03-01-2013 02:03 AM - edited 03-11-2019 06:08 PM
Hi All,
I have the following problem. I have an inside user which uses excessive amounts of bandwidth (Citrix traffic) and I need to limit it. The ASA has a trunk to our backbone switch and over this trunk, two subinterfaces: lan and wan. QoS is configured as follows:
! range of citrix servers
access-list citrix_traffic extended permit ip any 194.x.x.0 255.255.255.0
access-list citrix_traffic extended permit ip 194.x.x.0 255.255.255.0 any
class-map citrix
match access-list citrix_traffic
policy-map throttle
class citrix
police input 4000000 3000
police output 4000000 3000
service-policy throttle interface wan
This is not doing anything at all. We have an 8 Mbps WAN connection (MPLS) and the Citrix traffic is using all of it. If I look at the access list I see only a few hits:
sh access-list citrix_traffic
access-list citrix_traffic; 2 elements; name hash: 0xe77efd3e
access-list citrix_traffic line 1 extended permit ip any 194.x.x.0 255.255.255.0 (hitcnt=243) 0xdcf3fc4a
access-list citrix_traffic line 2 extended permit ip 194.x.x.0 255.255.255.0 any (hitcnt=228) 0xffe6a0ff
That must be wrong; Wireshark on the switch port connected to the MPLS gateway shows 8 Mbps. The policy map shows this:
Interface wan:
Service-policy: throttle
Class-map: citrix
Input police Interface wan:
cir 4000000 bps, bc 3000 bytes
conformed 41 packets, 6612 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Output police Interface wan:
cir 4000000 bps, bc 3000 bytes
conformed 38 packets, 6065 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
This also can't be right, how can I have only 38 conformed packets? Even the ASA shows a LOT of traffic to the Citrix servers:
sh local-host 194.x.x.159
Conn:
TCP wan 194.x.x.159:2598 vlan_sds_lan 10.226.201.70:60189, idle 0:00:02, bytes 4248754624, flags UIO
What exactly am I doing wrong? I tried putting the policy-map on the lan interface as well, no change. I notice that if I change the ACL to basically say "any any" then it seems to work; I see the real bandwidth in the "show service-policy" output.
Best regards,
Stefan
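To make the numbers in the question concrete, here is an added example (written for this page, not code from the thread or from Cisco) that models the two `police` lines as a single-rate token bucket: a bucket of bc bytes, refilled at cir bits per second, where a packet conforms only if the bucket holds at least its size and is otherwise dropped. That the bucket starts full and that exceeding packets consume no tokens are assumptions of this model, not documented ASA internals. Running a constant 8 Mbps stream of 1500-byte packets through `cir 4000000 bps, bc 3000 bytes` shows what the `show service-policy` counters should look like when the class actually matches the traffic.

```python
"""Single-rate token-bucket policer, modelled on the ASA 'police' command.

Example code added to illustrate the thread; the bucket-starts-full and
no-token-charge-on-exceed behaviour are assumptions of this model."""
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class Policer:
    """One direction of 'police <cir_bps> <bc_bytes>'."""
    cir_bps: int
    bc_bytes: int
    tokens: Fraction = field(init=False)
    last_us: int = 0
    conformed_pkts: int = 0
    conformed_bytes: int = 0
    exceeded_pkts: int = 0
    exceeded_bytes: int = 0

    def __post_init__(self) -> None:
        self.tokens = Fraction(self.bc_bytes)  # assumption: bucket starts full

    def offer(self, now_us: int, size: int) -> str:
        """Offer one packet of `size` bytes at time `now_us` (microseconds).
        Returns 'transmit' or 'drop', mirroring the 'actions:' column."""
        # Refill with the bytes earned since the last packet, capped at bc.
        elapsed_us = now_us - self.last_us
        self.last_us = now_us
        earned = Fraction(elapsed_us * self.cir_bps, 8 * 1_000_000)
        self.tokens = min(Fraction(self.bc_bytes), self.tokens + earned)
        if size <= self.tokens:
            self.tokens -= size
            self.conformed_pkts += 1
            self.conformed_bytes += size
            return "transmit"
        # Exceeding packets consume no tokens; they are simply dropped.
        self.exceeded_pkts += 1
        self.exceeded_bytes += size
        return "drop"


def simulate_cbr(cir_bps: int, bc_bytes: int, offered_bps: int,
                 pkt_size: int = 1500, duration_s: int = 1) -> dict:
    """Push a constant-bit-rate stream of pkt_size-byte packets at offered_bps
    through the policer for duration_s seconds; return counters in the same
    shape as the 'show service-policy' police output."""
    pol = Policer(cir_bps, bc_bytes)
    interval_us = pkt_size * 8 * 1_000_000 // offered_bps  # gap between packets
    n_packets = duration_s * 1_000_000 // interval_us
    for i in range(n_packets):
        pol.offer(i * interval_us, pkt_size)
    return {
        "conformed_pkts": pol.conformed_pkts,
        "conformed_bytes": pol.conformed_bytes,
        "exceeded_pkts": pol.exceeded_pkts,
        "exceeded_bytes": pol.exceeded_bytes,
        "conformed_bps": pol.conformed_bytes * 8 // duration_s,
    }


if __name__ == "__main__":
    # Same parameters as the thread's policy-map: cir 4000000 bps, bc 3000 bytes.
    for offered in (4_000_000, 8_000_000):
        print(f"offered {offered} bps:", simulate_cbr(4_000_000, 3000, offered))
```

At exactly 4 Mbps every packet conforms; at 8 Mbps the model drops 332 of 666 packets in one second and the conformed rate settles just above 4 Mbps (the small overshoot is the initial 3000-byte burst allowance). A class that really carried the 8 Mbps Citrix flow would therefore show thousands of conformed and exceeded packets per second, so counters of 38 and 41 packets with zero exceeded indicate that the class-map is not matching the flow, not that the policer is mis-rated. Note also that bc 3000 is only two full-size packets, so any burstier traffic would be policed more harshly than this smooth stream.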
03-01-2013 06:09 AM
Which version of ASA are you running?
If you are using 8.4 then you will use private addresses while applying the ACL for interesting traffic on the wan interface.
If you are using version 8.0 then you will use public addresses while applying the ACL for interesting traffic on the wan interface.
The reason why you put any any and it worked is because you are matching the public IP instead of the private IP, or vice versa.
Sent from Cisco Technical Support iPad App
03-02-2013 02:07 AM
I am using version 8.2.6. There is no NAT involved and nothing goes to the Internet. The wan interface is not the outside interface; it's just going towards the MPLS provider and to another of our remote locations. All IP addresses are internal, the 194.x.x.x too (yes, that is a public range but it's used internally. Don't ask ... ).
Regards,
Stefan
08-01-2013 10:13 AM
Did you ever get a resolution to this problem?
08-02-2013 02:32 AM
Kinda. The fact is, it started working all of a sudden without me doing anything. I have no explanation for it but it does show that the configuration I used was correct or it would not work now.
Regards,
Stefan