Citrix SD-WAN WANOP

Firewall considerations

The Citrix SD-WAN WANOP appliance’s use of TCP options puts accelerated traffic at risk from firewalls that have aggressive rules about denying service to connections using less-common TCP options.

Some firewalls strip off the “unknown” options and then forward the packet. This action prevents acceleration but does not impair connectivity.

Other firewalls deny service to connections with unknown options. That is, the firewall drops the SYN packets that carry Citrix SD-WAN WANOP options. When the appliance detects repeated connection-attempt failures, it retries without the options. This restores connectivity after a delay of variable length, usually in the range of 20–60 seconds, but without acceleration.

Any firewall that does not pass Citrix SD-WAN WANOP options through unmodified must be reconfigured to accept TCP options in the range of 24–31 (decimal).

Most firewalls do not block these options. However, Cisco ASA and PIX firewalls (and perhaps others) with release 7.x firmware might do so by default.

The firewalls at both ends of the link should be examined, because either one might be permitting options on outgoing connections but blocking them on incoming connections.
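Whether a firewall along the path strips or drops these options can be confirmed from a packet capture taken on each side of it: the SYN as sent by the appliance carries option kinds in the 24–31 range, and the copy that arrives on the far side either still carries them (pass-through), carries only the standard options (stripped), or never arrives (dropped). The following added example, which is not part of the Citrix documentation, parses the option list of a raw TCP header and reports whether any option in that range survived. The two TCP headers it inspects are constructed inline for illustration; the payload of the kind-28 option is a made-up placeholder, since the page does not describe the option contents.

```python
"""Inspect a raw TCP header and report whether option kinds 24-31 are present.

Added diagnostic example (not Citrix code). The headers below are constructed
by hand; the kind-28 option payload is a placeholder, not a real WANOP option.
"""
import struct

# Option kinds the page says the firewall must pass unmodified (24..31 inclusive).
WANOP_OPTION_KINDS = range(24, 32)


def parse_tcp_options(tcp_header: bytes):
    """Return a list of (kind, payload) tuples from a raw TCP header.

    The header length comes from the data-offset field (upper nibble of byte 12);
    options follow the 20-byte fixed header. Kind 0 (end of list) terminates,
    kind 1 (NOP) has no length byte, every other option has a length byte that
    counts kind + length + payload.
    """
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    header_len = (tcp_header[12] >> 4) * 4
    if header_len < 20 or header_len > len(tcp_header):
        raise ValueError("invalid TCP data offset")
    opts = tcp_header[20:header_len]
    parsed = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError(f"option kind {kind} truncated before its length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"invalid length {length} for option kind {kind}")
        parsed.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return parsed


def option_kinds(tcp_header: bytes):
    """Option kinds present in the header, in order."""
    return [kind for kind, _ in parse_tcp_options(tcp_header)]


def has_wanop_options(tcp_header: bytes) -> bool:
    """True if at least one option in the 24-31 range survived."""
    return any(kind in WANOP_OPTION_KINDS for kind in option_kinds(tcp_header))


def build_syn_header(options: bytes) -> bytes:
    """Construct a sample TCP SYN header with the given options (EOL-padded to 4 bytes)."""
    options += b"\x00" * ((-len(options)) % 4)
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack(
        "!HHIIBBHHH",
        40000, 443,          # source / destination port (sample values)
        1, 0,                # sequence / acknowledgement number
        data_offset << 4,    # data offset in 32-bit words, reserved bits zero
        0x02,                # flags: SYN
        65535, 0, 0,         # window, checksum (left zero), urgent pointer
    )
    return fixed + options


# Constructed sample headers: one as the appliance sends it, one as a firewall
# that strips unknown options would forward it.
MSS_OPTION = b"\x02\x04\x05\xb4"                 # kind 2, length 4, MSS 1460
WANOP_LIKE = b"\x1c\x06\xaa\xbb\xcc\xdd"         # kind 28, length 6, placeholder payload
SYN_WITH_OPTIONS = build_syn_header(MSS_OPTION + WANOP_LIKE)
SYN_STRIPPED = build_syn_header(MSS_OPTION)

if __name__ == "__main__":
    for label, hdr in (("as sent", SYN_WITH_OPTIONS), ("after firewall", SYN_STRIPPED)):
        print(f"{label}: kinds={option_kinds(hdr)} wanop_present={has_wanop_options(hdr)}")
```

Run against a real capture, the header bytes would come from the TCP layer of the SYN on each capture point; the same result on both sides means the firewall passes the options, a `wanop_present` that flips from True to False across the firewall means it strips them, and no matching SYN on the far side at all means it drops the packet, which is the case that triggers the appliance's retry without options.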

The following example should work with Cisco ASA 55x0 firewalls using 7.x firmware. Because it globally allows options in the range of 24–31, no per-interface or per-unit customization is needed:

 ====================================================================
 CONFIGURATION FOR CISCO ASA 55X0 WITH 7.X CODE TO ALLOW TCP OPTIONS
 ====================================================================
 hostname(config)# tcp-map WSOptions
 hostname(config-tcp-map)# tcp-options range 24 31 allow
 hostname(config-tcp-map)# class-map WSOptions-class
 hostname(config-cmap)# match any
 hostname(config-cmap)# policy-map WSOptions
 hostname(config-pmap)# class WSOptions-class
 hostname(config-pmap-c)# set connection advanced-options WSOptions
 hostname(config-pmap-c)# service-policy WSOptions global

Configuration for a PIX firewall is similar:

 =====================================================
 POLICY MAP TO ALLOW APPLIANCE TCP OPTIONS TO PASS (PIX 7.x)
 =====================================================
 pixfirewall(config)# access-list tcpmap extended permit tcp any any
 pixfirewall(config)# tcp-map tcpmap
 pixfirewall(config-tcp-map)# tcp-options range 24 31 allow
 pixfirewall(config-tcp-map)# exit
 pixfirewall(config)# class-map tcpmap
 pixfirewall(config-cmap)# match access-list tcpmap
 pixfirewall(config-cmap)# exit
 pixfirewall(config)# policy-map global_policy
 pixfirewall(config-pmap)# class tcpmap
 pixfirewall(config-pmap-c)# set connection advanced-options tcpmap