prioritize vpn traffic on asa 5505

erwee1973
Level 1

Hello,

We have a customer who has an IPsec site-to-site VPN from their ASA5505 to a Datacenter, also an ASA5505.

I want to prioritize the VPN tunnel traffic since they notice performance issues. The internet interface has speed down/up: 20/5 Mbps.

I have configured QoS like this:

priority-queue outside
 queue-limit 1024
class-map dcavpn_cm
 match flow ip destination-address
 match tunnel-group dcatunnelgroup
policy-map vpnqos_pm
 class dcavpn_cm
  priority
service-policy vpnqos_pm interface outside

Is this sufficient / will this work, when I configure this on both ends?

2 Replies

erwee1973
Level 1

This is the output I get with show priority-queue stat (see below).

Strange thing is that we still have delays and timeouts when pinging over the IPsec tunnel to a server in the Datacenter.

Priority-Queue Statistics interface outside
Queue Type         = BE
Tail Drops         = 0
Reset Drops        = 0
Packets Transmit   = 155221
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 0
Queue Type         = LLQ
Tail Drops         = 0
Reset Drops        = 0
Packets Transmit   = 28810
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 0

No, it won't be enough. Your ASA with a 100 MBit/s interface will never see any congestion because the next device is the one that restricts the traffic to 5 MBit/s and that drops packets.

To make sure that the ASA sees the congestion (which is needed to give QoS the possibility to control the traffic) you have to configure shaping on the outgoing interface to about 5 MBit/s. But test it in a timeframe with not so much mission-critical traffic. I had strange results with shaping on many ASA versions.

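The shaping suggested in the reply above, sketched as an added example that is not part of the original thread: a parent policy shapes the outside interface to the 5 Mbit/s upload rate and nests a priority policy inside it. Cisco's ASA QoS guidelines state that under this hierarchical form encrypted VPN traffic can be matched only by DSCP or precedence, not by tunnel group, so the sketch assumes the traffic bound for the tunnel is already marked DSCP EF; every name ending in `_example` is hypothetical.

```cisco
! Added example for an ASA 5505 uplink; names ending in _example are hypothetical.
! Assumption: traffic destined for the tunnel is already marked DSCP EF by the
! inside network, because the child policy cannot match on a tunnel group.
class-map vpn_dscp_cm_example
 match dscp ef
!
! Child policy: places the matched class in the low-latency queue.
policy-map vpn_llq_pm_example
 class vpn_dscp_cm_example
  priority
!
! Parent policy: shaping is configured on class-default only.
! Rate is in bits per second and must be a multiple of 8000 (5000000 = 625 x 8000).
policy-map outside_shape_pm_example
 class class-default
  shape average 5000000
  service-policy vpn_llq_pm_example
!
! An interface takes one service policy, so replace the one from the question.
no service-policy vpnqos_pm interface outside
service-policy outside_shape_pm_example interface outside
!
! Check that packets are now being queued by the shaper and the priority class.
show service-policy shape
show service-policy priority
```

The shape rate on each end should follow that end's own upload rate, which the thread gives only for the customer site.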