
ASA with QOS using a Service-Policy

I am running 8.2.5 on 5505s and set up a service policy QoS to try to give VOIP packets priority. I used policing on the other interface of the ASA and police both the input and output packets. I have a priority queue, a class for my VPN tunneled traffic, a class for TCP traffic (mainly for Internet traffic) and a default class. The classes TG-NonVoice-Out and TG-NonVoice-In use an access list match for any traffic over the VPN tunnel. The VOIP traffic is also all tunneled traffic - priority queue out and class-map TG-Voice-In, although there is none over this link, but I use the same setup on all my ASAs. The class-map TCP-Traffic is for both in and out TCP packets. The default class map is in and out for all other packets. The config for all this is below. Not too complex, and it appeared to work for both incoming and outgoing when I watched bit rates using the ASDM with test files...


...BUT I find that it starts failing after running for a while. If I do a 1GB file transfer over the tunnel between two end hosts, then assuming the values below are in use, I would see the transfer start and hold at 30Mb for a long time. Then out of the blue it may drop and hold at 2Mb (the default class), and that is where it stays from then on for any tunneled traffic. If I were to set the default class rate to 6Mb, I would see the rate drop down to 6Mb, so I know it is placing all the tunneled traffic in the default class and not in the TG-NonVoice-xx class where it should be, since the packets are matching the ACL for the class.


Any idea what is going on and why this is failing? Does anyone see a mistake in the setup that would cause this?




access-list tg-nonvoice-out extended permit ip any
access-list tcp-traffic extended permit tcp any any
access-list tg-nonvoice-in extended permit ip any
priority-queue outside
  tx-ring-limit 20
class-map TG-NonVoice-Out
 match access-list tg-nonvoice-out
class-map TG-Voice-Out
 match dscp ef
class-map TG-Voice-In
 match dscp ef
class-map TCP-Traffic
 match access-list tcp-traffic
class-map inspection_default
 match default-inspection-traffic
class-map TG-NonVoice-In
 match access-list tg-nonvoice-in
policy-map qos
 class TG-Voice-Out
 class TG-Voice-In
  police input 500000
 class TG-NonVoice-Out
  police output 30000000
 class TG-NonVoice-In
  police input 30000000
 class TCP-Traffic
  police output 1000000
  police input 1000000
 class class-default
  police output 2000000
  police input 2000000
service-policy qos interface outside