Hey Andrej, I just had the

andrej cambal · ‎07-01-2016

Hello, has anyone yet successfully tested SMB v3 on the latest Cisco WAAS 6.2.1?

I'm trying to get SMB v3 working in our LAB environment however it looks like all my connections are getting pushed-down to the Generic AO. None of the connection is getting accelerated by the SMB engine. I have tried various settings on WAAS (highest-dialect, matches-dialect, signing settings) and also on CLIENT/SERVER side (smb signing turned on/off) without any luck. SMB v2.1 seems to be working just fine...

WAAS devices are running latest IOS v 6.2.1

Client side: Windows 8.1

Server side: Windows Server 2012 Standard

When I check WireShark, I can see that SMB is getting negotiated (dialect) to SMB3.00 which is correct. But for some reason the WAAS appliance does not use the SMB engine to accelerate such traffic.

Tested connection would look this:

apm-wave-br01#sh stat conn opti

D:DRE,L:LZ,T:TCP Optimization RR:Total Reduction Ratio
A:AOIM,C:SMB,E:EPM,G:GENERIC,H:HTTP,I:ICA,M:MAPI,N:NFS,S:SSL,W:WAN SECURE,X: SMB
Signed Connection,s:SSL Interposer

ConnID Source IP:Port Dest IP:Port PeerID Accel RR
6825 192.168.21.11:49247 192.168.11.11:445 c0:8c:60:8b:c8:be TDL 02.6%

apm-wave-br01#sh stat conn conn-id 6825

Connection Id: 6825
Peer Id: c0:8c:60:8b:c8:be
Connection Type: EXTERNAL CLIENT
Start Time: Thu Jun 30 10:48:17 2016
Source IP Address: 192.168.21.11
Source Port Number: 49247
Destination IP Address: 192.168.11.11
Destination Port Number: 445
Application Name: CIFS
Classifier Name: CIFS
Map Name: WAAS-GLOBAL
Directed Mode: FALSE
Preposition Flow: FALSE
Policy Details:
Configured: TCP_OPTIMIZE + DRE + LZ
Derived: TCP_OPTIMIZE + DRE + LZ
Peer: TCP_OPTIMIZE + DRE + LZ
Negotiated: TCP_OPTIMIZE + DRE + LZ
Applied: TCP_OPTIMIZE + DRE + LZ
Accelerator Details:
Configured: CIFS
Derived: CIFS
Applied: None
Hist: SMB

philipp.kreidl1 · ‎09-14-2016

Hey Andrej, I just had the very same behaviour in my WAAS environment and opened a TAC case. I guess you might already found the same solution but maybe it is useful for somebody else looking for this issue.

The WAAS will hand off a SMB3 connection if it is encrypted and/or signed and it does not have a domain membership, this is the expected behaviour and is perfectly fine, the thing is:

1. The need for the domain join is not documented in the config guide for version 6.2.1 or 6.2.3 but it is in 6.1.1

2. There is now show command which will confirm that the SMB connection was encrypted/signed

So in this case the only way to verify is by looking into the logfile /local1/errorlog/smbao-errorlog.current in which you should see a line like this:

09/14/2016 13:50:22.137smbao(28957 0.0) NTCE (136996) (fl=20467) f:YE2 FL:Invoking pushdown (src fd: 17, dst fd: 44) with reason: digitally signed traffic @smb_flow_handler [AoSmbFlow.cpp:881]

Hope this helps

Tymofii Dmytrenko · ‎02-17-2017

Thanks for that. In fact, they do have a guide how to configure a windows AD identity but under encrypted MAPI optimization section. It is also possible to do this via GUI: Configure > Security > Windows Domain > Encrypted Services.

Even if you use CLI to do this, you will see your identity in this list and can later edit it using GUI.

However, I am still struggling to understand what is the best way to optimize SMBv3 traffic. I know we use SMBv3 with signing enabled, and people complain about slow network shares now. However, when I check connections on WAAS it shows my like if SMB AO is applied to it, but all my WNs generate 'Identity not configured alarm'. Also, my SMB AO is configured with SMB2.1 as Highest Dialect and Exceed Action is Mute.

I think it has to be SMB3.02 (as long as I have AD identities configured). Has anyone managed to integrate WAAS with AD and get signed SMBv3 optimized properly?

Thanks

SMB v3 on Cisco WAAS 6.2.1