Query regarding Video traffic

May 26th, 2010

Hi halijenn / pkampana / all

I have an issue where I am trying to access the video from inside of the ASA 5510 towards outside; however, I am observing delay in the videos, and images appear a little later (jitters). The ISP bandwidth is 100MBbps; currently inspect rtsp is not applied; however, another ASA 5540 with the same config does not show any delay (in this, inspect rtsp is applied). I tried enabling inspect rtsp on the ASA 5510, however no success.

The video devices are Polycom as shown below; when I bypass the ASA everything works fine.

PolyCom video device 1 -> ASA -> Polycom video device 2

The inside video device has a public IP, and an access-list is applied on the logical interface for the UDP and TCP video ports:

access-list VIDEO extended permit tcp 38.4.20.0 255.255.255.0 any object-group VID_TCP

access-list VIDEO extended permit udp 38.4.20.0 255.255.255.0 any object-group VID_UDP

Also, the inside-to-outside access is via the static configured for the inside video device 1:

static (VIDEO,outside) 38.4.20.9 38.4.20.9 netmask 255.255.255.255

( All IPs above are changed )

I have observed one more thing: the video device kept inside is behind one of the firewall's logical interfaces, and I can see L2 errors on the physical i/f and packet drops on the logical interface.

Note: The video traffic is not embedded in HTTP.

I am yet to apply the captures and debugs; let me know your comments.

Panos Kampanakis Wed, 05/26/2010 - 21:53

This could be QoS related and drops related.

If you see L2 errors or other errors on the interface that sees the upload stream it could relate to issues. You would need packet captures to see if you have Dup-ACK and Retransmissions for the video which could point to a drop issue.

Also, if you oversubscribe the upload bandwidth it could be that you need to apply QoS.

I hope it helps.

PK

ankurs2008 Thu, 05/27/2010 - 03:02

Hi,

Thanks for the reply, my queries are:

1) Currently no QoS is applied and I am thinking of applying priority to the video traffic; however, the issue is that no priority is applied on the other ASA 5540, which is not observing any jittery images. So I just have a doubt whether the ASA 5510 being a somewhat low-end firewall (compared to the ASA 5540), having a certain amount of throughput, could be a probable convincing reason to make us think about configuring "priority"?

2) The exact topology is as below. I have told the person who manages the Polycom device to bypass the ASA.

PolyCom video device 1 -> L2 Switch -> Router -> ASA -> Polycom video device 2

Here is how they have done it. Device 3 is a testing device as they cannot take device 2 out.

PolyCom video device 1 -> L2 Switch -> Router ->Polycom video device 3

When this is the scenario there is no jitter issue. This rules out the possibility of any errors related to the intermediate hops like the L2 switch and router, which fall midway when a packet traverses from video device 1 to 2 via the ASA.

3) If I apply priority for this traffic, is it necessary to apply policing too for the non-video traffic, or will just applying priority for the video traffic do?

4) The Polycom device is using H323 as a protocol for communicating towards the other video device, and currently the inspect for H323 is not applied. Shall I try applying it and see whether it has an effect?

5) The physical interface is giving L2 decode drops, and the logical interface behind which the video device sits is giving a lot of packet drops. Whether the video call is initiated or not (i.e. when hung up), it keeps on giving packet drops. Hence, do you recommend changing the switch port connected to the firewall as well as changing the firewall Gig port, just for testing purposes? Also, shall I hard-code the duplex and speed of this interface at the firewall and corresponding switch port ends?

I will apply the captures and debugs and let you know the results.

Panos Kampanakis Thu, 05/27/2010 - 07:11

1) Currently no QoS is applied and I am thinking of applying priority to the video traffic; however, the issue is that no priority is applied on the other ASA 5540, which is not observing any jittery images. So I just have a doubt whether the ASA 5510 being a somewhat low-end firewall (compared to the ASA 5540), having a certain amount of throughput, could be a probable convincing reason to make us think about configuring "priority"?

It could be that your ISP connection is less efficient or the ISP path is busier for the ASA that has the issue. We can't be sure.

2) The exact topology is as below. I have told the person who manages the Polycom device to bypass the ASA.

PolyCom video device 1 -> L2 Switch -> Router -> ASA -> Polycom video device 2

Here is how they have done it. Device 3 is a testing device as they cannot take device 2 out.

PolyCom video device 1 -> L2 Switch -> Router ->Polycom video device 3

If device 2 and device 3 were using the same ISP connection then probably it is not QoS.

3) If I apply priority for this traffic, is it necessary to apply policing too for the non-video traffic, or will just applying priority for the video traffic do?

Yes, here is a doc with example that explains why http://supportforums.cisco.com/docs/DOC-1230

4) The Polycom device is using H323 as a protocol for communicating towards the other video device, and currently the inspect for H323 is not applied. Shall I try applying it and see whether it has an effect?

You could, but jitter for voice and video is likely to do interfere with H323 because voice and video are not H323. H323 is signaling, so usually it relates to calls not being established.

5) The physical interface is giving L2 decode drops, and the logical interface behind which the video device sits is giving a lot of packet drops. Whether the video call is initiated or not (i.e. when hung up), it keeps on giving packet drops. Hence, do you recommend changing the switch port connected to the firewall as well as changing the firewall Gig port, just for testing purposes? Also, shall I hard-code the duplex and speed of this interface at the firewall and corresponding switch port ends?

Make sure you have no duplex mismatch between the ASA and the device that connects to it. Also check "sh traffic" to see if the interface sees too much traffic. If the errors still go up, check for L2 tagging issues or change to another interface as a test, if possible.

I will apply the captures and debugs and let you know the results.

Yes that will help you to see if there are drops for the video traffic or the signaling.

I hope it helps.

PK

ankurs2008 Fri, 05/28/2010 - 05:17

Hi pkampana,

1) The ISP bandwidth is 100MBps, which I believe is sufficient; the jittery video images are observed in off-peak hours as well.

2) Device 3 is not using the ASA at all. It is just connected directly to one of the inside router interfaces. It does not even cross the ASA and internet.

3) If 100 MBps is the bandwidth, what amount of CIR should I give to non-video traffic while policing?

4) As the device is Polycom, it initiates the call and establishes the session; hence do we need to apply inspect?

5) I am in the process of changing the switchport connected to the ASA physical interface, as well as testing with hard-coded duplex and speed. Let me see if that works.


Attached is the packet capture snapshot [IP addresses used are different from the ones mentioned above: 72.3.20.14 is the source video device and 72.3.33.226 is video device 2 (destination)]; both being Polycom. There are no drops for the call signalling session; however, there is a "TCPZeroWindow" sent by the server to the client in the 12th frame, and frame 13 (in the inside capture) shows the client sending RST ACK to the server.

If you require the actual pcap file, I will attach that too. There were no deny logs for this video session in the debug-level syslog.

Please suggest how to proceed .
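
Added example (not part of any post in this thread): the capture symptoms named above, Dup-ACK and retransmissions as signs of drops plus the zero-window and RST frames, can be picked out of one TCP connection's segments with a few stateful checks. The record layout, the `analyze` function and the sample segments are constructed for illustration and are not taken from the attached capture.

```python
from collections import namedtuple

# One TCP segment as exported from a capture (hypothetical record layout).
Seg = namedtuple("Seg", "frame direction seq ack length flags window")

def analyze(segments):
    """Return frame numbers per symptom for one TCP connection.

    Sequence-number wraparound and SACK are not handled.
    """
    found = {"retransmission": [], "dup_ack": [], "zero_window": [], "rst": []}
    highest_end = {}    # direction -> highest sequence number already sent
    last_pure_ack = {}  # direction -> (ack, window) of the previous bare ACK
    for s in segments:
        if "R" in s.flags:
            found["rst"].append(s.frame)
            continue
        if s.window == 0 and not set(s.flags) & {"S", "F"}:
            found["zero_window"].append(s.frame)  # receiver buffer is full
        if s.length > 0:
            end = s.seq + s.length
            if end <= highest_end.get(s.direction, -1):
                found["retransmission"].append(s.frame)  # bytes sent before
            highest_end[s.direction] = max(end, highest_end.get(s.direction, 0))
        elif s.flags == "A":
            key = (s.ack, s.window)
            if last_pure_ack.get(s.direction) == key:
                found["dup_ack"].append(s.frame)  # receiver still missing data
            last_pure_ack[s.direction] = key
    return found

# Constructed sample: the segment starting at seq 1500 is lost on first send.
SAMPLE = [
    Seg(1, "c2s", 1000, 5000, 500, "A", 8192),
    Seg(2, "s2c", 5000, 1500, 0, "A", 4096),
    Seg(3, "c2s", 1500, 5000, 500, "A", 8192),
    Seg(4, "c2s", 2000, 5000, 500, "A", 8192),
    Seg(5, "s2c", 5000, 1500, 0, "A", 4096),
    Seg(6, "s2c", 5000, 1500, 0, "A", 4096),
    Seg(7, "c2s", 1500, 5000, 500, "A", 8192),
    Seg(8, "s2c", 5000, 2500, 0, "A", 0),
    Seg(9, "c2s", 2500, 5000, 0, "RA", 0),
]

if __name__ == "__main__":
    for symptom, frames in analyze(SAMPLE).items():
        print(f"{symptom:15} frames {frames}")
```

Running the same checks on the inside and outside captures and comparing the flagged frames shows on which side of the firewall the loss occurs.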
