[c-nsp] QoS not working - VPN acl conflicting???

Beck, Andre cisco-nsp at ibh.net
Wed Apr 10 16:29:10 EDT 2013

On Thu, Apr 04, 2013 at 09:48:37AM -0700, false wrote:
> I am trying to test my QoS policy by performing multiple file transfers outbound to our remote site over vpn which uses the same interface. You can see by the txload stats below that it should have been high enough to make the voip policy kick in but it didn't.

Well, it actually did. You have drops in class-default, so the policy
as a whole is clearly passing traffic, and dropping when the egress
interface becomes congested.

> There were about six phones connected but not being used.

When they are not used, the policy doesn't have anything to do.

> They are just doing keepalives for registration, etc to the main server, which is indicated in the access list below. Any ideas? Thank you,

Sure they do traffic to that exact address? Because:

> Class-map: VOIPcm (match-all)
> 0 packets, 0 bytes
> 5 minute offered rate 0 bps, drop rate 0 bps
> Match: access-group 156
> Priority: 33% (509 kbps), burst bytes 12700, b/w exceed drops: 0

The priority queue hasn't seen any traffic - 0/0 packets/bytes.

> access-list 156 permit ip any host 66.x.x.x.x

Sure about that ACL? Is it showing hits with "show ip access-list 156"?
If all is correct, there is probably some misbehavior of several features
working on the router at the same time, when combined. For instance it's
a classic that traffic generated by the router itself won't hit outgoing
interface ACLs. Given the router here seems to NAT this traffic (correct
me if I'm wrong, but I'm seeing RFC1918 addresses there), or even has
complex inspectors running on it, maybe the traffic doesn't hit the ACL
and thus the priority queue even though it should. When you ping that
66.x.x.x from the inside or from the router, do you see hits on the ACL
and the VOIPcm entry in the policy (the prio queue)? Is VOIPcm complete
or are there more classifiers - it's a match-all class-map so they might
prevent it from working as intended? When not matching on the ACL but
something simpler (say, a DSCP or IP precedence or even ingress iface),
does the class start to catch traffic?

                    Cool .signatures are so 90s...

-> Andre Beck    +++ ABP-RIPE +++      IBH IT-Service GmbH, Dresden <-
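As an added illustration (not from the thread or either poster), the shape of the configuration under discussion: the ACL-keyed match-all class from the post beside a DSCP/precedence-keyed alternative, plus the show commands used to check for hits. The policy name, the interface, and the 66.x.x.x host are placeholders/assumptions.

```cisco
! Added example, not from the thread. WAN-OUT, Serial0/0 and the
! 66.x.x.x host are placeholders.
!
! Classification keyed on the ACL, as in the original post.
! match-all: every match line must be true for a packet to enter the
! class. Any additional classifier added here is ANDed with the ACL,
! which is how extra lines in a match-all class-map can leave it empty.
access-list 156 permit ip any host 66.x.x.x
!
class-map match-all VOIPcm
 match access-group 156
!
! Alternative: key the class on a marking the phones already carry,
! so the priority queue no longer depends on the ACL being hit.
class-map match-any VOIPcm-dscp
 match dscp ef
 match ip precedence 5
!
policy-map WAN-OUT
 class VOIPcm
  priority percent 33
 class class-default
  fair-queue
!
interface Serial0/0
 service-policy output WAN-OUT
!
! Checks, in this order:
!  show ip access-lists 156
!  show policy-map interface Serial0/0 output
! ACL hits but 0 packets in VOIPcm: the traffic exists, but something
! between the ACL and the policy (NAT, inspection, locally generated
! packets) keeps it out of the class.
! 0 ACL hits: the phones are not sending to that address, or the
! traffic never traverses the ACL at all.
```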
