This document describes the required steps for configuring Youtube Acceleration on Cisco Wide Area Application Services (WAAS) using the Akamai Connect feature.
Note: Throughout this article, the term WAAS device is used to refer collectively to the WAAS Central Managers and WAEs in your network. The term WAE (Wide Area Application Engine) refers to WAE and WAVE appliances, SM-SRE modules running WAAS, and vWAAS instances.
Cisco recommends that you have knowledge of these topics:
Public Key Infrastructure
Secure Sockets Layer (SSL) Certificate
The information in this document is based on these software versions:
Cisco WAAS version 5.5.1
Cisco WAAS version 6.2.1
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Akamai Connect and WAAS
The Akamai Connect feature is an HTTP/S object cache component added to Cisco WAAS. It is integrated into the existing WAAS software stack and is leveraged via the HTTP Application Optimizer. Akamai Connect helps reduce latency for HTTP/S traffic for business and web applications and can improve performance for many applications including POS (Point of Sale), HD video, digital signage, and in-store order processing. It provides significant and measurable WAN data offload and is compatible with existing WAAS functions such as DRE (deduplication), LZ (compression), TFO (Transport Flow Optimization), and SSL acceleration (secure/encrypted) for first and second pass acceleration.
These terms are used with Akamai Connect and WAAS:
Akamai Connect - Akamai Connect is an HTTP/S object cache component added to Cisco WAAS, integrated into the existing WAAS software stack and leveraged via the HTTP Application Optimizer. WAAS with Akamai Connect helps to reduce latency for HTTP/S traffic for business and web applications.
Akamai Connected Cache - Akamai Connected Cache is a component of Akamai Connect, which allows the cache engine (CE) to cache content that is delivered by an Edge server on the Akamai Intelligent Platform.
Step 1. You need an SSL certificate signed by your internal/public CA.
The certificate needs to include the following SubjectAltName:
This is an example certificate:
Step 2. You need to trust the intermediary and/or root Certificate Authority (CA) across your organization.
This can be achieved by using Group Policy across the Active Directory domain.
If you are testing this setup in a lab, you can install the intermediary and/or root CA in the client device as a Trusted CA.
Step 3. Create an SSL accelerated Service on WAAS device using WAAS Central Manager GUI.
On dual sided Akamai (pre WAAS 6.2.3), configure the SSL accelerated service on the core WAAS. For single sided Akamai (WAAS 6.2.3 or later), configure the SSL accelerated service on the branch WAAS and enable the SSL interposer. This is the only difference between dual side setup and single side setup.
Note: WAAS running a software release prior to 6.2.3 needs a dual sided Akamai setup to accelerate Youtube traffic. The core WAAS proxies the SSL connection going to Youtube. WAAS running software release 6.2.3 or later supports SSL AO v2 (SAKE). This allows the branch WAAS to proxy the SSL connection when the branch sends traffic directly to the internet without being directed through the datacentre infrastructure.
Navigate to Devices > Configure > Acceleration > SSL Accelerated Service, as shown in the image:
Step 4. Configure the SSL Accelerated Service.
If you use an explicit proxy, Protocol Chaining needs to be enabled. HTTP AO must be applied to the TCP port used for proxying the traffic (for example, 80 or 8080).
Match Server Name Indication needs to be checked. In this setup, when the core WAAS receives SSL traffic, it compares the SNI field in the Client Hello with the SubjectAltName in the uploaded certificate. If the SNI field matches the SubjectAltName, the core WAAS proxies this SSL traffic.
When the Match Server Name Indication field is checked, use Any for IPAddress and 443 for Server Port. Click Add to add this entry.
Server Name Indication (SNI)
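The SNI-to-SubjectAltName comparison described in Step 4, sketched as an added example (not Cisco's code). It assumes RFC 6125 style wildcard rules, since the exact matching logic WAAS uses is not given here; the function names and domain names are constructed placeholders.

```python
# Added example: which Client Hello SNI values does a certificate's
# SubjectAltName list cover? Matching follows RFC 6125 style rules
# (an assumption; WAAS's exact algorithm is not documented on this page).

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.strip().rstrip(".").lower().split(".")

def san_matches(sni, san):
    """True if one dNSName SAN entry covers the SNI hostname."""
    host, pat = _labels(sni), _labels(san)
    if len(host) != len(pat) or "" in host:
        return False
    if pat[0] == "*":
        # A wildcard covers exactly one left-most label, and at least two
        # literal labels must follow it, so "*.com" never matches.
        return len(pat) >= 3 and host[1:] == pat[1:]
    # Partial wildcards such as "w*.example.test" are not honoured.
    return "*" not in san and host == pat

def covering_san(sni, san_list):
    """Return the first SAN entry that covers the SNI, or None."""
    for san in san_list:
        if san_matches(sni, san):
            return san
    return None

def audit(sni_values, san_list):
    """Map each observed SNI to the SAN entry that covers it (None = no match)."""
    return {sni: covering_san(sni, san_list) for sni in sni_values}

# Constructed sample data: placeholder domains, not the SAN list from this page.
SAMPLE_SANS = ["*.video.example.test", "www.example.test", "*.example.test"]
SAMPLE_SNIS = [
    "WWW.Example.Test",           # exact match, case-insensitive
    "r3.cdn.video.example.test",  # two labels below the wildcard: not covered
    "edge1.video.example.test",   # covered by *.video.example.test
    "example.test",               # bare domain is not covered by *.example.test
]

if __name__ == "__main__":
    for sni, san in audit(SAMPLE_SNIS, SAMPLE_SANS).items():
        print(f"{sni:30} -> {san or 'NO MATCH'}")
```

Running the audit against the SAN list of the certificate you plan to upload shows, before deployment, which hostnames seen in client traffic would not match any entry.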
Step 5. Upload certificate and private key.
You need to provide a certificate and private key. The example shown in the image uses PEM format:
Step 6. Verify the uploaded certificate information.
Step 7. Click the SUBMIT button and this is the end result.
Step 8. Enable Akamai Connect.
Navigate to Devices > Configure > Caching > Akamai Connect.
Step 9. Enable the SSL Interposer on the branch WAAS (Required only for Single Side Setup).
Step 1. You need to have Akamai Connect enabled on branch WAAS.
WAAS-BRANCH# show accelerator http object-cache
Akamai Connected Cache State
Ensure Operational State is Running and Connect State is Connected.
Step 2. Verify Youtube Acceleration on Client.
When you access Youtube you must see the certificate signed by your own CA:
Step 3. Verify on WAAS.
Verify if SSL AO is correctly applied to the traffic:
Example Output from the CLI when running WAAS software prior to 6.2.3 (SSL AO v1 and Dual Site Setup)
Check the ce-access-errorlog on the branch WAAS. Log entries for optimized traffic have a code of 10000 associated with them (which indicates the traffic is classified as OTT-Youtube), and h - - - 200 indicates that the object cache is hit and traffic is served locally. The most acceleration is expected on googlevideo. You can open multiple browsers on the test machine and play the same video at the same time to test the setup:
Problem: The browser cannot connect to Youtube and there is no certificate pushed.
This can be caused by the core WAAS not trusting the certificate pushed by Youtube.
Uncheck this on SSL accelerated service.
Problem: Traffic hits Akamai Connect Engine but there is no Cache hit.
This can be caused by enforcing the If-Modified-Since (IMS) check on the branch WAAS. The IMS option may be checked to enforce logging of user activity to a proxy server or usage analysis device. When the IMS check is enabled, in the current OTT version, Youtube always requests the client to fetch the latest copy from the origin server.
Uncheck these on the branch WAAS to disable IMS checking:
Navigate to Configure > Caching > Akamai Connect.
This issue is expected to be fixed in WAAS 6.3 and beyond.
Problem: Akamai Cache breaks HTTPS connection when going through a proxy with Authentication.
When you need to go through a proxy before going to the internet and the proxy requires authentication, WAAS may break the HTTPS connection. Packet capture taken on branch WAAS shows the response of HTTP 407 from the server site. However, the capture stops after the first packet. Subsequent packets are not sent and the response is incomplete.
This is tracked in defect CSCva26420 and is likely to be fixed in the WAAS 6.3 release.