PA-3020 - PANOS 5.0.6 - Can't confgure QOS with source address

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PA-3020 - PANOS 5.0.6 - Can't confgure QOS with source address

L0 Member

Hello,

The node configured with a source interface and source adress can't be matched : the qos node Qid should be 1 and not 0.. PAN OS : 5.0.6

///////////////////////////////

 

admin@Bellan-PA-3020-1(active)> show qos interface ethernet1/1 match-rule

QoS match rule for interface ethernet1/1:
Qid node node-id src-i/f src-addr
-------------------------------------------------------------------------------
1 Limit-to-SIEGE 5 ethernet1/4 192.168.0.0/24
0 0 any any

 

admin@Bellan-PA-3020-1(active)> show qos interface ethernet1/1 counter

QoS counter for interface ethernet1/1:
number of queued packets: 0
Parent Qid node base-bw ldshare max-bw pass-pak drop-pak time-out delay vtime qlen qlmt
-------------------------------------------------------------------------------
8 0 default-group 1 99999 100000 0 0 0 0 0 150
-Class 4 1 24999 100000 768711 0 0 1 0 4 150
-Class 6 1 6249 100000 88607 0 0 1 51 0 150
8 1 Limit-to-SIEGE 3000 2000 5000 0 0 0 0 0 150
9 2 tunnel 1 96999 97000 0 0 0 0 0 150
-Class 4 1 24249 97000 46123 0 0 1 0 0 150
9 3 tunnel.3 1 96999 97000 0 0 0 0 0 150
9 4 tunnel.5 1 96999 97000 0 0 0 0 0 150
-Class 4 1 24249 97000 147 0 0 0 0 0 150
9 5 tunnel.6 1 96999 97000 0 0 0 0 0 150
-Class 4 1 24249 97000 24 0 0 0 0 0 150
9 6 tunnel.4 1 96999 97000 0 0 0 0 0 150
9 7 tunnel.1 1 96999 97000 0 0 0 0 0 150
11 8 regular-traffic 3000 97000 100000 0 0 0 13 0 150
11 9 tunnel-traffic 97000 0 97000 0 0 0 0 0 150
11 10 bypass-traffic 100000 0 100000 0 0 0 0 0 150
* -Class 4 100000 0 100000 409 0 0 1 0 0 150
-1 11 ethernet1/1 100000 0 100000 0 0 0 0 0 150

 

 

admin@Bellan-PA-3020-1(active)> show session id 249217

Session 249217

c2s flow:
source: 192.168.0.64 [MPLS]
dst: 195.167.195.42
proto: 6
sport: 65523 dport: 80
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
qos node: ethernet1/1, qos member Qid 0
match src interface: any
match src address: ('any ',)

s2c flow:
source: 195.167.195.42 [EXTERNAL]
dst: 92.103.131.228
proto: 6
sport: 80 dport: 26389
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown

start time : Wed Jul 27 16:51:07 2016
timeout : 3600 sec
time to live : 3481 sec
total byte count(c2s) : 1862
total byte count(s2c) : 5527
layer7 packet count(c2s) : 9
layer7 packet count(s2c) : 6
vsys : vsys1
application : web-browsing
rule : WEB_MPLS_OUT
session to be logged at end : True
session in session ager : True
session synced from HA peer : False
address/port translation : source + destination
nat-rule : NAT-OUT(vsys1)
layer7 processing : enabled
URL filtering enabled : False
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/4
egress interface : ethernet1/1
session QoS rule : Limit-To-Ext-Siege (class 6)
admin@Bellan-PA-3020-1(active)>

 

2 REPLIES 2

Cyber Elite
Cyber Elite

I'd recommend upgrading, since 5.0.6 is already 2 years old. The latest version in the 5.0 train is 5.0.19

5.0 is also nearing it's end of life and so is 6.0, so it might be worth considering going up to 6.1 ?

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Cyber Elite
Cyber Elite

I might suggust going to 7.0.6 or 7.0.8 and moving away from 5.* or 6.*. I can confirm that on our 3020's both versions are running without issues and I can't think of anything off-hand that was removed since 5.*. 

  • 1743 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!