• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5630

Cisco ASA 5505 VPN w/ VOIP QoS configuration

Hi Gurus,

A friend of mine is using a site-to-site VPN connection via his local Cisco ASA 5505 to a remote partner's SonicWall (I'm not sure what the model is, but it's one of the newer ones) to connect to their Fonality PBX server. How do I go about optimizing and prioritizing traffic for VoIP/SIP? From my understanding, I believe QoS needs to be configured on both end-points. So with the above network setup, what's the best way to configure it?

current config:

10 sip phones <==> Cisco ASA 5505 <==> VPN site-to-site (over Verizon DSL) <==> Sonicwall <==> Fonality PBX Server.

Thanks in advance.

2 Solutions
Alan Huseyin Kayahan commented:
Hello jetli87,
      If you already have a s2s VPN established and have data flowing through, and you also want your VoIP traffic to flow through the same tunnel, your best option would be marking the SIP phone traffic (they should be in the voice VLAN of the switch according to best practices) with a DSCP value of ef (this can be done at the switch the phones connect to), then at both sites, prioritize the traffic matching the ef marking. An easier practice would be writing an ACL at both ends that defines the SIP phone traffic, then do prioritization matching on that specific ACL.
     What I would recommend is to create a separate tunnel for the VoIP phones, set the transform set as esp-null at both ends so you disable encryption and lower the latency, then match the tunnel-group for prioritization.

Please check the following previous answer of mine for step by step

jetli87 (Author) commented:
Thanks for the response... I'll definitely try it out. However, both sites are small and are using cheap-o switches. With that being said, I assume going through the ACL solution is my best option?

Also, I've read here at EE that QoS only works if two sites are connected by a leased line, i.e. T1 or MPLS... Since a VPN tunnel is using the Internet, the QoS features are lost once traffic travels via the Internet... Can you confirm?

It is true that the Internet is not going to retain or respect your QoS/DSCP markings, but that doesn't mean you should not mark the traffic; you still need to prioritize, traffic-shape and rate-limit what goes into the tunnel.

Alan Huseyin Kayahan commented:
   If we look at QoS in general, it is correct that the Internet, which consists of islands of ISP routers and switches, will not do QoS according to what you mark. ISPs do QoS according to their own needs, like prioritizing their routing protocol traffic and so on, where congestion may occur within their campus. There are some ISPs out there which can do QoS for traffic you mark, for an extra fee, but this is not a common scenario, especially considering that when your remote office is many ASes away, the bidirectional delay of a raw packet may exceed 140-150 ms.
   From CompanyABC's network administrator's standpoint, your QoS concerns begin and end where your network perimeter begins and ends, typically a WAN router or firewall (excluding possible bottlenecks within the distribution layer, trunk ports etc.). Same for your branch office. So you should command your perimeter device: "When congestion occurs at my router's interface, send/receive my voice packets first, meaning if there are data packets waiting in the software queue because of congestion (some guy is seeding/downloading torrents and killing our upstream/downstream bandwidth), move the voice packets to the front of the line, in front of these data packets. It will have no effect if you deliver my data packets late, but my voice will start jittering when you deliver it late. (Btw, don't FIFO-drop my voice packets, because a voice packet has to arrive on time, so TCP's guaranteed delivery, like retransmission of lost packets, won't work here, since I don't want to hear the "hello" you dropped in the middle of my conversation. Voice usually uses UDP for the actual voice transmission and TCP for signaling, in general.)" Then let the Internet deliver the packets on a best-effort basis. And finally, at your branch office, command your perimeter device the same way you did at your main office. Follow best practices to lower latency as much as possible, like not using encryption for the voice VPN tunnel and using transport mode if possible (don't add tunnel mode's additional header overhead).
     Long story short, regardless of whether it is the Internet or a dedicated line, if your interface congests and you don't have QoS in place, you will have jitter in your voice!
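The point above, that the perimeter device's scheduler decides whether voice jitters under congestion, can be seen in a toy simulation. This is an added example, not code from the thread or from Cisco: it serializes a constructed mix of a 20 ms voice stream and a bulk-upload burst over a 768 kbps uplink, once with a single FIFO queue and once with strict priority for voice (the behaviour `priority` in an ASA policy-map gives), and reports the voice packets' maximum queueing delay, jitter and drops. All packet sizes, rates and the queue limit are assumptions chosen to make the congestion obvious.

```python
"""Added example (not from the thread): a toy discrete-event simulation of
one congested uplink, comparing plain FIFO with strict priority (LLQ) for
voice.  All traffic figures below are constructed, not measured."""

from dataclasses import dataclass, field
from typing import Dict, List

LINK_BPS = 768_000        # constructed DSL upstream rate
VOICE_BYTES = 200         # ~G.711 20 ms frame + RTP/UDP/IP headers
VOICE_INTERVAL = 0.020    # one voice packet every 20 ms (80 kbps)
DATA_BYTES = 1500         # full-size packets from a bulk upload
QUEUE_LIMIT = 64          # tail-drop threshold of each software queue


@dataclass(order=True)
class Packet:
    arrival: float
    kind: str = field(compare=False)   # "voice" or "data"
    size: int = field(compare=False)   # bytes


def make_traffic(seconds: float = 2.0, data_pps: int = 200) -> List[Packet]:
    """Steady voice stream plus a 1 s bulk-data burst (0.5 s .. 1.5 s) that
    offers ~2.4 Mbps to a 768 kbps link, i.e. heavy congestion."""
    pkts: List[Packet] = []
    t = 0.0
    while t < seconds:
        pkts.append(Packet(t, "voice", VOICE_BYTES))
        t += VOICE_INTERVAL
    t = 0.5
    while t < 1.5:
        pkts.append(Packet(t, "data", DATA_BYTES))
        t += 1.0 / data_pps
    pkts.sort()               # order by arrival time only
    return pkts


def simulate(pkts: List[Packet], priority: bool) -> Dict[str, float]:
    """Serialize packets over LINK_BPS.  FIFO: one shared tail-drop queue.
    LLQ: voice has its own queue that is always served before data."""
    voice_q: List[Packet] = []
    data_q: List[Packet] = []
    delays: List[float] = []          # queueing delay of each sent voice packet
    dropped = {"voice": 0, "data": 0}
    clock, i, n = 0.0, 0, len(pkts)

    def enqueue(p: Packet) -> None:
        q = voice_q if (priority and p.kind == "voice") else data_q
        if len(q) >= QUEUE_LIMIT:
            dropped[p.kind] += 1        # tail drop: a dropped voice packet is simply lost
        else:
            q.append(p)

    while i < n or voice_q or data_q:
        while i < n and pkts[i].arrival <= clock:   # admit everything that has arrived
            enqueue(pkts[i])
            i += 1
        if not voice_q and not data_q:
            clock = pkts[i].arrival                 # link idle: jump to next arrival
            continue
        p = (voice_q or data_q).pop(0)              # voice queue wins whenever non-empty
        if p.kind == "voice":
            delays.append(clock - p.arrival)
        clock += p.size * 8 / LINK_BPS              # serialization time on the link

    jitter = sum(abs(a - b) for a, b in zip(delays, delays[1:])) / max(1, len(delays) - 1)
    return {
        "max_delay_ms": max(delays) * 1000,
        "jitter_ms": jitter * 1000,
        "voice_dropped": dropped["voice"],
        "data_dropped": dropped["data"],
    }


def compare() -> Dict[str, Dict[str, float]]:
    """Run the same constructed traffic through FIFO and through LLQ."""
    pkts = make_traffic()
    return {"fifo": simulate(pkts, priority=False),
            "llq": simulate(pkts, priority=True)}


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:4s} voice max delay {r['max_delay_ms']:7.1f} ms  "
              f"jitter {r['jitter_ms']:5.1f} ms  voice dropped {r['voice_dropped']}")
```

With FIFO the voice packets end up queued behind up to 63 full-size data packets (close to a second of delay at this link rate) and some are tail-dropped outright; with the priority queue a voice packet never waits longer than the one data packet already on the wire, and only data is dropped. The bulk data still gets through in both cases, just later, which is exactly the trade the answer above describes.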

jetli87 (Author) commented:
Wow, I appreciate the explanation, since I'm still trying to grasp QoS and its benefits and limitations.

As for configuring the voice VPN tunnel with no encryption, can you list the sample phase 1/2 commands on the ASA with QoS enabled for that tunnel?

Basically, the s2s VPN is only used for the VoIP connection to the Fonality server, so I believe your solution will help alleviate some of the latency.
Alan Huseyin Kayahan commented:
crypto ipsec transform-set nullset esp-null esp-md5-hmac
crypto map outside_map 10 match address crypto_10_map
crypto map outside_map 10 set peer <peer-ip>    (<peer-ip> is a placeholder for the remote peer's address)
crypto map outside_map 10 set transform-set nullset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group <peer-ip> type ipsec-l2l
tunnel-group <peer-ip> ipsec-attributes
 pre-shared-key *

priority-queue outside    (global config mode)

class-map VOIP_Tunnel
 match tunnel-group <peer-ip>

policy-map outside_policy
 class VOIP_Tunnel
  priority

service-policy outside_policy interface outside
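The configuration above only works when four separate pieces line up: the class-map must match something, the policy-map must give that class the priority action, the policy-map must be applied to the interface with service-policy, and priority-queue must be enabled on that same interface. A slip in any one of them (a typo in `service-policy`, a forgotten `priority`, a `match tunnel-group` with no name) leaves voice in the default FIFO queue with no error. The following is an added example, not part of this thread and not a Cisco tool: a small Python checker that parses `show run`-style text (one-space indentation for sub-commands, as the ASA prints it) and reports those gaps. The two sample configs are constructed; `203.0.113.10` is a documentation-range placeholder for the remote peer.

```python
"""Added example (not from the thread): a small sanity check for an ASA
LLQ configuration, verifying that class-map -> policy-map -> service-policy
-> priority-queue are wired together, since a typo in any one of them
silently leaves voice in the default FIFO queue."""

from typing import Dict, List, Set, Tuple

# match keywords that need an argument (tunnel-group name, ACL name, DSCP value ...)
MATCH_NEEDS_ARG = {"tunnel-group", "access-list", "dscp", "precedence", "port", "rtp", "flow"}


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split show-run style text into (top-level line, [indented sub-lines])."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                                  # blank line or comment
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())         # sub-command of previous block
        elif not raw[0].isspace():
            blocks.append((raw.strip(), []))
    return blocks


def check_llq(config: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means the
    priority-queue chain is complete."""
    class_maps: Dict[str, List[str]] = {}               # name -> match lines
    policy_maps: Dict[str, Dict[str, List[str]]] = {}   # name -> {class: actions}
    service_policies: List[Tuple[str, str]] = []        # (policy-map, interface)
    pq_ifaces: Set[str] = set()

    for header, subs in parse_blocks(config):
        parts = header.split()
        if parts[0] == "class-map" and len(parts) == 2:
            class_maps[parts[1]] = [s for s in subs if s.startswith("match ")]
        elif parts[0] == "policy-map" and len(parts) == 2:
            classes: Dict[str, List[str]] = {}
            current = None
            for s in subs:                              # lines after 'class X' are its actions
                sp = s.split()
                if sp[0] == "class" and len(sp) == 2:
                    current = sp[1]
                    classes[current] = []
                elif current is not None:
                    classes[current].append(s)
            policy_maps[parts[1]] = classes
        elif parts[0] == "service-policy" and len(parts) == 4 and parts[2] == "interface":
            service_policies.append((parts[1], parts[3]))
        elif parts[0] == "priority-queue" and len(parts) >= 2:
            pq_ifaces.add(parts[1])

    findings: List[str] = []
    if not service_policies:
        findings.append("no 'service-policy <map> interface <if>' line found (check spelling)")
    for pm_name, classes in policy_maps.items():
        applied = [iface for pol, iface in service_policies if pol == pm_name]
        for cls, actions in classes.items():
            if cls not in class_maps:
                findings.append(f"policy-map {pm_name}: no 'class-map {cls}' defines class {cls}")
            else:
                if not class_maps[cls]:
                    findings.append(f"class-map {cls}: has no 'match' line")
                for m in class_maps[cls]:
                    tokens = m.split()
                    if len(tokens) == 2 and tokens[1] in MATCH_NEEDS_ARG:
                        findings.append(f"class-map {cls}: '{m}' is missing its argument")
            has_priority = any(a.split()[0] == "priority" for a in actions)
            if not has_priority:
                findings.append(f"policy-map {pm_name}: class {cls} has no 'priority' action")
            for iface in applied:
                if has_priority and iface not in pq_ifaces:
                    findings.append(f"interface {iface}: 'priority-queue {iface}' not enabled, "
                                    f"so the priority action does nothing")
    return findings


# constructed sample; 203.0.113.10 stands in for the remote peer address
GOOD_CONFIG = """\
class-map VOIP_Tunnel
 match tunnel-group 203.0.113.10
policy-map outside_policy
 class VOIP_Tunnel
  priority
priority-queue outside
service-policy outside_policy interface outside
"""

# constructed sample with three common slips: bare match, no priority, typo
BAD_CONFIG = """\
class-map VOIP_Tunnel
 match tunnel-group
policy-map outside_policy
 class VOIP_Tunnel
priority-queue outside
serice-policy outside_policy interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_llq(cfg) or "OK")
```

The checker is deliberately strict about `service-policy`: an unrecognised top-level line is ignored just as the ASA parser would reject it, so the typo shows up as "no service-policy found" rather than being silently accepted.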
jetli87 (Author) commented:

I'll test out and let you know.
Question has a verified solution.
