Cisco ASA 5505 VPN w/ VOIP QoS configuration

Posted on 2009-02-11
Last Modified: 2013-12-21
Hi Gurus,

A friend of mine is using a VPN site-to-site connection via his local Cisco ASA 5505 to a remote partner's Sonicwall (I'm not sure what the model is, but it's one of the newer ones) to connect to their Fonality PBX server.  How do I go about optimizing and prioritizing traffic for VOIP/SIP?  From my understanding, I believe QoS needs to be configured for both end-points.  So with the above network setup, what's the best way to configure it?

current config:

10 sip phones <==> Cisco ASA 5505 <==> VPN site-to-site (over Verizon DSL) <==> Sonicwall <==> Fonality PBX Server.

Thanks in advance.

Question by:jetli87
    LVL 29

    Accepted Solution

    Hello jetli87,
      If you already have a s2s VPN established and have data flowing through, and you also want your VOIP traffic to flow through the same tunnel, your best option would be marking the SIP phone traffic (they should be in the Voice VLAN of the switch according to best practices) with a DSCP value of ef (this can be done at the switch which the phones connect to), then at both sites, prioritize the traffic matching the ef marking. An easier practice would be writing an ACL at both ends that defines the SIP phone traffic, then do prioritization matching on that specific ACL.
         What I would recommend is to create a separate tunnel for the VOIP phones, set the transform set as esp-null at both ends so you disable encryption and lower the latency, then match the tunnel-group for prioritization.

    Please check the following previous answer of mine for step by step
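    The ACL-based option from the answer above, written out as an ASA config fragment. This is an added example, not the original answer's config; the subnets, PBX address and port range are assumed placeholders.

```cisco
! Added example (not from the original thread): classify phone-to-PBX traffic
! with an ACL and give that class low-latency (priority) queuing on the ASA's
! outside interface. Assumed placeholders: phones on 192.168.10.0/24, PBX at
! 10.20.30.40, SIP signalling on UDP 5060, RTP media on UDP 10000-20000.
! Replace them with the real subnets and the port range the PBX actually uses.
!
object-group service VOICE_PORTS udp
 port-object eq 5060
 port-object range 10000 20000
!
! Match both directions so returning media gets the same treatment.
access-list VOICE_TRAFFIC extended permit udp 192.168.10.0 255.255.255.0 host 10.20.30.40 object-group VOICE_PORTS
access-list VOICE_TRAFFIC extended permit udp host 10.20.30.40 192.168.10.0 255.255.255.0 object-group VOICE_PORTS
!
! Enable the strict-priority queue on the WAN interface; without this line
! the "priority" action in the policy-map has no queue to use.
priority-queue outside
!
class-map VOICE_CLASS
 match access-list VOICE_TRAFFIC
!
! Alternative class if the phones or a managed switch already mark packets ef:
! class-map VOICE_DSCP
!  match dscp ef
!
policy-map outside_policy
 class VOICE_CLASS
  priority
!
service-policy outside_policy interface outside
!
! Verify that voice packets are actually hitting the priority queue:
! show service-policy interface outside
! show priority-queue statistics outside
```

    As the answer notes, the remote end (the Sonicwall) needs an equivalent prioritization rule for the same traffic, or only one direction benefits.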

    LVL 1

    Author Comment

    Thanks for the response...I'll definitely try it out...however, both sites are small and are using cheap-0 switches.  With that being said, I assume going through the ACL solution is my best option?

    Also, I've read here at EE that QoS only works if two sites are connected by a leased line, i.e. T1 or MPLS...Since a VPN tunnel is using the internet, the QoS features are lost once traffic travels via the internet...Can you confirm?
    LVL 6

    Expert Comment

    It is true that the Internet is not going to retain or respect your QOS/DSCP markings, but that doesn't mean you should not mark the traffic; you still need to prioritize, traffic shape and rate limit what goes into the tunnel.
    LVL 29

    Expert Comment

    by:Alan Huseyin Kayahan
       If we look at QoS in general, it is correct that the Internet, which consists of islands of ISP routers and switches, will not do QoS according to what you mark. ISPs do QoS according to their needs, like prioritizing their routing protocol traffic and so on where congestion may occur within their campus. There are some ISPs out there which can do QoS for traffic you mark, by paying extra fees, but this is not a common scenario, taking into consideration that when your remote office is pretty many ASes away, the bidirectional raw packet delay may exceed 140-150ms.
       From CompanyABC's Network Administrator's standpoint, your QoS concerns begin and end where your network perimeter begins and ends, typically a WAN router or firewall (excluding possible bottlenecks within the distribution layer, trunk ports etc). Same for your branch office. So you should command your perimeter device: "When congestion occurs at my router's interface, send/receive my voice packets first, meaning if there are data packets waiting in the software queue because of congestion (some guy is seeding/downloading torrents and killing our upstream/downstream bandwidth), move voice packets to the first line, in front of these data packets. It will have no effect if you deliver my data packets late, but my voice will start jittering when you deliver it late. (Btw, don't FIFO drop my voice packets, because this voice packet has to reach on time, so TCP's guaranteed delivery like retransmission of lost packets won't work here, since I don't want to hear my "hello" word you dropped in the middle of my conversation. Yet voice usually uses UDP for actual voice transmission and TCP for signaling, in general.)" Then let the Internet deliver the packets on its best effort. And finally at your branch office, command your perimeter device the same as what you did at your main office. Follow the best practices to lower latency as much as possible, like not using encryption for the Voice VPN Tunnel, and use transport mode if possible (don't add tunnel mode's additional header overhead).
         Long story short, regardless of being internet or dedicated line, if your interface congests, and if you don't have QoS in place, you will have jitter in voice!

    LVL 1

    Author Comment

    Wow, I appreciate the explanation since I'm still trying to grasp QoS and its benefits and limitations.

    As for configuring the voice VPN tunnel w/ no encryption, can you list the sample phase1/2 commands on the ASA w/ QoS enabled for that tunnel?

    Basically, the s2s VPN is only used for the VOIP connection to the Fonality server, so I believe your solution will help alleviate some of the latency.
    LVL 29

    Assisted Solution

    by:Alan Huseyin Kayahan
    ! Phase 2: ESP with null encryption but MD5 authentication, so the voice
    ! tunnel keeps integrity checking while dropping the per-packet encryption cost
    crypto ipsec transform-set nullset esp-null esp-md5-hmac
    ! crypto_10_map is the ACL that defines the voice traffic to be tunnelled
    crypto map outside_map 10 match address crypto_10_map
    ! <peer-ip> stands for the remote Sonicwall's address (omitted in the post)
    crypto map outside_map 10 set peer <peer-ip>
    crypto map outside_map 10 set transform-set nullset
    crypto map outside_map interface outside
    ! Phase 1 (ISAKMP) policy
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400

    ! For an L2L tunnel the tunnel-group name is the peer address
    tunnel-group <peer-ip> type ipsec-l2l
    tunnel-group <peer-ip> ipsec-attributes
     pre-shared-key *

    ! Global config mode: enable the strict-priority queue on the outside interface
    priority-queue outside

    ! Classify the traffic belonging to the voice tunnel
    class-map VOIP_Tunnel
     match tunnel-group <peer-ip>

    ! Send the voice class through the priority queue
    policy-map outside_policy
     class VOIP_Tunnel
      priority

    service-policy outside_policy interface outside
    LVL 1

    Author Comment
    I'll test it out and let you know.
