03-12-2009 11:54 AM - edited 03-11-2019 08:04 AM
I have a strange problem,
Is there any way to make an ASA 5505 (IOS 7.2.3 12) preserve the DSCP tagging when packets pass through and get NATTEd..
Basically I have traffic that my voice cube is tagging as DSCP 46, but when it comes out of the ASA it's tagged with DSCP 0, how can I have it preserve this tag?
Thanks in advance
03-12-2009 12:21 PM
Marc
From the ASA 7.2 configurationn guide -
"DSCP and DiffServ Preservation
â¢DSCP markings are preserved on all traffic passing through the security appliance.
â¢The security appliance does not locally mark/remark any classified traffic, but it honors the Expedited Forwarding (EF) DSCP bits of every packet to determine if it requires "priority" handling and will direct those packets to the LLQ.
â¢DiffServ marking is preserved on packets when they traverse the service provider backbone so that QoS can be applied in transit (QoS tunnel pre-classification)."
Are you looking at the packets as soon as they leave the ASA ?. If so then this is contrary to what should happen.
It may be an interaction with NAT or it could be a bug with your particular version.
Jon
03-12-2009 12:24 PM
I took captures before the inside interface and after the outside interface, before it hits the ASA Im seeing the DSCP correct, when it exits everything is set to 0, all I can do with DSCP is use it to make the PIX assign that traffic to the priority Queue.
I've researched bugs for my version but didn't find any, and TAC was pretty much useless when I called in :(
03-12-2009 12:32 PM
Only thing i can suggest as i don't have an ASA to test with is
1) Can you temporarily remove NAT on these packets just to rule that out.
2) Problem with the ASA is you can't mark the packets which is why they are meant to preserve the existing markings !!
Is there anyway you can remark on the next device from the ASA ?
Jon
03-12-2009 12:40 PM
Yeah, I am marking them downstream from the ASA, problem is that the IP keeps changing and it's a lot of work to keep up (Internal devices get the IP via DNS) IF I could preserve the DSCP it would make my life a lot easier :)
03-12-2009 12:44 PM
Marc
Apologies if it seems like i am just making stupid suggestions !
Could you not identify the traffic based on port numbers rather than IP addresses and then mark them with the right DSCP. That way you wouldn't have to keep changing your acls.
Jon
03-12-2009 12:33 PM
Marc
One other thought occurred. When you capture the traffic from the outside of the ASA it is not passing through a switch first is it because it could be the switch that is remarking.
Jon
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: