ASA 5505 - Windows Update Traffic Policing Not Working

Dustin Barnett
Level 1

Hi,

I have an ASA 5505 running 9.1(6)11. It is in a rural location and connected to a T1 for internet. There are 2 Windows 10 computers that get internet through the ASA and T1. The problem is whenever a windows update is downloaded, it laughs in the face of any policing rules I have configured and proceeds to saturate the T1. Here is an example of a rule in ASDM:

When I do a sh connection port 80, it will show about 100 or so entries. Do I need to limit the amount of connections? What's best practice?

I also added a priority rule for tcp/udp 3389 so that remote desktop stays responsive, but it doesn't help.

Appreciate any help!

5 Replies

Hello,

Untested, but I will see what happens when I run Windows Update after work, if the servers are matching correctly.

Note: Police to 2Mbit.

! FQDN objects only resolve if DNS lookup is enabled on the ASA
! (dns domain-lookup <interface> plus a name-server in dns server-group DefaultDNS).
object network INSIDE-LAN-NETWORK
 subnet 192.168.0.0 255.255.255.0
object network FQDN-WINDOWS_UPDATE-1
 fqdn windowsupdate.microsoft.com
object network FQDN-WINDOWS_UPDATE-2
 fqdn update.microsoft.com
object network FQDN-WINDOWS_UPDATE-3
 fqdn windowsupdate.com
object network FQDN-WINDOWS_UPDATE-4
 fqdn download.microsoft.com
object network FQDN-WINDOWS_UPDATE-5
 fqdn test.stats.update.microsoft.com
object network FQDN-WINDOWS_UPDATE-6
 fqdn ntservicepack.microsoft.com
object-group network FQDN-WINDOWS_UPDATE
 network-object object FQDN-WINDOWS_UPDATE-1
 network-object object FQDN-WINDOWS_UPDATE-2
 network-object object FQDN-WINDOWS_UPDATE-3
 network-object object FQDN-WINDOWS_UPDATE-4
 network-object object FQDN-WINDOWS_UPDATE-5
 network-object object FQDN-WINDOWS_UPDATE-6

Source: https://technet.microsoft.com/cs-cz/library/bb693717.aspx

access-list WINDOWS-UPDATE-SERVERS extended permit ip object-group FQDN-WINDOWS_UPDATE object INSIDE-LAN-NETWORK
class-map MATCH-WINDOWS-UPDATE-SERVERS
 match access-list WINDOWS-UPDATE-SERVERS
policy-map POLICE-TRAFFIC
 class MATCH-WINDOWS-UPDATE-SERVERS
  police input 2097000
service-policy POLICE-TRAFFIC interface OUTSIDE

//Cristian

This looks helpful, I'll try it out. I had noticed MS uses CDNs to distribute the updates, so I wasn't sure I would be able to police the traffic using a source. But I pinged download.windowsupdate.com and it resolved to a Level 3 IP address, so it should be ok.

I was having the same issue as Dustin -- normal HTTP traffic would follow the policing rules, but Windows Update traffic would immediately saturate the WAN, causing traffic to get dropped and slowing web browsing to a crawl. I have my VPN traffic set to go through a priority queue, but Windows Update would even cause that traffic to drop.

I discovered I had my global QoS committed rate set a little too high -- I lowered it to 85% of my maximum bandwidth and it works a lot better now, allowing the priority traffic to flow through uninterrupted.

I tried your Windows Update policing policy above because I want to further limit WU traffic beyond the global setting, but it's not working for me unfortunately. WU traffic bypasses it, but does get caught by my global policy, so that's a start.

Hey,

I'm experiencing the same issues with WU traffic blowing right through policing policies. Was there ever any resolution to this? We have a lot of 5505s and 5506s in the field that would benefit greatly from proper WU policing. Even just one machine pulling updates down from WU (with the tens and sometimes hundreds of simultaneous connections) can bring an internet line to its knees.

Thanks!

Ryan

What software version are you using?

As I see it, it should be one of the two:

 - the Windows Update servers listed in your policy-map are not the ones being used by the PCs inside your network.

 - there's some kind of QoS bug in the ASA software version you are running.

Action plan:

 - run netstat -abn on a couple of PCs while updating and collect the list of Windows Update servers; see if there's any consistency in the destination IPs; be aware that tomorrow those IP addresses might change, though

 - check for any QoS-related bug here https://bst.cloudapps.cisco.com/bugsearch/search?null
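The first step of that action plan, collecting the remote endpoints from netstat on an updating PC and checking whether they fall inside the addresses the ASA's FQDN objects resolve to, is easy to get wrong by hand once there are a hundred connections. Below is an added example (not code from this thread or from Cisco) that parses `netstat -abn`-style output, tallies Internet-side peers per remote IP, and reports which peers would be matched by a class-map built on FQDN objects and which would bypass it. The netstat excerpt, the "resolved" object addresses and the LAN prefix are all constructed placeholders from documentation ranges; the function names are this example's own.

```python
"""Tally remote endpoints from Windows `netstat -abn` output and check which
of them an ASA class-map built on FQDN network objects would actually match.

All sample data here is constructed: the netstat lines, the "resolved" FQDN
object addresses and the LAN prefix use documentation ranges, not real
Microsoft or CDN addresses.
"""
import ipaddress
import re
from collections import Counter

# Constructed excerpt shaped like `netstat -abn` output; the -b owner lines
# (bracketed process names, service names) are interleaved as netstat prints them.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.0.10:49710     203.0.113.20:80        ESTABLISHED
 [svchost.exe]
  TCP    192.168.0.10:49711     198.51.100.7:443       ESTABLISHED
 [svchost.exe]
  TCP    192.168.0.10:49712     198.51.100.7:443       ESTABLISHED
 [svchost.exe]
  TCP    192.168.0.10:49713     198.51.100.8:80        ESTABLISHED
 [svchost.exe]
  TCP    192.168.0.10:49720     203.0.113.20:80        TIME_WAIT
  TCP    192.168.0.10:3389      192.168.0.25:51000     ESTABLISHED
 [svchost.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  UDP    0.0.0.0:5353           *:*
 [chrome.exe]
"""

# Constructed stand-in for what the ASA's DNS resolution of two FQDN objects
# might return at one moment (assumption; real answers change over time).
RESOLVED_FQDN_OBJECTS = {
    "windowsupdate.microsoft.com": ["203.0.113.20"],
    "download.microsoft.com": ["203.0.113.21"],
}

LOCAL_LAN = "192.168.0.0/24"  # constructed, matches the INSIDE-LAN object above

# Only socket rows start with the protocol; header and owner lines do not match.
NETSTAT_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?\s*$"
)


def _split_endpoint(endpoint):
    """Split 'host:port' (IPv6 as '[addr]:port') into (host, port); None if no peer."""
    host, _, port = endpoint.rpartition(":")
    if not host or host == "*" or port in ("*", "0"):
        return None
    return host.strip("[]"), int(port)


def parse_netstat(text):
    """Return (proto, remote_ip, remote_port, state) for every socket with a real peer."""
    rows = []
    for line in text.splitlines():
        match = NETSTAT_ROW.match(line)
        if not match:
            continue  # header, blank line or a -b owner line
        peer = _split_endpoint(match.group("remote"))
        if peer is None:
            continue  # listener or unbound UDP socket, nothing to police
        host, port = peer
        try:
            remote_ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # -n output should be numeric; skip anything that is not
        rows.append((match.group("proto"), remote_ip, port, match.group("state") or ""))
    return rows


def tally_remote_hosts(rows, local_network=LOCAL_LAN):
    """Count connections per remote IP, ignoring peers inside the local LAN."""
    lan = ipaddress.ip_network(local_network)
    return Counter(str(ip) for _, ip, _, _ in rows if ip not in lan)


def classify_against_policy(tally, resolved_objects=RESOLVED_FQDN_OBJECTS):
    """Split the tally into peers the FQDN objects cover and peers that bypass them."""
    policed = {ip for addrs in resolved_objects.values() for ip in addrs}
    matched = {ip: n for ip, n in tally.items() if ip in policed}
    unmatched = {ip: n for ip, n in tally.items() if ip not in policed}
    return matched, unmatched


def report(text=SAMPLE_NETSTAT):
    """Build a short human-readable summary; returned as lines for easy checking."""
    matched, unmatched = classify_against_policy(tally_remote_hosts(parse_netstat(text)))
    lines = ["Peers covered by the FQDN objects (would be policed):"]
    lines += [f"  {ip}: {n} connection(s)" for ip, n in sorted(matched.items())]
    lines.append("Peers NOT covered (would bypass the class-map):")
    lines += [f"  {ip}: {n} connection(s)" for ip, n in sorted(unmatched.items())]
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

On a real PC you would feed the saved `netstat -abn` output to `parse_netstat` and the addresses from `show dns` (or the resolved object output in `show running-config object`) on the ASA to `classify_against_policy`; a large count under "NOT covered" is the CDN-delivered update traffic that the FQDN-based class-map never sees, which is exactly why the global policer catches it while the Windows Update class does not.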
