Cisco Support Community
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

QoS Policing on inbound L2L vpn tunnel possible?

We have an ASA 5505 configured to an integrated T1 that also provide VoIP through Unity Express.  The firewall also hosts a L2L vpn with a second site.  The problem is that when users download files from the second site, the T1 inbound becomes fully saturated and Unity users experiences voice breakage and difficult to hear on both ends.  I understand that an inbound police policy can be set to police all inbound traffic, but it will also affect overall inbound throughput which defeats the purpose of a link balancer that provides additional inbound bandwidth for non-critical traffic.  A brief layout of the network is below:

Unity ---> Switch ---> ASA 5505 ---> Link Balancer ---> T1, DSL1, DSL2

ASA 5505 is configured with T1 IP scheme.

IPSec tunnels are created by the ASA 5505 and flows through unbalanced.  Some suggested why not remove the ASA 5505 entirely and use the LB as the perimeter firewall/vpn terminal; the reason is because there are problems with Unity when a non-Cisco firewall is used.  A lot of examples I've seen only include prioritizing VoIP that needs go through a tunnel, but our VoIP doesn't.  I've added the following QoS policing config, but not sure if it is any help, but still see the T1 pipe fully saturated during file transfers.

priority-queue inside

priority-queue outside

class-map voice_non_marked

match rtp 16384 16383

class-map site_vpn

match flow ip destination-address

match tunnel-group xx.xx.xx.xx

class-map voice_marked

match dscp ef

policy-map voip
class voice_non_marked
class voice_marked
class site_vpn
  police output 100000
service-policy voip interface inside
service-policy voip interface outside


Re: QoS Policing on inbound L2L vpn tunnel possible?

The most effective way to handle this would be an an outbound policy at the remote site which prioritizes voice traffic above the download traffic. It is harder to be effective with an inbound policy because if your link is saturated it will be policed upstream by your ISP before you get a chance to see the traffic and drop the lower priority traffic. You could shape the inbound traffic below your committed rate to allow some headroom to ensure that you have opportunity to see and shape the traffic before it is rate limited by your ISP.

CreatePlease to create content