The Adtran community holiday season is starting next week! The holiday period will span from December 21, 2024 to January 6, 2025. During this time, responses to feedback form submissions may be delayed. If you are encountering product issues, you can reach out to Adtran support at any time.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Anonymous
Not applicable

Qos cannot get it to work with ipsec over gre tunnel

Jump to solution

Hi Support,

I cannot get Qos to work over IPsec over ip tunnel.  It use to work great with regular VPN.

  qos-policy out: VOIP

   map entry 10
     match dscp 46
     match dscp 26
     set DSCP value to 46
     priority bandwidth: unlimited
       note: since unlimited, other qos bandwidths cannot be assured
     packets matched: 170781, bytes matched: 66567385

   map entry default
     packets matched: 14038420, bytes matched: 3807165703
     packets dropped: 2088, bytes dropped: 2852972
     5 minute offered rate 455136 bits/sec, drop rate 480 bits/sec

Is there a way to find out why the drop rate is 480 bits/sec?

Is that because I don't have enough speed?

0 Kudos
1 Solution

Accepted Solutions
Anonymous
Not applicable

Re: Qos cannot get it to work with ipsec over gre tunnel

Jump to solution

This makes me think you are getting routed out a different interface.  Your output showed the interface negotiated to 10Mb/s, but you mentioned you got 35 Mb/s with a speed test.

View solution in original post

0 Kudos
9 Replies
Anonymous
Not applicable

Re: Qos cannot get it to work with ipsec over gre tunnel

Jump to solution

I will need some additional information to troubleshoot this.  Can you explain the WAN connection at this site (type, interface, upload/download, etc)?  Also, can you capture the output from a show interfaces along with a show qos map interface <int> during a test call while you are having issues?  I will also need a copy of your current configuration.  You can submit both of those to our FTP server with the instructions below:


Open Internet Explorer web browser on their PC
Type the following URL:  ftp://ftp.adtran.com


Press the Alt key, click View, and then click Open FTP Site in Windows Explorer


Double-click the "Incoming" folder
Drag and drop files from PC into the Internet Explorer window


Reply to this post with the exact filenames used so we can retrieve the files



Thanks,

Matt

Anonymous
Not applicable

Re: Qos cannot get it to work with ipsec over gre tunnel

Jump to solution

Were you ever able to resolve this issue?  If so, can you come back to this thread to update it so others can benefit from the solution?  If you still need assistance I would be happy to help, but will need the information requested from my last response.

Thanks,

Matt

Anonymous
Not applicable

Re: Qos cannot get it to work with ipsec over gre tunnel

Jump to solution

The wan connection is just a Time Warner Cable connection with 35 X 5.  When I change the routing from ospf to static route it works better, yet we still have a bit of issue.  I'm thinking that time warner is not giving them consistent speed, yet I'm not sure.

Anonymous
Not applicable

Re: Qos cannot get it to work with ipsec over gre tunnel

Jump to solution

Thanks for the update.  Changing the type of routing should not make a difference.  Here is a post that covers setting up QoS for an Ethernet WAN connection over the Internet.  It has a sample configuration and I wanted to highlight that as shown in this example, an important step is matching your upload speed with the traffic-shape rate command on the WAN interface.  This video also shows how to setup QoS on an Ethernet WAN connection starting at 2 minutes and 45 seconds.  I would recommend doing several speed tests to ensure you know the proper upload speed to configure. Unfortunately, when the Internet is used instead of a private leased circuit voice quality cannot be guaranteed, but hopefully a proper QoS configuration and error free interfaces will help with the voice quality.

