
Traffic not classified after upgrade to PacketWise version 8.5.2g1.

Solutions ID:    KB3714
Version:    5.0
Status:    Published
Published date:    03/02/2010
Updated:    03/02/2010
 

Problem Description

After upgrading to version 8.5.2g1, an IP-based class may fail to classify traffic that was classified before the upgrade.  This happens because the system makes an unexpected change to a traffic class's matching rules when the following steps are performed:

  1. Edit the matching rule through the Web UI.
  2. Apply changes with "service" set to "IP".


The issue is corrected in software version 8.5.3g1.  However, upgrading alone will not correct the definition of any class which may have already been incorrectly modified.  This must be done manually.  The change may not be apparent when viewed in the Web UI.  To determine whether a traffic class has been modified in this manner, issue the command "class show <class name>" via the command-line interface:


PacketShaper# class show /Inbound/TEST

Traffic Class: /Inbound/TEST
Partition: /Inbound
Class Flags:
Rule Types:

Current guaranteed rate 0   excess rate 0

Matching Rules:
  [1  ]   inside  net 192.168.0.0/16  service:Client  any port  IP
          outside any host  any port

No policy
Class id (for SNMP and Measurement Engine): 1366157061

 



The presence of the "service:Client" option results in classification solely of traffic where the server is on the PacketShaper's outside.  In this example, a server on the inside, such as in a DMZ network, will not be matched.  Child classes, such as HTTP, will also be affected since classification is broken at the top level:

PacketShaper# traffic tree /Inbound/TEST

Class name                         Type   Class   Policy  Cur  1 Min   Peak
                                           hits    hits  rate   avg    rate
----------------------------------------------------------------------------
/Inbound/TEST                                       n/a     0      0      0
 HTTP                                         0     n/a     0      0      0
 Default                                      0     n/a     0      0      0


The following is the correct definition, without the "service:Client" option:


PacketShaper# class show /Inbound/TEST

Traffic Class: /Inbound/TEST
Partition: /Inbound
Class Flags: cacheable
Rule Types: address-is-cacheable

Current guaranteed rate 0   excess rate 0

Matching Rules:
  [1  ]   inside  net 192.168.0.0/16  any port  IP
          outside any host  any port

No policy
Class id (for SNMP and Measurement Engine): 1366157061


An equivalent, and also correct, form may have the "service:Client" option but it will be found as both "inside" and "outside" in separate matching rules.  This accounts for servers on either side of the PacketShaper:


PacketShaper# class show /Inbound/TEST

Traffic Class: /Inbound/TEST
Partition: /Inbound
Class Flags:
Rule Types:

Current guaranteed rate 0   excess rate 0

Matching Rules:
  [1  ]   inside  net 192.168.0.0/16  any port  IP
          outside any host  service:Client  any port

  [2  ]   inside  net 192.168.0.0/16  service:Client  any port  IP
          outside any host  any port

No policy
Class id (for SNMP and Measurement Engine): 1366157061
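
A check for the one-sided form described above, as an added example that is not part of the original article: it parses saved "class show" output and reports whether "service:Client" appears on the inside side only. The sample text is constructed from the outputs shown on this page, and the function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the "class show" output in this article.
BROKEN = """\
Traffic Class: /Inbound/TEST
Matching Rules:
  [1  ]   inside  net 192.168.0.0/16  service:Client  any port  IP
          outside any host  any port

No policy
"""
PAIRED = """\
Traffic Class: /Inbound/TEST
Matching Rules:
  [1  ]   inside  net 192.168.0.0/16  any port  IP
          outside any host  service:Client  any port

  [2  ]   inside  net 192.168.0.0/16  service:Client  any port  IP
          outside any host  any port

No policy
"""

# A rule's first line starts with "[N ]"; its second line starts with "outside".
RULE_LINE = re.compile(r"^\s*(?:\[\s*\d+\s*\]\s+)?(inside|outside)\b(.*)$")

def client_sides(class_show_text):
    """Return the set of sides ('inside'/'outside') that carry service:Client."""
    sides = set()
    in_rules = False
    for line in class_show_text.splitlines():
        if line.strip() == "Matching Rules:":
            in_rules = True
            continue
        m = RULE_LINE.match(line) if in_rules else None
        if m and "service:client" in m.group(2).lower():
            sides.add(m.group(1))
    return sides

def needs_manual_fix(class_show_text):
    """True when service:Client appears on the inside side only (the one-sided form)."""
    return client_sides(class_show_text) == {"inside"}

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("paired", PAIRED)):
        print(name, "-> needs manual fix:", needs_manual_fix(text))
```

A class flagged this way still has to be corrected by hand through the Web UI; the script only identifies candidates.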

 

Resolution

The issue is corrected in software version 8.5.3g1.  However, upgrading alone will not correct the definition of any IP-class which may have already been incorrectly modified.  This must be done manually as follows:

  1. Go to the "Manage" page in the Web UI.
  2. Click on the class then select "edit matching rule". 
  3. Change "Service" to "any" and leave "Protocol" family as "IP".
  4. Click "apply changes".

 

The class will now display the latter form, with two matching rules, accounting for both inside and outside servers.

Traffic Class: /Inbound/TEST
Partition: /Inbound
Class Flags:
Rule Types:

Current guaranteed rate 0   excess rate 0

Matching Rules:
  [1  ]   inside  net 192.168.0.0/16  any port  IP
          outside any host  service:Client  any port

  [2  ]   inside  net 192.168.0.0/16  service:Client  any port  IP
          outside any host  any port

No policy
Class id (for SNMP and Measurement Engine): 1366157061

 

In this example, it is not necessary to modify /Inbound/TEST/HTTP.  Only the IP-based class, /Inbound/TEST, must be corrected.

