Cisco WAAS - SMB/CIFS Optimization Issue

udid
Level 1

Hello all!

I need some advice.

I'm conducting a PoC for WAN optimization which is built of the following devices:

1.) Two Cisco 4451-X routers on each side of the WAN.

2.) On one side of the WAN (the branch side), we have a UCS-E series server with ESXi Cisco customer image installed.
The vCM (Central Manager) is running on this ESXi server.
Also, each router has ISR-WAAS 4.5.1 installed with AppNav-XE used for traffic redirection.

3.) Two Cisco Catalyst switches, one on each site of the WAN (branch and DC) to connect all of the devices (PCs, servers, routers).

4.) On the DC side, there is a physical checkpoint FW which serves as the DG of all devices on the DC.
There is also a physical domain controller server installed.

5.) On the branch side, there is a virtual FW installed on the ESXi server, which serves as the DG of all devices on the branch side.
There is also a VM on which a virtual domain controller server is installed.

6.) The WAN characteristics:
256K link, 400-450ms one-way delay.
The speed and delay are introduced using a physical WAN emulator device which is connected between the two routers.

7.) The two routers form a GRE tunnel between them, and are also running OSPF between them and between each one of them and the FW on each site.

The test we'd like to perform:

A user needs to log in to its PC, which is part of a domain.
The PC performs the login by connecting to the physical domain controller.
It performs the login and retrieves a GPO.
This procedure, of course, is performed over the WAN with the characteristics I described.

The protocols involved in this procedure are:
CIFS/SMB, Kerberos and LDAP.

We wanted to test the login procedure and GPO retrieval with Cisco WAAS and see if it optimizes the login and GPO retrieval process.

Without WAAS, the entire procedure (from the moment when the user enters its credentials until it sees the desktop) takes 3 minutes.
With WAAS, it takes 3:40 minutes (even slower).

On "show statistics connection" command, we can see that traffic is being optimized (there is a reduction rate and all CIFS traffic is using the SMB AO - we see TXDL).
We noticed that one of the CIFS sessions is actually less optimized (there is a bad reduction rate).

We also noticed that all CIFS sessions are handed-off to the generic AO (by using the "show statistics accelerator smb detail" command).
Furthermore, by looking at SMB AO logs, we see the following two messages:

08/28/14 10:26:17.851(11068 0.0) NTCE (851741) intercepted new connection new flow 46, source A.B.C.D:49263(fd:22), destination A.B.C.D:445(fd:23) @smb_new_conn_handler [AoSmbFlow.cpp:429]
08/28/14 10:26:19/601(11068 0.2) NTCE (601866) (fl=76) f:YC2 FL:Invoking pushdown (src fd: 22, dst fd: 23) with reason: digitally signed traffic @smb_flow_handler [AoSmbFlow.cpp:664]

Anyway, we wanted to try and optimize a standard CIFS application - just sending some files using //A.B.C.D/c$ from the PC to the physical domain controller.

Without WAAS, it takes more than 3 minutes.
With WAAS, it takes approximately 40 seconds.
So standard file transfer is being optimized successfully.
However, we still see the same error messages above and we still see that CIFS sessions are handed-off to the generic AO on the "show statistics accelerator smb detail" command.

So, it means that the sessions being handed-off are not causing the login and GPO retrieval to not be optimized (and even to be slower), but there is some other issue with the WAAS during this process.

Needless to say that when we use the virtual domain controller for the login process, it takes a few seconds for the login process and GPO retrieval to complete, since the domain controller is local on the branch, on the ESXi server on the UCS-E.

Are you aware of such an issue, where WAAS does not optimize the login and GPO retrieval process, that uses the standard CIFS protocol?
Please be aware that I'm not able to share configuration or sniffer captures, since the security policy of the organization forbids it.

I'd be thankful for your assistance.

Thanks.

1 Reply

Hi,

Regarding the push-down: WAAS will push down the signed SMB traffic to the Generic AO.

 

Be aware that if you turn on SMB signing the optimizations performed will only be TFO/DRE/LZ. The signed SMB/SMBv2 traffic is optimized, not accelerated with SMB AO like unsigned SMB/SMBv2 traffic.

 

We know this is confusing, whence: CSCub42695.

 

I hope this answers at least some of your questions.

 

Regards,

Abhishek

Regards, Abhishek Purohit CCIE-S- 35269
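
To see which intercepted connections the SMB AO pushed down and for what reason, the two log lines quoted in the question can be correlated by their file-descriptor pair. This is an added example, not part of the original thread and not Cisco tooling; the regexes and the fd-pair matching are assumptions derived only from those two lines, and the third sample line is constructed.

```python
import re
from collections import Counter

# Patterns are assumptions derived only from the two SMB AO log lines quoted
# in the question; other message layouts are ignored.
NEW_CONN = re.compile(
    r"intercepted new connection new flow (?P<flow>\d+), "
    r"source (?P<src>\S+?):(?P<sport>\d+)\(fd:(?P<sfd>\d+)\), "
    r"destination (?P<dst>\S+?):(?P<dport>\d+)\(fd:(?P<dfd>\d+)\)")
PUSHDOWN = re.compile(
    r"Invoking pushdown \(src fd: (?P<sfd>\d+), dst fd: (?P<dfd>\d+)\) "
    r"with reason: (?P<reason>.+?) @")

SAMPLE_LOG = [
    # First two lines are the ones quoted in the question.
    "08/28/14 10:26:17.851(11068 0.0) NTCE (851741) intercepted new connection new flow 46, source A.B.C.D:49263(fd:22), destination A.B.C.D:445(fd:23) @smb_new_conn_handler [AoSmbFlow.cpp:429]",
    "08/28/14 10:26:19/601(11068 0.2) NTCE (601866) (fl=76) f:YC2 FL:Invoking pushdown (src fd: 22, dst fd: 23) with reason: digitally signed traffic @smb_flow_handler [AoSmbFlow.cpp:664]",
    # Constructed line: a connection that is never pushed down.
    "08/28/14 10:26:20.100(11068 0.0) NTCE (100000) intercepted new connection new flow 47, source A.B.C.D:49264(fd:24), destination A.B.C.D:445(fd:25) @smb_new_conn_handler [AoSmbFlow.cpp:429]",
]

def summarize_pushdowns(lines):
    """Pair each pushdown with the latest connection that used the same fd pair."""
    open_conns = {}  # (src fd, dst fd) -> fields of the intercepted connection
    events = []
    for line in lines:
        m = NEW_CONN.search(line)
        if m:
            open_conns[(m["sfd"], m["dfd"])] = m.groupdict()
            continue
        m = PUSHDOWN.search(line)
        if m:
            conn = open_conns.pop((m["sfd"], m["dfd"]), None)
            events.append({
                "reason": m["reason"],
                "client": f'{conn["src"]}:{conn["sport"]}' if conn else None,
                "server_port": int(conn["dport"]) if conn else None,
            })
    return events

def reasons(events):
    """Count pushdowns per reason string, e.g. 'digitally signed traffic'."""
    return Counter(e["reason"] for e in events)

if __name__ == "__main__":
    for reason, count in reasons(summarize_pushdowns(SAMPLE_LOG)).items():
        print(f"{count} pushdown(s): {reason}")
```
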