Release Note for Cisco Wide Area Application Services Software Version 6.2.1x
Cisco Software Version 6.2.1x New and Changed Features
Cisco Software Version 6.2.1x Filenames
No Payload Encryption Image Files
Cisco WAAS Appliance System Firmware Update
RAID Controller Firmware Update
Hardware, Client, and Web Browser Support
Cisco WAAS Version Interoperability
Cisco WAAS and vWAAS Interoperability
Cisco WAAS, ISR-WAAS and IOS-XE Interoperability
Cisco AppNav and AppNav-XE Interoperability
Cisco WAAS, ASR/CSR, and IOS-XE Interoperability
Cisco WAAS Express Interoperability
Traffic Interception Interoperability
General Traffic Interception Interoperability
Microsoft Windows XP Support Notice
Upgrading from a Prerelease Version to Version 6.2.1x
Upgrading from a Release Version to Version 6.2.1x
Upgrade Paths and Considerations for Version 6.2.1x
Upgrade Paths for WAAS Version 6.2.1x
Upgrading from Cisco WAAS Version 5.x and Later to Version 6.2.1x
Upgrading from Cisco WAAS Version 4.2.x to Version 6.2.1x
Workflow: Upgrading from a Release Version to Version 6.2.1x
Upgrade Part 1: Create a Backup of the Primary WAAS CM Database
Upgrade Part 2: Upgrade the Standby WAAS CM
Upgrade Part 3: Upgrade the Primary WAAS CM
Upgrade Part 4: Upgrade the Branch WAE Devices
Upgrade Part 5: Upgrade the Data Center WAAS Software
Upgrade Part 6: Upgrade Each Data Center WAE
Upgrade Part 7: WCCP and Migration Processes
Upgrade Part 8: Post-Upgrade Tasks
Migrating a WAAS CM from an Unsupported to a Supported Platform
Migrating a Physical Appliance Being Used as a WAAS CM to a vCM
Ensuring a Successful RAID Pair Rebuild
Downgrading from Version 6.2.1x to a Previous Version
Downgrading the WAAS System from Version 6.2.1x to a Previous Version
Downgrade Component and Data Considerations
Downgrading the WAAS CM from Version 6.2.1x to a Previous Version
WAAS CM Downgrade Path Considerations
WAAS CM Downgrade Procedure Considerations
Procedure for Downgrading the WAAS CM to a Previous Version
Cisco WAE and WAVE Appliance Boot Process
CIFS Support of FAT32 File Servers
Using the HTTP Accelerator with the Cisco ASR 1000 Series Router and WCCP
Configuring SMART-SSL Acceleration
Preparing to Use SMART-SSL Acceleration
Creating a Root CA certificate
Creating Single-Sided SSL Accelerated Service Certificate
Configuring and Enabling SMART-SSL Accelerated Services on Single-Sided Device Group
Software Version 6.2.1x Resolved and Open Caveats, and Command Changes
Cisco Software Version 6.2.1a Resolved Caveats
Cisco Software Version 6.2.1 Resolved Caveats
Cisco Software Version 6.2.1 Open Caveats
Cisco Software Version 6.2.1x Command Changes
Obtaining Documentation and Submitting a Service Request
Note The most current Cisco documentation for released products is available on Cisco.com.
This Release Note applies to the following software versions for the Cisco Wide Area Application Services (WAAS) software:
For information on Cisco WAAS features and commands, see the Cisco WAAS documentation located at http://www.cisco.com/en/US/products/ps6870/tsd_products_support_series_home.html.
This Release Note contains the following sections:
The following sections describe the new and changed features in Software Version 6.2.1x:
Cisco WAAS Software Version 6.2.1 includes the following new features and changes:
– Supported WAAS platforms for Akamai Connect connection counts scale beyond 6,000 connections, to scale close to the connection limit on WAAS mid- to high-end platforms.
– HAR (HTTP Archive format) file support—Support for generating HAR files on both LAN and WAN sides, with filter support. Although not fully integrated with the WAAS CM and WAAS CLI, you can use the script execute harcap.sh to launch and manage this feature.
– Prepositioning proxy support—Akamai Connect utilizes a non-transparent proxy for prepositioning content.
– Prepositioning User Agent—Provides information on client browser and operating system type used to access the URLs specified for a preposition task.
– Force IMS—Akamai Connect supports an additional force refresh option for dual-sided deployments with filtering/SWG/CWS servers up stream.
– Prepositioning of JNLP (Java Network Launch Protocol) files, which contain URL references for Java Web Start.
– Prepositioning of HLS (HTTP Live Streaming) and HDS (HTTP Dynamic Streaming) video manifest files.
– Enhancements to OTT caching, including query formulation and support for YouTube R playback with range requests.
– Cisco vWAAS on RHEL KVM
—EzDeploy script for simplified deployment of vWAAS on RHEL KVM
—L2 Inline traffic interception for vWAAS on RHEL KVM
– For vWAAS-12000 and vWAAS-50000, Akamai Connect connection counts scale beyond 6,000 connections, to scale close to the WAAS connection limit for these models.
– vWAAS-150 supported for Microsoft Hyper-V and RHEL KVM
This section describes the Cisco WAAS Software Version 6.2.1x software image files for use on Cisco WAAS appliances and modules and contains the following topics:
Cisco WAAS Software Version 6.2.1x includes the following standard primary software image files for use on Cisco WAAS appliances and modules:
The following additional files are also included:
Cisco WAAS Software Version 6.2.1x includes No Payload Encryption (NPE) primary software image files that have the disk encryption feature disabled. These images are suitable for use in countries where disk encryption is not permitted. NPE primary software image files include the following:
The following additional files are also included:
On Cisco Wide Area Application Engine (WAE) and Cisco Wide Area Application Virtualization Engine (WAVE) appliances, we recommend that you update the following three types of system firmware to the latest version to best support new Cisco WAAS features.
This section contains the following topics:
BIOS on the WAVE-294/594/694/7541/7571/8541 models. The latest BIOS is required for AppNav operation.
