11-28-2007 08:52 AM - edited 03-11-2019 04:36 AM
This may be a general VOICE ISSUE with something I need to change with inspection, ... but, ...
Hi. Currently, we have two ASA 5505s terminating a tunnel between NY and NM. All is fine except for the fact when VOICE traffic traverses the link, the policy drops go WAY UP and response time goes to almost nothing!! We have one Quintum Voice unit in NY, a Tenor DX 4048 and two in NM; a Tenor AXG 2400. SOMEBODY please HELP!!!
11-28-2007 12:53 PM
My first thought is itty bitty firewall asked to be a big one, perhaps it's not the right box for the job.
But yet Cisco says it can.... so
How much voice are you putting on the box? Can it handle it? What does the CPU look like? What about your policy, is it configured correctly? Can you share it?
11-28-2007 05:02 PM
Hi.
Only three voice lines.
The CPU looks fine.
Policy - no clue - using DEFAULT. I AM concerned about that 'cause I'm thinking inspection may 'need' to be off? All else is plain vanilla... Ideas please :( ??
11-29-2007 04:04 AM
Hello,
I tend to use one policy to match the voice traffic and apply this globally then use another policy to inspect all other required traffic types and apply this to the internal interface.
Not had any problems doing it that way.
HTH.
11-29-2007 04:31 AM
Hi and thank you!!!
What I did was delete the global inspection policy. Although I have set up quite a few ASAs, NEVER have I ventured into the policy and inspection areas. If I may, how did you do this, and would you be able to give me a brief example? I would GREATLY appreciate it.
THANKS SO MUCH!!!
11-29-2007 05:17 AM
Hello,
There is a good guide here -
http://www.cisco.com/en/US/partner/docs/security/asa/asa72/configuration/guide/qos.html#wp1043440
This is how I do it -
class-map Voice1
match access-list Voice_Map
class-map inspection_default
match default-inspection-traffic
class-map Voice
match dscp ef
match tunnel-group #Name of group#
policy-map qos
class Voice
priority
service-policy qos global
service-policy csc_out_policy interface Inside_VLAN_1000
This is matching against dscp values, an access-list and a vpn tunnel group.
The second service policy is for CSC modules but can be the default if needed.
HTH.
11-29-2007 05:24 AM
Thank you so much. I will try this today and post within 24 hours!! Thank you SO much!
11-30-2007 08:52 AM
I am almost ready to cry here. I am pasting the config without IPs ---- does this prioritize by voice correctly? :(
PLEASE HELP....
hostname ciscoasa
domain-name default.domain.invalid
enable password
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.252 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd
boot system disk0:/asa802-k8.bin
boot system disk0:/asa722-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list OUTBOUND extended permit udp any any eq domain
access-list OUTBOUND extended permit tcp any any eq https
access-list OUTBOUND extended permit tcp any any eq www
access-list OUTBOUND extended permit ip any 192.168.23.0 255.255.255.0
access-list INBOUND extended permit icmp any any echo-reply
access-list INBOUND extended permit ip any any
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.23.0 255.255.255.0 log
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.23.0 255.255.255.0 log
access-list OUTBOUNG extended permit ip any any
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group OUTBOUND in interface inside
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 63.148.22.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer aaaa
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
no threat-detection basic-threat
threat-detection statistics access-list
!
class-map Voice
match dscp ef
match tunnel-group aaaa
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map qos
class Voice
priority
!
encrypted privilege 15
tunnel-group aaaa type ipsec-l2l
tunnel-group aaaa ipsec-attributes
pre-shared-key *
prompt hostname context
11-30-2007 10:24 AM
Hello,
Viewing the config on a phone, so I could be wrong, but I can't see the policy applied anywhere.
If you apply that as the global policy it should work. The only problem you may get is if the DSCP field is stripped out when trunked to the ASA. If you are not using VLANs it shouldn't matter.
HTH.
11-30-2007 11:19 AM
I tried to apply it [I think] and it did not take ... I am probably doing it wrong. Apply how - forgive the ignorance ...
:(
11-30-2007 11:39 AM
This is the error I get...
ciscoasa(config)# service-policy voice interface inside
ERROR: Class Voice has 'priority' set without 'priority-queue' in any interface
12-03-2007 02:16 AM
Hello,
OK, forgot to apply the priority queue. If you do priority-queue outside.
Then do service-policy qos global.
That should apply the policy.
HTH.
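As an added example, not code from this thread: a small Python checker for the two conditions the final reply explains, a class with priority but no priority-queue on any interface (the exact ERROR the poster hit) and a policy-map that is never applied with service-policy. It also flags a service-policy naming a policy-map that does not exist. The sample config below is a constructed fragment of the posted config; the parser is keyword-based because indentation was lost when the config was pasted.

```python
import re
# Top-level keywords that end a policy-map block once indentation is lost (pasted config).
_TOPLEVEL = ("class-map", "policy-map", "service-policy", "priority-queue", "tunnel-group", "!")

def parse_asa_qos(config):
    """Return (policy-map -> classes with 'priority', policy-map -> where applied, priority-queue interfaces)."""
    policies, applied, pq_ifaces, current = {}, {}, set(), None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if line.startswith(_TOPLEVEL):
            current = None                      # we have left the policy-map we were in, if any
        if m := re.match(r"policy-map (?!type )(\S+)", line):   # skip 'policy-map type inspect ...'
            current = (m.group(1), None)
            policies.setdefault(m.group(1), set())
        elif current and line.startswith("class "):
            current = (current[0], line.split()[1])
        elif current and current[1] and line == "priority":
            policies[current[0]].add(current[1])
        elif m := re.match(r"service-policy (\S+) (?:global|interface (\S+))", line):
            applied[m.group(1)] = m.group(2) or "global"
        elif m := re.match(r"priority-queue (\S+)", line):
            pq_ifaces.add(m.group(1))
    return policies, applied, pq_ifaces

def check_voice_qos(config):
    """List the reasons the voice priority policy would not take effect (empty list = OK)."""
    policies, applied, pq_ifaces = parse_asa_qos(config)
    problems = [f"service-policy references unknown policy-map '{n}'" for n in applied if n not in policies]
    for name, prio_classes in policies.items():
        if prio_classes and name not in applied:
            problems.append(f"policy-map '{name}' has a priority class but is not applied anywhere")
        if prio_classes and not pq_ifaces:
            problems.append(f"class {', '.join(sorted(prio_classes))} has 'priority' but no interface has 'priority-queue'")
    return problems

# Constructed sample: the QoS-relevant fragment of the config posted in the thread, as posted.
AS_POSTED = """\
class-map Voice
match dscp ef
match tunnel-group aaaa
!
policy-map type inspect dns preset_dns_map
policy-map qos
class Voice
priority
!
"""
# Constructed sample: the same fragment with the fix from the last reply applied.
FIXED = AS_POSTED + "priority-queue outside\nservice-policy qos global\n"
```

Running check_voice_qos(AS_POSTED) reports both missing pieces; check_voice_qos(FIXED) returns an empty list.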