Recent Posts

Pages: 1 ... 3 4 [5] 6 7 ... 10
41
Deployment / Re: Suggested deployment between two firewalled sites
« Last post by ahenning on July 30, 2018, 08:30:32 PM »
Hi,

Yes, tunnel mode should work fine in that configuration as long as the redirect config is applied both sides.
Traceroute from both sides to the other should show the path going over Wanos, then all should be good to go.
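A small helper for the check ahenning suggests: parse the traceroute output taken from each side and confirm that the appliance hops appear, in order, before the remote host is reached. This is an added example, not code from the thread or from Wanos; the addresses (10.10.99.2 and 10.20.99.2 as the two Wanos hops, 10.20.0.10 as the remote host) are constructed for the illustration.

```python
import re

# Constructed traceroute output from the HQ side towards a BO host. The addresses
# are assumptions for this illustration, not values from the thread.
HQ_TO_BO_TRACE = """traceroute to 10.20.0.10 (10.20.0.10), 30 hops max, 60 byte packets
 1  fw-internal.hq.example (10.10.0.1)  0.412 ms  0.398 ms  0.380 ms
 2  10.10.99.2  0.655 ms  0.640 ms  0.622 ms
 3  * * *
 4  10.20.99.2  21.004 ms  20.990 ms  20.970 ms
 5  10.20.0.10  21.300 ms  21.280 ms  21.260 ms
"""

# Same destination, but the redirect is missing on the HQ side, so the path
# bypasses both appliances and the Wanos hops never show up.
HQ_TO_BO_BYPASS = """traceroute to 10.20.0.10 (10.20.0.10), 30 hops max, 60 byte packets
 1  10.10.0.1  0.412 ms  0.398 ms  0.380 ms
 2  * * *
 3  10.20.0.10  21.300 ms  21.280 ms  21.260 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")               # "<hop>  <rest of line>"
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")  # first dotted quad on the line


def parse_hops(text):
    """Return [(hop_no, address)] in order; a hop that only timed out yields '*'."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # skips the 'traceroute to ...' header and blank lines
        hop_no, rest = int(m.group(1)), m.group(2)
        ip = IPV4_RE.search(rest)  # works for both "host (ip)" and bare "ip" forms
        hops.append((hop_no, ip.group(1) if ip else "*"))
    return hops


def path_traverses(text, required_hops, destination):
    """True when every address in required_hops appears, in that order, before
    the destination is reached. A trace that never reaches the destination is
    treated as a failed check rather than a pass."""
    pending = list(required_hops)
    for _, addr in parse_hops(text):
        if pending and addr == pending[0]:
            pending.pop(0)
        if addr == destination:
            return not pending
    return False


def verify_both_directions(hq_trace, bo_trace, hq_wanos, bo_wanos, hq_host, bo_host):
    """Apply the check from each site: HQ->BO must cross HQ Wanos then BO Wanos,
    BO->HQ must cross BO Wanos then HQ Wanos."""
    return {
        "hq_to_bo": path_traverses(hq_trace, [hq_wanos, bo_wanos], bo_host),
        "bo_to_hq": path_traverses(bo_trace, [bo_wanos, hq_wanos], hq_host),
    }


if __name__ == "__main__":
    ok = path_traverses(HQ_TO_BO_TRACE, ["10.10.99.2", "10.20.99.2"], "10.20.0.10")
    print("HQ -> BO via both appliances:", ok)
    print("Bypass trace:", path_traverses(HQ_TO_BO_BYPASS, ["10.10.99.2", "10.20.99.2"], "10.20.0.10"))
```

Run the real traceroute on a host at each site, paste the output in place of the constructed samples, and a False result on either direction means the static route or PBR redirect on that side is not steering traffic through the appliance.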
42
Deployment / Re: Suggested deployment between two firewalled sites
« Last post by blazarov on July 30, 2018, 03:31:33 PM »
Hi Again,
Since disabling the RPF check and enabling asymmetric flows was not an acceptable solution, we have delayed the implementation.
Meanwhile another migration took place and now the infrastructure on both ends, I believe, allows for better integration with WanOS.

Please look at the attachment.

Currently the connection works as in the diagram, except for the WANOS appliances. On both sides there is a separate VPN router and there is a /24 transport network between the firewall and that VPN router. Currently there is a static routing between the VPN router and the firewall in that transport network.
I was thinking of deploying the WANOS in the transport network and forcing the traffic to traverse the appliance using static routes, probably with tracking for bypass in case of failure.
Will this work? Will all optimization features work that way?
Will the two WANOS correctly discover themselves?
Thanks in advance! Will appreciate your responses and suggestions!
43
Recommended action:
Set WAN Tx rate to link rate on both sides.
Clear datastores on both sides manually.
Check if this resolves the issue.

Re TCP-X:
Wanos is probably not able to find the routes it needs to reach the source/destination and additional static routes may be needed.
44
I'm in the process of evaluating Wanos. Initial tests look promising but I'm facing the problem mentioned in the title. The use case is:
svn repo synchronization over low performance OpenVPN Site-to-Site links.

Network-Architecture: SVN Server HQ -> Wanos HQ (Tunnel-mode) -> Firewall HQ -> OpenVPN Site 2 Site Link -> Firewall BO -> Wanos BO (Tunnel-mode) -> SVN Server BO

Setup works as expected (but only without tcp-x), peers are healthy, optimization ratios look promising and during "normal use" no issues came up.
But when I try to do the initial repo sync with long-term link saturation, the WebGUI times out after some time and data stops flowing / svnsync becomes unresponsive (resulting in a broken repo with tons of zombie locks). Most of the time it happens with the BO appliance, but sometimes also on the HQ end. Local login on the VMs is still possible and normal operation resumes after a reboot.

Log on operational HQ-VM:
[Thu May 17 11:17:30 2018] : Info : ph All data stores ready
[Thu May 17 11:17:35 2018] : Info : comp1 clearing force stateless.
[Thu May 17 11:25:10 2018] : Info : decomp1 reset decompressor stream
[Thu May 17 12:47:04 2018] : Error : stacker_tx_peer1 attempting to send empty stacker packet.
[Thu May 17 13:13:13 2018] : Warn : rsp_peer1 maximum retransmits reached, changing mode to server. HQ-IP -> BO-IP

Log on failing BO-VM:
[Thu May 17 11:17:13 2018] : Info : comp1 clearing force stateless.
[Thu May 17 11:17:33 2018] : Info : rsp_peer1 connection reset
[Thu May 17 11:17:33 2018] : Info : comp1 hard setting force
[Thu May 17 11:17:35 2018] : Info : comp1 clearing force stateless.
[Thu May 17 11:25:17 2018] : Info : decomp1 reset decompressor stream
Can't return outside a subroutine at /tce/etc/wanos/wanos-show line 32.
Can't return outside a subroutine at /tce/etc/wanos/wanos-show line 32.
[Thu May 17 13:17:19 2018] : Info : Stopping Wanos Servic

Software Version (both ends): 4.2.1 Plus 2/20 (Trial license)

Please advise / let me know if more info is required.
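When comparing the two appliance logs it helps to separate the Wanos event lines (timestamp, level, component, message) from the stray Perl runtime errors that the wanos-show CLI tool printed into the same output, and to pull out the Warn/Error events and the peer-session (rsp_peer) state changes. This is an added example, not Wanos code; the log lines embedded below are the ones quoted in the post above, and the first word of the message being the component name is an assumption based on those lines.

```python
import re
from collections import Counter
from datetime import datetime

# The lines quoted in the post above (HQ log first, then the BO log), embedded
# so the parser runs offline. "HQ-IP" / "BO-IP" are the poster's placeholders.
SAMPLE_LOG = """[Thu May 17 11:17:30 2018] : Info : ph All data stores ready
[Thu May 17 11:17:35 2018] : Info : comp1 clearing force stateless.
[Thu May 17 11:25:10 2018] : Info : decomp1 reset decompressor stream
[Thu May 17 12:47:04 2018] : Error : stacker_tx_peer1 attempting to send empty stacker packet.
[Thu May 17 13:13:13 2018] : Warn : rsp_peer1 maximum retransmits reached, changing mode to server. HQ-IP -> BO-IP
[Thu May 17 11:17:13 2018] : Info : comp1 clearing force stateless.
[Thu May 17 11:17:33 2018] : Info : rsp_peer1 connection reset
[Thu May 17 11:17:33 2018] : Info : comp1 hard setting force
[Thu May 17 11:17:35 2018] : Info : comp1 clearing force stateless.
[Thu May 17 11:25:17 2018] : Info : decomp1 reset decompressor stream
Can't return outside a subroutine at /tce/etc/wanos/wanos-show line 32.
Can't return outside a subroutine at /tce/etc/wanos/wanos-show line 32.
[Thu May 17 13:17:19 2018] : Info : Stopping Wanos Servic
"""

# "[<ctime timestamp>] : <Level> : <component> <message>"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s*:\s*(?P<level>\w+)\s*:\s*(?P<comp>\S+)\s*(?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict for a Wanos event line, or None for anything else
    (e.g. the Perl 'Can't return outside a subroutine' lines)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return {
        "ts": ts,
        "level": m.group("level"),
        "component": m.group("comp"),  # assumption: first word names the subsystem
        "message": m.group("msg"),
    }


def summarize(text):
    """Split a log into parsed events and unparsed lines, count levels, and
    collect the Warn/Error events and peer-session events for review."""
    events, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            unparsed.append(line)
        else:
            events.append(event)
    return {
        "events": events,
        "unparsed": unparsed,
        "counts": Counter(e["level"] for e in events),
        "alerts": [e for e in events if e["level"] in ("Warn", "Error")],
        "peer": [e for e in events if e["component"].startswith("rsp_peer")],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("levels:", dict(s["counts"]))
    for e in s["alerts"]:
        print(f"ALERT {e['ts']:%H:%M:%S} {e['level']:5} {e['component']}: {e['message']}")
    for e in s["peer"]:
        print(f"PEER  {e['ts']:%H:%M:%S} {e['component']}: {e['message']}")
    print("unparsed lines:", len(s["unparsed"]))
```

On the quoted logs this isolates the two events worth raising with support (the empty stacker packet error and the retransmit-limit mode change on rsp_peer1) and the peer "connection reset" that precedes them, while the two Perl errors are reported separately as CLI noise rather than appliance events.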
45
Deployment / Re: Suggested deployment between two firewalled sites
« Last post by ahenning on May 09, 2018, 01:14:07 PM »
Outbound/Transmit optimization, after optimization/compression, excluding pass-through = 10Mbps (Typically the links speed TX rate)
Outbound/Inbound pass-through, QoS, Path-Selection, TCP acceleration = 100Mbps
46
Deployment / Re: Suggested deployment between two firewalled sites
« Last post by blazarov on May 09, 2018, 12:10:04 PM »
Yep, RPF was exactly what I was worried about. I know how to do it (Palo Alto on the left side, Fortigate on the right side), but for now I really don't want to disable RPF.

Also, stateful firewalls (esp. NGFW) usually track ingress and egress interfaces for each session and set them during initial session establishment. This deployment approach, I believe, will mess up that logic too.

One extra question on licensing:
Customer bought "Plus 10/100" license. What will this license give us in terms of maximum bandwidth and how does it measure it - before or after optimization?
47
Deployment / Re: Suggested deployment between two firewalled sites
« Last post by ahenning on May 09, 2018, 12:04:02 PM »
One thing to check with this design is whether the FW will allow the subnets from the remote site to be the source IP when Wanos sends the traffic back to the FW once it gets off the tunnel. What happens is the FW sees the remote site subnets' source IP coming from the Wanos/DMZ/Additional LAN section, when the routing table says the traffic should come from the External interface. What we sometimes need to do is disable Reverse Path Check or Asymmetric routing checks on the FW interface going to Wanos.

More info available at: http://kb.fortinet.com/kb/documentLink.do?externalID=FD30543
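To make the reverse-path problem ahenning describes concrete, here is a small model of a strict versus loose reverse-path check run against a firewall routing table with the three interfaces from this design (Internal, External, and the additional Wanos interface). It is an added example, not vendor code, and the prefixes and interface names are constructed: a remote-site source address that the routing table says belongs behind External, arriving instead on the Wanos interface, fails strict RPF but passes loose RPF, and an exemption on only the Wanos-facing interface is the narrowest change that lets it through.

```python
import ipaddress

# Constructed HQ firewall routing table: (prefix, egress interface).
ROUTES = [
    ("10.10.0.0/16", "internal"),   # local LAN subnets
    ("10.20.0.0/16", "external"),   # remote site subnets, reached over the VPN
    ("10.10.99.0/24", "wanos"),     # transit subnet to the Wanos appliance
    ("0.0.0.0/0", "external"),      # default route
]


def best_route(table, ip):
    """Longest-prefix match: return the interface the FW would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_allows(table, src_ip, ingress_iface, mode="strict", exempt=frozenset()):
    """Decide whether a packet with source src_ip arriving on ingress_iface passes
    the reverse-path check.

    strict: the route back to the source must point at the ingress interface.
    loose:  any route back to the source suffices (a default route counts).
    exempt: interfaces on which the check is switched off entirely.
    """
    if ingress_iface in exempt:
        return True
    reverse_iface = best_route(table, src_ip)
    if mode == "strict":
        return reverse_iface == ingress_iface
    if mode == "loose":
        return reverse_iface is not None
    raise ValueError(f"unknown RPF mode: {mode}")


def explain(table, src_ip, ingress_iface, **kw):
    """One-line verdict with the reason, for reading through the scenarios."""
    verdict = "allow" if rpf_allows(table, src_ip, ingress_iface, **kw) else "DROP"
    return (f"{verdict}: src {src_ip} on {ingress_iface}, reverse route via "
            f"{best_route(table, src_ip)} ({kw.get('mode', 'strict')}"
            f"{', exempt=' + ','.join(sorted(kw['exempt'])) if kw.get('exempt') else ''})")


if __name__ == "__main__":
    remote_src = "10.20.5.7"  # a host at the remote site, constructed
    # Traffic straight off the VPN: arrives on External, matches the route, fine.
    print(explain(ROUTES, remote_src, "external"))
    # Same traffic after Wanos hands it back: arrives on the Wanos interface.
    print(explain(ROUTES, remote_src, "wanos"))
    print(explain(ROUTES, remote_src, "wanos", mode="loose"))
    print(explain(ROUTES, remote_src, "wanos", exempt={"wanos"}))
    # A spoofed local-LAN source showing up on External is still caught in strict mode.
    print(explain(ROUTES, "10.10.3.3", "external"))
```

Two points the model makes visible: loose mode is effectively no check at all once a default route exists, so a per-interface exemption on the Wanos-facing interface keeps strict checking everywhere else; and in either case the appliance interface becomes a path where source addresses are no longer validated, which is the risk the vendor KB entry linked above asks you to accept knowingly.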
48
Deployment / Re: Suggested deployment between two firewalled sites
« Last post by blazarov on May 09, 2018, 10:59:05 AM »
Thanks for the suggestion, I imagined a similar approach as well. That would probably work, however I should verify that it will not break the stateful firewall session mapping in terms of ingress/egress interface for each session.
I just hoped I could get by with something with less overall impact, so I can first test it and introduce it in a phased approach.
IPSec directly on the WANOS suits the overall architecture design better, but since it's purely software on a VM I have no idea whether it will perform well enough in terms of throughput.
Max speed per TCP session varies a lot depending mostly on the end-host OSes. Usually, the worst case is newer (2016) Windows server versions where I believe their intelligent TCP stack features are intervening. With careful TCP tuning on the end-hosts, even on Windows Server 2016 I am able to achieve the desired speed even in a single session, but there are too many hosts on both sides, not all of them under my control, so OS tuning is not a solution.
All the Linuxes usually perform excellently too.
49
Troubleshooting / Re: WanOS bridge on oVirt (KVM) pass only icmp
« Last post by ahenning on May 09, 2018, 09:57:50 AM »
Hi Robert,

If it was a case where the ICMP, UDP and HTTPS passed, but other TCP e.g. HTTP and FTP not, then traffic policies etc could be looked at. I think the problem is lower down on the KVM virtual Interface/VLAN config level.

Can you dedicate a separate physical interface for lan0 and wan0? If not, perhaps test with tunnel mode.

Feel free to send the support query to support at wanos
50
Deployment / Re: Suggested deployment between two firewalled sites
« Last post by ahenning on May 09, 2018, 09:48:06 AM »
It depends on the firewall capability. In similar scenarios we use an additional Interface on the firewall where Wanos connects to and the FW PBR is set to redirect traffic from the local subnets (Internal Interface) to the Wanos interface. Wanos has the firewall as default gateway, so traffic flow looks as follows:

LAN Subnets -> (Internal)-FW  -> Wanos -> FW-(external) -> VPN

What is the max speed per TCP session that you get over the 20ms?