Solved

Priority queuing not working correctly on ASA 5505

Posted on 2014-01-24
1
Medium Priority
827 Views
Last Modified: 2014-02-14
Having an issue with QoS on a pair of ASA 5505s.

Both are acting as the edge "router" at two locations. Each building has its own internet connection as well as a wireless bridge connecting the two.

The ASAs have Security Plus licenses on them, and each one has separate internal VLANs for data and voice (and the wireless bridge) with appropriate routes.

The one building has phones which must connect to the "main" building. They do so over an IPsec VPN.

The wireless bridge carries everything for the "slave" side except voice (VPN), and internet traffic (which goes out their independent internet connection).

Everything is working fine except voice quality is terrible for the "slave" side.
===================================================================
I've implemented QoS based on this guide, but it does not work:
http://netribe.blogspot.com/2013/03/cisco-asa-qos-for-voip.html

show service-policy does not show anything happening with the priority queue counters for any of the interfaces. This command on the main ASA DOES show incrementing counters for the voice VLAN, however. I think the ASAs are not looking at IPsec traffic the same as normal traffic, which would explain these counters on the main ASA (since the phone system is housed on that side, and traffic is not leaving the building through a VPN tunnel like it is on the slave side).

Here is the relevant config from the main ASA. The "slave ASA" is damn near identical:
interface Vlan10
 nameif insideData
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface Vlan20
 nameif insidePhones
 security-level 100
 ip address 10.0.2.1 255.255.255.0
!
interface Vlan30
 nameif wifiBridge
 security-level 100
 ip address 10.254.254.1 255.255.255.0

access-list cryptoMap_toSlaveSide extended permit ip 10.0.2.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list cryptoMap_toSlaveSide extended permit ip 10.0.2.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list cryptoMap_toSlaveSide extended permit ip 10.0.5.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list noNat extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list noNat extended permit ip 10.0.1.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list noNat extended permit ip 10.0.1.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list noNat extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list noNat extended permit ip 10.0.2.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list noNat extended permit ip 10.0.2.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list noNat extended permit ip 10.0.2.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list noNat extended permit ip 10.0.5.0 255.255.255.0 any
access-list noNat extended permit ip any 10.0.5.0 255.255.255.0
access-list noNat extended permit ip 10.254.254.0 255.255.255.0 any
access-list noNat extended permit ip any 10.254.254.0 255.255.255.0
access-list noNat extended permit ip 10.0.1.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list voip_inside extended permit ip any 10.0.2.0 255.255.255.0
access-list voip_outside extended permit ip 10.0.2.0 255.255.255.0 any

global (outside) 1 interface
nat (insideData) 0 access-list noNat
nat (insideData) 1 10.0.1.0 255.255.255.0
nat (insidePhones) 0 access-list noNat
nat (insidePhones) 1 10.0.2.0 255.255.255.0
nat (wifiBridge) 0 access-list noNat
nat (wifiBridge) 1 10.254.254.0 255.255.255.0

route wifiBridge 10.0.3.0 255.255.255.0 10.254.254.2 1

crypto map outside_map 2 match address cryptoMap_toSlaveSide
crypto map outside_map 2 set peer x.x.x.x
crypto map outside_map 2 set transform-set ESP-AES-256-SHA

priority-queue outside
priority-queue insideData
priority-queue insidePhones
priority-queue wifiBridge

class-map voice-inside-class
 match access-list voip_inside
class-map noTimeout
 match access-list noTimeout
class-map voip-outside-class
 match access-list voip_outside
class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map outside-policy
 class voip-outside-class
  priority
policy-map out-policy
 class class-default
  shape average 9000000
  service-policy outside-policy
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect ftp
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect ip-options
  inspect dns preset_dns_map
 class noTimeout
  set connection timeout embryonic 24:00:00 half-closed 24:00:00 idle 24:00:00
policy-map inside-policy
 class voice-inside-class
  priority
policy-map ins-policy
 class class-default
  shape average 9000000
  service-policy inside-policy
!
service-policy global_policy global
service-policy out-policy interface outside
service-policy ins-policy interface insideData
service-policy ins-policy interface insidePhones
=======================================================
Here is a show service-policy from the main ASA as well (notice in bold, which appears to be working, but nothing for outside):

Interface outside:
  Service-policy: out-policy
    Class-map: class-default

      shape (average) cir 9000000, bc 36000

      (pkts output/bytes output) 2475698/1256802820
      (total drops/no-buffer drops) 287/0

      Service-policy: outside-policy
        Class-map: voip-outside-class

          priority

          Queueing
          queue limit 150 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0


Shouldn't this have traffic going through it?

        Class-map: class-default

          Default Queueing
          queue limit 150 packets
          (queue depth/total drops/no-buffer drops) 0/287/0
          (pkts output/bytes output) 2440302/1223133735


Interface insideData:
  Service-policy: ins-policy
    Class-map: class-default

      shape (average) cir 9000000, bc 36000

      (pkts output/bytes output) 4950203/4870233154
      (total drops/no-buffer drops) 626/0

      Service-policy: inside-policy
        Class-map: voice-inside-class

          priority

          Queueing
          queue limit 150 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0

        Class-map: class-default

          Default Queueing
          queue limit 150 packets
          (queue depth/total drops/no-buffer drops) 5/626/0
          (pkts output/bytes output) 4886214/4808684578


Interface insidePhones:
  Service-policy: ins-policy
    Class-map: class-default

      shape (average) cir 9000000, bc 36000

      (pkts output/bytes output) 2484683/226566236
      (total drops/no-buffer drops) 0/0

      Service-policy: inside-policy
        Class-map: voice-inside-class

          priority

          Queueing
          queue limit 150 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 2460679/225332197


        Class-map: class-default

          Default Queueing
          queue limit 150 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
Question by:TechGuy_007
1 Comment
 
LVL 28

Accepted Solution

by:
asavener earned 1000 total points
ID: 39820664
Crypto takes place before QoS, so the voice packets are already encapsulated as IPSec packets by the time the priority queuing engine checks the packets against the list of what should get priority.

Change the access list assigned to the class map, so that the access list matches IPSec.

You need to match ESP and UDP 4500.  (UDP 500 is only used for setting up the VPN, so it doesn't need to be prioritized.)

Note that this will match all traffic going out as VPN, so you may want to match the source and destination addresses as well in order to avoid prioritizing remote access VPNs, if you have any.
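As an added illustration of the accepted answer (this is example configuration, not something posted by the asker or the answerer), the following ASA fragment replaces the class-map match on the outside interface so that it classifies the encrypted tunnel itself rather than the plaintext voice subnet. It matches ESP and UDP 4500 only between the two VPN endpoints, which keeps remote-access VPN users out of the priority queue as the answer suggests. LOCAL_OUTSIDE_IP and PEER_IP are placeholders for this ASA's outside address and the slave ASA's peer address (the "x.x.x.x" in the crypto map); the access-list name voip_outside_vpn is an assumption.

```cisco
! Added example (not from the original post): classify the IPsec tunnel
! carrying the voice traffic, not the inner 10.0.2.0/24 addresses, because
! encryption has already happened by the time the outside priority queue
! inspects the packet.
!
! Placeholders: LOCAL_OUTSIDE_IP = this ASA's outside address,
!               PEER_IP          = the slave ASA's outside address (x.x.x.x in the crypto map)
access-list voip_outside_vpn extended permit esp host LOCAL_OUTSIDE_IP host PEER_IP
access-list voip_outside_vpn extended permit udp host LOCAL_OUTSIDE_IP host PEER_IP eq 4500
!
! An ASA layer 3/4 class-map takes a single match statement, so remove the
! old one before adding the new one.
class-map voip-outside-class
 no match access-list voip_outside
 match access-list voip_outside_vpn
!
! The existing hierarchical policy stays as it is: shaping in out-policy,
! priority for voip-outside-class in the nested outside-policy.
policy-map outside-policy
 class voip-outside-class
  priority
!
! Verify: the priority class under "Interface outside" should now show
! non-zero pkts output while calls are up.
show service-policy interface outside
show priority-queue statistics outside
```

The UDP 4500 line only matters when NAT traversal is in use between the peers; if the tunnel runs as plain ESP (no NAT in the path), the ESP line is the one whose counters move. The same change applies on the slave ASA with the two addresses swapped, and it is that side where the asker reports the poor call quality.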
