
QoS (policing only) on ASA does not work

Hi All,

I have the following problem. I have an inside user who uses excessive amounts of bandwidth (Citrix traffic) and I need to limit it. The ASA has a trunk to our backbone switch and, over this trunk, two subinterfaces: lan and wan. QoS is configured as follows:

! range of citrix servers
access-list citrix_traffic extended permit ip any 194.x.x.0 255.255.255.0
access-list citrix_traffic extended permit ip 194.x.x.0 255.255.255.0 any

class-map citrix
 match access-list citrix_traffic

policy-map throttle
 class citrix
  police input 4000000 3000
  police output 4000000 3000

service-policy throttle interface wan

This is not doing anything at all. We have an 8 Mbps WAN connection (MPLS) and the Citrix traffic is using all of it. If I look at the access list I see only a few hits:

sh access-list citrix_traffic
access-list citrix_traffic; 2 elements; name hash: 0xe77efd3e
access-list citrix_traffic line 1 extended permit ip any 194.x.x.0 255.255.255.0 (hitcnt=243) 0xdcf3fc4a
access-list citrix_traffic line 2 extended permit ip 194.x.x.0 255.255.255.0 any (hitcnt=228) 0xffe6a0ff

That must be wrong; Wireshark on the switch port connected to the MPLS gateway shows 8 Mbps. The policy map shows this:

Interface wan:
  Service-policy: throttle
    Class-map: citrix
      Input police Interface wan:
        cir 4000000 bps, bc 3000 bytes
        conformed 41 packets, 6612 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
      Output police Interface wan:
        cir 4000000 bps, bc 3000 bytes
        conformed 38 packets, 6065 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps

This also can't be right; how can I have only 38 conformed packets? Even the ASA shows a LOT of traffic to the Citrix servers:

sh local-host 194.x.x.159
  Conn:
    TCP wan 194.x.x.159:2598 vlan_sds_lan 10.226.201.70:60189, idle 0:00:02, bytes 4248754624, flags UIO

What exactly am I doing wrong? I tried putting the policy-map on the lan interface as well, no change. I notice that if I change the ACL to basically say "any any" then it seems to work: I see the real bandwidth in the "show service-policy" output.

Best regards,

Stefan
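Editor's note on the numbers above. The `police output 4000000 3000` line is a token-bucket policer: `cir` is in bits per second and `bc` in bytes, exactly as the `show service-policy` output echoes them, and anything that does not fit the bucket is dropped. The Python below is an added example, not code from the thread or from Cisco. It models that bucket (the single-bucket refill behaviour is an assumption about ASA internals) against a constructed 8 Mbps stream of 1500-byte packets, so you can see roughly what the conformed/exceeded counters should look like once the class really matches the flow. It also carries out the sanity check the post's own output suggests: the two policers have counted about 12.6 KB in total while the single connection in `show local-host` is at 4.2 GB, which means that connection is simply not being classified into `citrix`. One caveat worth knowing in this situation: the ASA assigns a service-policy action to a connection when the connection is built, so a long-lived connection that was already up when the policy was attached keeps its old treatment until it is torn down and re-established (`clear conn` forces that); a freshly attached policer that shows only a handful of packets against a huge existing connection is a classic symptom of exactly this.

```python
"""Added example (not from the thread or from Cisco): a token-bucket model of the
ASA 'police' action, plus the counter sanity check implied by the posted output."""
from fractions import Fraction


class Policer:
    """Single-rate token bucket modelled on 'police {input|output} <cir_bps> <bc_bytes>'.

    Assumption (not verified against ASA internals): the bucket holds at most bc
    bytes, refills at cir/8 bytes per second, and a packet conforms only when the
    bucket holds at least its size; exceeding packets are dropped, matching the
    exceed-action shown in the posted 'show service-policy' output.
    """

    def __init__(self, cir_bps: int, bc_bytes: int) -> None:
        self.cir_bps = cir_bps
        self.bc_bytes = bc_bytes
        self.tokens = Fraction(bc_bytes)      # bucket starts full
        self.last_t = Fraction(0)
        self.conformed_pkts = self.conformed_bytes = 0
        self.exceeded_pkts = self.exceeded_bytes = 0

    def offer(self, t: Fraction, size: int) -> bool:
        """Offer a packet of `size` bytes at time t (seconds); True if transmitted."""
        refill = (t - self.last_t) * self.cir_bps / 8      # exact arithmetic, no float drift
        self.tokens = min(Fraction(self.bc_bytes), self.tokens + refill)
        self.last_t = t
        if self.tokens >= size:               # conform-action transmit
            self.tokens -= size
            self.conformed_pkts += 1
            self.conformed_bytes += size
            return True
        self.exceeded_pkts += 1               # exceed-action drop
        self.exceeded_bytes += size
        return False


def constant_rate_stream(rate_bps: int, pkt_bytes: int, duration_s: int) -> list:
    """Constructed traffic: back-to-back pkt_bytes packets at rate_bps for duration_s."""
    interval = Fraction(pkt_bytes * 8, rate_bps)
    count = int(Fraction(duration_s) / interval)
    return [(i * interval, pkt_bytes) for i in range(count)]


def simulate(cir_bps: int, bc_bytes: int, offered_bps: int,
             pkt_bytes: int = 1500, duration_s: int = 1) -> Policer:
    """Run one constant-rate stream through the policer and return its counters."""
    policer = Policer(cir_bps, bc_bytes)
    for t, size in constant_rate_stream(offered_bps, pkt_bytes, duration_s):
        policer.offer(t, size)
    return policer


def transmitted_bps(policer: Policer, duration_s: int = 1) -> float:
    """Rate that actually left the interface, derived from the conformed counters."""
    return policer.conformed_bytes * 8 / duration_s


def policed_share(conformed_bytes: int, exceeded_bytes: int, conn_bytes: int) -> float:
    """Fraction of a connection's bytes the policer has counted at all.

    For a flow the class-map really matches this approaches 1.0; the posted
    numbers (6612 + 6065 policed bytes against a 4,248,754,624-byte connection)
    give about 3e-6, i.e. that connection is not being classified as 'citrix'.
    """
    return (conformed_bytes + exceeded_bytes) / conn_bytes


if __name__ == "__main__":
    for offered in (8_000_000, 3_000_000):
        p = simulate(4_000_000, 3000, offered)
        print(f"offered {offered / 1e6:.0f} Mbps: conformed {p.conformed_pkts} pkts "
              f"({p.conformed_bytes} B), exceeded {p.exceeded_pkts} pkts, "
              f"transmitted {transmitted_bps(p) / 1e6:.3f} Mbps")
    # Counters from the post: input policer 6612 B, output policer 6065 B, conn 4248754624 B
    print("share of the Citrix connection seen by the policers: "
          f"{policed_share(6612, 6065, 4_248_754_624):.2e}")
```

With the posted values an 8 Mbps stream comes out at just over 4 Mbps (334 packets transmitted, 332 dropped in the first second), and a 3 Mbps stream passes untouched; that is the pattern `show service-policy` should report for a matched flow. Note that a `bc` of 3000 bytes is only two full-size packets of burst allowance, so every packet above the CIR is dropped immediately and TCP will back off hard; on a real link you would normally size the burst larger than that.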

4 Replies

Which version of ASA are you running?

If you are using 8.4 then you will use private addresses when applying the ACL for interesting traffic on the wan interface.
If you are using 8.0 then you will use public addresses when applying the ACL for interesting traffic on the wan interface.

The reason it worked when you put "any any" is that you are matching the public IP instead of the private IP, or vice versa.



Sent from Cisco Technical Support iPad App

I am using version 8.2.6. There is no NAT involved and nothing goes to the Internet. The wan interface is not the outside interface, it's just going towards the MPLS provider and to another of our remote locations. All IP addresses are internal, the 194.x.x.x too (yes, that is a public range but it's used internally. Don't ask ... ).

Regards,

Stefan

sganpat
Level 1

Did you ever get a resolution to this problem?

Kinda. The fact is, it started working all of a sudden without me doing anything. I have no explanation for it but it does show that the configuration I used was correct or it would not work now.

Regards,

Stefan
