We are getting the same messages from our FirePower system.
So do we just disable the signature or what is the proposed solution from TAC?
Are they fixing their IPS Signatures and we update?
Thanks for a reply.
Hello everyone. I might have some problems, or maybe not. I followed all the instructions in this document: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml "PIX/ASA 7.x: QoS for VoIP Traffic on VPN Tunnels Configuration Example". I managed to get the 3750X stack to match the Citrix/ICA traffic with cs5 markings and adapted this document to the cs5 value. I also configured the BW policing for the tunnel-group as explained in the whitepaper. So here my problem starts: I do see traffic matching the ICA policy, but not the tunnel-group. I am applying this to a static L2L tunnel, as well as to the default L2L group, since one of the end stations is a dynamically assigned 1941 router.

Output shown below:

Class-map: VOICE
  Priority:
    Interface OUTSIDE: aggregate drop 0, aggregate transmit 22966560
Class-map: DATA
  Output police Interface OUTSIDE:
    cir 4000000 bps, bc 67500 bytes
    conformed 0 packets, 0 bytes; actions: transmit
    exceeded 0 packets, 0 bytes; actions: drop
    conformed 0 bps, exceed 0 bps
Class-map: ICA_TRAFFIC
  Priority:
    Interface OUTSIDE: aggregate drop 0, aggregate transmit 22966560
Class-map: DATA_L2L_DMVPN
  Output police Interface OUTSIDE:
    cir 2000000 bps, bc 37500 bytes
    conformed 0 packets, 0 bytes; actions: transmit
    exceeded 0 packets, 0 bytes; actions: drop
    conformed 0 bps, exceed 0 bps
Class-map: class-default
  Output police Interface OUTSIDE:
    cir 4000000 bps, bc 67500 bytes
    conformed 106656777 packets, 61270299026 bytes; actions: transmit
    exceeded 711856 packets, 979504945 bytes; actions: drop
    conformed 285016 bps, exceed 11280 bps
!

Here is the configuration part of the ASA config. I just don't understand why there is no match, or where the error in the config is:

class-map DATA
 match flow ip destination-address
 match tunnel-group 220.127.116.11
class-map VOICE
 match dscp ef
class-map ICA_TRAFFIC
 match dscp cs5
class-map DATA_L2L_DMVPN
 match flow ip destination-address
 match tunnel-group DefaultL2LGroup
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map CITRIX_POLICY
policy-map VOICE_POLICY
 class VOICE
  priority
 class DATA
  police output 4000000 67500
 class ICA_TRAFFIC
  priority
 class DATA_L2L_DMVPN
  police output 2000000 37500
 class class-default
  police output 4000000 67500
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect sip
  inspect xdmcp
  inspect pptp
policy-map DSCP_POLICY
!
service-policy global_policy global
service-policy VOICE_POLICY interface OUTSIDE

Hopefully someone can help me out here. Kind regards, and thanks for any help in advance.

Alex

The reason for this configuration is that we have a high load on the OUTSIDE link of the ASA and would like to try to give the ICA & Voice traffic priority and the VPN tunnels some policing.
</gre_replace>
<gr_insert after="7" cat="add_content" lang="python" orig="Here is the configuration">
The counters in the post above already contain the diagnostic: the two policed tunnel classes (DATA and DATA_L2L_DMVPN) show zero conformed and zero exceeded packets, while the ICA and VOICE priority classes and class-default are busy, so the tunnel-group class-maps are never matching. The following is an added example, written for this thread and not code from the poster or from Cisco: a small parser for the `show service-policy` output format quoted above that rolls up per-class counters and flags any class-map that has not seen a packet. The sample input is the poster's own output, reformatted one field per line as the ASA prints it; the class names and numbers are taken from the post, and the assumption is that the device output follows exactly that layout.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the "show service-policy" counters quoted in the
# post above, laid out one field per line as the ASA prints them.
SAMPLE_OUTPUT = """\
Class-map: VOICE
  Priority:
    Interface OUTSIDE: aggregate drop 0, aggregate transmit 22966560
Class-map: DATA
  Output police Interface OUTSIDE:
    cir 4000000 bps, bc 67500 bytes
    conformed 0 packets, 0 bytes; actions: transmit
    exceeded 0 packets, 0 bytes; actions: drop
    conformed 0 bps, exceed 0 bps
Class-map: ICA_TRAFFIC
  Priority:
    Interface OUTSIDE: aggregate drop 0, aggregate transmit 22966560
Class-map: DATA_L2L_DMVPN
  Output police Interface OUTSIDE:
    cir 2000000 bps, bc 37500 bytes
    conformed 0 packets, 0 bytes; actions: transmit
    exceeded 0 packets, 0 bytes; actions: drop
    conformed 0 bps, exceed 0 bps
Class-map: class-default
  Output police Interface OUTSIDE:
    cir 4000000 bps, bc 67500 bytes
    conformed 106656777 packets, 61270299026 bytes; actions: transmit
    exceeded 711856 packets, 979504945 bytes; actions: drop
    conformed 285016 bps, exceed 11280 bps
"""