BMC firmware on the WAVE-294/594/694/7541/7571/8541 models. The latest BMC (Baseboard Management Controller) firmware is required for Intelligent Platform Management Interface (IPMI) over LAN feature.
RAID controller firmware on the WAVE-7541/7571/8541. The latest RAID (Redundant Array of Independent Disks) controller firmware is recommended to avoid some rarely-encountered RAID controller issues.
The latest BIOS is required for AppNav operation with a Cisco AppNav Controller Interface Module in WAVE-594/694/7541/7571/8541 models. WAVE-294 models may also need a BIOS update, though they do not support AppNav.
WAVE-594/694/7541/7571/8541 appliances shipped from the factory with Cisco WAAS Version 5.0.1 or later have the correct BIOS installed. WAVE-294 appliances shipped from the factory with Cisco WAAS Version 5.1.1 or later have the correct BIOS installed.
For the specfic BIOS version required for WAVE-594/694 models, WAVE-7541/7571/8541 models, and WAVE-294 models, please see the Cisco Wide Area Application Service (WAAS) Firmware download page ( registered customers only).
If you install a Cisco AppNav Controller Interface Module in a device that requires a BIOS update, the bios_support_seiom major alarm is raised, “I/O module may not get the best I/O performance with the installed version of the system BIOS firmware.”
To determine if a device has the correct BIOS version, use the show hardware command. The last three characters of the Version value, for example, “20a,” show the BIOS version installed on the device.
If a BIOS firmware update is needed, you can download it from cisco.com at the Cisco Wide Area Application Service (WAAS) Firmware download page ( registered customers only). The firmware binary image for WAVE-294/594/694/7541/7571/8541 appliances is named waas-bios-installer-20a-19a-13a-k9.bin.
You can use the following command to update the BIOS from the image file that is available through FTP on your network:
copy ftp install ip-address remotefiledir waas-bios-installer-20a-19a-13a-k9.bin
Use the appropriate BIOS installer file for your appliance model.
The complete update process can take several minutes and the device may appear unresponsive but do not interrupt the process or power cycle the device. After the update is complete, you must reload the device.
After the device reboots, you can verify the firmware version by using the show hardware command.
IPMI over LAN requires that you install a specific BMC firmware version on the device. The minimum supported BMC firmware versions are as follows:
Cisco WAAS appliances shipped from the factory with Cisco WAAS Version 4.4.5 or later have the correct firmware installed. If you are updating a device that was shipped with an earlier version of Cisco WAAS software, you must update the BMC firmware, unless it was updated previously.
To determine if you are running the correct firmware version, use the show bmc info command. The following example displays the latest BMC firmware version installed on the device (49a here):
If a BMC firmware update is needed, you can download it from cisco.com at the Cisco Wide Area Application Service (WAAS) Firmware download page ( registered customers only). For example, if the firmware binary image is named waas-bmc-installer-49a-49a-27a-k9.bin, you can use the following command to update the firmware from the image file that is available through FTP on your network:
copy ftp install ip-address remotefiledir waas-bmc-installer-49a-49a-27a-k9.bin
The update process automatically checks the health status of the BMC firmware. If the system detects that the BMC firmware is corrupted, BMC is recovered during the BMC firmware update procedure. The complete update process can take several minutes. If the device appears unresponsive, do not interrupt the process or power cycle the device. After the update is complete, you must reload the device.
After the device reboots, you can verify the firmware version by using the show bmc info command.
BMC recovery and BMC firmware update restores the factory defaults on the BMC and all the current IPMI over LAN configurations are erased.
If the BMC firmware gets corrupted, a critical alarm is raised.
We recommend that you upgrade to the latest RAID-5 controller firmware for your hardware platform, which can be found on cisco.com at the Cisco Wide Area Application Service (WAAS) Firmware download page ( registered customers only). The firmware differs depending on your hardware platform:
The firmware binary image is named waas-raid-fw-installer-12.12.0-0060-k9.bin. Instructions on how to apply the firmware update are posted on cisco.com together with the firmware in the file named M2_0060_FIRMWARE.pdf, which you can see when you mouse over the firmware file.
This section contains the following topics:
Table 1 lists the hardware, client, and web browser support for Cisco WAAS Software Version 6.2.1x.
Table 1 WAAS 6.2.1x Hardware, Client and Web Browser Support
The Cisco WAAS software operates on these hardware platforms: Consider the following if you upgrade a WAVE-694 from WAAS Version 5.x to Version 6.x, and the WAVE-694 has the following parameters: – You have used the disk object-cache extend command before the upgrade. After the upgrade from WAAS Version 5.x to 6.x, you may see the disk_full alarm. (For more information on alarms, see of the WAAS Alarm Book.) To address the above scenario, follow these steps before beginning the upgrade process: a. Use the no disk object-cache extend command to disable the disk object cache extend command. b. Reload the WAVE-694 in WAAS Version 5.x. c. Verify that the device is operational. d. Upgrade from WAAS Version 5.x to WAAS Version 6.x.
Additionally, Cisco 880 Series, 890 Series, and ISR G2 routers running Cisco WAAS Express are supported on the branch side (Cisco WAAS Version 5.0.x or later is required on the data center side). You must deploy the Cisco WAAS Central Manager on a dedicated device. |
|
The Cisco WAAS Central Manager GUI requires Internet Explorer Version 8 or 9 (only 8 on Windows XP), Firefox Version 4 or later, Chrome Version 10 or later, or Safari version 5.x (only on Apple OS X) and the Adobe Flash Player browser plug-in.
Note A known issue in Chrome Version 44.0 may prevent some WAAS CM pages—including Device Listing, Reports, Software Update pages—from loading properly. In Chrome Version 43.0 all WAAS CM pages work as expected. |
Consider the following guidelines when operating a Cisco WAAS network that mixes Software Version 6.2.1x devices with devices running earlier software versions:
Consider the following guidelines when using Cisco vWAAS with WAAS:
Note When selecting the format in the vSphere Client for the virtual machine’s disks for vWAAS with VMware vSphere ESXi, you must choose the Thick Provision Eager Zeroed disk format for vWAAS deployment; this is the format recommended with vWAAS deployment for a clean installation.
