I’m not sure if this is related to this announcement regarding outbound policy problems with grouped networks or domains.
I have a pair of Balance 305’s connected with a SpeedfusionVPN with 3 subtunnels. I created one of the sub tunnels so I can limit the bandwidth between a few of the devices on each side. I have an Outbound policy on the 305 that has the device that is sending data. I’ve tried several different ways of defining this policy to enforce traffic to the bandwidth limited sub-tunnel. This outbound policy isn’t being enforced at all. @WeiMing do you think this issue is part of the grouped policy enforcement issue and solved in 8.5.3s093? If so, can you please share this release with me to test?
Thank you both for the responses. Just to be clear, should I try 8.5.3S042 or 8.5.3S093 and @WeiMing do you think this issue is related? It doesn’t involve grouped networks or domains.
Yes @meb. I have the policies for this at the very top so they should be taking precedence. I opened a ticket so will update this thread with what we find. I have a feeling that a rule further down in the Outbound policy is creating a route that is sending all traffic to the default subtunnel. That will be one thing we try to change that policy to see if that resolves the issue. There are other policies directing traffic to a different subtunnel for a different VLAN/network that are working fine.
Problem solved on this after a lot of testing. First off, @meb was right. I thought I had the policy all the way at the top. It was at the top, but apparently it needed to go even higher in an area that was hidden and I didn’t know I could go even higher. That got traffic flowing into the tunnel. But even after I did this, my bandwidth limit was still getting exceeded, by a lot.
The problem was I had WAN smoothing set at maximum for this subtunnel. As we all know how this works, it was sending many duplicate packets across the subtunnel to prevent packet loss, obviously exceeding the limit I had set. After disabling WAN smoothing, the bandwidth limits for the subtunnel are spot on!
So lesson learned. If you really want to enforce bandwidth limits on Speedfusion VPN tunnels, you need to either turn off WAN smoothing, or set the limits based on how high you have WAN smoothing set, and dial in the bandwidth limit accordingly based on test traffic.