06-24-2024 08:01 AM
I'm an MSP that is managing a Cisco ASA firewall in a datacenter - Software Version 9.16(4)14
The ISP connection is 500MB down/100 MB up
We have about 20 IPSec VPN tunnels & 50 RAS VPNs at any given time on this firewall with a mixture of IKEv1 & IKEv2
One of the VPN tunnels is pulling data from an AS400 to an office, resulting in all 100Mb upload speed being utilized. This in turn causes issues for all the other users.
I do not have familiarity with policing traffic and there is nothing currently configured for policing on the network or firewall but I would like to rate limit this single IPSec VPN so they can only use up to 80% of the bandwidth.
Datacenter - we have 30 sub-interfaces on the ASA. The network in question is a VLAN sub-interface, layer-2, /24 subnet with its gateway being the firewall. (10.10.10.0/24) - (firewall 10.10.10.1/24)
Office - it too is a Layer-2 network /24 with its gateway being the office firewall. Please note I do not manage the office firewall - another MSP manages it. (192.168.12.0/24) - (firewall 192.168.12.1/24)
Tunnel - PFS is turned off / all IP addresses are private IPv4 / All traffic is No-NAT (Section 1), so the real IPs from the Office talk to the real IPs in the Datacenter. Of course the IPs I listed above are not the real IPs; I made them up to protect my client.
06-24-2024 12:36 PM
"The ISP connection is 500MB down/100 MB up"
Connected directly to your FW or do you have a router in place (which you control)?
06-26-2024 07:32 AM
We have a dumb layer 2 switch between the firewall pair and the ISP.
06-26-2024 07:39 AM - edited 06-27-2024 05:22 AM
MHM
06-26-2024 10:41 AM
@MHM Cisco World wrote:
(I hate QoS)
MHM
Really?! I'm surprised, since you're very knowledgeable about so many aspects of networking.
That's just from lack of understanding QoS (which is common) or some other reason(s)?
If another reason(s), perhaps you'll open a posting on why QoS deserves to be hated. Could be a worthwhile topic of discussion.
06-26-2024 11:00 AM
Thanks for these nice words.
Two topics I hate: QoS and multicast (even though I started and finished multicast, I still hate it).
Why?
Because for switches there is a Cisco-ready config, but for routers you need to calculate QoS settings according to the BW of the link, and I see it as a loss of time; maybe one day an engineer or me (lol..) will make an app that makes it easy for engineers to get the right value instead of dealing with many numbers.
Thanks again
Have a nice day
MHM
06-27-2024 05:22 AM
Check this link, friend. I think it's the solution for your case.
MHM
06-27-2024 09:36 AM
@MHM Cisco World wrote:
Check this link, friend. I think it's the solution for your case.
MHM
BTW, came across that yesterday, too. At first, I noticed it was published 2014, so I was worried how much might still be applicable (possibly a lot, as I read in that document it applies to version 9x).
Second, again, being unfamiliar with ASA QoS, off the top of my head, could not explain how to use that information, in that reference, in this case. (At least without my additional study of ASA QoS and further clarifications about the OP's environment.)
That noted, it's possible ASA QoS might be a solution and it's possible that reference contains what you need to know.
06-26-2024 07:55 AM
Normally, QoS could deal with your issue. Likely a dumb L2 switch has no QoS features, and, unfortunately, I'm not knowledgeable about ASA QoS capabilities, if any.
06-28-2024 12:38 AM
Hello
Possibly apply an MQC policy to the client VPN to limit its traffic in/out on the tunnel.
Example - subnet 10.10.10.0/24:
access-list vpnusers_acl extended permit ip 10.10.10.0 255.255.255.0 any
class-map vpn_cm
 match access-list vpnusers_acl
policy-map vpn_pm
 description police tunnel to 1mb
 class vpn_cm
  police input 1000000
  police output 1000000
Or just use the class class-default:
policy-map vpn_pm
 description police tunnel to 1mb
 class class-default
  police input 1000000
  police output 1000000
service-policy vpn_pm interface <client tunnel>
access-list in_out extended permit ip any any
access-group in_out in interface <client tunnel>
access-group in_out out interface <client tunnel>
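As an added worked example (not posted by anyone in this thread), this is how the OP's actual requirement maps onto the ASA's MQC: police only the one site-to-site tunnel's outbound traffic to 80 Mbps, i.e. 80% of the 100 Mb/s upload, by matching the tunnel-group rather than a subnet ACL. The tunnel-group name (placeholder peer address 203.0.113.10) and the outside interface nameif "outside" are assumptions.

```cisco
! Added example, not the thread's own config. Assumed names: tunnel-group
! "203.0.113.10" (placeholder for the office firewall's public peer IP, which
! is the site-to-site tunnel-group name on the ASA) and nameif "outside".
!
! Class: traffic belonging to this one tunnel. "match flow ip
! destination-address" is required together with "match tunnel-group"
! for a police action.
class-map as400-tunnel-class
 match tunnel-group 203.0.113.10
 match flow ip destination-address
!
! Policy: conform-rate is bits per second (80 Mbps = 80% of the 100 Mb up),
! conform-burst is bytes (1 MB, roughly 0.1 s at the conform rate).
! Only "police output" is used because the saturation is DC -> office upload.
policy-map as400-tunnel-policy
 class as400-tunnel-class
  police output 80000000 1000000 conform-action transmit exceed-action drop
!
! The ASA permits one interface service-policy per interface (plus the
! global policy); if "outside" already carries one, add the class to that
! existing policy-map instead of applying a second policy.
service-policy as400-tunnel-policy interface outside
!
! Verify that the class is matching and that exceed drops appear under load:
show service-policy interface outside police
```

The other 19 tunnels and the RAS users fall outside the class and are left unpoliced, which is what limits the impact of the change to the single AS400 transfer.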