08-23-2013 05:54 AM
Hello,
We have a customer who has an IPsec site-to-site VPN from their ASA5505 to a datacenter, also an ASA5505.
I want to prioritize the vpn tunnel traffic since they notice performance issues. The internet interface has speed down/up: 20/5 Mbps.
I have configured QoS like this:
priority-queue outside
 queue-limit 1024
class-map dcavpn_cm
 match flow ip destination-address
 match tunnel-group dcatunnelgroup
policy-map vpnqos_pm
 class dcavpn_cm
  priority
service-policy vpnqos_pm interface outside
Is this sufficient / will this work, when I configure this on both ends?
08-23-2013 06:23 AM
This is the output I get with show priority-queue stat (see below).
The strange thing is that we still have delays and timeouts when pinging over the IPsec tunnel to a server in the datacenter.
Priority-Queue Statistics interface outside
Queue Type = BE
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 155221
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0
Queue Type = LLQ
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 28810
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0
08-23-2013 10:18 AM
No, it won't be enough. Your ASA with a 100 MBit/s interface will never see any congestion because the next device is the one that restricts the traffic to 5 MBit/s and that drops packets.
To make sure that the ASA sees the congestion (which is needed to give QoS the possibility to control the traffic), you have to configure shaping on the outgoing interface to about 5 MBit/s. But test it in a timeframe with not so much mission-critical traffic. I had strange results with shaping on many ASA versions.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
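
As an added example, not part of any reply in this thread: one way the shaping described above could be combined with priority queuing on the ASA. The class and policy names are made up for illustration, and it assumes the traffic bound for the tunnel already carries DSCP EF when it reaches the ASA, because a shaped (hierarchical) policy classifies encrypted VPN traffic by DSCP or precedence rather than by tunnel group.

```cisco
! Added example. Names vpn_dscp_cm, vpn_prio_pm and outside_shape_pm are
! constructed for illustration and do not come from the thread.
! Assumption: tunnel-bound traffic is already marked DSCP EF upstream.

! Only one service policy can be attached to an interface, so detach
! the policy from the original post first.
no service-policy vpnqos_pm interface outside

! Classify by DSCP instead of by tunnel group.
class-map vpn_dscp_cm
 match dscp ef

! Child policy: packets in the class are sent ahead of everything else.
policy-map vpn_prio_pm
 class vpn_dscp_cm
  priority

! Parent policy: shape all egress traffic to the 5 Mbit/s uplink so the
! queue builds on the ASA rather than on the next device.
! The rate is in bits per second and must be a multiple of 8000.
policy-map outside_shape_pm
 class class-default
  shape average 5000000
  service-policy vpn_prio_pm

service-policy outside_shape_pm interface outside

! Verify under load: the shaping and priority counters should increase.
show service-policy shape
show service-policy priority
```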