Hello.
One of my clients has been trying to set up QoS properly for traffic handling/shaping based on firewall rules and traffic matching. This is so we can rate limit certain traffic to a specific traffic speed/cap based on destination so as not to exhaust the tiny pipe of 75Mbps.
There is an XG at both sides of the network, and we are trying to rate-limit traffic at one of the remote offices. The specific traffic we want to rate limit is over an IPSec point-to-point tunnel between the machines.
The rules were set up as follows in this ordering:
| SRC | DST | What/Svc | QoS Pri | QoS Guarantee-Limit |
| --- | --- | --- | --- | --- |
| LAN, 10.1.18.20 | VPN, 10.1.2.200, 10.1.2.206, 10.1.2.25 | Any | 1 | 30Mbps - 50Mbps Shared |
| LAN, 10.1.6.0/23 | VPN, 10.1.123.0/24 | RDP | 1 | |
| MGMT, Any Host | VPN, 10.1.2.20 | Any | 2 | 10Mbps-40Mbps * |
| Any Zone, Any Host | VPN, 10.1.2.20 | tcp/7447 | 4 | 10Mbps-40Mbps * |
| Any Zone, Any Host | VPN, Any | Any | 3 | 10Mbps-40Mbps * |
| VPN, MGMT, LAN | WAN, Any | Any | 7 | 10Mbps-40Mbps * |

\* Because of the different QoS priorities, each of the starred items is its own separate traffic shaping policy.
When we implemented these rules, however, we discovered that, in fact:
- Traffic between the two networks (local branch office and remote over the IPSec tunnel) failed to work for the QoS 3 rules - Windows systems remote-profile syncing across the VPN tunnel couldn't reach the profile shares server on the remote side with a timeout, and it broke Windows logons.
- Traffic within one of the *same* VLANs on the network appeared to cease flowing between systems on the same VLAN.
With regard to issue #2, it makes zero logical sense why traffic in the same VLAN, which does NOT pass through the firewall (therefore only the VLAN on the remote office side talking to itself), is breaking. Does anyone know if the QoS rules as defined (which we put ahead of all other rules - none of which have QoS rules - so we could 'test' and then 'disable' if the rules stopped working) would have contributed to intra-VLAN packet failures of this type?
As for #1, I can only attribute QoS filtration to this.
When all QoS rules were disabled, *everything* went back to normal functionality.
I can provide information and setup details here if necessary, though I'll have to sanitize it for my client's privacy.
Does anyone have any ideas what went wrong here?
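As an added example (not part of the original post, and not Sophos code), here is a small first-match simulation of the rule table above using Python's `ipaddress` module. On a real XG, zone membership comes from the interface a packet arrives on; the simulation approximates that with prefixes, and the MGMT subnet (10.1.99.0/24) and the 10.1.18.0/24 LAN segment are assumed values, since the post does not state them. It shows which policy each constructed flow lands in, that the MGMT rule wins over the tcp/7447 rule for management traffic because it sits earlier in the ordering, and that two hosts on the same VLAN never produce a match at all, which is why issue #2 cannot be explained by rule matching alone.

```python
"""First-match evaluation of the QoS firewall rules from the post (constructed model)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IPNet = ipaddress.IPv4Network


def nets(*cidrs: str) -> Tuple[IPNet, ...]:
    return tuple(ipaddress.ip_network(c, strict=False) for c in cidrs)


# Assumed zone-to-prefix mapping. On the XG zones are interface-based;
# prefixes are used here only so the simulation can classify addresses.
ZONES = {
    "LAN": nets("10.1.6.0/23", "10.1.18.0/24"),          # 10.1.18.0/24 assumed
    "MGMT": nets("10.1.99.0/24"),                        # assumed management subnet
    "VPN": nets("10.1.2.0/24", "10.1.123.0/24"),         # remote side over IPsec
    "WAN": nets("0.0.0.0/0"),
}
SERVICES = {"RDP": ("tcp", 3389), "tcp/7447": ("tcp", 7447)}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zones: Optional[frozenset]        # None = Any Zone
    src_hosts: Tuple[IPNet, ...]          # () = Any Host
    dst_zones: Optional[frozenset]
    dst_hosts: Tuple[IPNet, ...]
    service: Optional[Tuple[str, int]]    # None = Any service
    priority: int
    shaping: Optional[str]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# The six rules from the post, in the order they were configured.
RULES = [
    Rule("profile-server", frozenset({"LAN"}), nets("10.1.18.20/32"), frozenset({"VPN"}),
         nets("10.1.2.200/32", "10.1.2.206/32", "10.1.2.25/32"), None, 1, "30-50 Mbps shared"),
    Rule("rdp", frozenset({"LAN"}), nets("10.1.6.0/23"), frozenset({"VPN"}),
         nets("10.1.123.0/24"), SERVICES["RDP"], 1, None),
    Rule("mgmt-to-host", frozenset({"MGMT"}), (), frozenset({"VPN"}),
         nets("10.1.2.20/32"), None, 2, "10-40 Mbps"),
    Rule("tcp7447", None, (), frozenset({"VPN"}), nets("10.1.2.20/32"),
         SERVICES["tcp/7447"], 4, "10-40 Mbps"),
    Rule("any-to-vpn", None, (), frozenset({"VPN"}), (), None, 3, "10-40 Mbps"),
    Rule("to-wan", frozenset({"VPN", "MGMT", "LAN"}), (), frozenset({"WAN"}), (), None, 7, "10-40 Mbps"),
]


def zone_of(ip: str) -> Optional[str]:
    """Longest-prefix zone lookup, so the WAN catch-all only wins when nothing else does."""
    addr = ipaddress.ip_address(ip)
    best = None
    for zone, prefixes in ZONES.items():
        for net in prefixes:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (zone, net.prefixlen)
    return best[0] if best else None


def same_segment(a: str, b: str) -> bool:
    """True when both hosts sit in one directly attached prefix: that traffic never transits the firewall."""
    aa, bb = ipaddress.ip_address(a), ipaddress.ip_address(b)
    return any(aa in net and bb in net
               for zone, prefixes in ZONES.items() if zone != "WAN"
               for net in prefixes)


def _hosts_ok(ip: str, hosts: Tuple[IPNet, ...]) -> bool:
    return not hosts or any(ipaddress.ip_address(ip) in n for n in hosts)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.src_zones is not None and zone_of(flow.src) not in rule.src_zones:
        return False
    if rule.dst_zones is not None and zone_of(flow.dst) not in rule.dst_zones:
        return False
    if not _hosts_ok(flow.src, rule.src_hosts) or not _hosts_ok(flow.dst, rule.dst_hosts):
        return False
    return rule.service is None or rule.service == (flow.proto, flow.dport)


def first_match(flow: Flow, rules=RULES) -> Optional[Rule]:
    """Top-down evaluation, first hit wins; intra-segment flows return None (the firewall never sees them)."""
    if same_segment(flow.src, flow.dst):
        return None
    return next((r for r in rules if rule_matches(r, flow)), None)


if __name__ == "__main__":
    # Constructed sample flows: profile share, RDP, management, web egress, and an intra-VLAN copy.
    for f in [Flow("10.1.18.20", "10.1.2.200", "tcp", 445), Flow("10.1.6.10", "10.1.123.5", "tcp", 3389),
              Flow("10.1.6.10", "10.1.2.200", "tcp", 445), Flow("10.1.99.5", "10.1.2.20", "tcp", 7447),
              Flow("10.1.6.10", "203.0.113.10", "tcp", 443), Flow("10.1.6.10", "10.1.6.11", "tcp", 445)]:
        r = first_match(f)
        print(f"{f.src}->{f.dst} {f.proto}/{f.dport}: "
              + (f"{r.name} (pri {r.priority}, {r.shaping})" if r else "no rule: never reaches the firewall"))
```

Reading the output for the third flow is the useful part: ordinary LAN hosts reaching the profile share on 10.1.2.200 do not hit the 30-50 Mbps rule (that one is pinned to source 10.1.18.20), they fall through to the priority-3 catch-all, which is the policy the post reports as failing.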