05-13-2008 11:36 AM
We are trying to set up Traffic Shaping on a single policy. Here is what we tried:
1) Traffic-shaping mode - Auto
2) Loopback int - no special config (cannot add BW of int here)
3) Int that is Loopback member - Ingress/Egress BW of 8000Kbps
4) Policy from Untrust to MIP (HTTPS, SMTP) Trust, traffic shaping max of 1000Kbps, lowest priority, counting ON
We are trying to limit HTTPS traffic to our Exchange server because users are downloading public folder contents to their local Public Folder favorites. When there is an update to the contents of the folder, users are downloading around 1.0GB of data. Ping times to external hosts will come in at 700ms, and the Exchange server will use 7-9Mbps of bandwidth (traffic monitor program).
With the shaping enabled, ping times will drop to the normal 50-150ms, but then our VPNs will all go down, even though we can still ping the external VPN endpoint. We only want the shaping to be ON for this one policy, but for some reason it seems to affect our policy-based VPNs. I have gone through the documentation regarding traffic shaping (this is a first for us), and what we have tried seems to be the correct method. However, the examples given are usually only for a 3-policy system and they set up shaping on each policy. Also, I do not know if the loopback int is a possible source of issues.
Anyone have any ideas?
ScreenOS 5.4 R2.0
05-13-2008 02:32 PM
Can you tell me:
1) How many VPN connections are terminated on your NS-25? What is the average maximum BW for each VPN?
2) For traffic shaping two parameters are important: one is Guaranteed BW and the other is Maximum BW, and then priority (which is related to Maximum BW). What is the Guaranteed BW for HTTPS traffic?
3) Can you explain why you are using the loopback interface? I guess you defined NAT on the loopback interface and made the internet interfaces part of it.
4) When you disable traffic shaping on HTTPS traffic, are there no issues?
05-14-2008 06:44 AM
To answer your questions (as best I can):
1) 25 VPN connections, avg. max bandwidth for each one would only be 20-40Kbps
2) I did not enter a guaranteed BW for HTTPS, left it as 0. Priority was set to lowest.
3) You are correct, we have two physical interfaces that are members of the loopback, and we want to only have the one public IP for VPN termination (we also do NAT through the loopback as you mentioned)
4) Correct, other than the case where users are downloading the public folder data and it bogs down our entire network (as the HTTPS traffic will take 8-10Mbps of BW)
05-14-2008 07:20 AM
Ok, do the following:
1) In the HTTPS policy define Guaranteed BW (that's the value of BW which you want for HTTPS traffic) and give the same value in Maximum BW.
2) Monitor the BW given to the HTTPS policy by enabling counting in the HTTPS policy.
3) Also define the actual BW terminated on the untrust physical interfaces.
How many ISP links do you have?
How much BW on each link?
Are all ISP links part of the loopback interface?
Are you able to define BW on the loopback interface?
Let me know the outcome.
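As an added illustration (not from any post in this thread), the three steps above expressed as ScreenOS 5.x CLI commands, with the 8000Kbps link speed and 1000Kbps HTTPS limit taken from the original question. The interface name `ethernet3`, policy id `10` and the MIP address `203.0.113.10` are placeholders for this example; substitute the real untrust member interfaces and MIP, and check the result with `get policy id <n>` before relying on it. On ScreenOS, priority 0 is the highest and 7 the lowest.

```screenos
# Added example, not the poster's configuration. Placeholders: ethernet3, policy id 10, 203.0.113.10
set traffic-shaping mode auto

# Step 3: declare the real link capacity on each physical untrust member of the loopback
# (the loopback itself cannot carry a bandwidth setting, so each member gets its own)
set interface ethernet3 bandwidth egress mbw 8000 ingress mbw 8000

# Step 1 and 2: HTTPS policy with Guaranteed BW equal to Maximum BW (1000 Kbps),
# lowest priority (7), and counting enabled so the used bandwidth can be monitored
set policy id 10 from untrust to trust any MIP(203.0.113.10) https permit traffic gbw 1000 priority 7 mbw 1000 count

# verify the policy picked up the shaping parameters and the counter
get policy id 10
```

Setting gbw equal to mbw means the policy is neither starved by nor able to exceed 1000Kbps; the VPN policies, which carry no shaping settings, then contend only for what remains of the declared 8000Kbps on each member interface.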