Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Traffic shaping on the tunnel interface

0

0

Article ID: KB9937 KB Last Updated: 19 Jun 2010Version: 3.0
Summary:
Problem with route-based VPN traffic with traffic shaping enabled on the policy. 

 

Symptoms:

With a route-based VPN, if the tunnel interface is in the Untrust zone and a policy is required to control the traffic from the Trust to Untrust zones, traffic shaping may not work on those policies in the following condition:

  • Ingress and Egress bandwidth allocated on the outgoing interface is set to 1544
  • On the policy which controls the VPN traffic, the guaranteed bandwidth of 512kbps is configured with priority 1
  • The traffic across the VPN fails even though the VPN is UP
The problem here is that 1544 kbps has been allocated on the egress interface.   The tunnel interface is the virtual interface.
When the firewall does a route lookup, the outgoing interface for the VPN traffic is tunnel.1.  Hence the bandwidth configured on the egress interface does not apply to the tunnel interface.

The policy will not be able to guarantee the bandwidth.

Event logs report the following:

## 2007-06-14 22:31:06 : shaper: warning, not enough bandwidth (<512) at (tunnel.1)
## 2007-06-14 22:31:06 : shaper: packet dropped by 'null' tmng
 
Solution:
In ScreenOS 5.3 and above, there is the ability to put traffic shaping on the virtual interfaces, such as tunnel interfaces.

Therefore, in this scenario with the route-based VPN, the route lookup on the firewall points the traffic to the tunnel.1 interface.  Since their traffic is mainly VPN traffic matching the tunnel interface tunnel.1, the ingress and egress bandwidth on the tunnel interface can be configured.  For example, 512Kbps MBW can be assigned to the tunnel.1 interface, instead of configuring it on the policy:
set interface tunnel.1 bandwidth ingress mbw 512
set interface tunnel.1 bandwidth egress mbw 512


Note:  The following debugs are helpful for verifying the problem too: 
undebug all
debug shaper all
undebug shaper token
(attempt passing traffic)
undebug all  (to stop debugs from overwriting circular debug buffer)
get db stream  (to see output of debug buffer)
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search