• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2239
  • Last Modified:

QoS pre-classify for VPNs on Cisco ASA

My company has recently acquired a new customer that is using Cisco ASA 5520s to connect to their hub network via our satellite network.  Recently, they called complaining about call quality.  We performed a packet capture, and, as expected, we only see ESP packets with the DSCP value set at 0.

I have found documentation on Cisco's website stating that the firewally preserves the DSCP values, but it doesn't say if it does this when the ASA is encapsulating it in a VPN header.

Is there a way to apply "qos pre-classify" on the crypto maps in the ASA in order to preserve the DSCP values on the unencrypted packet?
1 Solution
Check to see if the packets do come into the ASA with the DSCP set since its default behaivor that the ASA copies the ToS of the IP header to the IP header of the encrypted packet for QoS after encryption

Just for some QoS reading on the ASA you can check this link out.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now