated with the
peer, and applied by using the show statistics connection conn-id command. First you will need to determine the connection ID
for a particular connection by using the show statistics connection command, as follows:
WAE#show stat conn
Current Active Optimized Flows:
Current Active Optimized TCP Plus Flows:
Current Active Optimized TCP Only Flows:
Current Active Optimized TCP Preposition Flows:
Current Active Auto-Discovery Flows:
Current Reserved Flows:
Current Active Pass-Through Flows:
Historical Flows:
1
0
1
0
0
10
0
375
Source IP:Port
10.10.10.10:3300
Dest IP:Port
PeerID Accel RR
10.10.100.100:80
00:14:5e:84:24:5f T
00.0%
<------
You will find the connection IDs for each connection listed at the end of the output. To view the statistics for a specific
connection, use the show statistics connection conn-id command, as follows:
WAE# sh stat connection conn-id 343
<-----Application name
<-----Classifier name
<-----Configured policy
The Application Name and Classifier Name fields tell you the application and classifier applied to this connection.
The optimization policies are listed in the Policy Details section. If the Configured and Applied policies do not match, it means
that you configured one policy for this type of connection but a different policy was applied. This could result from the peer being
down, misconfigured, or overloaded. Check the peer WAE and its configuration.
The following section of output shows DRE encode/decode-related statistics including the number of messages, how many had
DRE applied, LZ applied, or bypassed DRE and LZ:
. . .
DRE: 353
Conn-ID: 353 10.10.10.10:3304 -- 10.10.100.100:139 Peer No: 0 Status: Active
-----------------------------------------------------------------------------Open at 07/14/2009 16:04:30, Still active
Encode:
Overall: msg:
178, in: 36520 B, out:
8142 B, ratio: 77.71%
<-----Overall compression
DRE: msg:
1, in:
356 B, out:
379 B, ratio:
0.00%
<-----DRE compression ratio
DRE Bypass: msg:
178, in: 36164 B
<-----DRE bypass
LZ: msg:
178, in: 37869 B, out:
8142 B, ratio: 78.50%
<-----LZ compression ratio
LZ Bypass: msg:
0, in:
0 B
<-----LZ bypass
Avg latency:
0.335 ms
Delayed msg:
0
<-----Avg latency
Encode th-put:
598 KB/s
<-----In 4.3.3 and earlier only
Message size distribution:
0-1K=0% 1K-5K=0% 5K-15K=0% 15K-25K=0% 25K-40K=0% >40K=0%
<-----In 4.3.3 and earlier only
Decode:
Overall: msg:
14448, in:
5511 KB, out:
420 MB, ratio: 98.72%
<-----Overall compression
DRE: msg:
14372, in:
5344 KB, out:
419 MB, ratio: 98.76%
<-----DRE compression ratio
DRE Bypass: msg:
14548, in:
882 KB
<-----DRE bypass
LZ: msg:
14369, in:
4891 KB, out:
5691 KB, ratio: 14.07%
<-----LZ compression ratio
LZ Bypass: msg:
79, in:
620 KB
<-----LZ bypass
Avg latency:
4.291 ms
<-----Avg latency
Decode th-put:
6946 KB/s
<-----In 4.3.3 and earlier only
Message size distribution:
0-1K=4% 1K-5K=12% 5K-15K=18% 15K-25K=9% 25K-40K=13% >40K=40%
<-----Output from here in 4.3.3 and
. . .
The following statistics are highlighted in the above example for both encoding and decoding:
Overall ratio - the overall compression ratio for the data including both DRE and LZ
DRE Troubleshooting
20
<-----Cache age
<-----Percent cache used
<-----Output from here is in 4.3.3 and earlier o
If you are not seeing significant DRE compression, it could be because the DRE cache is not populated with enough data. Check if
the cache age is short and less than 100 percent of the cache is used, which would indicate this situation. The compression ratio
should improve as the cache fills with more data. If 100% of the cache is used and the cache age is short, it indicates that the WAE
may be undersized and not able to handle the traffic volume.
If you are not seeing significant DRE compression, look at the Nack/R-tx counters in the following section of command output:
Connection details:
Chunks: encoded 398832, decoded 269475, anchor(forced) 43917(9407)
Total number of processed messges: 28229
num_used_block per msg: 0.053597
Ack: msg 18088, size 92509 B
Encode bypass due to:
remote cache initialization: messages: 1, size:
120 B
last partial chunk: chunks: 482, size: 97011 B
skipped frame header: messages: 5692, size:
703 KB
Nacks: total 0
R-tx: total 0
Encode LZ latency:
0.133 ms per msg
Decode LZ latency:
0.096 ms per msg
. . .
<-----Nacks
<-----Retransmits
The Nacks and R-tx counters should generally be low relative to the traffic volume. For example, about 1 per 100 MB of original
(unoptimized) traffic. If you see significantly higher counts, it could indicate a DRE cache synchronization problem. Use the clear
cache dre command to clear the DRE cache on all devices, or contact TAC.
The encode bypass reasons counters report the number of bytes bypassed due to various reasons. This can help you determine
what is causing bypass traffic (other than an unoptimizable data pattern).
number
number
number
number
number
number
of
of
of
of
of
of
connected peers:
active peers:
degrade peers:
connected peers:
active peers:
degraded peers:
1
1
0
1
1
0
Connections:
Total (cumulative): 3226861, Active: 597
Concurrent Connections (Last 2 min): max 593, avg 575
. . .
Other output from this command shows the encode and decode statistics similar to an individual connection.
This article describes a general troubleshooting methodology for all application accelerators.
Guide Contents
Main Article
Understanding the WAAS Architecture and Traffic Flow
Preliminary WAAS Troubleshooting
Troubleshooting Optimization
Troubleshooting Application Acceleration
Troubleshooting the CIFS AO
Troubleshooting the HTTP AO
Troubleshooting the EPM AO
Troubleshooting the MAPI AO
Troubleshooting the NFS AO
Troubleshooting the SSL AO
Troubleshooting the Video AO
Troubleshooting the Generic AO
Troubleshooting Overload Conditions
Troubleshooting WCCP
Troubleshooting AppNav
Troubleshooting Disk and Hardware Problems
DRE Troubleshooting
22
Contents
1 General Troubleshooting Methodology
for AOs
WAAS provides several application accelerators (also known as AOs) that accelerate various TCP protocols such as CIFS, HTTP,
NFS, EPM, MAPI, SSL, and live streaming video (RTSP). These application accelerators do not accelerate specific applications,
but rather they accelerate any application that uses the specified protocol.
To verify the configuration and operational status of all AOs, use the show accelerator and show license commands as shown in
Figure 1.
Figure 1. Verifying All Accelerator Status
Contents
23
For specific information on troubleshooting individual AOs, see the following articles:
Troubleshooting the CIFS AO
Troubleshooting the HTTP AO
Troubleshooting the EPM AO
Troubleshooting the MAPI AO
Troubleshooting the NFS AO
Troubleshooting the SSL AO
Troubleshooting the Video AO
Troubleshooting the Generic AO
Guide Contents
Main Article
Understanding the WAAS Architecture and Traffic Flow
Preliminary WAAS Troubleshooting
Troubleshooting Optimization
Troubleshooting Application Acceleration
Troubleshooting the CIFS AO
24
Contents
1 CIFS AO Troubleshooting
1.1 CIFS AO Logging
1.2 Windows Print Accelerator
Troubleshooting
CIFS AO Troubleshooting
The CIFS accelerator transparently optimizes CIFS traffic on ports 139 and 445.
You can verify the general AO configuration and status with the show accelerator and show license commands, as shown in
Figure 1. The Enterprise license is required for CIFS accelerator operation.
Figure 1. Verifying Accelerator Status
Contents
25
Next, verify the status that is specific to the CIFS AO by using the show accelerator cifs command, as shown in Figure 2. You
want to see that the CIFS AO is Enabled, Running, and Registered, and that the connection limit is displayed. If the Config State
is Enabled but the Operational State is Shutdown, it indicates a licensing problem.
Figure 2. Verifying CIFS Accelerator Status
Use the show running-config command to verify that the CIFS traffic policy is properly configured. You want to see accelerate
cifs for the WAFS application action and you want to see appropriate match conditions listed for the CIFS classifier, as follows:
WAE674# sh run | include CIFS
classifier CIFS
name WAFS classifier CIFS action optimize full accelerate cifs
Use the show statistics connection optimized cifs command to check that the WAAS device is establishing optimized CIFS
connections. Verify that "TCDL" appears in the Accel column for a connection. A "C" indicates that the CIFS AO was used.
WAE674# sh stat conn opt cifs
Current Active Optimized Flows:
Current Active Optimized TCP Plus Flows:
Current Active Optimized TCP Only Flows:
Current Active Optimized TCP Preposition Flows:
Current Active Auto-Discovery Flows:
Current Active Pass-Through Flows:
Historical Flows:
3
3
0
1
0
0
100
D:DRE,L:LZ,T:TCP Optimization,
A:AOIM,C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,S:SSL,V:VIDEO
ConnID
1074
Source IP:Port
10.10.10.10:2704
Dest IP:Port
10.10.100.100:445
PeerID
00:14:5e:84:24:5f
Accel
TCDL
If you see "TDL" in the Accel column, the connection was optimized by transport optimizations only and was not inspected by the
CIFS AO. This situation can happen if the CIFS AO is disabled, the Enterprise license is not configured, or if the maximum
connection limit is reached.
If you see a "G" instead of a "C" in the Accel column, then the connection was pushed down from the CIFS AO to the generic AO
and was optimized with transport optimizations only. This situation can happen if the connection requires SMB2 or a digital
signature and an error message is logged for it.
In version 4.1.3, the syslog has the following error message for digitally signed connections:
2009 Apr 25 13:42:08 wae java: %WAAS-CIFSAO-4-131230: (146708) Connection to test1.example.com will be handled by
generic optimization only, since test1.example.com requires digital signing.
In version 4.1.5 and later, check the CIFS internal error logs to see the reason why the connection was pushed down to the generic
AO. In the cifs_err.log, look for this message for SMB2 connections:
2009-06-29 10:15:04,996 WARN (actona.cifs.netbios.IPacketerHandlerOrigCifs:139) Thread-2 from host 10.56.64.205. Pushing down the connection.
In the cifs_err.log, look for this message for digitally signed connections:
To view similar information from the Central Manager, choose the WAE device, then choose Monitor > Optimization >
Connections Statistics.
Figure 3. Connection Statistics Report
CIFS AO Troubleshooting
27
You can view the CIFS connection statistics by using the show statistics connection optimized cifs detail command as follows:
WAE674# sh stat connection optimized cifs detail
Connection Id:
1801
Peer Id:
00:14:5e:84:24:5f
Connection Type:
EXTERNAL CLIENT
Start Time:
Thu Jun 25 06:15:58 2009
Source IP Address:
10.10.10.10
Source Port Number:
3707
Destination IP Address:
10.10.100.100
Destination Port Number: 139
Application Name:
WAFS
Classifier Name:
CIFS
Map Name:
basic
Directed Mode:
FALSE
Preposition Flow:
FALSE
Policy Details:
Configured:
TCP_OPTIMIZE + DRE + LZ
Derived:
TCP_OPTIMIZE + DRE + LZ
Peer:
TCP_OPTIMIZE + DRE + LZ
Negotiated:
TCP_OPTIMIZE + DRE + LZ
Applied:
TCP_OPTIMIZE + DRE + LZ
Accelerator Details:
Configured:
CIFS
Derived:
CIFS
Applied:
CIFS
Hist:
None
Bytes Read:
Bytes Written:
Original
Optimized
-------------------- -------------------189314
10352510
91649704
28512
. . .
Connection details:
Chunks: encoded 3, decoded 49922, anchor(forced) 0(1)
Total number of processed messges: 1820
num_used_block per msg: 0.140659
Ack: msg 1609, size
7066 B
Encode bypass due to:
last partial chunk: chunks: 1, size:
142 B
skipped frame header: messages: 138, size: 27202 B
Nacks: total 0
R-tx: total 0
Encode LZ latency:
0.060 ms per msg
Decode LZ latency:
0.071 ms per msg
Aggregation encode: Retransmissions: 0
level 0: chunks:
3 hits:
0 miss:
9119 B
If the Retransmissions counter increases, it means that packets are getting lost in the middle, between the two peer WAEs. This
situation will result in lower throughput. You should investigate possible causes for packet lose in the network between the two
peer WAEs.
You can view the CIFS request statistics by using the show statistics cifs requests command as follows:
Figure 4. Inspecting CIFS Request Statistics
CIFS AO Logging
The following log files are available for troubleshooting CIFS AO issues:
Transaction log files: /local1/logs/tfo/working.log (and /local1/logs/tfo/tfo_log_*.txt)
CIFS internal log file: /local1/errorlog/cifs/cifs_err.log
Debug log files: /local1/errorlog/cifsao-errorlog.current (and cifsao-errorlog.*)
For easier debugging, you should first set up an ACL to restrict packets to one host.
CIFS AO Logging
29
You can view the end of a transaction log file by using the type-tail command as follows:
To set up and enable debug logging of the CIFS AO, use the following commands.
NOTE: Debug logging is CPU intensive and can generate a large amount of output. Use it judiciously and sparingly in a
production environment.
You can enable detailed logging to the disk as follows:
WAE674(config)# logging disk enable
WAE674(config)# logging disk priority detail
You can enable debug logging for CIFS connections and then display the end of the debug error log as follows:
WAE674# debug accelerator cifs all
WAE674# type-tail errorlog/cifsao-errorlog.current follow
<-----Should be incrementing
30
Contents
1 HTTP Accelerator Troubleshooting
1.1 Viewing HTTP Statistics
1.2 Viewing HTTPS
Statistics
1.3 Viewing the HTTP
Metadata Cache
1.4 Viewing the HTTPS
Metadata Cache
1.5 Metadata Cache
Cache-Control Behavior
1.6 Metadata Caching
Exceptions
2 HTTP AO Logging
Contents
31
The HTTP metadata caching, suppress server encoding, and DRE hinting features can be configured separately. The TCP
connection reuse feature is always active when the HTTP AO is enabled and applies only to HTTP traffic.
You can verify the general AO configuration and status with the show accelerator and show license commands, as described in
the Troubleshooting Application Acceleration article. The Enterprise license is required for HTTP accelerator operation.
Next, verify the status that is specific to the HTTP AO by using the show accelerator http command, as shown in Figure 1. You
want to see that the HTTP AO is Enabled, Running, and Registered, and that the connection limit is displayed. If the Config State
is Enabled but the Operational State is Shutdown, it indicates a licensing problem. For each of the HTTP features the current mode
is shown (User/Default) along with the value (Enabled, Disabled or configured value). The Suppress Server Encoding and
Metadatacache items were added in version 4.2.1, and the DRE Hints and HTTPS Metadatacache items were added in version
4.3.1.
For HTTPS traffic to be optimized by both the SSL and HTTP AOs, ensure that one of these optional features is enabled: HTTPS
metadata caching, suppress-server-encoding or DRE hints.
Figure 1. Verifying the HTTP Accelerator Status
32
Use the show running-config command to verify that the HTTP/HTTPS traffic policy is properly configured and which of the
features is enabled. You want to see accelerate http for the Web application action and you want to see appropriate match
conditions listed for the HTTP classifier, as follows:
WAE674# sh run | include HTTP
accelerator http suppress-server-encoding enable
accelerator http metadatacache https enable
accelerator http dre-hints enable
classifier HTTP
classifier HTTPS
name Web classifier HTTP action optimize full accelerate http
name Web classifier HTTPS action optimize DRE no compression none
be incrementing
be incrementing
0
2
1
0
0
0
0
0
2
0
1
If the Total Time Saved counter in the output above is not incrementing or is quite small, it indicates that the HTTP AO is not
providing much benefit. If the Total Time Saved by one of the three metadata caches is not incrementing or is quite small, it
indicates that the corresponding metadata cache is not providing much benefit.
The Total Server Compression Suppression counter indicates how many times the Accept-Encoding header has been removed, in
an attempt to provide a better compression by the WAE device. The Total Hints Sent to DRE Layer counters indicate how many
times each of the DRE hints (Flush Data, Skip LZ, Skip Header) has been issued to the DRE module, in an attempt to better
compress the data.
To view similar information from the Central Manager in version 4.2.1 and later, choose the WAE device, then choose Monitor >
Acceleration > HTTP Acceleration Report and choose the Details tab to see the following charts:
HTTP Response Time Savings (fast connection reuse, redirect, conditional, and unauthorized cached)
HTTP Optimization Count (number of times each of the above optimizations has been applied)
HTTP Optimization Techniques (for all HTTP optimizations, including metadata caches, connection reuse, DRE hints and
suppress-server-encoding)
To see debugging information on the HTTP header parsing and error conditions, use the show statistics accelerator http debug
command (in 4.3.1 and later) to determine the following:
Number of 301, 304 and 401 responses cached
Number of HTTP headers, version and methods
Reasons for HTTP responses not being cached
Total number of HTTP responses being cached
Reasons for HTTP requests not being served from the local cache
Use the show statistics connection optimized http command to check that the WAAS device is establishing optimized HTTP
connections. Verify that an "H" appears in the Accel column for HTTP connections, which indicates that the HTTP AO was used,
as follows:
WAE674# sh stat conn opt http
Current Active Optimized Flows:
2
Current Active Optimized TCP Plus Flows:
2
Current Active Optimized TCP Only Flows:
0
Current Active Optimized TCP Preposition Flows:
0
Current Active Auto-Discovery Flows:
0
Current Active Pass-Through Flows:
0
Historical Flows:
100
D:DRE,L:LZ,T:TCP Optimization,
A:AOIM,C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,S:SSL,V:VIDEO
ConnID Source IP:Port
Dest IP:Port
PeerID
5929
10.10.10.10:3446
10.10.100.100:80
00:14:5e:84:24:5f
Accel
THDL
You can check connection statistics for closed connections by using the show statistics connection closed http command.
35
In the Connection Statistics report, the globe icon in the Applied Policy column shows that the HTTP AO was used for a
connection. (Place your cursor over an icon to see its meaning.)
You can view the HTTP connection statistics by using the show statistics connection optimized http detail command. Look for
the "Fast connections" counter in the output. A positive value for this counter means that the HTTP AO benefits clients by reusing
persistent connections, which reduces latency.
WAE674# show stat conn opt http detail
Connection Id:
1496
Peer Id:
00:14:5e:84:24:5f
Connection Type:
EXTERNAL CLIENT
Start Time:
Wed Jul 15 05:09:52 2009
Source IP Address:
10.10.10.10
Source Port Number:
1760
Destination IP Address:
10.10.100.100
Destination Port Number: 80
Application Name:
Web
Classifier Name:
HTTP
Map Name:
basic
Directed Mode:
FALSE
Preposition Flow:
FALSE
Policy Details:
Configured:
TCP_OPTIMIZE + DRE + LZ
Derived:
TCP_OPTIMIZE + DRE + LZ
Peer:
TCP_OPTIMIZE + DRE + LZ
Negotiated:
TCP_OPTIMIZE + DRE + LZ
Applied:
TCP_OPTIMIZE + DRE + LZ
Accelerator Details:
Configured:
HTTP
Derived:
HTTP
HTTP
None
Bytes Read:
Bytes Written:
. . .
HTTP : 1496
Original
Optimized
-------------------- -------------------266
139160
82686
128
Wed Jul 15
Fast connections:
. . .
11
3269
3269
0
92
92
1040
2046823200
<-----Reused connections
<-----Should be
<-----Should be
<-----Should
<-----Should
<-----Should
<-----Should
<-----Should
<-----Should
be
be
be
be
be
be
incrementing
incrementing
incrementing
incrementing
incrementing
incrementing
incrementing
incrementing
37
0
110
59
4
32
0
0
0
<-----Should be incrementing
If the Total Time Saved counter in the output above is not incrementing or is quite small, it indicates that the HTTP AO is not
providing much benefit to the HTTPS traffic. If the Total Time Saved by one of the three metadata caches is not incrementing or
is quite small, it indicates that the corresponding metadata cache is not providing much benefit.
The Total Server Compression Suppression counter indicates how many times the Accept-Encoding header has been removed
from HTTPS requests, in an attempt to provide a better compression by the WAE device. The Total Hints Sent to DRE Layer
counters indicate how many times each of the DRE hints (Flush Data, Skip LZ, Skip Header) has been issued to the DRE module,
in an attempt to better compress the data.
To view similar information from the Central Manager in version 4.3.1 and later, choose the WAE device, then choose Monitor >
Acceleration > HTTPS Acceleration Report and choose the Details tab to see the following charts:
HTTPS Response Time Savings (redirect, conditional, and unauthorized cached)
HTTPS Optimization Count (number of times each of the above optimizations has been applied)
HTTPS Optimization Techniques (for all HTTPS optimizations, including metadata caches, DRE hints and
suppress-server-encoding)
To see debugging information on the HTTPS header parsing and error conditions, use the show statistics accelerator http debug
command to determine the following:
Number of 301, 304 and 401 responses cached
Number of HTTP headers, version and methods
Reasons for HTTP responses not being cached
Total number of HTTP responses being cached
Reasons for HTTP requests not being served from the local cache
Use the show statistics connection optimized http command to check that the WAAS device is establishing optimized HTTPS
connections. Verify that both an "H" and an "S" appear in the Accel column for HTTPS connections, which indicates that both the
HTTP and SSL AOs were used, as follows:
WAE674# sh stat conn opt http
Current Active Optimized Flows:
2
Current Active Optimized TCP Plus Flows:
2
Current Active Optimized TCP Only Flows:
0
Current Active Optimized TCP Preposition Flows:
0
Current Active Auto-Discovery Flows:
0
Current Active Pass-Through Flows:
0
Historical Flows:
100
D:DRE,L:LZ,T:TCP Optimization,
A:AOIM,C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,S:SSL,V:VIDEO
ConnID
Source IP:Port
Dest IP:Port
PeerID
5929
10.10.10.10:3446
10.10.100.100:80
00:14:5e:84:24:5f
Accel
THSDL
You can check connection statistics for closed connections by using the show statistics connection closed http or show statistics
connection closed ssl commands.
To view similar information from the Central Manager, choose the WAE device, then choose Monitor > Optimization >
Connections Statistics.
Viewing HTTPS Statistics
38
In the Connection Statistics report, the globe icon in the Applied Policy column shows that the HTTP AO was used for a
connection and the lock icon indicates that the SSL AO was applied. (Place your cursor over an icon to see its meaning.)
You can view the HTTPS connection statistics by using the show statistics connection optimized http detail and show statistics
connection optimized ssl detail commands.
WAE674# show stat conn opt http detail
Connection Id:
34
Peer Id:
00:14:5e:cd:9c:c9
Connection Type:
EXTERNAL CLIENT
Start Time:
Thu Oct 28 14:47:56 2010
Source IP Address:
10.3.2.1
Source Port Number:
40829
Destination IP Address:
110.1.1.100
Destination Port Number: 443
Application Name:
SSL
Classifier Name:
HTTPS
Map Name:
basic
Directed Mode:
FALSE
Preposition Flow:
FALSE
Policy Details:
Configured:
TCP_OPTIMIZE
Derived:
TCP_OPTIMIZE
Peer:
TCP_OPTIMIZE
Negotiated:
TCP_OPTIMIZE + DRE + LZ
Applied:
TCP_OPTIMIZE + DRE + LZ
Accelerator Details:
Configured:
None
Derived:
None
Applied:
HTTP,SSL
Hist:
None
Bytes Read:
Bytes Written:
Original
Optimized
-------------------- -------------------5162
21874
1977819
5108
HTTP : 34
Thu Oct 28
4620
4620
SSL : 34
Time Statistics were Last Reset/Cleared:
14:47:56 2010
Total Bytes Read:
0
Total Bytes Written:
0
. . .
