This may be a general VOICE ISSUE with something I need to change with inspection, ... but, ...
Hi. Currently, we have two ASA 5505s terminating a tunnel between NY and NM. All is fine except for the fact that when VOICE traffic traverses the link, the policy drops go WAY UP and response time goes to almost nothing!! We have one Quintum Voice unit in NY, a Tenor DX 4048, and two in NM, a Tenor AXG 2400. SOMEBODY please HELP!!!
My first thought is that an itty bitty firewall is being asked to be a big one; perhaps it's not the right box for the job.
And yet Cisco says it can... so
How much voice are you putting on the box? Can it handle it? What does the CPU look like? What about your policy, is it configured correctly? Can you share it?
Only three voice lines.
The CPU looks fine.
Policy - no clue - using DEFAULT. I AM concerned about that 'cause I'm thinking inspection may 'need' to be off? All else is plain vanilla... Ideas please :( ??
I tend to use one policy to match the voice traffic and apply this globally then use another policy to inspect all other required traffic types and apply this to the internal interface.
Not had any problems doing it that way.
Hi and thank you!!!
What I did was delete the global inspection policy. Although I have set up quite a few ASAs, NEVER have I ventured into the policy and inspection areas. If I may, how did you do this, and would you be able to give me a brief example? I would GREATLY appreciate it.
THANKS SO MUCH!!!
There is a good guide here -
This is how I do it -
match access-list Voice_Map
match dscp ef
match tunnel-group #Name of group#
service-policy qos global
service-policy csc_out_policy interface Inside_VLAN_1000
This is matching against dscp values, an access-list and a vpn tunnel group.
The second service policy is for CSC modules but can be the default if needed.
I am almost ready to cry here. I am pasting the config without IPs ---- does this prioritize voice correctly? :(
ip address 192.168.1.252 255.255.255.0
switchport access vlan 2
boot system disk0:/asa802-k8.bin
boot system disk0:/asa722-k8.bin
ftp mode passive
dns server-group DefaultDNS
access-list OUTBOUND extended permit udp any any eq domain
access-list OUTBOUND extended permit tcp any any eq https
access-list OUTBOUND extended permit tcp any any eq www
access-list OUTBOUND extended permit ip any 192.168.23.0 255.255.255.0
access-list INBOUND extended permit icmp any any echo-reply
access-list INBOUND extended permit ip any any
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.23.0 255.255.255.0 log
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.23.0 255.255.255.0 log
access-list OUTBOUNG extended permit ip any any
pager lines 24
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group OUTBOUND in interface inside
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 184.108.40.206 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer aaaa
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
no threat-detection basic-threat
threat-detection statistics access-list
match dscp ef
match tunnel-group aaaa
policy-map type inspect dns preset_dns_map
message-length maximum 512
encrypted privilege 15
tunnel-group aaaa type ipsec-l2l
tunnel-group aaaa ipsec-attributes
prompt hostname context
Viewing the config on a phone, so I could be wrong, but I can't see the policy applied anywhere.
If you apply that as the global policy it should work. The only problem you may get is if the DSCP field is stripped out when trunked to the ASA. If you are not using VLANs it shouldn't matter.
This is the error I get...
ciscoasa(config)# service-policy voice interface inside
ERROR: Class Voice has 'priority' set without 'priority-queue' in any interface
OK, forgot to apply the priority queue. If you do priority-queue outside.
Then do service-policy qos global.
That should apply the policy.
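Pulling the whole thread together, here is the complete form of the procedure the replies describe (a class map for EF-marked traffic on the tunnel, a policy map that gives it strict priority, the priority queue on the egress interface, the QoS policy applied globally, and the default inspections re-created on the inside interface as the second poster does it). This is an added example written for this page, not config posted by either participant. It reuses the names visible in the thread: tunnel-group aaaa (the redacted name in the posted config), class Voice, policy qos, and the inside/outside interface names; inside_policy is an assumed name for the per-interface inspection policy. Two caveats for anyone copying it: the ASA only queues what the gateways have already marked EF (the reply above notes a trunk can strip the DSCP field), and the posted config also allows SSH and HTTP management from any outside address, telnet from all of inside, and an inbound permit ip any any, none of which this example touches but all of which deserve tightening.

```cisco
! Added example, not from the thread. Names: tunnel-group "aaaa", class
! "Voice", policy "qos" and interface nameifs "inside"/"outside" come from
! the posted config; "inside_policy" is an assumed name.

! 1. Identify voice: EF-marked packets that belong to the site-to-site tunnel.
!    A Layer 3/4 class map takes one match, except that match tunnel-group
!    may be combined with exactly one other match, as here.
class-map Voice
 match tunnel-group aaaa
 match dscp ef

! 2. Strict-priority treatment for that class. The 'priority' keyword is
!    rejected until some interface has a priority queue (step 3), which is
!    the ERROR shown in the thread.
policy-map qos
 class Voice
  priority

! 3. Enable the priority queue on the interface the tunnel egresses.
!    queue-limit and tx-ring-limit are optional tuning sub-commands here;
!    the defaults are left in place.
priority-queue outside

! 4. One global service policy is allowed; apply the QoS policy there.
service-policy qos global

! 5. Re-create the default inspections the original poster deleted, bound to
!    the inside interface (one per-interface policy is allowed alongside the
!    global one). h323 and sip inspection matter for the Quintum gateways;
!    preset_dns_map is already present in the posted config.
class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512

policy-map inside_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect sip
  inspect skinny
  inspect tftp
  inspect netbios
  inspect sunrpc
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect xdmcp

service-policy inside_policy interface inside

! Verification while a call is up: the Voice class should accumulate
! priority-queue hits on the outside interface.
! show service-policy priority
! show priority-queue statistics outside
```

Order matters only in one place: enter priority-queue outside before (or at least before applying) the policy map that contains priority, otherwise the ASA returns the same "Class Voice has 'priority' set without 'priority-queue' in any interface" error the thread hit. Because the QoS policy is global, the class also matches EF traffic on the inside interface, but it only receives low-latency queueing on interfaces where a priority queue exists, which is why the queue goes on outside, the direction the encrypted voice actually leaves.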