Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2827
Views
0
Helpful
6
Replies

Cisco ASA VPN QoS

Go to solution
vttendere
Level 1
Level 1

‎11-29-2009 10:40 AM - edited ‎03-11-2019 09:43 AM

Hi

Does the ASA copy the ToS byte from the original packet into the newly created IP header of an encrypted packet (VPN)? I'd appreciate a pointer to a Cisco doc that has the details.

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee
In response to vttendere

‎12-01-2009 06:46 AM

On the ASA the TOS bits in the original IP header are copied to the IP header of the encrypted packet so that QoS policies can be enforced after encryption.

It is done by default with no extra commands needed as on the routers.

Please check if your incoming packet have the DSCP bits set if you see that there are no DSCP on the outside.

PK

View solution in original post

0 Helpful
6 Replies 6

Go to solution
andrew.prince
Level 10
Level 10

‎11-30-2009 05:33 AM

Have  a look at the below config example:-

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml

HTH>

0 Helpful

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee
In response to andrew.prince

‎11-30-2009 03:11 PM

Along with the link that Andrew sent I would like to add that the ASA maintains and copies the ToS field

.

And provide one more link to help you do QoS on the ASA https://supportforums.cisco.com/docs/DOC-1230

I hope it helps.

PK

0 Helpful

Go to solution
vttendere
Level 1
Level 1
In response to andrew.prince

‎12-01-2009 12:10 AM

Hi

Thanks for your response. I had actually configured QoS on the ASA, however when I was sniffing traffic after the ASA I noticed that the traffic traversing the VPN (ESP packets) had DSCP DEFAULT markings, so I was a bit concerned about the preservation of the TOS information. I thought that maybe there is an extra command I need to put, I cant see this in the doc you sent me though.

Thanks guys

0 Helpful

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee
In response to vttendere

‎12-01-2009 06:46 AM

On the ASA the TOS bits in the original IP header are copied to the IP header of the encrypted packet so that QoS policies can be enforced after encryption.

It is done by default with no extra commands needed as on the routers.

Please check if your incoming packet have the DSCP bits set if you see that there are no DSCP on the outside.

PK

0 Helpful

Go to solution
vttendere
Level 1
Level 1
In response to Panos Kampanakis

‎12-02-2009 02:56 AM

Hi

Indeed traffic coming into the ASA was not marked correctly.

Thanks a lot for your assistance.

0 Helpful

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee
In response to vttendere

‎12-02-2009 07:00 AM

I am glwe could  out.

Take care,

PK

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card