Note When upgrading vWAAS, do not upgrade more than five vWAAS nodes at the same time on a single UCS box. Upgrading more than five vWAAS nodes at the same time may cause the vWAAS devices to go offline and diskless mode.
If needed, change the SCSI controller type to VMware Paravirtual by following these steps:
b. From the VMware vCenter, navigate to vSphere Client > Edit Settings > Hardware.
d. From the Change Type drop-down list, verify that the SCSI Controller Type is set to VMware Paravirtual. If this is not the case, choose VMware Paravirtual.
f. Power up the vWAAS, with WAAS Version 6.1.x or later.
For more information on setting the SCSI Controller Type and on the vWAAS VM installation procedure, see Chapter 2, “Installing Cisco vWAAS” section “Installing the vWAAS VM” in the Cisco Virtual Wide Area Application Services Installation and Configuration Guide.
Table 2 shows Cisco WAAS, ISR-WAAS and IOS-XE Interoperability.
Table 2 Cisco WAAS, ISR-WAAS and IOS-XE Interoperability
Note ISR4321-B/K9 is not supported for ISR-WAAS installation.
Consider the following guidelines when deploying the Cisco AppNav solution, for AppNav and AppNav-XE.
Note WAAS Version 6.1.x and later does not support AppNav IOM.
– All Cisco ASRs (Aggregation Services Routers) in an AppNav Controller Group need to be the same model, with the same ESP (Embedded Services Processor) rate (in Gbps). For example, in an AppNav Controller Group, you cannot have one ASR-1006 40-Gbps ESP and one ASR-1006 100-Gbps ESP.
– The same principle is true for using the ISR (Integrated Services Router) 4000 series. You cannot have an ISR-4451 and an ISR-4321 in the same AppNav-XE cluster.
Note Although an IOS router can have a dot (“.”) in the hostname, this special character is not allowed in a WAAS device hostname. If you try to import an AppNav-XE device that has a dot in the hostname, the import will fail and the following error message is displayed: Registration failed for the device devicename ConstraintException; Invalid AppNav-XE name: X.X since name includes invalid character ‘.’.
Table 3 shows Cisco WAAS, ASR/CSR and IOS-XE Interoperability.
Table 3 Cisco WAAS, ASR/CSR, and IOS-XE Interoperability
Consider the following guideline when using Cisco WAAS Express devices in your Cisco WAAS network:
Note If you are upgrading the WAAS Express devices to IOS 15.3(3)M image, as part of the new AppX/K9 (Application Experience) license support in WAAS Express IOS 15.3(3)M images, you need to upgrade the WAAS Central Manager to WAAS v5.3.1 or later, or else the devices will go offline.
Note As listed in “Software Version 5.1.1 Open Caveats,” CSCug16298, “WAAS-X to WAAS 5.1.1 connections will be reset when using HTTP acceleration.” We recommend that you do not use HTTP Application Optimizer (AO) between Cisco WAAS and Cisco WAAS Express unless you are running Cisco IOS Release 15.3(1)T or later.
Table 4 lists the Cisco WAAS, WAAS Express and IOS Interoperability
Table 4 Cisco WAAS, WAAS Express and IOS Interoperability
Note 39xxE series routers do not support WAAS Express.
Cisco WAAS uses the following traffic interception methods: Web Cache Communications Protocol (WCCP), WCCP Version 2, AppNav, Inline, Policy-Based Routing (PBR) and ITD (advanced version of PBR). For WAAS Version 5.5.1 and earlier, WAAS supports WCCP, AppNav, and vPATH.
Consider the following guidelines when configuring traffic interception for Cisco WAAS.
For more information on traffic interception methods, see the “Configuring Traffic Interception” chapter of the Cisco Wide Area Application Services Configuration Guide.
Central Managers running Version 6.2.1x can manage WAEs running WAAS Version 5.x and later. However, we recommend that all WAEs in a given WCCP service group be running the same WAAS version.
Note All WAEs in a WCCP service group must have the same mask.
To upgrade the WAEs in your WCCP service group, follow these steps:
Step 1 You must disable WCCP redirection on the Cisco IOS router first. To remove the global WCCP configuration, use the following no ip wccp global configuration commands:
Step 2 Perform the Cisco WAAS software upgrade on all WAEs using the Cisco WAAS Central Manager GUI.
Step 3 Verify that all WAEs have been upgraded in the Devices pane of the Central Manager GUI. Choose Devices to view the software version of each WAE.
Step 4 If mask assignment is used for WCCP, ensure that all WAEs in the service group are using the same WCCP mask value.
Step 5 Reenable WCCP redirection on the Cisco IOS routers. To enable WCCP redirection, use the ip wccp global configuration commands:
Cisco WAAS Version 5.1 and later do not support Windows domain login authentication using the NTLM protocol. Therefore, upgrading from a Cisco WAAS Version earlier than Version 5.1 with the device configured with Windows domain login authentication using the NTLM protocol is blocked. You must change the Windows domain authentication configuration to use the Kerberos protocol before proceeding with the upgrade.
Follow these steps to change from NTLM to Kerberos Windows domain login authentication:
Step 1 Unconfigure Windows domain login authentication. You can do this from the Central manager in the Configure > Security > AAA > Authentication Methods window.
Step 2 Change the Windows domain configuration setting to use the Kerberos protocol. You can do this from Central manager in the Configure > Security > Windows Domain > Domain Settings window. For more information, see “Configuring Windows Domain Server Authentication Settings” in the “Configuring Administrative Login Authentication, Authorization, and Accounting” chapter of the Cisco Wide Area Application Services Configuration Guide.
Step 3 Perform the Windows domain join again from the Central manager in the Configure > Security > Windows Domain > Domain Settings window.
Step 4 Configure Windows domain login authentication from the Central manager in the Configure > Security > AAA > Authentication Methods window.