Hostname in HTTP CONNECT:
IP Address in HTTP CONNECT:
TCP Port in HTTP CONNECT:
Thu Oct 28
0
0
You can clear the content of the three caches with the clear cache http-metadatacache all command.
If you want to clear the content of each cache separately, you can use the following commands:
clear cache http-metadatacache redirect-response
clear cache http-metadatacache conditional-response
clear cache http-metadatacache unauthorized-response
If you want to specify a URL to be deleted you can use the following command:
Viewing the HTTP Metadata Cache
40
You can clear the content of the three caches with the clear cache http-metadatacache https command.
If you want to clear the content of each cache separately, you can use the following commands:
clear cache http-metadatacache https redirect-response
clear cache http-metadatacache https conditional-response
clear cache http-metadatacache https unauthorized-response
This command forces the metadatacache to disregard all Cache-Control directives in HTTP/S 304 requests. (The default [no] form
of this command forces the metadatacache to honor all Cache-Control directives in HTTP/S 304 requests.)
To disable cache control checks on HTTP/S 304 responses, use the following command:
WAE#accelerator http metadatacache response-ignore-no-cache enable
41
HTTP AO Logging
The following log files are available for troubleshooting HTTP AO issues:
Transaction log files: /local1/logs/tfo/working.log (and /local1/logs/tfo/tfo_log_*.txt)
Debug log files: /local1/errorlog/httpao-errorlog.current (and httpao-errorlog.*)
For easier debugging, you should first set up an ACL to restrict packets to one host.
WAE674(config)# ip access-list extended 150 permit tcp host 10.10.10.10 any
WAE674(config)# ip access-list extended 150 permit tcp any host 10.10.10.10
You can view the end of a transaction log file by using the type-tail command as follows:
To set up and enable debug logging of the HTTP AO, use the following commands.
42
The options for HTTP AO debugging (on 4.2.1 and later) are as follows:
WAE674# debug accelerator http ?
all
enable
bypass-list
enable
cli
enable
conditional-response
enable
debugs
connection
enable
dre-hints
enable
metadatacache
enable
prefetch
enable
redirect-response
enable
debugs
shell
enable
suppress-server-encoding enable
transaction
enable
unauthorized-response
enable
connection debugs
dre-hints debugs
metadatacache debugs
prefetch debugs
metadatacache redirect (301) response
HTTP
HTTP
HTTP
HTTP
shell debugs
suppress-server-encoding debugs
transaction debugs
auth-optimization debugs bugs
You can enable debug logging for HTTP connections and then display the end of the debug error log as follows:
WAE674# debug accelerator http connection
WAE674# type-tail errorlog/httpao-errorlog.current follow
HTTP AO Logging
Guide Contents
Main Article
Understanding the WAAS Architecture and Traffic Flow
Preliminary WAAS Troubleshooting
Troubleshooting Optimization
Troubleshooting Application Acceleration
Troubleshooting the CIFS AO
Troubleshooting the HTTP AO
Troubleshooting the EPM AO
Troubleshooting the MAPI AO
Troubleshooting the NFS AO
Troubleshooting the SSL AO
Troubleshooting the Video AO
Troubleshooting the Generic AO
Troubleshooting Overload Conditions
43
Contents
1 EPM Accelerator
Troubleshooting
2 EPM AO Logging
The End Point Mapper (EPM) accelerator optimizes MS-RPC protocols that do not use predefined TCP ports. Clients contact the
EPM service on the server (TCP port 135) to negotiate a dynamic port that is based on the application UUID. The EPM AO listens
to the client communication and creates a dynamic policy entry to match the negotiated port. EPM is required to apply MAPI
specific optimizations or to provide accounting on any MS-RPC protocol.
You can verify the general AO configuration and status with the show accelerator and show license commands, as described in
the Troubleshooting Application Acceleration article. The Enterprise license is required for EPM accelerator operation.
Next, verify the status that is specific to the EPM AO by using the show accelerator epm command, as shown in Figure 1. You
want to see that the EPM AO is Enabled, Running, and Registered, and that the connection limit is displayed. If the Config State is
Enabled but the Operational State is Shutdown, it indicates a licensing problem.
Figure 1. Verifying the EPM Accelerator Status
Contents
44
Use the show running-config command to verify that the EPM traffic policy is properly configured. You want to see adaptor
EPM for the applications or UUIDs that are configured to use the EPM AO, as follows:
WAE674# sh run | begin EPM
...skipping
map adaptor EPM 1544f5e0-613c-11d1-93df-00c04fd7bd09
name Email-and-Messaging All action pass-through
exit
map adaptor EPM ms-sql-rpc
name SQL All action optimize full
exit
map adaptor EPM mapi
name Email-and-Messaging All action optimize full accelerate mapi
exit
map adaptor EPM ms-ad-replication
name Replication All action optimize full
exit
map adaptor EPM ms-frs
name Replication All action optimize full
exit
map adaptor EPM f5cc5a18-4264-101a-8c59-08002b2f8426
name Email-and-Messaging All action pass-through
Use the show policy-engine application dynamic command to verify the dynamic policy engine match conditions as follows:
WAE674# sh policy-engine application dynamic
Dynamic Match Freelist Information:
Allocated: 32768 In Use: 3 Max In Use: 4
Dynamic Match Type/Count Information:
None
0
Clean-Up
0
Host->Host
0
Host->Local
0
Local->Host
0
Local->Any
0
Any->Host
3
Any->Local
0
Any->Any
0
Individual Dynamic Match Information:
Allocations: 380
<----------------<----------------<----------------<----------------<----------------<-----------------
Use the show statistics connection optimized epm command to check that the WAAS device is establishing optimized EPM
connections. Verify that "TE" or "TDLE" appears in the Accel column for EPM connections, which indicates that the EPM AO
was used, as follows:
WAE674# sh stat conn opt epm
Current Active Optimized Flows:
Current Active Optimized TCP Plus Flows:
Current Active Optimized TCP Only Flows:
Current Active Optimized TCP Preposition Flows:
Current Active Auto-Discovery Flows:
Current Active Pass-Through Flows:
Historical Flows:
18
17
0
1
0
28
100
D:DRE,L:LZ,T:TCP Optimization,
A:AOIM,C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,S:SSL,V:VIDEO
ConnID
Source IP:Port
Dest IP:Port
PeerID
Accel
2048
2049
10.10.10.10:3007
10.10.10.10:3009
10.10.100.101:135
10.10.100.101:135
00:14:5e:84:24:5f
00:14:5e:84:24:5f
TE
TE
You can check connection statistics for closed connections by using the show statistics connection closed epm command.
To view similar information from the Central Manager, choose the WAE device, then choose Monitor > Optimization >
Connections Statistics.
You can view the EPM connection specific statistics by using the show statistics connection optimized epm detail command as
follows:
WAE674# sh stat connection optimized epm detail
Connection Id:
1885
Peer Id:
00:14:5e:84:24:5f
Connection Type:
EXTERNAL CLIENT
Start Time:
Wed Jul 15 09:50:45 2009
Source IP Address:
10.10.10.10
Source Port Number:
2465
Destination IP Address:
10.10.100.101
Destination Port Number: 135
Application Name:
Other
Classifier Name:
MS-EndPointMapper
Map Name:
basic
Directed Mode:
FALSE
Preposition Flow:
FALSE
Policy Details:
Configured:
TCP_OPTIMIZE
Derived:
TCP_OPTIMIZE
Peer:
TCP_OPTIMIZE
46
TCP_OPTIMIZE
TCP_OPTIMIZE
<-----Should see EPM configured
EPM
EPM
EPM
None
Bytes Read:
Bytes Written:
. . .
Original
Optimized
-------------------- -------------------5220
5076
5076
5220
EPM AO Logging
The following log files are available for troubleshooting EPM AO issues:
Transaction log files: /local1/logs/tfo/working.log (and /local1/logs/tfo/tfo_log_*.txt)
Debug log files: /local1/errorlog/epmao-errorlog.current (and epmao-errorlog.*)
For easier debugging, first set up an ACL to restrict packets to one host.
WAE674(config)# ip access-list extended 150 permit tcp host 10.10.10.10 any
WAE674(config)# ip access-list extended 150 permit tcp any host 10.10.10.10
You can view the end of a transaction log file by using the type-tail command as follows:
To set up and enable debug logging of the EPM AO, use the following commands.
NOTE: Debug logging is CPU intensive and can generate a large amount of output. Use it judiciously and sparingly in a
production environment.
You can enable detailed logging to the disk as follows:
WAE674(config)# logging disk enable
WAE674(config)# logging disk priority detail
You can enable debug logging for connections in the ACL as follows:
WAE674# debug connection access-list 150
EPM AO Logging
47
You can enable debug logging for EPM connections and then display the end of the debug error log as follows:
WAE674# debug accelerator epm connection
WAE674# type-tail errorlog/epmao-errorlog.current follow
Guide Contents
Main Article
Understanding the WAAS Architecture and Traffic Flow
Preliminary WAAS Troubleshooting
Troubleshooting Optimization
Troubleshooting Application Acceleration
Troubleshooting the CIFS AO
Troubleshooting the HTTP AO
Troubleshooting the EPM AO
Troubleshooting the MAPI AO
Troubleshooting the NFS AO
Troubleshooting the SSL AO
Troubleshooting the Video AO
Troubleshooting the Generic AO
Troubleshooting Overload Conditions
Troubleshooting WCCP
Troubleshooting AppNav
Troubleshooting Disk and Hardware Problems
Troubleshooting Serial Inline Clusters
Troubleshooting vWAAS
Troubleshooting WAAS Express
Troubleshooting NAM Integration
Contents
1 MAPI Accelerator
2 Encrypted MAPI Acceleration
2.1 Summary
2.2 Feature Information
2.3 Troubleshooting Methodology
2.3.1 Step 1 - Verify Encryption Service Identity configuration and key retrieval success
2.3.2 Step 2 - In 5.0.3 a new diagnostic command was introduced to check some of the required settings.
2.3.3 Step 3- Manually verify the WAE settings that are not checked by the diagnostic command above.
2.4 Data Analysis
2.5 Common Problems
2.5.1 Problem 1: The Encryption service identity configured on the Core WAE does not have the correct
permissions in AD.
2.5.2 Resolution 1: Consult the configuration guide and verify the object in AD has the correct
permissions. "Replicating Directory Changes" and "Replicating Directory Changes All" must both be set
to allow.
Contents
48
MAPI Accelerator
The MAPI accelerator optimizes Microsoft Outlook Exchange e-mail traffic. Exchange uses the EMSMDB protocol, which is
layered on MS-RPC, which in turn uses either TCP or HTTP (unsupported) as the low level transport.
The MAPI AO supports Microsoft Outlook 2000 through 2007 clients for both cached and noncached mode traffic. Secure
connections that use message authentication (signing) or encryption are not accelerated by the MAPI AO. Such connections and
connections from older clients are handed off to the generic AO for TFO optimizations. Additionally, Outlook Web Access
(OWA) and Exchange-Exchange connections are not supported.
Note: Microsoft Outlook 2007 has encryption enabled by default. You must disable encryption to benefit from the MAPI
application accelerator. In Outlook, choose Tools > E-mail Accounts, choose View or Change Existing E-mail Accounts, and
then click Next. Choose the Exchange account, and then click Change. Click More Settings, and then click the Security tab.
Uncheck the Encrypt data between Microsoft Office Outlook and Microsoft Exchange Server check box, as shown in Figure
1.
Alternatively, you can disable encryption for all users of an Exchange Server by using a Group Policy.
Figure 1. Disabling Encryption in Outlook 2007
MAPI Accelerator
49
50
Use the show statistics accelerator epm command to verify that the EPM AO is functional. Check that the Total Handled
Connections, Total Requests Successfully Parsed, and Total Responses Successfully Parsed counters increase when a client is
started.
Use the show running-config command to verify that the MAPI and EPM traffic policies are properly configured. You want to
see accelerate mapi for the Email-and-Messaging application action and you want to see the MS-EndPortMapper classifier and
traffic policy defined, as follows:
WAE674# sh run | include mapi
map adaptor EPM mapi
name Email-and-Messaging All action optimize full accelerate mapi
WAE674# sh run | begin MS-EndPointMapper
...skipping
classifier MS-EndPointMapper
match dst port eq 135
exit
WAE674# sh run | include MS-EndPointMapper
classifier MS-EndPortMapper
name Other classifier MS-EndPortMapper action optimize DRE no compression none accelerate MS-port-mapper
2
1
1
0
0
12
0
161
Source IP:Port
10.56.94.101:4506
Dest IP:Port
10.10.100.100:1456
PeerID
0:1a:64:d3:2f:b8
Accel RR
TMDL 61.0%
Note: In version 4.1.5, the Current Reserved Flows counter was added in the output. This counter refers to the number of reserved
MAPI connection resources on the WAE that are currently unused but set aside for future MAPI connections. For more details
about reserved MAPI connections and their impact on device overload, see the section "MAPI Application Accelerator Reserved
Connections Impact on Overload" in the Troubleshooting Overload Conditions article.
If you observe connections with "TGDL" in the Accel column, these connections were pushed down to the generic AO and
optimized with transport optimizations only. If these are connections that you expected to be handled by the MAPI AO, it may be
because they are encrypted MAPI connections. To check on the number of encrypted MAPI connections that have been requested,
use the show statistics accelerator mapi command as follows:
wae# sh stat accel mapi
MAPI:
Global Statistics
----------------Time Accelerator was started:
Time Statistics were Last Reset/Cleared:
Total Handled Connections:
Total Optimized Connections:
Total Connections Handed-off with Compression Policies Unchanged:
Total Dropped Connections:
Current Active Connections:
Current Pending Connections:
Maximum Active Connections:
Number of Synch Get Buffer Requests:
Minimum Synch Get Buffer Size (bytes):
Maximum Synch Get Buffer Size (bytes):
Average Synch Get Buffer Size (bytes):
Number of Read Stream Requests:
Minimum Read Stream Buffer Size (bytes):
Maximum Read Stream Buffer Size (bytes):
Average Read Stream Buffer Size (bytes):
Minimum Accumulated Read Ahead Data Size (bytes):
MAPI Accelerator
Thu Nov
Thu Nov
8615
8614
0
1
20
0
512
1052
31680
31680
31680
3844
19
31744
14556
0
5 19:45:19 2009
5 19:45:19 2009
52
1172480
594385
20827
250895
70486
277036
0
1
0
1
0
0
<-----Encrypted connections
You can find the IP addresses of clients requesting encrypted MAPI connections in the syslog by searching for messages like the
following:
2009 Jan 5 13:11:54 WAE512 mapi_ao: %WAAS-MAPIAO-3-132104: (929480) Encrypted connection. Client ip: 10.36.14.82
You can view the MAPI connection statistics by using the show statistics connection optimized mapi detail command as
follows:
WAE674# show stat conn opt mapi detail
Connection Id:
1830
Peer Id:
00:14:5e:84:24:5f
Connection Type:
EXTERNAL CLIENT
Start Time:
Thu Jun 25 06:32:27 2009
Source IP Address:
10.10.10.10
Source Port Number:
3774
Destination IP Address:
10.10.100.101
Destination Port Number: 1146
Application Name:
Email-and-Messaging
<-----Should
Classifier Name:
**Map Default**
Map Name:
uuida4f1db00-ca47-1067-b31f-00dd010662da
<-----Should
Directed Mode:
FALSE
Preposition Flow:
FALSE
Policy Details:
Configured:
TCP_OPTIMIZE + DRE + LZ
Derived:
TCP_OPTIMIZE + DRE + LZ
Peer:
TCP_OPTIMIZE + DRE + LZ
Negotiated:
TCP_OPTIMIZE + DRE + LZ
Applied:
TCP_OPTIMIZE + DRE + LZ
Accelerator Details:
Configured:
MAPI
<-----Should
Derived:
MAPI
Applied:
MAPI
<-----Should
Hist:
None
Original
Optimized
-------------------- -------------------Bytes Read:
4612
1973
Bytes Written:
4086
2096
. . .
see Email-and-Messaging
see this UUID
Local and remote response counts and average response times are shown in this output:
. . .
MAPI : 1830
Time Statistics were Last Reset/Cleared:
06:32:27 2009
Total Bytes Read:
Total Bytes Written:
Number of Synch Get Buffer Requests:
MAPI Accelerator
Thu Jun 25
46123985
40864046
0
53
0
0
0
0
0
0
0
0
0
0
0
0
19
89005
<---------<---------<---------<----------
Feature Information
eMAPI will be enabled by default in 5.0.3 and will require the following to successfully accelerate encrypted traffic.
1) CMS secure store must be initialized and open on all Core WAEs
2) The WAEs must be able to resolve the FQDN of the Exchange server(s) and Kerberos KDC (Active Directory Controller)
3) The WAE's clocks must be in sync with the KDC
4) SSL acclerator, WAN Secure, and eMAPI must be enabled on all WAEs in the path from Outlook to Exchange
5) The WAEs in the path must have the correct policy-map configuration
6) The Core WAE(s) must have one or more Encrypted Services Domain Identies configured (User or Machine account)
7) If a machine account is used this WAE must be joined to the AD domain.
8) Then with either the Machine or User account use case, those objects in Active directory need to be given specific permissions.
"Replicating Directory Changes" and "Replicating Directory Changes All" must both be set to allow.
The recommended way to do this is via a Universal Security group (e.g. assign the permissions to the group and then add the
WAAS devices and/or usernames specified in the Encryption service to this group). See the attached guide for screenshots of AD
configuration and WAAS CM GUI.
Troubleshooting Methodology
54
55
For more details and screen shots on Encrytpion service and AD config see the attached guide.
Step 2 - In 5.0.3 a new diagnostic command was introduced to check some of the required settings.
?accelerator mapi verify encryption settings
1.CLI does various validity checks. It output is summary of ability to accelerate encrypted MAPI traffic as edge or core.
2.Checks the various components? status/config attributes for Encryption Service to work properly.
3.When a configuration issue is found it will output what is missing and the CLI or actions to fix it.
4.It give the summary out as Edge device and Core device. Device which can be both edge and core should have EMAPI
operational for both edge and core.
Below is a sample output from an incorrectly configured WAE:
Core#accelerator mapi verify encryption-settings
[EDGE:]
Verifying Mapi Accelerator State
-------------------------------Status: FAILED
Accelerator
Config State
Operational State
-------------------------------------mapi
Disabled
Shutdown
>>Mapi Accelerator should be Enabled
>>Mapi Accelerator should be in Running state
Verifying SSL Accelerator State
------------------------------Status: FAILED
>>Accelerator
Config State
Operational State
-------------------------------------ssl
Disabled
Shutdown
>>SSL Accelerator should be Enabled
>>SSL Accelerator should be in Running state
Verifying Wan-secure State
-------------------------Status: FAILED
>>Accelerator
Config State
Operational State
-------------------------------------wan-secure
Disabled
Shutdown
>>Wan-secure should be Enabled
>>Wan-secure should be in Running state
Verifying Mapi Wan-secure mode Setting
Step 2 - In 5.0.3 a new diagnostic command was introduced to check some of the required settings.
56
Value
-----Not Applicable
Summary [EDGE]:
===============
Device has to be properly configured for one or more components
[CORE:]
Verifying encryption-service State
---------------------------------Status: FAILED
Service
Config State
---------------------Encryption-service
Disabled
>>Encryption Service should be Enabled
>>Encryption Service status should be in
Operational State
----------------Shutdown
'Running' state
Step 2 - In 5.0.3 a new diagnostic command was introduced to check some of the required settings.
57
Step 3- Manually verify the WAE settings that are not checked by the diagnostic command above.
1) The above command while it chekcs for the existence of NTP configured, it does not actually verify the times are in sync
between the WAE and KDC. It is very important the times are in sync between the Core and KDC for key retrieval to be
successful.
If the manual check reveals they are out of sync a simple way to force the clock of the WAE to be in sync would be the ntpdate
command (ntpdate <KDC ip>). Then point the WAEs to the enterprise NTP server.
2) Verify dnslookup succeeds on all WAEs for the Exchange servers' FQDN and the KDCs' FQDN
3) Verify the class-map and policy-map is configured correctly on all WAEs in the path.
4) Verify the CMS secure store is open and initialized on all WAEs "show cms secure store"
Data Analysis
Besides analyzing the output of the diagnostic command and the manual show commands you may need to review the sysreport.
Specifically you'll want to review the mapiao-errorlog, sr-errorlog (core WAE only), and wsao-errorlog files.
Step 3- Manually verify the WAE settings that are not checked by the diagnostic command above.
58
This output is from sr-errorlog and shows validation of Machine Account Encryption Service Identity
Note: This only confirms the Core WAE joined the domain and the machine account exists.
07/03/2012 19:12:07.278(Local)(6249 1.5) NTCE
07/03/2012 19:12:07.279(Local)(6249 1.5) NTCE
07/03/2012 19:12:07.279(Local)(6249 1.5) NTCE
07/03/2012 19:12:07.279(Local)(6249 1.5) NTCE
07/03/2012 19:12:07.279(Local)(6249 1.5) NTCE
07/03/2012 19:12:07.330(Local)(6249 1.5) NTCE
07/03/2012 19:12:07.330(Local)(6249 1.5) NTCE
ID_TAG :MacchineAcctWAAS
Name : pdi-7541-dc
Domain : PDIDC.CISCO.COM
Realm : PDIDC.CISCO.COM
CLI_GUID :
SITE_GUID :
CONF_GUID :
Status:ENABLED
Black_Listed:NO
AUTH_STATUS: SUCCESS
ACCT_TYPE:Machine [SRIdentityObject.cpp:85]
07/03/2012 19:12:07.331(Local)(6249 1.5) NTCE
07/03/2012 19:12:07.347(Local)(6249 1.5) NTCE
(278902)
(279018)
(279282)
(279306)
(279321)
(330581)
(330599)
This output is from the Core sr-errorlog again and shows successful key retrieval from KDC.
