WAAS WITH WINDOWS SERVER 2008 AND CERTIFICATE

thiago.tomen
Level 1

172.20.203.3:135       172.20.1.191:2751      -   PT AD Int Error   -----
172.20.221.205:51786   172.20.1.176:80        -   PT In Progress    -----
172.20.1.191:2751      172.20.203.3:135       -   PT AD Int Error   -----
172.20.221.3:443       172.20.1.29:25403      -   PT AD Int Error   -----
172.20.1.176:80        172.20.221.250:64345   -   PT In Progress    -----
172.20.221.250:64345   172.20.1.176:80        -   PT In Progress    -----
172.20.203.222:57837   172.20.1.232:80        -   PT In Progress    -----
172.20.1.138:2249      172.20.140.218:139     -   PT AD Int Error   -----
172.20.1.29:25403      172.20.221.3:443       -   PT AD Int Error   -----
172.20.1.29:25452      172.20.221.3:443       -   PT AD Int Error   -----
172.20.1.138:2241      172.20.140.218:445     -   PT AD Int Error   -----
172.20.1.29:25411      172.20.221.3:443       -   PT AD Int Error   -----
172.20.1.187:8014      172.20.221.250:64349   -   PT In Progress    -----
172.20.1.176:80        172.20.221.205:51786   -   PT In Progress    -----
172.20.140.218:445     172.20.1.138:2241      -   PT AD Int Error   -----
172.20.221.3:443       172.20.1.29:25452      -   PT AD Int Error   -----
172.20.1.138:1942      172.20.221.3:445       -   PT In Progress    -----

SMB Digital Signing is enabled by default on Domain Controllers. I'll double-check, but I don't believe it is enabled across ALL 2008 Servers; it would be worth checking, though.

Digital Signing is designed to prevent man-in-the-middle attacks, which is precisely what WAAS is doing.

Turning it off generally improves speed by around 20%, even without WAAS, and lets WAAS use full DRE and the CIFS adapter to cache files.

Any problems, just raise a TAC case and my boys will help you out

Edit: a link from MS which discusses it in more detail and explains how to turn it off:

http://support.microsoft.com/?kbid=887429

According to that, it's NOT enabled across the board in 2008, just on the DCs.

My company uses WAAS. As you can see above, whenever I try to do the implementation, WAAS gives me the message "PT in AD error" for all the connections that will be compatible with Windows. I did some research, and what's above has to do with the Windows digital certificate, which WAAS is struggling to open due to the code encrypted in the certificate. Do you happen to have a way of enabling the certificate within the module? Another option would be to disable the certificate in Windows Server 2008?


Thiago,

PT AD Int Error has nothing to do with SMB digital signatures. PT AD Int Error means TFO auto-discovery failed and could not negotiate an optimized flow; this happens during the TCP 3-way handshake, before digital signatures even come into play.

A common reason for PT AD Int Error status is that another device in the path before WAAS has filled up the TCP options field with other data, thus leaving no room for WAAS to put its TCP opt 0x21.

Once you resolve the PT AD Int Error problem and a CIFS AO negotiated policy occurs, if the server/client require digital signatures then you will see the connection as T,G,D,L or T,G (meaning Generic AO).

If digital signatures are not required the CIFS connections will show as T,C,D,L.

I suggest you take packet captures on both client- and server-side WAEs to see how SYN and SYN-ACK packets are reaching the WAE, and check whether the options field is already filled with data before reaching the WAE.

If this is part of a WAAS PoC/ Demo feel free to open a case with the PDI team.

http://www.cisco.com/web/partners/tools/pdi.html

Otherwise, if this is in production please open a case with TAC.

Regards,

Mike Korenbaum

Cisco Data Center PDI Help Desk

http://www.cisco.com/go/pdihelpdesk
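To make the capture check above concrete, here is an added example (not from this thread, Cisco, or WAAS itself) that parses the option area of a raw TCP SYN/SYN-ACK header, lists the option kinds present, and reports whether option 0x21 is already there and whether enough of the 40-byte option area is free for it. The 8-byte size assumed for the WAAS option, the helper names, and the three sample headers are all constructed for the example; the ports come from the table in the question.

```python
import struct

TCP_OPTIONS_MAX = 40        # 60-byte max TCP header minus the 20-byte fixed part
WAAS_AD_KIND = 0x21         # TCP option 33, the WAAS auto-discovery option named in the reply
WAAS_AD_LEN = 8             # assumed option size for the room check; verify against your WAAS docs

def parse_tcp_options(tcp_header):
    """Parse the option area of a raw TCP header into (kind, length, value) tuples."""
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts = tcp_header[20:data_offset]
    parsed, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Option List: the rest is padding
            parsed.append((0, 1, b""))
            break
        if kind == 1:                      # NOP, single byte
            parsed.append((1, 1, b""))
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("truncated or malformed option at offset %d" % i)
        length = opts[i + 1]
        parsed.append((kind, length, bytes(opts[i + 2:i + length])))
        i += length
    return parsed, len(opts)

def audit_syn(tcp_header):
    """Report whether a SYN already carries 0x21 and whether room is left for it."""
    parsed, used = parse_tcp_options(tcp_header)
    kinds = [k for k, _, _ in parsed]
    free = TCP_OPTIONS_MAX - used
    return {"kinds": kinds, "options_bytes_used": used, "free_bytes": free,
            "has_waas_option": WAAS_AD_KIND in kinds,
            "room_for_waas": WAAS_AD_KIND in kinds or free >= WAAS_AD_LEN}

def build_syn(options, src_port=2751, dst_port=135):
    """Constructed SYN header (ports taken from the question's table) for testing only."""
    assert len(options) <= TCP_OPTIONS_MAX and len(options) % 4 == 0
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, data_offset << 4, 0x02, 65535, 0, 0)
    return fixed + options

# Constructed option sets: a typical Windows SYN, one already carrying 0x21, and a full one
NORMAL_OPTS  = bytes([2, 4, 5, 0xB4, 1, 3, 3, 8, 1, 1, 4, 2])               # MSS,NOP,WS,NOP,NOP,SACKok
WAAS_OPTS    = NORMAL_OPTS + bytes([WAAS_AD_KIND, WAAS_AD_LEN] + [0] * 6)  # plus a 0x21 option
CROWDED_OPTS = bytes([2, 4, 5, 0xB4, 1, 3, 3, 8, 4, 2, 8, 10] + [0] * 8
                     + [253, 20] + [0] * 18)                                # 40 bytes used, no room

if __name__ == "__main__":
    for name, opts in (("normal", NORMAL_OPTS), ("waas", WAAS_OPTS), ("crowded", CROWDED_OPTS)):
        print(name, audit_syn(build_syn(opts)))
```

Feed it the raw TCP header bytes of the SYN taken on the client-side WAE and of the same SYN on the server-side WAE; if `has_waas_option` flips from true to false, or `free_bytes` is already below 8 on arrival, something in between is consuming the option space.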