Note If you are upgrading the Central Manager itself from the GUI and the Windows domain login authentication on the Central Manager is configured to use the NTLM protocol, the upgrade fails with the following error logged in the device log:
Error code107: The software update failed due to unknown reason. Please contact Cisco TAC.
To view the device log for the Central Manager, choose the Central Manager device and then choose Admin > Logs > Device Logs. If you see this error, follow the steps above to change the Central Manager device Windows domain login authentication from NTLM to Kerberos.
If you upgrade the Central Manager itself from the CLI and the upgrade fails due to NTLM being configured, you will get an appropriate error message. Once the Central Manager is upgraded to Version 5.1, it can detect and display the reason for any upgrade failures for other devices.
Note Cisco WAAS Version 5.1 and later do not support the Kerberos protocol running with a nonstandard port (other than port 88). Upgrading from a Cisco WAAS Version earlier than 5.1 with the device configured with the Kerberos protocol on a nonstandard port is blocked. You must change the Kerberos server on your network to listen on port 88 and change the Kerberos configuration on the device to use port 88. You can do this from the Central manager in the Configure > Security > Windows Domain > Domain Settings window.
If you are trying to upgrade your device from the CLI and the upgrade fails due to NTLM configuration, then the kerberos_validation.sh script is installed on your device. This script can be used to verify that your network supports the Kerberos protocol before changing from NTLM to Kerberos. This script is not available if you are using the Central Manager to upgrade the device.
To run the script, follow these steps:
Step 1 (Optional) Run the Kerberos validation script command with the -help option to display the usage:
CM# script execute kerberos validation.sh -help
Step 2 Run the Kerberos validation script to verify that your network supports the Kerberos protocol before migrating from NTLM to Kerberos:
Step 3 Change the device Windows domain login authentication from NTLM to Kerberos and upgrade your device, as described in the first procedure in this section.
Microsoft ended support for Microsoft Windows XP on April 8, 2014. Microsoft has advised customers to upgrade to a newer Microsoft Windows operating system prior to that date.
Cisco strongly encourages upgrading to the latest Microsoft Windows operating systems. For customers who have not upgraded to the latest Microsoft Windows OS, Cisco will continue to support Microsoft Windows XP with their Cisco WAAS deployments and customers may continue to obtain support from Cisco TAC for those Cisco WAAS deployments for six months after Microsoft’s end-of-support date (Oct. 8, 2014).
To upgrade from Cisco WAAS prerelease software to Version 6.2.1x, you must perform the following tasks to ensure a successful upgrade:
Upgrading to WAAS Version 6.2.1xx is supported from WAAS Version 4.2.1 and later. For information on upgrade paths, see Upgrade Paths and Considerations for Version 6.2.1x.
To take advantage of new features and bug fixes, we recommend that you upgrade your entire deployment to the latest version. For an overview of the upgrade process from a release version to Version 6.2.1xx, see Workflow: Upgrading from a Release Version to Version 6.2.1x.
This section contains the following topics:
– Upgrade Part 1: Create a Backup of the Primary WAAS CM Database
– Upgrade Part 2: Upgrade the Standby WAAS CM
– Upgrade Part 3: Upgrade the Primary WAAS CM
– Upgrade Part 4: Upgrade the Branch WAE Devices
– Upgrade Part 5: Upgrade the Data Center WAAS Software
– Upgrade Part 6: Upgrade Each Data Center WAE
– Upgrade Part 7: WCCP and Migration Processes
– Upgrade Part 8: Post-Upgrade Tasks
For additional upgrade information and detailed procedures, refer to the Cisco Wide Area Application Services Upgrade Guide.
As shown in Table 5, upgrading to WAAS Version 6.2.1x is supported from WAAS Version 4.2.x and later.
Consider the following guidelines when upgrading from Cisco WAAS Version 5.x to Version 6.2.1x.
Note When upgrading vWAAS, do not upgrade more than five vWAAS nodes at the same time on a single UCS box. Upgrading more than five vWAAS nodes at the same time may cause the vWAAS devices to go offline and diskless mode.
Note Prior to upgrading the Central Manager to Version 5.2 or later, we strongly encourage you to change any usernames that use restricted characters; however if you must maintain existing usernames unchanged, please contact Cisco TAC.
When you upgrade from Cisco WAAS Version 4.x, you must reconfigure the custom EPM policy for a device or device group. You must first restore the default policy setting by selecting the Restore default Optimization Policies link for the device group in the Modifying Device Group window and then reconfigure your custom policy rules for the device. For more information on upgrade paths, see Table 5.
To upgrade from a Release Version to Version 6.2.1x, complete the tasks listed in Table 6.
Table 6 Workflow: Upgrading from a Release Version to Version 6.2.1x
|
|
Before upgrading to WAAS Version 6.2.1x, create a backup of the WAAS CM database.
WARNING: Upgrade of vCM device to 6.2.0 (or) higher version with ‘/sw’ and ‘/swstore’ size less than 2GB will clear system and data partition.
If you upgrade the vCM device to WAAS Version 6.2.1x via the GUI, a warning message is not displayed.
Follow these steps to create a backup of the WAAS CM database:
Step 1 Telnet to the primary WAAS CM, using the telnet command:
Step 2 Create the database backup, using the cms database backup command:
Step 3 The cms database backup command displays the following information:
creating backup file with label ‘backup’
backup file local1/filename filedate.dump is ready. use ‘copy’ command to move the backup file to a remote host.
Step 4 Copy the backup database file to a remote location, using the copy disk command:
waas-cm# copy disk ftp hostname ip-address remotefiledir remotefilename localfilename
Step 5 Verify that the backup file was copied correctly by verifying file size and time stamp.
Follow these steps to upgrade the standby WAAS CM, if present in your WAAS system.
Step 1 Telnet to the standby WAAS CM IP address:
Step 2 Copy the new software image to the standby WAAS CM, using the copy ftp command:
wae# copy ftp install ftpserver / waas-image.bin
Note This example shows the file in the root directory. Provide the correct path on your WAAS system, if different from the root directory path.
