ASA VPN: QoS for Voice/Video Traffic
BACKGROUND
Generally, voice and video traffic cannot tolerate long latencies. Using QoS helps to reduce latency and prioritize mission-critical traffic. A Cisco IOS router can prioritize voice traffic and also has a command option to reserve bandwidth for voice and video traffic. The bandwidth reservation command is not available on the ASA. This document describes how to prioritize voice/video traffic on a VPN network, how to reserve bandwidth for voice/video traffic, and the best practices for configuring QoS for voice/video traffic on the Cisco ASA.
ASA QOS OVERVIEW
On the ASA, QoS is supported only in single mode and routed mode. QoS is not supported for packet marking, Class Based Weighted Fair Queuing (CBWFQ), transparent firewall, security contexts, IPv6, AnyConnect VPN tunnels and Clientless SSL VPN (Cisco bug ID CSCsl73211). When you configure QoS on a tunnel group with WebVPN attributes, you get an error message indicating that it is not supported. If you need performance for voice and video traffic when using AnyConnect SSL VPN, you will have to implement Datagram Transport Layer Security (DTLS).
When QoS is configured on the ASA, the QoS bits in the original IP header are copied to the IP header of the encrypted packet. This helps to enforce QoS after encryption. The ASA preserves the ToS bits as specified in RFC 2401, so the DSCP bits can be used for QoS configuration. The ASA does not mark or classify packets; it honors and preserves the existing packet marking it receives. It assumes that the traffic is already marked with a DSCP/IP precedence value in the packet header. With this behavior, the ASA and the devices along the VPN tunnel can correctly prioritize traffic. For end-to-end QoS, all IP devices along the connection path need to be QoS capable.
The ASA supports traffic policing, prioritization and shaping. Policing limits the maximum bandwidth used per traffic flow (bits/second), while prioritization transmits certain traffic flows before others. Traffic shaping controls the device link speed (to avoid link saturation and delay) by rate limiting device traffic without dropping packets. It transmits packets at a fixed speed; packets that cannot be transmitted are stored in a data buffer and transmitted later.
The ASA maintains two different types of priority queue on an interface:
1) Standard priority queue: used when doing traffic prioritization without traffic shaping. In that case this queue must be configured explicitly on the outside interface.
2) Hierarchical priority queue: used for the portion of shaped traffic that can be prioritized (IPsec-over-TCP is not supported). When doing traffic prioritization with traffic shaping, the standard priority queue is not used and this queue is used instead. No configuration is required for this queue on the outside interface.
The two types of QoS that exist on the ASA are called the QoS engine and Egress Interface QoS. The QoS engine consists of a traffic classifier, a rate limiter and a token bucket, while Egress Interface QoS consists of a high-priority queue and a low-priority queue. When traffic exits the QoS engine, it is forwarded to the egress interface for physical transmission. Another level of QoS is implemented at the physical interface to ensure that traffic with a priority flag gets proper handling. At the physical interface, processing of a packet depends on the depth of the queue and the condition of the Transmit Ring (buffer space used by the ASA to store packets before transmitting them at the driver level). When the Transmit Ring is congested, non-priority packets are queued to the low-priority queue while prioritized packets are queued to the high-priority queue. If the Transmit Ring is free from congestion, non-priority packets are sent immediately after ensuring that the high-priority queue is empty. If the high-priority queue has a packet to send, the Transmit Ring services this queue first.
When QoS is configured on the ASA, the following sequence of events occurs:
- If the packet is the first of its flow, it is routed to the correct interface and a flow is created for subsequent packets of the same type.
- The packet goes into the QoS engine and is classified by the classifier engine. If the packet is classified as priority, it goes straight into the high-priority queue (Egress Interface QoS); these kinds of packets cannot be rate limited.
- If the traffic is classified for rate limiting (policing), it goes to the rate limiting engine and is rate limited. If the packet exceeds the configured rate, it is dropped (non-conform); otherwise it is forwarded into the low-priority queue (Egress Interface QoS).
- The ASA then transmits the packet over the physical transmission link.
NOTE: If a packet is not classified as priority or rate limited, it is forwarded to the low-priority queue (Egress Interface QoS) and any existing rate limiting policies are not applied to this kind of traffic.
A token bucket exists in the ASA QoS engine. It is used to normalize different traffic flows; the normalization includes traffic policing or traffic shaping. The tokens (bits) in the bucket are not prioritized. Tokens are added to the bucket at a certain rate. The bucket has a capacity limit; after the limit is reached, all newly arrived tokens are either dropped (policing) or wait until the bucket is free (traffic shaping). The largest packet that can be sent by the device within a given unit of time is directly proportional to the size of the bucket.
Prioritization and policing of traffic are mutually exclusive techniques for configuring QoS on the ASA. Using a single class map, you cannot prioritize a traffic type and at the same time police the same traffic type; if you do, you receive the following error: "ERROR: Must deconfigure priority in this class before issuing this command".
When priority queuing is configured, packets are not prioritized unless the LLQ is saturated; if you have a high-bandwidth interface such as 100 Mbps or 1 Gbps, link saturation will not occur very often. Using priority queuing along with policing or traffic shaping allows the LLQ to kick in when the policing or shaping limits are met.
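To make the policing-versus-shaping behaviour described above concrete, the following Python model (an added illustration, not part of the TAC note) runs one constructed packet burst through a token-bucket policer and a shaper using the rates of the two configuration examples that follow (900000 bps policing, 896000 bps shaping). The 1500-byte policer burst size, the 2048-packet shaper buffer and the absence of IPsec/L2 overhead are simplifying assumptions.

```python
def police(packets, rate_bps, burst_bytes=1500):
    """Token-bucket policer like 'police output <rate> conform-action transmit
    exceed-action drop'. The bucket holds burst_bytes (1500 is an assumed default)
    and refills at rate_bps; a packet that finds too few tokens is dropped, not queued.
    packets: list of (arrival_time_s, size_bytes). Returns (transmitted, dropped)."""
    tokens, last, sent, dropped = float(burst_bytes), 0.0, [], []
    for t, size in packets:
        tokens = min(burst_bytes, tokens + (t - last) * rate_bps / 8.0)  # refill
        last = t
        if size <= tokens:
            tokens -= size
            sent.append((t, size))
        else:
            dropped.append((t, size))  # non-conforming: exceed-action drop
    return sent, dropped

def shape(packets, rate_bps, queue_limit=2048):
    """Shaper like 'shape average <rate>': packets are serialised one after another
    at rate_bps and wait in a FIFO buffer instead of being dropped. queue_limit
    (assumed; 2048 mirrors the queue-limit used in the note) caps that buffer.
    Returns (per-packet queueing delay in seconds, dropped)."""
    departures, delays, dropped = [], [], []
    for t, size in packets:
        buffered = sum(1 for d in departures if d > t)  # queued or on the wire at t
        if buffered >= queue_limit:
            dropped.append((t, size))
            continue
        start = max(t, departures[-1] if departures else 0.0)
        departures.append(start + size * 8.0 / rate_bps)
        delays.append(start - t)
    return delays, dropped

def compare(packets, police_bps=900000, shape_bps=896000):
    """Run the same burst through the note's class-default policer and shaper."""
    sent, dropped = police(packets, police_bps)
    delays, shape_dropped = shape(packets, shape_bps)
    return {"police_sent": len(sent), "police_dropped": len(dropped),
            "shape_dropped": len(shape_dropped),
            "shape_max_delay_ms": round(max(delays) * 1000, 1) if delays else 0.0}

# Constructed input: 20 x 1400-byte packets arriving back to back at the 1 Mbps
# line rate of the example, i.e. slightly faster than either limit allows.
LINE_RATE_BURST = [(i * 1400 * 8 / 1_000_000, 1400) for i in range(20)]
```

With this burst the policer drops every second packet, while the shaper delivers all of them at the cost of a queueing delay that grows to about 25 ms by the last packet.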
Standard Priority Queuing
Example: Assume our ASA has a VPN tunnel group named "2.2.2.2" and a bandwidth of 1 Mbps (1000000 bps). We want to prioritize voice and also reserve a bandwidth of 0.1 Mbps (100000 bps) for voice. Remember that the ASA does not mark or classify voice packets; we assume that the voice traffic is already marked with a DSCP value of EF in this example.
In this example, a nested approach is also used in the policy map and the default class traffic is policed. The ASA provides a way to apply actions to traffic not matched by any configured class map: the "class-default" class map. Using "class-default" is not supported for priority traffic. Since we are using the standard priority queue, we manually configure the standard priority queue on the outside interface.
On the ASA 5580, a standard priority queue cannot be created for a Ten Gigabit Ethernet interface; it can only be created on the ASA 5585-X with a Ten Gigabit Ethernet interface. Also, priority queuing is not supported on the management interface "management 0/0" on the ASA 5512-X through ASA 5555-X.
When priority queuing is configured, IPsec packets may be received out of order and outside the anti-replay window. This causes false-positive warning syslog messages to be generated. Configuring the IPsec anti-replay window size can be used to avoid these false-positive warnings.
GORIASA(config)# interface g0/0
GORIASA(config-if)# nameif outside
GORIASA(config-if)# speed auto
GORIASA(config-if)# duplex auto
GORIASA(config)# interface g0/1
GORIASA(config-if)# nameif inside
GORIASA(config-if)# speed auto
GORIASA(config-if)# duplex auto
GORIASA(config-if)# sysopt connection tcpmss 1200
GORIASA(config)# mtu outside 1380
GORIASA(config)# crypto IPsec df-bit clear-df outside
GORIASA(config)# crypto IPsec fragmentation before-encryption outside
GORIASA(config)# crypto IPsec security-association replay window-size 1024
GORIASA(config)# priority-queue outside
GORIASA(config-priority-queue)# tx-ring-limit 512
GORIASA(config-priority-queue)# queue-limit 2048
GORIASA(config)# class-map voice-qos
GORIASA(config-cmap)# match tunnel-group 2.2.2.2
GORIASA(config-cmap)# match dscp ef
GORIASA(config-cmap)# exit
GORIASA(config)# policy-map Gori-police
GORIASA(config-pmap)# class voice-qos
GORIASA(config-pmap-c)# priority
GORIASA(config-pmap-c)# exit
GORIASA(config-pmap)# class class-default
GORIASA(config-pmap-c)# police output 900000 conform-action transmit exceed-action drop
GORIASA(config)# service-policy Gori-police interface outside
The policing rate is in bits per second (bps). The link below can be used for data rate unit conversion.
Hierarchical Priority Queuing
In this example, a nested approach is used in the policy map and the default class traffic is shaped. On the ASA, shaping can only be applied to outgoing traffic using class-default, because the ASA requires all traffic to be matched for traffic shaping. Traffic shaping is similar to policing except that shaping places the packet into a buffer and smooths the traffic flow to match the imposed limit, whereas policing drops the packet once the limit has been exceeded. Generally, traffic shaping applies to all types of traffic leaving the ASA. You cannot enable policing and traffic shaping for the same type of traffic even though the ASA allows the configuration.
The total maximum traffic size for shaped traffic includes IPsec overhead and layer two (L2) headers. Shaping usually takes place after encryption and does not allow for prioritization on an inner-packet or tunnel-group basis for VPN. When using hierarchical priority queuing for encrypted VPN traffic, only the DSCP/IP precedence value can be used to match the traffic; the tunnel group cannot be used.
Since we are using the hierarchical priority queue in this example, we do not need to configure the priority queue on the outside interface. It is important to know that traffic shaping is not yet supported on the ASA 5580.
GORIASA(config)# interface g0/0
GORIASA(config-if)# nameif outside
GORIASA(config-if)# speed auto
GORIASA(config-if)# duplex auto
GORIASA(config)# interface g0/1
GORIASA(config-if)# nameif inside
GORIASA(config-if)# speed auto
GORIASA(config-if)# duplex auto
GORIASA(config-if)# sysopt connection tcpmss 1200
GORIASA(config)# mtu outside 1380
GORIASA(config)# crypto IPsec df-bit clear-df outside
GORIASA(config)# crypto IPsec fragmentation before-encryption outside
GORIASA(config)# crypto IPsec security-association replay window-size 1024
GORIASA(config)# class-map voice-qos
GORIASA(config-cmap)# match dscp ef
GORIASA(config)# policy-map voice-qos
GORIASA(config-pmap)# class voice-qos
GORIASA(config-pmap-c)# priority
GORIASA(config-pmap-c)# policy-map gory-shape
GORIASA(config-pmap)# class class-default
GORIASA(config-pmap-c)# shape average 896000
GORIASA(config-pmap-c)# service-policy voice-qos
GORIASA(config)# service-policy gory-shape interface outside
NOTE: The target bit rate (bits per second) for traffic shaping needs to be a multiple of 8000.
Using the "sh priority-queue statistics" command tells us whether the ASA is actually prioritizing the traffic. As shown below, it displays the statistics for both the traffic forwarded using BE (best effort) and the traffic forwarded using the LLQ.
Sh priority-queue statistics before QOS is configured
Priority-Queue Statistics interface OUTSIDE
Queue Type = BE
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 642459
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0
Queue Type = LLQ
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 0
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0
Sh priority-queue statistics after QOS is configured
Priority-Queue Statistics interface OUTSIDE
Queue Type = BE
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 1618882
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0
Queue Type = LLQ
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 757
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0
NOTES:
Once configured, the QoS policies do not apply to already-established VPN traffic; for them to apply immediately to established VPN traffic, you have to bounce the tunnel. Also, if a service policy applied to an interface is removed, the QoS that applies to all established VPN traffic is not removed until you reestablish the tunnel.
Again, the ASA does not mark or classify voice packets; it assumes that the voice/video traffic is already marked with a DSCP value. After QoS is configured, if the LLQ counters in the "sh priority-queue statistics" output still show zero, make sure the ASA is actually receiving packets already marked with the DSCP value. A packet capture on the interface can help you with this.
For effective traffic prioritization, QoS traffic prioritization must be end to end. All devices along the traffic path must honor the DSCP/IP precedence value in the packet header. This helps to avoid bottlenecks along the traffic path.
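The LLQ check just described can be scripted. The following Python parser (an added example, not part of the TAC note) reads the "sh priority-queue statistics" output shown above, which is embedded here as a constructed sample, and reports per interface whether the LLQ is carrying packets and whether any queue is tail-dropping.

```python
import re

# Constructed sample: the "after QoS is configured" listing from the note above.
AFTER = """Priority-Queue Statistics interface OUTSIDE
Queue Type = BE
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 1618882
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0
Queue Type = LLQ
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 757
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0
"""

def parse_priority_queue_stats(text):
    """Return {interface: {queue_type: {counter_name: int}}} from the output of
    'show priority-queue statistics' (one or more interfaces)."""
    stats, iface, queue = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Priority-Queue Statistics interface (\S+)", line):
            iface, queue = m.group(1), None
            stats[iface] = {}
        elif m := re.match(r"Queue Type = (\S+)", line):
            queue = m.group(1)
            stats[iface][queue] = {}
        elif (m := re.match(r"(.+?) = (\d+)$", line)) and queue is not None:
            stats[iface][queue][m.group(1)] = int(m.group(2))
    return stats

def llq_findings(stats):
    """Per interface: is the LLQ transmitting at all (if not, EF-marked packets are
    probably not reaching the ASA), and which queues show tail drops."""
    findings = {}
    for iface, queues in stats.items():
        findings[iface] = {
            "llq_active": queues.get("LLQ", {}).get("Packets Transmit", 0) > 0,
            "tail_drops": {q: c["Tail Drops"] for q, c in queues.items()
                           if c.get("Tail Drops", 0) > 0},
        }
    return findings
```

A zero "llq_active" after the policy is applied points back to the marking check above (verify with a capture that EF-marked packets actually arrive), while non-empty "tail_drops" means the queue-limit is being hit.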
ASA QOS Commands
clear service-policy policyname interface ifname
sh service-policy global
sh service-policy interface ifname
sh service-policy priority
sh priority-queue statistics
sh service-policy shape
show running-config priority-queue
clear configure priority-queue
The following bugs are introduced by the traffic shaping feature:
CSCsq08550 / Traffic shaping with priority queueing causes traffic failure on ASA
CSCsx07862 / Traffic shaping with priority queueing causes packet delay and drops
CSCsq07395 / Adding shaping service-policy fails if policy-map has been edited
GORI DAWODU
CISCO TAC VPN, SAN JOSE