03-15-2013 01:07 AM - edited 03-16-2019 04:16 PM
Hello folks!
I've faced strange behavior of IP SLA over IPsec.
We have a remote office (Cisco 891) connected to a hub (ASA 5520) via EzVPN.
This tunnel is used mostly for VoIP traffic, so we need to monitor quality.
There is the following IP SLA on 10.10.1.2: udp-jitter 10.10.5.1 37258 source-ip 10.10.1.2 source-port 37259 codec g729a.
IP SLA reports unexpected jitter values: current jitter is around 100 ms, and only the source-to-destination negative jitter is good.
Source to destination positive jitter Min/Avg/Max: 1/2/95 milliseconds
Source to destination positive jitter Number/Sum/Sum2: 314/854/27956
Source to destination negative jitter Min/Avg/Max: 1/2/20 milliseconds
Source to destination negative jitter Number/Sum/Sum2: 322/854/7204
Destination to Source positive jitter Min/Avg/Max: 1/2/98 milliseconds
Destination to Source positive jitter Number/Sum/Sum2: 150/443/27639
Destination to Source negative jitter Min/Avg/Max: 1/2/97 milliseconds
Actually, the quality of the call is not so bad; it's acceptable.
I ran another test case: I replaced the VPN with a GRE tunnel, and all the jitter values are good:
Source to destination positive jitter Min/Avg/Max: 1/2/13 milliseconds
Source to destination positive jitter Number/Sum/Sum2: 146/312/1560
Source to destination negative jitter Min/Avg/Max: 1/2/13 milliseconds
Source to destination negative jitter Number/Sum/Sum2: 151/312/1500
Destination to Source positive jitter Min/Avg/Max: 1/1/28 milliseconds
Destination to Source positive jitter Number/Sum/Sum2: 170/322/2960
Destination to Source negative jitter Min/Avg/Max: 1/1/20 milliseconds
In both cases the channel's bandwidth is the same.
Is this an issue with IP SLA running over IPsec, or something else?
03-22-2013 10:20 PM
Hello Vasilij
Are you using QoS pre-classification for the IP SLA traffic? If not, it could be that you're not getting the same results as over GRE because the IP SLA traffic is not being treated at the right priority and is competing with other interesting traffic in the IPsec ACL.
Regards,
Akhil Behl
Solutions Architect
akbehl@cisco.com
Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953
03-27-2013 02:45 AM
Hello Akhil,
I applied QoS pre-classification on the WAN interface of the Cisco 891 like this:
class-map match-all call-setup
 match ip precedence 3
class-map match-any mission-critical
 match ip precedence 2
 match ip precedence 6
class-map match-all voice
 match ip precedence 5
policy-map class_voice
 class mission-critical
  bandwidth percent 22
 class voice
  priority 5544
 class call-setup
  bandwidth percent 5
 class class-default
  fair-queue
!
But it didn't help; besides, I have no idea how to do the same on the ASA.
Actually, the issue is that the ASA has too many VPN clients, about 140 (almost all SSL clients). When the EzVPN server was moved to the ASA 5540 without any clients, the jitter became far better.