Question

How do I configure QoS for SIP on Cisco ASA 5505

Asked by: Shex_

Hello !!

I had some noise in the VoIP sound, because there is some data which is uploading from our WAN link at the same time users are talking on the IP Phone.

So I decided to configure QoS priority for SIP, but it seems that I wasn't lucky this time, and I really hope that someone can tell me what I did wrong in my config, which is written below:

Below is my complete policy config as it is now:

priority-queue outside_wan
class-map Voice
 match dscp ef
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect dns
  inspect esmtp
  inspect pptp
  inspect ipsec-pass-thru
  inspect sip
policy-map Voicepolicy
 class Voice
  priority
!
service-policy global_policy global
service-policy Voicepolicy interface outside_wan

My outside interface is called "outside_wan"

I hope someone can explain to me what's wrong in this config.

Thank You
Best regards

This Question has been solved and asker verified.

Asked On: 2007-12-16 at 05:51:58 ID: 23026372
Tags: asa, qos, cisco, sip
Topic: Voice Over IP


Answers

 

by: oletu Posted on 2007-12-16 at 08:33:31 ID: 20480884

It will be very difficult to give you a precise answer, because your topology is not quite clear.

E.g. where is the SIP server and where is the SIP phone in your network? Also remember that for Voice QoS to be effective it has to be end-to-end, i.e. if you give Voice traffic a high priority within your network and send it to a SIP server somewhere on the internet, do not expect your ISP to abide by the priority that you have assigned to SIP. Your ISP will combine the Voice traffic & Data traffic into one single stream and treat them as the same.

This is different if you have IP/MPLS and you have purchased a higher priority service from your ISP; in that case you will be able to achieve a true end-to-end QoS for your voice path from the SIP phone to the SIP server.

That said, let's try to do what you have control over, which is the traffic within your network and exiting your network into the ISP cloud.

Your configuration above assumes that the SIP traffic has been marked as EF, but what if the SIP phone has not been marked, or what if the SIP phone is using another type of marking, e.g. some phones mark their traffic as EF & AF31, others also utilize the CS3 marking. If you are not sure of the marking that your SIP phone is doing or if your SIP phone is not doing any marking at all, you have to take it upon yourself to mark the traffic, before assigning it to a strict priority queue.

We know that SIP by default uses port 5060, so back to your routers:
!
access-list 101 permit tcp any any eq 5060
access-list 101 permit udp any any eq 5060
access-list 101 permit tcp any eq 5060 any
access-list 101 permit udp any eq 5060 any
!
class-map match-any SIP
 match access-group 101
!
policy-map SIP
 class SIP
  set dscp ef
  priority percent 10
!
interface serial 0/0
 description outside
 service-policy output SIP
!
I have done multiple things above: I have used access-list 101 to capture all SIP traffic, and have given it 10% of the bandwidth on Serial0/0. You also see that I have remarked the SIP traffic with EF.

The importance of this remarking is that, if your SIP traffic passes through multiple devices in your network, you have to log into each of those routers and keep giving SIP a priority (remember QoS is an end-to-end thing; if router-1 gives priority to SIP, that does not mean router-2 will, you must log into router-2 and tell it to give priority to SIP, else router-2 will treat SIP as regular traffic). Since we have already re-marked the SIP traffic, you do not need the ACL in the other routers, all you need is... a class map, matching 'ef'.

You can adapt this method for any platform; my example above is using Cisco IOS, but the method is the same even for Firewall, Cat OS, Catalyst IOS, etc.

If you have a problem adapting it for your specific platform, let me know.

If you stick this into your last router before the ISP, this configuration will only help the router to give priority to SIP traffic as it leaves the router into your ISP network. Since the ISP will not trust it by default, when the traffic gets into their network, the markings are not obeyed. And SIP traffic from the ISP to you will be sent just like regular traffic with no priority.

But since upload bandwidth is normally smaller than download bandwidth, this might help your situation.

On the other hand, if the path between the SIP phone & the SIP server is under your control, you can implement end-to-end QoS and you will be certain that SIP will be treated as king from one end of the network to the other.

 

by: Shex_ Posted on 2007-12-16 at 13:25:03 ID: 20481718

Hello, first of all thank you very much for the answer.

Well, now I will describe my network scenario.

I have a SIP (Linksys SPA) adapter which is connected with its WAN port to a LAN port on the Cisco ASA, then the Cisco ASA is connected to the internet via a ZyXel Bridge. The Cisco ASA has a static WAN IP address. All needed ports are opened in the ASA for SIP traffic.

So the next hop from my ASA is of course the ISP provider CORE router, then via my ISP provider this SIP adapter connects to the SIP server in another town.

Now my problems are:

When I am uploading files from our network, and if someone is then talking via SIP, then he gets bad sound with noises, latency etc... So therefore I'll try to configure the QoS for SIP traffic.

What do you mean, will the config you wrote above help me ?? or do I need to call my ISP too and ask them to create the priority on their interface on the CORE router too ?? is this what you mean ????

Thank You !! waiting for an answer from you before I do anything.

Best regards

 

by: Shex_ Posted on 2007-12-16 at 14:13:51 ID: 20481858

btw my SIP phone is not a clean IP phone, but an analog phone which is connected to the SIP Linksys adapter (SPA).

 

by: oletu Posted on 2007-12-16 at 14:21:35 ID: 20481885

The config will help you as the packet exits your Cisco ASA, but once the traffic gets into your ISP's net, you do not have any control whatsoever over it.

By default the ISP will give all your traffic the same level of priority and guarantee it up to the purchased CIR; once you reach the CIR and it is a busy time with no burst, the ISP will start dropping your traffic indiscriminately.

Unless you are a special customer, no ISP will even agree to give your traffic a higher priority; ISPs that have this feature charge a premium fee for this type of priority service.

If the ISP is willing to prioritize your SIP traffic, they will have to modify the access-list a little in order to limit it to traffic coming from only you and not from their other customers; in that case instead of the 'any any' representing all IP addresses, they will replace it with the specific IP address of the SIP server & your IP address. Sincerely, I doubt that the ISP will agree to do it, because it makes their life easier to put everyone on a single pipe and blindly assign the default priority to all traffic. Moreover, the ISP might be sending the traffic to another ISP before it eventually gets to your SIP server in the next town.

However, with IP/MPLS the ISP owns almost all the P & PE routers and they can assign priority to a customer's traffic. With IP/MPLS providers, you have to buy this service separately; a call to them will not do it.

If this is a frame relay connection to the ISP and you know your CIR, you can really do a lot of stuff to drastically improve your voice quality, i.e. since your ISP will only start marking your traffic for dropping when you subscribe over your CIR, you can configure your network to obey the CIR and within that CIR give SIP traffic a priority or guaranteed bandwidth.

Though this might reduce your speed, because you will not be using the bursting facility of the ISP to burst above CIR when the bandwidth is there, it kind of gives you predictability and control over your network.

If this is a Cable/DSL provider, it is worse, because cable/DSL providers put every subscriber within a particular location into a single pipe and hand off the traffic into the internet.

If I was in your shoes and seeing that the odds are against me, I would run the code that was sent before and make sure that all the network devices under my control, either here in this location or in the other location where the SIP server is located, are giving SIP the highest priority; this might help a little.

 

by: Shex_ Posted on 2007-12-16 at 14:32:53 ID: 20481913

very great explanation !!

but why can't the ISPs configure, for example, let's say 2 interfaces, then on the first interface give SIP priority and the other interface can be as usual. So in my case we are talking about DSL technology, with an IP-DSLAM in the PSTN which is then connected to the ISP's core router. So then the ISP can ask the people when they are ordering the internet connection (shall you use a SIP IP phone) ?? if YES, then you will be connected to the interface where SIP is priority traffic. And upstream bandwidth is defined in the IP-DSLAM per port, which means per user.

Can't understand why this should be an extra fee for users..

 

by: oletu Posted on 2007-12-16 at 15:32:19 ID: 20482050

Why there might be an extra fee will become obvious when you consider the total picture...

Take this simple scenario: in the town that I live in, the DSL provider is Verizon; let's assume I took DSL from Verizon and hooked up my SIP phone to Verizon.

Now I want to call my buddy (or connect to a SIP Server) who lives in Chicago and his local provider there is BellSouth and he got DSL through BellSouth. He has a SIP phone and hooks it up with his DSL from BellSouth or whatsoever his local ISP is....

Now you can see that the path from me to my friend in Chicago passes through a lot of routers; some of these routers are owned by Verizon & some are owned by BellSouth and some might be owned by other upstream ISPs that Verizon & BellSouth hand traffic off to, and Verizon/BellSouth have to also buy bandwidth from those upstream providers...

For true QoS to work, all the routers in the path from my house to my friend's house must individually be configured to obey the priority marking that I have assigned to my SIP traffic.

From your office where you have the SIP phone, try something like this from a PC:
C:\>tracert <IP address of the SIP Server>

The number of hops you get from the above experiment is the number of routers (minus firewalls & other devices that have been configured not to reveal themselves in a traceroute) that must be configured to obey your priority marking, and not all those routers are under the control of Verizon or BellSouth in my case.

You see that it is a huge task.

Now to circumvent this and make prioritizing traffic happen, each of the ISPs can negotiate with each of their upstream providers and ask that a certain percentage of their traffic be assigned a higher priority; the ISP will in turn sell this priority to their customers.

Also remember that the ISP is putting every one of its customers in a single pool of bandwidth and every customer is struggling for that bandwidth, and the ISP can keep adding customers to that single pool of bandwidth to maximize profit, but once they assign a priority to you, they are bound by contract to always provide you that guaranteed bandwidth and priority; you have in essence reduced their available bandwidth and the number of additional customers they would have signed on, so they would want to charge you more for that service to make up for the customer(s) they can no longer sign on.

There will be no need to use different interfaces for this type of service; all the ISP will need to do is create different priority classes for all their traffic, and by default all traffic will be remarked as best-effort & sent to the lowest priority class, but for customers who have purchased a higher priority for certain traffic, they will talk with you to determine how you are going to mark/tag the priority traffic before sending it into their network, and once you mark it accordingly, their routers will recognize the marking/tag and give that traffic the priority level that you have paid for.

You can see that it will be costing the ISP more money in terms of:
1. Paying upstream providers to recognize and obey their priority markings/tags when they hand the traffic to them.
2. Reduced business from other potential customers who would have been pooled into the shared bandwidth that is now for your SIP traffic exclusive & guaranteed use.
3. Additional equipment they might have to purchase/upgrade to make this happen
4. Pay the Engineer(s) who is going to configure & make all these things happen.

Now the ISP must get those $$$ back & some profit too from somewhere; guess who they are going to get it from? ..............You the customer who need special end-to-end treatment for some of your traffic.

 

by: Shex_ Posted on 2007-12-16 at 16:12:45 ID: 20482120

Well I understand now what you mean....  you have a very good point there, there is no talk about it.

But after I read your complete post, I think I should try to configure QoS as you described above.
And hope that it will help me. Because there needs to be a way or workaround for this problem, there are a lot of IP Telephone SIP providers in the world and they are selling their services to customers. So I am 100 % sure that many of these customers are using the upload stream for both DATA and VoIP so........ it must work.

BTW what about SKYPE ? Skype is VoIP, and I can upload whatever I want but the sound is clean as water, no noises, nothing... how can this work so ??? So no ports need to be opened either.... ?

THANK YOU VERY MUCH FOR A VERY NICE AND PROFESSIONAL EXPLANATION !!
never seen someone write such good explanations for forum users !! I really RESPECT IT !!!!!!

I will try to reconfigure it tomorrow, so I'll let you know ! if there is something more I need to take care of, just please let me know ...... I'll post the working QoS policy when I finish the config..

I have to get this working, because it is not possible to upload anything before I configure QoS, the sound is weird, just impossible.

Thank you again !!  I'll be back ...

Best regards

 

by: Shex_ Posted on 2007-12-17 at 02:30:19 ID: 20483855

Wait a min..........

when you say that the ISP needs to configure the SIP priority in order to make the whole thing work, then I have one question:

when I stop uploading files from my network and just use the SIP IP phone, then there is nothing wrong with the sound, EVEN if the ISP has not configured any priority for SIP, as you know ?? how can you explain this ??

so I think the configuration you gave me should help in this case ..........

 

by: Shex_ Posted on 2007-12-17 at 05:10:06 ID: 20484441

so you mean that QoS is working most optimally through a VPN tunnel ?
where it does not matter how many hops and interfaces the WAN is traveling through ?
because a VPN tunnel does not have so many hops. Am I right ?

 

by: oletu Posted on 2007-12-17 at 07:14:57 ID: 20485317

Like I mentioned before, implementing the config that I gave you above might help to reduce the problem; also add the service policy inward as well, in my prior configuration I only added it outward.

Adding it inward will make your router give incoming SIP packets priority over other traffic.

What I said was that the ISP will also need to configure QoS and obey your SIP marking for QoS to work end-to-end. But you can take steps to give SIP the most priority within the devices under your administrative control.

A GRE or IPSec tunnel, though, will give you one hop between the source & the destination, but the tunnel is still being negotiated across multiple hops and your traffic will still travel across those multiple hops; the only difference now is that no router along the path will be able to unencrypt or interpret your packets except the end point router. With tunnelling, you will incur additional overhead to set up & maintain the tunnel, which in essence means less bandwidth for your user traffic.

Latency might even increase with a tunnel because of the added overhead, which is not good for your voice traffic.

My advice for now is to implement that QoS, apply it in both directions and see what happens.

 

by: Shex_ Posted on 2007-12-17 at 09:59:58 ID: 20486579

I should just configure it now, but I am being a little confused because of the ACLs. Below is the config of my ACL:

object-group service udp_ports_for_sipura_adapter udp
 port-object eq sip
 port-object range 16300 16700

object-group service ports_for_sipura_adapter tcp
 port-object eq sip
 port-object range 16300 16700

access-group outside_access_in in interface outside_wan
access-group outside_wan_access_out out interface outside_wan

access-list outside_access_in extended permit icmp any any object-group allowed_icmp
access-list outside_access_in extended permit tcp any host wan_ip object-group ports_for_sipura_adapter
access-list outside_access_in extended permit udp any host wan_ip object-group udp_ports_for_sipura_adapter

so I am not sure how I can implement this ACL in the config below:

Class-map match-any SIP
match access-group 101 ??? shall I use outside_access_in or outside_wan_access_out ??
!

Policy-map SIP
Class SIP
set dscp ef
priority percent 10
!
Interface serial 0/0
description outside
service-policy output SIP

 

by: oletu Posted on 2007-12-17 at 11:50:27 ID: 20487297

You will use the "outside_access_in"
i.e.
!
object-group service udp_ports_for_sipura_adapter udp
 port-object eq sip
 port-object range 16300 16700
!
object-group service ports_for_sipura_adapter tcp
 port-object eq sip
 port-object range 16300 16700
!
access-list outside_access_in extended permit tcp any host wan_ip object-group ports_for_sipura_adapter
access-list outside_access_in extended permit udp any host wan_ip object-group udp_ports_for_sipura_adapter
access-list outside_access_in extended permit tcp host wan_ip object-group ports_for_sipura_adapter any
access-list outside_access_in extended permit udp host wan_ip object-group udp_ports_for_sipura_adapter any
!
Class-map match-any SIP
match access-list outside_access_in
!
Policy-map SIP
Class SIP
set dscp ef
priority percent 10
class class-default
fair-queue
!
Interface serial 0/0
description outside
service-policy output SIP
service-policy input SIP
!

Try the above commands and see if you get an error. I am using your commands essentially and writing the extra code in Notepad; I am not in front of a PIX/ASA box at this time and as such, you might get a syntax error on placement of the modified code, but correct the error and you should be fine.

Also I invoked a 'class class-default', I know in some IOS deployments you cannot queue traffic inward, when you go to apply the service map on your interface if you get an error message about the fair-queue, simply remove it.

Let me know how it goes.

 

by: Shex_ Posted on 2007-12-17 at 12:23:30 ID: 20487508

it goes as usual with an error in the beginning, have a look.....

ciscoasa(config)# Class-map match-any SIP
ERROR: % Invalid input detected at '^' marker.

ciscoasa(config)# Class-map match-any ?    
configure mode commands/options:
  <cr>
ciscoasa(config)# Class-map match-any

I use Cisco ASA 8.03 (5505)

 

by: oletu Posted on 2007-12-17 at 12:59:44 ID: 20487800

Try.....

!
Class-map SIP
match access-list outside_access_in
!

 

by: Shex_ Posted on 2007-12-17 at 13:02:55 ID: 20487824

ciscoasa(config)# Class-map SIP
ciscoasa(config-cmap)# match access-list outside_access_in
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map SIP
ciscoasa(config-pmap)# class SIP
ciscoasa(config-pmap-c)# set dscp ef
                             ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-pmap-c)# match dscp ef
                           ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-pmap-c)# set dscp ef

 

by: oletu Posted on 2007-12-17 at 13:25:49 ID: 20488009

Try...
!
set ip dscp ef
!
match ip dscp ef
!
Cisco keeps changing syntax even within the same product line...

 

by: Shex_ Posted on 2007-12-17 at 13:35:54 ID: 20488097

unbelievable

ciscoasa# config t
ciscoasa(config)# Class-map SIP
ciscoasa(config-cmap)# match access-list outside_access_in
ciscoasa(config-cmap)# exit
ciscoasa(config)# Policy-map SIP
ciscoasa(config-pmap)# Class SIP
ciscoasa(config-pmap-c)# set ip dscp ef
                             ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-pmap-c)# match ip dscp ef
                           ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-pmap-c)#

 

by: Shex_ Posted on 2007-12-17 at 14:03:22 ID: 20488335

the command "priority percent 10" isn't working either, only the command "priority" is working.
can't understand why Cisco is changing these commands so often, there is no reason for it

 

by: oletu Posted on 2007-12-18 at 04:44:43 ID: 20491511

I will be testing the commands on my PIX firewall this morning and will post the corrected statements.

My initial commands were written based on a Cisco IOS router and I was using Notepad to write the commands; I did not have the advantage of the case-sensitive help, and now that I look at it, even if I had, it would not have made any difference because you are using a firewall with a different syntax.

 

by: Shex_ Posted on 2007-12-18 at 04:48:11 ID: 20491531

that was what I thought, so here is what I use now:

Cisco ASA (not pix) model 5505 ASA OS version 8.03

 

by: oletu Posted on 2007-12-18 at 05:27:24 ID: 20491817

These commands should do it on your platform:
!
class-map voice
 match port tcp eq sip
!
policy-map voice
class-map vocie
priority
!
priority-queue outside
queue-limit 2048
tx-ring-limit 256
!
service-policy voice interface outside
!
Try that and see if the download still gives you problems.

 

by: oletu Posted on 2007-12-18 at 05:30:33 ID: 20491847

Hope you caught the type mis-match above...it should be:
!
policy-map voice
class-map voice <---and not vocie as indicated in the previous post.
priority
!
Though if you made the same mistake on the ASA, it will correct you and say, the class map is not configured.

 

by: Shex_ Posted on 2007-12-18 at 05:46:51 ID: 20491950

no problems dude I understand...... I saw it once in the config.
I do not have access to this ASA now from this office, but once I get access I'll try this and I'll let you know !! it is about 2-3 hours, but I'll let you know !

Thank You very much for helping me !!!!!!

 

by: Shex_ Posted on 2007-12-18 at 05:55:15 ID: 20492003

btw, what about access lists in this case, I see no need for them now ?? am I right

 

by: oletu Posted on 2007-12-18 at 06:05:30 ID: 20492090

Yes, no need for them.

 

by: Shex_ Posted on 2007-12-18 at 10:02:47 ID: 20494025

this is how it looks like now:

ciscoasa(config)# class-map voice
ciscoasa(config-cmap)#  match port tcp eq sip
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map voice
ciscoasa(config-pmap)# class-map vocie
ciscoasa(config-cmap)# priority
ERROR: % Incomplete command
ciscoasa(config-cmap)# priority?

configure mode commands/options:
  priority-queue  
ciscoasa(config-cmap)#


this is not a priority-queue  we are defining here but just priority...

 

by: oletu Posted on 2007-12-18 at 11:20:05 ID: 20494572

it is a priority queue, different IOS have a different way of accomplishing it...

I am running 8.02 on my PIX 515E in my home lab and the syntax is that you have to define the priority queue separate and outside the policy map, but it appears that ASA wants you to also define the priority queue inside the policy map statements...

 

by: Shex_ Posted on 2007-12-18 at 13:02:06 ID: 20495377

hmm, ok I'll try again so we'll see... it must work, I am running 8.03 on ASA 5505, shouldn't be a big difference...

 

by: Shex_ Posted on 2007-12-18 at 13:39:12 ID: 20495734

now I did it but I don't think this will help, or I forgot something, this is what I did :

class-map voice
 match port tcp eq sip
!
policy-map voice
 class-map voice
!
priority-queue outside_wan
 queue-limit 2048
 tx-ring-limit 256
!
service-policy voice interface outside_wan

described in detail below:

ciscoasa(config)# class-map voice
ciscoasa(config-cmap)#  match port tcp eq sip
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map voice
ciscoasa(config-pmap)# class-map voice
ciscoasa(config-cmap)# exit
ciscoasa(config)# priority-queue outside_wan
ciscoasa(config-priority-queue)# queue-limit 2048
ciscoasa(config-priority-queue)# tx-ring-limit 256
ciscoasa(config-priority-queue)# exit
ciscoasa(config)# service-policy voice interface outside_wan
ciscoasa(config)#

but the sound on SIP is exactly the same as before :(

 

by: oletu Posted on 2007-12-18 at 16:20:53 ID: 20496728

The other thing that I can think of is to use access-list, because access-list will enable us to also match udp port 5060 and we will be able to match the traffic in both directions, the script will be like this:
!
access-list sip extended permit tcp any eq sip any
access-list sip extended permit udp any eq sip any
access-list sip extended permit tcp any any eq sip
access-list sip extended permit udp any any eq sip
!
class-map voice
 match access-list sip
!
!
policy-map voice
 class voice
  priority
!
priority-queue outside_wan
 queue-limit 2048
 tx-ring-limit 256
!
service-policy voice interface outside_wan
!
After coding the configuration, do the following....
#sh service-policy interface outside_wan

Then try to make a SIP call, and while the call is on do another:
#sh service-policy interface outside_wan

Then download data while making a call and take another snapshot:
#sh service-policy interface outside_wan

Compare all three outputs and post them as well, I want to see if the policy is working...

 

by: Shex_ Posted on 2007-12-18 at 16:22:47 ID: 20496735

no problems dude, leme do it right ahead....... be back in couple min after I did as you told me to do....

 

by: Shex_ Posted on 2007-12-18 at 16:30:50 ID: 20496765

now after I configured exactly as you described above, I ran show commands and here is the output from the show commands:

config used:
access-list sip extended permit tcp any eq sip any
access-list sip extended permit udp any eq sip any
access-list sip extended permit tcp any any eq sip
access-list sip extended permit udp any any eq sip
!
class-map voice
 match access-list sip
!
!
policy-map voice
 class voice
  priority
!
priority-queue outside_wan
 queue-limit 2048
 tx-ring-limit 256
!
service-policy voice interface outside_wan
!

_____________________________________________________________
code output when SIP offline :

ciscoasa(config)# sh service-policy interface outside_wan

Interface outside_wan:
  Service-policy: voice
    Class-map: voice
      Priority:
        Interface outside_wan: aggregate drop 0, aggregate transmit 0
_____________________________________________________________
code while holding on (talking on sip)

ciscoasa(config)# sh service-policy interface outside_wan

Interface outside_wan:
  Service-policy: voice
    Class-map: voice
      Priority:
        Interface outside_wan: aggregate drop 0, aggregate transmit 0
_____________________________________________________________
code while calling from SIP ip phone

ciscoasa(config)# sh service-policy interface outside_wan

Interface outside_wan:
  Service-policy: voice
    Class-map: voice
      Priority:
        Interface outside_wan: aggregate drop 0, aggregate transmit 0
_____________________________________________________________
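
The three-snapshot comparison requested above, as an added example that is not part of the original thread: a Python sketch that parses `sh service-policy interface` output in the format posted here and reports per-class counter deltas between snapshots. The non-zero counter values and the verdict strings are constructed for illustration; the thread's own output shows 0 throughout.

```python
import re

# Constructed snapshots in the format of the thread's
# "sh service-policy interface outside_wan" output (non-zero values are made up).
IDLE = """Interface outside_wan:
  Service-policy: voice
    Class-map: voice
      Priority:
        Interface outside_wan: aggregate drop 0, aggregate transmit 0
"""
IN_CALL = IDLE.replace("aggregate transmit 0", "aggregate transmit 412")
CALL_PLUS_UPLOAD = IDLE.replace("drop 0, aggregate transmit 0",
                                "drop 3, aggregate transmit 950")

CLASS_RE = re.compile(r"^\s*Class-map:\s*(\S+)")
COUNT_RE = re.compile(
    r"Interface (\S+): aggregate drop (\d+), aggregate transmit (\d+)")

def parse_priority_counters(text):
    """Return {(class_map, interface): (drop, transmit)} for one snapshot."""
    counters, current = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = COUNT_RE.search(line)
        if m and current:
            counters[(current, m.group(1))] = (int(m.group(2)), int(m.group(3)))
    return counters

def compare(before, after):
    """Counter deltas between two snapshots, with a short verdict per class."""
    b, a = parse_priority_counters(before), parse_priority_counters(after)
    report = {}
    for key, (drop, tx) in a.items():
        old_drop, old_tx = b.get(key, (0, 0))
        d_drop, d_tx = drop - old_drop, tx - old_tx
        if d_drop == 0 and d_tx == 0:
            verdict = "no match: class saw no packets"
        elif d_drop > 0:
            verdict = "matching, priority queue dropping"
        else:
            verdict = "matching"
        report[key] = (d_drop, d_tx, verdict)
    return report

if __name__ == "__main__":
    for label, snap in (("call", IN_CALL), ("call+upload", CALL_PLUS_UPLOAD)):
        for key, result in compare(IDLE, snap).items():
            print(label, key, result)
```

Run against the three outputs posted above, every delta is zero, so the class map never matched a packet during the call.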

 

by: oletu Posted on 2007-12-18 at 16:41:34 ID: 20496799

hmmm,

not matching anything....strange...makes me start to think you are using a different port for sip, add those access lists to the access list that you applied to your outside interface...

After that, generate some SIP traffic by talking on the phone then do:

#show access-list <access-list-applied-to-outside-interface-name>

See if hitcnt increments....

 

by: Shex_ Posted on 2007-12-18 at 16:56:24 ID: 20496854

it is the same, uhhh very very weird

 

by: Shex_ Posted on 2007-12-18 at 17:00:53 ID: 20496877

the only last way to do something here now is to reboot the asa because I have not saved anything yet.
Then either now or tomorrow I can let You take over my desktop session via a simple client I will give you. Is this a solution ?

 

by: Shex_ Posted on 2007-12-18 at 17:14:58 ID: 20496934

I need to configure my linux server which will allow You to take over my desktop session, and I need some time to fix it, so I hope it is ok to take it tomorrow ?? the time here now is 02:30 and I need to get up at 06 o'clock :(, this ASA is making me crazy, so I really hope we can find a solution for qos tomorrow.

once again THANK YOU very much for helping me, this was not easy task at all ...

 

by: oletu Posted on 2007-12-18 at 17:19:59 ID: 20496954

no problem...

 

by: Shex_ Posted on 2007-12-19 at 09:38:02 ID: 20501260

well, here is the link for the client I was talking about. Just download this .exe file and start it, no installation is needed. Just let me know when you have the time...

just download this file and let me know once you did it, so I'll send you the code on the forum.
It is a one time code. This application is scanned and there is no virus in this client file !!

http://download69.mediafire.com/mumc0j00e0sg/7c2nbpnyxby/Client.exe

 

by: Shex_ Posted on 2007-12-19 at 10:08:42 ID: 20501497

it seems that you are not near the monitor, so we can take it later today...... just leme know.

 

by: oletu Posted on 2007-12-19 at 10:57:46 ID: 20501843

I work best at night here, I am in NYC, so anytime from 10pm works for me, what is ur msn?

 

by: Shex_ Posted on 2007-12-19 at 12:05:30 ID: 20502405

here You go, download this file, and you will see the email address there, just add me and I'll accept. No problems at all, we can take it after 10 pm.

http://download475.mediafire.com/cfcr1hyoi1ig/fyzmswlllbm/msn_address.txt

going to dinner, so I'll be back soon, just add me on the mess list.....

Thank You !!!
