Cisco ASA 5505 VPN w/ VOIP QoS configuration

jetli87 asked
Medium Priority
Last Modified: 2013-12-21
Hi Gurus,

A friend of mine is using a VPN site-to-site connection via his local Cisco ASA 5505 to a remote partner's SonicWall (I'm not sure what the model is, but it's one of the newer ones) to connect to their Fonality PBX server.  How do I go about optimizing and prioritizing traffic for VoIP/SIP?  From my understanding, I believe QoS needs to be configured for both end-points.  So with the above network setup, what's the best way to configure it?

current config:

10 sip phones <==> Cisco ASA 5505 <==> VPN site-to-site (over Verizon DSL) <==> Sonicwall <==> Fonality PBX Server.

Thanks in advance.

Top Expert 2007
Hello jetli87,
      If you already have a s2s VPN established and have data flowing through, and you also want your VoIP traffic to flow through the same tunnel, your best option would be marking the SIP phone traffic (they should be in the Voice VLAN of the switch according to best practices) with a DSCP value of ef (this can be done at the switch which the phones connect to), then at both sites, prioritize the traffic matching the ef marking. An easier practice would be writing an ACL at both ends that defines the SIP phone traffic, then do prioritization matching on that specific ACL.
     What I would recommend is to create a separate tunnel for the VoIP phones, set the transform set as esp-null at both ends so you disable encryption and lower the latency, then match the tunnel-group for prioritization.

Please check the following previous answer of mine for step by step


Thanks for the response... I'll definitely try it out... however, both sites are small and are using cheap-o switches.  With that being said, I assume going through the ACL solution is my best option?

Also, I've read here at EE that QoS only works if two sites are connected by a leased line, i.e. T1 or MPLS... Since a VPN tunnel is using the Internet, the QoS features are lost once traffic travels via the Internet... Can you confirm?

It is true that the Internet is not going to retain or respect your QoS/DSCP markings, but that doesn't mean you should not mark the traffic; you still need to prioritize, traffic shape and rate limit what goes into the tunnel.
Top Expert 2007

   If we look at QoS in general, it is correct that the Internet, which consists of islands of ISP routers and switches, will not do QoS according to what you mark. ISPs do QoS according to their needs, like prioritizing their routing protocol traffic and so on where congestion may occur within their campus. There are some ISPs out there which can do QoS for traffic you mark, by paying extra fees, but this is not a common scenario, especially taking into consideration that when your remote office is many ASes away, the bidirectional raw packet delay may exceed 140-150ms.
   From CompanyABC's Network Administrator's standpoint, your QoS concerns begin and end where your network perimeter begins and ends, typically a WAN router or firewall (excluding possible bottlenecks within the distribution layer, trunk ports, etc.). Same for your branch office. So you should command your perimeter device: "When congestion occurs at my router's interface, send/receive my voice packets first, meaning if there are data packets waiting in the software queue because of congestion (some guy is seeding/downloading torrents and killing our upstream/downstream bandwidth), move voice packets to the first line, in front of these data packets. It will have no effect if you deliver my data packets late, but my voice will start jittering when you deliver it late. (Btw, don't FIFO drop my voice packets, because this voice packet has to reach on time, so TCP's guaranteed delivery, like retransmission of lost packets, won't work here, since I don't want to hear the "hello" word you dropped in the middle of my conversation. Voice usually uses UDP for the actual voice transmission and TCP for signaling, in general.)" Then let the Internet deliver the packets on its best effort. And finally at your branch office, command your perimeter device the same as what you did at your main office. Follow the best practices to lower latency as much as possible, like not using encryption for the Voice VPN tunnel, and use transport mode if possible (don't add tunnel mode's additional header overhead).
     Long story short, regardless of being Internet or dedicated line, if your interface congests, and if you don't have QoS in place, you will have jitter in voice!
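The following is an added example, not code from the thread or from Cisco: a small discrete-event model in Python of one congested uplink that runs the same packet mix through a plain tail-drop FIFO and through a strict-priority scheduler that serves DSCP EF (46) packets first, the marking the first answer recommends for the SIP phones. The traffic mix, link rate (768 kbit/s, a constructed DSL-like uplink), G.711-style voice packet sizes and the 64-packet queue limit are all assumptions chosen to make the congestion visible; nothing in it is taken from the asker's network.

```python
"""Added example (not from the thread): a toy discrete-event model of one
congested uplink, comparing plain FIFO queuing with strict priority (LLQ)
for DSCP EF-marked voice packets. All traffic parameters are constructed."""
from collections import deque
from dataclasses import dataclass

EF = 46  # DSCP Expedited Forwarding: the marking the first answer recommends for voice


@dataclass
class Packet:
    arrival: float  # seconds
    size: int       # bytes on the wire
    dscp: int
    seq: int        # tie-breaker so equal arrival times keep a stable order


def make_traffic(duration=2.0):
    """Constructed mix: G.711-style voice (200 B every 20 ms, DSCP EF, ~80 kbit/s)
    plus a bulk upload offering 1500 B every 10 ms (~1.2 Mbit/s), i.e. the
    'some guy seeding torrents' case from the post."""
    pkts, seq = [], 0
    t = 0.0
    while t < duration:
        pkts.append(Packet(t, 200, EF, seq)); seq += 1
        t += 0.02
    t = 0.0
    while t < duration:
        pkts.append(Packet(t, 1500, 0, seq)); seq += 1
        t += 0.01
    pkts.sort(key=lambda p: (p.arrival, p.seq))
    return pkts


def simulate(pkts, link_bps=768_000, queue_limit=64, priority=False):
    """Drain `pkts` through one link. With priority=False there is a single
    tail-drop FIFO; with priority=True EF packets get their own queue that is
    always served first (what an ASA 'priority' class does). Returns the
    per-voice-packet delays in seconds and the number of voice packets dropped."""
    voice_q, data_q = deque(), deque()
    delays, voice_drops = [], 0
    now, i = 0.0, 0

    while i < len(pkts) or voice_q or data_q:
        # admit everything that has arrived by now (tail drop when a queue is full)
        while i < len(pkts) and pkts[i].arrival <= now:
            p = pkts[i]; i += 1
            q = voice_q if (priority and p.dscp == EF) else data_q
            if len(q) >= queue_limit:
                if p.dscp == EF:
                    voice_drops += 1
            else:
                q.append(p)
        if not voice_q and not data_q:
            now = pkts[i].arrival  # link idle: jump to the next arrival
            continue
        p = voice_q.popleft() if voice_q else data_q.popleft()
        now += p.size * 8 / link_bps  # serialization time on the link
        if p.dscp == EF:
            delays.append(now - p.arrival)
    return delays, voice_drops


def summarize(delays, drops):
    return {
        "max_delay_s": max(delays),
        "jitter_s": max(delays) - min(delays),  # peak-to-peak delay variation
        "voice_drops": drops,
    }


def compare(link_bps=768_000, queue_limit=64):
    """Run the same constructed traffic through both schedulers."""
    pkts = make_traffic()
    return {
        "fifo": summarize(*simulate(pkts, link_bps, queue_limit, priority=False)),
        "priority": summarize(*simulate(pkts, link_bps, queue_limit, priority=True)),
    }


if __name__ == "__main__":
    for mode, stats in compare().items():
        print(f"{mode:8s} max delay {stats['max_delay_s'] * 1000:7.1f} ms  "
              f"jitter {stats['jitter_s'] * 1000:7.1f} ms  "
              f"voice drops {stats['voice_drops']}")
```

With these parameters the FIFO queue fills within the first second, after which every voice packet waits behind tens of 1500-byte data frames (hundreds of milliseconds) and some are tail-dropped along with the data. Under strict priority a voice packet never waits for more than the data frame already being serialized (about 16 ms at 768 kbit/s), so its delay stays under 20 ms and nothing is dropped, which is exactly the "move voice packets to the first line" behaviour the post describes; the Internet in between is modelled as best effort and does nothing with the marking.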



Wow, I appreciate the explanation, since I'm still trying to grasp QoS and its benefits and limitations.

As for configuring the voice VPN tunnel with no encryption, can you list the sample phase 1/2 commands on the ASA with QoS enabled for that tunnel?

Basically, the s2s VPN is only used for the VoIP connection to the Fonality server, so I believe your solution will help alleviate some of the latency.
Top Expert 2007
crypto ipsec transform-set nullset esp-null esp-md5-hmac    (esp-null: no encryption, esp-md5-hmac keeps integrity checking)
crypto map outside_map 10 match address crypto_10_map
crypto map outside_map 10 set peer   ( is an example peer; the peer address was omitted in the original post)
crypto map outside_map 10 set transform-set nullset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group type ipsec-l2l    (tunnel-group name, normally the peer address, omitted in the original post)
tunnel-group ipsec-attributes
 pre-shared-key *

priority-queue outside    (global config mode; enables the strict-priority queue on the outside interface)

class-map VOIP_Tunnel
 match tunnel-group    (tunnel-group name omitted in the original post)

policy-map outside_policy
 class VOIP_Tunnel
  priority    (send matching packets ahead of the best-effort queue)

service-policy outside_policy interface outside



I'll test out and let you know.