Step 3 Reload the standby WAAS CM, using the reload command
Step 4 Verify that the new image is loaded correctly, using the show version command.
Step 5 To confirm connectivity, ping the primary WAAS CM and branch WAE devices.
Step 6 Wait at least five minutes.
Step 7 To ensure that the database has been synchronized, confirm the database last synchronization time, using the show cms info command.
Step 8 From the primary WAAS CM, confirm that the status indicator for the standby WAAS CM is online and green.
Perform the following tasks before you upgrade the primary WAAS CM:
Follow these steps to upgrade the primary WAAS CM.
Step 1 Telnet to the primary WAAS CM IP address:
Step 2 Copy the new Version 6.2.1x software image to the primary WAAS CM, using the copy ftp command:
wae# copy ftp install ftpserver / waas-image.bin
Note This example shows the file in the root directory. Provide the correct path on your WAAS system, if different from the root directory path.
Step 3 Reload the primary WAAS CM, using the reload command
Step 4 Verify that the new Version 6.2.1x image is loaded correctly, using the show version command.
Step 5 To confirm connectivity, ping the standby WAAS CM (if present in your WAAS system) and branch WAE devices.
Step 6 Confirm that the CMS services are running, using the show cms info command.
Step 7 Choose Devices > All Devices and verify that all WAE devices are online.
Step 8 Choose Device Groups > AllWAASGroups > Assign Devices and verify that each WAE device is listed with a green check mark.
Before you upgrade the upgrade the branch WAE devices, verify that you have completed the following tasks:
Follow these steps to upgrade the branch WAE devices.
Step 1 Access the primary WAAS CM GUI:
Step 2 Verify that all WAE devices are online (displaying green).
Step 3 Resolve any alarm conditions that may exist.
Step 4 Open a console session or Telnet to the branch WAE.
Step 5 Copy the new Version 6.2.1x software image to the WAE with the copy ftp command. You can use either Universal or Accelerator-only images.
wae# copy ftp install ftpserver / waas-image.bin
Note This example shows the file in the root directory. Provide the correct path on your WAAS system, if different from the root directory path.
WARNING: Upgrade of vCM device to 6.2.0 (or) higher version with ‘/sw’ and ‘/swstore’ size less than 2GB will clear system and data partition.
If you upgrade the vCM device to WAAS Version 6.2.1x via the GUI, a warning message is not displayed.
Step 6 Reload the WAE using the reload command.
Step 7 Verify that the new Version 6.2.1x software image has installed correctly, using the show version command.
Step 8 Verify that the correct licenses are installed, using the show license command.
Step 9 If you have purchased an Enterprise license and have enabled it, proceed to Step 11.
If you have purchased an Enterprise license and have not yet enabled it, perform the following tasks:
a. Clear the Transport license, using the clear license transport command.
b. Add the Transport license, using the license add enterprise command.
Step 10 Save the changed configuration, using the copy running-config startup-config command.
Step 11 From the primary WAAS CM, choose Devices > branchWAE, to verify that the WAE device is online and has a green status.
Step 12 Verify the following WAE device functionalities:
a. If you are using WCCP for traffic interception, verify that WCCP is working properly, using the show running -config wccp command.
b. (Optional) Confirm that flows are being optimized, using the show statistics connection command.
c. Confirm that the Enterprise license is enabled, using the show license command.
If you have purchased the Enterprise license and it is enabled, proceed to Step 13.
If you have purchased an Enterprise license and have not yet enabled it, perform the following tasks:
1. Clear the Transport license, using the clear license transport command.
2. Add the Enterprise license, using the license add enterprise command.
3. Save the changed configuration, using the copy running-config startup-config command.
Step 13 The branch WAE devices within the active WAAS network are now upgraded to the current WAAS Version 6.2.1x.
Follow these steps to upgrade the data center WAAS software.
Step 1 Access the primary WAAS CM GUI:
Step 2 Verify that all WAE devices are online (displaying green).
Step 3 Resolve any alarm conditions that may exist.
Step 4 Upgrade each data center WAE (Upgrade Part 6: Upgrade Each Data Center WAE).
Note For deployments using WCCP as the traffic interception method, each data center WAE is automatically removed from the interception path. If your deployment does not use WCCP, use one of the following methods to remove each data center WAE from the interception path during the upgrade process:
For an inline deployment, use the interface InlineGroup slot/grpnumber shutdown global configuration command to bypass traffic on the active inline groups.
For a deployment using serial inline cluster, shut down the interfaces on the intermediate WAE in the cluster, then shut down the interfaces on the optimizing WAE in the cluster.
Follow these steps to upgrade each data center WAE.
Step 1 Use the following sequence of commands to disable WCCP on the WAE and allow a graceful termination of existing TCP flows that are optimized by WAAS:
a. Disable WCCP with the no wccp tcp-promiscuous service-pair serviceID serviceID global configuration command.
b. Wait until the countdown expires, or use CTL-C to skip the countdown.
c. Verify that WCCP is disabled, using the show wccp status command.
d. Save the changed configuration, using the copy running-config startup-config command.
Step 2 (Optional) Disable WCCP on the intercepting router or switch, using the no ip wccp global configuration command.
Note We recommend this step only if the Cisco IOS release on the router or switch has not been scrubbed for WCCP issues for your specific platform.
Step 3 (Optional) Verify that WCCP is disabled, using the show ip wccp command, if you have used Step 2.
Step 4 Upgrade the data center WAE software:
a. Open a console session or Telnet to the branch WAE.
b. Copy the new Version 6.2.1x software image to the WAE with the copy ftp command. You can use either Universal or Accelerator-only images.
wae# copy ftp install ftpserver / waas-image.bin
Note This example shows the file in the root directory. Provide the correct path on your WAAS system, if different from the root directory path.
c. Reload the WAE using the reload command.
d. Verify that the new Version 6.2.1x software image has installed correctly, using the show version command.
e. Verify that WCCP is disabled, using the show wccp status command.
f. Save the changed configuration, using the copy running-config startup-config command.
