Author Topic: Re: Router Mode troubleshooting  (Read 5526 times)

linuspoon

  • Member
  • ***
  • Posts: 2
    • View Profile
Re: Router Mode troubleshooting
« on: August 21, 2015, 04:01:35 AM »
Hi,

I am having problems configuring for my 2 sites (Office and DR site).  I am using the router mode and have set the VIRT_LAN0 address for both the WANOS appliance.  Both the wan and lan IP addresses are now pingable at the Office and DR network. 

DR WANOS
wan0 IP : 10.138.140.251
virt_lan0 IP : 10.138.140.250

Office WANOS
wan0 IP : 10.138.227.242
virt_lan0 IP : 10.138.227.243

DR network
10.138.140.x/24
Router
10.138.140.254 (LAN gateway)
10.138.255.2 (WAN p2p IP)

Office network
10.138.56.x/21
Core Router
10.138.63.254 (LAN gateway)
10.138.227.254 (VLAN to connect to DR gateway)
Office to DR Router
10.138.227.250
10.138.255.1 (WAN p2p)

As a test, I have created PBR to route traffic from a specific Office network IP address (10.138.63.198) and also any traffic from the Office WANOS IP to the DR WANOS and set up one server (10.138.140.12) in DR network to point its NIC card gateway to the virt_lan0 IP of DR WANOS.

access-list 110 permit ip host 10.138.63.198 host 10.138.140.12
access-list 110 permit ip host 10.138.227.242 any
route-map WANOS permit 10
 match ip address 110
 set ip next-hop 10.138.140.251

I checked the debug log on the DR router and confirmed that traffic are routed to the DR WANOS.

Aug 21 02:28:09.118: IP: s=10.138.140.12 (FastEthernet0/1), d=10.138.63.198, len 60, FIB policy match
Aug 21 02:28:09.118: IP: s=10.138.140.12 (FastEthernet0/1), d=10.138.63.198, g=10.138.227.242, len 60, FIB policy routed

Over at the office network, I created a static route on the core router so that all traffic to 10.138.140.12 are routed to the office WANOS virt_lan0 IP.
ip route 10.138.140.12 255.255.255.255 10.138.227.243 name WANOS

At the Office to DR router, I used PBR to route all traffic coming from 10.138.140.12 and from the DR WANOS IP to the Office WANOS wan0 IP.

access-list 110 permit ip host 10.138.140.12 host 10.138.63.198
access-list 110 permit ip host 10.138.140.251 any
route-map WANOS permit 10
 match ip address 110
 set ip next-hop 10.138.227.242

From the debug log, the traffic is routed correctly.
Aug 21 2015 02:32:03 UTC: IP: s=10.138.63.198 (FastEthernet0/0), d=10.138.140.12, len 60, FIB policy match
Aug 21 2015 02:32:03 UTC: IP: s=10.138.63.198 (FastEthernet0/0), d=10.138.140.12, g=10.138.140.251, len 60, FIB policy routed

Over at the WANOS web interface, when I looked at the peer status, it always shows Local Status as Ready but Peer status as Down.  I had left the configuration of both the WANOS as default without creating anything inside Multisite page and the Traffic Policy page.

So, I set up the following config at the multisite page.

DR WANOS
Rule  Remote Site Subnet    Site Number    Peer IP
1      10.138.227.0/24           1                  10.138.227.242
2      10.138.56.0/21           1                  10.138.227.242
100   0.0.0.0/0                   0                  Auto                   Default

Office WANOS
Rule  Remote Site Subnet    Site Number    Peer IP
1       10.138.140.0/24           1                  10.138.140.251
100    0.0.0.0/0                   0                  Auto                   Default

And the following in the Traffic Policy page.

