https://community.cisco.com/t5/network-security/voip-latency-when-in-line-on-4255/m-p/1468195#M67518 <HTML><HEAD></HEAD><BODY><P>Hi David,</P><P>&nbsp;&nbsp; The first thing I would suggest doing is browsing&nbsp; through the recent events from the sensor for any which may have been&nbsp; triggered by traffic coming from addresses in use by your VoIP system.&nbsp;&nbsp; In the absence of any relevant events, you can create an Event Action&nbsp; Override for Risk Rating 0-100 to add the Produce Alert action, setup a&nbsp; few more calls and then check the event store again.&nbsp; The EAO will cause&nbsp; all signatures, even those without the Produce Alert action configured&nbsp; by default, to log events to the event store. When you're done testing,&nbsp; disable the EAO to prevent wasting resources on the sensor.</P><P></P><P>If you still don't see any events, it's possible that&nbsp; the sensor is oversubscribed despite the fact that your capture may&nbsp; appear to be well under the 600Mb documented for that model.&nbsp; The 600Mb&nbsp; metric is measured using a sensor with completely default signature sets&nbsp; and transfering "media rich" traffic (i.e. a lower number of higher&nbsp; volume streams), while in promiscuous mode.&nbsp; The "transactional" rating&nbsp; is 500Mb, under the same conditions.&nbsp; Voice is generally considered&nbsp; "transactional" traffic.&nbsp; When deploying a sensor inline, a very rough&nbsp; estimate is to shave 20% off the expected performance, so you'd end up&nbsp; with 400Mb in this case.&nbsp; This would be the theoretical maximum of the&nbsp; aggregate traffic in both directions.&nbsp; If you start altering the default&nbsp; signatures that Cisco provides the performance can begin to drop off&nbsp; rapidly depending on the complexity and number of signatures you tune..</P><P></P><P>If,&nbsp; after double check in the signatures firing, defaulting the signature&nbsp; set and checking the traffic rate (which should be monitored at peak&nbsp; times, or at least those during which you are consistently experiencing&nbsp; the problem) you are still unable to explain the degredation, it may be&nbsp; worth it to open a TAC case.</P><P></P><P>Best Regards,<BR /> JT</P></BODY></HTML> Fri, 30 Apr 2010 18:00:56 GMT Justin Teixeira 2010-04-30T18:00:56Z https://community.cisco.com/t5/network-security/voip-latency-when-in-line-on-4255/m-p/1468194#M67517 <P>We are experiencing an issue with latency when we place our remote office traffic in-line using a 4255.&nbsp; The latency is impacting our VoIP traffic and causing voice quality issues.&nbsp; The problem goes away if the 4255 is (physically) bypassed.</P><P></P><P>From looking at packet captures, the traffic through the interface pairs does not seem excessive and is well below the 600Mbs the appliance is rated for. </P><P></P><P>Are there any settings on the the device or signatures that I should look at tuning to help reduce the latency?</P><P></P><P>Thanks in advance.</P><P></P><P>David</P> Sun, 10 Mar 2019 11:58:49 GMT https://community.cisco.com/t5/network-security/voip-latency-when-in-line-on-4255/m-p/1468194#M67517 davidelon 2019-03-10T11:58:49Z https://community.cisco.com/t5/network-security/voip-latency-when-in-line-on-4255/m-p/1468195#M67518 <HTML><HEAD></HEAD><BODY><P>Hi David,</P><P>&nbsp;&nbsp; The first thing I would suggest doing is browsing&nbsp; through the recent events from the sensor for any which may have been&nbsp; triggered by traffic coming from addresses in use by your VoIP system.&nbsp;&nbsp; In the absence of any relevant events, you can create an Event Action&nbsp; Override for Risk Rating 0-100 to add the Produce Alert action, setup a&nbsp; few more calls and then check the event store again.&nbsp; The EAO will cause&nbsp; all signatures, even those without the Produce Alert action configured&nbsp; by default, to log events to the event store. When you're done testing,&nbsp; disable the EAO to prevent wasting resources on the sensor.</P><P></P><P>If you still don't see any events, it's possible that&nbsp; the sensor is oversubscribed despite the fact that your capture may&nbsp; appear to be well under the 600Mb documented for that model.&nbsp; The 600Mb&nbsp; metric is measured using a sensor with completely default signature sets&nbsp; and transfering "media rich" traffic (i.e. a lower number of higher&nbsp; volume streams), while in promiscuous mode.&nbsp; The "transactional" rating&nbsp; is 500Mb, under the same conditions.&nbsp; Voice is generally considered&nbsp; "transactional" traffic.&nbsp; When deploying a sensor inline, a very rough&nbsp; estimate is to shave 20% off the expected performance, so you'd end up&nbsp; with 400Mb in this case.&nbsp; This would be the theoretical maximum of the&nbsp; aggregate traffic in both directions.&nbsp; If you start altering the default&nbsp; signatures that Cisco provides the performance can begin to drop off&nbsp; rapidly depending on the complexity and number of signatures you tune..</P><P></P><P>If,&nbsp; after double check in the signatures firing, defaulting the signature&nbsp; set and checking the traffic rate (which should be monitored at peak&nbsp; times, or at least those during which you are consistently experiencing&nbsp; the problem) you are still unable to explain the degredation, it may be&nbsp; worth it to open a TAC case.</P><P></P><P>Best Regards,<BR /> JT</P></BODY></HTML> Fri, 30 Apr 2010 18:00:56 GMT https://community.cisco.com/t5/network-security/voip-latency-when-in-line-on-4255/m-p/1468195#M67518 Justin Teixeira 2010-04-30T18:00:56Z