[c-nsp] QoS not working - VPN acl conflicting???

false jctx09 at yahoo.com
Thu Apr 4 12:48:37 EDT 2013

I have a QoS  policy in place that is set to reserve/prioritize traffic for my outgoing VoIP traffic. We outsource our voip solution.

I am trying to test my QoS policy by performing multiple file transfers outbound to our remote site over vpn which uses the same interface. You can see by the txload stats below that it should have been high enough to make the voip policy kick in bit it didn't. There were about six phones connected but not being used. They are just doing keepalives for regisration, etc to the main server, which is indicated in the access list below. Any ideas? Thank you,

Serial0/1/0 is up, line protocol is up
Hardware is GT96K with integrated T1 CSU/DSU
Internet address is x.x.x.x/30
MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec,
reliability 255/255, txload 218/255, rxload 19/255

router#sh policy-map interface serial 0/1/0

Service-policy output: VOIPpm
queue stats for all priority classes:
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0

Class-map: VOIPcm (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 156
Priority: 33% (509 kbps), burst bytes 12700, b/w exceed drops: 0

Class-map: class-default (match-any)
898811 packets, 199817314 bytes
5 minute offered rate 23000 bps, drop rate 3000 bps
Match: any
queue limit 64 packets
(queue depth/total drops/no-buffer drops/flowdrops) 0/81175/0/81175
(pkts output/bytes output) 824273/184794616
Fair-queue: per-flow queue limit 16

access-list 156 permit ip any host 66.x.x.x.x

class-map match-all VOIPcm
match access-group 156

policy-map VOIPpm
class VOIPcm
priority percent 33
class class-default

interface Serial0/1/0
ip address
ip access-group 101 in
ip flow ingress
ip flow egress
ip nat outside
ip inspect ISP2-cbac out
ip virtual-reassembly
encapsulation ppp
crypto map vpnmap
service-policy output VOIPpm

crypto map vpnmap 21 ipsec-isakmp
 set peer x.x.x.x
 set transform-set vpn_set
 match address 121
crypto map vpnmap 32 ipsec-isakmp
 set peer x.x.x.x
 set transform-set vpn_set
 match address 132

access-list 121 permit gre host host 67.x.x.x.
access-list 132 permit gre host host 57.x.x.x.x

More information about the cisco-nsp mailing list