QoS for Citrix traffic over VPN in ASA 5505

Dean Romanelli
Level 4

Hi All,

I have about 140 sites in the field that use ASA 5505s to VPN back to my data center for all services. Among those services are Citrix published desktops. However, some of these sites have limited bandwidth, and when the lines are saturated, the Citrix experience suffers. I am being asked by the Citrix team if there is a way to apply QoS in the ASA but only for Citrix traffic.

Our Citrix traffic rides on the same subnet at each site as all other data services (centralized internet, e-mail, etc....). What differentiates it is that it uses TCP port 1495 & 2598.

Is there any way I can set up QoS to prioritize only the flows using those ports?

Accepted Solution

Maykol Rojas
Cisco Employee

Hi;

Use this example:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82310-qos-voip-vpn.html#anc19

Instead of using the ports for H.323 and SIP, change to the ports 1495 and 2598; that should do it.

It has to be under the tunnel-flow; if you do the regular one it would not work.

Mike.

6 Replies


Thanks Mike.

Question for you: Once I drop in the configs from the example, how can I configure when I want the prioritization to trigger? For example, if I want it to prioritize Citrix traffic only when link saturation is at 1.1 Mbps? Or will it always prioritize Citrix, regardless of the environment conditions at any given time (i.e. whether the link bandwidth is at 1% or 99%)?

Also, in the example on Cisco's site, I see that access-list 100 is applied to the outside interface. Is this step required? I only ask because right now I have another ACL applied to the outside interface (outside_access_in), so I can't apply another one to that same interface. I suppose I could roll those rules up into the new QoS access list, but won't that give priority to those flows as well?

Hello;

Unfortunately it cannot be on demand; it is always on. You can have every aspect of it configured and then apply the service policy when needed, but this would require you to add config (in ASDM it would be a single click) and clear the conn table on the firewall (this can be service impacting).

Regarding the ACL, no, you don't need to use it on the interface, but you will need it on the inbound class map.

If you have any questions, let me know.

Mike

Thanks Mike. Actually, after re-reading the example, they are saying to apply the ACL:

    !--- Apply the ACL 100 for the inbound traffic of the outside interface.
    ciscoasa(config)#access-group 100 in interface outside

Just want to double-confirm that this step is OK to skip and the QoS will still work without it. ACL 100 is also the Voice-IN ACL match in the class map in the example.

One more question, about your statement above: "It has to be under the tunnel-flow, if you do the regular one it would not work." So my crypto ACL for the VPN tunnel is "permit ip 192.168.186.0 255.255.255.0 any4." It is going to any4 because both internet and Citrix come from the same data center. However, the Citrix traffic is only going to come from 192.168.120.0/24. Given that, are you saying that if my crypto ACL is "permit ip 192.168.186.0 255.255.255.0 any4", my QoS ACL needs to also be that exact flow (permit tcp 192.168.186.0 255.255.255.0 any4 eq 1494)? Or can I be more specific and do "permit tcp 192.168.186.0 255.255.255.0 192.168.120.0 255.255.255.0 eq 1494"?

No issues. I think the reason why that ACL 100 is configured on the interface is that the document assumes "sysopt connection permit-vpn" is not configured. Check if you have it (sh run all | inc sysopt).

With the ACL for QoS, you can be as specific as you want; it does not have to be the same as the tunnel ACL.

Mike.
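Putting the two answers together, here is an added ASA configuration example (constructed for this thread, not the Cisco document's or Mike's config) that classifies only the Citrix ports from the site subnet to the Citrix subnet quoted above and puts them in the interface priority queue; the ACL and policy names are placeholders, port 1494 is used as in the later posts, and the `show` commands at the end are the checks Mike mentions plus the standard QoS verification commands.

```cisco
! Constructed example: priority-queue Citrix ICA/CGP flows from the site LAN
! (192.168.186.0/24) to the data-center Citrix subnet (192.168.120.0/24).
! Names (CITRIX_QOS, CITRIX_PRIORITY, OUTSIDE_QOS) are placeholders.

! Classification ACL: referenced ONLY by the class-map, never applied with
! access-group, so the existing outside_access_in ACL stays as it is.
! It is deliberately narrower than the crypto ACL (192.168.186.0/24 -> any4).
access-list CITRIX_QOS extended permit tcp 192.168.186.0 255.255.255.0 192.168.120.0 255.255.255.0 eq 1494
access-list CITRIX_QOS extended permit tcp 192.168.186.0 255.255.255.0 192.168.120.0 255.255.255.0 eq 2598

class-map CITRIX_PRIORITY
 match access-list CITRIX_QOS

! Everything else through the tunnel stays in the default best-effort queue.
policy-map OUTSIDE_QOS
 class CITRIX_PRIORITY
  priority

! A priority class does nothing until the interface has a priority queue.
priority-queue outside

! One service-policy per interface; it is always on, not triggered by load.
service-policy OUTSIDE_QOS interface outside

! Verification
show running-config all | include sysopt
show service-policy interface outside priority
show priority-queue statistics outside
```

Whether the pre-encryption Citrix flow is actually hitting the class is the tunnel-flow point Mike raises; confirm it with the priority counters under load rather than assuming the match from the ACL alone.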

Hi Mike,

Yes, it is in there. Thanks so much for all your help.
