Traffic not classified after upgrade to PacketWise version 8.5.2g1.



Solution

Overview

After upgrading to version 8.5.2g1, an IP-based class may fail to classify traffic which was classified prior to the upgrade.  This is due to the system making an unexpected change to a traffic class's matching rules when the following steps are performed:

  1. Edit the matching rule through the Web UI.
  2. Apply changes with "service" set to "IP".


The issue is corrected in software version 8.5.3g1.  However, upgrading alone will not correct the definition of any class which may have already been incorrectly modified.  This must be done manually.  The change may not be apparent when viewed in the Web UI.  To determine whether a traffic class has been modified in this manner, issue the command "class show <class name>" via the command-line interface:


PacketShaper# class show /Inbound/TEST

Traffic Class: /Inbound/TEST
Partition: /Inbound
Class Flags:
Rule Types:

Current guaranteed rate 0   excess rate 0

Matching Rules:
  [1  ]   inside  net 192.168.0.0/16  service:Client  any port  IP
          outside any host  any port

No policy
Class id (for SNMP and Measurement Engine): 1366157061

 



The presence of the "service:Client" option results in classification solely of traffic where the server is on the PacketShaper's outside.  In this example, a server on the inside, such as in a DMZ network, will not be matched.  Child classes, such as HTTP, will also be affected since classification is broken at the top level:

PacketShaper# traffic tree /Inbound/TEST

Class name                         Type   Class   Policy  Cur  1 Min   Peak
                                           hits    hits  rate   avg    rate
----------------------------------------------------------------------------
/Inbound/TEST                                       n/a     0      0      0
 HTTP                                         0     n/a     0      0      0
 Default                                      0     n/a     0      0      0


The following is the correct definition, without the "service:Client" option:


PacketShaper# class show /Inbound/TEST

Traffic Class: /Inbound/TEST
Partition: /Inbound
Class Flags: cacheable
Rule Types: address-is-cacheable

Current guaranteed rate 0   excess rate 0

Matching Rules:
  [1  ]   inside  net 192.168.0.0/16  any port  IP
          outside any host  any port

No policy
Class id (for SNMP and Measurement Engine): 1366157061


An equivalent, and also correct, form may have the "service:Client" option but it will be found as both "inside" and "outside" in separate matching rules.  This accounts for servers on either side of the PacketShaper:


PacketShaper# class show /Inbound/TEST

Traffic Class: /Inbound/TEST
Partition: /Inbound
Class Flags:
Rule Types:

Current guaranteed rate 0   excess rate 0

Matching Rules:
  [1  ]   inside  net 192.168.0.0/16  any port  IP
          outside any host  service:Client  any port

  [2  ]   inside  net 192.168.0.0/16  service:Client  any port  IP
          outside any host  any port

No policy
Class id (for SNMP and Measurement Engine): 1366157061
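
An added example, not part of the original article or any vendor tooling: a Python check that parses saved "class show" output and flags a class whose matching rules carry "service:Client" on one side only. The sample inputs are constructed from the outputs shown above, and treating an outside-only occurrence as suspect is an assumption.

```python
import re

RULE_START = re.compile(r"^\s*\[\s*(\d+)\s*\]\s+(inside|outside)\b(.*)$")
SIDE_LINE = re.compile(r"^\s+(inside|outside)\b(.*)$")

def client_sides(text):
    """Map rule number -> set of sides ("inside"/"outside") with service:Client."""
    rules, current, in_rules = {}, None, False
    for line in text.splitlines():
        if line.strip() == "Matching Rules:":
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        start, cont = RULE_START.match(line), SIDE_LINE.match(line)
        if start:
            current, side, rest = int(start.group(1)), start.group(2), start.group(3)
            rules[current] = set()
        elif cont and current is not None:
            side, rest = cont.group(1), cont.group(2)
        else:
            break  # "No policy" or any other line ends the rule list
        if "service:client" in rest.lower():
            rules[current].add(side)
    return rules

def is_suspect(text):
    """True when service:Client is present on one side only across all rules."""
    return len(set().union(*client_sides(text).values())) == 1

# Constructed samples, abbreviated from the "class show" outputs on this page.
HEAD = "Traffic Class: /Inbound/TEST\nPartition: /Inbound\n\nMatching Rules:\n"
BROKEN = HEAD + (
    "  [1  ]   inside  net 192.168.0.0/16  service:Client  any port  IP\n"
    "          outside any host  any port\n\nNo policy\n")
CORRECT = HEAD + (
    "  [1  ]   inside  net 192.168.0.0/16  any port  IP\n"
    "          outside any host  any port\n\nNo policy\n")
PAIRED = HEAD + (
    "  [1  ]   inside  net 192.168.0.0/16  any port  IP\n"
    "          outside any host  service:Client  any port\n\n"
    "  [2  ]   inside  net 192.168.0.0/16  service:Client  any port  IP\n"
    "          outside any host  any port\n\nNo policy\n")

if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("CORRECT", CORRECT), ("PAIRED", PAIRED)):
        print(name, "suspect" if is_suspect(text) else "ok", client_sides(text))
```

A class flagged as suspect still needs a manual review, since the check only reads the matching rules and cannot tell whether a one-sided rule was intended.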

 

Resolution

The issue is corrected in software version 8.5.3g1.  However, upgrading alone will not correct the definition of any IP-class which may have already been incorrectly modified.  This must be done manually as follows:

  1. Go to the "Manage" page in the Web UI.
  2. Click on the class, then select "edit matching rule".
  3. Change "Service" to "any" and leave "Protocol" family as "IP".
  4. Click "apply changes".

 

The class will now display the latter form, with two matching rules, accounting for both inside and outside servers.

Traffic Class: /Inbound/TEST
Partition: /Inbound
Class Flags:
Rule Types:

Current guaranteed rate 0   excess rate 0

Matching Rules:
  [1  ]   inside  net 192.168.0.0/16  any port  IP
          outside any host  service:Client  any port

  [2  ]   inside  net 192.168.0.0/16  service:Client  any port  IP
          outside any host  any port

No policy
Class id (for SNMP and Measurement Engine): 1366157061

 

In this example, it is not necessary to modify /Inbound/TEST/HTTP.  Only the IP-based class, /Inbound/TEST, must be corrected.

InQuira Doc Id      KB3714
First Published      10/01/2014
Last Modified      10/01/2014
Last Published      10/01/2014
Product      PacketShaper 10000, PacketShaper 1700, PacketShaper 3500, PacketShaper 7500, PacketShaper 900
Topic      Configuration / WUI / CLI
Article Number      000014092