Step 5 From the primary WAAS CM, choose Devices > branchWAE, to verify that the WAE device is online and has a green status.
Step 6 (Optional) Enable WCCP on all intercepting routers or switches in the list, if you have used Step 2.
a. Telnet to each core router or switch.
b. Enable WCCP, using the ip wccp 61 redirect-list acl-name command and the ip wccp 62 redirect-list acl-name command.
Step 7 Verify the following WAE device functionalities:
a. Enable WCCP, using the wccp tcp-promiscuous service-pair serviceID serviceID global configuration command. If you are using WCCP single-service, use the wccp tcp-promiscuous serviceID global configuration command.
b. Verify that redirecting router IDs are seen, using the show wccp routers command.
c. Verify that all WAEs in the cluster are seen, using the show wccp clients command.
d. Verify that the packet count to the WAE is increasing and no loops are detected, using the show wccp statistics command.
e. Verify that the buckets assigned for Service Group 61 match those of Service Group 62, and are assigned to the WAE, using the show wccp flows tcp-promiscuous detail command.
f. Verify that flows are being optmized, using the show statistics connection command.
g. If you are using WCCP for traffic interception, verify that WCCP is working properly, using the show running -config wccp command.
Step 8 Each data center WAE within the active WAAS network is now upgraded to the current WAAS Version 6.2.1x.
For information on the sets of tasks to enable and reconfigure WCCP, and information on configuring accelerators, switches and routers for migration, see the Cisco Wide Area Application Services Upgrade Guide.
Perform the following tasks after you have completed the upgrade to WAAS Version 6.2.1x:
If you have a Cisco WAAS Central Manager that is running on a hardware platform that is unsupported in Version 6.1 and later (such as a WAE-274/474/574/674/7341/7371), you are not allowed to upgrade the device to Version 6.1 or later. You must migrate the WAAS CM to a supported platform by following the procedure in this section, which preserves all of the WAAS CM configuration and database information.
Follow these steps to migrate a primary WAAS CM from an unsupported platform to a platform that is supported for WAAS Version 6.2.1x:
Step 1 From the primary Central Manager CLI, create a database backup by using the cms database backup EXEC command. Move the backup file to a separate device by using the copy disk ftp command.
Step 2 Display and write down the IP address and netmask of the Central Manager.
Step 3 Shut down all the interfaces on the primary Central Manager.
Step 4 Replace the existing Central Manager device with a new hardware platform that can support Cisco WAAS Version 6.1. Ensure that the new Central Manager device is running the same software version as the old Central Manager.
Step 5 Configure the new Central Manager with the same IP address and netmask as the old Central Manager. You can do this in the setup utility or by using the interface global configuration command.
Step 6 Copy the backup file created in Step 1 from the FTP server to the new Central Manager.
Step 7 Restore the database backup on the new Central Manager by using the cms database restore command. Use option 1 to restore all CLI configurations.
Step 8 Enable the CMS service.
Step 9 Verify that the Central Manager GUI is accessible and all Cisco WAAS devices are shown in an online state in the Devices window.
Step 10 (Optional) If you have a standby Central Manager that is running on unsupported hardware and is registered to the primary Central Manager, deregister the standby Central Manager.
Step 11 Upgrade the primary Central Manager to Cisco WAAS Version 6.2.1x. You can use the Central Manager Software Update window or the copy ftp install command.
Step 12 Verify that the Central Manager GUI is accessible and all Cisco WAAS devices are shown in an online state in the Devices window.
Step 13 (Optional) Register a new standby Central Manager that is running Cisco WAAS Version 5.1.x or later.
Wait for the device to reload, change the Central Manager role to standby, and register the standby Central Manager to the primary Central Manager.
Follow these steps to migrate a physical appliance being used as a primary WAAS CM to a vCM:
Step 1 Introduce vCM as the Standby Central Manager by registering it to the Primary Central Manager.
Step 2 Configure both device and device-group settings through Primary CM and ensure that devices are getting updates. Wait for two to three data feed poll rate so that the Standby CM gets configuration sync from the Primary CM.
Step 3 Ensure that the Primary CM and Standby CM updates are working.
Step 4 Switch over CM roles so that vCM works as Primary CM. For more information, see the “Converting a Standby Central Manager to a Primary Central Manager” section of the Cisco Wide Area Application Services Configuration Guide.
RAID pairs rebuild on the next reboot after you use the restore factory-default command, replace or add a hard disk drive, delete disk partitions, or reinstall Cisco WAAS from the booted recovery CD-ROM.
To view the status of the drives and check if the RAID pairs are in “NORMAL OPERATION” or in “REBUILDING” status, use the show disk details command in EXEC mode. When you see that RAID is rebuilding, you must let it complete that rebuild process. This rebuild process may take several hours.
If you do not wait for the RAID pairs to complete the rebuild process before you reboot the device, you may see the following symptoms that could indicate a problem:
If you encounter any of these symptoms, reboot the WAE device and wait until the RAID rebuild finishes normally.
This section contains the following topics:
– If you have a standby Central Manager, it must be registered to the primary Central Manager before the downgrade.
– Prior to downgrading the WAAS CM to a version up to 5.2.1, you must remove Backup WNG from the AppNav-XE cluster and verify that the WAAS CM and AppNav-XE device are in sync.
– Before downgrading to a version earlier than 4.4.1, we recommend that you change the following WCCP parameters, if they have been changed from their default values:
——Change service IDs back to their default values of 61 and 62.
——Change the failure detection timeout back to the default value of 30 seconds.
Note Only these WCCP default values are supported in versions prior to 4.4.1; any other values are lost after the downgrade. If a WAE is registered to a Central Manager, it is configured with the default service IDs of 61 and 62 after it is downgraded and comes back online.
– If the WAAS CM is downgraded to a version up to 5.2.1 and if the AppNav-XE cluster has more than 32 WAAS nodes: prior to downgrade, we recommend that you reduce the number of WAAS nodes to a maximum of 32 WAAS nodes.
