Configuring Traffic Policing

Kasper Elsborg — Sun, 12 Jun 2022 10:59:45 GMT

Hi Community, I hope you can help me with this config.

I have an inside SFTP server 192.168.2.82 running on tcp port 20000

I would like to limmit the bandwith, so it not taking up all up and download.

Initially I have a:

access-list SFTP extended permit tcp any host 192.168.2.82 eq 20000

class-map SFTP-shaping
match access-list SFTP

policy-map outside-policy
class SFTP-shaping
police input 1500000 5000 conform-action exceed-action drop
police output 1500000 5000 conform-action exceed-action drop
service-policy outside-policy interface outside

However it dosn't seem to work, regardles of what numbers I config, it still is at full speed of the link.

Any bright ideas?

Config is attached

Regards Soter

Re: Configuring Traffic Policing

Rob Ingram — Sun, 12 Jun 2022 17:23:18 GMT

@Kasper Elsborg I notice you've got prompt hostname context configured, are you running in multi-context mode? If that's the case, QoS is not supported in multi-context mode. https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/ha-contexts.html

Re: Configuring Traffic Policing

Marius Gunnerud — Sun, 12 Jun 2022 19:15:14 GMT

Have you verified that you are actually hitting the policy map?

show policy-map outside-policy

The first thing I noticed, though I do not believe it is the issue, is that you are missing the "conform-action transmit" command.

Re: Configuring Traffic Policing

Kasper Elsborg — Mon, 13 Jun 2022 06:24:27 GMT

@Rob Ingram I wasn't supposed to run in context mode.

I had a look here https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/mngcntxt.html#wp1036360

but non of the cmd to remove context mode is working?

br. Soter

Re: Configuring Traffic Policing

Kasper Elsborg — Mon, 13 Jun 2022 07:40:08 GMT

@Marius Gunnerud I am not sure.

I don't have this command?

asa5516(config)# sh policy-?

exec mode commands/options:
  policy-list    policy-route  
asa5516(config)# sh policy-

but I do have:

asa5516# sh service-policy 

Global policy: 
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: h323 h225 _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: ip-options _default_ip_options_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: netbios, packet 1538, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: rsh, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: rtsp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: skinny , packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: esmtp _default_esmtp_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: sqlnet, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: sunrpc, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: tftp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: sip , packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: icmp, packet 79072, lock fail 0, drop 1297, reset-drop 0, 5-min-pkt-rate 1 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: dns preset_dns_map dynamic-filter-snoop, packet 64300, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 1 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: ftp strict, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: http, packet 310743, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 1 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: icmp error, packet 1, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
    Class-map: global-class
      Inspect: http Http_Map1, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0

Interface outside:
  Service-policy: outside-policy
    Class-map: outside-class1
      Set connection policy: per-client-embryonic-max 50 
        drop 0
      Set connection timeout policy:
        embryonic 0:00:05 
        DCD: disabled, retry-interval 0:00:15, max-retries 5
        DCD: client-probe 0, server-probe 0, conn-expiration 0
    Class-map: SFTP-shaping
      Input police Interface outside:
        cir 3000000 bps, bc 5000 bytes
        conformed 111052 packets, 9330396 bytes; actions:  transmit
        exceeded 2122 packets, 401076 bytes; actions:  drop
        conformed 968 bps, exceed 40 bps
      Output police Interface outside:
        cir 3000000 bps, bc 5000 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
asa5516#

and it looks like the output police is not working, or am I looking at this the wrong way? Output is when I'm downloading to the internet?

however it is hitting the access-list

asa5516(config)# sh access-list 
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list SFTP; 1 elements; name hash: 0xc8056573
access-list SFTP line 1 extended permit tcp any host 192.168.2.82 eq 20000 (hitcnt=16) 0xd17c91db 
access-list global_mpc; 1 elements; name hash: 0x2e734f01
access-list global_mpc line 1 extended permit tcp object Internal any eq www (hitcnt=0) 0xc9123e59 
  access-list global_mpc line 1 extended permit tcp 192.168.0.0 255.255.0.0 any eq www (hitcnt=0) 0xc9123e59 
access-list outside_mpc; 1 elements; name hash: 0x57571241
access-list outside_mpc line 1 extended permit tcp any object Internal eq www (hitcnt=1) 0x9b4aa794 
  access-list outside_mpc line 1 extended permit tcp any 192.168.0.0 255.255.0.0 eq www (hitcnt=1) 0x9b4aa794 
access-list outside_access_in; 3 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any4 any4 object-group outside-access-in-tcp (hitcnt=31) 0x4e5d42fd 
  access-list outside_access_in line 1 extended permit tcp any4 any4 eq 20000 (hitcnt=23) 0xf5151a3c 
  access-list outside_access_in line 1 extended permit tcp any4 any4 eq 8080 (hitcnt=8) 0x7a098f1f 
access-list outside_access_in line 2 extended permit udp any4 any4 object-group outside-access-in-udp (hitcnt=0) 0x0e8e78f6 
  access-list outside_access_in line 2 extended permit udp any4 any4 eq ntp (hitcnt=0) 0x4ecff91a

and I also noticed that the

policy-map outside-policy
class SFTP-shaping
police input 3000000 5000 conform-action exceed-action drop
police output 3000000 5000 conform-action exceed-action drop

is leaving out the "conform-action exceed-action drop" in the running config

Br. Soter

Re: Configuring Traffic Policing

Marius Gunnerud — Mon, 13 Jun 2022 06:55:39 GMT

Then try the command show service-policy

Re: Configuring Traffic Policing

Kasper Elsborg — Mon, 13 Jun 2022 07:53:35 GMT

@Marius Gunnerud I think we crossed eachother. I have eddited my initial reply with the show service-policy

Re: Configuring Traffic Policing

Kasper Elsborg — Tue, 14 Jun 2022 10:19:31 GMT

@Marius Gunnerud did you see the edited reply with the Show service-policy?

Br. Soter

Re: Configuring Traffic Policing

Marius Gunnerud — Tue, 14 Jun 2022 13:19:27 GMT

If you are also trying to "police" traffic from the SFTP server then you need to amend your access list to include traffic from this server:

access-list SFTP extended permit tcp host 192.168.2.82 eq 20000 any

Re: Configuring Traffic Policing

Kasper Elsborg — Tue, 14 Jun 2022 14:10:06 GMT

@Marius Gunnerud of cause man.. so simple. Thanks so much. It working now

Br. Soter

topic Re: Configuring Traffic Policing in Network Security

Configuring Traffic Policing

Re: Configuring Traffic Policing

Re: Configuring Traffic Policing

Re: Configuring Traffic Policing

Re: Configuring Traffic Policing

Re: Configuring Traffic Policing

Re: Configuring Traffic Policing

Re: Configuring Traffic Policing

Re: Configuring Traffic Policing

Re: Configuring Traffic Policing