Shape average command crashing my 5505 daily

Dean Romanelli
Level 4

Hi All,

I have a branch ASA 5505 with a VPN tunnel over a T-1 WAN to the data center, which has a centralized internet pipe.

Branch ASA 5505=========VPN TUNNEL===========Data Center ASA 5520=====Internet Pipe

I am trying to roll out hierarchical priority on all of my branch 5505s for VOIP, but applying these configs seems to be intermittently crashing my beta-branch, 3 times in a row now (last Friday, this Monday, & today); I have to power cycle the ASA to restore services. When I leave the QOS configs off, the branch stays up for weeks with no problems. I am pretty sure what is doing it is the shape average command, since I have to use it to tell the priority when to trigger since the WAN line is only 1.5Mbps, and the physical port of the ASA is 100Mbps. I have another site where the ISP circuit is truly 100Mbps, so I don't have to configure a shaper policy and that site has been up for 4+ months with identical configs as what is shown below minus the shape average part.

Are there any known bugs for the 5505 and shaping the interfaces? Below is my config:

firmware: asa913-k8, base license.

object-group network VOIP
 network-object 192.xx.xx.0 255.255.255.0
 network-object 192.xx.xx.0 255.255.255.0
 network-object 63.xxx.xx.0 255.255.255.0
 network-object 8.x.xxx.0 255.255.255.0
 network-object 8.xx.x.0 255.255.252.0

object-group service VOIP_Ports tcp-udp
 port-object range 5196 5199
 port-object range 5060 5061
 port-object range 2222 2269
 port-object eq 5299
 port-object eq 5443

access-list qos_priority extended permit udp 192.168.154.0 255.255.255.0 object-group VOIP object-group VOIP_Ports
access-list qos_priority extended permit tcp 192.168.154.0 255.255.255.0 object-group VOIP object-group VOIP_Ports

class-map QOS-VOICE
 match access-list qos_priority

policy-map QOS-POLICY
 class QOS-VOICE
  priority

policy-map QOS-TRIGGER
 class class-default
  shape average 1528000
  service-policy QOS-POLICY

service-policy QOS-TRIGGER interface outside

Accepted Solutions

The current "gold star" release is 9.1.6. I would be tempted to upgrade to the gold star release and see if the issue still happens (I bet it won't).

Philip D'Ath
VIP Alumni

It should never crash, so it seems obvious you are running a code version with a software defect. Which code version are you running?

Hi,

I am running asa913-k8 with a base license on this particular 5505.

Thanks.

The current "gold star" release is 9.1.6. I would be tempted to upgrade to the gold star release and see if the issue still happens (I bet it won't).

Thanks. This firewall is in the field across the country from me physically. If I do the upgrade remotely, will it retain its previous configuration after the upgrade completes?

Yes it will.

Thank you.  Do you know where I can procure a copy of that firmware release?

You have to have a Cisco maintenance contract, such as a SmartNet.  Then you can download it directly from Cisco.

You can get this from your favourite Cisco reseller.  If you don't have one you can use the Cisco partner locator to find one near you.

https://tools.cisco.com/WWChannels/LOCATR/openBasicSearch.do

Ok, thanks very much.
