09-21-2009 10:15 PM - last edited on 02-21-2020 11:20 PM by cc_security_adm
Hi
We are using an ASA - router pair to build a VPN tunnel based on a DSL connection. On the router, I added the following QoS policy on the router's outside port, but it looks like no traffic hits the QoS policy on the router. On the ASA, however, I can see the traffic hit the QoS policy. Does anyone have any ideas about this issue?
Thanks, Leo
IOS: c2800nm-advipservicesk9-mz.124-15.T7.bin
! Named ACL used by the QoS class: matches traffic destined for the far-end host
ip access-list extended lighthouse
 permit ip any host 192.168.9.2
!
! ACL 198 is only the inbound filter on the outside interface; the QoS policy does not reference it
access-list 198 permit esp host X.X.X.X any
access-list 198 permit udp host X.X.X.X any eq isakmp
access-list 198 permit tcp any any eq 22
access-list 198 deny ip any any
!
class-map match-any lighthouse
 match access-group name lighthouse
!
policy-map ALL-TRAFFIC
 class lighthouse
  priority percent 50
 class class-default
  fair-queue
  random-detect
!
interface FastEthernet0/0
 description connect to DSL modem
 bandwidth 1024
 ip address Y.Y.Y.Y
 ip access-group 198 in
 ip route-cache flow
 duplex auto
 speed auto
 crypto map mymap
 service-policy output ALL-TRAFFIC
09-22-2009 06:24 AM
Double check your routing, how do you actually get to 192.168.9.2 - is it out the Fa0/0 interface?
09-22-2009 03:00 PM
There is only one default route, pointing to the ISP GW. All traffic goes through the VPN tunnel, including the traffic to 192.168.9.2. Fa0/0 is the outside interface, connected to the ISP DSL modem.
Thanks, Leo
09-23-2009 12:49 AM
Do you see any hits on the access list?
Another thing - you have given the ACL traffic a priority of 50% of the interface bandwidth = 50mbs; how big is the DSL pipe?
09-23-2009 03:11 AM
I can't see any traffic hitting the ACL, but I can see the traffic in NetFlow. That's very strange.
09-23-2009 03:14 AM
Well, there is your issue: if it's not hitting the ACL, it won't hit the policy.
Try this:
Write a policy that uses the ACL to "mark" the traffic on the inbound interface. Once it's marked, you can write the policy to give it priority.
09-23-2009 04:12 AM
Thanks for your reply.
I tried the way you suggested, and here is the show policy-map interface output. We can see a lot of traffic being marked now, but I am wondering why not much traffic is being put in the priority queue?
Thanks. Leo
-----------------------------------------
AP816N0001#sh policy-map interface
 FastEthernet0/0

  Service-policy output: ALL-TRAFFIC

    Class-map: outgo (match-any)
      7446 packets, 926436 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: precedence 5
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: ip precedence 5
        7446 packets, 926436 bytes
        5 minute rate 0 bps
      Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 512 (kbps) Burst 12800 (Bytes)
        (pkts matched/bytes matched) 8/1520
        (total drops/bytes drops) 0/0

    Class-map: class-default (match-any)
      140707 packets, 68075067 bytes
      5 minute offered rate 25000 bps, drop rate 0 bps
      Match: any
      Queueing
        Flow Based Fair Queueing
        Maximum Number of Hashed Queues 256
        (total queued/total drops/no-buffer drops) 0/0/0
        exponential weight: 9

  class  Transmitted       Random drop  Tail drop   Minimum  Maximum  Mark
         pkts/bytes        pkts/bytes   pkts/bytes  thresh   thresh   prob
  0      127616/66283953   0/0          0/0         20       40       1/10
  1      0/0               0/0          0/0         22       40       1/10
  2      0/0               0/0          0/0         24       40       1/10
  3      0/0               0/0          0/0         26       40       1/10
  4      0/0               0/0          0/0         28       40       1/10
  5      0/0               0/0          0/0         30       40       1/10
  6      13091/1791114     0/0          0/0         32       40       1/10
  7      0/0               0/0          0/0         34       40       1/10
  rsvp   0/0               0/0          0/0         36       40       1/10

 FastEthernet0/1

  Service-policy input: income

    Class-map: income (match-any)
      7446 packets, 485157 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name income
        7446 packets, 485157 bytes
        5 minute rate 0 bps
      QoS Set
        precedence 5
          Packets marked 7446

    Class-map: class-default (match-any)
      124216 packets, 60574939 bytes
      5 minute offered rate 23000 bps, drop rate 0 bps
      Match: any
-----------------------------------------
09-23-2009 04:20 AM
Don't forget this is QoS - congestion management. If there is no congestion, there is nothing to do.
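Added example (the editor's, not from any post in this thread): the complete marking-based configuration that the reply above describes and that the show policy-map output reflects, with the reason it works spelled out. On IOS, an output service-policy on a physical interface that carries a crypto map classifies packets after encryption, so the inner destination 192.168.9.2 is hidden inside ESP and an ACL-based class on Fa0/0 never matches. The IP precedence set on the inside interface, by contrast, is copied into the outer ESP header and is still visible on the way out. The host 192.168.9.2, the interface names, the class/policy names income and outgo and the 1024 kbps bandwidth come from the thread; the crypto map sequence number 10 and the "inside LAN" description are assumptions.

```cisco
! --- Inside interface: classify on the inner header and mark BEFORE encryption ---
ip access-list extended income
 remark traffic bound for the lighthouse host across the VPN
 permit ip any host 192.168.9.2
!
class-map match-any income
 match access-group name income
!
policy-map income
 class income
  set ip precedence 5
!
interface FastEthernet0/1
 description inside LAN (assumed)
 service-policy input income
!
! --- Outside interface: the mark survives encryption, so classify on it ---
class-map match-any outgo
 match ip precedence 5
!
policy-map ALL-TRAFFIC
 class outgo
  ! 50% of "bandwidth 1024" is the 512 kbps LLQ shown in the output
  priority percent 50
 class class-default
  fair-queue
  random-detect
!
interface FastEthernet0/0
 description connect to DSL modem
 bandwidth 1024
 crypto map mymap
 service-policy output ALL-TRAFFIC
!
! --- Alternative: keep the original ACL-based class and let the outbound policy
! --- see the pre-encryption header instead (sequence number 10 is assumed)
crypto map mymap 10 ipsec-isakmp
 qos pre-classify
```

Two checks after applying it: `show access-lists income` should now count hits, since the ACL is evaluated on the cleartext side, and `show policy-map interface FastEthernet0/0` should show the class counter rising. The "(pkts matched/bytes matched)" line under Strict Priority only increments for packets that were actually queued because the link was congested; while the offered rate stays far below 512 kbps, packets are transmitted immediately and that counter stays near zero even though the class-map counter keeps growing, which is the situation the last reply describes.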