03-15-2011 02:07 PM
In an asymmetric routing environment like this between site A and B:
Site A: two WAN routers, each router is WCCP with a farm of 2 WAEs (negotiated return). Each router has a WAN link. Two WAN links are in a load shared fashion.
Site B: same as site A.
When a user in site A initiates a TCP SYN to site B, it will be redirected by one router to one of the WAEs at site A. When the SYN ACK comes back from site B, for auto-discovery to work, the TCP ACK should be redirected back to the same WAE at site A.
However, with asymmetric routing, the returning SYN ACK could very well be routed through a different WAN link back to site A into a different WAN router, and redirected to a different WAE. Would auto-discovery fail in this case?
What could be a solution to it? Negotiated return is not applicable here because egress is not the problem.
Thanks a lot
03-17-2011 11:45 AM
Hello,
The situation you described here can provide optimization. Both of the WAEs have a WCCP router list that contains both routers. The key to having this work is that you have a CRC 61 on the LAN and a WCCP 62 on the WAN side of the routers.
So the packet flow looks like this.
A SYN packet hits the LAN interface of Router A with the "ip wccp 61 redirect in". The 61 looks at the source IP and will hash to one of the WAEs.
The SYN/ACK hits a WAN interface of Router B with the "ip wccp 62 redirect in". The 62 looks at the destination address and will hash to the same WAE that the SYN hashed to. Egress-method will make sure the WAE returns the packet back to the same router that forwarded to the WAE but you are correct.
If you have it configured like this but still see connections in the WAE as PT-asymmetric, then double-check to make sure you have the redirect statements on all the interfaces that the traffic hits. Also, if you are using a WCCP ACL, check it very carefully to make sure the traffic is correctly permitted for the direction it is flowing. The easiest way to do this is with one ACL that contains the mirror entries for the traffic of interest.
permit ip 192.168.1.0 0.0.0.255 any
permit ip any 192.168.1.0 0.0.0.255
I hope this helps,
Tom Jardin
Cisco TAC
03-18-2011 12:04 PM
Thank you very much Tom. Can you help me out with a similar scenario with WAAS modules?
A remote site with two WAN routers (3900 ISR G2), each with a SM-SRE module running WAAS. The 2 routers are in a load shared fashion. So both are "active" for WAN traffic.
Each router has WCCP 61 in for the LAN interface, and WCCP 62 in for the WAN interface. Each WAAS module uses IP forwarding egress back to its parent router.
Here is my confusion:
Should I make the 2 WAAS modules as a farm that can be recognized by both routers? By doing that, Router A may redirect traffic to the WAAS module in Router B, and that's not desired. However by not doing that, a TCP connection's SYN may be intercepted by the module in Router A, and the return SYN ACK may be intercepted by the module in Router B, which may cause auto-discovery failure.
Thanks a lot
Gary
03-18-2011 12:46 PM
Hi Gary,
Yes, you can make it a farm. You said that a SYN from router A may get sent to the module in router B and that is not desired.
Why not? I assume it will be able to get to router B on the LAN side which is at least 100 Meg, so no harm.
The reason for using two WAE modules is load balancing and/or redundancy and this will be accomplished.
Of course there is one other possibility. You could use the external interface on the WAE modules as the primary interface and connect them back to a vlan on a switch?
If this answers your question, please mark this as such.
Tom
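An added sketch (not from any post in this thread) of the redirection logic discussed above: service 61 keyed on the source IP and service 62 keyed on the destination IP, compared for one two-WAE farm shared by both routers versus one WAE per router. The CRC32 hash, the round-robin bucket table, the router and WAE names and the addresses are assumptions for illustration, not WCCP's actual hash or assignment algorithm.

```python
import ipaddress
import zlib

BUCKETS = 256  # WCCP hash assignment spreads traffic over 256 buckets


def bucket(ip):
    # Stand-in hash (CRC32 of the address bytes); NOT the real WCCP hash.
    return zlib.crc32(ipaddress.ip_address(ip).packed) % BUCKETS


def build_table(waes):
    # Bucket -> WAE map (round-robin here, an assumption). Routers that
    # serve the same farm are handed the same table.
    return [waes[b % len(waes)] for b in range(BUCKETS)]


def redirect(table, service, src, dst):
    # Service 61 keys on the source IP, service 62 on the destination IP.
    key = src if service == 61 else dst
    return table[bucket(key)]


def flow_wae_pair(tables, out_router, back_router, client, server):
    """WAEs that receive the SYN (LAN side, 61) and the SYN/ACK (WAN side, 62)."""
    syn = redirect(tables[out_router], 61, client, server)
    syn_ack = redirect(tables[back_router], 62, server, client)
    return syn, syn_ack


def split_flows(tables, clients, server):
    # Asymmetric path: SYN leaves via router A, SYN/ACK returns via router B.
    # Returns the clients whose two packets land on different WAEs.
    return [c for c in clients
            if len(set(flow_wae_pair(tables, "A", "B", c, server))) > 1]


# Constructed sample addresses.
CLIENTS = [f"192.168.1.{i}" for i in range(1, 51)]
SERVER = "10.20.0.10"

FARM = build_table(["WAE-A", "WAE-B"])
SHARED = {"A": FARM, "B": FARM}                      # one farm, both routers
SEPARATE = {"A": build_table(["WAE-A"]),             # each router only knows
            "B": build_table(["WAE-B"])}             # its own module

if __name__ == "__main__":
    print("shared farm, split flows:  ", len(split_flows(SHARED, CLIENTS, SERVER)))
    print("separate WAEs, split flows:", len(split_flows(SEPARATE, CLIENTS, SERVER)))
```

With the shared farm the client address is the hash key in both directions, so the choice of WAE does not depend on which router sees the packet; with one WAE per router every asymmetrically routed flow is split.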
03-19-2011 12:38 PM
Thank you very much Tom. This is very helpful to me.
Gary