06-12-2022 03:59 AM
Hi Community, I hope you can help me with this config.
I have an inside SFTP server 192.168.2.82 running on tcp port 20000
I would like to limit the bandwidth, so it is not taking up all the upload and download capacity.
Initially I have a:
access-list SFTP extended permit tcp any host 192.168.2.82 eq 20000

class-map SFTP-shaping
 match access-list SFTP

policy-map outside-policy
 class SFTP-shaping
  police input 1500000 5000 conform-action exceed-action drop
  police output 1500000 5000 conform-action exceed-action drop

service-policy outside-policy interface outside
However, it doesn't seem to work; regardless of what numbers I configure, it still runs at the full speed of the link.
Any bright ideas?
Config is attached
Regards Soter
06-12-2022 10:23 AM
@Kasper Elsborg I notice you've got prompt hostname context configured, are you running in multi-context mode? If that's the case, QoS is not supported in multi-context mode. https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/ha-contexts.html
06-12-2022 11:24 PM
@Rob Ingram I wasn't supposed to run in context mode.
I had a look here https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/mngcntxt.html#wp1036360
but none of the commands to remove context mode are working?
Br. Soter
06-12-2022 12:15 PM
Have you verified that you are actually hitting the policy map?
show policy-map outside-policy
The first thing I noticed, though I do not believe it is the issue, is that you are missing the "conform-action transmit" command.
06-12-2022 11:36 PM - edited 06-13-2022 12:40 AM
@Marius Gunnerud I am not sure.
I don't have this command?
asa5516(config)# sh policy-?
exec mode commands/options:
  policy-list  policy-route
asa5516(config)# sh policy-
but I do have:
asa5516# sh service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: h323 h225 _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: ip-options _default_ip_options_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: netbios, packet 1538, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: rsh, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: rtsp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: skinny , packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: esmtp _default_esmtp_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: sqlnet, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: sunrpc, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: tftp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: sip , packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: icmp, packet 79072, lock fail 0, drop 1297, reset-drop 0, 5-min-pkt-rate 1 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: dns preset_dns_map dynamic-filter-snoop, packet 64300, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 1 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: ftp strict, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: http, packet 310743, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 1 pkts/sec, v6-fail-close 0 sctp-drop-override 0
      Inspect: icmp error, packet 1, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
    Class-map: global-class
      Inspect: http Http_Map1, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0

Interface outside:
  Service-policy: outside-policy
    Class-map: outside-class1
      Set connection policy: per-client-embryonic-max 50
        drop 0
      Set connection timeout policy:
        embryonic 0:00:05
        DCD: disabled, retry-interval 0:00:15, max-retries 5
        DCD: client-probe 0, server-probe 0, conn-expiration 0
    Class-map: SFTP-shaping
      Input police Interface outside:
        cir 3000000 bps, bc 5000 bytes
        conformed 111052 packets, 9330396 bytes; actions: transmit
        exceeded 2122 packets, 401076 bytes; actions: drop
        conformed 968 bps, exceed 40 bps
      Output police Interface outside:
        cir 3000000 bps, bc 5000 bytes
        conformed 0 packets, 0 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
        conformed 0 bps, exceed 0 bps
asa5516#
and it looks like the output police is not working, or am I looking at this the wrong way? Output is when I'm downloading to the internet?
However, it is hitting the access-list:
asa5516(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list SFTP; 1 elements; name hash: 0xc8056573
access-list SFTP line 1 extended permit tcp any host 192.168.2.82 eq 20000 (hitcnt=16) 0xd17c91db
access-list global_mpc; 1 elements; name hash: 0x2e734f01
access-list global_mpc line 1 extended permit tcp object Internal any eq www (hitcnt=0) 0xc9123e59
  access-list global_mpc line 1 extended permit tcp 192.168.0.0 255.255.0.0 any eq www (hitcnt=0) 0xc9123e59
access-list outside_mpc; 1 elements; name hash: 0x57571241
access-list outside_mpc line 1 extended permit tcp any object Internal eq www (hitcnt=1) 0x9b4aa794
  access-list outside_mpc line 1 extended permit tcp any 192.168.0.0 255.255.0.0 eq www (hitcnt=1) 0x9b4aa794
access-list outside_access_in; 3 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any4 any4 object-group outside-access-in-tcp (hitcnt=31) 0x4e5d42fd
  access-list outside_access_in line 1 extended permit tcp any4 any4 eq 20000 (hitcnt=23) 0xf5151a3c
  access-list outside_access_in line 1 extended permit tcp any4 any4 eq 8080 (hitcnt=8) 0x7a098f1f
access-list outside_access_in line 2 extended permit udp any4 any4 object-group outside-access-in-udp (hitcnt=0) 0x0e8e78f6
  access-list outside_access_in line 2 extended permit udp any4 any4 eq ntp (hitcnt=0) 0x4ecff91a
and I also noticed that the

policy-map outside-policy
 class SFTP-shaping
  police input 3000000 5000 conform-action exceed-action drop
  police output 3000000 5000 conform-action exceed-action drop

is leaving out the "conform-action exceed-action drop" in the running config.
Br. Soter
06-12-2022 11:55 PM
Then try the command show service-policy
06-13-2022 12:53 AM
@Marius Gunnerud I think we crossed each other. I have edited my initial reply with the show service-policy output.
06-14-2022 03:19 AM
06-14-2022 06:19 AM
If you are also trying to "police" traffic from the SFTP server then you need to amend your access list to include traffic from this server:
access-list SFTP extended permit tcp host 192.168.2.82 eq 20000 any
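The complete policing configuration as the accepted answer implies it, written out as an added example rather than copied from the thread or from the attached config. The hostname, server address, port and the 3000000 bps / 5000 byte police values are taken from the posts above; everything else (the class-map and policy-map names being reused unchanged, the verification commands) is an assumption. The point of the second ACE is that the ASA evaluates the class-map ACL against each packet in the direction that the police statement applies to: the original ACE only matches packets addressed to the server, which are the ones arriving on "outside" (input police), so the server's replies leaving via "outside" (output police) never matched, which is exactly what the 0-packet Output police counter showed.

```cisco
! Added example (not the thread's own config). Assumes single-context mode,
! since QoS is not supported in multi-context mode.
!
! One ACE per direction: client -> server and server -> client.
access-list SFTP extended permit tcp any host 192.168.2.82 eq 20000
access-list SFTP extended permit tcp host 192.168.2.82 eq 20000 any
!
class-map SFTP-shaping
 match access-list SFTP
!
policy-map outside-policy
 class SFTP-shaping
  ! rate is in bits per second, burst in bytes
  ! "conform-action transmit" is the default and is dropped from the running
  ! config, which is why it disappeared in the thread; spelling it out keeps
  ! the intent explicit
  police input 3000000 5000 conform-action transmit exceed-action drop
  police output 3000000 5000 conform-action transmit exceed-action drop
!
service-policy outside-policy interface outside
!
! Verification (assumed usage): reset the counters, run a transfer in each
! direction, then check that both "Input police" and "Output police" show
! conformed and exceeded packet counts increasing. A 0-packet counter in one
! direction means the ACL does not match that direction.
!   asa5516# clear service-policy interface outside
!   asa5516# show service-policy interface outside
!   asa5516# show access-list SFTP
```

Note that `show policy-map` is not an ASA command; `show service-policy` (optionally with `interface outside`) is where the per-direction police counters live, as the thread found.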
06-14-2022 07:10 AM