QoS on Cisco ASA 5520

I have approx. 200 users on a remote site.
They connect to the central site with two site-to-site IPsec VPNs.
All applications are running as published applications on a Citrix farm at the central site.
I want to enable priority for the traffic going to and from the remote site.

I see that it is possible to add a service policy, specify tunnel-group as match criteria and check the "enable priority for this flow" box. That is OK, I can do this for each tunnel-group.

First question:
Under "Configuration - Device Management - Advanced - Priority queue" I have to configure priority queue parameters on an interface. In this scenario, should I use the Outside interface? And I see that the default values are: Queue limit 2048 and Transmission ring limit 512. Is there a rule of thumb or something like that when setting these values?

Second question:
It seems a bit weird to just put priority on the tunnel-groups; I would really like to specify what I want to put priority on. So, keeping in mind that the traffic is going to and from the central environment over IPsec, is it possible to just define an outside-policy and one class for each TCP/UDP port I want to enable priority on?

Third question:
If I am far off, what do you think I should do with my ASA 5520 to implement some kind of QoS for my Citrix traffic to and from the remote site?
jjmartineziii Commented:
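! Enable the priority queue on the egress interface before applying the policy
priority-queue outside

! Traffic to prioritise (the host addresses are not shown in the post)
access-list OUTSIDE_PQTRAFFIC extended permit ip host host
access-list OUTSIDE_PQTRAFFIC extended permit ip host host
access-list OUTSIDE_PQTRAFFIC extended permit ip host host
access-list OUTSIDE_PQTRAFFIC extended permit ip host host

class-map PQTRAFFIC
 match access-list OUTSIDE_PQTRAFFIC

! The post does not show the policy-map that the service-policy names;
! this minimal form is an assumption
policy-map OUTSIDE_PQTRAFFIC
 class PQTRAFFIC
  priority

service-policy OUTSIDE_PQTRAFFIC interface outside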

Here is an example of some QoS I did on an ASA. It seems to be working.

Hope this helps.
QoS is a good idea if the VPN link is used for multiple kinds of traffic like the Citrix farm, email and internet browsing. Then you can give the Citrix farm high priority and Internet low priority.

Use class maps and ACLs to match traffic and assign priorities.

Reset_Author Commented:
That is an interesting approach, jjmartineziii; I will try to implement it on my ASA.

Is it possible to have levels of priority, like:
priority 1
priority 2

This will be a good solution in putting priority on the traffic to and from the remote servers over the ipsec connection. But it would have been great to have more than one priority level.

The newer version of XenApp will have keystrokes and screen updates on one port, and print/file traffic on another port, etc. (not like now, where everything runs over port 1494 or 2598). It would make sense to have a higher priority on keystrokes, lower on print/file traffic and no priority on everything else.

I guess I would also have to be able to specify protocol/port in the extended access list and not only IPs.
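
The protocol/port matching asked about above, as an added example that is not part of the thread or anyone's posted configuration: an extended ACL keyed on the Citrix ports the post names (1494 and 2598) instead of host addresses. The names CITRIX_ICA and CITRIX_PQ are hypothetical, and `any` stands in for the real site subnets.

```cisco
! Constructed example; CITRIX_ICA and CITRIX_PQ are hypothetical names.
! Priority queuing acts on packets leaving an interface, so the queue is
! enabled on outside, as in jjmartineziii's configuration.
priority-queue outside

! Client -> farm: 1494 or 2598 is the destination port.
access-list CITRIX_ICA extended permit tcp any any eq 1494
access-list CITRIX_ICA extended permit tcp any any eq 2598
! Farm -> client: the same ports appear as the source port, so the
! return direction needs its own entries on the central-site ASA.
access-list CITRIX_ICA extended permit tcp any eq 1494 any
access-list CITRIX_ICA extended permit tcp any eq 2598 any

class-map CITRIX_PQ
 match access-list CITRIX_ICA

! An interface takes a single service policy, so where OUTSIDE_PQTRAFFIC
! is already applied this class is added to that policy-map.
policy-map OUTSIDE_PQTRAFFIC
 class CITRIX_PQ
  priority

service-policy OUTSIDE_PQTRAFFIC interface outside
```

`show service-policy priority` and `show priority-queue statistics outside` report whether packets are actually landing in the priority queue.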
Reset_Author Commented:
I implemented this on my ASA, jjmartineziii, and I will award you the points.
Thank you
Question has a verified solution.