10/23/2012 15:46:55.673(Local)(3780 1.2) NTCE (673766)
10/23/2012 15:46:55.673(Local)(3780 1.2) NTCE (673811)
Key retrieval is in Progress [SRServer.cpp:322]
10/23/2012 15:46:55.673(Local)(3780 0.0) NTCE (673818)
10/23/2012 15:46:55.673(Local)(3780 1.2) NTCE (673827)
10/23/2012 15:46:55.673(Local)(3780 1.2) NTCE (673834)
[SRDataServer.cpp:444]
10/23/2012 15:46:55.673(Local)(3780 0.0) NTCE (673922)
10/23/2012 15:46:55.673(Local)(3780 0.0) NTCE (673937)
10/23/2012 15:46:55.673(Local)(3780 0.0) NTCE (673950)
10/23/2012 15:46:55.674(Local)(3780 0.0) NTCE (674011)
PDI-7541-DC@PDIDC.CISCO.COM [GssCli.cpp:51]
10/23/2012 15:46:55.674(Local)(3780 0.0) NTCE (674020)
10/23/2012 15:46:55.674(Local)(3780 1.3) NTCE (674421)
10/23/2012 15:46:55.676(Local)(3780 1.3) NTCE (676280)
10/23/2012 15:46:55.676(Local)(3780 0.1) NTCE (676415)
10/23/2012 15:46:55.676(Local)(3780 0.0) NTCE (676607)
10/23/2012 15:46:55.677(Local)(3780 0.0) NTCE (677736)
10/23/2012 15:46:55.678(Local)(3780 0.1) NTCE (678001)
10/23/2012 15:46:55.679(Local)(3780 0.1) NTCE (679500)
10/23/2012 15:46:55.680(Local)(3780 0.1) NTCE (680011)
10/23/2012 15:46:55.680(Local)(3780 0.1) NTCE (680030)
10/23/2012 15:46:55.685(Local)(3780 0.1) NTCE (685502)
[SRKeyRetriever.cpp:269]
10/23/2012 15:46:55.685(Local)(3780 0.1) NTCE (685583)
[SRKeyMgr.cpp:296]
10/23/2012 15:46:55.685(Local)(3780 0.1) NTCE (685594)
Data Analysis
59
'''10/23/2012 17:56:23.080(Local)(8311 0.1) NTCE (80175) (fl=2433) Edge TCP connection initiated (-1409268656), Co
Flavor: 0 [EdgeTcpConnectionDceRpcLayer.cpp:43]
10/23/2012 17:56:23.080(Local)(8311 0.1) NTCE (80199) Edge TCP connection initiated (-1409268656), Conn: [14.110.3
[EdgeTcpConnectionDceRpcLayer.cpp:48]
10/23/2012 17:56:23.108(Local)(8311 0.0) NTCE (108825) (fl=2433) Bind Request from client with AGID 0x0, callId 2,
AuthType: SPNEGO AuthCtxId: 0 WsPlumb:1
[EdgeTcpConnectionDceRpcLayer.cpp:1277]'''
10/23/2012 17:56:23.109(Local)(8311 0.0) NTCE (109935) CheckAndDoAoshReplumbing perform replumbing wsPlumbState 1
10/23/2012 17:56:23.109(Local)(8311 0.0) NTCE (109949) (fl=2433) AOSH Replumbing was performed returned Status 0 [
10/23/2012 17:56:23.109(Local)(8311 0.0) NTCE (109956) CheckAndPlumb WanSecure(14) ret:= [1,0] WsPlumb:4 fd[client
10/23/2012 17:56:23.312(Local)(8311 0.1) NTCE (312687) (fl=2433) Connection multiplexing enabled by server on the
10/23/2012 17:56:23.312(Local)(8311 0.1) NTCE (312700) (fl=2433) Header signing enabled by server on the connectio
10/23/2012 17:56:23.312(Local)(8311 0.1) NTCE (312719) (fl=2433) OnNewConnection - Client IP 14.110.3.117 (0xe6e03
nAssociationGroup=0x11de4,conn_fd=26,
bWasConnectionFromReservedPool=0, bIsNewMapiSession=1 [ConnectionReservationManager.cpp:255]
'''10/23/2012 17:56:23.366(Local)(8311 0.1) NTCE (366789) (fl=2433) Received security context from core with auth
10/23/2012 17:56:23.367(Local)(8311 0.1) NTCE (367157) (fl=2433) Security Layer moved to ESTB state [FlowSecurityL
10/23/2012 17:56:23.368(Local)(8311 0.1) NTCE (368029) (fl=2433) Informational:: Send APC set to WS: asking for Ci
10/23/2012 17:56:23.368(Local)(8311 0.1) NTCE (368041) (fl=2433) Sec-Params [CtxId, AL, AT, ACT, DCT, [Hs, ConnMpl
[FlowIOBuffers.cpp:477]
10/23/2012 17:56:23.369(Local)(8311 0.0) NTCE (369128) (fl=2433) CEdgeTcpConnectionEmsMdbLayer::ConnectRequestComm
Product Minor:0, Build Major:6117,
Build Minor:5001 Client ip 14.110.3.117 Client port 58352 Dest ip 14.110.3.99 Dest port 27744 [EdgeTcpConnectionEm
10/23/2012 17:56:23.868(Local)(8311 0.1) ERRO (868390) (fl=2433) ContextHandle.IsNull() [EdgeTcpConnectionEmsMdbLa
10/23/2012 17:56:23.890(Local)(8311 0.0) NTCE (890891) (fl=2433) CEdgeTcpConnectionEmsMdbLayer::ConnectRequestComm
Product Minor:0, Build Major:6117,
Build Minor:5001 Client ip 14.110.3.117 Client port 58352 Dest ip 14.110.3.99 Dest port 27744 [EdgeTcpConnectionEm
Here is the corresponding Core WAE output from mapiao-errorlog for the same TCP conneciton
'''10/23/2012 17:56:54.092(Local)(6408 0.0) NTCE (92814) (fl=21) Core TCP connection initiated (11892640), Conn: [
lavor: 0 [CoreTcpConnectionDceRpcLayer.cpp:99]
10/23/2012 17:56:54.092(Local)(6408 0.0) NTCE (92832) Core TCP connection initiated (11892640), Conn: [14.110.3.11
[CoreTcpConnectionDceRpcLayer.cpp:104]'''
10/23/2012 17:56:54.175(Local)(6408 0.0) NTCE (175035) SrlibCache Cache eviction starting: static void srlib::CSrl
id*, aosh_work*) [SrlibCache.cpp:453]
10/23/2012 17:56:54.175(Local)(6408 0.0) NTCE (175068) last_cleanup_time (1344411860), evict_in_progress(1) handle
cpp:464]
10/23/2012 17:56:54.175(Local)(6408 0.0) NTCE (175121) SendNextCmd isDuringSend 0, WriteQueue sz 1, isDuringclose
10/23/2012 17:56:54.175(Local)(6408 0.0) NTCE (175132) SendNextCmd: Sending request: exchangeMDB/PDIDC-EXCHANGE1.p
[bClose 0] [SrlibClientTransport.cpp:168]
10/23/2012 17:56:54.185(Local)(6408 0.1) NTCE (185576) OnReadComplete len 4 status 0 isDuringRead 1, isDuringHeade
cpp:127]
10/23/2012 17:56:54.185(Local)(6408 0.1) NTCE (185587) Parse header, msg body len 152 [SrlibTransport.cpp:111]
10/23/2012 17:56:54.185(Local)(6408 0.1) NTCE (185592) ReadNextMsg isDuringRead 0, isDuringHeaderRead 1, isDuringc
10/23/2012 17:56:54.185(Local)(6408 0.1) NTCE (185623) OnReadComplete len 148 status 0 isDuringRead 1, isDuringHea
t.cpp:127]
'''10/23/2012 17:56:54.185(Local)(6408 0.1) NTCE (185688) Insert new KrbKey: exchangeMDB/PDIDC-EXCHANGE1.pdidc.cis
rlibCache.cpp:735]
'''10/23/2012 17:56:54.185(Local)(6408 0.1) NTCE (185747) ReadNextMsg isDuringRead 0, isDuringHeaderRead 0, isDuri
'''10/23/2012 17:56:54.261(Local)(6408 0.1) NTCE (261575) (fl=21) Successfully created memory keytab with name: ME
.com0nxrPblND [GssServer.cpp:468]
10/23/2012 17:56:54.261(Local)(6408 0.1) NTCE (261613) (fl=21) Successfully added entry in memory keytab. [GssServ
10/23/2012 17:56:54.261(Local)(6408 0.1) NTCE (261858) (fl=21) Successfully acquired credentials. [GssServer.cpp:1
Data Analysis
60
Common Problems
Below are some common reasons which results in eMAPI connection Hand-off to Generic AO (TG).
Problem 1: The Encryption service identity configured on the Core WAE does not have the correct
permissions in AD.
Output from sr-errolog on Core WAE
09/25/2012 18:47:54.147(Local)(9063 0.1) ERRO (147570) session(0x517fa0) Failed to Retrieve Key from AD for SPN:ex
'''09/25/2012 18:47:54.147(Local)(9063 0.1) ERRO (147592) Key retrieval failed with Status 16 [SRKeyMgr.cpp:157]
''''''09/25/2012 18:47:54.147(Local)(9063 0.1) ERRO (147623) Identity "WAASMacAct" has been blacklisted [SRDiIdMgr
''''''09/25/2012 18:47:54.147(Local)(9063 0.1) ERRO (147631) Key retrieval failed due to permission issue [SRKeyMg
'''09/25/2012 18:47:54.147(Local)(9063 0.1) ERRO (147636) Identity: WAASMacAct will be black listed. [SRKeyMgr.cpp
09/25/2012 18:47:54.147(Local)(9063 0.1) NTCE (147657) Calling KrbKeyResponse key handler in srlib [SRServer.cpp:
09/25/2012 18:47:54.147(Local)(9063 0.1) NTCE (147722) Queued send reponse buffer to client task [SrlibServerTrans
09/25/2012 18:47:54.147(Local)(9063 0.1) NTCE (147730) KrbKeyResponse, sent to client session object [SrlibServer.
09/25/2012 18:47:54.147(Local)(9063 0.0) NTCE (147733) SendNextCmd isDuringSend 0, WriteQueue size 1 isDuringClose
09/25/2012 18:47:54.147(Local)(9063 0.1) NTCE (147740) Send Key response to the Client
Resolution 1: Consult the configuration guide and verify the object in AD has the correct permissions.
"Replicating Directory Changes" and "Replicating Directory Changes All" must both be set to allow.
http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v511/configuration/guide/policy.html#wp1256547
Problem 2: There is a time skew between the Core WAE and the KDC it attempts to retrieve the key from
Output from sr-errolog on Core WAE
Problem 3: The domain you defined for your Encryption service does not match the domain your Exchange
server is in.
Output from sr-errolog on Core WAE
10/23/2012
10/23/2012
10/23/2012
10/23/2012
10/23/2012
10/23/2012
10/23/2012
18:41:21.918(Local)(3780
18:41:21.918(Local)(3780
18:41:21.918(Local)(3780
18:41:21.918(Local)(3780
18:41:21.918(Local)(3780
18:41:21.918(Local)(3780
18:41:21.918(Local)(3780
1.5)
1.5)
0.0)
1.5)
0.0)
0.0)
0.0)
NTCE
NTCE
NTCE
NTCE
ERRO
NTCE
NTCE
(918788)
(918793)
(918790)
(918798)
(918813)
(918821)
(918832)
Resolution 3: If your Core WAE services multiple Exchange servers in different domains you must configure
an Encryption service Identity for each domain the Exchange servers reside in.
Note, there is NO support for sub-domain include at this time. So if you have myexchange.sub-domain.domain.com , the
Encryption service Identity must be in sub-domain.domain.com; it CAN NOT be in the parent domain.
Mode
----
Value
------
Resolution 2: Use ntpdate on all WAEs (especially the Core) to sync the clock with the KDC. Then point to the enterprise
62 NTP
User
User
User
User
User
User
enabled
enabled
default
default
default
enabled
'''10/08/2012 20:02:15.025(Local)(24333 0.0) NTCE (25621) (fl=267542) Client 10.16.1.201 disconnected more than fo
[EdgeTcpConnectionDceRpcLayer.cpp:1443]
'''10/08/2012 20:02:15.025(Local)(24333 0.0) NTCE (25634) (fl=267542) CEdgeIOBuffers:: StartHandOverProcessSingleC
[EdgeIOBuffers.cpp:826]
10/08/2012 20:02:15.025(Local)(24333 0.0) NTCE (25644) (fl=267542) CEdgeIOBuffers::CheckSendHandOverRequestToCoreA
fragment of call id 0, current call id is 2 [EdgeIOBuffers.cpp:324]
10/08/2012 20:02:15.048(Local)(24333 0.1) NTCE (48753) (fl=267542) Connection multiplexing enabled by server on th
10/08/2012 20:02:15.048(Local)(24333 0.1) NTCE (48771) (fl=267542) Header signing enabled by server on the connect
10/08/2012 20:02:15.048(Local)(24333 0.1) NTCE (48779) (fl=267542) CEdgeIOBuffers:: StartHandOverProcessSingleConn
'''10/08/2012 20:04:34.430(Local)(5939 4.0) ERRO (430001) certificate verification failed 'self signed certificate
'''10/08/2012 20:04:34.430(Local)(5939 4.0) ERRO (430047) ssl_read failed: 'SSL_ERROR_SSL' [open_ssl.cpp:1217]
10/08/2012 20:04:34.430(Local)(5939 4.0) ERRO (430055) openssl errors: error:14090086: SSL routines: SSL3_GET_SERV
[open_ssl.cpp:1220]
Resolution 4: Remove peer cert verify configuration from both WAEs and restart the encrytpion service on the
Core WAE(s).
pdi-7541-dc(config)#crypto ssl services host-service peering
pdi-7541-dc(config-ssl-peering)#no peer-cert-verify
pdi-7541-dc(config)#no windows-domain encryption-service enable
pdi-7541-dc(config)#windows-domain encryption-service enable
Problem 5: If NTLM is used by the Outlook client the connection will be pushed down to Generic AO.
You will see the following in the mapiao-errorlog on the client side WAE:
63
In the scenario above, Kerberos does not work - and clients will fall-back to NTLM by defult. I believe this is due to the fact that
clients have to AUTH to the CAS server vs. the Mailbox server, as they did in previous Exchange releases.
In Exchange 2010 RTM, there is no fix for this! Kerberos in the above scenario will never function pre-Exchange 2010-SP1.
In SP1, Kerberos can be enabled in these environments, but it's a manual process. See the article here:
http://technet.microsoft.com/en-us/library/ff808313.aspx
MAPI AO Logging
The following log files are available for troubleshooting MAPI AO issues:
Transaction log files: /local1/logs/tfo/working.log (and /local1/logs/tfo/tfo_log_*.txt)
Debug log files: /local1/errorlog/mapiao-errorlog.current (and mapiao-errorlog.*)
For easier debugging, you should first set up an ACL to restrict packets to one host.
WAE674(config)# ip access-list extended 150 permit tcp host 10.10.10.10 any
WAE674(config)# ip access-list extended 150 permit tcp any host 10.10.10.10
You can view the end of a transaction log file by using the type-tail command as follows:
wae# type-tail tfo_log_10.10.11.230_20090715_130000.txt
Wed Jul 15 19:12:35 2009 :2289 :10.10.10.10 :3740 :10.10.100.101
Wed Jul 15 19:12:35 2009 :2289 :10.10.10.10 :3740 :10.10.100.101
Wed Jul 15 19:12:35 2009 :2290 :10.10.10.10 :3738 :10.10.100.101
Wed Jul 15 19:12:35 2009 :2290 :10.10.10.10 :3738 :10.10.100.101
Wed Jul 15 19:12:35 2009 :2284 :10.10.10.10 :3739 :10.10.100.101
:1146
:1146
:1146
:1146
:1146
To set up and enable debug logging of the MAPI AO, use the following commands.
NOTE: Debug logging is CPU intensive and can generate a large amount of output. Use it judiciously and sparingly in a
production environment.
You can enable detailed logging to the disk as follows:
WAE674(config)# logging disk enable
You can enable debug logging for connections in the ACL as follows:
WAE674# debug connection access-list 150
You can enable debug logging for MAPI connections and then display the end of the debug error log as follows:
WAE674# debug accelerator mapi Common-flow
WAE674# type-tail errorlog/mapiao-errorlog.current follow
MAPI AO Logging
Guide Contents
Main Article
Understanding the WAAS Architecture and Traffic Flow
Preliminary WAAS Troubleshooting
Troubleshooting Optimization
Troubleshooting Application Acceleration
Troubleshooting the CIFS AO
Troubleshooting the HTTP AO
Troubleshooting the EPM AO
Troubleshooting the MAPI AO
Troubleshooting the NFS AO
Troubleshooting the SSL AO
Troubleshooting the Video AO
Troubleshooting the Generic AO
Troubleshooting Overload Conditions
Troubleshooting WCCP
Troubleshooting AppNav
Troubleshooting Disk and Hardware Problems
Troubleshooting Serial Inline Clusters
Troubleshooting vWAAS
Troubleshooting WAAS Express
65
Contents
1 NFS Accelerator
Troubleshooting
2 NFS AO Logging
The NFS accelerator optimizes NFSv3 traffic. Other NFS versions are not optimized by the NFS AO.
You can verify the general AO configuration and status with the show accelerator and show license commands, as described in
the Troubleshooting Application Acceleration article. The Enterprise license is required for NFS accelerator operation.
Next, verify the status specific to the NFS AO by using the show accelerator nfs command, as shown in Figure 1. You want to
see that the NFS AO is Enabled, Running, and Registered, and that the connection limit is displayed. If the Config State is
Enabled but the Operational State is Shutdown, it indicates a licensing problem.
Figure 1. Verifying the NFS Accelerator Status
Use the show running-config command to verify that the NFS traffic policy is properly configured. You want to see accelerate
nfs for the File-System application classifier NFS action and you want to see appropriate match conditions listed for the NFS
classifier, as follows:
Contents
66
<-------------
<-------------
Use the show statistics connection optimized nfs command to check that the WAAS device is establishing optimized NFS
connections. Verify that "N" appears in the Accel column for NFS connections, which indicates that the NFS AO was used.
WAE674# sh stat conn opt nfs
D:DRE,L:LZ,T:TCP Optimization,
C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,S:SSL,V:VIDEO,
ConnID
582
Local IP:Port
10.56.94.101:33606
Remote IP:Port
10.56.94.80:2049
PeerID
0:1a:64:d3:2f:b8
Accelerator
NTDL
Use the show statistics accelerator nfs command to verify the following:
The NFS traffic is NFSv3. Look at the Total RPC Calls per NFS Version field. The output of that field is an array of 5
values, and you want to see mostly NFSv3 traffic, which is reported in the 4th counter. High numbers in other array
positions signify other NFS versions.
NFS traffic is not encrypted. Look at the Total RPC Calls per Authentication Flavor field. The output of that field is an
array of 4 values, and you want to see mostly unencrypted traffic, which corresponds to the first 3 counters. A high
number in the last counter signifies encrypted NFS traffic. Also check the Total RPC Calls with Unknown Authentication
Flavor field, where you want to see 0 or a small number because these connections are not optimized.
The NFS connection is asynchronous. Verify that the Percentage of Requests Served Locally field is nonzero.
WAE# sh statistics accelerator nfs
NFS:
Global Statistics
----------------Time Accelerator was started:
16:40:06 2009
Time Statistics were Last Reset/Cleared:
16:40:06 2009
Total Handled Connections:
Total Optimized Connections:
Total Connections Handed-off with Compression Policies Unchanged:
Total Dropped Connections:
Current Active Connections:
Current Pending Connections:
Maximum Active Connections:
Total RPC Calls per Authentication Flavor:
298544
0
0
Total RPC Calls with Unknown Authentication Flavor:
Total RPC Calls per NFS Version:
0
0
298609
0
Total RPC Calls with Unknown NFS Version:
Total Requests:
Total Local Replies:
Percentage of Requests Served Locally:
Percentage of Requests Served Remotely:
Average Time to Generate Local READ Reply (ms):
Average Time to Generate Local WRITE Reply (ms):
Average Time to Generate Local GETATTR Reply (ms):
Average Time to Generate Local Reply (ms):
Average Time to Receive Remote Reply (ms):
Meta-Data Cache Access Count:
Meta-Data Cache Hit Count:
Fri Oct 23
Fri Oct 23
170
170
0
0
0
0
13
65
0
0
0
298609
191713
64
36
15
0
0
0
10
206017
191673
<----Should be nonzero
67
128926
93
You can view the NFS connection statistics by using the show statistics connection optimized nfs detail command as follows:
WAE674# show stat conn opt nfs detail
Connection Id:
1916
Peer Id:
00:14:5e:84:24:5f
Connection Type:
EXTERNAL CLIENT
Start Time:
Thu Jun 25 07:09:09 2009
Source IP Address:
10.10.10.20
Source Port Number:
928
Destination IP Address:
10.10.100.102
Destination Port Number: 2049
Application Name:
File-System
<-----Should
Classifier Name:
NFS
<-----Should
Map Name:
basic
Directed Mode:
FALSE
Preposition Flow:
FALSE
Policy Details:
Configured:
TCP_OPTIMIZE + DRE + LZ
Derived:
TCP_OPTIMIZE + DRE + LZ
Peer:
TCP_OPTIMIZE + DRE + LZ
Negotiated:
TCP_OPTIMIZE + DRE + LZ
Applied:
TCP_OPTIMIZE + DRE + LZ
Accelerator Details:
Configured:
NFS
<-----Should
Derived:
NFS
Applied:
NFS
<-----Should
Hist:
None
Original
Optimized
-------------------- -------------------Bytes Read:
5120
4639
Bytes Written:
28136
1407
. . .
see File-System
see NFS
NFS : 1916
Time Statistics were Last Reset/Cleared:
07:09:09 2009
Total Bytes Read:
28136
Total Bytes Written:
5120
Bit Flags for I/O state:
Histogram of Buffers Read From Local Endpoint:
1
0
0
0
Total NFS Requests:
Total Replies Served Locally:
Percentage of Requests Served Locally:
Percentage of Requests Served Remotely:
Average Time to Generate Local READ Reply (ms):
Average Time to Generate Local WRITE Reply (ms):
Average Time to Generate Local GETATTR Reply (ms):
Average Time to Generate Local Reply (ms):
Average Time to Receive Remote Reply (ms):
Total RPC Procedure Calls:
9
0
10
7
0
4
0
0
0
0
0
0
1
0
0
0
0
. . .
Total Unknown RPC Procedure Calls:
Total Write RPCs Using Stable-how Enumerated Values:
0
1
Thu Jun 25
5120
28136
19
31
32
4
12
88
0
0
0
0
103
0
0
0
1
0
0
0
68
0
0
Thu Jun 25
9
4
1000
44
0
NFS AO Logging
The following log files are available for troubleshooting NFS AO issues:
Transaction log files: /local1/logs/tfo/working.log (and /local1/logs/tfo/tfo_log_*.txt)
Debug log files: /local1/errorlog/nfsao-errorlog.current (and nfsao-errorlog.*)
For easier debugging, you should first set up an ACL to restrict packets to one host.
WAE674(config)# ip access-list extended 150 permit tcp host 10.10.10.10 any
WAE674(config)# ip access-list extended 150 permit tcp any host 10.10.10.10
You can view the end of a transaction log file by using the type-tail command.
To set up and enable debug logging of the NFS AO, use the following commands.
NOTE: Debug logging is CPU intensive and can generate a large amount of output. Use it judiciously and sparingly in a
production environment.
You can enable detailed logging to the disk as follows:
WAE674(config)# logging disk enable
WAE674(config)# logging disk priority detail
You can enable debug logging for connections in the ACL as follows:
WAE674# debug connection access-list 150
You can enable debug logging for NFS connections and then display the end of the debug error log as follows:
NFS AO Logging
69
Guide Contents
Main Article
Understanding the WAAS Architecture and Traffic Flow
Preliminary WAAS Troubleshooting
Troubleshooting Optimization
Troubleshooting Application Acceleration
Troubleshooting the CIFS AO
Troubleshooting the HTTP AO
Troubleshooting the EPM AO
Troubleshooting the MAPI AO
Troubleshooting the NFS AO
Troubleshooting the SSL AO
Troubleshooting the Video AO
Troubleshooting the Generic AO
Troubleshooting Overload Conditions
Troubleshooting WCCP
Troubleshooting AppNav
Troubleshooting Disk and Hardware Problems
Troubleshooting Serial Inline Clusters
Troubleshooting vWAAS
Troubleshooting WAAS Express
Troubleshooting NAM Integration
Contents
1 SSL Accelerator Overview
2 Troubleshooting the SSL AO
2.1 Troubleshooting HTTP AO to SSL AO Handoff
Connections
2.2 Troubleshooting Server Certificate Verification
2.3 Troubleshooting Client Certificate Verification
2.4 Troubleshooting Peer WAE Certificate Verification
2.5 Troubleshooting OCSP Revocation Checking
2.6 Troubleshooting DNS Configuration
2.7 Troubleshooting HTTP to SSL AO Chaining
2.8 SSL AO Logging
2.9 Troubleshooting Certificate Expiry Alarms on NME and
SRE Modules
Contents
70
If you see an Operational State of Gen Crypto Params, wait until the status becomes Running, which may take a few minutes
following a reboot. If you see a state of Retrieving Keys from CM for more than a few minutes, it could indicate that the CMS
service on the Central Manager is not running, that there is no network connectivity to the Central Manager, that the WAAS
versions on the WAE and Central Manager are incompatible, or that the Central Manager secure store is not open.
