Topic: MultiSite configuration error

windy

MultiSite configuration error
« on: June 12, 2015, 05:23:11 AM »
My Wanos layout:
LAN1---WANOS1----ASAFW1-----VPN---------ASAFW2---WANOS2----LAN2
My two Wanos sites' peer status is down. Please help me check it.


ahenning

Re: MultiSite configuration error
« Reply #1 on: June 12, 2015, 08:07:24 AM »
Ok, because there is only one remote site, MultiSite is not strictly required. It would be required if there were at least three sites in total.

Looking at the MultiSite config, the following policies are most likely needed:

At the other site add the equivalent policies for the other subnets.

My recommendation would be to:
1) Enable the default bypass policy rule #99 to start with
2) Find out what is causing the lan0 errors on the one site.
3) Make sure wan0 and lan0 are cabled the right way around.
4) Start adding the rules e.g. #91 and check that the peers come online.
CCIE RS, CCIE SP, Mnet&sys

Note: Forum posts may be outdated. Please see the latest documentation at wanos.co/docs

windy

Re: MultiSite configuration error
« Reply #2 on: June 12, 2015, 03:11:35 PM »
Thank you,
I have set up according to your 1), 3) and 4), but peer status is always down.
Next week I will check the lan0 cable or other things.

ahenning

Re: MultiSite configuration error
« Reply #3 on: June 15, 2015, 08:48:21 AM »
If all is correctly set up then it could be that the firewall is stripping TCP Option 76.

Some more info here:
UPDATED: Peer Down
UPDATED: Firewalls
« Last Edit: September 26, 2016, 01:57:37 PM by lmolina »
CCIE RS, CCIE SP, Mnet&sys
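An added example (not from this thread or from Wanos) of how a defender can verify the "firewall strips TCP Option 76" hypothesis from packet captures: it parses the option list of a SYN header taken on the LAN side and on the WAN side of the firewall and reports whether option kind 76 survived. The two headers, ports and the option's payload bytes are constructed sample values.

```python
# Added example: detect a TCP option being stripped in transit by comparing
# the option list of the same SYN captured on both sides of a firewall.
import struct

def parse_tcp_options(tcp_header: bytes) -> dict:
    """Return {kind: payload_bytes} for every option in a raw TCP header."""
    data_offset = (tcp_header[12] >> 4) * 4          # header length in bytes
    opts = tcp_header[20:data_offset]
    found = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                  # EOL: end of options
            break
        if kind == 1:                                  # NOP: one-byte padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        found[kind] = opts[i + 2:i + length]
        i += length
    return found

def build_syn_header(options: bytes) -> bytes:
    """Constructed SYN header (ports/seq are sample values) carrying `options`."""
    padded = options + b"\x00" * (-len(options) % 4)   # pad to 32-bit boundary
    data_offset = (20 + len(padded)) // 4
    fixed = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                        data_offset << 4, 0x02, 65535, 0, 0)  # flags: SYN
    return fixed + padded

def option_stripped(before: bytes, after: bytes, kind: int = 76) -> bool:
    """True if option `kind` is present before the firewall but absent after it."""
    return kind in parse_tcp_options(before) and kind not in parse_tcp_options(after)

# Constructed samples: MSS (kind 2, 1460) plus option 76 with 4 sample bytes.
OPTS_WITH_76 = b"\x02\x04\x05\xb4" + b"\x4c\x06\xde\xad\xbe\xef"
OPTS_WITHOUT_76 = b"\x02\x04\x05\xb4"
LAN_SIDE_SYN = build_syn_header(OPTS_WITH_76)     # as sent by the appliance
WAN_SIDE_SYN = build_syn_header(OPTS_WITHOUT_76)  # as seen past the firewall

if __name__ == "__main__":
    print("option 76 stripped:", option_stripped(LAN_SIDE_SYN, WAN_SIDE_SYN))
```

With real captures, feed the 20+ byte TCP header slice from each pcap into option_stripped instead of the constructed headers.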

windy

Re: MultiSite configuration error
« Reply #4 on: June 16, 2015, 07:33:53 AM »
Following your instructions, Peer Status is up, but PLR status is off.
What about this?

ahenning

Re: MultiSite configuration error
« Reply #5 on: June 16, 2015, 09:05:56 AM »
That is normal. It is recommended to configure PLR only after optimization has been running for a couple of days and it has been determined that optimization is working as expected. PLR is still in beta.
CCIE RS, CCIE SP, Mnet&sys

windy

Re: MultiSite configuration error
« Reply #6 on: June 16, 2015, 09:26:41 AM »
I found another problem.
My Site2 ASA version: 8.21 (ASA5505)
Subnets: 192.168.7.x, 192.168.8.x, 192.168.9.x

Site1 ASA version: 8.21 (ASA5520)
Subnets: 192.168.38.x, 192.168.86.x, 192.168.70.x

When I add the commands below on the two ASAs, peer status is up:
access-list TCP_Option_76 extended permit tcp any any log
tcp-map TCP_Option_76_Tmap
  tcp-options range 76 76 allow
class-map TCP_Option_76_Cmap
   match access-list TCP_Option_76
policy-map global_policy
  class TCP_Option_76_Cmap
     set connection advanced-options TCP_Option_76_Tmap

All clients of Site2 can't access Site1's SQL and web servers at all, but ping is OK, and they can access outside websites.

I must run "no service-policy global_policy global" on the Site1 ASA and reload the ASA5505; then it can return to normal.
« Last Edit: June 16, 2015, 11:03:22 AM by windy »

ahenning

Re: MultiSite configuration error
« Reply #7 on: June 16, 2015, 11:32:20 PM »
Hi Windy,

I am not sure what went wrong with the ASA policy, but perhaps remove them and test with UDP encapsulation on both ends.
CCIE RS, CCIE SP, Mnet&sys

windy

Re: MultiSite configuration error
« Reply #8 on: June 17, 2015, 01:12:56 AM »
My network layout:
lan1---wanos1-----asa5520 ------site to site vpn-------asa5505----wanos2----lan2
Site1 ASA rules (inside): all subnets have full access to Site2 subnets.
Site2 rules are the same as Site1.

And can you tell me how to set UDP encapsulation on both ends?

Like the setting below (Wanos):
#  Source     Destination  Port  DSCP  Class  QoS  Rate  Bypass
98 0.0.0.0/0  0.0.0.0/0    udp   -     1      -    -     ✔

OR
System Settings--Optimization Settings --Encapsulation --select udp (default is ipcomp )

« Last Edit: June 17, 2015, 01:53:30 AM by windy »

ahenning

Re: MultiSite configuration error
« Reply #9 on: June 17, 2015, 01:51:48 AM »
Hi, I mean the udp encapsulation in the system settings. When the encapsulation is set to UDP then the TCP Options change on the firewall is not required.

So yes, the second option on both ends:
"System Settings--Optimization Settings --Encapsulation --select udp (default is ipcomp )"
CCIE RS, CCIE SP, Mnet&sys

windy

Re: MultiSite configuration error
« Reply #10 on: June 17, 2015, 01:54:44 AM »
Thank you, I will try it and then tell you the result.

windy

Re: MultiSite configuration error
« Reply #11 on: June 17, 2015, 02:00:58 AM »
Now Peer Status is up.
Thank you very much.

ahenning

Re: MultiSite configuration error
« Reply #12 on: June 17, 2015, 02:14:05 AM »
Pleasure,

Now if that SQL issue is back, then it is most likely traffic that needs to be bypassed that is not yet bypassed. For example, traffic that flows through the appliance on one side but does not flow through the WAN-op device at the other site. In this case the compressed traffic flows directly to the server because it missed the decompressing device. Hopefully this is not the case, but just in case.
CCIE RS, CCIE SP, Mnet&sys