Noticed that Voice Quality Monitoring (VQM) doesn't seem to be detecting RTP flow across stateless policies. I found mention of stateless allow policies on page 5 of the manual Configuring Voice Quality Monitoring (VQM) in AOS in 'Section 1.' But I'm not sure I understand the condition described there about non-default ACPs.
I usually configure policies related to private/trusted traffic as stateless (e.g., VPN selectors or allow statements for a remote office ppp interface). Is this practice keeping my RTP flows from being picked up by VQM?
Chris
Chris,
When the firewall is enabled on an AOS device, it automatically creates a policy-class labeled as "default". This policy-class applies to traffic that does not go through a configured access-policy/security zone that is applied to an interface. For example, say you have an AOS device with 2 interfaces (WAN/LAN). If you were to simply enable the firewall with the "ip firewall" command, all sessions going through the router would be listed under the "default" policy-class. Now let's say you configure an access-policy named "Trusted" for your LAN interface. This access-policy will NAT outgoing traffic so it can traverse the internet. In this case, you will see sessions initiated from the LAN listed under the "Trusted" policy-class, while all other traffic is listed under the "default" policy-class.
Regarding VQM, if the RTP flows happen to match a non-default access-policy rule that is configured as stateless, then VQM will not be able to capture the flows to provide you with statistics. Therefore, you are correct in your assumption that by configuring your policies as stateless, if the RTP flows match those statements, then it will prevent VQM from working properly.
I hope this answers your question, but do not hesitate to let us know if you have any further questions regarding this.
Thanks,
Noor
Thanks for the thorough answer, Noor!
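The situation discussed in this thread, as an added configuration sketch that is not part of the original posts or of ADTRAN's documentation: a non-default policy-class whose stateless allow also matches RTP, followed by a variant that puts a stateful allow for the media range ahead of it. The ACL names, subnets, interface, and the UDP range 10000-20000 are assumptions; substitute the range your phones actually use.

```text
! Before: every packet between the two sites, RTP included, matches
! the stateless entry in the non-default policy-class "Trusted",
! so the firewall keeps no session for the media flows.
ip firewall
!
ip access-list extended VPN-SELECTORS
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
ip policy-class Trusted
 allow list VPN-SELECTORS stateless
!
interface eth 0/1
 access-policy Trusted
!
! After: RTP is matched first by a stateful allow (no "stateless"
! keyword); everything else between the sites stays stateless.
ip access-list extended RTP-MEDIA
 permit udp 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 range 10000 20000
!
ip policy-class Trusted
 allow list RTP-MEDIA
 allow list VPN-SELECTORS stateless
!
interface eth 0/1
 access-policy Trusted
```

Policy-class entries are evaluated in order, so the stateful RTP entry has to sit above the broader stateless one. `show ip policy-sessions` lists sessions per policy-class and is a quick way to confirm which entry the media flows are matching.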