ip sla over ipsec

Vasilij Laptev
Level 1

Hello folks!

I’ve faced strange behavior of IP SLA over IPsec.

We have a remote office (Cisco 891) connected to the hub (ASA 5520) via EzVPN.

This tunnel is used almost entirely for VoIP traffic, so we need to monitor quality.

There is the following IP SLA on 10.10.1.2: udp-jitter 10.10.5.1 37258 source-ip 10.10.1.2 source-port 37259 codec g729a.

IP SLA reports unexpected jitter values: current jitter is around 100 ms, and only source-to-destination negative jitter is good.

    Source to destination positive jitter Min/Avg/Max: 1/2/95 milliseconds
    Source to destination positive jitter Number/Sum/Sum2: 314/854/27956
    Source to destination negative jitter Min/Avg/Max: 1/2/20 milliseconds
    Source to destination negative jitter Number/Sum/Sum2: 322/854/7204
    Destination to Source positive jitter Min/Avg/Max: 1/2/98 milliseconds
    Destination to Source positive jitter Number/Sum/Sum2: 150/443/27639
    Destination to Source negative jitter Min/Avg/Max: 1/2/97 milliseconds

Actually, the quality of the call is not so bad; it’s acceptable.

I completed another test case: I replaced the VPN with a GRE tunnel, and all jitter values are good:

    Source to destination positive jitter Min/Avg/Max: 1/2/13 milliseconds
    Source to destination positive jitter Number/Sum/Sum2: 146/312/1560
    Source to destination negative jitter Min/Avg/Max: 1/2/13 milliseconds
    Source to destination negative jitter Number/Sum/Sum2: 151/312/1500
    Destination to Source positive jitter Min/Avg/Max: 1/1/28 milliseconds
    Destination to Source positive jitter Number/Sum/Sum2: 170/322/2960
    Destination to Source negative jitter Min/Avg/Max: 1/1/20 milliseconds

In both cases the channel's bandwidth is the same.

Is it an issue when IP SLA runs over IPsec, or something else?

2 Replies

Akhil Behl
Level 1

Hello Vasilij

Are you using QoS pre-classification for the IP SLA traffic? If not, it could be because the IP SLA traffic is not being treated at the right priority and is competing with other interesting traffic in the IPsec ACL that you're not getting the same results as with traffic over GRE.

Regards,


Akhil Behl
Solutions Architect
akbehl@cisco.com

Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953

Hello Akhil,

I applied QoS pre-classification on the WAN interface of the Cisco 891 like this:

class-map match-all call-setup
 match ip precedence 3
class-map match-any mission-critical
 match ip precedence 2
 match ip precedence 6
class-map match-all voice
 match ip precedence 5
policy-map class_voice
 class mission-critical
  bandwidth percent 22
 class voice
  priority 5544
 class call-setup
  bandwidth percent 5
 class class-default
  fair-queue
!

but it didn’t help; besides, I have no idea how to do the same on the ASA.

Actually, the matter is that the ASA has too many VPN clients, about 140 (almost all SSL clients); when the EzVPN server was moved to an ASA 5540 without any clients, the jitter became far better.
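
Added example, not part of any post in this thread: the Min/Avg/Max lines above look almost identical for IPsec and GRE because the averages are whole milliseconds, so this Python sketch recovers the mean and standard deviation from the Number/Sum/Sum2 counters instead. It assumes Sum2 is the sum of squared jitter samples in milliseconds; the function name `jitter_stats` and the sample strings (copied from the two outputs above) are constructed for illustration.

```python
import math
import re

# Constructed samples: Number/Sum/Sum2 lines copied from the thread's outputs.
IPSEC_OUTPUT = """\
    Source to destination positive jitter Number/Sum/Sum2: 314/854/27956
    Source to destination negative jitter Number/Sum/Sum2: 322/854/7204
    Destination to Source positive jitter Number/Sum/Sum2: 150/443/27639
"""
GRE_OUTPUT = """\
    Source to destination positive jitter Number/Sum/Sum2: 146/312/1560
    Source to destination negative jitter Number/Sum/Sum2: 151/312/1500
    Destination to Source positive jitter Number/Sum/Sum2: 170/322/2960
"""

COUNTER_LINE = re.compile(
    r"^\s*(?P<label>.+?jitter)\s+Number/Sum/Sum2:\s*"
    r"(?P<n>\d+)/(?P<s>\d+)/(?P<s2>\d+)\s*$",
    re.IGNORECASE,
)

def jitter_stats(text):
    """Return {label: (mean_ms, stddev_ms)} for each Number/Sum/Sum2 line.

    Assumption: Sum2 is the sum of squares of the samples, so
    variance = Sum2/N - (Sum/N)^2.
    """
    stats = {}
    for line in text.splitlines():
        m = COUNTER_LINE.match(line)
        if not m:
            continue  # Min/Avg/Max lines and anything else are skipped
        n, s, s2 = int(m["n"]), int(m["s"]), int(m["s2"])
        if n == 0:
            continue  # no samples in this direction, nothing to compute
        mean = s / n
        variance = max(s2 / n - mean * mean, 0.0)  # guard against rounding
        stats[m["label"].lower()] = (mean, math.sqrt(variance))
    return stats

if __name__ == "__main__":
    for name, text in (("IPsec", IPSEC_OUTPUT), ("GRE", GRE_OUTPUT)):
        for label, (mean, std) in jitter_stats(text).items():
            print(f"{name:5} {label}: mean {mean:.2f} ms, stddev {std:.2f} ms")
```

With these counters the means stay under 3 ms in both cases, while the standard deviation is several times larger over IPsec, which points to occasional large spikes rather than consistently high jitter.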