Citrix Professionals Network Discussion Forum - provided by Actu8 IT Pty Ltd (www.actu8.com)
Topic: WANScaler not accelerating traffic after correct setup due to firewall config
Author: Pepperami (Administrator)
Posted: July 02, 2008, 11:51:06 PM

WANScaler acceleration parameters are sent via TCP options. These may occur in any packet, and are guaranteed to be present in the SYN and SYN-ACK packets that establish the connection. Your firewall must not block TCP options in the range of 24-31 (decimal), or acceleration cannot take place, and accelerated connections will be blocked. Most firewalls do not block these options. However, Cisco ASA and PIX firewalls (and perhaps others) with release 7.x firmware may do so by default.

(The WANScaler unit will detect this and stop trying to accelerate connections for the offending source/dest IP combination, at which point connections will be established normally, but will not be accelerated. The detection process can take anywhere from 20 seconds to several minutes, causing annoying delays in addition to the lack of acceleration.) In general, programming your firewall to accept TCP options in the range of 24-31 will solve this problem. The firewalls at both ends of the link should be examined, since both may be permitting options on outgoing connections but blocking them on incoming ones.

The following example should work with Cisco ASA 55x0 firewalls using 7.x firmware. Because it globally allows options in the range of 24-31, there is no customized per-interface or per-unit configuration:

====================================================================
CONFIGURATION FOR CISCO ASA 55X0 WITH 7.X CODE TO ALLOW TCP OPTIONS
====================================================================

hostname(config)# tcp-map WSOptions
hostname(config-tcp-map)# tcp-options range 24 31 allow
hostname(config-tcp-map)# class-map WSOptions-class
hostname(config-cmap)# match any
hostname(config-cmap)# policy-map WSOptions
hostname(config-pmap)# class WSOptions-class
hostname(config-pmap-c)# set connection advanced-options WSOptions
hostname(config-pmap-c)# service-policy WSOptions global

Configuration for a PIX firewall is similar:

===========================================================
POLICY MAP TO ALLOW WANSCALER TCP OPTIONS TO PASS (PIX 7.x)
===========================================================

pixfirewall(config)# access-list tcpmap extended permit tcp any any
pixfirewall(config)# tcp-map tcpmap
pixfirewall(config-tcp-map)# tcp-opt range 24 31 allow
pixfirewall(config-tcp-map)# exit
pixfirewall(config)# class-map tcpmap
pixfirewall(config-cmap)# match access-list tcpmap
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map global_policy
pixfirewall(config-pmap)# class tcpmap
pixfirewall(config-pmap-c)# set connection advanced-options tcpmap
Nathan Anthony
Specialist Citrix and Microsoft Consultants
www.actu8.com
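
One way to carry out the check the post recommends (examining the firewall at each end), as an added example that is not part of the original post: parse the TCP options of the same SYN captured on both sides of a firewall and report which kinds in the 24-31 range did not survive. The sample headers are constructed, and the contents of the kind-24 option are a placeholder, since the post does not describe the option payload.

```python
import struct

WANSCALER_KINDS = range(24, 32)  # option kinds 24-31 (decimal), per the post


def tcp_option_kinds(tcp_header: bytes) -> list[int]:
    """Return the option kinds found in a raw TCP header (no IP header)."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_header[12] >> 4) * 4      # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts, kinds, i = tcp_header[20:data_offset], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                            # End of Option List
            break
        if kind == 1:                            # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        kinds.append(kind)
        i += opts[i + 1]                         # skip kind, length and payload
    return kinds


def stripped_kinds(before_fw: bytes, after_fw: bytes) -> list[int]:
    """Kinds in 24-31 seen before the firewall but missing after it."""
    after = set(tcp_option_kinds(after_fw))
    return sorted({k for k in tcp_option_kinds(before_fw)
                   if k in WANSCALER_KINDS and k not in after})


def build_syn(options: bytes) -> bytes:
    """Constructed sample SYN header; ports and sequence number are arbitrary."""
    options += b"\x01" * (-len(options) % 4)     # pad with NOPs to 32 bits
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, offset << 4, 0x02,
                       65535, 0, 0) + options


MSS = b"\x02\x04\x05\xb4"
ACCEL = b"\x18\x04\x00\x00"   # constructed placeholder: kind 24, length 4
SYN_LAN_SIDE = build_syn(MSS + ACCEL)
SYN_WAN_SIDE_STRIPPED = build_syn(MSS + b"\x01" * 4)  # assumed: option replaced by NOPs
SYN_WAN_SIDE_OK = build_syn(MSS + ACCEL)
```

An empty result from `stripped_kinds` for SYNs in both directions, at both sites, indicates the firewalls are passing the options.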