You can verify that the Central Manager secure store is initialized and open by using the show cms secure-store command as
follows:
cm# show cms secure-store
secure-store is initialized and open.
If the secure store is not initialized or open, you will see critical alarms such as mstore_key_failure and secure-store. You can
open the secure store with the cms secure-store open command or from the Central Manager, choose Admin > Secure Store.
Tip: Document the secure store password to avoid having to reset the secure store if you forget the password.
If there is a problem with the disk encryption on a WAE, that can also prevent the SSL AO from operating. Use the show disk
details command to verify that disk encryption is enabled and check if the CONTENT and SPOOL partitions are mounted. If
these partitions are mounted, it indicates that the disk encryption keys were successfully retrieved from the Central Manager and
Use the show running-config command to verify that the HTTPS traffic policy is properly configured. You want to see optimize
DRE no compression none for the SSL application action and you want to see appropriate match conditions listed for the HTTPS
classifier, as follows:
WAE674# sh run | include HTTPS
classifier HTTPS
name SSL classifier HTTPS action optimize DRE no compression none
WAE674# sh run | begin HTTPS
<-------------
<-------------
An active accelerated service inserts dynamic policies corresponding to the server IP:port, server name:port, or server domain:port
configured within the accelerated service. These policies can be inspected using the show policy-engine application dynamic
command. The Dst field in each displayed policy indicates the server IP and port matching the accelerated service. For the
wildcard domain (for example, server-domain *.webex.com port 443), the Dst field will be 'Any:443'. For the server-name
configuration, forward DNS lookup is performed when the accelerated service is activated and all the IP addresses returned in the
DNS response will be inserted in the policy engine. This command is useful to catch situations where an accelerated service is
marked "inservice" but the accelerated service is rendered inactive because of some other error. For example, all accelerated
services are dependent on the peering service, and if the peering service is inactive because of a missing/deleted certificate, then
an accelerated service will also be marked as inactive although it appears to be "inservice" in the show running-config output. You
can verify that the SSL dynamic policy is active on the data center WAE by using the show policy-engine application dynamic
command. You can verify the peering service status by using the show crypto ssl services host-service peering command.
An SSL AO accelerated service configuration can have four types of server entries:
Static IP (server-ip)--available in version 4.1.3 and later
Catch All (server-ip any)--available in 4.1.7 and later
Hostname (server-name)--available in 4.2.1 and later
Wildcard domain (server-domain)--available in 4.2.1 and later
Once the connection is received by the SSL AO, it decides which accelerated service should be used for optimization. The static
IP configuration is given the highest preference, followed by server name, server domain, and then the server ip any. If none of the
configured and activated accelerated services match with the server IP for the connection, the connection is pushed down to the
generic AO. The cookie inserted into the policy engine by the SSL AO is used to determine which accelerated service and what
type of server entry is matched for a particular connection. This policy engine cookie is a 32-bit number and is meaningful only to
the SSL AO. The higher bits are used to indicate different server entry types and the lower bits indicate the accelerated service
index, as follows:
Server Entry
Type
0x8xxxxxxx
Server IP
address
0x4xxxxxxx
Server
hostname
Data center WAE performs a forward DNS lookup for the hostname and it adds the IP addresses
that are returned into the dynamic policy configuration. Refreshed every 10 minutes by default.
0x2FFFFFFF
Data center WAE performs a reverse DNS lookup on the destination host IP address to determine
Server
if it matches with the domain. If it matches, then SSL traffic is accelerated, and if it does not
domain name
match, the traffic is handled according to the static HTTPS policy.
0x1xxxxxxx
Server Any
Comments
All SSL connections are accelerated using this accelerated service configuration
74
Allocations: 1751
<---------------<----------------
<----------------
Allocations: 1751
(4)
<---------------<----------------
<---------------(4)
<---------------<----------------
<---------------(4)
<---------------<----------------
<---------------(4)
<---------------<----------------
75
<----------------
Allocations: 1751
<---------------<----------------
<----------------
Allocations: 1751
<---------------<----------------
<----------------
76
You can verify that these ciphers match those configured on the origin server. Note: Ciphers that include DHE are not supported
by Microsoft IIS servers.
On an Apache server, you can verify the SSL version and cipher details in the httpd.conf file. These fields may also be in a
separate file (sslmod.conf) referenced from httpd.conf. Look for the SSLProtocol and SSLCipherSuite fields as follows:
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
. . .
SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/ssl/server.key
To verify the certificate issuer on an Apache server, use the openssl command to read the certificate as follows:
> openssl x509 -in cert.pem -noout -issuer -issuer_hash
issuer= / C=US/ST=California/L=San Jose/O=CISCO/CN=tools.cisco.com/emailAddress=webmaster@cisco.com be7cee67
In the browser, you can view a certificate and its details to determine the certificate chain, version, encryption key type, issuer
common name (CN), and subject/site CN. In Internet Explorer, click the padlock icon, click View Certificate, and then look at the
Details and Certification Path tabs for this information.
Most browsers require that client certificates be in the PKCS12 format rather than the X509 PEM format. To export the X509
PEM format to PKCS12 format, use the openssl command as follows on an Apache server:
Troubleshooting the SSL AO
77
If the private keys are encrypted, the passphrase is required for export. The export password is used again for importing
credentials to the WAAS device.
Use the show statistics accelerator ssl command to see the SSL AO statistics.
WAE7326# show statistics accelerator ssl
SSL:
Global Statistics
----------------Time Accelerator was started:
Mon Nov 10
15:28:47 2008
Time Statistics were Last Reset/Cleared:
Mon Nov 10
15:28:47 2008
Total Handled Connections:
17
Total Optimized Connections:
17
Total Connections Handed-off with Compression Policies Unchanged: 0
Total Dropped Connections:
0
Current Active Connections:
0
Current Pending Connections:
0
Maximum Active Connections:
3
Total LAN Bytes Read:
25277124
Total Reads on LAN:
5798
Total LAN Bytes Written:
6398
Total Writes on LAN:
51
Total WAN Bytes Read:
43989
Total Reads on WAN:
2533
Total WAN Bytes Written:
10829055
Total Writes on WAN:
3072
. . .
<---------------<---------------<---------------<----------------
<---------------<---------------<---------------<---------------<---------------<---------------<---------------<----------------
Failed sessions and certificate verifications statistics can be useful for troubleshooting and are more easily retrieved by using the
following filter on the show statistics accelerator ssl command:
WAE# show statistics accelerator ssl | inc Failed
Total Failed Handshakes:
Total Failed Certificate Verifications:
Failed certificate verifications due to invalid certificates:
Failed Certificate Verifications based on OCSP Check:
Failed Certificate Verifications (non OCSP):
Total Failed Certificate Verifications due to Other Errors:
Total Failed OCSP Requests:
Total Failed OCSP Requests due to Other Errors:
Total Failed OCSP Requests due to Connection Errors:
Total Failed OCSP Requests due to Connection Timeouts:
Total Failed OCSP Requests due to Insufficient Resources:
47
28
28
0
28
0
0
0
0
0
0
DNS related statistics can be useful for troubleshooting server name and wildcard domain configuration. To retrieve these
statistics use the show statistics accelerator ssl command, as follows:
WAE# show statistics accelerator ssl
. . .
Number of forward DNS lookups issued:
Number of forward DNS lookups failed:
Number of flows with matching host names:
Number of reverse DNS lookups issued:
Number of reverse DNS lookups failed:
Number of reverse DNS lookups cancelled:
Number of flows with matching domain names:
Number of flows with matching any IP rule:
18
0
8
46
4
0
40
6
78
SSL rehandshake related statistics can be useful for troubleshooting and can be retrieved using the following filter on the show
statistics accelerator ssl command:
WAE# show statistics accelerator ssl | inc renegotiation
Total renegotiations requested by server:
Total SSL renegotiations attempted:
Total number of failed renegotiations:
Flows dropped due to renegotiation timeout:
0
0
0
0
Use the show statistics connection optimized ssl command to check that the WAAS device is establishing optimized SSL
connections. Verify that "TDLS" appears in the Accel column for a connection. "S" indicates that the SSL AO was used as
follows:
WAE674# sh stat conn opt ssl
Current Active Optimized Flows:
Current Active Optimized TCP Plus Flows:
Current Active Optimized TCP Only Flows:
Current Active Optimized TCP Preposition Flows:
Current Active Auto-Discovery Flows:
Current Active Pass-Through Flows:
Historical Flows:
3
3
0
1
0
0
100
D:DRE,L:LZ,T:TCP Optimization,
A:AOIM,C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,S:SSL,V:VIDEO
ConnID
342
Local IP:Port
10.56.94.101:3406
Remote IP:Port
10.10.100.100:443
PeerID
0:1a:64:d3:2f:b8
Accelerator
TDLS
You can check connection statistics for closed connections by using the show statistics connection closed ssl command.
If the connections are not getting optimized, check if WCCP/PBR is properly configured and working, and check for asymmetric
routing.
You can view the SSL connection statistics by using the show statistics connection optimized ssl detail command, where you
will see the dynamic policy that results from the configured SSL accelerated service. Note: The configured policy is TFO
optimization only, but full optimization is applied as a result of the configured SSL service.
WAE674# sh stat connection optimized ssl detail
Connection Id:
1633
Peer Id:
00:14:5e:84:24:5f
Connection Type:
EXTERNAL CLIENT
Start Time:
Wed Jul 15 06:35:48 2009
Source IP Address:
10.10.10.10
Source Port Number:
2199
Destination IP Address:
10.10.100.100
Destination Port Number: 443
Application Name:
SSL
Classifier Name:
HTTPS
Map Name:
basic
Directed Mode:
FALSE
Preposition Flow:
FALSE
Policy Details:
Configured:
TCP_OPTIMIZE
Derived:
TCP_OPTIMIZE + DRE + LZ
Peer:
TCP_OPTIMIZE
Negotiated:
TCP_OPTIMIZE + DRE + LZ
Applied:
TCP_OPTIMIZE + DRE + LZ
79
Bytes Read:
Bytes Written:
. . .
None
None
SSL
None
Original
Optimized
-------------------- -------------------1318
584
208
1950
Later in this output, extended SSL session level details are shown as follows:
. . .
SSL : 1633
Time Statistics were Last Reset/Cleared:
Total Bytes Read:
Total Bytes Written:
Memory address:
LAN bytes read:
Number of reads on LAN fd:
LAN bytes written out:
Number of writes on LAN fd:
WAN bytes read:
Number of reads on WAN fd:
WAN bytes written out:
Number of writes on WAN fd:
LAN handshake bytes read:
LAN handshake bytes written out:
WAN handshake bytes read:
WAN handshake bytes written out:
AO bytes read:
Number of reads on AO fd:
AO bytes written out:
Number of writes on AO fd:
DRE bytes read:
Number of reads on DRE fd:
DRE bytes written out:
Number of writes on DRE fd:
Number of renegotiations requested by server:
Number of SSL renegotiations performed:
Flow state:
LAN work items:
LAN conn state:
LAN SSL state:
WAN work items:
WAN conn state:
WAN SSL state:
W2W work items:
W2W conn state:
W2W SSL state:
AO work items:
AO conn state:
DRE work items:
DRE conn state:
Hostname in HTTP CONNECT:
IP Address in HTTP CONNECT:
TCP Port in HTTP CONNECT:
80
Server certificate verification requires that you import the correct CA certificate to the data center WAE.
1. Inspect the server certificate and retrieve the Issuer name. This Issuer name within the server certificate must match the subject
name within the matching CA certificate. If you have PEM encoded certificates, you can use the following openssl command on a
server with openssl installed:
2. Ensure that the matching crypto pki ca configuration exists on the data center WAE by using show running-config command.
For a CA certificate to be used by the WAE in the verification process, a crypto pki ca configuration item is required for each CA
certificate imported. For example, if a CA certificate company1.ca is imported, then the following configuration must be made on
the data center WAE:
Note: If a CA certificate is imported using the Central Manager GUI, the Central Manager automatically adds the above crypto
pki ca configuration to include the imported CA certificate. However, if the CA certificate is imported via the CLI, then you will
need to manually add the above configuration.
5. Initiate a test connection and then examine the /local/local1/errorlog/sslao-errorlog.current log file. This file should indicate the
issuer name that was included in the server certificate. Ensure that this issuer name exactly matches the subject name of the CA
certificate.
If there are any other internal errors in the logs, it may be helpful to enable additional debug options.
6. Even if the Issuer name and Subject names match, the CA certificate may not be the correct one. In such cases, if the server
certificate is issued by a well-known CA, then a browser can be used to directly (without WAAS) reach the server. When the
browser sets up the connection, the certificate can be examined by clicking the Lock icon that appears on the bottom right of the
browser window or within the browser?s address bar. The certificate details may indicate the appropriate CA certificate matching
this server certificate. Check the Serial Number field within the CA certificate. This serial number should match the serial number
of the certificate that is being imported on the data center WAE.
7. If you have OCSP revocation checking enabled, disable it and check that certificate verification by itself works. For help
troubleshooting OCSP settings see the "Troubleshooting OCSP Revocation Checking" section.
82
This response indicates the name cannot be resolved by the configured name servers.
Try ping/traceoute for the configured name servers to check their reachability and the round trip time.
WAE# ping 2.53.4.3
PING 2.53.4.3 (2.53.4.3) 56(84) bytes of data.
83
2. If the DNS server is reachable and it can resolve names and still the SSL connections are not getting optimized, make sure the
accelerated service configuring the specified domain or hostname is active and there are no alarms for the SSL AO. Use following
commands:
WAE# show alarms
Critical Alarms:
---------------Alarm ID
--------------1 accl_svc_inactive
2 accl_svc_inactive
Module/Submodule
-------------------sslao/ASVC/asvc-host
sslao/ASVC/asvc-domain
Instance
--------------accl_svc_inactive
accl_svc_inactive
Major Alarms:
------------None
Minor Alarms:
------------None
The presence of the "accl_svc_inactive" alarm is an indication that there is some discrepancy in the accelerated service
configuration and there might be one or more accelerated services having overlapping configuration for server entries. Check the
accelerated service configuration and make sure the configuration is correct. Use the following command to verify the
configuration:
WAE# show crypto ssl accelerated service
Accelerated Service
Config State
Oper State
---------------------------------------asvc-ip
ACTIVE
ACTIVE
asvc-host
ACTIVE
INACTIVE
asvc-domain
ACTIVE
INACTIVE
Cookie
-----0
1
2
To check details about a particular accelerated service use the following command:
WAE# show crypto ssl accelerated service asvc-host
Name: asvc-host
Config state: ACTIVE, Oper state: INACTIVE, Cookie: 0x3, Error vector: 0x0
No server IP addresses are configured
The following server host names are configured:
lnxserv.shilpa.com port 443
Host 'lnxserv.shilpa.com' resolves to following IPs:
--none-No server domain names are configured
One reason that the operational state of the accelerated service might be INACTIVE is a DNS failure. For example, if there is a
server hostname in the accelerated service configuration and the WAE cannot resolve the server IP address, then it cannot
configure the appropriate dynamic policy.
3. If the statistics counter for ?Pipe-through due to non-matching domain name? is increasing, it is an indication that the SSL
connection is for a server that is configured for optimization. Check the policy engine entries using following command:
Troubleshooting DNS Configuration
84
Check the connection status using the show statistics connection command. The first connection should show an Accelerator of
TSGDL and the subsequent connections, until the lifetime of the TIME_DENY policy entry, should be TDL.
4. If the DNS server is across the WAN with respect to the data center WAE, or if the reverse DNS response time is too long, then
some connections may be dropped. This depends on the client timeout and the rDNS response time. In this case, the counter for
?Number of reverse DNS lookups cancelled? increases and the connection is dropped. This situation is an indication that the DNS
server is not responsive or very slow and/or NSCD on WAAS is not working. The NSCD status can be checked using the show
alarms command. The probability of this happening is very low since in most deployments, the DNS server is expected to be on
the same LAN as the data center WAE.
85
SSL AO Logging
The following log files are available for troubleshooting SSL AO issues:
Transaction log files: /local1/logs/tfo/working.log (and /local1/logs/tfo/tfo_log_*.txt)
SSL AO Logging
86
You can view the end of a transaction log file by using the type-tail command as follows:
To set up and enable debug logging of the SSL AO, use the following commands.
NOTE: Debug logging is CPU intensive and can generate a large amount of output. Use it judiciously and sparingly in a
production environment.
You can enable detailed logging to the disk as follows:
WAE674(config)# logging disk enable
WAE674(config)# logging disk priority detail
You can enable debug logging for connections in the ACL as follows:
WAE674# debug connection access-list 150
SSL AO Logging
ssl ?
accelerated service debugs
SSL AO alarm debugs
all SSL accelerator debugs
auth manager debugs
am generic service debugs
bio layer debugs
cert auth module debugs
cert auth pool debugs
cipherlist debugs
client-to-server datapath debugs
dataserver debugs
flow shutdown debugs
generic debugs
ocsp debugs
oom-manager debugs
opnessl internal debugs
peering service debugs
session cache debugs
SSL shell debugs
session manager alert debugs
session manager generic debugs
session manager i/o debugs
sm pipethrough debugs
87
You can enable debug logging for SSL connections and then display the end of the debug error log as follows:
WAE674# debug accelerator ssl all
WAE674# debug connection all
Enabling debug messages for all connections.
Are you sure you want to do this? (y/n) [n]y
WAE674# type-tail errorlog/sslao-errorlog.current follow
Module/Submodule
-------------------sslao/SGS/gsetting
Instance
--------------cert_near_expiration
Module/Submodule
-------------------sslao/SGS/gsetting
Instance
--------------cert_expired
or
Alarm ID
--------------1 cert_expired
The Central Manager GUI reports the following alarm: "Certificate__waas-self__.p12 is near expiration it is configured as
machine cert in global settings"
You can use one of the following solutions to resolve this problem:
Configure a different certificate for global settings:
SRE# crypto generate self-signed-cert waas-self.p12 rsa modulus 1024
SRE# config
SRE(config)# crypto ssl services global-settings machine-cert-key waas-self.p12
Update the self-signed factory certificate with a later expiration date. This solution requires a script that you can obtain by
contacting Cisco TAC.
NOTE: This issue is fixed by the resolution of caveat CSCte05426, released in WAAS software versions 4.1.7b, 4.2.3c, and 4.3.3.
The certification expiration date is changed to 2037.
Troubleshooting Certificate Expiry Alarms on NME and SRE Modules
88
Guide Contents
Main Article
Understanding the WAAS Architecture and Traffic Flow
Preliminary WAAS Troubleshooting
Troubleshooting Optimization
Troubleshooting Application Acceleration
Troubleshooting the CIFS AO
Troubleshooting the HTTP AO
Troubleshooting the EPM AO
Troubleshooting the MAPI AO
Troubleshooting the NFS AO
Troubleshooting the SSL AO
Troubleshooting the Video AO
Troubleshooting the Generic AO
Troubleshooting Overload Conditions
Troubleshooting WCCP
Troubleshooting AppNav
Troubleshooting Disk and Hardware Problems
Troubleshooting Serial Inline Clusters
Troubleshooting vWAAS
Troubleshooting WAAS Express
Troubleshooting NAM Integration
Contents
1 Video Accelerator
Troubleshooting
2 Video AO Logging
The Video accelerator optimizes Windows Media live streams that are requested over RTSP. Requests for RTSP-UDP streams are
denied by WAAS and the player will automatically request an RTSP-TCP stream. Incoming stream splitting allows multiple
clients to watch live video over a single stream on the WAN.
You can verify the general AO configuration and status with the show accelerator and show license commands, as described in
the Troubleshooting Application Acceleration article. The Video and Enterprise licenses are required for Video accelerator
operation.
Next, verify the status that is specific to the video AO by using the show accelerator video command, as shown in Figure 1. You
want to see that the video AO is Enabled, Running, and Registered, and that the connection limit is displayed. If the Config State
is Enabled but the Operational State is Shutdown, it indicates a licensing problem.
Contents
89
Use the show statistics accelerator video command to see the Video AO statistics. The following output shows that one
incoming video stream from the WAN was split to 10 clients, which removed 9 video streams from the WAN.
wae# sh stat acc video
Time elapsed since "clear statistics": 1days 0hr 50min 30sec
Video Connections
==================================================================
Connections handled
num
%
-----------------------------------------------------------------Total handled
3330
100.00
Windows-media live accelerated
3329
99.97
Un-accelerated pipethru
1
0.03
Un-accelerated dropped due to config
0
0.00
Error dropped connections
0
0.00
Windows-media active sessions
current
max
-----------------------------------------------------------------Outgoing (client) sessions
10
10
Incoming (server) sessions
1
10
To examine the reasons why the video AO is not accelerating video connections, use the show statistics accelerator video detail
command. In the example below, the video is not a live broadcast stream but is a video-on-demand (VoD), which is not
If videos are not being accelerated as expected, it is often because they are not marked with the live broadcast cache-control
header, x-wms-stream-type="broadcast". VoD streams lack this header. Figure 2 shows where to find the cache-control header in
the Windows Media Server response to the player, using Wireshark.
Figure 2. Windows Media Cache-Control Header
91
The URLs for video streams are case sensitive to the video AO, so if a video stream is not being optimized or not playing,
carefully check the URL case and verify that the video is still played. Also verify that the video can be played directly from the
video server, without using WAAS in the network path, to ensure that the video is playable.
Use the show statistics connection optimized video command to check that the WAAS device is establishing optimized video
connections. Verify that "V" appears in the Accel column for video connections, which indicates that the video AO was used as
follows:
WAE# sh stat conn opt video
Current Active Optimized Flows:
Current Active Optimized TCP Plus Flows:
Current Active Optimized TCP Only Flows:
Current Active Optimized TCP Preposition Flows:
Current Active Auto-Discovery Flows:
Current Reserved Flows:
Current Active Pass-Through Flows:
Historical Flows:
500
500
0
0
0
15
0
302
Source IP:Port
2.75.13.3:1442
2.75.13.3:1443
Dest IP:Port
PeerID Accel RR
2.75.11.3:554 00:1a:64:64:b1:ec TV
00.0%
2.75.11.3:554 00:1a:64:64:b1:ec TV
100.0%
92
2.75.13.3:1444
2.75.11.3:554 00:1a:64:64:b1:ec TV
100.0%
You can see in the connections above that DRE and LZ optimizations are not used with video, but the primary server connection
is TFO optimized. All subsequent connections for the same video stream show a reduction of 100% because they are completely
removed from the WAN and instead are split from the primary stream at the branch WAE.
To view similar information from the Central Manager, choose the WAE device, then choose Monitor > Optimization >
Connections Statistics.
Figure 3. Connection Statistics Report with Video
The show statistics connection optimized video windows-media command is useful to show the status of all inbound video
streams, including the requesting URL. The show statistics connection optimized video detail command is useful to list all the
inbound and outbound video streams being handled by the video AO.
Video AO Logging
The following log files are available for troubleshooting video AO issues:
Transaction log files: /local1/logs/tfo/working.log (and /local1/logs/tfo/tfo_log_*.txt)
Debug log files: /local1/errorlog/videoao-errorlog.current (and videoao-errorlog.*)
Debug log files for the WM module: /local1/errorlog/wmt_errorlog.current (and wmt_errorlog.*)
To enable transaction logging, use the transaction-logs configuration command as follows:
wae(config)# transaction-logs accelerator video windows-media enable
You can view the end of a transaction log file by using the type-tail command.
NOTE: Debug logging is CPU intensive and can generate a large amount of output. Use it judiciously and sparingly in a
production environment.