DR WANOS
#   Source           Destination    Port            DSCP   Class     QoS        Rate   Bypass   
        0.0.0.0/0           0.0.0.0/0           Interactive    -           17     high     -   ✔
        0.0.0.0/0           0.0.0.0/0           Encrypted    -           0     -        -   ✔
1      10.138.140.0/24   10.138.56.0/21   tcp         -         1        -         -   
2      10.138.140.0/24   10.138.56.0/21   udp         -         1        -         -   
98    0.0.0.0/0        0.0.0.0/0       tcp         -         1        -         -   ✔
99    0.0.0.0/0        0.0.0.0/0       udp         -         1        -         -   ✔
100  0.0.0.0/0        0.0.0.0/0       tcp            -           0     -           -   


Office WANOS
#   Source           Destination    Port            DSCP   Class     QoS        Rate   Bypass   
        0.0.0.0/0           0.0.0.0/0           Interactive    -           17     high     -   ✔
        0.0.0.0/0           0.0.0.0/0           Encrypted    -           0     -        -   ✔
1      10.138.56.0/21   10.138.140.0/24   tcp         -         1        -         -   
2      10.138.56.0/21   10.138.140.0/24   udp         -         1        -         -   
98    0.0.0.0/0        10.138.140.0/24   tcp         -         1        -         -   ✔
99    0.0.0.0/0        10.138.140.0/24   udp         -         1        -         -   ✔
100  0.0.0.0/0        0.0.0.0/0       tcp            -           0     -           -   

With the above configuration, the peer status is still down.

Can you advise what I can do to get the peer status to up?

Linus

ahenning

  • Team Wanos
  • Administrator
  • Full Member
  • *****
  • Posts: 629
    • View Profile
Re: Re: Router Mode troubleshooting
« Reply #1 on: August 21, 2015, 04:16:12 AM »
Peers are detected by TCP Option 76. Sometimes they are stripped off by firewalls. Please test with UDP encapsulation enabled on both ends.

This is ususally confirmed with something like:
sudo tcpdump -i wan0 src host 10.138.140.12 | grep mss



Other than UDP encapsulation (due to the possibility of stripped options), other default settings should be sufficient to get optimization going.

I would recommend disabling the UDP traffic policies rule #2.
CCIE RS, CCIE SP, Mnet&sys

Note: Forum posts may be outdated. Please see the latest documentation at wanos.co/docs

linuspoon

  • Member
  • ***
  • Posts: 2
    • View Profile
Re: Router Mode troubleshooting
« Reply #2 on: August 21, 2015, 07:47:18 AM »
Hi,

There is no firewall between the 2 sites as its a local loop.  In any case, I tested to change the encryption to udp and also remove off the udp traffic policies but still the peer status does not come up.  When I issue the tcpdump command on the wanos, nothing is shown on the console but when I do a CTRL-C, it does shows some small number of packets captured.  I am really out of ideas why this setup does not work.

Linus

ahenning

  • Team Wanos
  • Administrator
  • Full Member
  • *****
  • Posts: 629
    • View Profile
Re: Router Mode troubleshooting
« Reply #3 on: August 21, 2015, 11:04:07 AM »
Hi Linus,

Ok, if there are not firewalls or other form of proxy in the path then UDP encap can be disabled. Sometimes it is a quick fix, but it seems there is something else here.

I would use tcpdump to check each wan0 whether traffic is received and sent from the target systems e.g.
sudo tcpdump -i wan0 host 10.138.140.12


Just to state the obvious, there needs to be traffic between the hosts to capture with tcpdump and keep the peers online. The debug log would show "Peer Alive" messages if the did come online at some stage. The peer timeout can be increased since there are only two hosts.

Once it is confirmed that traffic is flowing in both directions on both ends, then either wanop is going to work, or it will show that the TCP Options are not in the SYN (mss) packet.

Hope it helps.
« Last Edit: August 21, 2015, 11:10:20 AM by ahenning »
CCIE RS, CCIE SP, Mnet&sys

Note: Forum posts may be outdated. Please see the latest documentation at wanos.co/docs

ahenning

  • Team Wanos
  • Administrator
  • Full Member
  • *****
  • Posts: 629
    • View Profile
Re: Router Mode troubleshooting
« Reply #4 on: August 21, 2015, 02:28:35 PM »
when doing a ping between the two hosts, tcpdump should produce the following output on wan0:
sudo tcpdump -i wan0 host x.x.x.x



In other words, both the icmp echo and echo replies are seen in the output. The most common problem with router mode is that only echo or only replies are seen on either side.
CCIE RS, CCIE SP, Mnet&sys

Note: Forum posts may be outdated. Please see the latest documentation at wanos.co/docs