– When downgrading Cisco WAAS devices, first downgrade application accelerator WAEs, then the standby Central Manager (if you have one), and lastly the primary Central Manager.
1. Deregister the device from the WAAS CM.
2. Change the device mode to application-accelerator.
4. Re-register the device (or, alternatively, you can reregister the device before downgrading).
If you do not deregister the device before downgrading, the device goes offline and the device mode is not set correctly. In that case, use the cms deregister force EXEC command to deregister the device and then reregister it by using the cms enable global configuration command.
Note If the AppNav Controller device contains an AppNav Controller Interface Module, the module is not recognized by Cisco WAAS versions earlier than 5.0.1 and is nonfunctional after a downgrade.
To downgrade the Cisco WAAS Central Manager (not required for WAE devices), follow these steps:
Step 1 (Optional) From the Central Manager CLI, create a database backup by using the cms database backup EXEC command. Move the backup file to a separate device by using the copy disk ftp command.
Step 2 Install the downgrade Cisco WAAS software image by using the copy ftp install EXEC command.
Note After downgrading a WAAS CM, you must clear your browser cache, close the browser, and restart the browser before reconnecting to the Central Manager.
Note Downgrading the database may trigger full updates for registered devices. In the WAAS CM GUI, ensure that all previously operational devices come online.
To monitor the boot process on Cisco WAE and WAVE appliances, connect to the serial console port on the appliance as directed in the Hardware Installation Guide for the respective Cisco WAE and WAVE appliance.
Cisco WAE and WAVE appliances may have video connectors that should not be used in a normal operation. The video output is for troubleshooting purposes only during BIOS boot and stops displaying output as soon as the serial port becomes active.
This section includes operating considerations that apply to Cisco WAAS Software Version 6.2.1xx:
In the Cisco WAAS Central Manager, we recommend running system wide reports in device groups of 250 devices or less, or scheduling these reports at different time intervals, so multiple system wide reports are not running simultaneously and do not reach the limit of the HTTP object cache.
Making policy changes to large numbers of Cisco WAAS Express devices from the Central Manager may take longer than making policy changes to Cisco WAAS devices.
HTTP application optimization with Akamai Connect (HTTP object cache) may deliver unexpected HTTP objects to a client, which may create a risk of delivering malicious content. This scenario can occur after a different—erroneously configured, or otherwise failing—client device has retrieved the object with a matching URL from an invalid HTTP server. A check for this scenario will be implemented in a future WAAS release.
When you create a device group in WAAS Version 6.2.1x, the Configure > Acceleration > DSCP Marking page is automatically configured for the group, with the default DSCP marking value of copy.
Autoregistration is designed to operate on the first network interface and will not work if this interface is part of a port-channel or standby. Do not enable the auto-register global configuration command when the interface is configured as part of a port-channel or standby group.
The CIFS accelerator does not support file servers that use the FAT32 file system. You can use the policy rules to exclude from acceleration any file servers that use the FAT32 file system.
When using the Cisco ASR 1000 Series router and WCCP to redirect traffic to a WAE that is using WCCP GRE return as the egress method and the HTTP accelerator is enabled, there may be an issue with HTTP slowness due to the way the ASR router handles proxied HTTP connections (see CSCtj41045). To work around this issue, on the ASR router, create a web cache service in the same VRF as that of the 61/62 service by using the following command: ip wccp [vrf vrf-name ] web-cache
If you use the Central Manager to disable WCCP on a Cisco WAAS device, the Central Manager immediately shuts down WCCP and closes any existing connections, ignoring the setting configured by the wccp shutdown max-wait global configuration command (however, it warns you). If you want to gracefully shut down WCCP connections, use the no enable WCCP configuration command on the Cisco WAAS device.
If you change the device mode to or from Central Manager mode, the DRE cache is erased.
If you are using TACACS+ authentication, we recommend that you do not assign any roles to the default user ID, which has no roles assigned by default. If you assign any roles to the default user, external users that are authenticated by TACACS+ and who do not have the waas_rbac_groups attribute defined in TACACS+ (meaning they are not assigned to any group) can gain access to all the roles that are assigned to the default user.
If you use Internet Explorer to access the Central Manager GUI Version 4.3.1 or later and Internet Explorer has personal certificates installed, the browser prompts you to choose a certificate from the list of those installed in the personal certificate store. The certificate request occurs to support Cisco WAAS Express registration and is ignored by Internet Explorer if no personal certificates are installed. Click OK or Cancel in the certificate dialog to continue to the Central Manager login page. To avoid this prompt, remove the installed personal certificates or use a different browser.
If a Central Manager is managing Cisco WAAS devices that have different versions, it is possible that a feature could have different default settings in those different versions. If you use the Central Manager to apply the default setting for a feature to mixed devices in a device group, the default for the Central Manager version is applied to all devices in the group.
SMART-SSL is an encryption service that enables L7 application network services ( e.g. ftp, http, dns) to optimize traffic on SSL/TLS encrypted connections. It enables content caching for SSL/TLS applications (http object cache for https traffic) in single sided deployment.
With the evolution of cloud services, there is a critical need to provide application optimization in a single-sided deployment scenario. With SMART-SSL optimization, the interposing device does not require a peer device to process the SSL traffic flow. SSL traffic can be optimized by the edge device without having to go through a core device.
This section contains the following topics:
Table 7 provides an overview of the steps you must complete to set up and enable SMART-SSL acceleration.
