Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2482
Views
5
Helpful
4
Replies

VOIP QOS ASA Issue

Go to solution
John Apricena
Beginner
Beginner

‎07-21-2014 11:39 AM - edited ‎03-11-2019 09:30 PM

Hello Support,

 

We have two locations which each have an ASA. See attached for models. There are VOIP phones at Office 2, and basically all calls from the phone device 172.30.30.10 route through the phone device 192.168.8.10. The idea behind this design from the beginning was so that Office 2 could dial out from the same number as Office 1. Users at Office 2 are experiencing about 10-15 drops in call quality per day. Call completes, but there are time when users cannot hear the other end and then it just reconnects during the call. It's my understanding, that I will need QOS on all the devices in route which I have depicted in the diagram. Internet circuit at office 1 is 1000 Mb, and internet circuit at office 2 is 50 Mb. I have the below configured on the devices. Please advise if I'm missing anything, as calls continue to experience drops in service.

Office 2

ASA 5505

class-map VOIP
 match dscp ef

policy-map QOS
 class class-default
  shape average 1000000

policy-map global_policy

class VOIP

  priority

service-policy global_policy global
service-policy QOS interface outside

Office 1

ASA 5550

class-map VOIP
 match dscp ef

policy-map QOS
 class class-default
  shape average 10000000

policy-map global_policy

 class VOIP
  priority

service-policy global_policy global

Cisco 3560

mls qos

interface GigabitEthernet0/1 (uplink to ASA 5550)

 

 

 

mls qos trust cos

interface GigabitEthernet0/3 (uplink to 2960)

mls qos trust cos

Cisco 2960

mls qos

access-list 101 permit ip any any

class-map match-all VOIP
 match access-group 101

policy-map QOS

 class VOIP
  set ip dscp ef

interface GigabitEthernet1/0/25 (uplink to IS Device)

 mls qos trust dscp
 service-policy input QOS

 

 

 

 

 

 

Labels:
Preview file
149 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
nkarthikeyan
Rising star
Rising star
In response to John Apricena

‎07-28-2014 02:23 AM

Hi,

You can try setting priority queuing on the interfaces and verify the required inspect statements for h323 h225, h323 ras, skinny, sip is enabled already.... if not try with the below mentioned Qos on your firewalls and check if that solves the problem.....

 

Office 1:1000 Mbps

access-list voip_inside extended permit ip <other end voip subnet> <inside Voip Subnet>
!
access-list voip_outside extended permit ip <inside Voip Subnet> <other end voip subnet>
!
priority-queue inside
priority-queue outside
!
class-map voice-inside-class
 match access-list voip_inside
class-map voip-outside-class
 match access-list voip_outside
!
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect skinny
  inspect sip
!
policy-map outside-policy
 class voip-outside-class
  priority
policy-map inside-policy
 class voice-inside-class
  priority
!
policy-map ins-policy
 class class-default
  shape average 100000000
  service-policy inside-policy
!
policy-map out-policy
 class class-default
  shape average 100000000
  service-policy outside-policy
!
service-policy global_policy global
service-policy ins-policy interface inside
service-policy out-policy interface outside

Office 2: 50 Mbps

access-list voip_inside extended permit ip any <inside Voip Subnet>
!
access-list voip_outside extended permit ip <inside Voip Subnet> any
!
priority-queue inside
priority-queue outside
!
class-map voice-inside-class
 match access-list voip_inside
class-map voip-outside-class
 match access-list voip_outside
!
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect skinny
  inspect sip
!
policy-map outside-policy
 class voip-outside-class
  priority
policy-map inside-policy
 class voice-inside-class
  priority
!
policy-map ins-policy
 class class-default
  shape average 5000000
  service-policy inside-policy
!
policy-map out-policy
 class class-default
  shape average 5000000
  service-policy outside-policy
!
service-policy global_policy global
service-policy ins-policy interface inside
service-policy out-policy interface outside

 

Regards

Karthik

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Julio Carvajal
Advisor
Advisor

‎07-21-2014 10:12 PM

Hello,

 

Pls answer the following question.

 

How many MB do you want to give on each site based on the pipe to the ISP for Regular Data traffic?

 

Regards,

 

jcarvaja
CCIE R&S 42930, 2-CCNP,JNCIS-SEC
Looking for a quick remote support session? Contact us at inetworks.cr 

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Go to solution
John Apricena
Beginner
Beginner
In response to Julio Carvajal

‎07-27-2014 01:03 PM

Hi jcarvaja,

 

i'd like to give 97+% of the pipe on both ends. Free up about 1% of the internet line on both ends for phone traffic. So on Site 1 since they have 1000 Mb internet, I'd like to dedicate about 10 Mb to phone traffic, and on site has a 50 Mb connection, so I'd like to free up about .5 - 1 Mb for phone traffic, and the rest dedicated for data. I hope this best answers your question.

0 Helpful

Go to solution
nkarthikeyan
Rising star
Rising star
In response to John Apricena

‎07-28-2014 02:23 AM

Hi,

You can try setting priority queuing on the interfaces and verify the required inspect statements for h323 h225, h323 ras, skinny, sip is enabled already.... if not try with the below mentioned Qos on your firewalls and check if that solves the problem.....

 

Office 1:1000 Mbps

access-list voip_inside extended permit ip <other end voip subnet> <inside Voip Subnet>
!
access-list voip_outside extended permit ip <inside Voip Subnet> <other end voip subnet>
!
priority-queue inside
priority-queue outside
!
class-map voice-inside-class
 match access-list voip_inside
class-map voip-outside-class
 match access-list voip_outside
!
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect skinny
  inspect sip
!
policy-map outside-policy
 class voip-outside-class
  priority
policy-map inside-policy
 class voice-inside-class
  priority
!
policy-map ins-policy
 class class-default
  shape average 100000000
  service-policy inside-policy
!
policy-map out-policy
 class class-default
  shape average 100000000
  service-policy outside-policy
!
service-policy global_policy global
service-policy ins-policy interface inside
service-policy out-policy interface outside

Office 2: 50 Mbps

access-list voip_inside extended permit ip any <inside Voip Subnet>
!
access-list voip_outside extended permit ip <inside Voip Subnet> any
!
priority-queue inside
priority-queue outside
!
class-map voice-inside-class
 match access-list voip_inside
class-map voip-outside-class
 match access-list voip_outside
!
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect skinny
  inspect sip
!
policy-map outside-policy
 class voip-outside-class
  priority
policy-map inside-policy
 class voice-inside-class
  priority
!
policy-map ins-policy
 class class-default
  shape average 5000000
  service-policy inside-policy
!
policy-map out-policy
 class class-default
  shape average 5000000
  service-policy outside-policy
!
service-policy global_policy global
service-policy ins-policy interface inside
service-policy out-policy interface outside

 

Regards

Karthik

0 Helpful

Go to solution
John Apricena
Beginner
Beginner
In response to nkarthikeyan

‎07-28-2014 08:43 PM

Thanks Karthnik. I'm on vacation, but once I'm back I'll look to apply what you have. Thanks again!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents