Cisco Support Community
low-latency prio queue for udp traffic, but not matching ACL?

Hi,

I have an OpenVPN service running behind an ASA for which I would like to prioritize the packets.

The OpenVPN service connects to a remote OpenVPN service on 1194/udp, and accepts traffic on udp/1194 for yet another OpenVPN server.

Here's what I did:

access-list priority extended permit udp any any eq 1194
!
priority-queue outside
!
class-map priotraffic
 match access-list priority
!
policy-map QoS_policy
 class priotraffic
  priority
!
service-policy QoS_policy global
!
priority-queue outside

I know there are hundreds of packets per second on this OpenVPN, but still I only see 2 matched packets on the ACL "priority":

# show access-list | inc priority
access-list priority line 1 extended permit udp any any eq 1194 (hitcnt=2) 0xbbdd01d4

Am I missing something? Must I know both src AND destination ports in order to achieve this?

3 REPLIES

low-latency prio queue for udp traffic, but not matching ACL?

Hello,

Nope, the ACL is properly configured; you do not need to set the source port!

If you do a capture on the ASA, do you see more than 2 packets?

What happens if you do sh service-policy?

How many packets do you see in the service policy you configured?

Regards,

Julio


low-latency prio queue for udp traffic, but not matching ACL?

Hi,

The ASA had rebooted due to a power failure, so now hitcnt=0 (although the VPN works as expected).

Do you propose I do a capture based on my ACL (which doesn't have any hit count), or should I create a capture with port 1194/udp on interface outside?

Some stats:

asa# show access-list | inc priority
access-list priority line 1 extended permit udp any any eq 1194 (hitcnt=0) 0xbbdd01d4

asa# sh service-policy

Global policy:
  Service-policy: QoS_policy
    Class-map: priotraffic
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface inside: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface mobenga: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface escom: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface management: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface server: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface vpn: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface cafe_member: aggregate drop 0, aggregate transmit 0
    Class-map: class-default


Re: low-latency prio queue for udp traffic, but not matching ACL

I started suspecting that it only matched packets for new connections (called NEW / UNREPLIED in iptables). I tested my thesis by restarting one of my OpenVPN tunnels, and indeed I now see a hit count of one packet.

Question is, how come only new UDP connections are being matched? I would obviously like to prioritize all packets of an already established session.

Thanks,

By the way, the statistics after I reinitiated one of the tunnels:

asa# show access-list | inc priority
access-list priority line 1 extended permit udp any any eq 1194 (hitcnt=1) 0xbbdd01d4

asa# show service-policy

Global policy:
  Service-policy: QoS_policy
    Class-map: priotraffic
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface inside: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface mobenga: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface escom: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface management: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface server: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface vpn: aggregate drop 0, aggregate transmit 0
      Priority:
        Interface cafe_member: aggregate drop 0, aggregate transmit 0
    Class-map: class-default
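The behaviour the thread converges on (one ACL hit per connection rather than per packet) is easier to see in a small model than on the box. The block below is an added illustration written for this page; it is not ASA code and not part of any post. It encodes one assumption about ASA Modular Policy Framework behaviour: the class-map ACL is consulted only for the packet that creates a connection, the resulting class is stored with the conn and applied to every later packet of that conn in both directions, and the conn idles out after the default UDP idle timeout of 2 minutes. Addresses, ports and timing are constructed. It also goes one step beyond the thread by showing what happens when an idled-out conn is re-created by the remote side's packet, which is the case behind the "src AND destination ports" question.

```python
"""Why a busy UDP tunnel shows hitcnt=1 on a class-map ACL: a simplified model.

Constructed model for this thread, not ASA code. Assumption encoded here:
the class-map ACL sees only the packet that creates a conn; the class is
cached on the conn and applied to all later packets of that conn in both
directions until the conn idles out (default UDP idle timeout 2 minutes).
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

UDP_IDLE_TIMEOUT = 120.0  # seconds; ASA default "timeout udp 0:02:00"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    t: float  # arrival time in seconds


@dataclass
class Ace:
    """Stand-in for 'permit udp any any eq <dport>' with its hit counter."""
    dport: int
    hitcnt: int = 0

    def matches(self, p: Packet) -> bool:
        return p.dport == self.dport


ConnKey = Tuple[Tuple[str, int], Tuple[str, int]]


@dataclass
class Asa:
    acl: Ace
    conns: Dict[ConnKey, Tuple[str, float]] = field(default_factory=dict)
    prioritized: int = 0    # packets placed in the priority (LLQ) queue
    best_effort: int = 0    # packets that fell through to class-default

    @staticmethod
    def conn_key(p: Packet) -> ConnKey:
        # One conn covers both directions, so order the endpoints canonically.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def forward(self, p: Packet) -> str:
        k = self.conn_key(p)
        entry = self.conns.get(k)
        if entry is not None and p.t - entry[1] <= UDP_IDLE_TIMEOUT:
            cls = entry[0]              # existing conn: ACL is not consulted
        elif self.acl.matches(p):       # new or idled-out conn: the ACL sees this packet only
            self.acl.hitcnt += 1
            cls = "priotraffic"
        else:
            cls = "class-default"
        self.conns[k] = (cls, p.t)
        if cls == "priotraffic":
            self.prioritized += 1
        else:
            self.best_effort += 1
        return cls


def run_openvpn_scenario() -> Dict[str, Tuple[int, int, int]]:
    """Constructed traffic shaped like the thread's tunnel; returns
    (ACL hitcnt, prioritized packets, best-effort packets) after each stage."""
    asa = Asa(Ace(dport=1194))
    local, remote = "192.0.2.10", "198.51.100.5"   # documentation addresses (constructed)

    def exchange(sport: int, t: float, remote_first: bool = False) -> None:
        out = Packet(local, sport, remote, 1194, t)    # dport 1194: matches the ACE
        back = Packet(remote, 1194, local, sport, t)   # dport = sport: does not
        for p in ((back, out) if remote_first else (out, back)):
            asa.forward(p)

    def counters() -> Tuple[int, int, int]:
        return (asa.acl.hitcnt, asa.prioritized, asa.best_effort)

    stages: Dict[str, Tuple[int, int, int]] = {}
    t = 0.0
    for _ in range(300):             # 3 s of a busy tunnel, 100 pps each way
        exchange(40000, t)
        t += 0.01
    stages["busy"] = counters()      # 600 packets prioritized, hitcnt still 1

    t += 1.0                         # OpenVPN restarted: new ephemeral source port
    for _ in range(100):
        exchange(40001, t)
        t += 0.01
    stages["restart"] = counters()   # one more hit: one per connection

    t += 200.0                       # silence longer than the UDP idle timeout
    exchange(40001, t)
    stages["after_idle"] = counters()  # conn rebuilt, ACL consulted again

    t += 200.0                       # idle again, but the remote side talks first
    exchange(40001, t, remote_first=True)
    # Only reachable if an interface ACL lets that inbound packet through; in that
    # case the conn is created by a packet with sport 1194, the ACE never matches,
    # and the whole conn stays best effort until it idles out again.
    stages["remote_first"] = counters()
    return stages


if __name__ == "__main__":
    for stage, (hits, prio, be) in run_openvpn_scenario().items():
        print(f"{stage:>12}: hitcnt={hits} prioritized={prio} best-effort={be}")
```

On a real ASA the same distinction shows up when you compare counters that move per connection with counters that move per packet: `show conn protocol udp port 1194` lists the single long-lived conn behind a hitcnt of 1, while a capture (`capture prio interface outside match udp any any eq 1194`, then `show capture prio`) and `show priority-queue statistics outside` count packets. If a conn can ever be created by a packet arriving with source port 1194, a second ACE, `permit udp any eq 1194 any`, covers that direction in the model above.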