To set up and enable debug logging of the video AO, enable detailed logging to the disk:
WAE674(config)# logging disk enable
WAE674(config)# logging disk priority detail
You can enable debug logging for video connections and then display the end of the debug error log as follows:
WAE674# debug accelerator video all
WAE674# type-tail errorlog/videoao-errorlog.current follow
Guide Contents
Main Article
Understanding the WAAS Architecture and Traffic Flow
Preliminary WAAS Troubleshooting
Troubleshooting Optimization
Troubleshooting Application Acceleration
Troubleshooting the CIFS AO
Troubleshooting the HTTP AO
Troubleshooting the EPM AO
Troubleshooting the MAPI AO
Troubleshooting the NFS AO
Troubleshooting the SSL AO
Troubleshooting the Video AO
Troubleshooting the Generic AO
Troubleshooting Overload Conditions
Troubleshooting WCCP
Troubleshooting AppNav
Troubleshooting Disk and Hardware Problems
Troubleshooting Serial Inline Clusters
Troubleshooting vWAAS
Troubleshooting WAAS Express
Troubleshooting NAM Integration
Contents
1 Generic Accelerator
Troubleshooting
2 Generic AO Logging
Contents
94
Tue Jul 14
Thu Jul 16
32
1
24
0
0
0
4
3388
415
25
2147
You can also check connection statistics to see what optimizations are being applied to connections. In the show statistics
connection output, a "G" indicates the connection was handled by the generic AO as follows:
WAE674# sh stat connection
Current Active Optimized Flows:
Current Active Optimized TCP Plus Flows:
Current Active Optimized TCP Only Flows:
Current Active Optimized TCP Preposition Flows:
Current Active Auto-Discovery Flows:
Current Active Pass-Through Flows:
2
2
0
0
5
0
100
D:DRE,L:LZ,T:TCP Optimization,
A:AOIM,C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,S:SSL,V:VIDEO
ConnID
Source IP:Port
Dest IP:Port
PeerID
Accel
3722
3924
10.10.10.10:2162
10.10.10.10:2464
10.10.100.100:445
10.10.100.101:445
00:14:5e:84:24:5f
00:14:5e:84:24:5f
TCDL
TGDL
If you take a closer look at the connection above, you will see that CIFS was configured but the generic AO was applied as
follows:
WAE674# sh stat connection conn-id 3924
Connection Id:
3924
Peer Id:
00:14:5e:84:24:5f
Connection Type:
EXTERNAL CLIENT
Start Time:
Thu Jul 16 06:10:44 2009
Source IP Address:
10.10.10.10
Source Port Number:
2464
Destination IP Address:
10.10.100.101
Destination Port Number: 445
Application Name:
WAFS
Classifier Name:
CIFS
Map Name:
basic
Directed Mode:
FALSE
Preposition Flow:
FALSE
Policy Details:
Configured:
TCP_OPTIMIZE + DRE + LZ
Derived:
TCP_OPTIMIZE + DRE + LZ
Peer:
TCP_OPTIMIZE + DRE + LZ
Negotiated:
TCP_OPTIMIZE + DRE + LZ
Applied:
TCP_OPTIMIZE + DRE + LZ
Accelerator Details:
Configured:
CIFS
Derived:
CIFS
Applied:
GENERICAO
Hist:
CIFS
<-----CIFS configured
<-----Generic applied
To view similar information from the Central Manager, choose the WAE device, then choose Monitor > Optimization >
Connections Statistics. Connections handled by the generic AO look as follows:
Figure 1. Connection Statistics Report with Generic
You can use the show statistics accelerator generic detail command to see more details about connections being handled by the
Tue Jul 14
Tue Jul 14
366
366
0
0
1
0
2
366
1
12055
12492
730
0
0
0
0
0
0
0
<------------
If you are seeing a large Total number of connections handled, some kind of configuration or communication error might be
causing a large number of connections to be pushed down.
Generic AO Logging
The following log files are available for troubleshooting generic AO issues:
Transaction log files: /local1/logs/tfo/working.log (and /local1/logs/tfo/tfo_log_*.txt)
Debug log files: /local1/errorlog/genericao-errorlog.current (and genericao-errorlog.*)
For easier debugging, you should first set up an ACL to restrict packets to one host.
WAE674(config)# ip access-list extended 150 permit tcp host 10.10.10.10 any
WAE674(config)# ip access-list extended 150 permit tcp any host 10.10.10.10
Generic AO Logging
97
You can enable debug logging for connections in the ACL as follows:
WAE674# debug connection access-list 150
You can enable debug logging for generic AO connections and then display the end of the debug error log as follows:
WAE674# debug accelerator generic connection
WAE674# type-tail errorlog/genericao-errorlog.current follow
Guide Contents
Main Article
Understanding the WAAS Architecture and Traffic Flow
Preliminary WAAS Troubleshooting
Troubleshooting Optimization
Troubleshooting Application Acceleration
Troubleshooting the CIFS AO
Troubleshooting the HTTP AO
Troubleshooting the EPM AO
Troubleshooting the MAPI AO
Troubleshooting the NFS AO
Troubleshooting the SSL AO
Troubleshooting the Video AO
Troubleshooting the Generic AO
Troubleshooting Overload Conditions
Troubleshooting WCCP
Troubleshooting AppNav
Troubleshooting Disk and Hardware Problems
Troubleshooting Serial Inline Clusters
Troubleshooting vWAAS
Troubleshooting WAAS Express
Generic AO Logging
98
Contents
1 Overview
2 How to Monitor TFO Flows and Overload Conditions
2.1 Checking the TCP Connection Limit
2.2 Checking the Optimized TCP Connections
3 MAPI Application Accelerator Reserved Connections Impact on
Overload
4 Solutions for Overload Conditions
Overview
The Cisco WAAS network would have been designed to optimize a certain number of TCP connections, based on customer
requirements. Depending on the model of the WAE, there could be additional connection limitations for the SSL and CIFS
application accelerators. When either the overall connection limit or a specific application accelerator connection limit is
exceeded, the device is overloaded. In this situation, more traffic is entering the device than it can handle and so traffic may not be
optimized as expected (overloaded traffic is passed through unoptimized).
When a WAAS accelerator device is overloaded, you typically see the following Central Manager alarm: Entering overload state
due to Max connections (nnn). The number nnn is the number of times the WAE has become overloaded since the last reboot.
The device also logs a syslog error message similar to the following: Sysmon: %WAAS-SYSMON-3-445015: Fault detected: The
TFO accelerator is overloaded (connection limit)
You can use various show commands at the CLI to determine the number of allowed and actual connections and gather more
information.
The first useful command is show tfo detail, which can tell you how many optimized TFO connections that the device can handle,
as follows:
Contents
Value
----Registered
Use Policy
12000
11988
3.0 seconds
99
5
5
0
0
0
12
0
143
D:DRE,L:LZ,T:TCP Optimization,
A:AOIM,C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,S:SSL,V:VIDEO
ConnID
Source IP:Port
Dest IP:Port
PeerID
Accel
92917
92918
92921
94458
36883
10.86.232.131:41197
10.86.232.131:41198
10.86.232.131:41216
10.86.232.131:45354
10.86.232.136:1857
70.70.7.11:3268
70.70.7.11:3268
70.70.7.11:3268
70.70.7.11:1026
10.86.232.131:1026
00:1a:64:69:19:fc
00:1a:64:69:19:fc
00:1a:64:69:19:fc
00:1a:64:69:19:fc
00:1a:64:69:19:fc
TDL
TDL
TDL
TDL
TDL
From the first line in the output (Current Active Optimized Flows), you can see that the device currently has five active optimized
flows. From the second counter (Current Active Optimized TCP Plus Flows), you can see that they are all being handled with
TFO/DRE/LZ optimization (TFO Plus means that DRE and/or LZ optimization is being used in addition to TFO). The third
counter (Current Active Optimized TCP Only Flows) shows flows that are optimized by TFO only.
Another useful counter is the Current Active Auto-discovery Flows, which displays flows that have not been fully set up to
become optimized flows or pass-through flows. To become fully set up, the connection must see the SYN, SYN ACK, ACK
handshake, which is useful to note when dealing with an overload condition. The Current Active Pass-Through Flows counter
shows connections that the device has determined to be pass-through or where the device did not see the SYN, SYN ACK, ACK
setup. These flows will not be counted as optimized flows. For pass-through flows, a device should be able to handle up to 10
times the number of optimized flows for which it is rated.
The Current Reserved Flows counter shows the number of connections reserved for the MAPI accelerator. For more details about
reserved MAPI connections and their impact on device overload, see the section MAPI Application Accelerator Reserved
Connections Impact on Overload.
The sum of the following three counters tells you how close the WAE device is to its connection limit:
Current Active Optimized Flows
Current Active Auto-Discovery Flows
Current Reserved Flows (available only in 4.1.5 and later)
If this sum is equal to or greater than the connection limit, the device is in an overload condition.
Checking the TCP Connection Limit
100
0
0
0
49227
17945
37257
0
0
0
0
0
0
<-----Active Connections
<-----Connection Limit
22907
0
0
0
101
0
0
In some cases, the two counters will differ and the reason is that the ?No. of active connections? displays all the current flows that
being optimized by TFO, TFO/DRE, TFO/DRE/LZ, and TFO/DRE/LZ and an application accelerator. The ?Active Connections?
under the policy engine statistics includes all the flows in the state above plus the connections that are optimized only by TFO and
an application accelerator. This situation means that a TCP flow has come in and matched an application accelerator classifier but
the SYN, SYN ACK, ACK handshake has not been completed.
In many TFO overload cases, if the problem is still occurring, you can look at these commands and determine if the number of
optimized flows is around the rated number of optimized TCP connections for the hardware. If it is, then you can view the flow
details and see what is using up all the flows to determine if this traffic is legitimate and overloading the device or is a virus,
security scanner, or something else occurring on the network.
The "Connection Limit" counter under the policy engine statistics reports the number of connections rejected and passed through
because the WAE has exceeded its rated number of optimized TCP connections. If this counter is high, it means the WAE is
frequently getting more connections than it can handle.
If the number of optimized connections is not close to the rated number of optimized TCP connections and you are still getting an
overload alarm, then you should look at the Current active auto-discovery flows from the show statistics connection command or
the ?Active Connections? under Policy Engine Statistics from the show statistics tfo detail command. In some cases, the number
of optimized connections can be very low but the Active Connections under the Policy Engine Statistics are roughly equal to the
rated number of optimized flows for the hardware. This situation means that there are many flows that match a classifier but they
are not fully established. When a TCP SYN matches a classifier, it will reserve an optimized connection. This connection will not
appear in the optimized TCP connections count until the TCP handshake is finished and optimization starts. If the device
determines that the flow should not be optimized, it will be removed from the count of active connections under the Policy Engine
Statistics.
To further troubleshoot cases where TFO overload is occurring and the Policy Engine Statistics Active Connections seem to be
using up all the optimized TCP connections on the device, use the show statistics accelerator detail command. In the output of
this command, look at the Active Connections under the Policy Engine Statistics for each application accelerator to determine
which application accelerator is receiving these connections that are not fully established. Next, look at what state these flows
might be in by using the show statistics filtering command, which provides you with the number of filtering tuples on the device,
as follows:
wae# show statistics filtering
Number of filtering tuples:
Number of filtering tuple collisions:
Packets dropped due to filtering tuple collisions:
Number of transparent packets locally delivered:
Number of transparent packets dropped:
Packets dropped due to ttl expiry:
Packets dropped due to bad route:
Syn packets dropped with our own id in the options:
Syn-Ack packets dropped with our own id in the options:
Internal client syn packets dropped:
Syn packets received and dropped on estab. conn:
Syn-Ack packets received and dropped on estab. conn:
Syn packets dropped due to peer connection alive:
Syn-Ack packets dropped due to peer connection alive:
Packets recvd on in progress conn. and not handled:
Packets dropped due to peer connection alive:
Packets dropped due to invalid TCP flags:
Packets dropped by FB packet input notifier:
Packets dropped by FB packet output notifier:
Number of errors by FB tuple create notifier:
Number of errors by FB tuple delete notifier:
18
0
0
965106
0
0
10
0
0
0
0
0
525
0
0
1614
0
0
0
0
0
0
0
0
0
The number of filtering tuples is the number of flows on the device that are optimized, in pass-through, in FIN WAIT state, in
setup state, and so on. Each established flow appears as two tuples, one for each side of the flow, so the number that you see in
this output may be much larger than the number of flows that you are seeing in the other commands.
To get more information on the flows in the filtering list, you can use the show filtering list command as follows:
wae# show filtering list
E:
s:
B:
T:
Local-IP:Port
10.86.232.82:23
10.86.232.131:58775
70.70.7.11:3268
70.70.7.11:3268
10.86.232.131:57920
10.86.232.82:23
10.86.232.131:58787
70.70.7.11:1026
10.86.232.131:48698
10.86.232.131:58774
70.70.7.11:389
10.86.232.131:58728
10.86.232.131:58784
70.70.7.11:1026
70.70.7.11:1026
10.86.232.131:58790
70.70.7.11:3268
Remote-IP:Port
10.86.232.134:41784
70.70.7.11:3268
10.86.232.131:58775
10.86.232.131:57920
70.70.7.11:3268
161.44.67.102:4752
70.70.7.11:1026
10.86.232.131:58787
70.70.7.11:1026
70.70.7.11:389
10.86.232.131:58774
70.70.7.11:1026
70.70.7.11:1026
10.86.232.131:58784
10.86.232.131:48698
70.70.7.11:3268
10.86.232.131:58790
Tuple(Mate)
0xbc1ae980(0x0
)
0x570b2900(0x570b2b80)
0x570b2b80(0x570b2900)
0x570b2d80(0x570b2800)
0x570b2800(0x570b2d80)
0xbc1aee00(0x0
)
0x570b2080(0x570b2e80)
0x570b2e80(0x570b2080)
0x570b2f00(0x570b2880)
0x570b2300(0x570b2180)
0x570b2180(0x570b2300)
0x570b2380(0x570b2a00)
0x570b2e00(0x570b2980)
0x570b2980(0x570b2e00)
0x570b2880(0x570b2f00)
0x570b2100(0x570b2c80)
0x570b2c80(0x570b2100)
State
E
EW
EDL
E
E
E
EW
EDL
PE
EW
EDL
E
EW
EDL
PE
EW
EDL
If the show statistics accelerator all command shows you which application accelerator is using up all the optimized TFO
connections, you can filter on that port or traffic. For example, if you want to filter on port 80 traffic, use the show filtering list |
I :80 command.
Look at the legend in the State column. In the case where the flows are in the SYN state, you may see a lot of flows with a state of
S. If the WAE has sent back the SYN ACK with options set you may see the state SAsO. This indication may help you determine
the state of the flow and from there, you can determine if there is a routing problem, virus, or a problem with the WAE not
releasing connections. You may need traces to determine exactly what is happening to the flows but the commands above should
give you an idea of what to look for.
103
Guide Contents
Contents
1 Troubleshooting WCCP on the Router
1.1 Troubleshooting WCCP on the Catalyst 6500 Series Switches and the ISR and 3700
Series Routers
1.2 Troubleshooting WCCP on the ASR 1000 Series Routers
2 Troubleshooting WCCP on the WAE
3 Troubleshooting Configurable Service IDs and Variable Timeouts in Version 4.4.1
WCCP issues can result from problems with the router (or redirecting device) or from the WAE device. It is necessary to look at
the WCCP configuration both on the router and on the WAE device. First we will look at the WCCP configuration on the router,
then we will check the WCCP configuration on the WAE.
Contents
105
Troubleshooting WCCP on the Catalyst 6500 Series Switches and the ISR and 3700
Series Routers
Begin troubleshooting by verifying WCCPv2 interception on the switch or router by using the show ip wccp IOS command as
follows:
Router# show ip wccp
Global WCCP information:
Router information:
Router Identifier:
Protocol Version:
10.88.81.242
2.0
Service Identifier: 61
Number of Service Group Clients:
Number of Service Group Routers:
Total Packets s/w Redirected:
Process:
Fast:
CEF:
Service mode:
Service access-list:
Total Packets Dropped Closed:
Redirect access-list:
Total Packets Denied Redirect:
Total Packets Unassigned:
Group access-list:
Total Messages Denied to Group:
Total Authentication failures:
Total Bypassed Packets Received:
--More--
1
1
68755
2
0
68753
Open
-none0
-none0
0
-none0
0
0
<-----Client = WAE
<-----Increments for software-based redirection
<----<----<-----
On platforms that use software-based redirection, verify that the Total Packets s/w Redirected counters are incrementing in the
above command output. On platforms that use hardware-based redirection, these counters should not be incrementing much. If
you are seeing these counters increment significantly on hardware-based platforms, WCCP could be misconfigured on the router
(WCCP GRE is processed in software by default), or the router could be falling back to software redirection due to hardware
resources issues such as running out of TCAM resources. More investigation is required if you see these counters incrementing on
a hardware-based platform, which could lead to high CPU usage.
The Total Packets Denied Redirect counter increments for packets that match the service group but do not match the redirect list.
The Total Authentication failures counter increments for packets that are received with the incorrect service group password.
On routers where WCCP redirection is performed in the software, continue by verifying WCCPv2 interception on the router by
using the show ip wccp 61 detail IOS command as follows:
Router# show ip wccp 61 detail
WCCP Client information:
WCCP Client ID:
Protocol Version:
State:
Initial Hash Info:
10.88.81.4
2.0
Usable
00000000000000000000000000000000
<-----Should be Usable
106
00000000000000000000000000000000
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
256 (100.00%)
2452
01:19:46
0
0
0
Verify that the WAE state in the service group 61 is Usable. Verify that hash buckets are assigned to the WAE in the Hash
Allotment field. The percentage tells you how many of the total hash buckets are handled by this WAE. The amount of time that
the WAE has been in the service group is reported in the Connect Time field. The hash assignment method should be used with
software-based redirection.
You can determine which WAE in the farm will handle a particular request by using the show ip wccp service hash dst-ip src-ip
dst-port src-port hidden IOS command on the router as follows:
Router# show ip wccp 61 hash 0.0.0.0 10.88.81.10 0 0
WCCP hash information for:
Primary Hash:
Src IP: 10.88.81.10
Bucket:
9
WCCP Client: 10.88.81.12
<-----Target WAE
On routers where WCCP redirection is performed in the hardware, continue by verifying WCCPv2 interception on the router by
using the show ip wccp 61 detail IOS command as follows:
Cat6k# sh ip wccp 61 detail
WCCP Client information:
WCCP Client ID:
10.88.80.135
Protocol Version:
2.0
State:
Usable
Redirection:
L2
Packet Return:
GRE
Packets Redirected:
0
Connect Time:
1d18h
Assignment:
MASK
Mask SrcAddr
DstAddr
SrcPort DstPort
---- ------------------- ------0000: 0x00001741 0x00000000 0x0000 0x0000
Value
----0000:
0001:
0002:
0003:
SrcAddr
------0x00000000
0x00000001
0x00000040
0x00000041
DstAddr
------0x00000000
0x00000000
0x00000000
0x00000000
SrcPort
------0x0000
0x0000
0x0000
0x0000
DstPort
------0x0000
0x0000
0x0000
0x0000
<-----Default mask
CE-IP
----0x0A585087
0x0A585087
0x0A585087
0x0A585087
(10.88.80.135)
(10.88.80.135)
(10.88.80.135)
(10.88.80.135)
You want to see the Mask assignment method for routers that are capable of hardware redirection.
In order to save TCAM resources on the router, consider altering the default WCCP mask to suit your network environment.
Consider these recommendations:
Use the smallest number of mask bits possible when using WCCP redirect ACL. A smaller number of mask bits when
used in conjunction with Redirect ACL results in lower TCAM utilization. If there are 1-2 WCCP clients in a cluster, use
one bit. If there are 3-4 WCCP clients, use 2 bits. If there are 5-8 WCCP clients, then use 3 bits and so on.
We do not recommend using the WAAS default mask (0x1741). For data center deployments, the goal is to load balance
the branch sites into the data center rather than clients or hosts. The right mask minimizes data center WAE peering and
Troubleshooting WCCP on the Catalyst 6500 Series Switches and the ISR and 3700Series Routers
107
"Punt" matches represent requests not handled in the hardware. This situation could be caused by the following errors:
Hash assignment instead of mask
Outbound redirection instead of inbound
Redirect exclude in
Unknown WAE MAC address
Using a loopback address for the generic GRE tunnel destination
In the following example, the policy-route entries show that the router is doing full hardware redirection:
Cat6k# show tcam interface vlan 900 acl in ip
* Global Defaults not shared
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
any
any
any
any
any
any
any
any
0.0.1.1 255.255.232.190
0.0.1.64 255.255.232.190
0.0.1.65 255.255.232.190
0.0.2.0 255.255.232.190
0.0.2.1 255.255.232.190
0.0.2.64 255.255.232.190
0.0.2.65 255.255.232.190 (75 matches)
0.0.3.0 255.255.232.190 (222195 matches)
The Here I Am (HIA) from the WAE must enter the same interface that the WAE MAC is known through. We recommend that
you use a loopback interface and not a directly connected interface in the WAE router list.
<----<-----
The following example shows additional commands that you can use to examine forwarding processor information:
ASR1000# sh platform software wccp fp active ?
<0-255>
service ID
cache-info Show cache-engine info
interface
Show interface info
statistics Show messaging statistics
web-cache
Web-cache type
|
Output modifiers
<cr>
To display redirected packet statistics for each interface, use the show platform software wccp interface counters command as
follows:
ASR1000# sh platform software wccp interface counters
Interface GigabitEthernet0/1/2
Input Redirect Packets = 391
Output Redirect Packets = 0
Interface GigabitEthernet0/1/3
Input Redirect Packets = 1800
Output Redirect Packets = 0
Use the show platform software wccp web-cache counters command to display WCCP cache information as follows:
ASR1000# sh platform software wccp web-cache counters
Service Group (0, 0) counters
unassigned_count = 0
dropped_closed_count = 0
bypass_count = 0
bypass_failed_count = 0
denied_count = 0
redirect_count = 0
109
Next check the WCCP status by using the show wccp status command. You want to see that WCCP version 2 is enabled and
active as follows:
WAE-612# show wccp status
WCCP version 2 is enabled and currently active
Look at the WCCP farm information by using the show wccp wide-area-engine command. This command shows the number of
WAEs in the farm, their IP addresses, which one is the lead WAE, routers that can see the WAEs, and other information, as
follows:
WAE612# show wccp wide-area-engine
Wide Area Engine List for Service: TCP Promiscuous 61
Number of WAE's in the Cache farm: 3
Last Received Assignment Key IP address: 10.43.140.162
Last Received Assignment Key Change Number: 17
Last WAE Change Number: 16
Assignment Made Flag = FALSE
IP address = 10.43.140.162
Lead WAE = YES
Routers seeing this Wide Area Engine(3)
10.43.140.161
10.43.140.166
10.43.140.168
Weight = 0
IP address = 10.43.140.163
Lead WAE = NO
Routers seeing this Wide Area Engine(3)
10.43.140.161
10.43.140.166
10.43.140.168
Weight = 0
IP address = 10.43.140.164
Lead WAE = NO
Routers seeing this Wide Area Engine(3)
10.43.140.161
10.43.140.166
10.43.140.168
Weight = 0
. . .
Look at the router information by using the show wccp routers command. Verify that there is bidirectional communication with
WCCP-enabled routers and all routers show the same KeyIP and KeyCN (change number), as follows:
MCN
52
53
25
In cases where the WAE is not Layer 2-adjacent to the router, or a loopback address is used, either static routes or a default
gateway is required to support WCCP.
