topic ASA - QoS in Network Security

ASA - QoS

alieas007 — Tue, 12 Mar 2019 02:28:20 GMT

Hello all. ASA IOS is v8.22. I have setup overall police (10 down 5 up) on outside interface to match ISP bandwidth (for congestion determination) as well as two rules to put packest into LLQ. First rule is for all traffic to DataCenter and it is working as I can see the LLQ packet count increasing during access. Second rule is for all traffic coming from our internal ProxyServer to outside, but it is not working. No packets from this second rule are entering the LLQ. Thank you to anyone who can assist or point me in direction of clues to priorty queue packets from our ProxyServer.

name 77.77.77.0 DataCenter

name 192.168.1.158 ProxyServer

access-list MIConnection_mpc extended permit ip any DataCenter 255.255.192.0

access-list MIConnection_mpc extended permit ip host ProxyServer any

priority-queue MIConnection

class-map QOS

match access-list MIConnection_mpc

class-map mi_band

match any

policy-map mi_band_police

class mi_band

police input 10000000

police output 5000000 2500

class QOS

priority

service-policy mi_band_police interface outside

ASA - QoS

Marius Gunnerud — Wed, 21 Aug 2013 09:38:16 GMT

So the ACL does not match at all? Have you tried replacing the ProxyServer name with the actual IP and see if you get any matches then?

ASA - QoS

alieas007 — Wed, 21 Aug 2013 13:46:28 GMT

Marius, thank you for the reply. Yes it does not appear the ACL is matching. Yes I am using the IP address, I actually only changed to a name for this post to help make it easier to understand. Sorry for the confusion. I will continue testing this afternoon and post whatever I come up with. Thanks again!

ASA - QoS

Marius Gunnerud — Thu, 22 Aug 2013 07:11:09 GMT

What version ASA are you running?

The outside interface, I assume that is connecting to the Internet or is it a WAN link?

Are there any NAT statements that might be messing with the traffic not being able to match the ACL?

ASA - QoS

alieas007 — Tue, 03 Sep 2013 20:29:02 GMT

Marius: My ASA IOS is v8.22. The outside interface is connected to a cable modem. In my current setup, I have the cable ISP policed at 10/5 Mbit. If I adjust down to 2/1 Mbit speedtest.net adjusts accordingly, so I know the police on the cable ISP is working. The 1st QoS Rule (QOS) is priorty for our datacenter, and I can see packets hitting the LLQ when this rule is applied. The 2nd QoS rule (DropAmazon) I cannot get to work. It is suppose to police all input and output traffic to AmazonS3 servers at 0.05 Mbit (our offsite backups), but it refuses. I have all the IP ranges for AmazonS3 defined, and I have sniffed the traffic and verified it is going to these ranges, however with the rule active uploads to Amazon still run at full ISP bandwidth (5 Mbit). I will continue to research and test but have been working on this for weeks now. Hopefully I can find out why I cannot police bandwidth to AmazonS3. I can also provide you with the full configuration if you can offer your assistance. Thank you!

names

name 72.15.192.0 Peak10

name 72.21.192.0 AmazonS3.1

name 207.171.160.0 AmazonS3.2

name 176.0.0.0 AmazonS3.3

name 205.251.192.0 AmazonS3.4

interface Ethernet0/2

nameif MIConnection

security-level 0

ip address 24.224.90.78 255.255.255.0

access-list MIConnection_mpc_1 extended permit ip any object-group AmazonS3

access-list MIConnection_mpc_1 extended permit ip object-group AmazonS3 any

access-list MIConnection_access_in extended permit icmp any any

access-list MIConnection_mpc extended permit ip host 192.168.1.158 any inactive

access-list MIConnection_mpc extended permit ip any Peak10 255.255.192.0

access-list MIConnection_mpc extended permit ip Peak10 255.255.192.0 any

priority-queue MIConnection

class-map QOS

match access-list MIConnection_mpc

class-map mi_band

match any

class-map DropAmazon

match access-list MIConnection_mpc_1

class-map inspection_default

match default-inspection-traffic

class-map http-map1

match access-list http-list2

policy-map mi_band_police

class mi_band

police input 10000000

police output 5000000 2500

class QOS

priority

class DropAmazon

police input 50000 1500

police output 50000 1500

service-policy mi_band_police interface MIConnection

ASA - QoS

Marius Gunnerud — Wed, 04 Sep 2013 10:21:37 GMT

I am thinking the mi_band class is catching the traffic that is going to the AmazonS3 sites.

class-map mi_band

match any

If you are in a position to test this, try removing the mi_band from the policy map and see if DropAmazon matches then.

