Limit interface bandwidth on an ASA 5508x

itsupport
Level 1

Have just purchased and am beginning to configure an ASA 5508x. Our ISP has provided a 50mb/50mb fibre service, which is delivered via a Gbit port on a supplied "basement switch".

I have set up a Firepower Management Centre, running 6.2.0.1 (build 53). The ASA 5508x is running Threat Defence 6.2.0.2.  So far, my config is just two interfaces, Int and Ext, with static IPs. The internal interface uses a 192.168.x.x/24 range, and the external uses the IP and gateway defined by the ISP. A single dynamic NAT rule allows the single (for now) internal PC to NAT out using any ports, via a default action rule. Really simple, and works as expected.

The ISP limits incoming traffic rate to 50Mb, but have requested that we limit outgoing traffic to the same rate. Otherwise, if we exceed 50Mb, they will just drop packets. This is where I am having trouble.

Under Devices, QoS, I have set up a policy. It saves and applies to the device OK, however it does not seem to actually do anything, regardless of how I set it up. Even setting it to 2Mb up/down seems to make no difference, regardless of how I configure it.

1. Is this actually supposed to work?

2. Is the attached screenshot a correct and valid setup?


7 Replies

Marvin Rhoads
Hall of Fame

That looks correct.

Assuming the rule has been successfully deployed to the target device, I would expect it to work.

If it isn't working then I'd engage the TAC - I'd be interested to hear what they advise.

Logged a call with TAC around 68 hours ago. Got the following response after 3 hours: "Kindly give me some to research on your requirement. Shall keep you updated." 23 hours ago, I nudged them via email, no response yet.

Seems this must be a very difficult question, requiring days of research! Will post back when I hear something useful.

You can always request your case be requeued if the assigned engineer is not providing satisfactory service. 

A priority 3 or 4 case has an SLA of 72 or 96 hours respectively. Reference:

https://www.cisco.com/legal/Cisco_Severity_and_Escalation_Guidelines.pdf

Just had a Webex session with TAC. The analyst saw the problem. She then enabled some logging, and checked that packets were passing through the QoS rule. They were. Retest, and I saw throttling working as expected! Turned off logging and tried again, now no throttling.

Upshot is that throttling only works if packets are being logged, otherwise it does nothing. Looks like a bug to me. The analyst is going to attempt to reproduce this problem and get back to me, I will post back what happens.

Thanks for the update. Let us know if the analyst confirms it.

TAC connected in again. Seems the problem was that I did not have any "real" access rules in place, just a "default action". It seems that with that configuration, QoS is not applied unless logging is on. Added a few proper rules, and everything works as expected.

Thanks for updating us.

That's good information to have filed away.
