Solved

Priority queuing not working correctly on ASA 5505

Posted on 2014-01-24
Last Modified: 2014-02-14
I'm having an issue with QoS on a pair of ASA 5505s.

Both are acting as the edge "router" at two locations. Each building has its own internet connection as well as a wireless bridge connecting the two.

The ASAs have Security Plus licenses on them and each one has separate internal VLANs for data and voice (and the wireless bridge) with appropriate routes.

The one building has phones which must connect to the "main" building. They do so over an ipsec VPN.

The wireless bridge carries everything for the "slave" side except voice (VPN), and internet traffic (which goes out their independent internet connection).

Everything is working fine except voice quality is terrible for the "slave" side.
===================================================================
I've implemented QOS based on this guide but it does not work:
http://netribe.blogspot.com/2013/03/cisco-asa-qos-for-voip.html

show service-policy does not show anything happening with the priority queue counters for any of the interfaces. This command on the main ASA DOES show incrementing counters for the voice VLAN, however. I think the ASAs are not looking at IPsec traffic the same as normal traffic, which would explain these counters on the main ASA (since the phone system is housed on that side, and traffic is not leaving the building through a VPN tunnel like it is on the slave side).

Here is the relevant config from the main ASA. The "slave ASA" is damn near identical:
interface Vlan10
 nameif insideData
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface Vlan20
 nameif insidePhones
 security-level 100
 ip address 10.0.2.1 255.255.255.0
!
interface Vlan30
 nameif wifiBridge
 security-level 100
 ip address 10.254.254.1 255.255.255.0

access-list cryptoMap_toSlaveSide extended permit ip 10.0.2.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list cryptoMap_toSlaveSide extended permit ip 10.0.2.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list cryptoMap_toSlaveSide extended permit ip 10.0.5.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list noNat extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list noNat extended permit ip 10.0.1.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list noNat extended permit ip 10.0.1.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list noNat extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list noNat extended permit ip 10.0.2.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list noNat extended permit ip 10.0.2.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list noNat extended permit ip 10.0.2.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list noNat extended permit ip 10.0.5.0 255.255.255.0 any
access-list noNat extended permit ip any 10.0.5.0 255.255.255.0
access-list noNat extended permit ip 10.254.254.0 255.255.255.0 any
access-list noNat extended permit ip any 10.254.254.0 255.255.255.0
access-list noNat extended permit ip 10.0.1.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list voip_inside extended permit ip any 10.0.2.0 255.255.255.0
access-list voip_outside extended permit ip 10.0.2.0 255.255.255.0 any

global (outside) 1 interface
nat (insideData) 0 access-list noNat
nat (insideData) 1 10.0.1.0 255.255.255.0
nat (insidePhones) 0 access-list noNat
nat (insidePhones) 1 10.0.2.0 255.255.255.0
nat (wifiBridge) 0 access-list noNat
nat (wifiBridge) 1 10.254.254.0 255.255.255.0

route wifiBridge 10.0.3.0 255.255.255.0 10.254.254.2 1

crypto map outside_map 2 match address cryptoMap_toSlaveSide
crypto map outside_map 2 set peer x.x.x.x
crypto map outside_map 2 set transform-set ESP-AES-256-SHA

priority-queue outside
priority-queue insideData
priority-queue insidePhones
priority-queue wifiBridge

class-map voice-inside-class
 match access-list voip_inside
class-map noTimeout
 match access-list noTimeout
class-map voip-outside-class
 match access-list voip_outside
class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map outside-policy
 class voip-outside-class
  priority
policy-map out-policy
 class class-default
  shape average 9000000
  service-policy outside-policy
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect ftp
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect ip-options
  inspect dns preset_dns_map
 class noTimeout
  set connection timeout embryonic 24:00:00 half-closed 24:00:00 idle 24:00:00
policy-map inside-policy
 class voice-inside-class
  priority
policy-map ins-policy
 class class-default
  shape average 9000000
  service-policy inside-policy
!
service-policy global_policy global
service-policy out-policy interface outside
service-policy ins-policy interface insideData
service-policy ins-policy interface insidePhones
=======================================================
Here is a show service-policy from the main ASA as well (notice in bold, which appears to be working, but nothing for outside):

Interface outside:
  Service-policy: out-policy
    Class-map: class-default

      shape (average) cir 9000000, bc 36000

      (pkts output/bytes output) 2475698/1256802820
      (total drops/no-buffer drops) 287/0

      Service-policy: outside-policy
        Class-map: voip-outside-class

          priority

          Queueing
          queue limit 150 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0


Shouldn't this have traffic going through it?

        Class-map: class-default

          Default Queueing
          queue limit 150 packets
          (queue depth/total drops/no-buffer drops) 0/287/0
          (pkts output/bytes output) 2440302/1223133735


Interface insideData:
  Service-policy: ins-policy
    Class-map: class-default

      shape (average) cir 9000000, bc 36000

      (pkts output/bytes output) 4950203/4870233154
      (total drops/no-buffer drops) 626/0

      Service-policy: inside-policy
        Class-map: voice-inside-class

          priority

          Queueing
          queue limit 150 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0

        Class-map: class-default

          Default Queueing
          queue limit 150 packets
          (queue depth/total drops/no-buffer drops) 5/626/0
          (pkts output/bytes output) 4886214/4808684578


Interface insidePhones:
  Service-policy: ins-policy
    Class-map: class-default

      shape (average) cir 9000000, bc 36000

      (pkts output/bytes output) 2484683/226566236
      (total drops/no-buffer drops) 0/0

      Service-policy: inside-policy
        Class-map: voice-inside-class

          priority

          Queueing
          queue limit 150 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 2460679/225332197


        Class-map: class-default

          Default Queueing
          queue limit 150 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
Question by: TechGuy_007
Accepted Solution by: asavener (ID: 39820664)
Crypto takes place before QoS, so the voice packets are already encapsulated as IPSec packets by the time the priority queuing engine checks the packets against the list of what should get priority.

Change the access list assigned to the class map, so that the access list matches IPsec.

You need to match ESP and UDP 4500. (UDP 500 is only used for setting up the VPN, so it doesn't need to be prioritized.)

Note that this will match all traffic going out as VPN, so you may want to match the source and destination addresses as well in order to avoid prioritizing remote access VPNs, if you have any.
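As an added illustration of the accepted answer (not configuration from the question or from asavener), this is what the outside class map looks like once it matches the encrypted tunnel instead of the cleartext 10.0.2.0/24 subnet. It reuses the policy and class names from the config above; x.x.x.x is the slave-side peer placeholder from the crypto map, and MAIN_OUTSIDE_IP is an assumed placeholder for this ASA's own outside address, which the page does not give.

```cisco
! Added example. Crypto runs before QoS on the ASA, so on the outside
! interface the voice flows only exist as ESP (or UDP 4500 when NAT-T is
! in use) between the two VPN peers. Match that instead of 10.0.2.0/24.
! Pinning both peer addresses keeps remote-access VPN sessions, if any,
! out of the priority queue, as the accepted answer suggests.
access-list voip_vpn_outside extended permit esp host MAIN_OUTSIDE_IP host x.x.x.x
access-list voip_vpn_outside extended permit udp host MAIN_OUTSIDE_IP host x.x.x.x eq 4500
!
! An ASA class map takes a single match statement, so the old one has to
! go before the new one is added.
class-map voip-outside-class
 no match access-list voip_outside
 match access-list voip_vpn_outside
!
! outside-policy already places voip-outside-class under "priority" inside
! the out-policy shaper, and out-policy is already bound to the outside
! interface, so nothing else changes. The inside policies keep matching on
! 10.0.2.0/24 because traffic there is still in the clear.
!
! Verify: the voip-outside-class counters under "Interface outside" should
! now increment while a call is up across the tunnel.
! show service-policy interface outside
```

The same change is needed on the slave-side ASA, with the peer addresses swapped, since that is the box whose voice traffic actually leaves the building inside the tunnel.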