Priority queuing not working correctly on ASA 5505

Posted on 2014-01-24
Last Modified: 2014-02-14
Having an issue with QoS on a pair of ASA 5505s.

Both are acting as the edge "router" at two locations. Each building has its own internet connection as well as a wireless bridge connecting the two.

The ASAs have Security Plus licenses on them and each one has separate internal VLANs for data and voice (and the wireless bridge) with appropriate routes.

The one building has phones which must connect to the "main" building. They do so over an IPsec VPN.

The wireless bridge carries everything for the "slave" side except voice (VPN), and internet traffic (which goes out their independent internet connection).

Everything is working fine except voice quality is terrible for the "slave" side.
===================================================================
I've implemented QoS based on this guide but it does not work:
http://netribe.blogspot.com/2013/03/cisco-asa-qos-for-voip.html

show service-policy does not show anything happening with the priority queue counters for any of the interfaces. This command on the main ASA DOES show incrementing counters for the voice VLAN, however. I think the ASAs are not looking at IPsec traffic the same as normal traffic, which would explain these counters on the main ASA (since the phone system is housed on that side, and traffic is not leaving the building through a VPN tunnel like it is on the slave side).

Here is the relevant config from the main ASA. The "slave ASA" is damn near identical:
interface Vlan10
 nameif insideData
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface Vlan20
 nameif insidePhones
 security-level 100
 ip address 10.0.2.1 255.255.255.0
!
interface Vlan30
 nameif wifiBridge
 security-level 100
 ip address 10.254.254.1 255.255.255.0

access-list cryptoMap_toSlaveSide extended permit ip 10.0.2.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list cryptoMap_toSlaveSide extended permit ip 10.0.2.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list cryptoMap_toSlaveSide extended permit ip 10.0.5.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list noNat extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list noNat extended permit ip 10.0.1.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list noNat extended permit ip 10.0.1.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list noNat extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list noNat extended permit ip 10.0.2.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list noNat extended permit ip 10.0.2.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list noNat extended permit ip 10.0.2.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list noNat extended permit ip 10.0.5.0 255.255.255.0 any
access-list noNat extended permit ip any 10.0.5.0 255.255.255.0
access-list noNat extended permit ip 10.254.254.0 255.255.255.0 any
access-list noNat extended permit ip any 10.254.254.0 255.255.255.0
access-list noNat extended permit ip 10.0.1.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list voip_inside extended permit ip any 10.0.2.0 255.255.255.0
access-list voip_outside extended permit ip 10.0.2.0 255.255.255.0 any

global (outside) 1 interface
nat (insideData) 0 access-list noNat
nat (insideData) 1 10.0.1.0 255.255.255.0
nat (insidePhones) 0 access-list noNat
nat (insidePhones) 1 10.0.2.0 255.255.255.0
nat (wifiBridge) 0 access-list noNat
nat (wifiBridge) 1 10.254.254.0 255.255.255.0

route wifiBridge 10.0.3.0 255.255.255.0 10.254.254.2 1

crypto map outside_map 2 match address cryptoMap_toSlaveSide
crypto map outside_map 2 set peer x.x.x.x
crypto map outside_map 2 set transform-set ESP-AES-256-SHA

priority-queue outside
priority-queue insideData
priority-queue insidePhones
priority-queue wifiBridge

class-map voice-inside-class
 match access-list voip_inside
class-map noTimeout
 match access-list noTimeout
class-map voip-outside-class
 match access-list voip_outside
class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map outside-policy
 class voip-outside-class
  priority
policy-map out-policy
 class class-default
  shape average 9000000
  service-policy outside-policy
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect ftp
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect ip-options
  inspect dns preset_dns_map
 class noTimeout
  set connection timeout embryonic 24:00:00 half-closed 24:00:00 idle 24:00:00
policy-map inside-policy
 class voice-inside-class
  priority
policy-map ins-policy
 class class-default
  shape average 9000000
  service-policy inside-policy
!
service-policy global_policy global
service-policy out-policy interface outside
service-policy ins-policy interface insideData
service-policy ins-policy interface insidePhones
=======================================================
Here is a show service-policy from the main ASA as well (notice the insidePhones priority class, which appears to be working, but nothing for outside):

Interface outside:
  Service-policy: out-policy
    Class-map: class-default

      shape (average) cir 9000000, bc 36000

      (pkts output/bytes output) 2475698/1256802820
      (total drops/no-buffer drops) 287/0

      Service-policy: outside-policy
        Class-map: voip-outside-class

          priority

          Queueing
          queue limit 150 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0


Shouldn't this have traffic going through it?

        Class-map: class-default

          Default Queueing
          queue limit 150 packets
          (queue depth/total drops/no-buffer drops) 0/287/0
          (pkts output/bytes output) 2440302/1223133735


Interface insideData:
  Service-policy: ins-policy
    Class-map: class-default

      shape (average) cir 9000000, bc 36000

      (pkts output/bytes output) 4950203/4870233154
      (total drops/no-buffer drops) 626/0

      Service-policy: inside-policy
        Class-map: voice-inside-class

          priority

          Queueing
          queue limit 150 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0

        Class-map: class-default

          Default Queueing
          queue limit 150 packets
          (queue depth/total drops/no-buffer drops) 5/626/0
          (pkts output/bytes output) 4886214/4808684578


Interface insidePhones:
  Service-policy: ins-policy
    Class-map: class-default

      shape (average) cir 9000000, bc 36000

      (pkts output/bytes output) 2484683/226566236
      (total drops/no-buffer drops) 0/0

      Service-policy: inside-policy
        Class-map: voice-inside-class

          priority

          Queueing
          queue limit 150 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 2460679/225332197


        Class-map: class-default

          Default Queueing
          queue limit 150 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
Question by: TechGuy_007

Accepted Solution by: asavener (LVL 28, earned 500 total points)
Crypto takes place before QoS, so the voice packets are already encapsulated as IPSec packets by the time the priority queuing engine checks the packets against the list of what should get priority.

Change the access list assigned to the class map, so that the access list matches IPsec.

You need to match ESP and UDP 4500.  (UDP 500 is only used for setting up the VPN, so it doesn't need to be prioritized.)

Note that this will match all traffic going out as VPN, so you may want to match the source and destination addresses as well in order to avoid prioritizing remote access VPNs, if you have any.
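Worked example of the change the accepted answer describes, added here as an illustration; it is not part of the original thread and not the poster's config. It keeps the pre-8.3 syntax the posted config uses and assumes the main ASA's outside address is 203.0.113.1 and the slave ASA's is 198.51.100.1 (both placeholders; the original shows only x.x.x.x for the peer). The point is that on the outside interface the egress packets are already ESP (or UDP 4500 when NAT-T is in use) between the two tunnel endpoints, so an ACL written for 10.0.2.0/24 can never match there; the inside interfaces still see cleartext, so the existing voip_inside ACL is left alone.

```cisco
! --- Added example, not the poster's configuration ---
! Tunnel endpoint addresses are placeholders (assumption):
!   main ASA outside  = 203.0.113.1
!   slave ASA outside = 198.51.100.1
!
! Scope the match to this one peer so remote-access or other
! site-to-site tunnels on the same interface are not prioritized.
access-list voip_vpn_outside extended permit esp host 203.0.113.1 host 198.51.100.1
access-list voip_vpn_outside extended permit udp host 203.0.113.1 host 198.51.100.1 eq 4500
!
! Re-point the existing outside class map at the encrypted traffic.
! UDP 500 (IKE) is deliberately left out; it only sets the tunnel up.
class-map voip-outside-class
 no match access-list voip_outside
 match access-list voip_vpn_outside
!
! The rest of the outside policy is unchanged: the priority class still
! sits under the shaping parent exactly as the poster had it.
policy-map outside-policy
 class voip-outside-class
  priority
!
policy-map out-policy
 class class-default
  shape average 9000000
  service-policy outside-policy
!
service-policy out-policy interface outside
!
! The inside interfaces keep matching the cleartext 10.0.2.0/24 traffic,
! because decryption happens before the inside egress queue is hit.
class-map voice-inside-class
 match access-list voip_inside
```

The slave ASA gets the mirror image (source 198.51.100.1, destination 203.0.113.1). After the change, `show crypto ipsec sa` tells you whether the tunnel is running plain ESP or NAT-T on UDP 4500 (both lines are in the ACL so either case is covered), and `show service-policy interface outside` should then show the voip-outside-class "pkts output" counter incrementing during a call instead of staying at 0/0. One caveat the answer already hints at: this prioritizes everything inside the tunnel, not just voice, so if the tunnel also carries bulk data the crypto-map ACL should be kept narrow (as the poster's cryptoMap_toSlaveSide largely is) or a separate tunnel used for the non-voice subnets.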