topic Hi; Use this example: http:/ in Network Security

QoS for Citrix traffic over over traffic in ASA 5505

Dean Romanelli — Tue, 12 Mar 2019 06:25:08 GMT

Hi All,

I have about 140 sites in the field that use ASA 5505's to VPN back to my data center for all services. Among those services are Citrix Published desktops. However, some of these sites had limited bandwidth, and when the lines are saturated, the Citrix expierience suffers. I am being asked by the Citrix team if there is a way to apply QoS in the ASA but only for Citrix traffic?

Our Citrix traffic rides on the same subnet at each site as all other data services (centralized internet, e-mail, etc....). What differentiates it is that it uses TCP port 1495 & 2598.

Is there any way I can set up QoS to prioritize only the flows using those ports?

Hi; Use this example: http:/

Maykol Rojas — Fri, 14 Aug 2015 17:33:11 GMT

Hi;

Use this example:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82310-qos-voip-vpn.html#anc19

Instead of using the ports for H232 and SIP, change to the ports 1495 and 2598, that should do it.

It has to be under the tunnel-flow, if you do the regular one it would not work.

Mike.

Thanks Mike.Question for you:

Dean Romanelli — Tue, 18 Aug 2015 14:57:42 GMT

Thanks Mike.

Question for you: Once I drop in the configs from the example, how can I configure it on when I want the prioritization to trigger? For example: If I want it to prioritize Citrix traffic only if link saturation is at 1.1Mbps, for example? Or will it always prioritize Citrix, regardless of the environment conditions at any given time (i.e. whether the link bandwidth is at 1% or 99%).

Also, in the example on Cisco's site, I see that access-list 100 is applied to the outside interface. Is this step required? I only ask because right now I have another ACL applied to the outside interface (outside_access_in), so I can't apply another one to that same interface. I suppose I could roll up those rules into the new QOS access list but won't that give priority for those flows as well?

Hello; Unfortunately it

Maykol Rojas — Tue, 18 Aug 2015 19:49:18 GMT

Hello;

Unfortunately it cannot be on demand, it is always on. You can easily have every aspect of it on configured and then you can apply the service policy, but this would require for you to be adding config (on ASDM would be a single click) and clearing the conn table on the firewall (this can be service impacting)

Regarding the ACL, no, you dont need to use it on the interface, but you will need it on the inbound class map.

If you have any questions, let me know.

Mike

Thanks Mike. Actually after

Dean Romanelli — Wed, 19 Aug 2015 12:30:35 GMT

Thanks Mike. Actually after re-reading the example, they are saying to apply the ACL:

!--- Apply the ACL 100 for the inbound traffic of the outside interface.

ciscoasa(config)#access-group 100 in interface outside

Just want to double confirm that this step is OK to skip and the QOS will still work without it. ACL 100 is also the Voice-IN ACL match in the class map in the example.

One more question: Your statement above: "It has to be under the tunnel-flow, if you do the regular one it would not work." ---> So my crypto ACL for the VPN tunnel is "permit ip 192.168.186.0 255.255.255.0 any4." It is going to any4 because both internet & citrix come from the same data center. However, the Citrix traffic is only going to come from 192.168.120.0/24. Given that, are you saying that if my crypto ACL is "permit ip 192.168.186.0 255.255.255.0 any4" that my QOS ACL needs to also be that exact flow (permit tcp 192.168.186.0 255.255.255.0 any4 eq 1494)? Or can I be more specific and do "permit tcp 192.168.186.0 255.255.255.0 192.168.120.0 255.255.255.0 eq 1494?"

No issues, I think the reason

Maykol Rojas — Wed, 19 Aug 2015 17:31:33 GMT

No issues, I think the reason why that ACL 100 is configured on the interface is due to the fact that the document assume that the "sysopt connection permit-vpn" is not configured. Check if you have it (sh run all | inc sysopt).

With the ACL for QoS, you can be as specific as you want, it does not have to be the same as the tunnel ACL.

Mike.

Hi Mike,Yes it is in there.

Dean Romanelli — Thu, 20 Aug 2015 11:44:04 GMT

Hi Mike,

Yes it is in there. Thanks so much for all your help.