9 Replies Latest reply on Sep 24, 2013 1:44 PM by touristsis Branched to a new discussion.

    Qos cannot get it to work with ipsec over gre tunnel

    touristsis Visitor

      Hi Support,

      I cannot get Qos to work over IPsec over ip tunnel.  It use to work great with regular VPN.

       

        qos-policy out: VOIP

         map entry 10
           match dscp 46
           match dscp 26
           set DSCP value to 46
           priority bandwidth: unlimited
             note: since unlimited, other qos bandwidths cannot be assured
           packets matched: 170781, bytes matched: 66567385

         map entry default
           packets matched: 14038420, bytes matched: 3807165703
           packets dropped: 2088, bytes dropped: 2852972
           5 minute offered rate 455136 bits/sec, drop rate 480 bits/sec

       

      Is there a way to find out why the drop rate is 480 bits/sec?

      Is that because I don't have enough speed?

        • Re: Qos cannot get it to work with ipsec over gre tunnel
          Employee

          I will need some additional information to troubleshoot this.  Can you explain the WAN connection at this site (type, interface, upload/download, etc)?  Also, can you capture the output from a show interfaces along with a show qos map interface <int> during a test call while you are having issues?  I will also need a copy of your current configuration.  You can submit both of those to our FTP server with the instructions below:

           

          Open Internet Explorer web browser on their PC
          Type the following URL:  ftp://ftp.adtran.com

          Press the Alt key, click View, and then click Open FTP Site in Windows Explorer

          Double-click the "Incoming" folder
          Drag and drop files from PC into the Internet Explorer window

          Reply to this post with the exact filenames used so we can retrieve the files


          Thanks,

          Matt

            • Re: Qos cannot get it to work with ipsec over gre tunnel
              Employee

              Were you ever able to resolve this issue?  If so, can you come back to this thread to update it so others can benefit from the solution?  If you still need assistance I would be happy to help, but will need the information requested from my last response.

               

              Thanks,

              Matt

                • Re: Qos cannot get it to work with ipsec over gre tunnel
                  touristsis Visitor

                  The wan connection is just a Time Warner Cable connection with 35 X 5.  When I change the routing from ospf to static route it works better, yet we still have a bit of issue.  I'm thinking that time warner is not giving them consistent speed, yet I'm not sure.

                    • Re: Qos cannot get it to work with ipsec over gre tunnel
                      Employee

                      Thanks for the update.  Changing the type of routing should not make a difference.  Here is a post that covers setting up QoS for an Ethernet WAN connection over the Internet.  It has a sample configuration and I wanted to highlight that as shown in this example, an important step is matching your upload speed with the traffic-shape rate command on the WAN interface.  This video also shows how to setup QoS on an Ethernet WAN connection starting at 2 minutes and 45 seconds.  I would recommend doing several speed tests to ensure you know the proper upload speed to configure. Unfortunately, when the Internet is used instead of a private leased circuit voice quality cannot be guaranteed, but hopefully a proper QoS configuration and error free interfaces will help with the voice quality.

                       

                      Thanks,

                      Matt

                        • Re: Qos cannot get it to work with ipsec over gre tunnel
                          touristsis Visitor

                          Hi Matt

                           

                          Does this look right?

                           

                          qos map VOIP 10

                            match dscp 46

                            match dscp 26

                            priority unlimited

                           

                          interface eth 0/2

                            description Time Warner Cable

                            ip address  XX.XX.XX.XX  255.255.255.248

                            ip mtu 1500

                            ip access-policy Public

                            ip urlfilter Web_Http_Filter in

                            ip urlfilter Web_Http_Filter out

                            crypto map VPN

                            no rtp quality-monitoring

                            media-gateway ip primary

                            bandwidth 5000000

                            traffic-shape rate 5000000

                            qos-policy out VOIP

                            no awcp

                            no shutdown

                           

                          Here is what I get when I do show qos map int eth 0/2

                           

                            qos-policy out: VOIP

                             map entry 10
                               match IP packets with a DSCP value of 46
                               match IP packets with a DSCP value of 26
                               priority bandwidth: unlimited
                                 note: since unlimited, other qos bandwidths cannot be assured
                               packets matched: 6331575, bytes matched: 1859848514

                             map entry default
                               packets matched: 14319957, bytes matched: 4138970576
                               5 minute offered rate 137456 bits/sec, drop rate 0 bits/sec

                            Input QoS Map not assigned for this interface

                          !

                            • Re: Qos cannot get it to work with ipsec over gre tunnel
                              Employee

                              You made this post for a NetVanta 7000 series, but it looks like this is for a different product.  I forgot to mention it earlier, but the drop rate you pointed out in your first post is on the default map entry, which is your non-prioritized traffic. 

                               

                              The output from your last post looks correct.  Can you also supply the output of a show interfaces eth 0/2? Did you ever do the speed tests to confirm that you are in fact getting 5Mb upload?

                               

                              Thanks,

                              Matt

                                • Re: Qos cannot get it to work with ipsec over gre tunnel
                                  touristsis Visitor

                                  Hi Matt,

                                  I ran a speed test.  They were getting 35 down and 5 up.  Hree is the show int eth 0/2

                                   

                                  eth 0/2 is UP, line protocol is UP

                                    Description: Time Warner Cable

                                    Hardware address is 00:A0:C8:79:AE:69

                                    Ip address is XX.XX.XX.XX, netmask is 255.255.255.248

                                    MTU is 1500 bytes,  BW is 705032 Kbit

                                    10Mb/s, negotiated full-duplex, configured full-duplex

                                    ARP type: ARPA; ARP timeout is 20 minutes

                                    5 minute input rate 197368 bits/sec, 79 packets/sec

                                    5 minute output rate 186248 bits/sec, 83 packets/sec

                                      Queueing method

                                          Configured Queueing Method: fifo

                                          Effective  Queueing Method: weighted fair

                                      Output queue: 0/69/684/64/193 (size/highest/max total/threshold/drops)

                                        Conversations  0/23/256 (active/max active/max total)

                                        Available Bandwidth 3750000 kilobits/sec

                                      Interface Shaper: 5000/31250/31250 (rate/budget/max budget)

                                        625 bytes added to budget every 1 ms

                                        packet stats: 24185042/0/193/349371 (packets sent/waiting/dropped/delayed)

                                      28728507 packets input, 304077930 bytes

                                      22102269 unicasts, 6626238 broadcasts, 0 multicasts input

                                      0 unknown protocol, 0 symbol errors, 0 discards

                                      8 input errors, 0 runts, 0 giants

                                      8 no buffer, 0 overruns, 0 internal receive errors

                                      0 alignment errors, 0 crc errors

                                      24185235 packets output, 2783363691 bytes

                                      24162991 unicasts, 1416 broadcasts, 20828 multicasts output

                                      0 output errors, 0 deferred, 0 discards

                                      0 single, 0 multiple, 0 late collisions

                                      0 excessive collisions, 0 underruns

                                      0 internal transmit errors, 0 carrier sense errors

                                      0 resets, 5 throttles