08-31-2007 09:34 AM - edited 03-05-2019 06:13 PM
I am currently doing a demo with the WAE 612 running inline. The appliances are running the latest code (4.0.13.b.12). On the core side we have the WAE between our ASA 5510 running 8.0 and our 3825, and on the edge side we have a WAE between our 2811 router (12-4.15T) and switch. Both WAE's are running in-line. I have been working with the local Cisco engineers and we cannot determine why the traffic between the core and edge is not being optimized. The management WAE has access to both WAE's and all WAE's are online, but there is no optimization.
09-20-2007 08:01 PM
Ironically, I'm running demo at 4.0.13.b.12 and I'm not optimizing either. Did you ever get this fixed? If so, what was the cure?
09-21-2007 04:14 AM
What is the topology of your network at the site where your core-wae and wae manager is located? We are running the WAE-core in an in-line configuration behind the ASA. At the branch we are running as a test a WAE also inline between our 2811 router and switch. There are certain IOS versions that you must be running on the ASA and router to make this work along with some configs.
09-27-2007 11:50 PM
Hi,
From what you are telling me I don't exactly understand where you've positioned the WAE's but this is what the WAE's do to detect if the connection needs to be optimized:
They add a specific IP option to the IP packet traveling through the first WAE. The remote WAE should see this IP option and reply, adding the same option to the return traffic. At the same time the WAE's shift the TCP sequence numbers on the packets that traverse the WAE's on one side and de-shift them at the second WAE.
So unless the WAE's see the IP option and continue to see the correct sequence-number shift, the connection will not be optimized.
Keep in mind that ASA's and IOS firewalls might not understand the IP option and/or sequence number shift and may remove the option or drop the connection.
ASA 7.0 (I haven't checked 8) does not understand these options and seq-nr shifts. I don't know for IOS firewall, but the same might apply.
10-12-2007 11:03 AM
etamminga is mostly correct. And, I agree that the original post did not clearly identify the topology. I have a pair of WAE's running as legs off of routers (using WCCP), and traversing through ASA's with an IPsec tunnel between them.
Almost a year ago, we installed them. After opening a TAC case to address the non-optimization, ASA special code was created to properly execute the needed code - I am running version 7.2(2)12, but I don't know if any other later version includes the fix (even 8.0).
In case you or anyone else wants the info, the ASA config that is needed is in two parts:
1) Most people would want to do nonat (aka nat-zero), but that does not work. And, you need several specific options that are only on the static command AND use it both directions, on both firewalls. These options are:
nailed - Allows TCP sessions for asymmetrically routed traffic
norandomseq - Disables TCP ISN randomization protection
For one ASA, for the far end segments use
static (outside,inside) far-end far-end netmask x.x.x.x norandomseq nailed
And, repeat for every segment range/mask required.
For the local, you'll need to use an access-list and the static nat:
access-list stat-acl-name extended permit ip local-segment-1 local-seg-mask object-group FAR-END-SEGMENTS
static (inside,outside) local-segment-1 access-list stat-acl-name norandomseq nailed
And, repeat the pair for every local segment.
2) You need to allow 33 in the tcp-options. This is what the WAE's set so they recognize their streams. To do this requires several steps:
access-list TCP-Options-ACL extended permit tcp any object-group FAR-END-SEGMENTS
access-list TCP-Options-ACL extended permit tcp object-group FAR-END-SEGMENTS any
tcp-map WAAS-Options-map
tcp-options range 33 33 allow
class-map MATCH-TCP-Options-map
match access-list TCP-Options-ACL
policy-map global_policy
[perhaps other classes for default inspection]
class MATCH-TCP-Options-map
set connection advanced-options WAAS-Options-map
service-policy global_policy global
****
Hope this helps!
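A quick way to confirm whether TCP option 33 actually survives the path through the firewall is to capture a SYN on each side and parse its option list. The parser below is an added example (not from this thread or from Cisco); it assumes only the option kind number 33 from the post above, and the option payload bytes and ports in the constructed samples are invented.

```python
import struct

WAAS_TCP_OPTION_KIND = 33  # the kind allowed by "tcp-options range 33 33 allow"

def parse_tcp_options(segment: bytes):
    """Return a list of (kind, payload) tuples for the options in a raw TCP segment.

    The data offset field (header length in 32-bit words) says where the options
    end; kinds 0 (EOL) and 1 (NOP) are single bytes, every other kind carries a
    length byte that covers kind and length. Malformed lengths raise ValueError
    rather than silently skipping bytes.
    """
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts = segment[20:data_offset]
    parsed, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of option list
            break
        if kind == 1:          # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d missing length" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        parsed.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return parsed

def has_waas_option(segment: bytes) -> bool:
    """True if the WAAS auto-discovery option (kind 33) is present."""
    return any(kind == WAAS_TCP_OPTION_KIND for kind, _ in parse_tcp_options(segment))

def build_tcp_syn(options: bytes) -> bytes:
    """Build a minimal TCP SYN header around the given options (constructed sample)."""
    padded = options + b"\x00" * (-len(options) % 4)
    data_offset = 5 + len(padded) // 4
    header = struct.pack("!HHIIBBHHH", 12345, 445, 0x1000, 0, data_offset << 4, 0x02, 65535, 0, 0)
    return header + padded

# Constructed samples: a SYN as the first WAE would send it (MSS plus option 33 with
# a made-up payload) and the same SYN after a firewall has stripped option 33.
MSS_OPT = b"\x02\x04\x05\xb4"
WAAS_OPT = bytes([33, 8]) + b"\xde\xad\xbe\xef\x00\x01"   # payload bytes are invented
SYN_WITH_WAAS = build_tcp_syn(MSS_OPT + WAAS_OPT)
SYN_STRIPPED = build_tcp_syn(MSS_OPT)

if __name__ == "__main__":
    for name, seg in (("inside capture", SYN_WITH_WAAS), ("outside capture", SYN_STRIPPED)):
        print(name, "option 33 present:", has_waas_option(seg), parse_tcp_options(seg))
```

Feed it the raw TCP bytes of a SYN from a capture on each ASA interface; if option 33 is present inside but gone outside, the tcp-map above is not being applied to that flow.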