Thanks,

Matt

Anonymous
Not applicable

Re: Qos cannot get it to work with ipsec over gre tunnel

Jump to solution

Hi Matt

Does this look right?

qos map VOIP 10

  match dscp 46

  match dscp 26

  priority unlimited

interface eth 0/2

  description Time Warner Cable

  ip address  XX.XX.XX.XX  255.255.255.248

  ip mtu 1500

  ip access-policy Public

  ip urlfilter Web_Http_Filter in

  ip urlfilter Web_Http_Filter out

  crypto map VPN

  no rtp quality-monitoring

  media-gateway ip primary

  bandwidth 5000000

  traffic-shape rate 5000000

  qos-policy out VOIP

  no awcp

  no shutdown

Here is what I get when I do show qos map int eth 0/2

  qos-policy out: VOIP

   map entry 10
     match IP packets with a DSCP value of 46
     match IP packets with a DSCP value of 26
     priority bandwidth: unlimited
       note: since unlimited, other qos bandwidths cannot be assured
     packets matched: 6331575, bytes matched: 1859848514

   map entry default
     packets matched: 14319957, bytes matched: 4138970576
     5 minute offered rate 137456 bits/sec, drop rate 0 bits/sec

  Input QoS Map not assigned for this interface

!

Anonymous
Not applicable

Re: Qos cannot get it to work with ipsec over gre tunnel

Jump to solution

You made this post for a NetVanta 7000 series, but it looks like this is for a different product.  I forgot to mention it earlier, but the drop rate you pointed out in your first post is on the default map entry, which is your non-prioritized traffic. 

The output from your last post looks correct.  Can you also supply the output of a show interfaces eth 0/2? Did you ever do the speed tests to confirm that you are in fact getting 5Mb upload?

Thanks,

Matt

Anonymous
Not applicable

Re: Qos cannot get it to work with ipsec over gre tunnel

Jump to solution

Hi Matt,

I ran a speed test.  They were getting 35 down and 5 up.  Hree is the show int eth 0/2

eth 0/2 is UP, line protocol is UP

  Description: Time Warner Cable

  Hardware address is 00:A0:C8:79:AE:69

  Ip address is XX.XX.XX.XX, netmask is 255.255.255.248

  MTU is 1500 bytes,  BW is 705032 Kbit

  10Mb/s, negotiated full-duplex, configured full-duplex

  ARP type: ARPA; ARP timeout is 20 minutes

  5 minute input rate 197368 bits/sec, 79 packets/sec

  5 minute output rate 186248 bits/sec, 83 packets/sec

    Queueing method

        Configured Queueing Method: fifo

        Effective  Queueing Method: weighted fair

    Output queue: 0/69/684/64/193 (size/highest/max total/threshold/drops)

      Conversations  0/23/256 (active/max active/max total)

      Available Bandwidth 3750000 kilobits/sec

    Interface Shaper: 5000/31250/31250 (rate/budget/max budget)

      625 bytes added to budget every 1 ms

      packet stats: 24185042/0/193/349371 (packets sent/waiting/dropped/delayed)

    28728507 packets input, 304077930 bytes

    22102269 unicasts, 6626238 broadcasts, 0 multicasts input

    0 unknown protocol, 0 symbol errors, 0 discards

    8 input errors, 0 runts, 0 giants

    8 no buffer, 0 overruns, 0 internal receive errors

    0 alignment errors, 0 crc errors

    24185235 packets output, 2783363691 bytes

    24162991 unicasts, 1416 broadcasts, 20828 multicasts output

    0 output errors, 0 deferred, 0 discards

    0 single, 0 multiple, 0 late collisions

    0 excessive collisions, 0 underruns

    0 internal transmit errors, 0 carrier sense errors

    0 resets, 5 throttles

Anonymous
Not applicable

Re: Qos cannot get it to work with ipsec over gre tunnel

Jump to solution

This makes me think you are getting routed out a different interface.  Your output showed the interface negotiated to 10Mb/s, but you mentioned you got 35 Mb/s with a speed test.

0 Kudos
Anonymous
Not applicable

Re: Qos cannot get it to work with ipsec over gre tunnel

Jump to solution

Thanks Matt, that was a big deal.  I can't believe I missed that.