To examine the hash bucket distribution in the service group, use the show wccp flows tcp-promiscuous command as follows:
wae# sh wccp flows tcp-promiscuous
Flow counts for service: TCP Promiscuous 61
Bucket
Flow Counts
0- 11:
0
0
0
0
0
0
12- 23:
0
0
0
0
0
0
24- 35:
0
0
0
0
0
0
36- 47:
0
0
0
0
0
0
48- 59:
0
0
0
0
0
0
60- 71:
0
0
0
0
0
0
72- 83:
0
0
0
0
0
0
84- 95:
0
0
0
0
0
0
96-107:
0
0
0
0
0
0
108-119:
0
0
0
0
0
0
120-131:
0
0
0
0
0
0
132-143:
0
0
0
0
0
0
144-155:
0
0
0
0
0
0
156-167:
0
0
0
0
0
0
168-179:
0
0
0
0
0
0
180-191:
0
0
0
0
0
0
192-203:
0
0
0
0
0
0
204-215:
0
0
0
0
0
0
216-227:
0
0
0
0
0
0
228-239:
0
0
0
0
0
0
240-251:
0
0
0
0
0
0
252-255:
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
3
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
Alternatively, you can use the summary version of the command to see similar information, as well as bypass flow information:
wae# sh wccp flows tcp-promiscuous summary
Flow summary for service: TCP Promiscuous 61
Total Buckets
OURS = 256
0- 59:
60-119:
120-179:
180-239:
240-255:
BYP
OOOOOOOOOO
OOOOOOOOOO
OOOOOOOOOO
OOOOOOOOOO
OOOOOOOOOO
OOOOOOOOOO
OOOOOOOOOO
OOOOOOOOOO
OOOOOOOOOO
OOOOOO
OOOOOOOOOO
OOOOOOOOOO
OOOOOOOOOO
OOOOOOOOOO
OOOOOOOOOO
OOOOOOOOOO
OOOOOOOOOO
OOOOOOOOOO
OOOOOOOOOO
OOOOOOOOOO
OOOOOOOOOO
OOOOOOOOOO
OOOOOOOOOO
OOOOOOOOOO
OOOOOOOOOO
OOOOOOOOOO
= 0
111
..........
..........
..........
..........
..........
..........
..........
..........
..........
......
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
Use the show wccp gre command to display GRE packet statistics as follows:
WAE-612# show wccp gre
Transparent GRE packets received:
5531561
Transparent non-GRE packets received:
0
Transparent non-GRE non-WCCP packets received: 0
Total packets accepted:
5051
Invalid packets received:
0
Packets received with invalid service:
0
Packets received on a disabled service:
0
Packets received too small:
0
Packets dropped due to zero TTL:
0
Packets dropped due to bad buckets:
0
Packets dropped due to no redirect address:
0
Packets dropped due to loopback redirect:
0
Pass-through pkts dropped on assignment update:0
Connections bypassed due to load:
0
Packets sent back to router:
0
GRE packets sent to router (not bypass)
0
Packets sent to another WAE:
0
GRE fragments redirected:
0
GRE encapsulated fragments received:
0
Packets failed encapsulated reassembly:
0
Packets failed GRE encapsulation:
0
--More--
If WCCP redirection is working, either of the first two counters should be incrementing.
The Transparent non-GRE packets received counter increments for packets that are redirected using the WCCP Layer 2 redirect
forwarding method.
The Transparent non-GRE non-WCCP packets received counter increments for packets that are redirected by a non-WCCP
interception method (such as ACE or PBR).
The Total packets accepted counter indicates packets that are accepted for optimization because auto-discovery found a peer
WAE.
The GRE packets sent to router (not bypass) counter indicates packets that were handled using the WCCP negotiated return egress
method.
The packets sent to another WAE counter indicates that flow protection is occurring when another WAE is added to the service
group and begins handling a bucket assignment that was previously being handled by another WAE.
Verify that the egress methods that are being used are the expected ones by using the show egress-methods command as follows:
WAE674# show egress-methods
112
Destination
----------any
Egress Method
Configured
---------------------WCCP Negotiated Return
Egress Method
Used
------------WCCP GRE
TCP Promiscuous 62 :
WCCP negotiated return method : WCCP GRE
Destination
----------any
Egress Method
Configured
---------------------WCCP Negotiated Return
Egress Method
Used
------------WCCP GRE
Destination
----------any
Egress Method
Configured
---------------------Generic GRE
Egress Method
Used
------------IP Forwarding
WARNING:
GRE
Egress Method
Used
------------IP Forwarding
<-----Mismatch
<-----Warning if mismatch occurs
<-----Mismatch
<-----Warning if mismatch occurs
For Catalyst 6500 Sup720 or Sup32 routers, we recommend using the generic GRE egress method, which is processed in
hardware. Additionally, we recommend using one multipoint tunnel for ease of configuration, instead of one point-to-point tunnel
for each WAE. For tunnel configuration details, refer to the section Configuring a GRE Tunnel Interface on a Router in the Cisco
Troubleshooting WCCP on the WAE
113
10.10.14.16
N/A
2
0
0
0
0
0
Failure to ensure that egress packets from a WAE are not reintercepted can lead to a redirection loop. If a WAE detects its own ID
returned in the TCP options field, a redirection loop has occurred and results in the following syslog message:
%WAAS-SYS-3-900000: 137.34.79.11:1192 - 137.34.77.196:139 - opt_syn_rcv: Routing Loop detected - Packet has our ow
You can search the syslog.txt file for instances of this error by using the find command as follows:
WAE-612# find match ?Routing Loop? syslog.txt
This error also shows up in the TFO flow statistics available in the show statistics filtering command as follows:
WAE-612# show statistics filtering
. . .
Syn packets dropped with our own id in the options:
. . .
If you are doing outbound redirection on the router, as traffic leaves the router it will get redirected back to the WAE, which will
reroute the packet out the router, causing a routing loop. If the data center WAE and servers are on different VLANs and the
branch WAE and the clients are on different VLANS, you can avoid a routing loop by using the following router configuration on
the WAE VLAN:
ip wccp redirect exclude in
If the WAE shares the same VLAN with its adjacent clients or servers, you can avoid routing loops by using the negotiated return
method, or generic GRE return for platforms where WCCP redirection is performed in the hardware. When using generic GRE
return, the WAE uses a GRE tunnel to return traffic to the router.
114
Module/Submodule
-------------------WCCP/svc051/rtr2.192.9.161
Instance
---------------
<-----Check reason
<-----
0
0
0
0
On the router, check if the IOS version supports variable failure detection timeout. If so, you can check the configured setting by
using the show ip wccp xx detail command, where xx is the WCCP service ID. There are three possible results:
WAE is using default failure detection timeout of 30 seconds and router is configured the same or does not support
variable timeout: The router output shows no details about the timeout setting. This configuration operates fine.
WAE is using non-default failure detection timeout of 9 or 15 seconds and router does not support variable timeout: State
field shows "NOT Usable" and the WAE cannot use the router. Change the WAE failure detection timeout to the default
value of 30 seconds by using the wccp tcp failure-detection 30 global configuration command.
WAE is using non-default failure detection timeout of 9 or 15 seconds and router supports variable timeout: Client
timeout field shows the configured failure detection timeout, which matches the WAE. This configuration operates fine.
If the WCCP farm is unstable due to link flapping, it could be because the WCCP failure detection timeout is too low.
Guide Contents
Main Article
Understanding the WAAS Architecture and Traffic Flow
Preliminary WAAS Troubleshooting
Troubleshooting Optimization
Troubleshooting Application Acceleration
Troubleshooting the CIFS AO
Troubleshooting the HTTP AO
Troubleshooting the EPM AO
Troubleshooting the MAPI AO
Troubleshooting the NFS AO
Troubleshooting the SSL AO
Troubleshooting the Video AO
Troubleshooting the Generic AO
Troubleshooting Overload Conditions
Troubleshooting WCCP
Troubleshooting AppNav
Troubleshooting Disk and Hardware Problems
Troubleshooting Serial Inline Clusters
Troubleshooting vWAAS
Troubleshooting WAAS Express
Troubleshooting NAM Integration
Contents
1 AppNav Troubleshooting
1.1 In-Path (Inline) Interception
1.2 Off-Path (WCCP) Interception
1.2.1 Configuring and Verifying WCCP
Interception on the Router
1.2.2 Additional Information
1.3 Network Connectivity Troubleshooting
1.3.1 Passing Through Specific Traffic
1.3.2 Disabling an Inline ANC
1.3.3 Disabling an Off-Path ANC
1.4 AppNav Cluster Troubleshooting
1.4.1 AppNav Alarms
1.4.2 Central Manager Monitoring
1.4.3 AppNav CLI Commands for Monitoring
Cluster and Device Status
1.4.4 AppNav CLI Commands for Monitoring
Flow Distribution Statistics
1.4.5 AppNav CLI Commands for Debugging
Connections
1.4.6 Connection Tracing
1.4.7 AppNav Debug Logging
1.5 AppNav Packet Capture
Contents
116
AppNav Troubleshooting
Cisco WAAS AppNav simplifies network integration of WAN optimization and greatly reduces dependency on the intercepting
switch or router by using AppNav Controllers (ANCs) to distribute traffic among WAAS Nodes (WNs) for optimization using a
powerful class and policy mechanism. You can use WAAS nodes (WNs) to optimize traffic based on sites and/or applications.
This article describes how to troubleshoot AppNav.
NOTE: The AppNav feature was introduced in WAAS version 5.0.1. This section is not applicable to earlier WAAS versions.
Interception Statistics:
GigabitEthernet 1/0
Operation State
:
Down
Input Packets Forwarded/Bridged
:
16188
Input Packets Redirected
:
5068
Input Packets Punted
:
1208
Input Packets Dropped
:
0
Output Packets Forwarded/Bridged :
7843
Output Packets Injected
:
301
Output Packets Dropped
:
2
GigabitEthernet 1/1
Down(lsp)
<<< Down due to LSP
7845
0
605
0
21256
301
0
In the example above, the Gig 1/0 interface is down and the Gig 1/1 interface is also down due to link state propagation (LSP).
You might also see Down(flow sync), which means that the ANC is joining a cluster and synchronizing flow information with
other ANCs in the cluster. It keeps the interception path (bridge interface) shut for about two minutes until all ANCs are
synchronized so that existing flows can be distributed correctly.
The lower part of the output shows traffic statistics for the member interfaces.
119
In the interface configuration for an off-path deployment, the interception and distribution roles can share the same interfaces on
the Cisco AppNav Controller Interface Module, but it is not required.
Troubleshooting off-path interception consists of these steps:
Verify correct placement of the WCCP routers to ensure they are in the path of traffic going to and from the optimized
hosts. You can use the show run or show wccp commands to verify that these are the same routers that are configured for
WCCP. If necessary, use basic tools like ping and traceroute, or Layer 7 tools or applications to confirm that all traffic
needing optimization passes through the WCCP routers.
Verify the WCCP configuration on the WAAS ANCs, using either the Central Manager (preferred) or the CLI.
Verify the WCCP configuration on the redirecting routers, using the router CLI.
To verify the WCCP configuration on the ANCs, in the Central Manager, choose Devices > AppNavController, then choose
Configure > Interception > Interception Configuration.
Verify that the Interception Method is set to WCCP.
Verify that the Enable WCCP Service check box is checked.
Verify that the Use Default Gateway as WCCP Router check box is checked or that the WCCP router IP addresses are
listed in the WCCP Router field.
Verify that the other settings such as the load balancing mask and redirect method are configured properly for your
deployment.
Check for any WCCP related alarms on the ANCs that are part of the router WCCP farm. On the Central Manager, click the
Alarms panel at the bottom of the screen or use the show alarm command on each device to view alarms. Correct any alarm
conditions by changing the configuration on the ANC or router, as needed.
From the CLI, follow these steps to configure WCCP operation:
1. Set the interception method to wccp.
Off-Path (WCCP) Interception
120
2. Configure the WCCP router list, which contains the IP addresses of the routers participating in the WCCP farm.
wave(config)# wccp router-list 1 10.10.10.21 10.10.10.22
3. Configure the WCCP service ID. A single service ID is preferred for AppNav, though two service IDs are supported.
wave(config)# wccp tcp-promiscuous 61
5. Configure the WCCP assignment method (only the mask method is supported on an ANC). If you do not specify the
dst-ip-mask or src-ip-mask options, the default source IP mask is set to f and the destination IP mask is set to 0.
wave(config-wccp-service)# assignment-method mask
6. Configure the WCCP redirect method (the egress and return methods are set automatically to match the redirect method and are
not configurable for an ANC). You can choose L2 (the default) or GRE. L2 requires that the ANC has a Layer 2 connection with
the router and the router is also configured for Layer 2 redirection.
wave(config-wccp-service)# redirect-method gre
Verify WCCP interception on each ANC by using the show running-config command. The two examples below show the
running config output for L2 redirect and GRE redirect.
Show running-config wccp (for L2 redirect):
wave# sh run wccp
wccp router-list 1 10.10.10.21 10.10.10.22
wccp tcp-promiscuous service-pair 61
router-list-num 1
enable
exit
Verify the WCCP status on each ANC by using the show wccp status command.
wave# show wccp routers
WCCP Interception :
121
Verify the routers that have responded to keep-alive messages in the WCCP farm by using the show wccp routers command.
wave# show wccp routers
Router Information for Service Id: 61
Routers Seeing this Wide Area Engine(2)
Router Id
Sent To
192.168.1.1
10.10.10.21
192.168.1.2
10.10.10.22
Routers not Seeing this Wide Area Engine
-NONERouters Notified of from other WAE's
-NONE-
Verify each ANCs' view of the other ANCs in the WCCP farm and the routers reachable by each of them by using the show wccp
clients command.
wave# show wccp clients
Wide Area Engine List for Service: 61
Number of WAE's in the Cache farm: 2
IP address = 10.10.10.31
Lead WAE = NO
Routers seeing this Wide Area Engine(2)
192.168.1.1
192.168.1.2
Weight = 0
IP address = 10.10.10.32
Lead WAE = YES
Routers seeing this Wide Area Engine(2)
192.168.1.1
192.168.1.2
Weight = 0
Verify that packets are being received by each ANC from the routers in the farm by using the show statistics wccp command.
Statistics for traffic that is received from, passed through, and sent to each router are shown. Cumulative statistics for all routers in
the farm are shown at the bottom. A similar command is show wccp statistics. Note that "OE" refers to the ANC devices here.
wave# sh statistics wccp
WCCP Stats for Router
Packets Received from Router
Bytes Received from Router
Packets Transmitted to Router
Bytes Transmitted to Router
Pass-thru Packets sent to Router
Pass-thru Bytes sent to Router
Redirect Packets sent to OE
Redirect Bytes sent to OE
:
:
:
:
:
:
:
:
:
10.10.10.21
1101954
103682392
1751072
2518114618
0
0
1101954
103682392
:
:
:
:
:
:
:
:
:
10.10.10.22
75264
10732204
405193
597227459
0
0
75264
10732204
122
2. Configure WCCP interception on the router LAN and WAN interfaces. You can configure the same service ID on both
interfaces if you are using a single service ID on the ANCs.
Core-Router1(config)# interface GigabitEthernet0/0
Core-Router1(config-subif)# ip address 10.20.1.1 255.255.255.0
Core-Router1(config-subif)# ip wccp 61 redirect in
Core-Router1(config-subif)# ip router isis inline_wccp_pod
Core-Router1(config-subif)# exit
Core-Router1(config)# interface GigabitEthernet0/1
Core-Router1(config-subif)# ip address 10.19.1.1 255.255.255.0
Core-Router1(config-subif)# ip wccp 61 redirect in
Core-Router1(config-subif)# ip router isis inline_wccp_pod
Core-Router1(config-subif)# glbp 701 ip 10.19.1.254
Core-Router1(config-subif)# duplex auto
Core-Router1(config-subif)# speed auto
Core-Router1(config-subif)# media-type rj45
Core-Router1(config-subif)# exit
3. (Optional) Configure a tunnel interface if you are using generic GRE egress (only if you chose GRE for the ANC WCCP
redirect method).
Core-Router1(config)# interface Tunnel1
Core-Router1(config-subif)# ip address 192.168.1.1 255.255.255.0
Core-Router1(config-subif)# no ip redirects
Core-Router1(config-subif)# tunnel source GigabitEthernet0/0.3702
Core-Router1(config-subif)# tunnel mode gre multipoint
Verify the WCCP configuration on each router in the farm by using the show wccp command.
Core-Router1 sh ip wccp 61 detail
WCCP Client information:
WCCP Client ID:
10.10.10.31
Protocol Version:
2.00
State:
Usable
Redirection:
GRE
Packet Return:
GRE
Assignment:
MASK
Connect Time:
00:31:27
Redirected Packets:
Process:
0
CEF:
0
GRE Bypassed Packets:
Process:
0
123
0
16 of 16 (100.00%)
1/16
Mask SrcAddr
DstAddr
SrcPort DstPort
---- ------------------- ------0000: 0x0000000F 0x00000000 0x0000 0x0000
Value
----0000:
0001:
0002:
0003:
0004:
0005:
0006:
0007:
0008:
0009:
0010:
0011:
0012:
0013:
0014:
0015:
SrcAddr
------0x00000000
0x00000001
0x00000002
0x00000003
0x00000004
0x00000005
0x00000006
0x00000007
0x00000008
0x00000009
0x0000000A
0x0000000B
0x0000000C
0x0000000D
0x0000000E
0x0000000F
DstAddr
------0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
SrcPort
------0x0000
0x0000
0x0000
0x0000
0x0000
0x0000
0x0000
0x0000
0x0000
0x0000
0x0000
0x0000
0x0000
0x0000
0x0000
0x0000
DstPort
------0x0000
0x0000
0x0000
0x0000
0x0000
0x0000
0x0000
0x0000
0x0000
0x0000
0x0000
0x0000
0x0000
0x0000
0x0000
0x0000
Additional Information
For additional information, see these documents:
WCCP Network Integration with Cisco Catalyst 6500: Best Practice Recommendations for Successful Deployments
Cisco Wide Area Application Services Web Cache Communication Protocol Redirection: Cisco Router Platform Support
Configuring Advanced WCCP Features on Routers, from the Cisco Wide Area Application Services Configuration Guide
Configuring WCCP on WAEs, from the Cisco Wide Area Application Services Configuration Guide
Additional Information
124
Configure the ANC policy to pass through traffic matching specific classes.
class-map type appnav HTTP
match tcp dest port 80
policy-map type appnav my_policy
.
.
125
In some cases, there may be multiple ANCs receiving redirected traffic from the same router. For convenience, you may choose to
disable WCCP at the router, rather than the ANCs. The advantage is that you can remove multiple ANCs from a WCCP farm in a
single step. The disadvantage is that you cannot do this from the WAAS Central Manager.
To disable WCCP at the router, use the following syntax:
RTR1(config)# no ip wccp 61
RTR1(config)# no ip wccp 62
<<< Only needed if you are using two WCCP service IDs
126
<<< Only needed if you are using two WCCP service IDs
At each WCCP router, verify that the ANCs you chose to disable are not showing up as WCCP clients. The following output is
displayed when the WCCP services have been deleted on the router.
RTR1# show ip wccp 61
The WCCP service specified is not active.
127
Note that the ANC and WN icons shown in this diagram have the same device name because they reside on the same device. On
an ANC that is also optimizing traffic as a WN, these two functions are shown as separate icons on the topology diagram.
An orange triangle warning indicator is shown on any device for which the Central Manager may not have current information
because the device has not responded within the last 30 seconds (the device could be offline or unreachable).
You can get a detailed 360 degree status view of any ANC or WN device by hovering your cursor over the device icon. The first
tab displays alarms on the device. You should resolve any alarms that are inhibiting proper cluster operation.
Click the Interception tab to verify the device interception method on each ANC.
File:Waast-an-interceptiontab.png
If interception is down, the status appears as follows:
Click the Cluster Control tab to see the IP address and status of each device in the cluster that this ANC can see. Each ANC in the
cluster should have the same list of devices. If not, it indicates a configuration or network issue.
File:Waast-an-clustercontrol.png
If all ANCs cannot see each other, the cluster is nonoperational and all traffic is passed through due to the cluster's inability to
synchronize flows.
If all ANCs are connected but have different views of the WNs, the cluster is in a degraded state. Traffic is still distributed, but
only to the WNs that are seen by all ANCs.
Any WNs not seen by all ANCs are excluded.
Click the Interfaces tab to verify the state of the physical and logical interfaces on the ANC.
129
Look at the 360 degree view on each WN in the cluster and verify the green status of all accelerators in the Optimization tab. A
yellow status for an accelerator means that the accelerator is running but is unable to service new connections, for example
because it is overloaded or because its license has been removed. A red status indicates that the accelerator is not running. If any
accelerators are yellow or red, you must separately troubleshoot those accelerators. If the Enterprise license is missing, the
description reads System license has been revoked. Install the Enterprise license in the Admin > History > License Management
device page.
130
A split cluster results from connectivity issues between ANCs in the cluster. If the Central Manager can communicate with all
ANCs, it can detect a split cluster, however, if it cannot communicate with some ANCs, it cannot detect the split. The
"Management status is offline" alarm is raised if the Central Manager loses connectivity with any device and the device is shown
as offline in the Central Manager.
It is best to separate the management interfaces from the data interfaces to maintain management connectivity even if a data link is
down.
131
In a split cluster, each subcluster of ANCs independently distributes flows to the WNGs that it can see, but since flows between
the subclusters are not coordinated, it can cause reset connections and the overall cluster performance is degraded.
Check the Cluster Control tab of each ANC to see if one or more ANCs are unreachable. The "Service controller is unreachable"
alarm is raised if two ANCs that once could communicate with each other lose connectivity between themselves but this situation
is not the only cause of a split cluster so it is best to check the Cluster Control tab of each ANC.
132
If an ANC has a gray status light, it might be disabled. Check that all ANCs are enabled by clicking the AppNav Controllers tab
below the topology diagram. If an ANC is not enabled, its Enabled status is No. You can click the Enable taskbar icon to enable
an ANC.
Check the AppNav policy on each ANC that has anything other than a green status light. If you hover your cursor over the status
light on a device, a tool tip tells you the status or problem, if one is detected.
133
To check the defined policies, from the Central Manager menu, choose Configure > AppNav Policies and then click the Manage
button.
There should generally be a single policy assigned to all ANCs in the cluster. The default policy is named appnav_default. Select
the radio button next to a policy and click the Edit taskbar icon. The AppNav Policy pane shows you the ANCs to which the
selected policy is applied. If all ANCs are not shown with a checkmark, click the checkbox next to each unchecked ANC to assign
Central Manager Monitoring
134
After verifying the policy assignments, you can verify the policy rules in the AppNav Policies page that remains displayed. Select
any policy rule and click the Edit taskbar icon to change its definition.
An ANC could have a yellow or red status light if one or more policies are overloaded. Check the Overloaded Policies tab of the
360 degree device view to see a list of monitored policies that are overloaded.
135
If an ANC is joining the cluster, it is shown with a yellow status light and joining status.
136
If you remove an ANC from a cluster, it is still shown for a few minutes in the topology diagram and as alive in the Cluster
Control tab, until all ANCs agree on the new cluster topology. It does not receive any new flows in this state.
137
:
:
:
:
:
:
:
:
:
:
:
:
:
:
test
appnav_default
1.1
1.1
Wed Jul 11 02:05:23
Operational
Wed Jul 11 02:05:55
Converging
Wed Jul 11 02:05:45
Not Configured
Wed Jul 11 02:05:23
Operational
Ready
Not Shutdown
2012
<<< Service context status
2012
2012
2012
<<< Status of this ANC
10.1.1.2
<<< Stable view of converged WNs
10.1.1.2
10.1.1.2
10.1.1.2
10.1.1.3
If the Device Interception State field (above) shows Shutdown, it means that the CMM has shut down interception due to this
ANC not being ready to receive traffic flows. For example, the ANC could still be in the joining process and the cluster has not
yet synchronized flows.