@dataclass
class ClassStats:
    name: str
    action: str = "none"      # "priority" or "police" once the header is seen
    cir_bps: int = 0          # policer rate, police classes only
    conformed_pkts: int = 0   # police: packets under the CIR (transmitted)
    exceeded_pkts: int = 0    # police: packets over the CIR (dropped)
    aggregate_tx: int = 0     # priority: packets sent from the LLQ
    aggregate_drop: int = 0   # priority: packets dropped from the LLQ

    @property
    def total_pkts(self) -> int:
        return (self.conformed_pkts + self.exceeded_pkts
                + self.aggregate_tx + self.aggregate_drop)

    @property
    def drop_ratio(self) -> float:
        """Share of this class's packets that were dropped (0.0 if it saw none)."""
        dropped = self.exceeded_pkts + self.aggregate_drop
        return dropped / self.total_pkts if self.total_pkts else 0.0


def parse_service_policy(text: str) -> list:
    """Turn 'show service-policy' text into one ClassStats per class-map."""
    classes = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Class-map:\s+(\S+)", line)
        if m:
            cur = ClassStats(name=m.group(1))
            classes.append(cur)
            continue
        if cur is None:
            continue  # header lines before the first class-map
        if line.startswith("Priority:"):
            cur.action = "priority"
            continue
        if re.match(r"(Input|Output) police", line):
            cur.action = "police"
            continue
        m = re.match(r"cir (\d+) bps", line)
        if m:
            cur.cir_bps = int(m.group(1))
            continue
        m = re.match(r"conformed (\d+) packets", line)   # skips the "bps" line
        if m:
            cur.conformed_pkts += int(m.group(1))
            continue
        m = re.match(r"exceeded (\d+) packets", line)
        if m:
            cur.exceeded_pkts += int(m.group(1))
            continue
        m = re.search(r"aggregate drop (\d+), aggregate transmit (\d+)", line)
        if m:
            cur.aggregate_drop += int(m.group(1))
            cur.aggregate_tx += int(m.group(2))


    return classes


def idle_classes(classes) -> list:
    """Class-maps that never matched a packet. class-default is excluded:
    it only catches what the other classes missed, so it is never 'idle'."""
    return [c.name for c in classes
            if c.name != "class-default" and c.total_pkts == 0]


def report(text: str) -> str:
    """One line per class, with never-matching classes flagged."""
    classes = parse_service_policy(text)
    idle = set(idle_classes(classes))
    rows = []
    for c in classes:
        flag = "  <-- no traffic matched" if c.name in idle else ""
        rows.append(f"{c.name:16} {c.action:9} pkts={c.total_pkts:<11} "
                    f"drop={c.drop_ratio:.2%}{flag}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT))
```

Run against the post's counters, the report flags DATA and DATA_L2L_DMVPN as never matching, which is the symptom being asked about: a police class with all-zero counters is not policing anything, and the traffic it was meant for is falling through to class-default (where the 711856 exceeded packets show the link is in fact congested). Re-running the report after each config change is a quick way to confirm whether a tunnel-group class has started to match.
<test>
classes = parse_service_policy(SAMPLE_OUTPUT)
assert [c.name for c in classes] == ["VOICE", "DATA", "ICA_TRAFFIC", "DATA_L2L_DMVPN", "class-default"]
assert idle_classes(classes) == ["DATA", "DATA_L2L_DMVPN"]
by = {c.name: c for c in classes}
assert by["VOICE"].action == "priority" and by["VOICE"].aggregate_tx == 22966560
assert by["VOICE"].drop_ratio == 0.0
assert by["DATA"].action == "police" and by["DATA"].cir_bps == 4000000
assert by["DATA"].total_pkts == 0
assert by["DATA_L2L_DMVPN"].cir_bps == 2000000
assert by["class-default"].conformed_pkts == 106656777
assert by["class-default"].exceeded_pkts == 711856
assert abs(by["class-default"].drop_ratio - 711856 / 107368633) < 1e-12
assert "no traffic matched" in report(SAMPLE_OUTPUT)
assert report(SAMPLE_OUTPUT).count("no traffic matched") == 2
</test>
</gr_insert>
<gr_replace lines="8" cat="remove_boilerplate" orig="... View more">
... View more