WAAS WITH WINDOWS SERVER 2008 AND CERTIFICATE

November 30

172.20.203.3:135       172.20.1.191:2751      PT AD Int Error
172.20.221.205:51786   172.20.1.176:80        PT In Progress
172.20.1.191:2751      172.20.203.3:135       PT AD Int Error
172.20.221.3:443       172.20.1.29:25403      PT AD Int Error
172.20.1.176:80        172.20.221.250:64345   PT In Progress
172.20.221.250:64345   172.20.1.176:80        PT In Progress
172.20.203.222:57837   172.20.1.232:80        PT In Progress
172.20.1.138:2249      172.20.140.218:139     PT AD Int Error
172.20.1.29:25403      172.20.221.3:443       PT AD Int Error
172.20.1.29:25452      172.20.221.3:443       PT AD Int Error
172.20.1.138:2241      172.20.140.218:445     PT AD Int Error
172.20.1.29:25411      172.20.221.3:443       PT AD Int Error
172.20.1.187:8014      172.20.221.250:64349   PT In Progress
172.20.1.176:80        172.20.221.205:51786   PT In Progress
172.20.140.218:445     172.20.1.138:2241      PT AD Int Error
172.20.221.3:443       172.20.1.29:25452      PT AD Int Error
172.20.1.138:1942      172.20.221.3:445       PT In Progress

SMB Digital Signing is enabled by default on Domain Controllers - I'll double check, but don't believe it is enabled across ALL 2008 Server, but it would be worth checking.
Digital Signing is designed to prevent man in the middle attacks - which is precisely what WAAS is doing.
Turning it off generally improves speed by around 20% even without WAAS, and lets WAAS use full DRE and the CIFS adapter to cache files.
Any problems, just raise a TAC case and my boys will help you out
Edit: Link from MS which discusses it in more detail and how to turn off:
http://support.microsoft.com/?kbid=887429
According to that, it's NOT enabled across the board in 2008, just on the DC's.
My company uses WAAS. As you can see above, whenever I try to do the implementation, WAAS is giving me the following message, "pt in ad error", for all the connections that will be compatible with Windows. I did some research, and what's above has to do with the digital Windows certificate, which WAAS is struggling to open due to the code encrypted in the certificate. Do you happen to have a way of enabling the certificate within the module? Another option would be to disable the certificate in Windows Server 2008?


Thiago,
PT AD Int Error has nothing to do with SMB digital signatures. PT AD Int Error means TFO auto-discovery failed and could not negotiate an optimized flow; this is during the TCP 3-way handshake, before digital signatures even come into play.
A common reason for PT AD Int Error status is another device in the path before WAAS has filled up the TCP options field with other data, thus leaving no room for WAAS to put its TCP opt 0x21.
Once you resolve the PT AD Int Error problem and a CIFS AO negotiated policy occurs, if the server/client require digital signatures then you will see the connection as T,G,D,L or T,G (meaning Generic AO).
If digital signatures are not required the CIFS connections will show as T,C,D,L.
I suggest you take packet captures on both client and server side WAEs to see how SYN and SYN-ACK packets are reaching the WAE and see if the options field is filled with data before reaching the WAE.
If this is part of a WAAS PoC/ Demo feel free to open a case with the PDI team.
http://www.cisco.com/web/partners/tools/pdi.html
Otherwise, if this is in production please open a case with TAC.
Regards,
Mike Korenbaum
Cisco Data Center PDI Help Desk
http://www.cisco.com/go/pdihelpdesk
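
The check suggested in the reply above (is the TCP options field of a captured SYN already full, and is option 0x21 present?) can be scripted once the TCP header bytes are pulled out of the capture. This is an added example, not code from the thread or from Cisco. Assumptions: the sample headers are constructed, kind 253 stands in for another device's data, and `ASSUMED_NEEDED` is an illustrative size, not a documented WAAS value.

```python
import struct

WAAS_OPT_KIND = 0x21     # option kind named in the reply above
MAX_OPTION_BYTES = 40    # 60-byte maximum TCP header minus the 20 fixed bytes
ASSUMED_NEEDED = 12      # assumption for illustration, not a documented WAAS size

def parse_tcp_options(tcp_header: bytes):
    """Return ([(kind, data), ...], used_bytes) for one raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_header[12] >> 4) * 4
    if not 20 <= data_offset <= len(tcp_header):
        raise ValueError("bad data offset")
    raw, opts, i = tcp_header[20:data_offset], [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of Option List: rest is padding
            break
        if kind == 1:                      # NOP is a single byte with no length
            opts.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed option at offset %d" % i)
        opts.append((kind, raw[i + 2:i + raw[i + 1]]))
        i += raw[i + 1]
    return opts, i

def check_syn(tcp_header: bytes, needed: int = ASSUMED_NEEDED) -> dict:
    """Summarise whether a SYN carries option 0x21 or still has room for it."""
    opts, used = parse_tcp_options(tcp_header)
    kinds = [k for k, _ in opts]
    free = MAX_OPTION_BYTES - used
    present = WAAS_OPT_KIND in kinds
    return {"kinds": kinds, "used": used, "free": free,
            "has_0x21": present, "room_for_0x21": present or free >= needed}

def build_syn(options: bytes) -> bytes:
    """Constructed sample header: SYN flag set, options zero-padded to 4 bytes."""
    options += b"\x00" * (-len(options) % 4)
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 51786, 445, 1, 0,
                       offset << 4, 0x02, 65535, 0, 0) + options

# Constructed option sets (MSS, SACK-permitted, timestamps, NOP, window scale).
BASE = bytes.fromhex("020405b4" "0402" "080a" + "00" * 8 + "01" "030308")
PLAIN_SYN = build_syn(bytes.fromhex("020405b4" "01" "030308" "0101" "0402"))
FULL_SYN = build_syn(BASE + bytes([253, 20]) + b"\xaa" * 18)   # other device's data
MARKED_SYN = build_syn(BASE + bytes([WAAS_OPT_KIND, 12]) + b"\x00" * 10)
```

Run `check_syn()` on the same SYN as seen on the client-side and server-side WAE captures; a header that arrives with `free` at or near zero and no 0x21 matches the cause described in the reply.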
