08-20-2013 01:21 PM - edited 03-11-2019 07:28 PM
Hello all. ASA IOS is v8.22. I have setup overall police (10 down 5 up) on outside interface to match ISP bandwidth (for congestion determination) as well as two rules to put packest into LLQ. First rule is for all traffic to DataCenter and it is working as I can see the LLQ packet count increasing during access. Second rule is for all traffic coming from our internal ProxyServer to outside, but it is not working. No packets from this second rule are entering the LLQ. Thank you to anyone who can assist or point me in direction of clues to priorty queue packets from our ProxyServer.
name 77.77.77.0 DataCenter
name 192.168.1.158 ProxyServer
access-list MIConnection_mpc extended permit ip any DataCenter 255.255.192.0
access-list MIConnection_mpc extended permit ip host ProxyServer any
priority-queue MIConnection
class-map QOS
match access-list MIConnection_mpc
class-map mi_band
match any
policy-map mi_band_police
class mi_band
police input 10000000
police output 5000000 2500
class QOS
priority
service-policy mi_band_police interface outside
08-21-2013 02:38 AM
So the ACL does not match at all? Have you tried replacing the ProxyServer name with the actual IP and see if you get any matches then?
08-21-2013 06:46 AM
Marius, thank you for the reply. Yes it does not appear the ACL is matching. Yes I am using the IP address, I actually only changed to a name for this post to help make it easier to understand. Sorry for the confusion. I will continue testing this afternoon and post whatever I come up with. Thanks again!
08-22-2013 12:11 AM
What version ASA are you running?
The outside interface, I assume that is connecting to the Internet or is it a WAN link?
Are there any NAT statements that might be messing with the traffic not being able to match the ACL?
09-03-2013 01:29 PM
Marius: My ASA IOS is v8.22. The outside interface is connected to a cable modem. In my current setup, I have the cable ISP policed at 10/5 Mbit. If I adjust down to 2/1 Mbit speedtest.net adjusts accordingly, so I know the police on the cable ISP is working. The 1st QoS Rule (QOS) is priorty for our datacenter, and I can see packets hitting the LLQ when this rule is applied. The 2nd QoS rule (DropAmazon) I cannot get to work. It is suppose to police all input and output traffic to AmazonS3 servers at 0.05 Mbit (our offsite backups), but it refuses. I have all the IP ranges for AmazonS3 defined, and I have sniffed the traffic and verified it is going to these ranges, however with the rule active uploads to Amazon still run at full ISP bandwidth (5 Mbit). I will continue to research and test but have been working on this for weeks now. Hopefully I can find out why I cannot police bandwidth to AmazonS3. I can also provide you with the full configuration if you can offer your assistance. Thank you!
names
name 72.15.192.0 Peak10
name 72.21.192.0 AmazonS3.1
name 207.171.160.0 AmazonS3.2
name 176.0.0.0 AmazonS3.3
name 205.251.192.0 AmazonS3.4
interface Ethernet0/2
nameif MIConnection
security-level 0
ip address 24.224.90.78 255.255.255.0
access-list MIConnection_mpc_1 extended permit ip any object-group AmazonS3
access-list MIConnection_mpc_1 extended permit ip object-group AmazonS3 any
access-list MIConnection_access_in extended permit icmp any any
access-list MIConnection_mpc extended permit ip host 192.168.1.158 any inactive
access-list MIConnection_mpc extended permit ip any Peak10 255.255.192.0
access-list MIConnection_mpc extended permit ip Peak10 255.255.192.0 any
priority-queue MIConnection
class-map QOS
match access-list MIConnection_mpc
class-map mi_band
match any
class-map DropAmazon
match access-list MIConnection_mpc_1
class-map inspection_default
match default-inspection-traffic
class-map http-map1
match access-list http-list2
policy-map mi_band_police
class mi_band
police input 10000000
police output 5000000 2500
class QOS
priority
class DropAmazon
police input 50000 1500
police output 50000 1500
service-policy mi_band_police interface MIConnection
09-04-2013 03:21 AM
I am thinking the mi_band class is catching the traffic that is going to the AmazonS3 sites.
class-map mi_band
match any
If you are in a position to test this, try removing the mi_band from the policy map and see if DropAmazon matches then.
09-04-2013 03:25 AM
Or just move DropAmazon to the top of the policy-map configuration
09-04-2013 07:20 PM
Marius, thank you for the help. You we're correct, I moved it to the top and it took effect. However I am know interested in shaping, and am having a problem maybe you can offer some assistance. I have setup shaping on the interface with one priority policy but cannot seem to get the ACL to match again. Please take a look:
------------
access-list global_mpc_2 extended permit ip any Peak10 255.255.192.0
class-map DM_INLINE_Child-Class
match access-list global_mpc_2
policy-map DM_INLINE_Child-Policy
class DM_INLINE_Child-Class
priority
policy-map MI-SHAPE
class class-default
shape average 4000000
service-policy DM_INLINE_Child-Policy
---------
However no packets showing the the priority queue. I even tried changing the ACL to match any and "hitcnt" always equals 0 as shown here:
AssetFirewall# sh access-list global_mpc_2
access-list global_mpc_2; 1 elements; name hash: 0xeb994e93
access-list global_mpc_2 line 1 extended permit ip any Peak10 255.255.192.0 (hitcnt=0) 0x2d9af57d
Interface MIConnection:
Service-policy: MI-SHAPE
Class-map: class-default
shape (average) cir 4000000, bc 16000
(pkts output/bytes output) 171542/216278411
(total drops/no-buffer drops) 3105/0
Service-policy: DM_INLINE_Child-Policy
Class-map: DM_INLINE_Child-Class
priority
Queueing
queue limit 66 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: class-default
Default Queueing
queue limit 66 packets
(queue depth/total drops/no-buffer drops) 50/3105/0
(pkts output/bytes output) 172584/217549709
Any ideas why the priority queue is not matching traffic? Thank you for your help
09-05-2013 01:16 AM
You need to re structure the policy map. This way shapes the traffic to 4Mb while prioritizing the traffic going to Peak10. Now I am not 100% sure why it doesn't work the way you originally did it, But I believe it is because the ASA is a firewall and not all functionality of a route is available. Please correct me if I am wrong.
access-list global_mpc_2 extended permit ip any Peak10 255.255.192.0
class-map DM_INLINE_Child-Class
match access-list global_mpc_2
policy-map MI-SHAPE
class DM_INLINE_Child-Class
priority
class class-default
shape average 4000000
09-05-2013 05:59 AM
Marius, original way should have been correct as it was constructed by the ASDM software, however I will try your changes and report. Thank you
09-05-2013 06:11 AM
Unfortunately met with error, SHAPE cannot be used on a policy-map already using Standard Priority.
09-05-2013 11:54 AM
Sorry my bad, a different policy-map is needed for the priority.
Just out of curiosity, are you in a position to do a test with the ACL? Could you create an ACL that matches an exact port and not IP... for example
access-list global_mpc_2 extended permit tcp any Peak10 255.255.192.0 eq 80
and see if the hitcount on the priority increases. I have seen that with some features on the ASA it needs the exact ports to match for the feature to take effect. I wonder if it is the same with the shaping.
09-05-2013 01:16 PM
Thanks changed ACL to "tcp eq 80" and still no hit counts on ACL. It gets hit counts in standard priority/police mode, although I went back using standard priority today and I'm having problems making ACL's match that too, so I'm wondering if there is some governing setting in my config that is causing all these problems. The shaping on the outside interface with heirerachal priority queue should be working as far as I can tell...
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide