07-27-2016 08:11 AM
Hello,
The node configured with a source interface and source adress can't be matched : the qos node Qid should be 1 and not 0.. PAN OS : 5.0.6
///////////////////////////////
admin@Bellan-PA-3020-1(active)> show qos interface ethernet1/1 match-rule
QoS match rule for interface ethernet1/1:
Qid node node-id src-i/f src-addr
-------------------------------------------------------------------------------
1 Limit-to-SIEGE 5 ethernet1/4 192.168.0.0/24
0 0 any any
admin@Bellan-PA-3020-1(active)> show qos interface ethernet1/1 counter
QoS counter for interface ethernet1/1:
number of queued packets: 0
Parent Qid node base-bw ldshare max-bw pass-pak drop-pak time-out delay vtime qlen qlmt
-------------------------------------------------------------------------------
8 0 default-group 1 99999 100000 0 0 0 0 0 150
-Class 4 1 24999 100000 768711 0 0 1 0 4 150
-Class 6 1 6249 100000 88607 0 0 1 51 0 150
8 1 Limit-to-SIEGE 3000 2000 5000 0 0 0 0 0 150
9 2 tunnel 1 96999 97000 0 0 0 0 0 150
-Class 4 1 24249 97000 46123 0 0 1 0 0 150
9 3 tunnel.3 1 96999 97000 0 0 0 0 0 150
9 4 tunnel.5 1 96999 97000 0 0 0 0 0 150
-Class 4 1 24249 97000 147 0 0 0 0 0 150
9 5 tunnel.6 1 96999 97000 0 0 0 0 0 150
-Class 4 1 24249 97000 24 0 0 0 0 0 150
9 6 tunnel.4 1 96999 97000 0 0 0 0 0 150
9 7 tunnel.1 1 96999 97000 0 0 0 0 0 150
11 8 regular-traffic 3000 97000 100000 0 0 0 13 0 150
11 9 tunnel-traffic 97000 0 97000 0 0 0 0 0 150
11 10 bypass-traffic 100000 0 100000 0 0 0 0 0 150
* -Class 4 100000 0 100000 409 0 0 1 0 0 150
-1 11 ethernet1/1 100000 0 100000 0 0 0 0 0 150
admin@Bellan-PA-3020-1(active)> show session id 249217
Session 249217
c2s flow:
source: 192.168.0.64 [MPLS]
dst: 195.167.195.42
proto: 6
sport: 65523 dport: 80
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
qos node: ethernet1/1, qos member Qid 0
match src interface: any
match src address: ('any ',)
s2c flow:
source: 195.167.195.42 [EXTERNAL]
dst: 92.103.131.228
proto: 6
sport: 80 dport: 26389
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
start time : Wed Jul 27 16:51:07 2016
timeout : 3600 sec
time to live : 3481 sec
total byte count(c2s) : 1862
total byte count(s2c) : 5527
layer7 packet count(c2s) : 9
layer7 packet count(s2c) : 6
vsys : vsys1
application : web-browsing
rule : WEB_MPLS_OUT
session to be logged at end : True
session in session ager : True
session synced from HA peer : False
address/port translation : source + destination
nat-rule : NAT-OUT(vsys1)
layer7 processing : enabled
URL filtering enabled : False
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/4
egress interface : ethernet1/1
session QoS rule : Limit-To-Ext-Siege (class 6)
admin@Bellan-PA-3020-1(active)>
07-28-2016 05:10 AM
I'd recommend upgrading, since 5.0.6 is already 2 years old. The latest version in the 5.0 train is 5.0.19
5.0 is also nearing it's end of life and so is 6.0, so it might be worth considering going up to 6.1 ?
07-28-2016 07:33 AM
I might suggust going to 7.0.6 or 7.0.8 and moving away from 5.* or 6.*. I can confirm that on our 3020's both versions are running without issues and I can't think of anything off-hand that was removed since 5.*.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
