4334 Views, 0 Helpful, 19 Replies

ASA Priority Queue and Ping

Ali Moghrabi
Level 1
Level 1

Hello,

I have set up a small network with 2 routers and an ASA.

One router is on the "inside" and the other on the "outside".

I have inspect icmp to allow pings through from the inside to the outside, and it works.

The purpose of this network is to try and set up QoS on the ASA for voice traffic, so I want to put in place a priority queue that looks for traffic marked with a DSCP value.

But the problem is that every time I enable the priority queue on the outside interface, the pings stop going through. I'm guessing it's the echo that's not going through, because the queue is on the outgoing traffic naturally.

Any ideas?

Thank you in advance


Sorry, I thought you meant the stats of the queue when it happened, my mistake.

Here are the logs of the ASA without the queue enabled:

%ASA-5-111008: User 'enable_15' executed the 'logging buffered 7' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'logging buffered 7'
%ASA-6-302020: Built outbound ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/3 laddr 10.0.0.2/3
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/3 laddr 10.0.0.2/3
%ASA-6-302020: Built outbound ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/3 laddr 10.0.0.2/3
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/3 laddr 10.0.0.2/3
%ASA-6-302020: Built outbound ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/3 laddr 10.0.0.2/3
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/3 laddr 10.0.0.2/3
%ASA-6-302020: Built outbound ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/3 laddr 10.0.0.2/3
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/3 laddr 10.0.0.2/3
%ASA-6-302020: Built outbound ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/3 laddr 10.0.0.2/3
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/3 laddr 10.0.0.2/3
%ASA-6-302020: Built outbound ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/4 laddr 10.0.0.2/4
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/4 laddr 10.0.0.2/4
%ASA-6-302020: Built outbound ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/4 laddr 10.0.0.2/4
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/4 laddr 10.0.0.2/4
%ASA-6-302020: Built outbound ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/4 laddr 10.0.0.2/4
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/4 laddr 10.0.0.2/4
%ASA-6-302020: Built outbound ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/4 laddr 10.0.0.2/4
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/4 laddr 10.0.0.2/4
%ASA-6-302020: Built outbound ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/4 laddr 10.0.0.2/4
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/4 laddr 10.0.0.2/4

With the priority queue enabled:

%ASA-5-111008: User 'enable_15' executed the 'priority-queue outside' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'priority-queue outside'
%ASA-6-302020: Built outbound ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/5 laddr 10.0.0.2/5
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/5 laddr 10.0.0.2/5
%ASA-6-302020: Built outbound ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/5 laddr 10.0.0.2/5
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/5 laddr 10.0.0.2/5
%ASA-6-302020: Built outbound ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/5 laddr 10.0.0.2/5
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/5 laddr 10.0.0.2/5
%ASA-6-302020: Built outbound ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/5 laddr 10.0.0.2/5
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.1.2/0 gaddr 10.0.0.2/5 laddr 10.0.0.2/5

It looks the same.

Do you need another type of logging?

BTW, I forgot to say that I'm using GNS3 with the asa-8.4 image.

I don't know if it's simulator related, but everything else works flawlessly on it, so I don't see why it would be the problem.

Your help is much appreciated, Jcarva. Thank you.

Hello Ali,

Agreed, same logs with both configurations.

Please send me the entire show running-config and I will run it in GNS as well, as this should be working.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

This is the entire config for the ASA:

ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet2
 nameif management
 security-level 0
 ip address 10.0.2.1 255.255.255.0
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route inside 10.0.3.0 255.255.255.0 10.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.2.2 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
priority-queue outside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
class-map VOIP-TRAFFIC
 match dscp ef
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map PRIORITY-POLICY
 class VOIP-TRAFFIC
  priority
policy-map QOS-TRAFFIC-OUT
 class class-default
  shape average 1000000
  service-policy PRIORITY-POLICY
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
service-policy QOS-TRAFFIC-OUT interface outside
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:02452dfcac71fd7ce34cbac28a210a41
: end

Entire config for the inside router:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname inside
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip domain name lab.local
!
!
!
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.0.3.1 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 10.0.1.0 255.255.255.0 10.0.0.1
!
no ip http server
!
!
control-plane
!
!
gatekeeper
 shutdown

Entire config for the outside router:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname outside
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
no ip domain lookup
ip domain name lab.local
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.0.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 10.0.0.0 255.255.255.0 FastEthernet0/0
ip route 10.0.0.0 255.255.255.0 10.0.1.1
ip route 10.0.3.0 255.255.255.0 FastEthernet0/0
ip route 10.0.3.0 255.255.255.0 10.0.1.1
!
no ip http server
!
!
!
control-plane
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

I removed RIP from the config and added static routes; I just wanted to eliminate RIP as a potential reason for this behaviour.
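A small config-audit helper, added here as an example (it is not Ali's lab code or anything from Cisco): it parses the MPF section of the ASA config above into policy-map/class/action nesting and checks the three things this design relies on before the queue itself is blamed for dropped pings: priority-queue enabled on the interface, a path from the interface service-policy to a priority action (here nested under the shaping class-default), and inspect icmp present so echo replies are allowed back. SAMPLE_CONFIG is a hand-condensed copy of the posted config, and the function names are my own.

```python
# Sample input: QoS-relevant lines of the ASA config posted in this thread, condensed by hand.
SAMPLE_CONFIG = """\
priority-queue outside
policy-map PRIORITY-POLICY
 class VOIP-TRAFFIC
  priority
policy-map QOS-TRAFFIC-OUT
 class class-default
  shape average 1000000
  service-policy PRIORITY-POLICY
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy QOS-TRAFFIC-OUT interface outside
"""

def parse_policy_maps(config):
    """Build {policy-map: {class: [actions]}} from the indented MPF lines."""
    pmaps, pm, cls = {}, None, None
    for raw in config.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if indent == 0:                     # any top-level command closes the policy-map
            pm = cls = None
            if line.startswith("policy-map "):
                pmaps[(pm := line.split()[1])] = {}
        elif pm and line.startswith("class "):
            pmaps[pm][(cls := line.split(None, 1)[1])] = []
        elif pm and cls:
            pmaps[pm][cls].append(line)
    return pmaps

def reaches_priority(pmaps, name):
    """True if policy `name`, directly or via a nested service-policy, has a 'priority' class."""
    for acts in pmaps.get(name, {}).values():
        if "priority" in acts or any(a.startswith("service-policy ") and
                                     reaches_priority(pmaps, a.split()[1]) for a in acts):
            return True
    return False

def audit(config, iface):
    """Findings a config review would raise before blaming the queue for dropped pings."""
    lines, pmaps, out = config.splitlines(), parse_policy_maps(config), []
    if f"priority-queue {iface}" not in lines:
        out.append(f"priority-queue not enabled on {iface}")
    tops = [l.split()[1] for l in lines if l.endswith(f" interface {iface}")]  # service-policy lines
    if not (tops and reaches_priority(pmaps, tops[0])):
        out.append(f"no 'priority' action reachable from the service-policy on {iface}")
    if not any("inspect icmp" in acts for pm in pmaps.values() for acts in pm.values()):
        out.append("inspect icmp missing: echo replies through the ASA depend on it")
    return out
```

On the posted config, audit(SAMPLE_CONFIG, "outside") returns no findings, which matches Julio's reading that the configuration itself should work.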

Any updates?

I'm still stuck on it.
