Cisco Support Community

Control Congestion on ADSL / IPSec VPN WAN


We have a WAN consisting of a mix of ADSL 1 and ADSL 2+ links with variable sync speeds. Over the ADSL links we run 3DES IPSec Site to Site VPN.

Over this WAN we would like to put Citrix ICA traffic as the highest priority and let everything else battle over what is left.

We have tried Priority based queuing but found that can lead to loads of interface resets and other errors on Ethernet interfaces.

We thought of LLQ but as the sync speed can vary depending on line conditions I had no idea what value to put into kbps for shaping etc.

Hardware wise we run a mix of 32MB, 48MB and 64MB 837-k9's, 877-k9's with a core router of a 2821 K9 Hsec (with AIM VPN Module).

Any ideas on how to perhaps use LLQ but what values to use, does the % option work? When I look at the recorded bandwidth on the dialer or ATM interfaces it doesn't equal the sync speed...




Re: Control Congestion on ADSL / IPSec VPN WAN

Check out the following link for configuring LLQ for IPSec Encryption Engine:


Re: Control Congestion on ADSL / IPSec VPN WAN

Thanks for the link, which gives me more confidence on configuring for IPSec tunnels. One query though is that the CIR or at least the sync speed of the links varies on a daily/weekly basis depending on line quality. So how should I specify bandwidths?

Re: Control Congestion on ADSL / IPSec VPN WAN


As a rule of thumb when setting the bandwidth: at least make sure that there is enough for your CITRIX class. In case the speed varies it still means that there will be a guarantee of say 512 kbps (or any other value which makes sense in your environment) to this traffic. Anything else will "battle for the rest".

Queueing is only involved when there is an overload situation detected (HW queue full). So I would be cautious in setting bandwidth. A too high value hurts and a too low value does not.

Also be aware that you can only control the output interface, i.e. what you send to the ISP. You cannot prioritize the return traffic without the help of the ISP. It is his interface towards you which would require QoS settings as well (presumably).

Hope this helps! Please rate all posts.

Regards, Martin


Re: Control Congestion on ADSL / IPSec VPN WAN

Just wondering how does using the percent option go with LLQ Priority?


Re: Control Congestion on ADSL / IPSec VPN WAN

Hi Scott,

That option works quite well. We use it in our network when we intend to apply the same policy to interfaces with different bandwidths (allowing better re-use of policies).

You will, of course, have to accept that if your interface bandwidth changes dynamically, your actual priority bandwidth allocation (in kbps) will also vary.

Hope that helps - pls rate the post if it does.

