Configuring Traffic Policing

Kasper Elsborg
Level 4

Hi Community, I hope you can help me with this config.

I have an inside SFTP server 192.168.2.82 running on tcp port 20000

I would like to limit the bandwidth, so it is not taking up all upload and download.

Initially I have a:

access-list SFTP extended permit tcp any host 192.168.2.82 eq 20000

class-map SFTP-shaping
match access-list SFTP

policy-map outside-policy
class SFTP-shaping
police input 1500000 5000 conform-action exceed-action drop
police output 1500000 5000 conform-action exceed-action drop
service-policy outside-policy interface outside


However, it doesn't seem to work; regardless of what numbers I configure, it is still at full speed of the link.

Any bright ideas?

Config is attached.

Regards, Soter


9 Replies

@Kasper Elsborg I notice you've got prompt hostname context configured, are you running in multi-context mode? If that's the case, QoS is not supported in multi-context mode. https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/ha-contexts.html

 

@Rob Ingram I wasn't supposed to run in context mode.

I had a look here https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/mngcntxt.html#wp1036360

but none of the commands to remove context mode are working?

Br. Soter

Marius Gunnerud
VIP Alumni

Have you verified that you are actually hitting the policy map?

show policy-map outside-policy

 

The first thing I noticed, though I do not believe it is the issue, is that you are missing the "conform-action transmit" command.

--
Please remember to select a correct answer and rate helpful posts

@Marius Gunnerud I am not sure.

I don't have this command?

asa5516(config)# sh policy-?

exec mode commands/options:
  policy-list    policy-route  
asa5516(config)# sh policy-


but I do have:

asa5516# sh service-policy 

Global policy: 
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: h323 h225 _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: ip-options _default_ip_options_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: netbios, packet 1538, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: rsh, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: rtsp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: skinny , packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: esmtp _default_esmtp_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: sqlnet, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: sunrpc, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: tftp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: sip , packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: icmp, packet 79072, lock fail 0, drop 1297, reset-drop 0, 5-min-pkt-rate 1 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: dns preset_dns_map dynamic-filter-snoop, packet 64300, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 1 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: ftp strict, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: http, packet 310743, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 1 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: icmp error, packet 1, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
    Class-map: global-class
      Inspect: http Http_Map1, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0

Interface outside:
  Service-policy: outside-policy
    Class-map: outside-class1
      Set connection policy: per-client-embryonic-max 50 
        drop 0
      Set connection timeout policy:
        embryonic 0:00:05 
        DCD: disabled, retry-interval 0:00:15, max-retries 5
        DCD: client-probe 0, server-probe 0, conn-expiration 0
    Class-map: SFTP-shaping
      Input police Interface outside:
        cir 3000000 bps, bc 5000 bytes
        conformed 111052 packets, 9330396 bytes; actions:  transmit
        exceeded 2122 packets, 401076 bytes; actions:  drop
        conformed 968 bps, exceed 40 bps
      Output police Interface outside:
        cir 3000000 bps, bc 5000 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
asa5516# 

and it looks like the output police is not working, or am I looking at this the wrong way? Output is when I'm downloading to the internet?

However, it is hitting the access-list:

asa5516(config)# sh access-list 
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list SFTP; 1 elements; name hash: 0xc8056573
access-list SFTP line 1 extended permit tcp any host 192.168.2.82 eq 20000 (hitcnt=16) 0xd17c91db 
access-list global_mpc; 1 elements; name hash: 0x2e734f01
access-list global_mpc line 1 extended permit tcp object Internal any eq www (hitcnt=0) 0xc9123e59 
  access-list global_mpc line 1 extended permit tcp 192.168.0.0 255.255.0.0 any eq www (hitcnt=0) 0xc9123e59 
access-list outside_mpc; 1 elements; name hash: 0x57571241
access-list outside_mpc line 1 extended permit tcp any object Internal eq www (hitcnt=1) 0x9b4aa794 
  access-list outside_mpc line 1 extended permit tcp any 192.168.0.0 255.255.0.0 eq www (hitcnt=1) 0x9b4aa794 
access-list outside_access_in; 3 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any4 any4 object-group outside-access-in-tcp (hitcnt=31) 0x4e5d42fd 
  access-list outside_access_in line 1 extended permit tcp any4 any4 eq 20000 (hitcnt=23) 0xf5151a3c 
  access-list outside_access_in line 1 extended permit tcp any4 any4 eq 8080 (hitcnt=8) 0x7a098f1f 
access-list outside_access_in line 2 extended permit udp any4 any4 object-group outside-access-in-udp (hitcnt=0) 0x0e8e78f6 
  access-list outside_access_in line 2 extended permit udp any4 any4 eq ntp (hitcnt=0) 0x4ecff91a 

And I also noticed that the

policy-map outside-policy
class SFTP-shaping
police input 3000000 5000 conform-action exceed-action drop
police output 3000000 5000 conform-action exceed-action drop

is leaving out the "conform-action exceed-action drop" in the running config.

Br. Soter

Then try the command show service-policy

--
Please remember to select a correct answer and rate helpful posts

@Marius Gunnerud I think we crossed each other. I have edited my initial reply with the show service-policy.

@Marius Gunnerud did you see the edited reply with the show service-policy?

Br. Soter

If you are also trying to "police" traffic from the SFTP server then you need to amend your access list to include traffic from this server:

access-list SFTP extended permit tcp host 192.168.2.82 eq 20000 any

--
Please remember to select a correct answer and rate helpful posts

@Marius Gunnerud of course man.. so simple. Thanks so much. It's working now.

Br. Soter
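The symptom in this thread (input policer counting packets, output policer stuck at zero, and an ACL that only names the server as destination) can be spotted from the two show commands alone. The Python below is an added example, not code from the thread or from Cisco: it parses a constructed sample in the shape of the `show service-policy` and `show access-list` output quoted above (same counter values), flags a class-map whose policer in one direction never matched a packet, and reports which direction of the server's flows the class-map's ACL fails to cover. The function names, the `any`/`host`-only ACE grammar and the sample text are assumptions made for the example.

```python
import re

# Constructed sample input, trimmed to the shape of the "show service-policy"
# and "show access-list" output quoted in the thread (same counters).
SHOW_SERVICE_POLICY = """\
Interface outside:
  Service-policy: outside-policy
    Class-map: SFTP-shaping
      Input police Interface outside:
        cir 3000000 bps, bc 5000 bytes
        conformed 111052 packets, 9330396 bytes; actions:  transmit
        exceeded 2122 packets, 401076 bytes; actions:  drop
        conformed 968 bps, exceed 40 bps
      Output police Interface outside:
        cir 3000000 bps, bc 5000 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
"""

ORIGINAL_ACL = [
    "access-list SFTP line 1 extended permit tcp any host 192.168.2.82 eq 20000 (hitcnt=16) 0xd17c91db",
]
# The ACE the accepted answer adds so the class also matches the server's replies.
RETURN_ACE = "access-list SFTP extended permit tcp host 192.168.2.82 eq 20000 any"

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
POLICE_RE = re.compile(r"^\s*(Input|Output) police\b")
COUNT_RE = re.compile(r"^\s*(conformed|exceeded)\s+(\d+)\s+packets,")
# Assumed grammar: plain any/host ACEs only; object-group ACEs are skipped on purpose.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)(?:\s+line\s+\d+)?\s+extended\s+permit\s+tcp\s+"
    r"(?P<src>any4?|host\s+\S+)(?:\s+eq\s+(?P<sport>\d+))?\s+"
    r"(?P<dst>any4?|host\s+\S+)(?:\s+eq\s+(?P<dport>\d+))?"
    r"(?:\s+\(hitcnt=\d+\)\s+0x[0-9a-f]+)?\s*$"
)


def parse_policers(text):
    """Map each class-map to its Input/Output policer packet counters."""
    policers = {}
    cls = direction = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            cls, direction = m.group(1), None
            policers.setdefault(cls, {})
            continue
        m = POLICE_RE.match(line)
        if m and cls is not None:
            direction = m.group(1)
            policers[cls][direction] = {"conformed": 0, "exceeded": 0}
            continue
        m = COUNT_RE.match(line)
        if m and cls is not None and direction is not None:
            policers[cls][direction][m.group(1)] = int(m.group(2))
    return policers


def idle_policers(policers):
    """Classes where one policer counts packets and the opposite one never did."""
    findings = []
    for cls, dirs in policers.items():
        totals = {d: c["conformed"] + c["exceeded"] for d, c in dirs.items()}
        if len(totals) == 2 and min(totals.values()) == 0 and max(totals.values()) > 0:
            findings.append((cls, min(totals, key=totals.get)))
    return findings


def ace_directions(acl_lines, acl_name, server_ip, port):
    """Which directions of the server's flows the named ACL matches."""
    covered = set()
    for line in acl_lines:
        m = ACE_RE.match(line.strip())
        if not m or m.group("name") != acl_name:
            continue
        if m.group("dst") == f"host {server_ip}" and m.group("dport") == str(port):
            covered.add("to-server")
        if m.group("src") == f"host {server_ip}" and m.group("sport") == str(port):
            covered.add("from-server")
    return covered


def audit(show_output, acl_lines, acl_name, server_ip, port):
    """Flag an idle policer and report which ACL direction is missing."""
    notes = []
    for cls, idle in idle_policers(parse_policers(show_output)):
        notes.append(f"{cls}: {idle} policer never matched a packet")
    missing = {"to-server", "from-server"} - ace_directions(acl_lines, acl_name, server_ip, port)
    for d in sorted(missing):
        notes.append(f"{acl_name}: no ACE for {d} traffic on {server_ip}:{port}")
    return notes


if __name__ == "__main__":
    for note in audit(SHOW_SERVICE_POLICY, ORIGINAL_ACL, "SFTP", "192.168.2.82", 20000):
        print(note)
    print("after fix:", audit(SHOW_SERVICE_POLICY, ORIGINAL_ACL + [RETURN_ACE], "SFTP", "192.168.2.82", 20000))
```

Run against the original ACL it reports both the idle output policer and the missing from-server ACE; after appending the ACE from the accepted answer only the (historical) idle-counter note remains, which clears once the counters move. The ACE check is deliberately strict: it understands only `any`/`host` sources and destinations, so an ACL built from object-groups needs the expanded lines that `show access-list` prints.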
