ASA 5510 traffic policing

Unanswered Question

I am trying to set up policing from 3 particular servers. The traffic that I want to limit is https (443) connections. The service policy rules that I have set up so far seem to have no effect at all. I'm using the traffic match criteria source and destination IP address, I have the source and destination configured, and I've tried several different services. Under rule actions, protocol selection is set to DCERPC selected, QoS is set to enable policing on input and output, rate is set to 250000.

What am I missing.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mirober2 Fri, 09/03/2010 - 10:09

Hi Mike,

Do you have priority queueing enabled as well? This link may help you fix the problem:

NOTE 2: Priority queueing needs to be used with policing or traffic shaping. The reason is that unless the link that LLQ is saturated the packets will not be prioritized. Usually the interfaces of the ASA can be 100Mbps or 1Gbps or more, so saturating these links isn't something that will happen often . But implementing policing or traffic shaping along with LLQ actually makes LLQ kick in at the point the policing or shaping limits are met.

Hope that helps.


Panos Kampanakis Fri, 09/03/2010 - 12:20

Please also send us the "sh run class-map", "sh run policy-map", "sh run service-policy" and the ACLs used in the class-maps in order to do a sanity check on the config.


mirober2 Tue, 09/07/2010 - 08:02

Hi Mike,

To see the ACLs used for this config, you can use the following command:

show run access-list inside_mpc


Panos Kampanakis Tue, 09/07/2010 - 11:15

I see the ACL lines being inactive. These will not be matching traffic.

Please put them in again without the inactive keyword.


Panos Kampanakis Tue, 09/07/2010 - 11:29

You are applying your policy on the inside interface policing at 250kbps for traffic from your 172.... hosts to the 65.... hosts on port 443.

When the lines were active did you see hitcounts on them "sh access-list . If yes, they you were policing.

do you want to policy https download from the hosts, or http uploads? If it is uploads the source port of the ACL should be https, and not the destination.

I hope it helps.



This Discussion

Related Content