The Stable View fields (above) list the IP addresses of the ANCs and WNs seen by this ANC device in its last converged view of
the cluster. This is the view used for distribution operations. The Current View fields list the devices advertised by this ANC in its
heartbeat messages.
You can use the show service-insertion appnav-controller-group command on an ANC to see the status of each ANC in the
ANC group:
ANC# show service-insertion appnav-controller-group
All AppNav Controller Groups in Service Context
: test
: Enabled
10.1.1.1
1
Alive
Wed Jul 11 02:05:23 2012
Joined
10.1.1.1
1.1
2
0
0
10.1.1.2 (local)
1
Alive
Wed Jul 11 02:05:23 2012
Joined
10.1.1.2
1.1
2
0
0
10.1.1.3
For a list of possible ANC statuses and joining statuses, see the show service-insertion command in the Cisco Wide Area
Application Services Command Reference.
You can use the show service-insertion service-node command on an ANC to see the status of a particular WN in the cluster:
ANC# show service-insertion service-node 10.1.1.2
Service Node:
: 20.1.1.2
Service Node belongs to SNG
: sng2
Service Context
: test
Service Context configured state
: Enabled
Service Node ID
:
Current status of Service Node
:
Time current status was reached
:
Cluster protocol DMP version
:
Cluster protocol incarnation number
:
Cluster protocol last sent sequence number
:
Cluster protocol last received sequence number:
AO state
-------AO
-tfo
State
----GREEN
1
Alive
Sun May 6 11:58:11 2011
1.1
1
1692060441
1441393061
For
--3d 22h 11m 17s
<<< WN is visible
139
GREEN
GREEN
GREEN
RED
RED
GREEN
YELLOW
GREEN
3d 22h
3d 22h
3d 22h
3d 22h
11d 2h
3d 22h
3d 22h
3d 22h
11m 17s
11m 17s
11m 17s
14m 3s
2m 54s
11m 17s
11m 17s
11m 17s
You can use the show service-insertion service-node-group command on an ANC to see the status of a particular WNG in the
cluster:
ANC# show service-insertion service-node-group sng2
Service Node Group name
: sng2
Service Context
: scxt1
Member Service Node count
: 1
Members:
10.1.1.1
10.1.1.2
Service Node:
:
Service Node belongs to SNG
:
Current status of Service Node
:
Time current status was reached
:
Cluster protocol DMP version
:
Cluster protocol incarnation number
:
Cluster protocol last sent sequence number
:
Cluster protocol last received sequence number:
AO state
-------AO
-tfo
epm
cifs
mapi
http
video
nfs
ssl
ica
State
----GREEN
GREEN
GREEN
GREEN
RED
RED
GREEN
YELLOW
GREEN
For
--3d 22h
3d 22h
3d 22h
3d 22h
3d 22h
11d 2h
3d 22h
3d 22h
3d 22h
10.1.1.1
sng2
Excluded
Sun Nov 6 11:58:11 2011
1.1
1
1692061851
1441394001
12m 52s
12m 52s
12m 52s
12m 52s
15m 38s
4m 29s
12m 52s
12m 52s
12m 52s
Service Node:
:
Service Node belongs to WNG
:
Current status of Service Node
:
Time current status was reached
:
Cluster protocol DMP version
:
Cluster protocol incarnation number
:
Cluster protocol last sent sequence number
:
Cluster protocol last received sequence number:
AO state
-------AO
-tfo
epm
cifs
mapi
http
video
nfs
ssl
ica
State
----GREEN
GREEN
GREEN
GREEN
RED
RED
GREEN
YELLOW
GREEN
For
--3d 22h
3d 22h
3d 22h
3d 22h
3d 22h
11d 2h
3d 22h
3d 22h
3d 22h
<<< WN status
10.1.1.2
sng2
Alive
Sun Nov 6 11:58:11 2011
1.1
1
1692061851
1441394001
<<< WN status
12m 52s
12m 52s
12m 52s
12m 52s
15m 38s
4m 29s
12m 52s
12m 52s
12m 52s
140
Since
----3d 22h
3d 22h
3d 22h
3d 22h
3d 22h
11d 2h
3d 22h
11d 2h
3d 22h
12m 52s
12m 52s
12m 52s
12m 52s
15m 38s
4m 29s
12m 52s
4m 29s
12m 52s
The first WN in the example above has a status of Excluded, which means that the WN is visible to the ANC but it is excluded
from the cluster because one or more other ANCs cannot see it.
The SNG Availability per AO table shows if each AO is able to service new connections. An AO is available if at least one WN in
the WNG has a GREEN status for the AO.
You can use the show service-insertion service-node command on a WN to see the status of the WN:
WAE# show service-insertion service-node
Cluster protocol DMP version
: 1.1
Service started at
: Wed Jul 11 02:05:45 2012
Current FSM state
: Operational
Time FSM entered current state
: Wed Jul 11 02:05:45 2012
Last FSM state
: Admin Disabled
Time FSM entered last state
: Mon Jul 2 17:19:15 2012
Shutdown max wait time:
Configured
: 120
Operational
: 120
Last 8 AppNav Controllers
-------------------------AC IP
My IP
e Last Heard
-------------------Reported state
-------------Accl
---TFO (System)
EPM
CIFS
MAPI
HTTP
VIDEO
NFS
SSL
ICA
DMP Version
Incarnation
Sequence
Tim
-----------
-----------
--------
---
For
--43d
43d
43d
43d
43d
43d
43d
43d
43d
Reason
-----7h
7h
7h
7h
7h
7h
7h
7h
7h
45m
44m
44m
44m
44m
44m
44m
44m
44m
8s
40s
41s
43s
45s
41s
44s
21s
40s
141
The monitored state of an accelerator is its actual state but the reported state can differ because it is the lower of the system state
or the accelerator state.
For more information about troubleshooting optimization on a WN, see the Troubleshooting Optimization and Troubleshooting
Application Acceleration articles.
AppNav CLI Commands for Monitoring Flow Distribution Statistics
Several CLI commands are useful for troubleshooting policies and flow distribution on an ANC:
show policy-map type appnav policymap-name -- Shows the policy rules and hit counts for each class in the policy map.
show class-map type appnav class-name -- Shows the match criteria and hit counts for each match condition in the class
map.
show policy-sub-class type appnav level1-class-name level2-class-name -- Shows the match criteria and hit counts for
each match condition in a class map in a nested AppNav policy map.
show statistics class-map type appnav class-name -- Shows traffic interception and distribution statistics for a class
map.
show statistics policy-sub-class type appnav level1-class-name level2-class-name -- Shows traffic interception and
distribution statistics for a class map in a nested AppNav policy map.
show statistics pass-through type appnav -- Shows AppNav traffic statistics for each pass-through reason.
show appnav-controller flow-distribution -- Shows how a specific hypothetical flow would be classified and distributed
by an ANC, based on the defined policy and dynamic load conditions. This command can be useful to verify how a
particular flow will be handled on an ANC and what class it belongs to.
Use these commands on a WN to troubleshoot flow distribution:
show statistics service-insertion service-node ip-address -- Shows statistics for accelerators and traffic distributed to the
WN.
show statistics service-insertion service-node-group name group-name -- Shows statistics for accelerators and traffic
distributed to the WNG.
You can use the show statistics class-map type appnav class-name command on an ANC to troubleshoot flow distribution, for
example to determine why traffic might be slow for a particular class. This could be an application class map such as HTTP or, if
all traffic to a branch seems slow, it could be a branch affinity class map. Here is an example for the HTTP class:
AppNav CLI Commands for Monitoring Flow Distribution Statistics
142
Passthrough Reasons
------------------Collected by ANC:
PT Flow Learn Failure
PT Cluster Degraded
PT SNG Overload
PT AppNav Policy
PT Unknown
From SN to Network
------------------
11588180
102853
9842597
60070
<<<
<<<
<<<
<<<
<<<
<<<
4
0
4
4
0
0
Packets
-------
Indicated by SN:
PT No Peer
...
Bytes
----0
0
0
0
0
0
0
0
0
0
<<<
<<<
<<<
<<<
<<<
The WN pass-through reasons in the Indicated by SN section increment only if pass-through offload is configured on a WN.
Otherwise, the ANC does not know that the WN is passing through a connection and does not count it.
If the Connections: Intercepted by ANC counter is not incrementing, there is an interception problem. You can use the WAAS
TcpTraceroute utility to troubleshoot the placement of the ANC in the network, find asymmetric paths, and determine the policy
applied to a connection. For details, see the section Connection Tracing.
AppNav CLI Commands for Debugging Connections
To debug an individual connection or set of connections on an ANC, you can use the show statistics appnav-controller
connection command to display the active connection list.
anc# show statistics appnav-controller connection
Collecting Records. Please wait...
Optimized Flows:
------------------------Client
Server
SN-IP
AC Owned
2.30.5.10:38111
2.30.5.10:38068
2.30.5.10:59861
2.30.5.10:59860
2.30.5.10:43992
2.30.5.10:59859
2.30.5.10:59858
2.30.5.10:59857
2.30.5.10:59856
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
2.30.1.10:5004
2.30.1.10:5003
2.30.1.10:445
2.30.1.10:445
2.30.1.10:5001
2.30.1.10:445
2.30.1.10:445
2.30.1.10:445
2.30.1.10:445
2.30.1.21
2.30.1.21
2.30.1.21
2.30.1.21
2.30.1.5
2.30.1.21
2.30.1.21
2.30.1.21
2.30.1.21
Passthrough Flows:
143
Passthrough Reason
PT Flowswitch Policy
You can filter the list by specifying the client or server IP address and/or port options and you can show detailed statistics about
connections by specifying the detail keyword.
anc# show statistics appnav-controller connection server-ip 2.30.1.10 detail
Collecting Records. Please wait...
Optimized Flows
-------------------------Client: 2.30.5.10:55330
Server: 2.30.1.10:5001
AppNav Controller Owned: Yes
Service Node IP:2.30.1.5
Classifier Name: se_policy:p5001
Flow association: 2T:No,3T:No
Application-ID: 0
Peer-ID: 00:14:5e:84:41:31
<<<
<<<
<<<
<<<
<<<
<<<
Client: 2.30.5.10:55331
Server: 2.30.1.10:5001
AppNav Controller Owned: Yes
Service Node IP:2.30.1.5
Classifier Name: se_policy:p5001
Flow association: 2T:No,3T:No
Application-ID: 0
Peer-ID: 00:14:5e:84:41:31
...
You can specify the summary option to display the number of active distributed and pass-through connections.
anc# show statistics appnav-controller connection summary
Number of optimized flows
= 2
Number of pass-through flows = 17
Connection Tracing
To assist in troubleshooting AppNav flows, you can use the Connection Trace tool in the Central Manager. This tool shows the
following information for a particular connection:
If the connection was passed through or distributed to a WNG
Pass-through reason, if applicable
The WNG and WN to which the connection was distributed
Accelerator monitored for the connection
Class-map applied
To use the Connection Trace tool, follow these steps:
1. From the Central Manager menu, choose AppNav Clusters > cluster-name, then choose Monitor > Tools > Connection
Trace.
2. Choose the ANC, the peer WAAS device, and specify connection match criteria.
3. Click Trace to display matching connections.
The WAAS TCP Traceroute is another tool not specific to AppNav that can help you troubleshoot network and connection issues,
including asymmetric paths. You can use it to find a list of WAAS nodes between the client and server, and the configured and
Connection Tracing
144
The options for cluster manager debugging (on 5.0.1 and later) are as follows:
WAE# debug cmm ?
all
enable
cli
enable
events
enable
ipc
enable
misc
enable
packets enable
shell
enable
timers
enable
all
CMM
CMM
CMM
CMM
CMM
CMM
CMM
CMM debugs
cli debugs
state machine events debugs
ipc messages debugs
misc debugs
packet debugs
infra debugs
state machine timers debugs
You can enable debug logging for the cluster manager and then display the end of the debug error log as follows:
WAE# debug cmm all
WAE# type-tail errorlog/cmm-errorlog.current follow
You can also enable debug logging for the flow distribution manager (FDM) or the flow distribution agent (FDA) with these
commands:
WAE# debug fdm all
WAE# debug fda all
145
If you capture packets at points 1 or 4 in the diagram, they are unencapsulated. If you capture packets at points 2 or 3, they are
encapsulated.
Here is sample output for an encapsulated packet capture:
anc# packet-capture appnav-controller interface GigabitEthernet 1/0 access-list all
Packet-Capture: Setting virtual memory/file size limit to 419430400
Running as user "admin" and group "root". This could be dangerous.
Capturing on eth14
0.000000
2.58.2.11 -> 2.1.6.122
TCP https > 2869 [ACK] Seq=1 Ack=1 Win=65535 Len=0
4.606723
2.58.2.175 -> 2.43.64.21
TELNET Telnet Data ...
...
37.679587
2.58.2.40 -> 2.58.2.35
GRE Encapsulated 0x8921 (unknown)
37.679786
2.58.2.35 -> 2.58.2.40
GRE Encapsulated 0x8921 (unknown)
0.000000
be dangerous.
33165 [SYN, ACK] Seq=0 Ack=1
WS=4
33165 [SYN, ACK] Seq=0 Ack=1
WS=4
This article describes how to troubleshoot disk, RAID, and hardware issues.
Guide Contents
Main Article
Understanding the WAAS Architecture and Traffic Flow
Preliminary WAAS Troubleshooting
Troubleshooting Optimization
Troubleshooting Application Acceleration
Troubleshooting the CIFS AO
Troubleshooting the HTTP AO
Troubleshooting the EPM AO
Troubleshooting the MAPI AO
Troubleshooting the NFS AO
Troubleshooting the SSL AO
AppNav Packet Capture
147
Contents
1 Checking the Disk Health
2 Disk Failures
3 RAID-5 Rebuilding and Synchronization
4 Firmware Upgrade for WAE-7341/7371/674
5 Boot Sequence Issue on WAE-7341/7371/674
6 Serial Port Disabled Issue on WAE-7341/7371/674
7 Boot Status Display
8 Replacing Disks on the WAE-612 with WAAS Versions 4.0.11 and Earlier
Releases
8.1 Disk01 Fails
8.2 Disk00 Fails and Disk01 has Problematic Status and is Marked Bad
8.3 Disk00 Fails and Disk01 is Not Marked Bad
You can check the disk health from the Central Manager or from the command line. On a Central Manager, choose the device to
check, and then choose Monitor > Disks to get a report on the disk status. For more details, see the Disks Report section in the
Cisco Wide Area Application Services Configuration Guide.
From the command line, you can use the show disks details command as follows:
J8WM2DTC
J8WMPV9C
J8WMYG6C
286102 MB
286102 MB
286102 MB
Contents
148
DEVICE
/dev/sda1
/dev/sda2
/dev/sda3
/dev/sda6
/dev/data1/spool
/dev/data1/obj
/dev/data1/dre
/dev/data1/ackq
/dev/data1/plz
SIZE
991MB
991MB
7935MB
22318MB
991MB
248221MB
248221MB
991MB
2975MB
INUSE
892MB
733MB
176MB
139MB
32MB
130MB
130MB
32MB
64MB
FREE USE%
99MB 90%
258MB 73%
7759MB
2%
22179MB
0%
959MB
3%
248091MB
0%
248091MB
0%
959MB
3%
2911MB
2%
It is also useful to check the Predictive Failure Analysis (PFA) flag for RAID-5 disks by using the show disks tech-support
command. You will find the PFA flag at the end of the output. If the PFA flag is set to Yes, it indicates a predicted drive failure
and you should replace the disk. A critical alarm is also raised on the WAE.
Disk Failures
Disk failures are automatically detected by the system. Failed disks are automatically removed from service.
You can also shut down a disk for scheduled replacement by using the following commands:
For a RAID-5 system:
WAE674# disk disk-name disk01 replace
Controllers found: 1
After you replace a disk on a RAID-5 system, the system rebuilds the logical RAID drive automatically.
For a RAID-1 system:
WAE7326# config
WAE7326(config)# disk disk-name disk01 shutdown
Device maybe busy while going offline ... please wait!
mdadm: set /dev/sdb1 faulty in /dev/md0
mdadm: set /dev/sdb2 faulty in /dev/md1
. . .
After you replace the disk on a RAID-1 system, use the following command to reenable the disk:
WAE7326# config
WAE7326(config)# no disk disk-name disk01 shutdown
149
If your RAID controller firmware needs to be updated, obtain the recommended version from the Cisco software download
website (registered customers only) and upgrade the firmware as described in the documentation that accompanies the firmware.
Disk01 Fails
If the disk only in slot 01 (right slot) fails and disk00 is good, use the following procedures to replace the disk, depending on the
WAAS version on the device.
WAAS version 4.0.5 and earlier releases
1. Mark disk01 as bad.
2. Upgrade the WAAS software to WAAS 4.0.7.
3. Shut down the WAE and replace disk01.
Boot Sequence Issue on WAE-7341/7371/674
151
Disk00 Fails and Disk01 has Problematic Status and is Marked Bad
If disk00 fails and disk01 shows a status of Problematic, with an asterisk (*) next to the status (the asterisk means the disk is
marked bad), it means that disk00 has failed but disk01 is misclassified as bad and its partition table has been removed. In this
situation, all data will be lost after the disk replacement.
Use the following procedures to replace the disk, depending on the WAAS version on the device.
WAAS version 4.0.5 and earlier releases
1. Mark disk00 as bad (if it is not already done).
2. Shut down the WAE and replace disk00.
3. Start up the WAE.
4. Mark disk00 as good (disk01 should still show as bad) and reload the WAE.
5. Reinstall a later version of the WAAS software (for example, by using the copy ftp install command or other method).
6. Mark disk01 as good and reload the WAE.
You should see RAID rebuilds from disk00 to disk01.
WAAS versions 4.0.7 through 4.0.11
1. Mark disk00 as bad (if it is not already done).
2. Shut down the WAE and replace disk00.
3. Start up the WAE.
4. Mark both disk00 and disk01 as good and reload the WAE.
5. Reinstall a later version of the WAAS software (for example, by using the copy ftp install command or other method).
152
Guide Contents
Main Article
Understanding the WAAS Architecture and Traffic Flow
Preliminary WAAS Troubleshooting
Troubleshooting Optimization
Troubleshooting Application Acceleration
Troubleshooting the CIFS AO
Troubleshooting the HTTP AO
Troubleshooting the EPM AO
Troubleshooting the MAPI AO
Troubleshooting the NFS AO
Troubleshooting the SSL AO
Troubleshooting the Video AO
Troubleshooting the Generic AO
Troubleshooting Overload Conditions
Troubleshooting WCCP
Troubleshooting AppNav
Troubleshooting Disk and Hardware Problems
Troubleshooting Serial Inline Clusters
Troubleshooting vWAAS
Troubleshooting WAAS Express
Troubleshooting NAM Integration
Contents
1 Checking for Connectivity Between the Serial
Peers
2 Verifying that the Serial Peers are Configured
Correctly
3 Verifying that a Serial Inline Cluster is
Operational
4 Detecting Serial Peer Configuration Mismatch
5 Troubleshooting MAPI Acceleration
5.1 Check EPM and MAPI Dynamic
Policies
153
If the serial peers are separated by one or more switches, the peer will not show up in the output above.
Run this command on both the peers and make sure that each device shows up on the other correctly.
Use the show device-id command to check the device ID, as follows:
WAE#show device-id
System Device ID is: 00:21:5e:57:e9:d4
7552
7563
0
0
12891
100
3053
429
Source IP:Port
190.190.3.175:19268
190.190.5.115:19283
199.199.3.0:58436
190.190.2.231:19312
Dest IP:Port
155.155.7.208:80
155.155.0.144:80
155.155.9.15:443
155.155.0.112:80
PeerID
00:21:5e:52:25:5c
00:21:5e:52:25:5c
00:21:5e:52:25:5c
00:21:5e:52:25:5c
Accel
THDL
THDL
TSDL
THDL
RR
00.0%
86.0%
00.0%
86.0%
Local IP:Port
2.74.2.162:37116
2.74.2.18:80
Remote IP:Port
2.74.2.18:80
2.74.2.162:37116
0
0
0
0
0
100
1
1
Peer ID
ConnType
00:21:5e:27:ae:14 PT Non-optimizing Peer
00:21:5e:27:ae:14 PT Non-optimizing Peer
0
0
0
155
Local IP:Port
2.74.2.162:37116
2.74.2.18:80
Remote IP:Port
2.74.2.18:80
2.74.2.162:37116
0
0
100
1
1
Peer ID
N/A
N/A
ConnType
PT No Peer
PT No Peer
You can also use the Central Manager Connection Statistics report (Device > Monitor > Optimization > Connections Statistics)
to display device connection statistics in a table, as shown in Figure 1. The Peer IDs are indicated by device name.
Figure 1. Central Manager Device Connection Statistics Report
To detect a serial peer configuration mismatch, you can also look for syslog messages such as the following:
%WAAS-SYS-4-900000: AD: Serial Mode configuration mismatch with peer_id=00:21:5e:27:a8:80
156
Allocations: 14
Number:
2
Type: Any->Host (6) User Id: EPM (3)
Src: ANY:ANY Dst: 10.56.45.68:1163
Map Name: uuida4f1db00-ca47-1067-b31f-00dd010662da
Flags: TIME_LMT REPLACE FLOW_CNT
Seconds: 1200 Remaining: - NA - DM Index: 32767
Hits: 2 Flows: 0 Cookie: 0x00000000
DM Ref Index: -None- DM Ref Cnt: 1
0
12886550
12872245
1065677
87134
0
0
0
0
0
0
<----- MAPI & Serial Inline cluster statistic
44892
402
3
287133100
0
0
589
0
0
158
1
22016
0
4
0
1806742
0
0
0
0
0
0
0
0
0
0
<----- MAPI & Serial Inline Cluster statistic
0
8
policy-engine connection
auto-discovery connection
filtering connection
connection acl
As always, disk logging needs to be enabled and the logging level for disk has to be set to debug.
NOTE: Debug logging is CPU intensive and can generate a large amount of output. Use it judiciously and sparingly in a
production environment.
2. If the interface is up, check the state of the connections, and if they are in pass-through, check the reason using the following
command:
159
9004
9008
0
0
10294
100
2994
443
Flows:
Peer ID
N/A
N/A
ConnType
PT App Cfg
PT App Cfg
3. If the reason appears as "PT Interception ACL", then it is due to the interception ACL denying the SYN packets.
You can look at the following output to drill down into the ACL to see which condition matched:
WAE#show ip access-list
Space available:
49 access lists
499 access list conditions
Standard IP access list test
1 permit any (1296 matches)
(implicit deny any: 0 matches)
total invocations: 1296
Interface access list references:
None Configured
Application access list references:
INTERCEPTION
Standard
Any IP Protocol
test
test
Check the hit counts from the above output to see if they are incrementing as expected.
As always, disk logging needs to be enabled and the logging level for disk has to be set to debug.
Connections Are Not Optimized
160
Guide Contents
Main Article
Understanding the WAAS Architecture and Traffic Flow
Preliminary WAAS Troubleshooting
Troubleshooting Optimization
Troubleshooting Application Acceleration
Troubleshooting the CIFS AO
Troubleshooting the HTTP AO
Troubleshooting the EPM AO
Troubleshooting the MAPI AO
Troubleshooting the NFS AO
Troubleshooting the SSL AO
Troubleshooting the Video AO
Troubleshooting the Generic AO
Troubleshooting Overload Conditions
Troubleshooting WCCP
Troubleshooting AppNav
Troubleshooting Disk and Hardware Problems
Troubleshooting Serial Inline Clusters
Troubleshooting vWAAS
Troubleshooting WAAS Express
Troubleshooting NAM Integration
Contents
1 Identifying a vWAAS Device
2 Troubleshooting vWAAS Device
Registration
3 Verifying vWAAS Virtual Interfaces
4 Troubleshooting vWAAS Networking
5 Troubleshooting VPATH Interception
6 Troubleshooting Undersized Alarm
Virtual WAAS (vWAAS) implements a virtual WAAS appliance in VMware ESXi on a host server such as Cisco UCS.
