ASA VPN: QoS for Voice/Video Traffic

BACKGROUND

Generally, voice and video traffic cannot tolerate long latencies. Using QoS can help to reduce latency and prioritize mission-critical traffic. A Cisco IOS router can prioritize voice traffic and also has a command option to reserve bandwidth for voice and video traffic. The bandwidth reservation command is not available on the ASA. This document describes how to prioritize voice/video traffic on a VPN network, how to reserve bandwidth for voice/video traffic, and the best practices for configuring QoS for voice/video traffic on a Cisco ASA.

ASA QOS OVERVIEW

On the ASA, QoS is supported in single mode and routed mode only. QoS is not supported for packet marking, Class Based Weighted Fair Queuing (CBWFQ), transparent firewall, security contexts, IPv6, AnyConnect VPN tunnels and Clientless SSL VPN (Cisco bug ID CSCsl73211). When one configures QoS on a tunnel group with WebVPN attributes, the ASA returns an error message indicating that it is not supported. If performance for voice and video traffic is needed over AnyConnect SSL VPN, Datagram Transport Layer Security (DTLS) has to be implemented.

When QoS is configured on the ASA, the QoS bits in the original IP header are copied to the IP header of the encrypted packet. This makes it possible to enforce QoS after encryption. The ASA preserves the ToS byte as specified in RFC 2401, so the DSCP bits can be used for QoS configuration. The ASA does not mark or classify packets; it honors and preserves the existing packet marking it receives. It assumes that the traffic is already marked with a DSCP/IP precedence value in the packet header. With this behaviour, the ASA and the devices along the VPN tunnel can correctly prioritize traffic. For end-to-end QoS, the IP devices along the connection path need to be QoS capable. The ASA supports traffic policing, prioritization and shaping.
Policing limits the maximum bandwidth used per traffic flow (bits/second), while prioritization transmits certain traffic flows before others. Traffic shaping controls the device link speed (to avoid link saturation and delay) by rate limiting device traffic without dropping packets: it transmits packets at a fixed rate, and packets that cannot be transmitted are stored in a buffer and transmitted later.

The ASA maintains two different types of priority queue on an interface:

1) Standard priority queue: used when doing traffic prioritization without traffic shaping. In that case this queue must be configured explicitly on the outside interface.

2) Hierarchical priority queue: used by the portion of shaped traffic that can be prioritized (IPsec-over-TCP is not supported). When doing traffic prioritization with traffic shaping, the standard priority queue is not used; this queue is used instead, and no configuration is required for it on the outside interface.

The two types of QoS that exist on the ASA are called the QoS engine and Egress Interface QoS. The QoS engine consists of the traffic classifier, the rate limiter and the token bucket, while Egress Interface QoS consists of a high-priority queue and a low-priority queue. When traffic exits the QoS engine, it is forwarded to the egress interface for physical transmission. Another level of QoS is implemented at the physical interface to ensure that traffic with a priority flag gets proper handling. At the physical interface, processing of a packet depends on the depth of the queue and the condition of the Transmit Ring (the buffer space used by the ASA to store packets before transmitting them at the driver level). When the Transmit Ring is congested, non-priority packets are queued to the low-priority queue while prioritized packets are queued to the high-priority queue.
If the Transmit Ring is free from congestion, non-priority packets are sent immediately after ensuring that the high-priority queue is empty. If the high-priority queue has a packet to send, the Transmit Ring services that queue first.

When QoS is configured on the ASA, the following sequence of events occurs:

1. If the packet is the first of its flow, it is routed to the correct interface and a flow is created for subsequent packets of the same type.

2. The packet goes into the QoS engine and is classified by the classifier engine. If the packet is classified as priority, it goes straight into the high-priority queue (Egress Interface QoS); packets of this kind cannot be rate limited.

3. If the traffic is classified for rate limiting (policing), it goes to the rate limiting engine and is rate limited. If a rate-limited packet exceeds the configured rate, the packet is dropped (non-conform); otherwise it is forwarded into the low-priority queue (Egress Interface QoS).

4. The ASA then transmits the packet over the physical transmission link.

NOTE: If a packet is classified neither as priority nor for rate limiting, it is forwarded to the low-priority queue (Egress Interface QoS) and any existing rate limiting policies are not applied to this kind of traffic.

A token bucket exists in the ASA QoS engine. It is used to normalize different traffic flows; the normalization is either traffic policing or traffic shaping. The tokens (bits) in the bucket are not prioritized. Tokens are added to the bucket at a fixed rate. The bucket has a capacity limit; once the limit is reached, newly arriving tokens are either dropped (policing) or wait until the bucket has room (traffic shaping). The largest packet that can be sent by the device within a given unit of time is directly proportional to the size of the bucket.

Prioritization and policing of traffic are two mutually exclusive techniques for configuring QoS on the ASA.
Using a single class map, you cannot prioritize a traffic type and at the same time police the same traffic type; if you try, you will receive the following error:

ERROR: Must deconfigure priority in this class before issuing this command.

When priority queuing is configured, packets are not actually prioritized unless the egress link is saturated; on a high-bandwidth interface such as 100 Mbps or 1 Gbps, link saturation does not occur often. Using priority queuing together with policing or traffic shaping allows the LLQ to kick in when the policing or shaping limits are met.

Standard Priority Queuing Example:

Assume our ASA has a VPN tunnel group named "2.2.2.2" and a bandwidth of 1 Mbps (1000000 bps). We want to prioritize voice and also reserve a bandwidth of 0.1 Mbps (100000 bps) for voice. Remember that the ASA does not mark or classify voice packets; in this example we assume that the voice traffic is already marked with a DSCP value of EF.

In this example, a nested approach is also used in the policy map and the default class traffic is policed. The ASA provides a way to apply actions to traffic not matched by any configured class map: the "class-default" class map. Using "class-default" is not supported for priority traffic. Since we are using the standard priority queue, we configure the standard priority queue manually on the outside interface. On the ASA 5580, a standard priority queue cannot be created on a Ten Gigabit Ethernet interface; it can only be created on the ASA 5585-X Ten Gigabit Ethernet interface. Also, priority queuing is not supported on the management interface "management 0/0" on the ASA 5512-X through ASA 5555-X.

When priority queuing is configured, IPsec packets may be received out of order and outside the anti-replay window. This causes false-positive warning syslog messages to be generated.
Configuring the IPsec anti-replay window size avoids this false-positive warning.

  GORIASA(config)# interface g0/0
  GORIASA(config-if)# nameif outside
  GORIASA(config-if)# speed auto
  GORIASA(config-if)# duplex auto
  GORIASA(config)# interface g0/1
  GORIASA(config-if)# nameif inside
  GORIASA(config-if)# speed auto
  GORIASA(config-if)# duplex auto
  GORIASA(config)# sysopt connection tcpmss 1200
  GORIASA(config)# mtu outside 1380
  GORIASA(config)# crypto ipsec df-bit clear-df outside
  GORIASA(config)# crypto ipsec fragmentation before-encryption outside
  GORIASA(config)# crypto ipsec security-association replay window-size 1024
  GORIASA(config)# priority-queue outside
  GORIASA(config-priority-queue)# tx-ring-limit 512
  GORIASA(config-priority-queue)# queue-limit 2048
  GORIASA(config)# class-map voice-qos
  GORIASA(config-cmap)# match tunnel-group 2.2.2.2
  GORIASA(config-cmap)# match dscp ef
  GORIASA(config-cmap)# exit
  GORIASA(config)# policy-map Gori-police
  GORIASA(config-pmap)# class voice-qos
  GORIASA(config-pmap-c)# priority
  GORIASA(config-pmap-c)# exit
  GORIASA(config-pmap)# class class-default
  GORIASA(config-pmap-c)# police output 900000 conform-action transmit exceed-action drop
  GORIASA(config)# service-policy Gori-police interface outside

The policing rate is in bits per second (bps). The link below can be used for data rate unit conversion:
http://www.sengpielaudio.com/calculator-transferrate.htm

Hierarchical Priority Queuing

In this example, a nested approach is used in the policy map and the default class traffic is shaped. On the ASA, shaping can only be applied to outgoing traffic using class-default, because the ASA requires all traffic to be matched for traffic shaping. Traffic shaping is similar to policing except that shaping places the packet into a buffer and smooths the traffic flow to match the imposed limit, whereas policing drops the packet once the limit has been exceeded.
Generally, traffic shaping applies to all types of traffic leaving the ASA. You cannot enable policing and traffic shaping for the same type of traffic, even though the ASA allows the configuration. The total maximum traffic size for shaped traffic includes the IPsec overhead and the layer two (L2) headers. Shaping usually takes place after encryption and does not allow prioritization based on the inner packet or on the tunnel group for VPN traffic. When using hierarchical priority queuing for encrypted VPN traffic, only the DSCP/IP precedence value can be used to match the traffic; the tunnel group cannot be used. Since we are using the hierarchical priority queue in this example, we do not need to configure priority queuing on the outside interface of the ASA. It is important to know that traffic shaping is not yet supported on the ASA 5580.

  GORIASA(config)# interface g0/0
  GORIASA(config-if)# nameif outside
  GORIASA(config-if)# speed auto
  GORIASA(config-if)# duplex auto
  GORIASA(config)# interface g0/1
  GORIASA(config-if)# nameif inside
  GORIASA(config-if)# speed auto
  GORIASA(config-if)# duplex auto
  GORIASA(config)# sysopt connection tcpmss 1200
  GORIASA(config)# mtu outside 1380
  GORIASA(config)# crypto ipsec df-bit clear-df outside
  GORIASA(config)# crypto ipsec fragmentation before-encryption outside
  GORIASA(config)# crypto ipsec security-association replay window-size 1024
  GORIASA(config)# class-map voice-qos
  GORIASA(config-cmap)# match dscp ef
  GORIASA(config)# policy-map voice-qos
  GORIASA(config-pmap)# class voice-qos
  GORIASA(config-pmap-c)# priority
  GORIASA(config-pmap-c)# policy-map gory-shape
  GORIASA(config-pmap)# class class-default
  GORIASA(config-pmap-c)# shape average 896000
  GORIASA(config-pmap-c)# service-policy voice-qos
  GORIASA(config)# service-policy gory-shape interface outside

NOTE: The target bit rate (bits per second) for traffic shaping needs to be a multiple of 8000.

The "sh priority-queue statistics" command tells us whether the ASA is actually prioritizing the traffic.
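Before verifying on the box, the plan itself can be checked against the rules this document states. The following Python script is an added example and is neither Cisco's nor the document's own code. It derives the class-default rates used in the two examples above from the document's figures (1 Mbps link, 0.1 Mbps reserved for voice) and lints a planned policy for the constraints given above: priority and police cannot share a class, priority is not supported under class-default, shape is only allowed under class-default and only in multiples of 8000, and tunnel-group cannot be matched when traffic is shaped. The policy description format and the function names are my own.

```python
"""Plan and lint an ASA VPN QoS policy against the rules in this document.
Added example, not Cisco's or the document's own code. The policy description
format and function names are mine; the rates come from the document's figures."""

SHAPE_STEP_BPS = 8000   # "shape average" must be a multiple of 8000 bps


def mbps_to_bps(mbps):
    """ASA police and shape rates are plain bits per second (1 Mbps = 1000000 bps)."""
    return int(round(mbps * 1_000_000))


def plan_rates(link_bps, voice_bps):
    """Bandwidth left for class-default once the voice reservation is taken out:
    the policing rate for the standard example and, rounded down to a multiple of
    8000, the shaping rate for the hierarchical example."""
    if not 0 < voice_bps < link_bps:
        raise ValueError("voice reservation must be positive and below the link speed")
    best_effort = link_bps - voice_bps
    return {
        "police_bps": best_effort,
        "shape_bps": best_effort - best_effort % SHAPE_STEP_BPS,
    }


def lint_policy(classes, link_bps):
    """Return a list of problems with a planned policy (empty list = clean).

    classes maps a class name to {"match": [...], "actions": {...}}; actions may
    hold "priority": True, "police": rate_bps or "shape": rate_bps. A hierarchical
    policy is described flat: the shaped class-default plus the nested priority
    class."""
    problems = []
    shaping = any("shape" in c["actions"] for c in classes.values())
    for name, cls in classes.items():
        acts, matches = cls["actions"], cls.get("match", [])
        if "priority" in acts and "police" in acts:
            # The ASA refuses this: "Must deconfigure priority in this class ..."
            problems.append(f"{name}: priority and police cannot share a class")
        if "priority" in acts and name == "class-default":
            problems.append("class-default: priority is not supported for the default class")
        if "shape" in acts:
            if name != "class-default":
                problems.append(f"{name}: shape is only allowed under class-default")
            if acts["shape"] % SHAPE_STEP_BPS:
                problems.append(f"{name}: shape rate {acts['shape']} is not a multiple of {SHAPE_STEP_BPS}")
        if shaping and any(m.startswith("tunnel-group") for m in matches):
            problems.append(f"{name}: tunnel-group cannot be matched when traffic is shaped; match dscp instead")
        for key in ("police", "shape"):
            if key in acts and acts[key] > link_bps:
                problems.append(f"{name}: {key} rate {acts[key]} exceeds the link speed {link_bps}")
    return problems


# The document's two examples, described in the format above.
LINK_BPS = mbps_to_bps(1.0)
RATES = plan_rates(LINK_BPS, mbps_to_bps(0.1))

STANDARD = {
    "voice-qos": {"match": ["tunnel-group 2.2.2.2", "dscp ef"], "actions": {"priority": True}},
    "class-default": {"match": [], "actions": {"police": RATES["police_bps"]}},
}
HIERARCHICAL = {
    "voice-qos": {"match": ["dscp ef"], "actions": {"priority": True}},
    "class-default": {"match": [], "actions": {"shape": RATES["shape_bps"]}},
}

if __name__ == "__main__":
    print(RATES)
    for label, policy in (("standard", STANDARD), ("hierarchical", HIERARCHICAL)):
        print(label, lint_policy(policy, LINK_BPS) or "clean")
```

Rounding 900000 down to the nearest multiple of 8000 gives 896000, the value used in the shape average command above; the 4000 bps lost to rounding is the price of the granularity rule, so round down rather than up to keep the shaped rate within the link.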
The output below shows the statistics for traffic forwarded using BE (best effort) and LLQ.

"sh priority-queue statistics" before QoS is configured:

  Priority-Queue Statistics interface OUTSIDE

  Queue Type         = BE
  Tail Drops         = 0
  Reset Drops        = 0
  Packets Transmit   = 642459
  Packets Enqueued   = 0
  Current Q Length   = 0
  Max Q Length       = 0

  Queue Type         = LLQ
  Tail Drops         = 0
  Reset Drops        = 0
  Packets Transmit   = 0
  Packets Enqueued   = 0
  Current Q Length   = 0
  Max Q Length       = 0

"sh priority-queue statistics" after QoS is configured:

  Priority-Queue Statistics interface OUTSIDE

  Queue Type         = BE
  Tail Drops         = 0
  Reset Drops        = 0
  Packets Transmit   = 1618882
  Packets Enqueued   = 0
  Current Q Length   = 0
  Max Q Length       = 0

  Queue Type         = LLQ
  Tail Drops         = 0
  Reset Drops        = 0
  Packets Transmit   = 757
  Packets Enqueued   = 0
  Current Q Length   = 0
  Max Q Length       = 0

NOTES:

Once configured, the QoS policies do not apply to established VPN traffic; for them to apply immediately to established VPN traffic, you have to bounce the tunnel. Also, if a service policy applied to an interface is removed, the QoS that applies to all the established VPN traffic is not removed until you re-establish the tunnel.

Again, the ASA does not mark or classify voice packets; it assumes that the voice/video traffic is already marked with a DSCP value. After QoS is configured, if the LLQ counters in the "sh priority-queue statistics" output are still zero, you need to make sure the ASA is actually receiving packets already marked with the DSCP value. A packet capture on the interface can help you with this.

For effective traffic prioritization, QoS traffic prioritization must be end to end. All devices along the traffic path must honor the DSCP/IP precedence value in the packet header.
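The check recommended in the notes above (LLQ counters still zero after QoS is configured) can be automated. The following Python script is an added example, not a Cisco tool or part of the original document. It parses the output of "sh priority-queue statistics", compares a capture taken before the policy was applied with one taken afterwards, and reports whether the LLQ transmit counter moved and whether tail drops grew. The two captures embedded below are constructed from the figures shown above; the function names are my own.

```python
"""Compare two "sh priority-queue statistics" captures and flag the conditions
the notes above warn about. Added example, not a Cisco tool or part of the
original document; the captures are constructed from the figures shown above."""
import re

BEFORE = """\
Priority-Queue Statistics interface OUTSIDE

Queue Type         = BE
Tail Drops         = 0
Reset Drops        = 0
Packets Transmit   = 642459
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 0

Queue Type         = LLQ
Tail Drops         = 0
Reset Drops        = 0
Packets Transmit   = 0
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 0
"""

AFTER = """\
Priority-Queue Statistics interface OUTSIDE

Queue Type         = BE
Tail Drops         = 0
Reset Drops        = 0
Packets Transmit   = 1618882
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 0

Queue Type         = LLQ
Tail Drops         = 0
Reset Drops        = 0
Packets Transmit   = 757
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 0
"""

_HEADER = re.compile(r"Priority-Queue Statistics interface (\S+)")
_COUNTER = re.compile(r"^\s*(.+?)\s*=\s*(\S+)\s*$")


def parse_priority_queue_stats(text):
    """Return {interface: {"BE": {counter: int}, "LLQ": {counter: int}}}."""
    stats, iface, qtype = {}, None, None
    for line in text.splitlines():
        m = _HEADER.search(line)
        if m:
            iface, qtype = m.group(1), None
            stats[iface] = {}
            continue
        m = _COUNTER.match(line)
        if not m or iface is None:
            continue
        key, value = m.groups()
        if key == "Queue Type":
            qtype = value
            stats[iface][qtype] = {}
        elif qtype is not None:
            stats[iface][qtype][key] = int(value)
    return stats


def llq_health(before_text, after_text, iface="OUTSIDE"):
    """Compare two captures of one interface and list anything worth a look."""
    before = parse_priority_queue_stats(before_text)[iface]
    after = parse_priority_queue_stats(after_text)[iface]
    llq_delta = after["LLQ"]["Packets Transmit"] - before["LLQ"]["Packets Transmit"]
    be_delta = after["BE"]["Packets Transmit"] - before["BE"]["Packets Transmit"]
    findings = []
    if llq_delta == 0:
        # Nothing reached the LLQ: either no packet arrived with the expected DSCP
        # marking (verify with a packet capture) or the tunnel was not bounced.
        findings.append("LLQ transmit counter did not move: confirm packets arrive already "
                        "marked with the expected DSCP value and that the tunnel was "
                        "bounced after the policy was applied")
    for q in ("BE", "LLQ"):
        if after[q]["Tail Drops"] > before[q]["Tail Drops"]:
            findings.append(f"{q}: tail drops increased; review queue-limit against the offered load")
    return {"llq_delta": llq_delta, "be_delta": be_delta, "findings": findings}


if __name__ == "__main__":
    print(llq_health(BEFORE, AFTER))
```

On the document's own captures the LLQ counter rises by 757 packets with no tail drops, which is the expected healthy result; feeding the same capture twice reproduces the "still zero" condition the notes describe.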
Honoring the marking end to end avoids bottlenecks along the traffic path.

ASA QOS Commands

  clear service-policy policyname interface ifname
  sh service-policy global
  sh service-policy interface ifname
  sh service-policy priority
  sh priority-queue statistics
  sh service-policy shape
  show running-config priority-queue
  clear configure priority-queue

The following bugs were introduced by the traffic shaping feature:

  CSCsq08550  Traffic shaping with priority queueing causes traffic failure on ASA
  CSCsx07862  Traffic shaping with priority queueing causes packet delay and drops
  CSCsq07395  Adding shaping service-policy fails if policy-map has been edited

GORI DAWODU
CISCO TAC VPN, SAN JOSE