Tim_Bernat
Contributor

Internet link QoS bandwidth limiting not working on 620 Appliance

Hi All,

I have tried using the bandwidth limiting (is that actually policing or shaping?) on a couple of our 600 appliances but without success. Seems simple enough, but just to be sure I checked with the Appliance Administration Guide:

QoS Settings (bandwidth control) - supported in IPv4 connections only
To enable QoS bandwidth control for download and upload for this specified connection, select the
applicable Enable QoS (download) and/or Enable QoS (upload) checkboxes. Enter the maximum
Kbps rates for the selected options as provided by your ISP for the Internet upload and download
bandwidth.
Make sure that the QoS blade has been turned on. You can do this from Home > Security
Dashboard > QoS > ON.

All the commands are accepted, but seemingly nothing happens; I can't see anything in either of the logs.

I tried different values, high and low, but no change on the devices:
Policing on the Internet link.PNG

I know 100 bit is a bit silly, but this was just to make a point. I have also tried other higher rates :  )

End user devices still can pull what they usually can:

500KB download speed actual.PNG

On one of the appliances I saw this error after enabling the QoS blade, but I have tried a different one: no error, but no limiting.

CP600 qos error.PNG

Can you suggest anything? We have a lot of these and this option would be really useful. 

Cheers, Tim 

0 Kudos
7 Replies
PhoneBoy
Admin

0 Kudos
Tim_Bernat
Contributor

Hi Dameon,

thank you for your reply. I have swapped out that device and don't get the error anymore. I have actually tried 2 devices (no errors) but the policing doesn't happen. I can't see anything useful in the logs either. 

Can you think of anything else? 

The blade is active and licensed, and QoS is set in the Internet connections advanced section (as per the screen). According to the user guide, this should be throttling the bandwidth.

I am testing this on a 3.8Mb link, and no matter what I set on the device, I can still max out the link no problem.

Thank you, Tim 

0 Kudos
Aidan_Luby
Collaborator

Have you tried configuring any QOS rules in the QOS Rulebase to throttle specific things? If that works then you should be able to make a rule that includes all traffic.

0 Kudos
Tim_Bernat
Contributor

Hi Aidan,

thank you, yes, I have tried something like that (in various ways):

CP600QoSpolicy.PNG

Am I missing something? I also can't see anything in the Security logs; the system log does record the QoS policy change. 

Regardless of these manual QoS rules, has anybody managed to get it to work using only the Internet connection Edit menu?

Thanks for any advice.


Thanks, Tim

 

0 Kudos
HristoGrigorov

Just forget about limiting Inbound traffic. It is technically difficult to do.

Do not use Any - Any - Any rule for tests. Use something like Internal - Internet - Web.

Traffic shaper has never worked well on slow speeds.

Traffic shaping on SMB is overkill and you should really not be using it at all.  

0 Kudos
Tim_Bernat
Contributor

Hi @HristoGrigorov,

thank you for your reply. 

Yes, I have read that somewhere about inbound traffic, but since the option was there, I thought it was worth trying. Do you know why that is the case? In reality this is what we are most interested in; we have a couple of sites with very bad connections (a couple of Mb or even less) and wanted to use policing to avoid the tunnels going down/links becoming unusable.  

I think what I would really like, is a way (that QoS setting on the Internet link seemed perfect) to limit the available bandwidth of the Internet uplink. 

I have adjusted the rules to:

Inside - Any - Web

and

Any - Inside - Web

I understand that the second inbound traffic line is a lost cause?

Anyways, in the Guarantee/Limit column, if I do 0/90%, will that drop 90% or 10% of the traffic? I tried both and don't see any difference.

I understand that it may be overkill on these 600 appliances but if the functionality is there, I would at least like to know how to use it. 

Thanks for any advice, Tim 

0 Kudos
HristoGrigorov

As you may know, traffic shaping is essentially traffic delaying by means of buffering excess packets and releasing them on a schedule that shall achieve the desired speed restrictions. This implies use of more memory and higher CPU, which is an area where SMBs are quite limited. Hence why it is not recommended to enable QoS on these devices.

Low traffic shaping limits usually require large processing buffers. That's why they are not recommended on systems with limited resources. 

While we talk about traffic shaping we shall not forget that QoS is also capable of traffic prioritizing in order to guarantee some applications (such as VoIP) the low latency they need to operate properly.

For the outbound traffic, shaping makes sense and shall work even on SMB providing you have set properly interface limits and QoS policy. 

For the inbound traffic, shaping makes no sense (except if you are an ISP) because packets have already arrived on the interface and delaying them does not bring any useful benefit. However, traffic prioritizing makes sense here as well. QoS on inbound traffic is good in case of VoIP or other low latency traffic.

It is worth mentioning that as most traffic (broadcast and multicast excluded) sessions are duplex, by limiting the outbound traffic you are also limiting the inbound one.

The difference between Guarantee and Limit is apparent - the first one is a weight ratio that limits lower value to not less than XX% (the avail. bandwidth) and no restriction on the upper one. The Limit on the other hand is a restriction on the upper limit and is usually a fixed value (say 1Mbps).

You could try to play with preset interface limits and also disable SecureXL temporarily to see if that will make any difference. If your SMB is constantly bombarded with outbound traffic you could think of offloading traffic shaping job to a more capable device deployed right before the gateway. These devices are just not built for such things. Security and connectivity in one place has its price you know...

0 Kudos
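Added example, not part of any reply in this thread: a small Python simulation of the policing-versus-shaping distinction asked about in the first post and of the buffering cost described in the reply above. The 3.8 Mbit/s burst matches the link speed mentioned in the thread; the packet count, packet size, bucket depth and target rates are constructed values, and the code does not model the appliance's actual QoS engine.

```python
from collections import deque

def burst(n, size, line_rate_bps):
    """Constructed workload: n packets of `size` bytes back to back at line rate."""
    gap = size * 8 / line_rate_bps
    return [(i * gap, size) for i in range(n)]

def police(arrivals, rate_bps, bucket_bytes):
    """Token-bucket policer: out-of-profile packets are dropped, never queued."""
    tokens, last, sent, dropped = float(bucket_bytes), 0.0, 0, 0
    for t, size in arrivals:
        tokens = min(bucket_bytes, tokens + (t - last) * rate_bps / 8)
        last = t
        if tokens >= size:
            tokens -= size
            sent += size
        else:
            dropped += size
    return {"sent": sent, "dropped": dropped}

def shape(arrivals, rate_bps):
    """Shaper: excess packets wait in a FIFO and are released at rate_bps."""
    fifo = deque()                 # (departure_time, size) still buffered
    free_at, queued, peak, max_delay = 0.0, 0, 0, 0.0
    for t, size in arrivals:
        while fifo and fifo[0][0] <= t:      # packets already released
            queued -= fifo.popleft()[1]
        depart = max(t, free_at) + size * 8 / rate_bps
        free_at = depart
        fifo.append((depart, size))
        queued += size
        peak = max(peak, queued)
        max_delay = max(max_delay, depart - t)
    return {"dropped": 0, "peak_queue_bytes": peak, "max_delay_s": max_delay}

if __name__ == "__main__":
    pkts = burst(200, 1500, 3_800_000)       # 3.8 Mbit/s, as in the thread
    print("police 1 Mbit/s:", police(pkts, 1_000_000, 3000))
    for rate in (1_000_000, 100_000):
        print(f"shape {rate} bit/s:", shape(pkts, rate))
```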