[ScreenOS] QoS shaping that exceeds the guaranteed bandwidth in policies leads to drop in traffic

Article ID: KB23597 KB Last Updated: 18 Dec 2017 Version: 4.0
Summary:
ScreenOS supports the QoS shaping feature, which is based on bandwidth that is configured in policies. Ingress and Egress guaranteed bandwidth will be assigned for each policy, after the first packet of the corresponding policy is received.

All of the guaranteed bandwidth, which is configured in the policies, must be below the bandwidth of the physical interface or configured maximum bandwidth. If the total configured guaranteed bandwidth in policies exceeds the bandwidth of the physical interface or configured maximum bandwidth, there may be a drop in the received packets.
Symptoms:
If the configured guaranteed bandwidth in policies exceeds the bandwidth of the physical interface or configured maximum bandwidth, some policies will not be able to assign guaranteed bandwidth.

For example:

Topology:
   Trust                                  Untrust
   [Host1]-------(eth0/0)[SSG140](eth0/1)-------[Host2]
Configuration:
set interface ethernet0/0 bandwidth egress mbw 1500 ingress mbw 0
set interface ethernet0/1 bandwidth egress mbw 1500 ingress mbw 0

set policy id 1 from "Trust" to "Untrust" "Any-IPv4" "Any-IPv4" "ANY" permit traffic gbw 1500
set policy id 2 from "Untrust" to "Trust" "Any-IPv4" "Any-IPv4" "ANY" permit traffic gbw 1500

 
If the first packet is received from Host1 (trust) to Host2 (untrust), policy 1 will assign the guaranteed bandwidth for both ingress and egress traffic, and it consumes all of the maximum bandwidth. Traffic for policy 1 will be transmitted. This can be verified via get policy id 1; the output shows that the tmng entries are created properly.

get policy id 1:
SSG140-> get policy id 1
name:"none" (id 1), zone Trust -> Untrust,action Permit, status "enabled"
src "Any-IPv4", dst "Any-IPv4", serv "ANY"
Rules on this VPN policy: 0
nat off, Web filtering : disabled
vpn unknown vpn, policy flag 00000000, session backup: on
traffic shaping on, scheduler n/a, serv flag 00
log no, log count 0, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 1184, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state on, gbw/mbw 1500/0 policing (no)
---------------------------------------------------------------
tmng (27): interface ethernet0/0 state on priority 7 < Created
bw usage [for last one second]: 0 kbps
pak queue(cur/max): 0/124
pak received: 4
pak dropped(out/shared): 0/0
PreShapingBytes (dropped/total): 0/296
diffserv-marking: 0x0
elapsed time: 3004 ms
gbw/mbw: 1500/0 (kbps)
gbw_q/mbw_q: 187/0
shared_tmng: 8
PostShapingBytes(total/borrowed):296/0
tokens (regular/borrowd): 0/0
token bucket (gbl/mbl): 187500/2128
tokens(gua/max): 187500/0
---------------------------------------------------------------
tmng (28): interface ethernet0/1 state on priority 7 < Created
bw usage [for last one second]: 0 kbps
pak queue(cur/max): 0/124
pak received: 4
pak dropped(out/shared): 0/0
PreShapingBytes (dropped/total): 0/296
diffserv-marking: 0x0
elapsed time: 3006 ms
gbw/mbw: 1500/0 (kbps)
gbw_q/mbw_q: 187/0
shared_tmng: 9
PostShapingBytes(total/borrowed):296/0
tokens (regular/borrowd): 0/0
token bucket (gbl/mbl): 187500/2128
tokens(gua/max): 187500/0
No Authentication
No User, User Group or Group expression set

 
If traffic from Host2 (untrust) to Host1 (trust), which uses policy 2, is received after policy 1 assigns the guaranteed bandwidth, it cannot be assigned the guaranteed bandwidth and the traffic queue will not be created. This can be verified via get policy id 2; the output shows that no tmng is created.

get policy id 2:
SSG140-> get policy id 2
name:"none" (id 2), zone Untrust -> Trust,action Permit, status "enabled"
src "Any-IPv4", dst "Any-IPv4", serv "ANY"
Rules on this VPN policy: 0
nat off, Web filtering : disabled
vpn unknown vpn, policy flag 00000000, session backup: on
traffic shaping on, scheduler n/a, serv flag 00
log no, log count 0, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 518, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state on, gbw/mbw 1500/0 policing (no)
No Authentication
No User, User Group or Group expression set
Cause:
  • This issue is due to configured guaranteed bandwidth exceeding the available bandwidth.

  • Even if both of the policies permit the same types of traffic, the total configured guaranteed bandwidth must be reduced to lower than the bandwidth of the physical interface or configured maximum bandwidth, for both ingress and egress traffic.
Solution:
It is required to reduce the total amount of configured guaranteed bandwidth in the policies. For example:


Topology:
   Trust                                  Untrust
   [Host1]-------(eth0/0)[SSG140](eth0/1)-------[Host2]

 
Configuration:
set interface ethernet0/0 bandwidth egress mbw 1500 ingress mbw 0
set interface ethernet0/1 bandwidth egress mbw 1500 ingress mbw 0

set policy id 1 from "Trust" to "Untrust" "Any-IPv4" "Any-IPv4" "ANY" permit traffic gbw 750
set policy id 2 from "Untrust" to "Trust" "Any-IPv4" "Any-IPv4" "ANY" permit traffic gbw 750
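
The condition described under Cause can be checked against a saved configuration before it is applied. The script below is an added example, not Juniper code: it sums the policy gbw values per interface and reports interfaces where the total exceeds the configured egress mbw. The zone-to-interface mapping is read off the topology diagram, and the per-interface accounting is a simplified model inferred from the tmng output above.

```python
import re
from collections import defaultdict

IFACE_RE = re.compile(r'^set interface (\S+) bandwidth egress mbw (\d+) ingress mbw (\d+)')
POLICY_RE = re.compile(r'^set policy id (\d+) from "([^"]+)" to "([^"]+)" .* traffic gbw (\d+)')

# Zone-to-interface binding read off the article's topology diagram (assumption:
# supplied by the caller, since the article's config excerpt does not show it).
ZONES = {"Trust": "ethernet0/0", "Untrust": "ethernet0/1"}

# Configuration lines copied from the article: failing case, then corrected case.
BROKEN = '''
set interface ethernet0/0 bandwidth egress mbw 1500 ingress mbw 0
set interface ethernet0/1 bandwidth egress mbw 1500 ingress mbw 0
set policy id 1 from "Trust" to "Untrust" "Any-IPv4" "Any-IPv4" "ANY" permit traffic gbw 1500
set policy id 2 from "Untrust" to "Trust" "Any-IPv4" "Any-IPv4" "ANY" permit traffic gbw 1500
'''
FIXED = BROKEN.replace("gbw 1500", "gbw 750")

def audit_gbw(config_text, zone_to_iface):
    """Return {interface: (total_gbw, mbw, policy_ids)} where total gbw exceeds mbw."""
    mbw = {}                      # interface -> configured egress mbw (kbps)
    reserved = defaultdict(list)  # interface -> [(policy id, gbw)]
    for line in config_text.splitlines():
        line = line.strip()
        m = IFACE_RE.match(line)
        if m:
            mbw[m.group(1)] = int(m.group(2))
            continue
        m = POLICY_RE.match(line)
        if m:
            pid, src, dst, gbw = int(m.group(1)), m.group(2), m.group(3), int(m.group(4))
            # Simplified model: a policy reserves its gbw on the interface of each zone
            # it touches, as the two tmng entries for policy 1 in the article show.
            for zone in {src, dst}:
                if zone in zone_to_iface:
                    reserved[zone_to_iface[zone]].append((pid, gbw))
    findings = {}
    for iface, items in reserved.items():
        limit = mbw.get(iface, 0)  # no configured mbw: physical rate not modelled, skip
        total = sum(g for _, g in items)
        if limit and total > limit:
            findings[iface] = (total, limit, sorted(p for p, _ in items))
    return findings

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit_gbw(cfg, ZONES) or "no oversubscribed interface")
```
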
Modification History:
2017-12-07: Article reviewed for accuracy. No changes made. Article is correct and complete.