Document migrated. An updated Firewall Troubleshooting Guide can be found in the Wanos Documentation site
Wanos with Firewall
Normally there are no issues with Firewalls on the LAN side of the Wanos device, except if the Firewall encrypts or encapsulates the traffic, e.g. an IPsec or GRE tunnel.
Things to know about Firewalls:
- When the Firewalls are doing encryption like an IPsec VPN, then the Wanos device needs to be on the user LAN side to optimize the traffic before it's encrypted. In other words, when the Firewall is between the Wanos appliance and the user LAN, this is fine as long as the Firewall is not encrypting or encapsulating traffic.
- When the Firewall is on the WAN side and the filter rules are very strict, some configuration may be required to allow the Wanos optimized traffic through. This is normally TCP Option 76 and IPCOMP (IP Proto 108).
- When the Firewall is on the WAN side and NATting traffic, UDP Encapsulation on the Wanos devices may be required.
Wanos as a WAN accelerator is deployed in WAN environments where typically a Firewall might also be found.
In this case the topology would be similar to:
Site 1 Switch | Wanos 1 | ASA/PIX Firewall 1 | WAN | ASA/PIX Firewall 2 | Wanos 2 | Site 2 Switch
Wanos uses the TCP option 76 only in SYN and SYN-ACK packets of each TCP connection. This is used for autodiscovery.
Since the Cisco ASA/PIX is a firewall after all, the device might require a specific configuration to permit TCP option 76 for Wanos auto discovery to be operational. This is only needed if the firewall is in the path between Wanos devices.
The following sample configuration can be used on Cisco ASA/PIX version 7.0 or above:
access-list TCP_Option_76 extended permit tcp any any log
tcp-map TCP_Option_76_Tmap
  tcp-options range 76 76 allow
class-map TCP_Option_76_Cmap
  match access-list TCP_Option_76
policy-map global_policy
  class TCP_Option_76_Cmap
    set connection advanced-options TCP_Option_76_Tmap
Please post a sample config in the forums if you use a different firewall and had to configure a similar policy.
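To confirm that a firewall in the path is actually passing TCP option 76, it helps to inspect a SYN or SYN-ACK captured on the WAN side. The following parser is an added example, not Wanos or Cisco code: it decodes the options of a raw TCP segment and reports whether a handshake packet still carries option kind 76. The sample segments are constructed, and the option-76 payload bytes are a placeholder, since this page does not document the option's contents.

```python
import struct

WANOS_OPTION_KIND = 76   # TCP option kind used by Wanos auto-discovery
SYN = 0x02

def parse_tcp_options(segment: bytes):
    """Return (flags, [(kind, data), ...]) parsed from a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] >> 4) * 4
    flags = segment[13]
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("invalid TCP data offset")
    opts, i = [], 20
    while i < data_offset:
        kind = segment[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP padding
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("option kind %d is missing its length" % kind)
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("bad length for option kind %d" % kind)
        opts.append((kind, segment[i + 2:i + length]))
        i += length
    return flags, opts

def carries_wanos_option(segment: bytes) -> bool:
    """True if the segment is a SYN or SYN-ACK that still carries option 76."""
    flags, opts = parse_tcp_options(segment)
    return bool(flags & SYN) and any(k == WANOS_OPTION_KIND for k, _ in opts)

def build_syn(options: bytes) -> bytes:
    """Build a minimal SYN segment around the given options (constructed test data)."""
    padded = options + b"\x00" * (-len(options) % 4)
    offset_byte = ((20 + len(padded)) // 4) << 4
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, offset_byte, SYN, 65535, 0, 0)
    return header + padded

# Constructed samples: MSS option plus a placeholder option-76 payload, and the
# same SYN as a firewall that clears unknown TCP options would forward it.
SYN_WITH_76 = build_syn(b"\x02\x04\x05\xb4" + b"\x4c\x06\xde\xad\xbe\xef")
SYN_STRIPPED = build_syn(b"\x02\x04\x05\xb4")
if __name__ == "__main__":
    print("before firewall:", carries_wanos_option(SYN_WITH_76))   # True
    print("after firewall: ", carries_wanos_option(SYN_STRIPPED))  # False
```

On a real capture, pass the bytes starting at the TCP header (after the IP header) of the SYN seen on each side of the firewall; if the option is present on the LAN side but absent on the WAN side, the firewall is stripping it.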
UDP Encapsulation is useful when users are not in control of the Firewalls. It gives them a last resort option when they can't implement the recommended/required firewall changes.
Examples of environments where the auto-discovery process does not work are as follows:
UDP Encapsulation can be enabled by turning on the UDP encapsulation option in the Wanos web UI.
Notes when enabling UDP encapsulation:
- All sites require this option to be configured.
- Additional overhead and processing is introduced.