I am trying to set up policing from 3 particular servers. The traffic that I want to limit is https (443) connections. The service policy rules that I have set up so far seem to have no effect at all. I'm using the traffic match criteria source and destination IP address, I have the source and destination configured, and I've tried several different services. Under rule actions, protocol selection is set to DCERPC selected, QoS is set to enable policing on input and output, rate is set to 250000.
What am I missing.
Do you have priority queueing enabled as well? This link may help you fix the problem:
NOTE 2: Priority queueing needs to be used with policing or traffic shaping. The reason is that unless the link that LLQ is saturated the packets will not be prioritized. Usually the interfaces of the ASA can be 100Mbps or 1Gbps or more, so saturating these links isn't something that will happen often . But implementing policing or traffic shaping along with LLQ actually makes LLQ kick in at the point the policing or shaping limits are met.
Hope that helps.
Please also send us the "sh run class-map", "sh run policy-map", "sh run service-policy" and the ACLs used in the class-maps in order to do a sanity check on the config.
I see the ACL lines being inactive. These will not be matching traffic.
Please put them in again without the inactive keyword.
You are applying your policy on the inside interface policing at 250kbps for traffic from your 172.... hosts to the 65.... hosts on port 443.
When the lines were active did you see hitcounts on them "sh access-list
do you want to policy https download from the hosts, or http uploads? If it is uploads the source port of the ACL should be https, and not the destination.
I hope it helps.