ASA VPN: QoS for Voice/Video Traffic

Mon, 11/07/2016 - 02:54
May 15th, 2012

BACKGROUND

Generally, voice and video traffic cannot tolerate long latencies. Using QoS helps to reduce latency and to prioritize mission-critical traffic. A Cisco IOS router can prioritize voice traffic and also has a command option to reserve bandwidth for voice and video traffic. The bandwidth reservation command is not available on the ASA. This document describes how to prioritize voice/video traffic on a VPN network, how to reserve bandwidth for voice/video traffic, and the best practices for configuring QoS for voice/video traffic on the Cisco ASA.

ASA QOS OVERVIEW

  • On the ASA, QoS is supported only in single-context, routed mode. QoS is not supported for packet marking, Class Based Weighted Fair Queuing (CBWFQ), transparent firewall, multiple security contexts, IPv6, AnyConnect VPN tunnels and Clientless SSL VPN (Cisco bug ID CSCsl73211). When you configure QoS on a tunnel group with WebVPN attributes, you get an error message indicating that it is not supported. If you need good performance for voice and video traffic over AnyConnect SSL VPN, you will have to implement Datagram Transport Layer Security (DTLS).
  • When QoS is configured on the ASA, the QoS bits in the original IP header are copied to the IP header of the encrypted packet, which allows QoS to be enforced after encryption. The ASA preserves the ToS field as specified in RFC 2401, so the DSCP bits can be used for the QoS configuration. The ASA does not mark or classify packets; it honors and preserves the existing marking it receives, and assumes that the traffic already carries a DSCP/IP precedence value in the packet header. This way the ASA and the devices along the VPN tunnel can correctly prioritize the traffic. For end-to-end QoS, every IP device along the connection path needs to be QoS capable.
  • The ASA supports traffic policing, prioritization and shaping. Policing limits the maximum bandwidth used per traffic flow (bits per second), while prioritization transmits certain traffic flows before others. Traffic shaping controls the device's link speed (to avoid link saturation and delay) by rate limiting its traffic without dropping packets: it transmits packets at a fixed rate, and packets that cannot be transmitted yet are stored in a buffer and transmitted later.
  • The ASA maintains two different types of priority queue on an interface:
    • Standard priority queue: used for traffic prioritization without traffic shaping. In that case this queue must be configured explicitly on the outside interface.
    • Hierarchical priority queue: used for the portion of shaped traffic that can be prioritized (IPsec-over-TCP is not supported). When doing traffic prioritization with traffic shaping, this queue is used instead of the standard priority queue, and no queue configuration is required on the outside interface.

  • The two types of QoS on the ASA are the QoS engine and the egress interface QoS. The QoS engine consists of a traffic classifier, a rate limiter and a token bucket, while the egress interface QoS consists of a high-priority queue and a low-priority queue. When traffic exits the QoS engine, it is forwarded to the egress interface for physical transmission, where another level of QoS ensures that traffic with a priority flag gets proper handling. At the physical interface, the processing of a packet depends on the depth of the queue and the state of the transmit ring (the buffer space the ASA uses to store packets before transmitting them at the driver level). When the transmit ring is congested, non-priority packets are queued to the low-priority queue while prioritized packets are queued to the high-priority queue. If the transmit ring is free of congestion, non-priority packets are sent immediately, after ensuring that the high-priority queue is empty. If the high-priority queue has a packet to send, the transmit ring services that queue first.
  • When QoS is configured on the ASA, the following sequence of events occurs:
    1. If the packet is the first of its flow, it is routed to the correct interface and a flow is created for subsequent packets of the same type.
    2. The packet enters the QoS engine and is classified by the classifier. If it is classified as priority, it goes straight to the high-priority queue (egress interface QoS); such packets cannot be rate limited.
    3. If the traffic is classified for rate limiting (policing), it goes to the rate limiting engine. If the packet exceeds the configured rate, it is dropped (non-conform); otherwise it is forwarded to the low-priority queue (egress interface QoS).
    4. The ASA then transmits the packet over the physical link.

NOTE: If a packet is classified neither as priority nor for rate limiting, it is forwarded to the low-priority queue (egress interface QoS) and no existing rate limiting policy is applied to it.

  • A token bucket exists in the ASA QoS engine. It is used to normalize the different traffic flows; the normalization is either traffic policing or traffic shaping. The tokens (bits) in the bucket are not prioritized. Tokens are added to the bucket at a fixed rate, and the bucket has a capacity limit: once the limit is reached, newly arriving tokens are discarded, and traffic that finds no tokens is either dropped (policing) or waits until tokens accrue again (traffic shaping). The largest burst that can be sent within a given unit of time is directly proportional to the size of the bucket.
  • Prioritization and policing are mutually exclusive techniques for configuring QoS on the ASA. Using a single class map, you cannot prioritize a traffic type and at the same time police the same traffic type; if you try, you receive the following error: ERROR: Must deconfigure priority in this class before issuing this command.
  • When priority queuing is configured, packets are not actually prioritized unless the LLQ is saturated. If you have a high-bandwidth interface such as 100 Mbps or 1 Gbps, link saturation rarely occurs. Using priority queuing together with policing or traffic shaping allows the LLQ to kick in when the policing or shaping limits are met.
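As an added illustration of the token-bucket behaviour described above (example code written for this page, not code from the original document or from Cisco), the Python model below replays the same burst through a policer, which drops non-conforming packets, and a shaper, which holds them until tokens accrue and tail-drops only beyond a queue limit. The rate (the 100 kbps voice reservation used later in this document), bucket size and packet sizes are constructed values.

```python
from collections import deque

def run_token_bucket(packets, rate_bps, bucket_bits, mode, queue_limit=None):
    """Replay (arrival_s, size_bytes) packets through one token bucket (toy model, not ASA code).
    mode="police": a packet that finds too few tokens is dropped (exceed-action drop).
    mode="shape":  it waits until tokens accrue; if queue_limit packets are already
    waiting it is tail-dropped. Returns (sent, dropped, max_delay_s). Bucket starts full."""
    tokens, last_t, clock = float(bucket_bits), 0.0, 0.0
    waiting = deque()            # departure times of packets still held by the shaper
    sent = dropped = 0
    max_delay = 0.0
    for arrival, size in packets:
        bits = size * 8
        if mode == "police":
            tokens = min(bucket_bits, tokens + rate_bps * (arrival - last_t))
            last_t = arrival
            if tokens >= bits:
                tokens -= bits
                sent += 1
            else:
                dropped += 1     # non-conforming: a policer never buffers
            continue
        while waiting and waiting[0] <= arrival:   # forget packets that already left
            waiting.popleft()
        if queue_limit is not None and len(waiting) >= queue_limit:
            dropped += 1         # tail drop: the shaper queue is full
            continue
        t = max(arrival, clock)  # FIFO: cannot leave before the previous packet
        tokens = min(bucket_bits, tokens + rate_bps * (t - last_t))
        if tokens < bits:
            t += (bits - tokens) / rate_bps        # wait for the shortfall to accrue
            tokens = bits
        tokens -= bits
        last_t = clock = t
        sent += 1
        max_delay = max(max_delay, t - arrival)
        if t > arrival:
            waiting.append(t)
    return sent, dropped, max_delay

def burst(n, size_bytes, spacing_s=0.0):
    """Constructed traffic: n packets of size_bytes, spacing_s apart (0 = one burst)."""
    return [(i * spacing_s, size_bytes) for i in range(n)]

if __name__ == "__main__":
    # 100 kbps (the voice reservation), 8000-bit bucket, ten 200-byte packets at once
    for mode in ("police", "shape"):
        print(mode, run_token_bucket(burst(10, 200), 100_000, 8000, mode, queue_limit=3))
```

With the burst, the policer passes only the five packets the full bucket can cover and drops the rest, while the shaper delivers all ten with up to 80 ms of delay (or tail-drops two once a queue limit of three is set).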


Standard Priority Queuing

Example: assume our ASA has a VPN tunnel group named “2.2.2.2” and an outside bandwidth of 1 Mbps (1000000 bps). We want to prioritize voice and also reserve 0.1 Mbps (100000 bps) for voice. Remember that the ASA does not mark or classify voice packets; in this example we assume that the voice traffic is already marked with a DSCP value of EF.

In this example, the policy map also handles the default class, whose traffic is policed. The ASA provides a way to apply actions to traffic not matched by any configured class map: the “class-default” class. Using “class-default” is not supported for priority traffic. Since we are using the standard priority queue, we configure the standard priority queue on the outside interface manually.

On the ASA 5580, a standard priority queue cannot be created on a Ten Gigabit Ethernet interface; it can only be created on the ASA 5585-X with Ten Gigabit Ethernet interfaces. Also, priority queuing is not supported on the management interface (“management 0/0”) of the ASA 5512-X through ASA 5555-X.

When priority queuing is configured, IPsec packets may be received out of order and outside the anti-replay window, which causes false-positive warning syslog messages to be generated. Configuring the IPsec anti-replay window size can be used to avoid these false positives.

GORIASA(config)# interface g0/0
GORIASA(config-if)# nameif outside
GORIASA(config-if)# speed auto
GORIASA(config-if)# duplex auto
GORIASA(config)# interface g0/1
GORIASA(config-if)# nameif inside
GORIASA(config-if)# speed auto
GORIASA(config-if)# duplex auto
GORIASA(config-if)# sysopt connection tcpmss 1200
GORIASA(config)# mtu outside 1380
GORIASA(config)# crypto IPsec df-bit clear-df outside
GORIASA(config)# crypto IPsec fragmentation before-encryption outside
GORIASA(config)# crypto IPsec security-association replay window-size 1024
GORIASA(config)# priority-queue outside
GORIASA(config-priority-queue)# tx-ring-limit 512
GORIASA(config-priority-queue)# queue-limit 2048
GORIASA(config)# class-map voice-qos
GORIASA(config-cmap)# match tunnel-group 2.2.2.2
GORIASA(config-cmap)# match dscp ef
GORIASA(config-cmap)# exit
GORIASA(config)# policy-map Gori-police
GORIASA(config-pmap)# class voice-qos
GORIASA(config-pmap-c)# priority
GORIASA(config-pmap-c)# exit
GORIASA(config-pmap)# class class-default
GORIASA(config-pmap-c)# police output 900000 conform-action transmit exceed-action drop
GORIASA(config)# service-policy Gori-police interface outside

The policing rate is in bits per second (bps). The link below can be used for data rate unit conversion.

http://www.sengpielaudio.com/calculator-transferrate.htm

Hierarchical Priority Queuing

In this example, a nested policy map is used and the default class traffic is shaped. On the ASA, shaping can only be applied to outgoing traffic using class-default, because the ASA requires all traffic to be matched for traffic shaping. Traffic shaping is similar to policing, except that shaping places the packet in a buffer and smooths the traffic flow to match the imposed limit, whereas policing drops the packet once the limit has been exceeded. Generally, traffic shaping applies to all types of traffic leaving the ASA. You cannot enable policing and traffic shaping for the same type of traffic, even though the ASA allows the configuration.

The total maximum traffic size for shaped traffic includes the IPsec overhead and the layer two (L2) headers. Shaping takes place after encryption and does not allow prioritization of the inner packet or on a tunnel-group basis for VPN. When using hierarchical priority queuing for encrypted VPN traffic, only the DSCP/IP precedence value can be used to match the traffic; the tunnel group cannot be used.

Since we are using the hierarchical priority queue in this example, we do not need to configure a priority queue on the outside interface. Note that traffic shaping is not yet supported on the ASA 5580.

GORIASA(config)# interface g0/0
GORIASA(config-if)# nameif outside
GORIASA(config-if)# speed auto
GORIASA(config-if)# duplex auto
GORIASA(config)# interface g0/1
GORIASA(config-if)# nameif inside
GORIASA(config-if)# speed auto
GORIASA(config-if)# duplex auto
GORIASA(config-if)# sysopt connection tcpmss 1200
GORIASA(config)# mtu outside 1380
GORIASA(config)# crypto IPsec df-bit clear-df outside
GORIASA(config)# crypto IPsec fragmentation before-encryption outside
GORIASA(config)# crypto IPsec security-association replay window-size 1024
GORIASA(config)# class-map voice-qos
GORIASA(config-cmap)# match dscp ef
GORIASA(config)# policy-map voice-qos
GORIASA(config-pmap)# class voice-qos
GORIASA(config-pmap-c)# priority
GORIASA(config-pmap-c)# policy-map gory-shape
GORIASA(config-pmap)# class class-default
GORIASA(config-pmap-c)# shape average 896000
GORIASA(config-pmap-c)# service-policy voice-qos
GORIASA(config)# service-policy gory-shape interface outside

NOTE: The target bit rate (bits per second) for traffic shaping must be a multiple of 8000.

The “show priority-queue statistics” command tells us whether the ASA is actually prioritizing traffic. As shown below, it displays the statistics for both traffic forwarded as BE (best effort) and traffic forwarded through the LLQ.

show priority-queue statistics before QoS is configured

Priority-Queue Statistics interface OUTSIDE
Queue Type         = BE
Tail Drops         = 0
Reset Drops        = 0
Packets Transmit   = 642459
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 0
Queue Type         = LLQ
Tail Drops         = 0
Reset Drops        = 0
Packets Transmit   = 0
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 0

show priority-queue statistics after QoS is configured

Priority-Queue Statistics interface OUTSIDE
Queue Type         = BE
Tail Drops         = 0
Reset Drops        = 0
Packets Transmit   = 1618882
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 0
Queue Type         = LLQ
Tail Drops         = 0
Reset Drops        = 0
Packets Transmit   = 757
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 0

NOTES:

  • Once configured, the QoS policies do not apply to already established VPN traffic; for them to apply immediately to established VPN traffic, you have to bounce the tunnel. Likewise, if a service policy applied to an interface is removed, the QoS applied to established VPN traffic is not removed until you re-establish the tunnel.
  • Again, the ASA does not mark or classify voice packets; it assumes that the voice/video traffic is already marked with a DSCP value. After QoS is configured, if the LLQ counters in the “show priority-queue statistics” output still show zero, you need to make sure the ASA is actually receiving packets already marked with the DSCP value. A packet capture on the interface can help you verify this.
  • For effective traffic prioritization, QoS must be applied end to end. All devices along the traffic path must honor the DSCP/IP precedence value in the packet header, which helps to avoid bottlenecks along the path.
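To automate the check in the second note above (an added example written for this page, not part of the original document or of any Cisco tooling), the Python below parses “show priority-queue statistics” output as printed on this page and reports when the LLQ has transmitted nothing or when either queue is tail-dropping. The embedded sample is the “after QoS is configured” output shown above; the function names and finding texts are my own.

```python
# Sample input: the "after QoS is configured" output shown on this page.
SAMPLE_AFTER = """\
Priority-Queue Statistics interface OUTSIDE
Queue Type         = BE
Tail Drops         = 0
Reset Drops        = 0
Packets Transmit   = 1618882
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 0
Queue Type         = LLQ
Tail Drops         = 0
Reset Drops        = 0
Packets Transmit   = 757
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 0
"""

def parse_priority_queue_stats(text):
    """Parse 'show priority-queue statistics' into {interface: {queue: {counter: int}}}."""
    stats, iface, queue = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Priority-Queue Statistics interface "):
            iface, queue = line.rsplit(" ", 1)[1], None   # new interface block
            stats[iface] = {}
        elif "=" in line and iface is not None:
            key, _, value = (part.strip() for part in line.partition("="))
            if key == "Queue Type":                        # BE or LLQ sub-block
                queue = value
                stats[iface][queue] = {}
            elif queue is not None and value.isdigit():
                stats[iface][queue][key] = int(value)
    return stats

def check_llq(stats, iface):
    """Findings an admin would act on; an empty list means the LLQ is carrying traffic."""
    queues = stats.get(iface, {})
    if "LLQ" not in queues:
        return ["%s: no LLQ counters, priority-queue is not configured on this interface" % iface]
    llq, be, findings = queues["LLQ"], queues.get("BE", {}), []
    if llq.get("Packets Transmit", 0) == 0:
        findings.append("%s: LLQ has transmitted nothing; verify with a capture that packets "
                        "arrive already marked with the matched DSCP, then bounce the tunnel" % iface)
    if llq.get("Tail Drops", 0) or be.get("Tail Drops", 0):
        findings.append("%s: tail drops seen; queue-limit or tx-ring-limit may be too small" % iface)
    return findings
```

Feed it the output captured from the ASA and compare the LLQ “Packets Transmit” counter before and after applying the service policy; a counter that stays at zero means the policy is not matching anything.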

ASA QOS Commands

clear service-policy policyname interface ifname
show service-policy global
show service-policy interface ifname
show service-policy priority
show priority-queue statistics
show service-policy shape
show running-config priority-queue
clear configure priority-queue

The following bugs were introduced by the traffic shaping feature:

  • CSCsq08550: Traffic shaping with priority queueing causes traffic failure on ASA
  • CSCsx07862: Traffic shaping with priority queueing causes packet delay and drops
  • CSCsq07395: Adding shaping service-policy fails if policy-map has been edited

GORI DAWODU

CISCO TAC VPN, SAN JOSE
