Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
6590
Views
0
Helpful
5
Comments

Deploy Cisco WAAS through a non Cisco Firewall

Sandeep Singh
Level 7
Level 7

‎01-09-2012 10:15 PM - edited ‎08-29-2017 04:51 AM

 

 

Introduction

The WAAS system consists of a set of devices called wide area application engines (WAEs) that work together to optimize TCP traffic over your network. WAAS Central Manager GUI is used to centrally configure and monitor the WAEs and application policies in your network. The Cisco WAAS uses redirect method and assignment method to move packets between router to waas and to load balance packets among WAAS respectively. If one WAE fails or experiences issues this reflects in overall system performance. Data replication applications are dependent on the IP network infrastructure for their performance.

 

Firewall Considerations

When deploying a Cisco WAAS where a non-Cisco firewall is logically between two WAEs, firewall can drop connections due to changes done by WAE to the packet. The firewall should be configured specifically to allow optimized traffic through it. WAAS devices transparently sets up new TCP connections to  peer WAEs, which can cause firewall traversal issues when a WAAS device tries to optimize the traffic. WAAS devices mark TCP packets with the option 0x21. This marking allows the WAAS devices to know if there is another WAAS device on the other end of the WAN connection. After acceleration is confirmed, WAAS devices will add 2 Million to the sequence numbers of accelerated traffic, to be able to differentiate between accelerated and non-accelerated traffic. Cisco firewalls can be configured to allow TCP options by using the "ip inspect waas" command (for IOS 12.4(11)T2 and later) or the "inspect waas" command (for FWSM 3.2(1) and later and PIX 7.2(3) and later).

 

WAAS Directed Mode

In WAAS directed mode, all TCP traffic that is sent to a peer WAE is encapsulated in UDP, which allows a firewall to either bypass the traffic or inspect the traffic (by adding a UDP inspection rule). Firewalls typically would scrub out TCP options, resulting in WAAS  devices not discovering each other in the first place. Firewalls might drop traffic as a result of a sequence number shift introduced by WAAS to discriminate between the accelerated and non accelerated traffic; this feature must be disabled in most cases. WAAS Directed Mode encapsulates optimized traffic over one UDP port. The firewall should be configured to allow traffic  flow on that single port. The port is configurable and it is set to UDP port 4050 by default. If a WAE at either end of a peer WAE connection specifies directed mode, and both WAEs support directed mode, then both WAEs use directed mode, even if one is not explicitly configured for directed mode. If a peer WAE does not support directed mode, then the peers pass through traffic unoptimized. WAE peer deiscovery or auto discovery is the first step and requires that the firewall passes the TCP option 0x21; only if both devices are able to do optimization, the traffic will pass over the UDP port.

 

Configuring Multiple IP Addresses on a Single Interface

 

You can configure up to four secondary IP addresses on a single interface. This configuration allows the device to be present in more than one subnet and can be used to optimize response time because it allows the data to go directly from the WAAS device to the client that is requesting the information without being redirected through a router. The WAAS device becomes visible to the client because both are configured on the same subnet.

 

Network Diagram

 

This document uses this network setup:

waasf.jpg

Configure Directed mode

To configure directed mode through the central manager, follow these steps:

 

a) Select MyWAN -> Manage Devices -> (select the WAE) -> Configure -> Network -> Directed Mode Settings

b) Check the "Enable Directed Mode" box.

c) Enter the custom UDP port number for accelerated traffic or keep the default port 4050.

d) click "Submit" to save the changes.

 

Directed Mode Considerations

 

a) On WAAS 4.1 and later if directed mode is configured on any of the peer devices all connections between the devices will be using directed mode.

b) If mixed versions exist such as WAAS 4.1 or later on a data centre and WAAS 4.0 on a remote branch site then all the connections between these WAEs will be in pass-through mode.

 

Related Information

Common WAAS/WCCP issues on interactions with Security Devices
Troubleshooting Cisco Wide Area Application Services: FAQ from Live Webcast

0 Helpful
Comments
tsarles
Level 1
Level 1
‎06-28-2017 09:50 AM

Cisco removed direct mode in v6.1.1. Curious if there is another way to handle this situation now.

Jawad Al Akrabawi
Cisco Employee
Cisco Employee
‎07-11-2017 01:16 AM

Directed Mode for Non-Cisco Firewall is no longer supported since version 6.1, and we do not explicitly support any third party firewall. Direct Mode/Tunneling will hider Layer4-7  and could break layers of IPS, QoS, application optimization and others.

WAAS relies on TCP options and also manipulates the TCP sequence number when performing auto discovery of peers.  This will break things with  third party firewall solutions.

Some few possible solutions:

- If you are not doing VPN on the firewall, you can install WAAS in front of the firewall facing the provider, however, 3rd party firewalls have always encountered challenges in redirecting traffic to WAAS and this might also raise some security concerns. If VPN is configured on the firewall, the WAAS or any other device in front of the firewall cannot deal with IPSEC encrypted traffic.

- Deploy an ISR in front of the firewall facing the ISP, Cisco routers can easily redirect traffic to WAAS and can provide you with solid IWAN/DMVPN solution that can scale over any classical firewall VPN solution.

- Use a Cisco Firewall (Firepower or ASA), as it can inspect and understand WAAS.

Marwan ALshawi
VIP Alumni
VIP Alumni
‎07-11-2017 01:16 AM

Agree with jalakrab  recommendations and the original post needs to be updated 

bcturner
Level 1
Level 1
‎09-29-2017 07:46 AM

We are currently facing this challenge.  Does anybody have experience in a deployment of WAAS through Palo Alto firewalls.  Directed Mode is working fine for us but like the post from 07-11-2017 states we are missing valuable netflow data and QoS.  Also, I see in the same post that DM is discontinued in version 6.1.  Looking for anybody who has done WAAS through PAN VPN with success.

bcturner
Level 1
Level 1
‎11-27-2017 11:47 AM

We figured out a way to turn off Directed Mode when running through Palo Alto firewalls.  On the PANs we were able to create a Zone Protection Profile and in the Packet Based Attack Protection tab / TCP drop tab / change the Assymetric Path field to "bypass".  Then apply this Zone Protection Profile to the zones where WAAS traffic passes.  This essentially allows for the WAAS sequence number jumps to pass through the PAN.  You would not want to turn on this PAN feature on external facing zones.  But since WAAS is running internally we were able to apply this only to the inside facing zones.  Hope this helps!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents