Sophos XG QoS Headaches

Hello.

One of my clients has been trying to set up QoS properly for traffic handling/shaping based on firewall rules and traffic matching.  This is so we can rate limit certain traffic to a specific traffic speed/cap based on destination so as not to exhaust the tiny pipe of 75Mbps.

There is an XG at both sides of the network, and we are trying to rate-limit traffic at one of the remote offices.  The specific traffic we want to rate limit is over an IPSec point-to-point tunnel between the machines.

The rules were set up as follows in this ordering:

| SRC | DST | What/Svc | QoS Pri | QoS Guarantee-Limit |
|---|---|---|---|---|
| LAN, 10.1.18.20 | VPN, 10.1.2.200, 10.1.2.206, 10.1.2.25 | Any | 1 | 30Mbps - 50Mbps Shared |
| LAN, 10.1.6.0/23 | VPN, 10.1.123.0/24 | RDP | 1 | (shared with the row above) |
| MGMT, Any Host | VPN, 10.1.2.20 | Any | 2 | 10Mbps-40Mbps * |
| Any Zone, Any Host | VPN, 10.1.2.20 | tcp/7447 | 4 | 10Mbps-40Mbps * |
| Any Zone, Any Host | VPN, Any | Any | 3 | 10Mbps-40Mbps * |
| VPN, MGMT, LAN, Any | WAN, Any | Any | 7 | 10Mbps-40Mbps * |

* Because of the different QoS priorities each of the starred items is its own separate traffic shaping policy


When we implemented these rules, however, we discovered that, in fact:

  1. Traffic between the two networks (local branch office and remote over the IPSec tunnel) failed to work for the QoS 3 rules - Windows systems' remote-profile syncing across the VPN tunnel couldn't reach the profile share server on the remote side (it timed out), and this broke Windows logons.
  2. Traffic within one of the *same* VLANs on the network appeared to cease flowing between systems on that VLAN.

With regard to issue #2, it makes zero logical sense that traffic in the same VLAN, which does NOT pass through the firewall (i.e. the VLAN on the remote office side is only talking to itself), is breaking.  Does anyone know if the QoS rules as defined (which we put ahead of all other rules - none of which have QoS rules - so we could 'test' and then 'disable' them if the rules stopped working) would have contributed to intra-VLAN packet failures of this type?

As for #1, I can only attribute QoS filtration to this.

When all QoS rules were disabled, *everything* went back to normal functionality.


I can provide information and setup details here if necessary, though I'll have to sanitize it for my client's privacy.


Does anyone have any ideas what went wrong here?
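The rule table above is evaluated top to bottom, first match wins, so which shaping policy a flow lands on depends on rule order and on how broad each match is. The script below is an added example, not part of the thread or of Sophos' software: it replays the poster's six rules in order against constructed flows. Zone membership, the MGMT subnet, the WAN fallback and RDP = tcp/3389 are assumptions; the thread only names the hosts and subnets used in the rules.

```python
import ipaddress

# Constructed zone map (assumption): the thread names these hosts/subnets but
# not the full zone membership. Anything outside these zones is treated as WAN.
ZONES = {
    "LAN": ["10.1.18.0/24", "10.1.6.0/23"],
    "MGMT": ["10.1.99.0/24"],            # hypothetical management subnet
    "VPN": ["10.1.2.0/24", "10.1.123.0/24"],
}
ANY = None                               # wildcard for zone, host or service

# Rules in the poster's order:
# (name, src_zones, src_hosts, dst_zones, dst_hosts, service, priority, policy)
RULES = [
    ("r1", {"LAN"}, ["10.1.18.20"], {"VPN"}, ["10.1.2.200", "10.1.2.206", "10.1.2.25"], ANY, 1, "30-50Mbps shared"),
    ("r2", {"LAN"}, ["10.1.6.0/23"], {"VPN"}, ["10.1.123.0/24"], ("tcp", 3389), 1, "30-50Mbps shared"),  # RDP
    ("r3", {"MGMT"}, ANY, {"VPN"}, ["10.1.2.20"], ANY, 2, "10-40Mbps"),
    ("r4", ANY, ANY, {"VPN"}, ["10.1.2.20"], ("tcp", 7447), 4, "10-40Mbps"),
    ("r5", ANY, ANY, {"VPN"}, ANY, ANY, 3, "10-40Mbps"),
    ("r6", {"VPN", "MGMT", "LAN"}, ANY, {"WAN"}, ANY, ANY, 7, "10-40Mbps"),
]

def zone_of(ip):
    """Map an address to a zone; unlisted addresses count as WAN (assumption)."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in ipaddress.ip_network(n, strict=False) for n in nets):
            return zone
    return "WAN"

def host_ok(ip, hosts):
    """ANY matches everything; entries may be single hosts or CIDR blocks."""
    if hosts is ANY:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(h, strict=False) for h in hosts)

def first_match(src, dst, proto, dport):
    """Return (rule, priority, policy) for the first rule the flow hits, or None."""
    for name, sz, sh, dz, dh, svc, prio, policy in RULES:
        if sz is not ANY and zone_of(src) not in sz:
            continue
        if dz is not ANY and zone_of(dst) not in dz:
            continue
        if not host_ok(src, sh) or not host_ok(dst, dh):
            continue
        if svc is not ANY and svc != (proto, dport):
            continue
        return (name, prio, policy)
    return None   # no shaping rule applies (e.g. traffic that stays inside one VLAN)

if __name__ == "__main__":
    for flow in [("10.1.18.20", "10.1.2.200", "tcp", 445),   # profile share over the tunnel
                 ("10.1.6.10", "10.1.2.20", "tcp", 7447),    # LAN, not MGMT, so r3 is skipped
                 ("10.1.6.5", "10.1.6.9", "tcp", 445)]:      # same VLAN, never reaches a rule
        print(flow, "->", first_match(*flow))
```

Running it shows that the intra-VLAN flow matches no rule at all, which is the poster's point that these rules should never have touched same-VLAN traffic.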

  • Hi  

    Thank you for providing a detailed description of the issue.

    QoS should not block traffic or communication when it's applied on firewall rules. This seems to be strange behavior.

    The issue requires further investigation; I would request that you contact technical support and open a service request.

    Please PM us the service request number.

  • We spent a few hours on the phone with Sophos Support and managed to figure this one out.  We *think* the application and web controls added on top of the QoS were interfering.  Removing those and reactivating the rules (off/on) seems to have fixed the issue for now.

  • In reply to Thomas Ward:

    Hi  

    Thank you for sharing details, it will help other community members.