Traffic doesn't hit the QoS policy

xzjleo2005
Level 1

Hi

We are using ASA - router to build a VPN tunnel based on a DSL connection. On the router, I added the following QoS policy on the router's outside port, but it looks like no traffic hits the QoS policy on the router. On the ASA, however, I can see the traffic hit the QoS policy. Does anyone have any ideas about this issue?

Thanks, Leo

IOS: c2800nm-advipservicesk9-mz.124-15.T7.bin

ip access-list extended lighthouse
 permit ip any host 192.168.9.2

access-list 198 permit esp host X.X.X.X any
access-list 198 permit udp host X.X.X.X any eq isakmp
access-list 198 permit tcp any any eq 22
access-list 198 deny ip any any

class-map match-any lighthouse
 match access-group name lighthouse

policy-map ALL-TRAFFIC
 class lighthouse
  priority percent 50
 class class-default
  fair-queue
  random-detect

interface FastEthernet0/0
 description connect to DSL modem
 bandwidth 1024
 ip address Y.Y.Y.Y
 ip access-group 198 in
 ip route-cache flow
 duplex auto
 speed auto
 crypto map mymap
 service-policy output ALL-TRAFFIC


andrew.prince
Level 10

Double check your routing, how do you actually get to 192.168.9.2 - is it out the Fa0/0 interface?

Only one default route pointing to the ISP GW. All traffic will go through the VPN tunnel, including the traffic to 192.168.9.2. F0/0 is the outside interface connected to the ISP DSL modem.

Thanks, Leo

Do you see any hits on the access list?

Another thing - you have given the acl traffic a priority of 50% of the interface bandwidth = 50mbs, how big is the DSL pipe?

I can't see any traffic hit the acl, but I can see the traffic in netflow. That's very strange.

Well, there is your issue - if it's not hitting the acl, it won't hit the policy.

Try this:

Write a policy that uses the acl to "mark" the traffic on the inbound interface. Once it's marked - then you can write the policy to give it priority.

Thanks for your reply.

I tried the way you suggested and here is the show policy-map interface output. We can see a lot of traffic being marked now, but I am wondering why not much traffic is being put in the priority queue?

Thanks. Leo

-----------------------------------------
AP816N0001#sh policy-map interface
 FastEthernet0/0

  Service-policy output: ALL-TRAFFIC

    Class-map: outgo (match-any)
      7446 packets, 926436 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: precedence 5
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: ip precedence 5
        7446 packets, 926436 bytes
        5 minute rate 0 bps
      Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 512 (kbps) Burst 12800 (Bytes)
        (pkts matched/bytes matched) 8/1520
        (total drops/bytes drops) 0/0

    Class-map: class-default (match-any)
      140707 packets, 68075067 bytes
      5 minute offered rate 25000 bps, drop rate 0 bps
      Match: any
      Queueing
        Flow Based Fair Queueing
        Maximum Number of Hashed Queues 256
        (total queued/total drops/no-buffer drops) 0/0/0
         exponential weight: 9

  class    Transmitted        Random drop   Tail drop    Minimum  Maximum  Mark
           pkts/bytes         pkts/bytes    pkts/bytes   thresh   thresh   prob
      0    127616/66283953    0/0           0/0          20       40       1/10
      1    0/0                0/0           0/0          22       40       1/10
      2    0/0                0/0           0/0          24       40       1/10
      3    0/0                0/0           0/0          26       40       1/10
      4    0/0                0/0           0/0          28       40       1/10
      5    0/0                0/0           0/0          30       40       1/10
      6    13091/1791114      0/0           0/0          32       40       1/10
      7    0/0                0/0           0/0          34       40       1/10
   rsvp    0/0                0/0           0/0          36       40       1/10

 FastEthernet0/1

  Service-policy input: income

    Class-map: income (match-any)
      7446 packets, 485157 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name income
        7446 packets, 485157 bytes
        5 minute rate 0 bps
      QoS Set
        precedence 5
          Packets marked 7446

    Class-map: class-default (match-any)
      124216 packets, 60574939 bytes
      5 minute offered rate 23000 bps, drop rate 0 bps
      Match: any
-----------------------------------------

Don't forget this is QoS - Congestion management, if there is no congestion - there is nothing to do.
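The mark-then-prioritise setup discussed in this thread, written out as an added example (not configuration posted by any participant): the class, policy and interface names come from the show policy-map interface output above, while the entry in the income ACL and the exact set/match commands are assumptions. It relies on IPsec tunnel mode copying the ToS byte into the outer header by default, so the precedence set on the inside interface is still visible to the output policy on the crypto-map interface, where the encrypted packet no longer carries the inner destination address.

```cisco
! Added example. ACL contents are an assumption based on the original
! "lighthouse" ACL; adjust to the traffic that needs priority.
ip access-list extended income
 permit ip any host 192.168.9.2
!
! Step 1: classify on the inside interface, before encryption,
! while the real destination address is still visible.
class-map match-any income
 match access-group name income
!
policy-map income
 class income
  set precedence 5
!
interface FastEthernet0/1
 service-policy input income
!
! Step 2: on the outside interface match the marking, not the ACL.
! The outer ESP header carries the copied precedence value.
class-map match-any outgo
 match ip precedence 5
!
policy-map ALL-TRAFFIC
 class outgo
  priority percent 50
 class class-default
  fair-queue
  random-detect
!
interface FastEthernet0/0
 description connect to DSL modem
 ! "priority percent" is computed from this value (50% of 1024 = 512 kbps),
 ! so it should reflect the DSL upstream rate, not the port speed.
 bandwidth 1024
 crypto map mymap
 service-policy output ALL-TRAFFIC
!
! Checks:
!   show access-lists income        -> hit counters should increase
!   show policy-map interface       -> "Packets marked" on Fa0/1 should
!                                      track the outgo class count on Fa0/0
```

The per-class packet counter on the output policy counts classified packets, while "pkts matched" under Queueing only increases when packets are actually queued, which happens when the interface is congested.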
