Hi,
We have a setup in which we have two Catalyst 6500s in a core network that receive connections from 100+ remote sites with WAAS devices optimizing traffic, and two core WAE-674s acting as endpoints for connections to a datacenter and DMZ off of the two 6500s. There have been times when the core WAEs are restarted, or when services 61 or 62 are restarted, that the CPU goes up to 98%+ for some time, causing strain on the core network.
After a few conversations with TAC it was found that the problem lies with the ACL and that it needs to be modified. We are following best practices to the best of my knowledge.
One of the things they pointed out was that the redirect ACL should not have specific port statements, and that they should be avoided. Our ACL looks like this at the beginning:
remark **Deny Management Protocols***
deny tcp any any eq telnet
deny tcp any any eq 22
deny tcp any any eq 161
deny tcp any any eq 162
deny tcp any any eq 123
deny tcp any any eq bgp
deny tcp any any eq tacacs
deny tcp any any eq 2000
deny tcp any any eq 5060
deny tcp any any eq 5061
deny tcp any any eq 1718
deny tcp any any eq 1719
deny tcp any any eq 1720
deny tcp any any eq 554
deny tcp any any eq 1755
The reason for this was to bypass redirecting these protocols through the WAAS. I have found that most of these protocols have a default policy to be passed through by the WAE. Is there any reason why there might be problems if these protocols are redirected? Even as pass-through traffic?
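Added example, not code from the original post or from Cisco: a small Python checker that parses the redirect ACL above and lists every entry that matches on an L4 port, which is what TAC said should not appear in the redirect ACL. The sample ACL is reconstructed from the post; the trailing permit ip any any is an assumption, since the post shows only the beginning of the ACL.

```python
from dataclasses import dataclass
from typing import Optional

# IOS port keywords used in the ACL above, mapped to their standard IANA numbers.
IOS_PORT_NAMES = {"telnet": 23, "ssh": 22, "bgp": 179, "tacacs": 49, "www": 80, "domain": 53}
PORT_OPERATORS = {"eq", "gt", "lt", "neq", "range"}

@dataclass
class Ace:
    action: str
    protocol: str
    src: str
    dst: str
    src_port: Optional[tuple] = None   # e.g. ("eq", 23) or ("range", 1718, 1720)
    dst_port: Optional[tuple] = None
    text: str = ""

def _port_value(p: str):
    # Resolve an IOS keyword or numeric port; unknown keywords are kept as-is.
    return IOS_PORT_NAMES.get(p, int(p) if p.isdigit() else p)

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return tokens[0], tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]          # 'host X' or 'addr mask'

def _take_port(tokens):
    """Consume an optional L4 port operator ('eq telnet', 'range 1718 1720')."""
    if not tokens or tokens[0] not in PORT_OPERATORS:
        return None, tokens
    n = 2 if tokens[0] == "range" else 1
    ports = tuple(_port_value(p) for p in tokens[1:1 + n])
    return (tokens[0],) + ports, tokens[1 + n:]

def parse_ace(line: str) -> Optional[Ace]:
    """Parse one extended-ACL entry; remarks, blanks and unknown lines yield None."""
    tokens = line.split()
    if tokens and tokens[0].isdigit():               # optional sequence number
        tokens = tokens[1:]
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        return None
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = _take_addr(rest)
    src_port, rest = _take_port(rest)                # IOS allows a source-port operator too
    dst, rest = _take_addr(rest)
    dst_port, rest = _take_port(rest)
    return Ace(action, proto, src, dst, src_port, dst_port, line.strip())

def port_specific_aces(acl_text: str) -> list:
    """Return every entry that matches on an L4 port (the entries TAC advised removing)."""
    aces = (parse_ace(l) for l in acl_text.splitlines())
    return [a for a in aces if a and (a.src_port or a.dst_port)]

# Constructed sample: the ACL from the post plus an assumed final 'permit ip any any'.
SAMPLE_ACL = """remark **Deny Management Protocols***
deny tcp any any eq telnet
deny tcp any any eq 22
deny tcp any any eq 161
deny tcp any any eq 162
deny tcp any any eq 123
deny tcp any any eq bgp
deny tcp any any eq tacacs
deny tcp any any eq 2000
deny tcp any any eq 5060
deny tcp any any eq 5061
deny tcp any any eq 1718
deny tcp any any eq 1719
deny tcp any any eq 1720
deny tcp any any eq 554
deny tcp any any eq 1755
permit ip any any"""

if __name__ == "__main__":
    for ace in port_specific_aces(SAMPLE_ACL):
        print(f"port-specific entry: {ace.text}  -> dst_port={ace.dst_port}")
```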