ASA - QoS

Marius Gunnerud — Wed, 04 Sep 2013 10:25:53 GMT

Or just move DropAmazon to the top of the policy-map configuration

ASA - QoS

alieas007 — Thu, 05 Sep 2013 02:20:06 GMT

Marius, thank you for the help. You we're correct, I moved it to the top and it took effect. However I am know interested in shaping, and am having a problem maybe you can offer some assistance. I have setup shaping on the interface with one priority policy but cannot seem to get the ACL to match again. Please take a look:

------------

access-list global_mpc_2 extended permit ip any Peak10 255.255.192.0

class-map DM_INLINE_Child-Class

match access-list global_mpc_2

policy-map DM_INLINE_Child-Policy

class DM_INLINE_Child-Class

priority

policy-map MI-SHAPE

class class-default

shape average 4000000

service-policy DM_INLINE_Child-Policy

---------

However no packets showing the the priority queue. I even tried changing the ACL to match any and "hitcnt" always equals 0 as shown here:

AssetFirewall# sh access-list global_mpc_2

access-list global_mpc_2; 1 elements; name hash: 0xeb994e93

access-list global_mpc_2 line 1 extended permit ip any Peak10 255.255.192.0 (hitcnt=0) 0x2d9af57d

Interface MIConnection:

Service-policy: MI-SHAPE

Class-map: class-default

shape (average) cir 4000000, bc 16000

(pkts output/bytes output) 171542/216278411

(total drops/no-buffer drops) 3105/0

Service-policy: DM_INLINE_Child-Policy

Class-map: DM_INLINE_Child-Class

priority

Queueing

queue limit 66 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 0/0

Class-map: class-default

Default Queueing

queue limit 66 packets

(queue depth/total drops/no-buffer drops) 50/3105/0

(pkts output/bytes output) 172584/217549709

Any ideas why the priority queue is not matching traffic? Thank you for your help

ASA - QoS

Marius Gunnerud — Thu, 05 Sep 2013 08:16:00 GMT

You need to re structure the policy map. This way shapes the traffic to 4Mb while prioritizing the traffic going to Peak10. Now I am not 100% sure why it doesn't work the way you originally did it, But I believe it is because the ASA is a firewall and not all functionality of a route is available. Please correct me if I am wrong.

access-list global_mpc_2 extended permit ip any Peak10 255.255.192.0

class-map DM_INLINE_Child-Class

match access-list global_mpc_2

policy-map MI-SHAPE

class DM_INLINE_Child-Class

priority

class class-default

shape average 4000000

ASA - QoS

alieas007 — Thu, 05 Sep 2013 12:59:50 GMT

Marius, original way should have been correct as it was constructed by the ASDM software, however I will try your changes and report. Thank you

ASA - QoS

alieas007 — Thu, 05 Sep 2013 13:11:54 GMT

Unfortunately met with error, SHAPE cannot be used on a policy-map already using Standard Priority.

ASA - QoS

Marius Gunnerud — Thu, 05 Sep 2013 18:54:47 GMT

Sorry my bad, a different policy-map is needed for the priority.

Just out of curiosity, are you in a position to do a test with the ACL? Could you create an ACL that matches an exact port and not IP... for example

access-list global_mpc_2 extended permit tcp any Peak10 255.255.192.0 eq 80

and see if the hitcount on the priority increases. I have seen that with some features on the ASA it needs the exact ports to match for the feature to take effect. I wonder if it is the same with the shaping.

ASA - QoS

alieas007 — Thu, 05 Sep 2013 20:16:45 GMT

Thanks changed ACL to "tcp eq 80" and still no hit counts on ACL. It gets hit counts in standard priority/police mode, although I went back using standard priority today and I'm having problems making ACL's match that too, so I'm wondering if there is some governing setting in my config that is causing all these problems. The shaping on the outside interface with heirerachal priority queue should be working as far as I can tell...