low-latency prio queue for udp traffic, but not matching ACL?

3moloz123
Level 1

Hi,

I have an OpenVPN service running behind an ASA for which I would like to prioritize the packets.

The OpenVPN service connects to a remote OpenVPN service on 1194/udp, and accepts traffic on udp/1194 for yet another OpenVPN server.

Here's what I did:

access-list priority extended permit udp any any eq 1194
!
priority-queue outside
!
class-map priotraffic
 match access-list priority
!
policy-map QoS_policy
 class priotraffic
  priority
!
service-policy QoS_policy global
!
priority-queue outside

I know there are hundreds of packets per second on this OpenVPN, but still I only see 2 matched packets on the ACL "priority":

# show access-list | inc priority
access-list priority line 1 extended permit udp any any eq 1194 (hitcnt=2) 0xbbdd01d4

Am I missing something? Must I know both src AND destination ports in order to achieve this?

3 Replies

Julio Carvajal
VIP Alumni

Hello,

Nope, the ACL is properly configured; you do not need to set the source port!

If you do a capture on the ASA do you see more than 2 packets?

What happens if you do sh service-policy?

How many packets do you see in the service policy you configured?

Regards,

Julio

Rate all helpful posts!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

The ASA had rebooted due to a power failure, so now hitcnt=0 (although the VPN works as expected).

Do you propose I do a capture based on my ACL (which doesn't have any hit count), or should I create a capture with port 1194/udp on interface outside?

Some stats:

asa# show access-list | inc priority
access-list priority line 1 extended permit udp any any eq 1194 (hitcnt=0) 0xbbdd01d4

asa# sh service-policy
Global policy:
  Service-policy: QoS_policy
    Class-map: priotraffic
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface inside: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface mobenga: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface escom: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface management: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface server: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface vpn: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface cafe_member: aggregate drop 0, aggregate transmit 0
    Class-map: class-default

I started suspecting that it only matched packets for new connections (in iptables called NEW / UNREPLIED). I tested my thesis by restarting one of my OpenVPN tunnels, and indeed I now see a hit count of one packet.

Question is, how come only new UDP connections are being matched? I would obviously like to prioritize all packets of an already established session.

Thanks,

By the way, the statistics after I reinitiated one of the tunnels:

asa# show access-list | inc priority
access-list priority line 1 extended permit udp any any eq 1194 (hitcnt=1) 0xbbdd01d4

asa# show service-policy
Global policy:
  Service-policy: QoS_policy
    Class-map: priotraffic
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface inside: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface mobenga: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface escom: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface management: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface server: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface vpn: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface cafe_member: aggregate drop 0, aggregate transmit 0
    Class-map: class-default
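The hit-count behaviour the poster observed is what a stateful firewall does: the access-list is consulted when a connection is created, and later packets of that connection (including replies whose source port is 1194 and whose destination port is ephemeral) are matched against the connection entry, not against the ACL. So `hitcnt` counts connections, not packets, and a destination-port-only ACE is enough to classify both directions. The toy model below is an added example written for this page, not code from the thread or from Cisco; the addresses, ports and packet counts are constructed sample data, and the class names `priotraffic` / `class-default` are reused from the poster's configuration only for readability. It runs the same constructed traffic through a stateful and a stateless variant so the two counting behaviours can be compared.

```python
"""Toy model of stateful flow classification on a firewall.

Added example (not from the original thread, not Cisco code). It models why
an access-list hit counter on a stateful firewall advances once per
connection while every packet of that connection inherits the class the
first packet received. All traffic below is constructed sample data.
"""
from collections import namedtuple
from dataclasses import dataclass, field

Packet = namedtuple("Packet", "proto src sport dst dport")


@dataclass
class AceUdpDstPort:
    """Stand-in for 'permit udp any any eq <port>' (destination port only)."""
    port: int
    hitcnt: int = 0

    def matches(self, pkt):
        return pkt.proto == "udp" and pkt.dport == self.port


@dataclass
class Firewall:
    ace: AceUdpDstPort
    stateful: bool = True
    conns: dict = field(default_factory=dict)  # normalised 5-tuple -> class
    prio_pkts: int = 0
    default_pkts: int = 0

    def _key(self, pkt):
        # Order the two endpoints so a reply maps onto the same entry as the
        # packet that opened the connection.
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (pkt.proto,) + (a + b if a <= b else b + a)

    def _classify(self, pkt):
        # Slow path: the ACE is evaluated and its hit counter advances.
        if self.ace.matches(pkt):
            self.ace.hitcnt += 1
            return "priotraffic"
        return "class-default"

    def forward(self, pkt):
        if not self.stateful:
            cls = self._classify(pkt)        # every packet hits the ACE
        else:
            key = self._key(pkt)
            cls = self.conns.get(key)
            if cls is None:                  # first packet of a connection
                cls = self._classify(pkt)
                self.conns[key] = cls
        if cls == "priotraffic":
            self.prio_pkts += 1
        else:
            self.default_pkts += 1
        return cls


def simulate(stateful=True, rounds=100):
    """Constructed traffic: two OpenVPN tunnels plus unrelated DNS."""
    fw = Firewall(AceUdpDstPort(1194), stateful=stateful)
    # Tunnel 1: local client to a remote OpenVPN server, and its replies.
    out = Packet("udp", "10.0.0.5", 51000, "203.0.113.10", 1194)
    back = Packet("udp", "203.0.113.10", 1194, "10.0.0.5", 51000)
    # Tunnel 2: remote peer into the local OpenVPN server, and its replies.
    inb = Packet("udp", "198.51.100.7", 40000, "10.0.0.5", 1194)
    inb_back = Packet("udp", "10.0.0.5", 1194, "198.51.100.7", 40000)
    # Noise that must stay in class-default.
    dns = Packet("udp", "10.0.0.9", 53000, "192.0.2.53", 53)
    for _ in range(rounds):
        for pkt in (out, back, inb, inb_back, dns):
            fw.forward(pkt)
    return fw


if __name__ == "__main__":
    for mode in (True, False):
        fw = simulate(stateful=mode)
        print(f"stateful={mode}: hitcnt={fw.ace.hitcnt} "
              f"prio_pkts={fw.prio_pkts} default_pkts={fw.default_pkts} "
              f"conns={len(fw.conns)}")
```

In the stateful run the ACE hit counter ends at 2 for two tunnels (one per connection, matching the first `hitcnt=2` the poster saw), yet all 400 tunnel packets in both directions land in `priotraffic`. In the stateless run the counter advances on every matching packet (200), and the 200 reply packets, whose destination port is ephemeral, fall into `class-default`, which is exactly the problem a destination-port-only ACE would have on a per-packet classifier. The model covers only the `hitcnt` semantics; it does not explain the zero `aggregate transmit` counters in the `show service-policy` output above.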