Table 7 Checklist for Configuring SMART-SSL Acceleration
Identifies the information that you need to gather before configuring SSL acceleration on your WAAS devices. For more information, see Preparing to Use SMART-SSL Acceleration. |
|
Set up Root CA certificates |
(Optional) Describes how to create, import, and manage certificate authority (CA) certificates. For more information, see Creating a Root CA certificate. |
Set up accelerated service certificates. |
Describes how to create, import, and use certificates for SMART-SSL acceleration. For more information, see Creating Single-Sided SSL Accelerated Service Certificate. |
Configure and enable SSL-accelerated services. |
Describes how to add, configure, and enable services to be accelerated by the SMART-SSL application optimization feature. For more information, see Configuring and Enabling SMART-SSL Accelerated Services on Single-Sided Device Group. |
Before you configure SMART-SSL acceleration, you should know the following information:
A root SSL certificate is a certificate issued by a trusted certificate authority and is in turn trusted by domain clients. This is used to sign all issued certificates. This CA needs to be capable of accepting certificate signing requests (CSRs) that include subject alternative names and generate certificates that include subject alternative names. The subject alternative name is an extension to the X.509 protocol that allows various values to be associated with a security certificate (SSL certificate). Subject alternative names can include IP addresses, email addresses, universal resource identifiers (URIs), alternative common Domain Name System (DNS) names, alternatives to the distinguished name, and other information.You can install this on all machines that will be communicating with services using SSL certificates generated by this root certificate. If your organization already has a root CA for its internal use, you can use it instead of a new root CA. If not, use a Linux machine with openssl version of 1.0.1e or greater to create these certificates.
Step 1 Create the root CA key. This signs all issued certificates.
Step 2 Create the self-signed root CA certificate, with the key generated above.
Step 3 Verify the root certificate.
Step 4 Import the certificate from the Enterprise CA to the Trusted Root Certification Authorities store on the client browser and install the root CA certificate and intermediate CA certificate.
To create the certificate to be used with the accelerated service, follow the steps below:
Step 1 Create a new encryption key pair using open ssl.
Step 2 Create a Certificate Signing Request (CSR) and key pair and other needed attributes such as Common Name, Company and SubjAltName for the application you are trying to optimize. For example, in case of YouTube(TM), make sure the subjectAltNames have all the URLs that YouTube(TM) servers include in their certificate that you would like to optimize.
Step 3 Create new proxy server certificate by signing the above generated CSR with your enterprise root CA, created above. This will generate.crt or.pem certifcate file.
Note that the CA certificate used to sign this accelerated service certificate should be present in the client browser root CA store for the accelerated service proxy certificate created to be authenticated and accepted by the client browser.
Step 4 WAAS allows importing certificates s only with pkcs12 format. To generate the pcks12 format from the certificate file and your private key use the open ssl command.
Step 5 Import this certificate into the WAAS device group using crypto import EXEC command and thereafter be used in the accelerated server configuration as server-cert-key.
It is important to note that the CA cert used to sign this ASVC cert will need to exist in the browser rootCA store for the accelerated service proxy certificate create to be authenticated and accepted by the browser.
The following are prerequisites for using Cisco WAAS to optimize SSL Interposer/Optimizer v2 traffic:
After you have created an accelerated service certificate for WAN optimization, to enable the SSL Interposer/Optimizer v2 settings on this group follow these steps:
Step 1 From the WAAS Central Manager menu, choose Device Groups > device-group-name, to select the device group created above. Add only branch devices to this group.These devices will optimize the SSL traffic as it passes through them.
Step 2 Choose Configure > Acceleration > Enabled Features.
Step 3 Check the SSL Interposer check box to enable SSL Optimizer v2 acceleration.
Alternately, use the accelerator interposer-ssl enable global configuration command from the CLI to enable SSL Optimizer v2 acceleration.
Step 4 Create an SSL accelerated service for the device group. Choose Acceleration > SSL Accelerated Services and click the Create button. The Creating New SSL Accelerated Service page opens.
Step 5 In the SSL Accelerated Service section, name your service, and select both In Service and Match Server Name Indication boxes. You can also provide a short description.
Step 6 In the Server Addresses section, enter “any” in the IP Address box and “443” in the Server Port box. Then click Add.
Step 7 In the Certificate and Private Key section, click Import Existing Certificate and Optionally Private Key and select Upload File in PKCS#12 Format. Supply the password used to export the certificate ( Using the Browse button, locate the certificate. Then click the Import button.
A confirmation screen with the certificate information appears.
Step 8 Click Submit to complete configuring the SSL-accelerated service to use single sided optimization.
Alternatively, if you want to automate the entire process using a script, we recommend that you get in touch with the Cisco Technical Assistance Center (TAC).
Step 9 Monitor the accelerated service optimization statistics using the Cisco WAAS Central Manager and the command-line interface (CLI) using the show statistics connections optimized exec command.
This section contains the resolved caveats, open caveats, and command changes in Software Version 6.2.1x, fixed and known and contains the following topics:
The following caveats, impacting earlier software versions of WAAS, were resolved in Software Version 6.2.1a.
The following caveats, impacting earlier software versions of WAAS, were resolved in Software Version 6.2.1.
The following caveats are open in Software Version 6.2.1.
This section lists the new and modified commands in Cisco WAAS Software Version 6.2.1x.
Table 8 lists the commands and options that have been added or changed in Cisco WAAS Software Version 6.2.1x.
If you have upgraded to Cisco WAAS Version 6.2.1x and are using the WSDL2Java tool to generate client stubs that enforce strict binding, earlier version client code (prior to 4.3.1) may return unexpected exceptions due to new elements added in the response structures in 4.3.1 and later releases. The observed symptom is an exception related to an unexpected subelement because of the new element (for example, a deviceName element) in the XML response.
To work around this problem, we recommend that you patch the WSDL2Java tool library to silently consume exceptions if new elements are found in XML responses and then regenerate the client stubs. This approach avoids future problems if the API is enhanced with new elements over time.
You must modify the ADBBeanTemplate.xsl file in the axis2-adb-codegen- version.jar file.
To apply the patch, follow these steps:
Step 1 List the files in the axis2-adb-codegen- version.jar file:
Step 2 Change the ADBBeanTemplate.xsl file by commenting out the following exceptions so that the generated code consumes the exceptions:
Step 3 Re-create the jar file and place it in the CLASSPATH. Delete the old jar file from the CLASSPATH.
Step 4 Use the WDL2Java tool to execute the client code using the modified jar.
Note IOS-XE 3.14 should not be used for ISR-WAAS.
In addition to this document, the WAAS documentation set includes the following publications:
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.