QoS between 2 ASA's

Unanswered Question
Mar 22nd, 2010

Hello,

I have a VPN between an ASA 5520 (HQ) and ASA 5505 (Remote office) and I was wondering if it is possible to enable QoS for the remote site?  The remote uses Citrix Metaframe (like Terminal Services) and I need to make sure this gets priority.

Thanks

Todd Pula Mon, 03/22/2010 - 14:44

You can use the doc below as a guide.  You could build a class-map on the ASA to match the Citrix traffic that you are looking to prioritize.  This could be achieved by matching on a particular TCP/UDP (match port) or extended access-list (match access-list).  Below would be one example of a very basic priority queueing policy.  You could also incorporate a shaper or policer into the configuration to provide for bandwidth management.

priority-queue outside

class-map CITRIX
match port tcp eq 1434

policy-map QOS
class CITRIX
  priority

service-policy QOS interface outside

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml

Andy White Mon, 03/22/2010 - 14:47

I've never used QoS before, do I just add this to the remote ASA 5505 only?  How can I see if it is being prioritised or used?

Thanks

Todd Pula Mon, 03/22/2010 - 14:52

Typically you will want to configure QoS bidirectionally.  Once enabled, you can use the "show service-policy" and "show priority-queue statistics" commands to review policy and traffic related stats.

Andy White Tue, 03/23/2010 - 01:08

Hi,

How can I get the HQ ASA to prioritise only Citrix traffic towards the remote ASA on the 172.19.5.x/24 subnet, as I don't want to do it for all our VPNs/traffic from the HQ etc?

Also it seems our Citrix uses 2 TCP ports, 2598 and 1494; how can I put both in one policy?

This is what I have added:

priority-queue outside

class-map Citrix1
match port tcp eq 1494

policy-map QOS
class Citrix1
  priority

service-policy QOS interface outside

-------------------------------------


priority-queue outside

class-map Citrix2
match port tcp eq 2598

policy-map QOS
class Citrix2
  priority

show priority-queue statistics

Priority-Queue Statistics interface outside

Queue Type         = BE
Tail Drops         = 0
Reset Drops        = 0
Packets Transmit   = 18753
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 0

Queue Type         = LLQ
Tail Drops         = 0
Reset Drops        = 0
Packets Transmit   = 58
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 0

Newcastle-CBSO-ASA#show service-policy

Global policy:
  Service-policy: netflow-export-policy
    Class-map: netflow-export-class

Interface outside:
  Service-policy: QoS
    Class-map: Citrix1
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 68
    Class-map: Citrix2
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 68
    Class-map: class-default

Thanks

Todd Pula Tue, 03/23/2010 - 07:18

There are a few ways to approach this.  You can do exactly as you did and add a second class for the other TCP port.  From the hub's perspective, you can add a "match tunnel-group" clause to the CITRIX1 and CITRIX2 classes so that only the corresponding TCP traffic related to the specific tunnel group will be matched.  The other way you can achieve this is to build an extended ACL that matches the specific Citrix traffic flows for the tunnel.  You could then have a single class map that matches the ACL.  With the "match access-list" clause, however, you cannot use the "match tunnel-group" clause as well.

Andy White Tue, 03/23/2010 - 13:20

I'm quite interested in how I can, from the hub's perspective (which I assume is the HQ ASA 5520), add a "match tunnel-group" clause to the CITRIX1 and CITRIX2 classes so that only the corresponding TCP traffic related to the specific tunnel group will be matched?  Tunnel group I guess would be the peer address of the remote VPN?

As I have configured the remote site, I'm sure it is working, but how can I see the traffic is being processed before all other traffic?

Todd Pula Tue, 03/23/2010 - 13:30

A class-map with tunnel group association would look something like this.  You can use the "show priority-queue statistics" command and confirm that you are seeing packets transmitted in the LLQ.  You can also use the "show service-policy" command to view the policy stats.  If using ACLs instead, you can look at the ACL hit counters to confirm that traffic is being seen.

class-map CITRIX1
match port tcp eq 1494
match tunnel-group 1.1.1.1
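
The ACL-based alternative Todd describes above (one class matching both Citrix ports, scoped to the 172.19.5.0/24 remote subnet), written out as an added example for the HQ ASA; this is not configuration from the thread, and the names CITRIX_TO_REMOTE and CITRIX_REMOTE are assumptions, with the interface name outside carried over from the posts.

```cisco
! Added example (not from the thread): HQ ASA, ACL-based classification.
! Match only Citrix traffic heading to the remote office subnet 172.19.5.0/24
! on both ports the user reported (1494 = ICA, 2598 = Session Reliability).
access-list CITRIX_TO_REMOTE extended permit tcp any 172.19.5.0 255.255.255.0 eq 1494
access-list CITRIX_TO_REMOTE extended permit tcp any 172.19.5.0 255.255.255.0 eq 2598
!
! One class covers both ports. "match access-list" cannot be combined with
! "match tunnel-group", so the destination subnet in the ACL does the scoping.
class-map CITRIX_REMOTE
  match access-list CITRIX_TO_REMOTE
!
! Everything else falls into class-default (the best-effort queue).
policy-map QOS
  class CITRIX_REMOTE
    priority
!
! The LLQ must exist on the egress interface before the policy has any effect.
priority-queue outside
service-policy QOS interface outside
!
! Verification: the LLQ "Packets Transmit" counter should rise while a Citrix
! session is active, and the ACL hit counts show the class is actually matching.
! show priority-queue statistics outside
! show service-policy interface outside
! show access-list CITRIX_TO_REMOTE
```

With this variant only the hub-to-remote direction is prioritised; the remote 5505 keeps its own policy for the return path if that is still wanted.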

Andy White Tue, 03/23/2010 - 13:35

Thanks,

So I add this to the HQ ASA?

class-map CITRIX1
match port tcp eq 1494
match tunnel-group 1.1.1.1 (public peer IP?)

class-map CITRIX2
match port tcp eq 2598
match tunnel-group 1.1.1.1

Thing is I'm not actually sure I need QoS back, as Citrix doesn't really send much back to the user, does it?

Todd Pula Tue, 03/23/2010 - 13:37

Correct.  For your L2L config, you should have an existing tunnel group that references the IP of the crypto peer.  You will reference this tunnel group name in the match tunnel-group statement.

Andy White Tue, 03/23/2010 - 13:42

Just one other thing: it seems I will also have to add QoS for the remote site for video conferencing as they have a Polycom system there. I will get the ports required as I think there are a few; how would I add this QoS so it's higher than the Citrix ones?
