We have an ASA 5505 configured to an integrated T1 that also provide VoIP through Unity Express. The firewall also hosts a L2L vpn with a second site. The problem is that when users download files from the second site, the T1 inbound becomes fully saturated and Unity users experiences voice breakage and difficult to hear on both ends. I understand that an inbound police policy can be set to police all inbound traffic, but it will also affect overall inbound throughput which defeats the purpose of a link balancer that provides additional inbound bandwidth for non-critical traffic. A brief layout of the network is below:
IPSec tunnels are created by the ASA 5505 and flows through unbalanced. Some suggested why not remove the ASA 5505 entirely and use the LB as the perimeter firewall/vpn terminal; the reason is because there are problems with Unity when a non-Cisco firewall is used. A lot of examples I've seen only include prioritizing VoIP that needs go through a tunnel, but our VoIP doesn't. I've added the following QoS policing config, but not sure if it is any help, but still see the T1 pipe fully saturated during file transfers.
Re: QoS Policing on inbound L2L vpn tunnel possible?
The most effective way to handle this would be an an outbound policy at the remote site which prioritizes voice traffic above the download traffic. It is harder to be effective with an inbound policy because if your link is saturated it will be policed upstream by your ISP before you get a chance to see the traffic and drop the lower priority traffic. You could shape the inbound traffic below your committed rate to allow some headroom to ensure that you have opportunity to see and shape the traffic before it is rate limited by your ISP.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...