Adding QoS kills ssh access to Cisco interface

kevinhsieh
Hello Experts! I am having an interesting time with QoS on my Cisco routers. My primary goal is to DSCP mark packets as they leave my network so that they can be appropriately handled by my service provider en route to my other offices. I am using IPSec tunnels and I have an Ethernet handoff. A secondary goal is to use CBWFQ to proactively drop packets and LLQ to keep VoIP running smoothly. In all likelihood, queues will get congested on the provider equipment, not my own. This is why it's so important for me to be able to apply DSCP markings.

When I apply the service-policy to my WAN interface I see that packets are getting marked. The problem is that I lose the ability to SSH to the WAN interface of my router. I am still able to SSH to the LAN interface through the IPSec tunnel. This is happening on all 3 routers that I have tried. I am running 12.4(19) on 3640 routers. The problem goes away as soon as I remove the service-policy from the WAN interface.

Thanks for your help!

version 12.4
!
class-map match-any NETWORKCONTROL-CS7
  description Traffic to be tagged CS7
 match access-group name ROUTING-ACL
 match  dscp cs7
 match  precedence 7
class-map match-any CRITICAL-EF
  description Traffic to be tagged EF
 match  dscp ef
 match  dscp cs5
 match  precedence 5
class-map match-any PRIORITY-AF11
  description Traffic to be tagged AF11
 match access-group name corpMAPI-ACL
 match access-group name internetHTTP-ACL
 match  dscp af11
 match  dscp cs1
 match  precedence 1
class-map match-any PRIORITY-AF13
  description Traffic to be tagged AF13
 match access-group name corpISCSI-ACL
 match  dscp af13
class-map match-any PRIORITY-AF12
  description Traffic to be tagged AF12
 match access-group name corpDOUBLETAKE-ACL
 match access-group name corpSERVER-RPC-ACL
 match access-group name internetOTHER-ACL
 match access-group name SMTP-ACL
 match  dscp af12
class-map match-any INTERNETWORKCONTROL-CS6
  description Traffic to be tagged CS6
 match access-group name ICMP-ACL
 match  dscp cs6
 match  precedence 6
class-map match-any FLASHOVERRIDE-AF42
  description Traffic to be tagged AF42
 match access-group name corpSHELL-ACL
 match  dscp af42
class-map match-any FLASHOVERRIDE-AF43
  description Traffic to be tagged AF43
 match  dscp af43
class-map match-any FLASHOVERRIDE-AF41
  description Traffic to be tagged AF41
 match  dscp af41
 match  dscp cs4
 match  precedence 4
class-map match-any IMMEDIATE-AF21
  description Traffic to be tagged AF21
 match access-group name corpCIFS-ACL
 match access-group name corpHTTP-ACL
 match  dscp af21
 match  dscp cs2
 match  precedence 2
class-map match-any FLASH-AF31
  description Traffic to be tagged AF31
 match access-group name corpBAY1-ACL
 match  dscp af31
 match  dscp cs3
 match  precedence 3
class-map match-any FLASH-AF33
  description Traffic to be tagged AF33
 match access-group name RDP-ACL
 match  dscp af33
!
!
policy-map OUT-POLICY-TEST
  description Here we tag the traffic with DSCP markings
 class PRIORITY-AF11
  set dscp af11
  bandwidth remaining percent 10
  random-detect dscp-based
 class PRIORITY-AF12
  set dscp af12
  bandwidth remaining percent 5
  random-detect dscp-based
 class PRIORITY-AF13
  set dscp af13
  bandwidth remaining percent 10
  random-detect dscp-based
 class IMMEDIATE-AF21
  set dscp af21
  bandwidth remaining percent 25
  random-detect dscp-based
 class FLASH-AF31
  set dscp af31
  bandwidth remaining percent 10
  random-detect dscp-based
 class FLASH-AF33
  set dscp af33
  bandwidth remaining percent 10
  random-detect dscp-based
 class FLASHOVERRIDE-AF41
  set dscp af41
  bandwidth remaining percent 25
  random-detect dscp-based
 class FLASHOVERRIDE-AF42
  set dscp af42
  bandwidth remaining percent 2
  random-detect dscp-based
 class FLASHOVERRIDE-AF43
  set dscp af43
  bandwidth remaining percent 2
  random-detect dscp-based
 class INTERNETWORKCONTROL-CS6
  set dscp cs6
  priority percent 1
 class NETWORKCONTROL-CS7
  set dscp cs7
  priority percent 1
 class CRITICAL-EF
  set dscp ef
  priority percent 20
 class class-default
  fair-queue
!
!
!
 
!
crypto map MYMAP 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set MEDIUM
 match address CRYPTOMAP
 qos pre-classify
!
!
!
!
interface FastEthernet1/0
description LAN
 ip address 10.100.152.1 255.255.254.0
 duplex auto
 speed auto
 h323-gateway voip interface
 h323-gateway voip bind srcaddr 10.100.152.1
!
interface Ethernet3/0
 description WAN
 bandwidth 1544
 ip address x.x.x.x 255.255.255.252
 ip access-group INBOUND in
 full-duplex
 crypto map MYMAP
 service-policy output OUT-POLICY-TEST
!
ip access-list extended CRYPTOMAP
 permit ip 10.100.152.0 0.0.1.255 any
ip access-list extended ICMP-ACL
 remark match corporate and Internet ICMP INTERNETWORKCONTROL CS6
 permit icmp any any
ip access-list extended INBOUND
 permit tcp any any established
 permit esp X.X.X.X 0.0.0.1 any
 permit udp X.X.X.X 0.0.0.1 any eq isakmp
 permit icmp any any ttl-exceeded
 permit icmp X.X.X.X 0.0.0.255 any echo
 permit tcp X.X.X.X 0.0.0.1 any eq 22
 permit icmp any any echo-reply
ip access-list extended RDP-ACL
 remark Match Remote Desktop Protocol FLASH AF33
 permit tcp any any eq 3389
 permit tcp any eq 3389 any
ip access-list extended ROUTING-ACL
 remark match Routing Protocols NETWORKCONTROL CS7
 permit eigrp any any
ip access-list extended SMTP-ACL
 remark match SMTP traffic PRIORITY AF12
 permit tcp any any eq smtp
 permit tcp any eq smtp any
ip access-list extended corpBAY1-ACL
 remark match corporate SBN Bay1 traffic FLASH AF31
 permit tcp 10.0.0.0 0.255.255.255 host 10.100.6.107 eq 4100
 permit tcp host 10.100.6.107 eq 4100 10.0.0.0 0.255.255.255
ip access-list extended corpCIFS-ACL
 remark match corporate CIFS traffic IMMEDIATE AF21
 permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq 445
 permit tcp 10.0.0.0 0.255.255.255 eq 445 10.0.0.0 0.255.255.255
ip access-list extended corpDOUBLETAKE-ACL
 remark match corporate Double-Take traffic PRIORITY AF12
 permit tcp 10.101.22.0 0.0.1.255 10.100.22.0 0.0.1.255 eq 1100
 permit tcp 10.100.22.0 0.0.1.255 10.101.22.0 0.0.1.255 eq 1100
 permit tcp 10.101.22.0 0.0.1.255 eq 1100 10.100.22.0 0.0.1.255
 permit tcp 10.100.22.0 0.0.1.255 eq 1100 10.101.22.0 0.0.1.255
ip access-list extended corpHTTP-ACL
 remark match corporate HTTP/HTTPS traffic IMMEDIATE AF21
 permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq www
 permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq 443
 permit tcp 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255 eq www
 permit tcp 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255 eq 443
 permit tcp 10.0.0.0 0.255.255.255 eq www any
 permit tcp 10.0.0.0 0.255.255.255 eq 443 any
 permit tcp 192.168.0.0 0.0.255.255 eq www any
 permit tcp 192.168.0.0 0.0.255.255 eq 443 any
ip access-list extended corpISCSI-ACL
 remark match corporate iSCSI traffic PRIORITY AF13
 permit tcp 10.101.24.0 0.0.1.255 10.100.24.0 0.0.1.255 eq 3260
 permit tcp 10.100.24.0 0.0.1.255 10.101.24.0 0.0.1.255 eq 3260
 permit tcp 10.101.24.0 0.0.1.255 eq 3260 10.100.24.0 0.0.1.255
 permit tcp 10.100.24.0 0.0.1.255 eq 3260 10.101.24.0 0.0.1.255
ip access-list extended corpMAPI-ACL
 remark match corporate Exchange MAPI traffic PRIORITY AF11
 permit tcp 10.0.0.0 0.255.255.255 10.0.22.0 0.255.0.255 eq 7830
 permit tcp 10.0.22.0 0.255.0.255 eq 7830 10.0.0.0 0.255.255.255
ip access-list extended corpSERVER-RPC-ACL
 remark match server to server RPC traffic PRIORITY AF12
 permit tcp 10.100.0.10 0.0.255.0 gt 1024 10.100.0.10 0.0.255.0 gt 1024
 permit tcp 10.0.22.0 0.255.0.255 gt 1024 10.100.0.10 0.0.255.0 gt 1024
 permit tcp 10.100.0.10 0.0.255.0 gt 1024 10.0.22.0 0.255.0.255 gt 1024
ip access-list extended corpSHELL-ACL
 remark Match Corporate SSH and Telnet traffic FLASHOVERRIDE AF42
 permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq 22
 permit tcp 10.0.0.0 0.255.255.255 eq 22 10.0.0.0 0.255.255.255
 permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq telnet
 permit tcp 10.0.0.0 0.255.255.255 eq telnet 10.0.0.0 0.255.255.255
ip access-list extended internetHTTP-ACL
 remark Match Internet HTTP/HTTPS traffic PRIORITY AF11
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 deny   ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
 deny   ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit tcp 10.0.0.0 0.255.255.255 any eq www
 permit tcp 10.0.0.0 0.255.255.255 any eq 443
ip access-list extended internetOTHER-ACL
 remark match Internet traffic NOT HTTP(s) PRIORITY AF12
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 deny   ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
 deny   ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit tcp 10.0.0.0 0.255.255.255 any
 
line vty 0 4
 access-class 65 in
 exec-timeout 30 0
 password 7 XXXXXXXXXXXXXXX
 transport input ssh

Istvan Kalmar, Head of IT Security Division (Top Expert 2010)

Commented:
Hi,

I advise you to give SSH a 64 kbps priority.

kevinhsieh, Network Engineer (Author)

Commented:
That didn't do anything. However, adding the following line to my corpSHELL-ACL access-list fixed the issue.

     permit tcp any eq 22 any

Points if you can tell me why that makes a difference. I would think that the return traffic would have fallen under the default class.

ip access-list extended corpSHELL-ACL
 remark Match Corporate SSH and Telnet traffic FLASHOVERRIDE AF42
 permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq 22
 permit tcp 10.0.0.0 0.255.255.255 eq 22 10.0.0.0 0.255.255.255
 permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq telnet
 permit tcp 10.0.0.0 0.255.255.255 eq telnet 10.0.0.0 0.255.255.255
 permit tcp any any eq 22
 permit tcp any eq 22 any

kevinhsieh, Network Engineer (Author)

Commented:
Additionally, my IPSec tunnel dies after a period of time. Something else is going on here.
Commented:
Because your WAN interface is not a 10.x.x.x which your original ACL was configured for.
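To make the last comment concrete, here is an added example (not from the thread or from Cisco) that walks a packet through the posted ACLs with Cisco-style first-match and wildcard-mask semantics, then through the policy-map's class order. It models only the ACE subset the thread uses (permit/deny, ip/tcp, any / host / network+wildcard, eq/gt ports) and uses constructed stand-in addresses for the router's x.x.x.x WAN address and the remote admin host; the ACL contents are the ones posted above. Running it shows that the router's own SSH replies, sourced from the non-10.x WAN address, fall through the original corpSHELL-ACL into class-default, while the replies it sends from its 10.100.152.1 LAN address over the tunnel (classified pre-encryption thanks to qos pre-classify) already matched, which is the asymmetry the question describes, and that the added `permit tcp any eq 22 any` pulls the WAN-sourced replies into FLASHOVERRIDE-AF42.

```python
"""Classify packets through Cisco-style ACLs and a match-any class chain.

Added example, not code from the original thread. Supports only the ACE
subset the thread uses: permit/deny, ip/tcp, any|host X|net wildcard, eq/gt.
"""
import ipaddress

PORT_NAMES = {"telnet": 23, "www": 80, "smtp": 25, "ssh": 22, "isakmp": 500}


def _addr(tokens, i):
    """Parse one address spec at tokens[i]; return ((network, wildcard), next_i)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _port_spec(tokens, i):
    """Parse an optional 'eq N' / 'gt N'; return ((op, port) or None, next_i)."""
    if i < len(tokens) and tokens[i] in ("eq", "gt"):
        p = tokens[i + 1]
        return (tokens[i], PORT_NAMES.get(p) or int(p)), i + 2
    return None, i


def parse_ace(line):
    """Turn 'permit tcp 10.0.0.0 0.255.255.255 any eq 22' into a dict."""
    t = line.split()
    src, i = _addr(t, 2)
    sport, i = _port_spec(t, i)
    dst, i = _addr(t, i)
    dport, i = _port_spec(t, i)
    return {"action": t[0], "proto": t[1], "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def _wild_match(addr, spec):
    """Cisco wildcard: a 0 bit must match, a 1 bit is don't-care."""
    net, wild = spec
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care


def _port_match(port, spec):
    if spec is None:
        return True
    op, p = spec
    return port == p if op == "eq" else port > p


def _ace_match(ace, pkt):
    proto, src, sport, dst, dport = pkt
    if ace["proto"] not in ("ip", proto):   # 'ip' matches every protocol
        return False
    return (_wild_match(src, ace["src"]) and _port_match(sport, ace["sport"])
            and _wild_match(dst, ace["dst"]) and _port_match(dport, ace["dport"]))


def acl_permits(acl_lines, pkt):
    """First matching ACE decides; no match means the implicit deny."""
    for line in acl_lines:
        if line.strip().startswith("remark"):
            continue
        ace = parse_ace(line)
        if _ace_match(ace, pkt):
            return ace["action"] == "permit"
    return False


def classify(policy, acls, pkt):
    """policy: ordered (class_name, [acl_names]) as in the policy-map.
    match-any: the first class where any listed ACL permits the packet wins."""
    for cls, acl_names in policy:
        if any(acl_permits(acls[name], pkt) for name in acl_names):
            return cls
    return "class-default"


# ACL contents as posted in the thread (remarks omitted).
CORP_SHELL_ORIG = [
    "permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq 22",
    "permit tcp 10.0.0.0 0.255.255.255 eq 22 10.0.0.0 0.255.255.255",
    "permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq telnet",
    "permit tcp 10.0.0.0 0.255.255.255 eq telnet 10.0.0.0 0.255.255.255",
]
CORP_SHELL_FIXED = CORP_SHELL_ORIG + ["permit tcp any any eq 22",
                                      "permit tcp any eq 22 any"]
INTERNET_OTHER = [
    "deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255",
    "deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255",
    "deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255",
    "permit tcp 10.0.0.0 0.255.255.255 any",
]
# Only the two classes relevant to SSH, in the policy-map's order.
POLICY_ORDER = [("PRIORITY-AF12", ["internetOTHER-ACL"]),
                ("FLASHOVERRIDE-AF42", ["corpSHELL-ACL"])]

WAN_IP = "198.51.100.2"     # constructed stand-in for the router's x.x.x.x WAN address
ADMIN_IP = "198.51.100.40"  # constructed remote admin host that SSHes to the WAN address
LAN_IP = "10.100.152.1"     # the router's LAN address from the posted config


def ssh_reply_class(shell_acl, src_ip=WAN_IP, dst_ip=ADMIN_IP):
    """Class hit by the router's own SSH reply (src_ip:22 -> dst_ip) on egress."""
    acls = {"internetOTHER-ACL": INTERNET_OTHER, "corpSHELL-ACL": shell_acl}
    return classify(POLICY_ORDER, acls, ("tcp", src_ip, 22, dst_ip, 51515))


if __name__ == "__main__":
    print("WAN reply, original ACL:", ssh_reply_class(CORP_SHELL_ORIG))
    print("WAN reply, with any eq 22 any:", ssh_reply_class(CORP_SHELL_FIXED))
    print("LAN reply via tunnel, original ACL:",
          ssh_reply_class(CORP_SHELL_ORIG, LAN_IP, "10.101.1.5"))
```

The same function is handy as a pre-change check: before a class-map that sets `bandwidth` or `random-detect` goes onto a WAN interface, run the router's management flows (sourced from each interface address it can answer from) through it and confirm which class they land in.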