The WAAS system consists of a set of devices called wide area application engines (WAEs) that work together to optimize TCP traffic over your network. The WAEs examine the traffic and use built-in application policies to determine whether to optimize the traffic or allow it to pass through your network unoptimized. WAAS accelerates encrypted Secure Sockets Layer (SSL) and Transport Layer Security (TLS) traffic. The SSL accelerator provides traffic encryption and decryption within WAAS to enable end-to-end traffic optimization. The SSL accelerator also provides secure management of the encryption certificates and keys.
The device shows multiple certificate-related alarms, and the SSL service is reported as inactive. The device may also go offline, as shown below:
WAAS-WC#sh cms info
Device registration information :
Device Id = 3582
Device registered as = WAAS Application Engine
Current WAAS Central Manager = 192.168.1.14
Registered with WAAS Central Manager = 192.168.1.14
Status = Offline
Time of last config-sync = Tue Nov 01 20:19:24 2011
Nov 01 00:27:27.460 EDT, Processing Error Alarm, #000238, 26000:26003
SSL AO: peering service is inactive.
WAAS and SSL Certificates
When running in an SSL-protected session, the server and client can authenticate one another and negotiate an encryption algorithm and cryptographic keys before the application protocol transmits or receives its first byte of data. Client certificates provide an additional way to authenticate a client to a server using SSL. Cisco WAAS supports client authentication and can verify the client before allowing the SSL session with the server to proceed. Client certificate authentication is commonly deployed in highly secure environments, in which message-layer authentication mechanisms using user IDs and passwords, or tokens, are not considered sufficient from a security standpoint.
The situation shown above is caused by a problem with the device's crypto keys. A WAAS device normally has a self-signed certificate and a private key. This key is not exposed to the end user; it is generated when the device is configured for the very first time and is required under the global-settings section. Any problem with the key, such as the key being deleted or overwritten, causes a range of issues with SSL and with the device certificates. The "keystore" alarm relates to the SSL certificates, which may have expired. The "rtr unreachable" alarm means the WAAS device cannot see the router you have specified: go to the WCCP settings of the WAAS device and check that the correct router is configured and that the WAAS device and the router share the same secret.
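The console output above is the kind of evidence an operator needs to catch early, before the WAE drops out of Central Manager. The following Python script is an added example, not part of the original article or of any Cisco tool; it parses a constructed copy of the "sh cms info" output and the alarm lines shown above, and reports an Offline registration status and any SSL AO alarm so the check can run over collected console logs. The line formats assumed by the regular expressions are taken from the sample only.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the "sh cms info" output and the alarm lines as they
# appear on the WAE console above (values copied from the article).
SAMPLE_OUTPUT = """\
WAAS-WC#sh cms info
Device registration information :
Device Id = 3582
Device registered as = WAAS Application Engine
Current WAAS Central Manager = 192.168.1.14
Registered with WAAS Central Manager = 192.168.1.14
Status = Offline
Time of last config-sync = Tue Nov 01 20:19:24 2011
Nov 01 00:27:27.460 EDT, Processing Error Alarm, #000238, 26000:26003
SSL AO: peering service is inactive.
"""

# Alarm header: "<timestamp> <tz>, <kind>, #<number>, <code>"
ALARM_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3} \w+), "
    r"(?P<kind>[^,]+), #(?P<num>\d+), (?P<code>[\d:]+)$"
)
# Registration fields: "<key> = <value>"
KV_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<value>.+)$")


@dataclass
class Alarm:
    timestamp: str
    kind: str
    number: str
    code: str
    message: str = ""   # descriptive text on the line after the header


@dataclass
class CmsStatus:
    fields: dict = field(default_factory=dict)
    alarms: List[Alarm] = field(default_factory=list)


def parse_cms_info(text: str) -> CmsStatus:
    """Parse registration fields and alarm entries from captured console text."""
    status = CmsStatus()
    pending: Optional[Alarm] = None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip the prompt echo, the section title and blank lines.
        if not line or line.endswith("#sh cms info") or line.endswith(":"):
            continue
        m = ALARM_RE.match(line)
        if m:
            pending = Alarm(m["ts"], m["kind"], m["num"], m["code"])
            status.alarms.append(pending)
            continue
        kv = KV_RE.match(line)
        if kv and pending is None:
            status.fields[kv["key"].strip()] = kv["value"].strip()
            continue
        if pending is not None:
            # The alarm description follows its header on the next line.
            pending.message = line
            pending = None
    return status


def assess(status: CmsStatus) -> List[str]:
    """Return human-readable findings worth alerting on."""
    findings = []
    if status.fields.get("Status", "").lower() == "offline":
        cm = status.fields.get("Registered with WAAS Central Manager", "unknown")
        findings.append(f"WAE is Offline from Central Manager {cm}")
    for a in status.alarms:
        if a.message.startswith("SSL AO:"):
            findings.append(f"SSL AO alarm #{a.number} ({a.code}): {a.message}")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_cms_info(SAMPLE_OUTPUT)):
        print(finding)
```

Run on a saved console capture instead of the constructed sample to get the same two findings the article describes: the device being Offline and the "SSL AO: peering service is inactive" alarm.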
Follow the steps to resolve the issue:
1) Back up the running config of your WAE and verify the backup. Make sure you have the details of the WCCP router IP, static routes, etc. (if WCCP is used).
2) Disable WCCP either on the WAE or on the router; either way is fine.
(WAE command, in config mode: no wccp version 2. Router commands: no ip wccp 61 and no ip wccp 62)