Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1152
Views
0
Helpful
6
Replies

QoS ASA 5505 policing

kgreenway
Level 1
Level 1

‎06-11-2013 01:46 AM - edited ‎03-11-2019 06:55 PM

Hi All,

I'm looking for some assistance on QoS policing configuration on an ASA 5505.

The ASA is situated behind a cable modem which provides an SLA of 3.2Mbps out.

I've configured a QOS policy to place VoIP and other essential traffic (RDP/Citrix/PCoIP) into a priority queue, whilst policing default class to 3.2Mbps to police out to the cable modem.

I can see on the outside interface graphs that this is rating the output traffic down to 3.2Mbps as expected, but noticing at certain points of high output traffic drops down to 1.6Mbps.  I can't see anything obvious in syslog or any other areas to look, so looking for any pointers as to why the speed is suddenly dropping down.  Likewise if I rate the output to 2Mbps, it will suddenly drop down to 1Mbps at high output rates.

The ASA is running on 8.0(5) and I enclose a copy of the sample QoS config below and attached a sanitized run config, as well as screenshot taken of the outside interface Bit Rates plus service-policy.

Any help much appreciated!

access-list VoIP-Traffic-OUT extended permit tcp 172.16.6.0 255.255.255.0 host 68.98.217.252 eq h323

access-list VoIP-Traffic-OUT extended permit udp 172.16.6.0 255.255.255.0 host 68.98.217.252 object-group rtp

access-list VoIP-Traffic-OUT extended permit tcp 172.16.6.0 255.255.255.0 host 68.98.217.252 eq 2000

access-list VMs-Traffic-Out extended permit tcp 172.16.6.0 255.255.255.0 192.168.168.0 255.255.255.0 eq 3389

access-list VMs-Traffic-Out extended permit tcp 172.16.6.0 255.255.255.0 192.168.168.0 255.255.255.0 eq citrix-ica

access-list VMs-Traffic-Out extended permit tcp 172.16.6.0 255.255.255.0 192.168.168.0 255.255.255.0 eq 4172

access-list VMs-Traffic-Out extended permit udp 172.16.6.0 255.255.255.0 192.168.168.0 255.255.255.0 eq 4172

access-list VMs-Traffic-Out extended permit tcp 172.16.6.0 255.255.255.0 192.168.168.0 255.255.255.0 eq 32111

class-map UKVoice-OUT

match dscp ef

class-map Voice-OUT

match access-list VoIP-Traffic-OUT

class-map VMs-OUT

match access-list VMs-Traffic-Out

policy-map QOS-TRAFFIC-OUT

class Voice-OUT

  priority

class UKVoice-OUT

  priority

class VMs-OUT

  priority

class class-default

  police output 3200000

service-policy QOS-TRAFFIC-OUT interface outside

Labels:
Preview file
181 KB
15362078-ASA sanitized.txt.zip
0 Helpful
6 Replies 6

Julio Carvajal
VIP Alumni
VIP Alumni

‎06-11-2013 08:04 AM

Hello,

So at the moment of the issue the traffic rate is the same than when we are running at 3.2 mbps?

One thing I notice is that on the running configuration you attached you only are using one service-policy

service-policy global_policy global

I do not see this:

service-policy QOS-TRAFFIC-OUT interface outside

Can U doble check that

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

kgreenway
Level 1
Level 1
In response to Julio Carvajal

‎06-11-2013 12:27 PM

Hi,

Thanks for replying.

Yes you are correct the service-policy QOS-TRAFFIC-OUT interface outside command was temporarily disabled from the sh run, to confirm the issue with rate drop is not due to the cable modem itself.

I can confirm 100% this was in the config at the point the screenshots were observed. 

Any ideas?

Thanks,

Kevin

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to kgreenway

‎06-11-2013 12:51 PM

Hello Kevin,

Well, If that's the case I do not see a reason why this should not be working,

Any reason why we have on 2 different policy-maps the priority queue configured?

Do you want to apply it globally and not just on the outside interface?

How is the ASA CPU/Interface errors/Memory when you see that drop?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

kgreenway
Level 1
Level 1
In response to Julio Carvajal

‎06-17-2013 04:15 AM

Hi,

The other policy-map is left in there for historical reasons and I inherited that as is.

The CPU runs between 18-23%, Memory at 200MB with no spikes or interface errors at the time the problem occurs., so very strange..

Any further ideas would be appreciated, as this is really confusing me..

Thanks,

Kevin

0 Helpful

Favaloro.
Level 1
Level 1
In response to kgreenway

‎06-17-2013 02:33 PM

What's the total amount of bandwidth on the outside?

Do you notice any problems with the downloads while the problem is happening?

Does it happen with the police and priority configuration in place?

If you compare the results you get in that graph, on the "Table" tab with the output of the "show traffic" command from the ASA right after issuing a "clear traffic", do the numbers match?

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to kgreenway

‎06-17-2013 03:26 PM

Hello,

The question here would be, is the ASA the one causing the drop on the rate,

Can you share the show service-policy

Regards

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card