How to setup QoS to prioritize voice on SR520W/UC520 Remote Teleworker setup

Jul 29th, 2009

Hey guys,

I've searched quite a bit for instructions on how to do this, but can't seem to find anything that documents it very well.  Here's the scenario that we're currently seeing:

Remote Teleworker setup with UC520 (32user version) and SR520W.  When the remote teleworker is on a voice call and he downloads anything from our corporate server, he hears choppy voice.  This seems to suggest that the upstream bandwidth from UC520W is the bottleneck.  Is there any way to setup QoS on the UC520 to prioritize voice traffic over the VPN?  I already have him on a G729 codec, so QoS is the last option before ordering a bigger pipe.  Thanks in advance,

Seth

Steven DiStefano Wed, 07/29/2009 - 11:25

There is a crypto map CLI configuration command (QOS pre-classify) on the IOS router which can be used to change what I am told is the default behavior of voice in tunnels, which is first encrypt and then queue, which will cause loss of visibility to voice inside the IPSEC tunnel.

You want to first prioritize and then encrypt, which will make the most of limited bandwidth between the remote and the host, which I think is what you are looking to do.  See if this helps....

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfvpn.html#wp1005317

sethschmautz Wed, 07/29/2009 - 15:54

Hi Steve,

Thanks for the help.  I read and tried to follow the instructions, but came up with the following:

UC520#sh crypto map
Crypto Map "Virtual-Access4-head-0" 65536 ipsec-isakmp
        ISAKMP Profile: sdm-ike-profile-1
        Profile name: SDM_Profile1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                ESP-3DES-SHA:  { esp-3des esp-sha-hmac  } ,
        }

Crypto Map "Virtual-Access4-head-0" 65537 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = xxx.xxx.xxx.xxx
        ISAKMP Profile: sdm-ike-profile-1
        Extended IP access list
            access-list  permit ip any any
        Current peer: xxx.xxx.xxx.xxx
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                ESP-3DES-SHA:  { esp-3des esp-sha-hmac  } ,
        }
        Reverse Route Injection Enabled
        Interfaces using crypto map Virtual-Access4-head-0:
                Virtual-Access4


Crypto Map "Virtual-Template14-head-0" 65536 ipsec-isakmp
        ISAKMP Profile: sdm-ike-profile-1
        Profile name: SDM_Profile1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                ESP-3DES-SHA:  { esp-3des esp-sha-hmac  } ,
        }
        Interfaces using crypto map Virtual-Template14-head-0:
                Virtual-Template14


UC520#

The "xxx.xxx.xxx.xxx" is a valid remote teleworker IP address.  I'm stuck at where to go from here.  I try the command:

UC520(config)#crypto map Virtual-Access4-head-0

and get the following result:

% Incomplete command.

I've tried many other combinations also, but no luck.  My CLI savvy is greatly lacking, so I could use any help I can get.  Thanks,

Seth

sethschmautz Fri, 07/31/2009 - 08:02

Hey guys,

Can anybody see where I've gone wrong in my post above?  I'd like to activate this pre-classify statement on the VPN traffic, but have no idea why my commands aren't working.  I've followed them directly from Steve's post above, but must be making a mistake somewhere.  Thanks in advance,

Seth

Steven Smith Fri, 07/31/2009 - 08:40

Where did you do the preclassify statements?  Was it on the UC520 or the SR520?  It really needs to be on the UC, won't hurt to have it on both.  Realize though that this will only affect traffic coming over the VPN tunnel.  Traffic outside the VPN tunnel could still cause QoS problems.

sethschmautz Fri, 07/31/2009 - 10:41

Hi Steven,

All of those commands are done on the UC, but it wasn't liking the commands that I was inputting.  If you look at what I inserted inline, it was giving me a strange error message about an incomplete command.  There seems to be an error somewhere.  Any ideas where I'm making a mistake?

Thanks,

Seth

sethschmautz Fri, 11/13/2009 - 16:41

Hi Steven,

I'm back working on this problem as one of our remote workers is really struggling with this problem once again.  I have been trying to follow the document that Steve referenced above, but it doesn't seem to be working.  In that document, it says if you have an IPSEC VPN, you should enter the command "crypto map [map-name]".  When I enter this command, I get an "Incomplete command".  As we are using an IPSEC VPN, I should apply this to the crypto map, shouldn't I?

1. Will this apply the pre-qualify command to ALL IPSec VPN connections or only to the connections (map names) that I specify? I would like this to be a global command that affects all VPN users as all will likely be using voice.

2. If this is true, what is the "map-name" that is referenced?  Is it found in the attached "show crypto map"?

Thanks,

Seth

Steven Smith Tue, 11/17/2009 - 15:28

This would require a good deal of time to work of the community.  I would recommend a TAC.
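
A sketch of the configuration this thread is working toward, as an added example that is not from any poster or from the linked Cisco guide. In global configuration, `crypto map` expects a sequence number after the map name, which is why the name alone returns "Incomplete command"; the maps in the `show crypto map` output are generated from `Virtual-Template14`, so this sketch assumes that template is a tunnel-type interface and puts `qos pre-classify` there. The class, policy and ACL names, the WAN interface `FastEthernet0/0`, and both bandwidth figures are assumptions.

```cisco
! Added example. Every name and rate marked "assumed" is not from the thread.
!
! Match voice by the inner (pre-encryption) header. This ACL match is what
! needs "qos pre-classify": after ESP the UDP ports are no longer visible.
! 16384-32767 is the default Cisco RTP port range.
ip access-list extended VOICE-RTP-ACL
 permit udp any any range 16384 32767
!
! The DSCP match works on the outer header too, because IPsec copies the
! ToS byte by default (assumes the phones mark RTP as EF).
class-map match-any VOICE-RTP
 match ip dscp ef
 match access-group name VOICE-RTP-ACL
!
! Child policy: strict-priority queue for voice. 64 kbps is an assumed
! placeholder; size it for the number of concurrent G.729 calls.
policy-map VOICE-LLQ
 class VOICE-RTP
  priority 64
 class class-default
  fair-queue
!
! Parent policy: shape to just under the real upstream rate so queueing
! happens on this router and not in the modem. 768000 bps is assumed.
policy-map WAN-EDGE-OUT
 class class-default
  shape average 768000
  service-policy VOICE-LLQ
!
! Classify before encryption on the template the VPN sessions clone from.
! New Virtual-Access interfaces inherit it; existing sessions must reconnect.
interface Virtual-Template14 type tunnel
 qos pre-classify
!
! Queue and shape on the physical WAN interface (interface name assumed).
interface FastEthernet0/0
 service-policy output WAN-EDGE-OUT
```

`show policy-map interface FastEthernet0/0` shows whether packets are landing in the `VOICE-RTP` class during a call; a counter that stays at zero means classification is not seeing the voice traffic.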
