SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  per-unit-scheduler breaks IPsec VPN?

    Posted 07-02-2014 02:21

    Hi everybody,

     

    yesterday I configured a simple QoS on a SRX210. I thought this should be no big deal, but I was wrong... This is my QoS config:

     

    interfaces {
        ge-0/0/0 {
            per-unit-scheduler;
            unit 0 {
                family inet {
                    filter {
                        input bandwidth-management;
                        output bandwidth-management;
                    }
                }
            }
        }
    }
    policy-options {
        prefix-list preferred-hosts-4-10mbit {
            193.xxx.xxx.21/32;
            193.xxx.xxx.22/32;
            193.xxx.xxx.23/32;
        }
    }
    class-of-service {
        forwarding-classes {
            queue 4 bandwidth-10mb;
            queue 5 bandwidth-5mb;
        }
        interfaces {
            ge-0/0/0 {
                unit 0 {
                    scheduler-map bandwidth-limit;
                    shaping-rate 15m;
                }
            }
        }
        scheduler-maps {
            bandwidth-limit {
                forwarding-class bandwidth-10mb scheduler scheduler-10mb;
                forwarding-class bandwidth-5mb scheduler scheduler-5mb;
            }
        }
        schedulers {
            scheduler-10mb {
                transmit-rate {
                    10m;
                    exact;
                }
                priority high;
            }
            scheduler-5mb {
                transmit-rate {
                    5m;
                    exact;
                }
            }
        }
    }
    firewall {
        family inet {
            filter bandwidth-management {
                term 0 {
                    from {
                        destination-prefix-list {
                            preferred-hosts-4-10mbit;
                        }
                    }
                    then {
                        count bw-10mb;
                        forwarding-class bandwidth-10mb;
                        accept;
                    }
                }
                term 1 {
                    then {
                        count bw-5mb;
                        forwarding-class bandwidth-5mb;
                        accept;
                    }
                }
            }
        }
    }

    My main problem is that Client-2-Site VPN tunnels fail with a Phase 2 error after applying this configuration. I figured out that the Client-2-Site tunnels work again when I remove "per-unit-scheduler" from the interface config. If I re-apply "per-unit-scheduler", the Client-2-Site tunnels fail again.

     

    Jul  2 06:24:05  srx-firewall kmd[1441]: IKE Phase-2: Failed to match the peer proxy IDs [p2_remote_proxy_id=ipv4_subnet(any:0,[0..7]=0.0.0.0/0), p2_local_proxy_id=ipv4(any:0,[0..3]=10.10.10.208)] for local ip: 10.0.0.1, remote peer ip:109.41.xxx.xxx

     Any idea why this happens?

     

    Thanks for advice.



  • 2.  RE: per-unit-scheduler breaks IPsec VPN?

    Posted 07-03-2014 12:47

    I think that you could give it a try and explicitly define schedulers / scheduler-map for the default queues - 0 and 3. I do not think you can skip them in your config - IMO traffic still goes into those queues and will not be dequeued correctly without proper definition and some bandwidth assigned.

     

    Regards,

    Pawel Mazurkiewicz



  • 3.  RE: per-unit-scheduler breaks IPsec VPN?

    Posted 07-05-2014 01:02

    Hello Pawel,

     

    thanks for your reply. I saw that all traffic went to my two bandwidth-management queues. What irritates me is the Phase 2 error that no valid proxy ID was found. I see no relation to QoS and per-unit-scheduler here.



  • 4.  RE: per-unit-scheduler breaks IPsec VPN?

    Posted 07-07-2014 00:50

    Hi Patrick,

     

    Could you post the output of 'show class-of-service' and 'show interfaces extensive' of the device that is just experiencing the problem (i.e. with per-unit-scheduler configured and VPN failing), please?

     

    Regards,

    Pawel Mazurkiewicz

     



  • 5.  RE: per-unit-scheduler breaks IPsec VPN?

    Posted 07-07-2014 04:11

    This is odd, I wonder if your CoS policy is dropping something crucial to the tunnel negotiation?  It's a long shot, but:

     

    A couple of questions:

     

    - Is the IPSEC tunnel sourced from your ge-0/0/0 interface or somewhere else?

    - What is the output of the following command on the egress interface of the IPSEC tunnel, e.g. not st0.0 but the underlying "external-interface" defined in your IKE gateway:

     

    show interfaces queue <external-interface> egress forwarding-class bandwidth-5mb
    

     

    There are a few bits in your CoS policy that won't work.  

     

    For example - you're applying the firewall filter to both input and output on the interface, but it matches only when traffic has a destination-prefix from your list - this will only be true for input or output (hard to tell without seeing your route table), but never both, so you'll end up with 10Mbps in one direction, and 5 in the other.

     



  • 6.  RE: per-unit-scheduler breaks IPsec VPN?

    Posted 08-05-2014 06:13

    Hello Ben,

     

    thanks for your reply. I had some time to play a bit with the config. First of all: you're right about the input & output direction. One very interesting thing is that I had no problems when applying the config to a Firefly Perimeter. Even with "per-unit-scheduler" the tunnel was created.

     

    What would you recommend in respect of the filter? I have to restrict traffic to and from these hosts to 10Mb/s. Any other traffic should use the remaining bandwidth.

     

    Thanks for advice.



  • 7.  RE: per-unit-scheduler breaks IPsec VPN?
    Best Answer

    Posted 08-05-2014 16:33

    Hi Patrick,

     

    You would be best served creating two distinct filters (Input and Output) that reference the same prefix list, but as source and destination.  Something like:

     

    Input Filter - Applied to Ingress interface (not tunnel-side), limit traffic destined to prefix-list to 10Mbps

    Output Filter - Applied to Egress interface (not tunnel-side), limit traffic sourced from prefix-list to 10Mbps

     

    I don't think either will work on the tunnel interface or underlying interface, because the source/destination IP will be obfuscated by IPSEC.

     

    You may run into issues though if you have multiple interfaces heading for the IPSEC tunnel.

     

    Hope this helps
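
    The configuration below is an added example written for this thread; it is not Patrick's config and not something Ben or Pawel posted. It combines the two suggestions above: Pawel's advice (post 2) to give the default queues 0 (best-effort) and 3 (network-control) explicit schedulers, and Ben's two-filter plan (post 7) that reuses the same prefix list once as destination and once as source, applied only on the non-tunnel side. Assumptions: ge-0/0/0 is the upstream interface toward the 193.xxx.xxx.x hosts as in the original post, ge-0/0/1 is a hypothetical LAN interface, and the filter and scheduler names are chosen here. The scheduler-map is attached at the physical-interface level under class-of-service, which does not need the "per-unit-scheduler" statement; whether that also avoids the Phase 2 failure seen in this thread is not something the thread establishes.

```junos
policy-options {
    prefix-list preferred-hosts-4-10mbit {
        193.xxx.xxx.21/32;
        193.xxx.xxx.22/32;
        193.xxx.xxx.23/32;
    }
}
firewall {
    family inet {
        /* Input filter: LAN traffic going TO the preferred hosts (destination match) */
        filter to-preferred-hosts {
            term preferred {
                from {
                    destination-prefix-list {
                        preferred-hosts-4-10mbit;
                    }
                }
                then {
                    count to-preferred;
                    forwarding-class bandwidth-10mb;
                    accept;
                }
            }
            term everything-else {
                then {
                    forwarding-class best-effort;
                    accept;
                }
            }
        }
        /* Output filter: traffic coming FROM the preferred hosts (source match) */
        filter from-preferred-hosts {
            term preferred {
                from {
                    source-prefix-list {
                        preferred-hosts-4-10mbit;
                    }
                }
                then {
                    count from-preferred;
                    forwarding-class bandwidth-10mb;
                    accept;
                }
            }
            term everything-else {
                then {
                    forwarding-class best-effort;
                    accept;
                }
            }
        }
    }
}
interfaces {
    /* Hypothetical LAN interface: both filters live here, not on st0.0 or ge-0/0/0 */
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input to-preferred-hosts;
                    output from-preferred-hosts;
                }
            }
        }
    }
}
class-of-service {
    forwarding-classes {
        queue 4 bandwidth-10mb;
    }
    /* Scheduler-map on the physical interfaces, so per-unit-scheduler is not required */
    interfaces {
        ge-0/0/0 {
            scheduler-map bandwidth-limit;
        }
        ge-0/0/1 {
            scheduler-map bandwidth-limit;
        }
    }
    scheduler-maps {
        bandwidth-limit {
            forwarding-class bandwidth-10mb scheduler scheduler-10mb;
            forwarding-class best-effort scheduler scheduler-remainder;
            forwarding-class network-control scheduler scheduler-control;
        }
    }
    schedulers {
        /* Hard 10 Mb/s cap for the preferred hosts in either direction */
        scheduler-10mb {
            transmit-rate {
                10m;
                exact;
            }
            priority high;
        }
        /* Queue 0: whatever bandwidth is left over, as requested in post 6 */
        scheduler-remainder {
            transmit-rate remainder;
            priority low;
        }
        /* Queue 3: keep a small guaranteed share for control traffic */
        scheduler-control {
            transmit-rate percent 5;
            priority high;
        }
    }
}
```

    The input filter classifies traffic toward the hosts as it enters the LAN side, and the cap is then enforced by the scheduler on ge-0/0/0 where that traffic leaves; the output filter classifies replies from the hosts as they exit the LAN side, so ge-0/0/1 needs the same scheduler-map. As Ben notes, if several inside interfaces feed the tunnel, the input filter has to be applied on each of them. After commit, "show interfaces queue ge-0/0/0 egress forwarding-class bandwidth-10mb" (the command form Ben gives in post 5) shows whether packets are actually landing in queue 4.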



  • 8.  RE: per-unit-scheduler breaks IPsec VPN?

    Posted 08-06-2014 02:24

    Hi Ben,

     

    sounds like a plan. Thanks for your help!