Messages - ahenning

16
Deployment / Re: Suggested deployment between two firewalled sites
« on: May 08, 2018, 04:27:27 PM »
Just checking, 300Mbps and 20ms? That would be a short fat pipe, unless the 20 should be 200+?

PBR sounds like the way to go, with some IP Track SLA type of config for redundancy.

Wanos has IPsec, but if you have the infrastructure already, go with what is working now and just add Wanos for Optimization.

17
Hi Philippe,

Thanks, techsup received. Log files don't report any problems, so we will need to look a little deeper to find the cause.

But firstly the test to send mirrored traffic to Wanos is not a valid test due to "noise" filters. Consider Wanos as a two port switch rather than a traditional bridge that would just pass everything through.

It is recommended to test with real traffic.

Also, please disable TCP-X and, if enabled, web caching, as these features require a routing table and Wanos would not know to send the traffic to the laptop.

18
Deployment / Re: WAN Optimization Solution
« on: March 28, 2018, 10:13:33 PM »
Yes, should work, bridge mode does exactly that.

19
Troubleshooting / Re: no tun0 interface
« on: February 18, 2018, 11:22:29 AM »
Thanks for the suggestion.

The reason tunnel id is not part of the SPI is because the SPI must match on both sides. Say for example a hub and spoke, the hub would have 5 tunnels, but the spoke would have 1. In order to make the suggestion work, which we considered initially, it would be required to teach the user to make the tunnel id match on both ends. We would like the learning curve to be as low as possible for the user.

The issue that it is possible to configure the SPI with chars and not digits is an oversight.

What are your end goals in testing IPSec?

20
Troubleshooting / Re: no tun0 interface
« on: February 15, 2018, 12:11:02 PM »
Ok, thank you very much for pointing this out. There is some JavaScript verification already, but it needs some extra checks to ensure 3 characters are digits.

21
Troubleshooting / Re: no tun0 interface
« on: February 10, 2018, 08:29:34 AM »
Ok, it looks like there is some check that should prevent switching from udp to ipsec when the pre-shared key is not configured. What is happening is there aren't any pre-shared keys configured, so the UI should not allow ipsec to be enabled, but because of the exact steps used, it managed to enable ipsec without the keys, hence the error that the SPI is invalid.

I think the following steps would be required:
1) switch to udp
2) delete all tunnel subnets
3) switch to udp-ipsec
4) add tunnels with a valid pre-shared key

We'll take a look at how it was possible to enable ipsec without valid pre-shared keys, as this should be prevented.

22
Troubleshooting / Re: no tun0 interface
« on: February 09, 2018, 09:04:33 PM »
Ok thank you very much for the useful info:

It appears to be an invalid SPI number in the IPSec configuration, which is part of the pre-shared key. Not sure how that is possible.

You can edit /etc/wanos/wanos.conf and change encapsulation to udp and it should be ok, then try to fix the IPsec rules.

Alternatively reset to defaults with:
/etc/wanos/clean.sh

23
Troubleshooting / Re: no tun0 interface
« on: February 09, 2018, 06:00:41 PM »
Any hostname changes?

The full output of: "sudo click /etc/wanos/wanos.click" would be useful in order to pinpoint the reason.

24
Troubleshooting / Re: HTTP and FTP Traffic not Optimized !
« on: January 28, 2018, 03:10:48 PM »
That's hard to believe considering SMB is optimized, but I guess there is a first time for everything.

Can you upload a small Wireshark trace of the FTP or HTTP test? Just do a very small test file like a few KB, I just want to see the TCP establishment.

25
Troubleshooting / Re: HTTPS can never be optimized?
« on: January 25, 2018, 08:19:54 AM »
Lew, kindly post the SSL FAQ links.

In a nutshell, all optimizations are possible for SSL, except stream compression and deduplication.

26
Troubleshooting / Re: HTTP and FTP Traffic not Optimized !
« on: January 25, 2018, 08:18:56 AM »
Hi Ali,

The one image has a PLR state of stateless, combined with the issues you are having, I am wondering if there is not maybe something else not 100% with your lab setup.

Are you still having the same conditions after setting the peer timeout higher?
Is it possible that there might be some asymmetrical routing in the setup?
Are you using bridge mode or tunnel mode?
How/What tool are you using to simulate the WAN conditions?

Note on the delay in reply, but considering that this is for educational research, support for this project gets appropriate priority

27
Troubleshooting / Re: HTTP and FTP Traffic not Optimized !
« on: January 23, 2018, 01:05:28 PM »
Please post your traffic policies. This would be expected with bypass rules targeting specific apps or IP addresses.

28
Troubleshooting / Re: Some time SMB not Optimized !
« on: January 22, 2018, 05:29:25 PM »
Hi,

Yes, please use Lew's suggestion. Increase it even more, to say 900 seconds, as this is a lab testing setup and it seems there is not enough traffic in the lab to keep the peers active. Once the peer timeout has been increased and all configuration on Wanos has been completed and no additional changes are expected, reboot the Microsoft workstation or server to force the TCP session to re-establish.

29
Troubleshooting / Re: Some time SMB not Optimized !
« on: January 22, 2018, 02:09:57 PM »
If after a config change, and depending on which config change, that would be the normal expected behavior. By default Wanos does not reset TCP sessions when making a config change. This can be enabled by enabling the TCP-X Accelerator.

SMB/CIFS sessions are cached and remain open for a long time, avoiding a TCP handshake. Due to this after a config change on Wanos, the CIFS/SMB TCP session needs to be reset either by Wanos with TCP-X or on the PC/Server.

30
General Discussion / Re: Testing WANOS - Single Appliance
« on: January 05, 2018, 04:18:13 PM »
Yes, it's fine, so it will look like this:

Server-A <---> Wanos-A <---> Firewall-A <---> IPSec <---> Firewall-B <---> Wanos-B <---> Workstation-B

If the Firewalls are doing strict filtering, please see the Firewall FAQ for ports and protocols that need to be opened.
