
Cisco ASA 8.6.1 Shape Command Invalid

TechDude
Level 1

Tried setting up a Shape Policy and it states it's invalid. Worked fine on my 5520, just curious if anyone else might know why it's coming up as invalid now.

ciscoasa(config-pmap-c)# shape

                                          ^

ERROR: % Invalid input detected at '^' marker.

ciscoasa(config-pmap-c)# shape ?

ERROR: % Unrecognized command


Are you in the class-default while you try to apply shaping? It's only supported in that class.


100% sure, this is on asa 8.6.1

ciscoasa(config)# policy-map shaper
ciscoasa(config-pmap)# policy-map shaper
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# ?

MPF policy-map class configuration commands:
  exit             Exit from MPF class action configuration mode
  help             Help for MPF policy-map class/match submode commands
  no               Negate or set default values of a command
  police           Rate limit traffic for this class
  priority         Strict scheduling priority for this class
  quit             Exit from MPF class action configuration mode
  set              Set connection values
  user-statistics  configure user statistics for identity firewall
 
  csc              Content Security and Control service module
  flow-export      Configure filters for NetFlow events
  inspect          Protocol inspection services
  ips              Intrusion prevention services
ciscoasa(config-pmap-c)# shape average ?
ERROR: % Unrecognized command
ciscoasa(config-pmap-c)# shape average
                           ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-pmap-c)#

The downfall here for me is that I need to use shape for outgoing traffic and limit it. The connection speed with the fiber box is 100Mbit, and the police policy doesn't work: using police, people downloading off the FTP server get under 1KB per second (acts like a duplex issue). Using the shaper always made it work perfectly by limiting the upload to 60MBit.

Strange, the shaper is documented not to work on the ASA 5580, but you probably have one of the newer ASA 5500-X. I'm not aware of any more restrictions there. Perhaps someone at Cisco can take over ...

I switched over and have Edge Routers that take care of everything now, so the command isn't relevant. However, on remote sites, having a firewall that I can shape traffic with will be missed. Police is just not that great IMO; I notice on heavy traffic that things like Telepresence calls will stutter and flicker. Using QoS policies I can improve it, but what takes half a day's effort I took care of with the shape command in 5 minutes :P

Hi Bro

Based on Cisco's Configuration Guide, this should work. http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_qos.html#wp1112081

By any chance, is your Cisco ASA FW running in multiple context mode or transparent firewall mode?

Warm regards,
Ramraj Sivagnanam Sivajanam

shellstorm
Level 1

Same problem here.

I use an ASA 5545, routed and single context mode.

According to the documentation, that feature should be supported.

I followed the documentation (use class-default) and I cannot define a shaping policy.

Is it a bug? Is a software upgrade needed to fix the problem? I actually use:

asamaster# show version

Cisco Adaptive Security Appliance Software Version 8.6(1)2

Device Manager Version 6.6(1)

Compiled on Fri 01-Jun-12 02:16 by builders

System image file is "disk0:/asa861-2-smp-k8.bin"

Any help would be very appreciated

Craig Sposito
Level 1

I am actually having the same issue with my ASA 5515X. The shape command just seems to be missing. Has anyone contacted Cisco yet about this issue?

Cisco Adaptive Security Appliance Software Version 8.6(1)

Device Manager Version 6.6(1)

Compiled on Fri 18-Nov-11 21:21 by builders

System image file is "disk0:/asa861-smp-k8.bin"

TechDude
Level 1

There's a bug opened on it, just waiting for a reply. I currently use the Police Method as a workaround.

Same problem with ASA5515 running 8.6.1.  Command appears not present.  Ethan, what did Cisco suggest to workaround/solve the issue?  Thanks.

Nothing, you're left using the Police Command; however, in my case I set up a router to do outbound Shaping.

It seems to be a bug in version 8.6.1; upgrade to version 9.

Cisco Adaptive Security Appliance Software Version 9.0(1)

FW-5510(config)# policy-map shape
FW-5510(config-pmap)# class class-default
FW-5510(config-pmap-c)# ?

MPF policy-map class configuration commands:
  exit             Exit from MPF class action configuration mode
  help             Help for MPF policy-map class/match submode commands
  no               Negate or set default values of a command
  police           Rate limit traffic for this class
  priority         Strict scheduling priority for this class
  quit             Exit from MPF class action configuration mode
  service-policy   Configure QoS Service Policy
  set              Set connection values
  shape            Traffic Shaping
  user-statistics  configure user statistics for identity firewall

  csc              Content Security and Control service module
  flow-export      Configure filters for NetFlow events
  inspect          Protocol inspection services
  ips              Intrusion prevention services
FW-5510(config-pmap-c)#
FW-5510(config-pmap-c)# shape average ?

mpf-policy-map-class mode commands/options:
  <64000-154400000>  Target Bit Rate (bits per second), the value needs to be
                     multiple of 8000
FW-5510(config-pmap-c)# shape average

I already know how to set up a shape command; the problem is that on the newer -X firewalls the command isn't present for some reason. On my 5510 and 5520 it's there.

Shaping is not supported on newer X ASAs.  We need to know if this is going to be on the roadmap.  Shaping is pretty vital.

aaron.storey
Level 1

I'm running into the same issue on the newer ASAs.  Not sure why the shaping command is missing or removed, but it needs to be available, especially for sub-rate ethernet connections.
