MultiSite configuraton error

[windy]

my wanos layout
LAN1---WANOS1----ASAFW1-----VPN---------ASAFW2---WANOS2----LAN2
my two wanos sites peer status are down,please help me check it

[ahenning]

Ok, because there is only one remote site, MultiSite is not strictly required. It would be required if there were at least three sites in total.

Looking at the MultiSite config, the following policies are most likely needed:

At the other site add the equivalent policies for the other subnets.

My recommendation would be to:
1) Enable the default bypass policy rule #99 to start with
2) Find out what is causing the lan0 errors on the one site.
3) Make sure wan0 and lan0 are cabled the right way around.
4) Start adding the rules e.g. #91 and check that the peers come online.

[windy]

Thank you,
I have set up according to your 1) 3) 4) ,but peer status always down.
next week I will check lan0 cable or other

[ahenning]

If all is correctly setup then it could be that the firewall is stripping TCP Option 76.

Some more info here:
UPDATED: Peer Down
UPDATED: Firewalls

[windy]

In accordance with your operator, Peer Status is up, but PLR status is off
how about for this

[ahenning]

That is normal. It is recommended to configure PLR only after optimization has been running for a couple of days and it has been determined that optimization is working as expected. PLR is still in beta.

[windy]

I found another problem,
my site2 asa version:8.21 (asa5505)
subnet:192.168.7.x 192.168.8.x   192.168.9.x

Site1 asa version: 8.21 (asa5520)
subnet:192.168.38.x 192.168.86.x   192.168.70.x

when i add below commons in two asa, peer status is up
access-list TCP_Option_76 extended permit tcp any any log
tcp-map TCP_Option_76_Tmap
  tcp-options range 76 76 allow
class-map TCP_Option_76_Cmap
   match access-list TCP_Option_76
policy-map global_policy
  class TCP_Option_76_Cmap
     set connection advanced-options TCP_Option_76_Tmap

All Clients of Site2 can't access site1 's sql, web Servers of all,but ping is ok,but they can access website of outside

must "no service-policy global_policy global" in site1 asa and reload asa5505 , it can reback normal

[ahenning]

Hi Windy,

I am not sure what went wrong with the ASA policy, but perhaps remove them and test with UDP encapsulation on both ends.

[windy]

my network layout
lan1---wanos1-----asa5520 ------site to site vpn-------asa5505----wanos2----lan2
site1 asa rules(inside): all subnet full access site2 subnets
site2 rule the same as site1

And can you tell me how to set with UDP encapsulation on both ends.

like setting below （wanos）
#  Source  Destination  Port  DSCP  Class  QoS  Rate  Bypass   
98 0.0.0.0/0 0.0.0.0/0 udp  - 1 - - ✔ Remove this rule Edit this rule 

OR
System Settings--Optimization Settings --Encapsulation --select udp （default is ipcomp ）

[ahenning]

Hi, I mean the udp encapsulation in the system settings. When the encapsulation is set to UDP then the TCP Options change on the firewall is not required.

So yes, the second option on both ends:

System Settings--Optimization Settings --Encapsulation --select udp （default is ipcomp ）

[windy]

thank you ，I will try then tell you result

[windy]

Now ， Peer Status is up
thank you very much

[ahenning]

Pleasure,

Now if that SQL issue is back then it is most likely traffic that needs to be bypassed that is not yet bypassed. For example traffic that flows through the one appliance on the one side, but this traffic does not flow through the wanop device at the other site. In this case the compressed traffic flows directly to the server because it missed the decompressing device. Hopefully this is not the case, but just in case.