NOTE: vWAAS was introduced in WAAS version 4.3.1. This section is not applicable to earlier WAAS versions.
You can identify a vWAAS device from the Manage Devices page of the WAAS Central Manager. The device type appears as
OE-VWAAS for all types of vWAAS devices. The show version and show hardware CLI commands also show the device
Version as OE-VWAAS.
Figure 1. vWAAS Device Type
161
The model of the vWAAS device is determined from the number of CPUs and Maximum TCP Connections shown in the Device
Dashboard window when you select the device from the Manage Devices page. These two fields are displayed only for vWAAS
devices.
Figure 2. vWAAS Capabilities
162
Value
----Registered
Use Policy
750
750
3.0 seconds
Module/Submodule
-------------------vwaas/model
Instance
--------------<------Not registered
To register the vWAAS device with the Central Manager, use the cms enable global configuration command on the vWAAS
device:
vWAAS# config
vWAAS(config)# cms enable
Registering WAAS Application Engine...
Sending device registration request to
Please wait, initializing CMS tables
Successfully initialized CMS tables
. . .
management services enabled
You can verify the registration with the show cms info command:
vWAAS# show cms info
Device registration information :
Device Id
Device registered as
1730
= WAAS Application Engine
ala
<----- Successful
registration
vWAAS device registration and deregistration is logged in the system message log with a line that begins with "vWAAS:". You
can view the system message log in the Central Manager by choosing Admin > Logs > System Messages.
Figure 3. vWAAS Registration Syslog Message
164
=
=
=
=
=
=
=
=
=
=
YES
4783472
918762
15537
0
26
0
0
0
810022
<-----Should be YES
<-----Should be incrementing
<-----Should be incrementing
165
=
=
=
=
0
0
0
0
To determine if VPATH is sending ARP requests, use the tcpdump arp command.
To display VPATH MAC address information for TCP flows, use the show statistics connection egress-methods command:
vWAAS# show statistics connection egress-methods
----------------------------------------------------------------------|
|
TUPLE
|
MATE
|
----------------------------------------------------------------------Local-IP:Port
10.104.227.25:443
10.104.227.28:36052
Remote-IP:Port
10.104.227.28:36052
10.104.227.25:443
Directed Mode
No
No
Egress method
IP Forwarding
IP Forwarding
VPATH mode
Yes
Yes
WCCP Service|Bucket
Tuple Flags
NON-WCCP|L2|
NON-WCCP|L2|
Intercepting Device (ID):
ID IP address
ID MAC address
ID IP address updates
0
0
ID MAC address updates 0
0
Egress Tunnel Dst
VPATH MAC Address
00:02:3D:83:B5:03
00:02:3D:83:B5:03
Memory address
0xffff8101078b1b80
0xffff8101078b1b80
. . .
<-----VPATH connection
Module/Submodule
-------------------vwaas/model
Instance
--------------memory
<-----Undersized alarm
You should never see this alarm if you are using valid OVA files to deploy vWAAS. If you see this alarm, delete the vWAAS VM
and redeploy it using a valid OVA file.
Guide Contents
Main Article
Understanding the WAAS Architecture and Traffic Flow
166
Contents
1 Verifying WAAS Express Image Version
2 Verifying WAAS Express License
3 Verifying WAAS Enabled Interfaces
4 Verifying WAAS Optimized Connections
5 Verifying WAAS Optimized Data
6 Verifying WAAS Express Alarms
7 Verifying WAAS Express Peers
8 Offline Alarms
9 Verifying WAAS Express HTTPS Configuration
10 WAAS-Express - WAE - WAAS CM Compatibility
10.1 WAAS-Express Version 1.0,1.5
10.1.1 Known Issues
10.2 WAAS-Express Version 2.0.0
10.2.1 Known Issues
11 Unexpected WAAS-Express License Expiration
12 WAAS-Express and WAAS CM interaction issues
12.1 Symptom: WAAS-Express fail to register with the WAAS CM
12.1.1 Possible Cause #1: Connectivity issue
12.2 Symptom: WAAS CM shows WAAS-Express goes off-line after successful registration
12.2.1 Possible Cause #1: WAAS-Express device certificate changes
12.2.2 Possible Cause #2: Incorrect certificates or trustpoints are used
12.2.3 Possible Cause #3: Device authentication problem
12.2.4 Debug Information
12.3 Symtom: Mismtach Statistic between WAAS CM and WAAS-Express
12.3.1 Possible Cause #1: Clocks are not synchronized
13 Connections are not getting optimized
13.1 Symptom: Connections are getting pass-through
13.1.1 What could cause asymetric routing or dropped packets in the network
13.1.2 Information to be provided to development team:
14 Connections are not getting the desired optimization level
14.1 Symtom: Established connections do not get the desired or configured policy to use CIFS, SSL, or
167
Contents
168
Evaluation
625 weeks 0
622 weeks 6
Note: WAAS should be enabled on WAN interfaces only. If connections, to be optimized, are routed over multiple WAN
interfaces, then, WAAS should be applied on all those WAN interfaces.
Note: If WAAS is enabled on a logical or virtual interface it need not be implemented on the corresponding physical
interface.
status
:59211
:56860
:59206
Dest IP:Port
192.168.4.2
192.168.4.2
192.168.4.2
:1742
:61693
:23253
PeerID
0021.5e57.a768
0021.5e57.a768
0021.5e57.a768
Accel
TLD
TLD
TLD
To view similar information from the Central Manager, choose the WAAS Express device, then choose Monitor > Optimization
> Connections Statistics to see the Connections Summary Table.
Figure 1. Connections Summary Table
169
Outbound
41674120
87948683030
863
0
0
0
Completed
126
71
0
0
on
off
off
off
off
off
To view alarms for all devices from the Central Manager, choose My WAN > Alerts. In addition to the alarms listed above, an
alarm is raised if the clocks of the WAAS Express and WAAS Central Manager devices are not synchronized.
Outbound
5212151
6867128187
0
0
0
0
Completed
0
0
0
0
1
0
1
3
1
0
Local AO statistics
Local AO:
TFO
Total number of incompatible connections: 0
Version:
0.11
Registered:
Yes
Local AO:
HTTP
Total number of incompatible connections: 0
Version:
1.1
Registered:
Yes
Local AO:
SSL
Total number of incompatible connections: 0
Version:
1.0
Registered:
Yes
171
0027.0d79.c215
20.0.0.2
00:00:02
Yes
0
1.0
No
Yes
4.4.3(b4)
<--- Peer ID
<--- Peer IP
TFO
Yes
0.20
HTTP
Yes
1.4
SSL
Yes
1.0
Enabled
0
1
Peer-ID
Hostname
IP reported from peer
Peer version
0027.0d79.c215
waasx1-b-wae.cisco.com
20.0.0.2
4.4.3(b4)
Cache:
Cache in storage
Age
0 B
00:00:00
AckQ:
AckQ in storage
0 B
WaitQ:
WaitQ in storage
WaitQ size
0 B
0 B
Sync-clock:
Local-head
Local-tail
Remote-head
Curr-sync-clock
0 ms
0 ms
18609143000 ms
24215235228 ms
Encode Statistics
DRE msgs:
R-tx total:
R-tx chunk-miss:
R-tx collision:
Bytes in:
Bytes out:
Bypass bytes:
Compression gain:
Decode Statistics
DRE msgs:
Bytes in:
Bytes out:
Bypass bytes:
Compression gain:
<--- Peer ID
<--- Peer hostname
<--- Peer IP
1
0
0
0
0
0
178
0%
4
299
277
51
0%
172
To view similar information from the Central Manager, choose Monitor > Topology.
Offline Alarms
The WAAS Express device may go to an offline state in the Central Manager because of the following issues:
Central Manager does not have WAAS Express device credentials.
Credentials are not configured for this WAAS Express device in the Central Manager. The WAAS Central Manager needs
the WAAS Express username and password to communicate with the WAAS Express device. You can configure
credentials in the Central Manager by choosing My WAN (or a WAAS Express device or device group) > Admin >
WAAS Express Credentials.
Authentication failed while communicating with WAAS Express device.
The Central Manager is not able to communicate with the WAAS Express because wrong credentials are configured. You
can configure credentials in the Central Manager by choosing My WAN (or a WAAS Express device or device group) >
Admin > WAAS Express Credentials.
SSL Handshake failed while communicating with WAAS Express devcie.
The WAAS Express device certificate is changed and the same certificate is not imported for this device in the Central
Manager. To reimport the WAAS Express device certificate, choose the WAAS Express device, then choose Admin >
Certificate.
No route to WAAS Express device.
The Central Manager is not able to reach the WAAS Express Device. Configure the correct WAAS Express management
IP address by choosing the WAAS Express device, then choosing DeviceName > Activation.
Connection is refused by WAAS Express device.
The HTTPS server port configured on the WAAS Express device is not the same as the port shown in the Central
Manager DeviceName > Activation page. Configure the correct WAAS Express HTTPS server port in this page.
WAAS support is not available on WAAS Express device.
The WAAS Express device is downgraded to an IOS image version with no WAAS support. Install an IOS image with
WAAS support.
Connection timed out while communicating with WAAS Express device.
The WAAS Express device is taking more than 30 seconds to respond to the Central Manager. It could be because the
WAAS Express device is overloaded or the network is slow.
License is expired on WAAS Express device.
The Evaluation license on the WAAS Express device is expired. Install a Permanent license by using the WAAS Express
license install command.
SSL connection closed incorrectly while communicating with WAAS Express device.
Offline Alarms
173
secure
secure
secure
secure
secure
secure
server
server
server
server
server
server
status: Enabled
port: 443
ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-sha
client authentication: Disabled
trustpoint: local
active session modules: ALL
Known Issues
IOS version WAE version WAAS CM version
15.1(3)T1
5.0.1
4.4.5a
Known Issues
Connections originating on data-center side will not be optimized:
CSCtz82646
This version of WAAS-Express, in addition to supporting transport optimization, also support selected applicaiton optimization,
specifically HTTP Express, SSL Express, and CIFS Express AO.
174
WAE
version
WAAS CM
version
Known Issues
15.2(4)M1
< 4.4.3c
< 5.0.1
HTTP-Express Accelerator requires 4.4.3c or later. Connections will not have http
optimization, however, will have TDL.
15.2(4)M1
< 5.0.1
< 4.4.5a
< 5.0.1
< 5.0.1
< 5.0.1
15.2(4)M1
15.2(3)T1
15.2(3)T
< 5.0.1
< 5.0.1
< 5.0.1
Known Issues
Policy Map
waas_global
175
Evaluation
0 seconds <---- License is expired.
0 seconds
errors
ext
msg
states
176
177
Debug Information
178
0
0
0
0
0
0
0
0
0
0
0
0
0
waas
waas
waas
waas
waas
infra error
infra events
auto-discovery error
auto-discovery event
auto-discovery op <---- Verbose debug
If the counter for Interface Application Configincrements, it is likely your policy is configured to pass-through this
particulate connection. Check your WAAS policy on both WAAS-Express and its peer.
Solution: Check and validate your optimization policy. Use below debug to discover if traffic is marked as pass-through
in the policy.
show policy-map type waas interface
debug waas infra events
If the counter for Interface Global Config increments, this could be caused by asymetrical routing in your network. This
is the case where WAAS-Express or its peer does not see both directions of the TCP traffic. This could be caused by true
asymetrical routing in the network, or could be caused by some packets are getting dropped by devices in the traffic path
(ACL, firewall, etc.)
Solution: Check for asymetric routing of dropped packets in the network.See what could cause asymetric routing or
dropped packets in the network below.
Connections could also be pass-through if the peers are not compatible with each other. This may happen if you run the
non-compatible version between WAAS-Express and WAE. Check the compatibility table above for recommedned
software releases.
Solution #1: Check if the peer is incompatible using show waas statistics aoim
Solution #2: If you believe you have asymetrical routing scenario in your network, check the following.
What could cause asymetric routing or dropped packets in the network
Multiple WAN links in either the WAAS-Express router or the peer. Note that WAAS-Express it not supported on
active/active or active/standby routers because both traffic leaving and entering the WAN need to be on the same
WAAS-Express router. If there are multiple WAN links, make sure all the WAN links have config waas enable. Make
sure that all the WAN links and routers on the peer routers have config to redirect traffic to WAAS.
179
waas
waas
waas
waas
waas
auto-discovery error
auto-discovery event
auto-discovery operation
infra error
infra event
Note: Pass-through connections are not counted in the per-platform connection limit. WAAS-Express does not track
pass-through connections, hence there are no statistics related to pass-through flows. There, however, are counters that
indicate how many flows were put into pass-through and why.
Symtom: Established connections do not get the desired or configured policy to use
CIFS, SSL, or HTTP-Express AO
Verify that CIFS, SSL, or HTTP-Express AO is enabled globally
router#show waas status
IOS Version: 15.2(4)M1
WAAS Express Version: 2.0.0
WAAS Enabled Interface Policy Map
FastEthernet8 waas_global
WAAS Feature License
License Type: EvalRightToUse
Evaluation total period: 8 weeks 4 days
Evaluation period left: 7 weeks 4 days
DRE Status : Enabled
LZ Status : Enabled + Entropy
CIFS-Express AO Status : Disabled
SSL-Express AO Status : Enabled
HTTP-Express AO Status : Disabled <---- HTTP Express AO is disabled by default
Maximum Flows : 75
Total Active connections : 4
Total optimized connections : 4
180
Check Configured, Derived and Applied Accelerator fields under show waas connection detail
Router#show waas connection detail
...
Negotiated Policy:
Configured Accelerator:
Derived Accelerator:
Applied Accelerator:
Hist. Accelerator:
Bytes Read Orig:
...
0
0
0
show
show
show
show
show
show
show
show
show
show
waas
waas
waas
waas
waas
waas
waas
waas
waas
waas
status
alarms
accelerator detail
accelerator http
accelerator smb
accelerator ssl
statistic global
statistic auto-discovery
statistic aoim
statistic pass-through
Typically, there will also be error message which indicates the type of error along with the flow that is getting reset. For example,
Aug 18 03:02:52.861: %WAAS-3-WAAS_TFO_DEC_FRAME_FAILED: IOS-WAAS failed to decode TFO frame for connection 100.2.0
182
waas
waas
waas
waas
waas
waas
waas
waas
waas
infra error
auto-discovery error
aoim error
tfo error
lz error
dre error
accelerator ssl error
accelerator http error
accelerator cifs error
Router crash/tracebacks
Router crashes and tracebacks may have been seen during testing. Search of previous cases and DDTSs for similar known issues.
In addition we also need to isolate what feature is resulting in the crash. If an IOS feature other than ios-waas or layer4-forwarding
is resulting in a crash/traceback, then that particular feature development team/ router TAC should be contacted accordingly.
Do a topic search at topic.cisco.com
Check previous customer cases for similar/known issues.
Information to be provided to the development team:
show tech or if not possibleshow running-config output
Exact IOS version.
Exact steps to reproduce the problem.
Decodes of traceback, or crashinfo in the case of crash.
Topology of the network
Any relevant information that will help with the reproduction of the problem internally.
Hung connections
There are no known issues with hung connections, please provide the following information to the development team to help RCA
the problem.
Step to troubleshoot and collect information
Search the flow in WAAS-Express connection table using show waas connection.
Router#show waas connection
ConnID
Source IP:Port
3336
192.168.22.99 :37797
Router#
Dest IP:Port
192.168.42.99
:80
PeerID
0016.9d39.20bd
Accel
THDL
184
3336
0016.9d39.20bd
External
19:45:34 UTC Dec 21 2011
192.168.22.99
37797
<------ Unique port number required for next step
192.168.42.99
80
Web
HTTP
TFO, LZ, DRE
TFO, LZ, DRE
TFO, LZ, DRE
HTTP-Express
HTTP-Express
HTTP-Express
None
43056412
25
162
43359878
192.168.42.99:80
From the first column, collect the L4F flow id and use the information to get the detail L4F connection information.
Router#show l4f flow detail F4DF6EA0
Flow Address : F4DF6EA0
Index
: 11
Idle Time
: 0.004
Family
: IPv4
Protocol
: TCP
VRF ID
: 0
Address1
: 192.168.22.99:37797
Address2
: 192.168.42.99:80
State
: L4F_STATE_PROXYING
Flags
: 0x00012000
App Context
: 0x41D4728C
CEF pak
: 0x0
Endpoint1 FD 1073748479
State
: EP-ESTAB
Flags
: 0x00000001
Client
: L4F_FEATURE_WAAS
Association
: OUTPUT
CEF Fwd State : 0xC20D2C74
Proc Fwd State: 0xC1E36EA8
TCB Address
: 0xC01F0D9C
<------ Address required for next step
Endpoint2 FD 1073748480
State
: EP-ESTAB
Flags
: 0x00000001
Client
: L4F_FEATURE_WAAS
Association
: INPUT
CEF Fwd State : 0xC20D2248
Proc Fwd State: 0xC1E36F20
TCB Address
: 0x4002AB6C <------ Address required for next step
185
mis-ordered: 0 (0 bytes)
688070906
684581592
sndwnd:
rcvwnd:
6144
1263
snduna:
rcvnxt:
scale:
scale:
688070932
713368125
9
7
sndnxt:
maxrcvwnd:
delrcvwnd:
688070932
32767
0
SRTT: 6687 ms, RTTO: 59312 ms, RTV: 52625 ms, KRTT: 0 ms
minRTT: 0 ms, maxRTT: 2857348 ms, ACK hold: 200 ms
Status Flags: passive open, Timestamp echo present
Option Flags: keepalive running, SACK option permitted, non-blocking reads
non-blocking writes, win-scale, 0x200000, 0x1000000, 0x10000000
0x20000000
IP Precedence value : 0
mis-ordered: 0 (0 bytes)
186
0
0
19975
iss: 2832065240
irs: 2835554554
0
0
19975
0x0
0x0
0x0
snduna: 2867154917
rcvnxt: 2835554717
sndnxt: 2867205953
maxrcvwnd:
delrcvwnd:
65535
0
The following command output can be useful in debugging the WAAS-Express AO.
show
show
show
show
show
waas
waas
waas
waas
waas
statistics
statistics
statistics
statistics
statistics
errors
accelerator
accelerator
accelerator
accelerator
http-express
cifs-express
ssl-express
ssl-express debug
Version: 1.0
Check if you have an NPE image (this image does not support SSL-Express Accelerator)
SSL-Express Accelerator issues:
187
Enable ssl, aoim and infra debugs during enable/disable operation and provide debug logs.
Connection getting reset because of W2W handshake failure
Check SSL-Express Accelerator error statistics using show waas statistics errors | i SSL-Express
Check certificates:
Check alarms:
Router#show waas alarms
...
WAAS SSL-Express CA enrolled trustpoint deleted:
WAAS SSL-Express router certificate deleted:
...
off
off
Check configuration on edge and core devices. Check they are in-sync with respect to cipher-list, SSL version, and
certificate verification and revocation checks.
If self-signed certificates are being used, revocation-check and certificate verification should be disabled.
Turn on debug waas accelerator ssl error
Connection getting pipe-through?ed because of C2S Unsupported cipher
Check SSL-Express Accelerator error statistics using show waas statistics errors | i SSL-Express
Turn on debug waas accelerator ssl
Check cipher-list configured in the accelerated-svc on core WAAS device.
No SSL optimization (Pipe-through)
Check SSL-Express status on WAAS Express device: show waas accelerator ssl-express
Check SSL AO status on peer WAAS device: show accelerator ssl
Check SSL-Express statistics: show waas statistics accelerator ssl-express | i Pipe
Unable to access HTTPS page from internet
Since server is in internet, it?s private key and certificate can?t be installed on core WAAS device. Even after
accepting warning for certificate in the browser some objects on page may not show-up.
These objects may be served from CDN (content-delivery network). This issue is not unique to WAAS-Express.
That is, it should happen when connection is optimized between two WAAS devices as well.
Users will need to add exception to the browser to ignore certificate from CDN URL.
CDN URL can be found in page source.
show
show
show
show
waas
waas
waas
waas
statistics
statistics
statistics
statistics
accelerator
accelerator
accelerator
accelerator
ssl
ssl debug
ssl ciphers
ssl peering
188
Information in addition to debugs and show commands, that needs to be provided to the development team:
show
show
show
show
show
show
show
show
tech-support
ip interface
ip virtual-reassembly
ip route
ip cef detail
ip cef internal
ip cef switching statistics
process cpu history
int
int
int
int
s0/0/0
s0/0/0
s0/0/0
s0/0/0
start
stop
copy ftp://username:password@192.168.1.116//tftpboot/ngwo.pcap
clear
This article describes how to troubleshoot the integration of Network Analysis Module (NAM) into the WAAS Central Manager.
Guide Contents
Main Article
Understanding the WAAS Architecture and Traffic Flow
Preliminary WAAS Troubleshooting
Troubleshooting Optimization
Troubleshooting Application Acceleration
Troubleshooting the CIFS AO
Troubleshooting the HTTP AO
Troubleshooting the EPM AO
Troubleshooting the MAPI AO
Troubleshooting the NFS AO
Troubleshooting the SSL AO
Troubleshooting the Video AO
Troubleshooting the Generic AO
Troubleshooting Overload Conditions
Troubleshooting WCCP
Troubleshooting AppNav
Troubleshooting Disk and Hardware Problems
Troubleshooting Serial Inline Clusters
Troubleshooting vWAAS
Troubleshooting WAAS Express
Troubleshooting NAM Integration
Contents
1
Connectivity
Issues
2 Rendering
Issues
3 Chart Data
Issues
The Cisco Network Analysis Module (NAM) is a standalone network analysis product that you can access through the WAAS
Central Manager if you have a NAM server installed in your network. This article describes how to troubleshoot the integration of
NAM into the WAAS Central Manager.
190
Connectivity Issues
If you are unable to connect to NAM from the WAAS Central Manager, do the following:
In the Central Manager GUI, choose Configure > Network Analysis Module (Beta) > Basics > Setup and ensure that
NAM server address and credentials are entered correctly, then click Test Connectivity/Credentials. All of the address,
user, and password fields should show a green check mark to indicate success. Any fields that show a red X are
configured incorrectly.
Ensure that the NAM HTTP or HTTPS server is enabled.
Ensure that the NAM server IP address and port are reachable both from the Central Manager and from the client
computer on which you are running the browser to access the Central Manager. You should be able to use the same IP
address and port to access the NAM server from both machines, regardless of whether NAT is involved.
Check your browser settings. In Internet Explorer, you may need to revert to the default settings in the Security and
Privacy tabs of Tools > Internet Options, then change the Privacy setting to Low.
If you are using the NAM HTTPS server, the NAM self-signed certificate may not be installed in the browser. Manually
add the NAM self-signed certificate into your browser. Alternatively, you can launch the NAM user interface in a separate
browser tab or window and accept and install the certificate, which allows you to view the integrated charts.
If you are unable to directly telnet into the NAM server, use the exsession on command on the NAM console
Rendering Issues
If the NAM page does not render properly or some action buttons on NAM do not work, it is likely due to an incompatible
browser version. The NAM server has the following browser requirements:
Internet Explorer 8 or later, or Firefox 3.6 or later
Java version 6 update 22 or later
Adobe Flash 10.0.45.2 or later (install the latest version from Adobe)
JavaScript must be enabled
If you get the message, "Navigation to the webpage was canceled" when you click on a NAM report, log out of the Central
Manager and log in again. When the browser asks if you want to view only the content delivered securely, click "No" to show all
content. The Central Manager data is based on HTTPS and NAM access uses HTTP by default, so the browser must be able to
show both secure (HTTPS) and unsecure (HTTP) content.
192