08-10-2016 03:12 PM - edited 03-12-2019 01:07 AM
Hi,
I have an ASA 5505 running 9.1(6)11. It is in a rural location and connected to a T1 for internet. There are 2 Windows 10 computers that get internet through the ASA and T1. The problem is whenever a windows update is downloaded, it laughs in the face of any policing rules I have configured and proceeds to saturate the T1. Here is an example of a rule in ASDM:
When I do a sh connection port 80, it will show about 100 or so entries. Do I need to limit the number of connections? What's best practice?
I also added a priority rule for tcp/udp 3389 so that remote desktop stays responsive, but it doesn't help.
Appreciate any help!
08-12-2016 01:18 AM
Hello,
Untested, but I will see what happens when I run Windows Update after work, if the servers are matching correctly.
Note: Police to 2 Mbit.
! FQDN objects only resolve when the ASA has "dns domain-lookup <interface>" and a
! "dns server-group" with a name-server configured; otherwise the access-list below never matches.
object network INSIDE-LAN-NETWORK
 subnet 192.168.0.0 255.255.255.0
object network FQDN-WINDOWS_UPDATE-1
 fqdn windowsupdate.microsoft.com
object network FQDN-WINDOWS_UPDATE-2
 fqdn update.microsoft.com
object network FQDN-WINDOWS_UPDATE-3
 fqdn windowsupdate.com
object network FQDN-WINDOWS_UPDATE-4
 fqdn download.microsoft.com
object network FQDN-WINDOWS_UPDATE-5
 fqdn test.stats.update.microsoft.com
object network FQDN-WINDOWS_UPDATE-6
 fqdn ntservicepack.microsoft.com
object-group network FQDN-WINDOWS_UPDATE
 network-object object FQDN-WINDOWS_UPDATE-1
 network-object object FQDN-WINDOWS_UPDATE-2
 network-object object FQDN-WINDOWS_UPDATE-3
 network-object object FQDN-WINDOWS_UPDATE-4
 network-object object FQDN-WINDOWS_UPDATE-5
 network-object object FQDN-WINDOWS_UPDATE-6
Source: https://technet.microsoft.com/cs-cz/library/bb693717.aspx
! Source = update servers, destination = LAN: this is the download direction.
access-list WINDOWS-UPDATE-SERVERS extended permit ip object-group FQDN-WINDOWS_UPDATE object INSIDE-LAN-NETWORK
class-map MATCH-WINDOWS-UPDATE-SERVERS
 match access-list WINDOWS-UPDATE-SERVERS
policy-map POLICE-TRAFFIC
 class MATCH-WINDOWS-UPDATE-SERVERS
  police input 2097000
! "input" on OUTSIDE polices traffic arriving from the internet toward the LAN.
service-policy POLICE-TRAFFIC interface OUTSIDE
//Cristian
08-12-2016 09:06 AM
This looks helpful, I'll try it out. I had noticed MS uses CDNs to distribute the updates, so I wasn't sure I would be able to police the traffic using a source. But I pinged download.windowsupdate.com and it resolved to a Level 3 IP address, so it should be ok.
08-19-2016 08:22 AM
I was having the same issue as Dustin -- normal HTTP traffic would follow the policing rules, but Windows Update traffic would immediately saturate the WAN, causing traffic to get dropped and slowing web browsing to a crawl. I have my VPN traffic set to go through a priority queue, but Windows Update would even cause that traffic to drop.
I discovered I had my global QoS committed rate set a little too high -- I lowered it to 85% of my maximum bandwidth and it works a lot better now, allowing the priority traffic to flow through uninterrupted.
I tried your Windows Update policing policy above because I want to further limit WU traffic beyond the global setting, but it's not working for me unfortunately. WU traffic bypasses it, but does get caught by my global policy, so that's a start.
05-17-2018 08:40 AM
Hey,
I'm experiencing the same issues with WU traffic blowing right through policing policies. Was there ever any resolution to this? We have a lot of 5505s and 5506s in the field that would benefit greatly from proper WU policing. Even just one machine pulling updates down from WU (with the tens and sometimes hundreds of simultaneous connections) can bring an internet line to its knees.
Thanks!
Ryan
05-18-2018 02:46 AM
What software version are you using?
As I see it, it should be one of the two:
- the Windows Update servers listed in your policy-map are not the ones being used by the PCs inside your network.
- there's some kind of QoS bug in the ASA software version you are running.
Action plan:
- run netstat -abn on a couple of PCs while they are updating and collect the list of Windows Update servers; see if there's any consistency in the destination IPs; be aware that tomorrow those IP addresses might change, though.
- check for any QoS related bug here https://bst.cloudapps.cisco.com/bugsearch/search?null
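One way to carry out the netstat step of that action plan, as an added example that is not from any poster in this thread: it parses `netstat -abn` output (a constructed sample is embedded), keeps the HTTP/HTTPS flows owned by the Windows Update and Delivery Optimization services, and reports the peers that fall outside the prefixes the policy's FQDN objects currently resolve to. The service names `wuauserv` and `DoSvc`, the sample rows and the policed prefix list are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
# Constructed sample of `netstat -abn` output (not captured from a real host).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State
  TCP    192.168.0.10:49712     203.0.113.10:80        ESTABLISHED
  wuauserv
 [svchost.exe]
  TCP    192.168.0.10:49713     198.51.100.7:443       ESTABLISHED
  DoSvc
 [svchost.exe]
  TCP    192.168.0.10:49714     198.51.100.8:443       ESTABLISHED
  DoSvc
 [svchost.exe]
  TCP    192.168.0.10:49720     203.0.113.55:443       ESTABLISHED
 [firefox.exe]
"""

# Constructed stand-in for the prefixes the ASA's FQDN objects resolve to today.
POLICED_PREFIXES = [ip_network("203.0.113.0/24")]
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?")
EXE_RE = re.compile(r"^\s*\[(.+)\]\s*$")

def parse_netstat(text):
    """Return [(proto, remote_ip, remote_port, owner)]; owner is 'service/exe'."""
    conns, cur = [], None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:                      # connection row; its owner rows follow it
            proto, _local, remote, _state = m.groups()
            host, _, port = remote.rpartition(":")
            cur = [proto, host.strip("[]"), int(port), []]   # strip IPv6 brackets
        elif cur is None or not line.strip():
            continue
        elif (exe := EXE_RE.match(line)):   # "[svchost.exe]" closes the row
            conns.append((cur[0], cur[1], cur[2], "/".join(cur[3] + [exe.group(1)])))
            cur = None
        else:                      # service hosted in that exe, e.g. DoSvc
            cur[3].append(line.strip())
    return conns

def unpoliced_update_peers(text, prefixes=POLICED_PREFIXES):
    """Count HTTP(S) peers of WU / Delivery Optimization outside the policed prefixes."""
    hits = Counter()
    for _proto, host, port, owner in parse_netstat(text):
        if port in (80, 443) and owner.startswith(("wuauserv", "DoSvc")):
            if not any(ip_address(host) in p for p in prefixes):
                hits[host] += 1
    return dict(hits)
```

Any peer reported here is a download the policy-map never sees; feeding those addresses back into the object-group (or switching to a prefix-based match) is the fix the thread is looking for.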