IPSec Tunnel QoS

Not applicable

I have a PA-2050 running 4.0.7. I have an IPSec tunnel that runs between 2 sites (one is a Palo, the other is ??)

I would like to guarantee some level of bandwidth available for this tunnel, to ensure that it gets a level of priority at least over basic web and streaming traffic.

I'm confused about how to assign this priority.

Here's what I've done, based on the doc "How to Configure Quality of Service (QOS)" for PanOS 3.0.0 and above.

I've created a QoS policy called "Bandwidth Guarantee", with the source zone being "Untrust" and the source IP being the Internet IP of the remote site. The "Destination" zone is also "Untrust", with my Internet-facing IP as the "Destination address". I've added IPSec and IKE as the applications this guarantee applies to. I assigned it to "Class 1".

Next, I created a QoS network profile called "Rate Guarantee" and assigned Class 1 a "Guaranteed Egress" of 50 Mbps, a "Maximum Egress" of 100 Mbps, and a priority of "Real Time".

Finally, for network QoS I added my Internet-facing Ethernet interface (ethernet1/1), enabled QoS, assigned "Clear Text" traffic the default QoS policy, and assigned the "Tunnel Interface Default Profile" to "Rate Guarantee".

Now, I would expect that once I committed this config, I would be able to look at the QoS statistics and see the traffic from my tunnel being applied to Ethernet1/1...Tunnel Traffic...tunnel1.1...Class 1. However, I see nothing being applied, even though the tunnel is up and functioning.

I'm sure I'm missing something. What am I missing?

L6 Presenter

QoS is applied to the egress interface.

So if you are trying to guarantee bandwidth to your internal users then you would want to apply this policy to your internal trusted interface with the source zone being the zone applied to the tunnel.

-Benjamin

L2 Linker

bpappas - Please excuse me if I'm wrong, and David certainly correct me if I am, but I think David is asking how to guarantee bandwidth for his IPSec tunnel, not necessarily the traffic that flows over that tunnel. The reason I say I think that's what he's after is that it is exactly what I'm after as well. I want to be able to set QoS such that the IPSec tunnel will always have enough bandwidth to stay up, as we've seen circuits get so saturated that the entire tunnel will drop. At least that's how I read David's question. If I am wrong, please respond to my question as well. Thanks - Jay

L6 Presenter

Since you can set up QoS in PAN using App-IDs, I think it should work to add a QoS rule that will prioritize ipsec (or the subtypes ipsec-ah, ipsec-esp, ipsec-esp-udp, and ike, depending on your needs) for the physical interface.

The tricky part here is that QoS only works for egress traffic. To get QoS for incoming ipsec traffic you would need to do the equivalent in the switch/router to which your PAN is connected.

Not applicable

That's exactly what I'm going for, Jay, thanks.