
ASA priority queue not working

Random44F
Level 1

Hi All.

I am going crazy with the hierarchical priority queuing on the ASA 5505.

Basically, here is an example of my setup, but when I use show service-policy interface outside (or the interface name), all the class defaults have their counters increased, apart from any of the priority queues.

class-map http
 match port tcp eq www
class-map https
 match port tcp eq https
class-map default
 match any
policy-map priority-policy
 class http
  priority
 exit
policy-map standard-policy
 class default
  shape average 200000 1600
  service-policy priority-policy
 exit
service-policy standard-policy interface outside

But all traffic does go through the normal queue, which is driving me mad.

When I type show service-policy priority, nothing comes up.

And when typing show service-policy interface outside, the counters for the priority classes do not increase.

Many thanks.

14 Replies

Julio Carvajal
VIP Alumni

Can you share the output of the following command:

show service-policy flow tcp host inside_ip host 4.2.2.2 eq 80

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks very much for this. Sorry for the delay, but here it is.

By the way, would I have to enable flow checking on the specific interface, and if so, how?

Interface x1:
  Service-policy:priority-policy
    Class-map: class-default
      Match: any
      Action:
        Output flow:  Shape average 200000 1600
        Output flow:  police input 2000000 2500 conform-action transmit exceed-action transmit
Interface x2
etc

But what is relevant to the traffic should be interface x1, which shows it, but with the wrong policy, the one which applies to all traffic, and not the specific policy which applies to the specific ports 80 and 443.

By the way, what is the output that I should expect to see from the flow command?

Also, why does it show both as output flow? One should be for download, which is the police (thus input), and one for upload, which is the shape command, but it shows both as output.

Also, what plays with my mind is: if the flow command is to tell you which policy the ASA is going to apply to it, why does it show the service policy from other interfaces, which will not apply to this traffic in any circumstances?

The way I have my bandwidth management set up is: I have applied the traffic management on the internal interface and not the internet one, thus upload here means download and vice versa, as the internal interface has to pass traffic through the internet interface.

You will not see the packets in the standard priority queue if you use hierarchical priority queuing. Priority packets are sent ahead of all others in your setup, but will not be seen in the counters of a show service-policy priority, as that queue is not used. Don't think there is a way to see the transmitted priority packets using this method; a little trust is involved.

You may be better off doing the following so you can be sure your required traffic is hitting the LLQ.


policy-map standard-policy
 class default
  shape average 200000 1600
 exit
policy-map priority-policy
 class http
  priority
 class https
  priority
  service-policy standard-policy
 exit
service-policy priority-policy interface outside

This will of course not shape the priority traffic but you will see the stats.

Using the priority queue is usually for VoIP etc., which is significantly less traffic than HTTP, so you should be sure you want to prioritise this over all else. If the standard priority queue is used, this will always be serviced first, and if you are sending loads of traffic to this queue you could starve all other comms through the ASA.

HTH

Andy

Thanks for this. I tried to put the standard queue under the priority queue as suggested, but it didn't work and returned:

ERROR: The service-policy (standard-policy) that is being installed contains actions other than 'priority'.  Only 'priority' is allowed in a child policy.

I have seen a guide on the internet which suggests the way I am doing it is correct, but obviously it is not.

If I take off the service-policy under the standard-policy, all priority queues disappear from the show service-policy, but when it is there the queues show up but the counter does not rise.

Also, it seems like I don't have to enable priority queue interface name in the global config for the hierarchical queue, as is the case with the standard/priority queue, so I have not enabled it, and I don't know if I am making a mistake or not. I did also enable it, but it did not make any difference.

Ah Nuts!

Sorry, my bad.

You will need to police the default class, not shape. This does have slightly different permutations in that it will drop traffic that exceeds the police parameter. It's going to be a little bit of a trade-off.

You can only shape all and nest priority within that shape.

so:

policy-map priority-policy
 class http
  priority
 class https
  priority
 class default   (you may need to use the built-in class-default class here, I cannot remember)
  police output 200000 1600
 exit
service-policy priority-policy interface outside

You cannot shape and use standard priority queueing on the same interface... you can only nest a priority policy in a shape policy, which will not use the standard priority queue.

HTH

Andy

Thanks for this.

I know, I did look at the Cisco document and read it all, and here is a quote from it:

"You cannot configure traffic shaping and standard priority queuing for the same interface; only hierarchical priority queuing is allowed."

This means if I use hierarchical priority queuing I can use shaping, which is what I am doing. Isn't that correct?

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_qos.html

Hi,

You are correct. But what you will not see is the standard priority queue stats, as this queue is not used in hierarchical priority queuing. You will not be able to see your priority packets, although the process is to send these within the shape first.

So if you shape and nest priority, the standard queue is not used, hence why you don't see any hits on the commands you are running. BUT - the ASA should be prioritising your traffic as required.

The config including policing above was to get stats into the priority queue for you to see the difference.

HTH

Andy

Thanks for taking the time and replying. I am trying to understand this standard vs hierarchical queuing and have a hard time grasping a concept which may be very easy.

Basically, I know that the ASA has two QoS modes, standard and hierarchical.

Standard has two queues, standard and priority, and no shaping is allowed.

Hierarchical has two queues, which are again normal and priority. So when you reference standard in the text above, is that a reference to the hierarchical standard queue or the basic model standard queue?

"But what you will not see is the standard priority queue stats as this queue is not used in hierarchical priority queuing"

I don't have a standard queue in my config; it is hierarchical, which has 2 queues of standard and priority.

What you are explaining is that the traffic is first shaped and then prioritised, hence why, if I have shaping, I cannot see the counter go up. I don't understand the comment which says "the standard queue is not used, hence why you don't see any hits on the commands you are running".

Thanks once again.

Hi,

Apologies for any confusion.

There are two queues per interface. One of these is the standard-priority queue and the other the default queue which you can optionally configure shaping or policing on. So with no service-policy configuration the default queue is used FIFO (first in first out).

You then have two methods of priority queuing. Standard or Hierarchical. Standard requires that packets are placed in the standard-priority queue and the rest of the traffic is placed in the default queue, which you can optionally police. You cannot shape in this scenario.

If you need to shape and use priority, hierarchical queuing is necessary, which means the standard-priority queue is not used at all. This is because of the way the standard-priority queue sits around the scheduler to deliver packets very quickly in an LLQ manner. If shaping or policing needed to happen in this queue, it would defeat the point, as it would need much more additional processing. All traffic is placed in the default queue with the necessary restrictions, but the scheduler will place the priority traffic identified within the hierarchy into the queue first.

So regardless of the methodology of priority queuing you are using, there are only ever two actual output queues on the interface. Unlike a 3750 switch, for example, which has four output queues.

Hope that makes things a little clearer. It's the terminology, I think. Think of the standard-priority queue as the LLQ and the default queue as the shape/policing queue. Then "standard priority" and "hierarchical priority" are methods to utilize these queues in different combinations. Policing and shaping need to be processed, so they don't touch the LLQ (standard-priority queue).

This is why you are getting the statistics you are when using hierarchical priority queuing, i.e. no hits in the standard-priority queue when you run "show priority-queue statistics".

if you run a:

hostname# show service-policy standard-policy

What do you see?

This should show you some info on the hierarchical service-policy in terms of packets transmitted in the nested class. I.E. in your original setup policy "priority-policy".

Cheers


Andy

Much appreciated and thank you. You explained it better than the Cisco book.

One thing though: based on my understanding, the hierarchical queue is processed even quicker than standard-priority, hence why nothing is logged. I know you mentioned that there are FIFO and LLQ queues, and that the standard and hierarchical queues are LLQ and are almost the same, but it looks like hierarchical is even higher compared to the standard queue.

If this is the case, why does Cisco show the queues but no increment on the data when shaping is enabled?

My ASA is 9.1(3) and does not support show service-policy standard-policy.

However, I tried show service-policy priority and it shows the priority queue which I have on another interface (it is simple, FIFO and priority) but shows nothing about hierarchical queues.

However, I do get some info about the hierarchical queue if I type show service-policy, as below:

Interface outside:
  Service-policy : standard-policy
    Class-map: class-default
      shape (average) cir 2000000, bc 20000
      Input police Interface outside:
        cir 2000000 bps, bc 2500 bytes
        conformed 480675 packets, 74135176 bytes; actions:  transmit
        exceeded 735 packets, 1036335 bytes; actions:  transmit
        conformed 1640 bps, exceed 0 bps
      (pkts output/bytes output) 215886/71418262
      (total drops/no-buffer drops) 0/0
      Service-policy: ITWireless-QOS-Priority
        Class-map: ITWireless-QOS-Priority-80
          priority
          Queueing
          queue limit 83 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
        Class-map: http
          priority
          Queueing
          queue limit 83 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
        Class-map: https
          priority
          Queueing
          queue limit 83 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
        Class-map: default
          Default Queueing
          queue limit 83 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 215896/71419176
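
An added example, not part of any post in this thread: a Python sketch that reads show service-policy text in the format posted above and lists the nested priority classes whose packet counter is still 0 while another class in the same policy is passing traffic. The sample is abridged from the posted output; the function names are hypothetical.

```python
import re

# Sample abridged from the "show service-policy" output posted above.
SAMPLE = """\
Interface outside:
  Service-policy : standard-policy
    Class-map: class-default
      shape (average) cir 2000000, bc 20000
      (pkts output/bytes output) 215886/71418262
      Service-policy: ITWireless-QOS-Priority
        Class-map: http
          priority
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
        Class-map: https
          priority
          (pkts output/bytes output) 0/0
        Class-map: default
          Default Queueing
          (pkts output/bytes output) 215896/71419176
"""

POLICY = re.compile(r"^\s*Service-policy\s*:\s*(\S+)")
CLASS = re.compile(r"^\s*Class-map:\s*(\S+)")
OUTPUT = re.compile(r"\(pkts output/bytes output\)\s*(\d+)/(\d+)")

def parse_classes(text):
    """Return one record per Class-map with its policy, priority flag and output counters."""
    classes, policy, current = [], None, None
    for line in text.splitlines():
        if m := POLICY.match(line):
            policy, current = m.group(1), None  # counters now belong to the next Class-map
        elif m := CLASS.match(line):
            current = {"policy": policy, "class": m.group(1),
                       "priority": False, "pkts": 0, "bytes": 0}
            classes.append(current)
        elif current is None:
            continue
        elif line.strip() == "priority":
            current["priority"] = True
        elif m := OUTPUT.search(line):
            current["pkts"], current["bytes"] = int(m.group(1)), int(m.group(2))
    return classes

def idle_priority_classes(text):
    """Priority classes showing 0 packets while a non-priority class in the same policy has traffic."""
    classes = parse_classes(text)
    busy = {c["policy"] for c in classes if not c["priority"] and c["pkts"] > 0}
    return [(c["policy"], c["class"]) for c in classes
            if c["priority"] and c["pkts"] == 0 and c["policy"] in busy]
```

Run against two captures taken a few minutes apart, the same parse shows whether any priority class counter moved between them.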



Which way are you testing this traffic? Into the outside interface or from the inside out? Do you have a quick diagram of your scenario?

Try "show service-policy shape", mostly the same info I think.

So your shape policy is outbound on the outside interface. If you are connecting to a web server on the inside, the policy would not be hit, but return traffic would be shaped due to the L4 port. Hierarchical priority queuing is egress only due to the parent shaper.

Just a quick ask at this juncture to understand a little more of what you are testing. Pictures and a thousand words and all that!

If you are using the hierarchical queueing method, you won't be using the LLQ, you will be using a tuned default queue. So the technically "slower" queue, due to the work performed to shape/buffer the traffic flow. LLQ or standard-priority queue is effectively a "shortcut".

Cheers

Andy

alieas007
Level 1

I had this same exact problem last month when I tried QoS; couldn't get anything in the shape priority queue. I ended up putting all my priority traffic into the standard priority LLQ queue and then policing the rest of the traffic to 1/5th of the pipe, but the result has been less than optimal. It seems that when the upload pipe gets saturated the LLQ traffic still suffers greatly. I wish I could get shaping to work; I hope somebody knows why...

Here it is.

Basically, outside is my internal network (don't ask why I have named it that way).

Internet is the real outside, so traffic goes through outside out to internet and then out.

http://i39.tinypic.com/2v167o1.jpg
