Cisco – How to reduce latency on ASA 5510 WAN link

ciscocisco-asah-qosipv4latency

I have a Cisco ASA 5510 connecting our office via 2Mbit/s Internet. When Internet link fills up, latency to a well-connected host on Internet goes from 5-8 ms to 500-800 ms. With ping, it may look something like this (TCP performance seems to match this):

64 bytes from X: icmp_req=242 ttl=59 time=450 ms
64 bytes from X: icmp_req=243 ttl=59 time=458 ms
64 bytes from X: icmp_req=244 ttl=59 time=495 ms
64 bytes from X: icmp_req=245 ttl=59 time=186 ms
64 bytes from X: icmp_req=246 ttl=59 time=103 ms
64 bytes from X: icmp_req=247 ttl=59 time=5.18 ms
64 bytes from X: icmp_req=248 ttl=59 time=4.94 ms
64 bytes from X: icmp_req=249 ttl=59 time=4.65 ms
64 bytes from X: icmp_req=250 ttl=59 time=4.85 ms

I assume this is because large send queues on the 2 Mbit link. Since this is mainly office IT (from < 20 ppl), lateny is more important than throughput.

How can I measure how this latency is divided between outbound and inbound leg? If it turns out to be generated equally or mostly on inbound traffic, can I affect that (i.e. ingress throttling) or do I have to contact my ISP? How best to achieve this on ASA 8.2?

UPDATE: Short topolgy:

Ping node -[gbit]->
  ProCurve dist -[gbit]->
    ProCurve core -[gbit]->
      ASA -[100 mbit]->
        DSL -[copper]->
          upstream

ASA interface upstream:

asa# show interface Ethernet 0/3
Interface Ethernet0/3 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
    Input flow control is unsupported, output flow control is off
    Description: ### Upstream ###
    MAC address X, MTU 1500
    IP address X, subnet mask 255.255.255.252
    3480433364 packets input, 2625479988848 bytes, 0 no buffer
    Received 1010728 broadcasts, 0 runts, 11 giants
    11 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 pause input, 0 resume input
    0 L2 decode drops
    3160567056 packets output, 1537515646562 bytes, 0 underruns
    0 pause output, 0 resume output
    0 output errors, 0 collisions, 15 interface resets
    0 late collisions, 0 deferred
    6 input reset drops, 0 output reset drops, 0 tx hangs
    input queue (blocks free curr/low): hardware (255/240)
    output queue (blocks free curr/low): hardware (255/109)
Traffic Statistics for "outside":
    3487933998 packets input, 2561681053821 bytes
    3160334264 packets output, 1477359288037 bytes
    57746233 packets dropped
  1 minute input rate 193 pkts/sec,  209755 bytes/sec
  1 minute output rate 122 pkts/sec,  12734 bytes/sec
  1 minute drop rate, 1 pkts/sec
  5 minute input rate 177 pkts/sec,  174578 bytes/sec
  5 minute output rate 131 pkts/sec,  17600 bytes/sec
  5 minute drop rate, 2 pkts/sec

Best Answer

How can I measure how this latency is divided between outbound and inbound leg?

You can find the congested ping direction with hping on linux / cygwin.

If it turns out to be generated equally or mostly on inbound traffic, can I affect that (i.e. ingress throttling) or do I have to contact my ISP?

You can do it either way, but the ISP method is better since it won't transmit across the DSL before controlling the traffic. However, there is nothing fundamentally wrong with controlling both directions on the ASA (as long as you implement it correctly). I agree with you that linux is not a good enterprise qos solution, since there are non-trivial supportability issues with anyone who has to maintain the iptables policies.

How best to achieve this on ASA 8.2?

First be sure you know how much bandwidth you have in the Tx / Rx direction. Note that DSL uses ATM, which can be a little tricky due to the ATM cell tax.

Then, use hierarchical priority queueing (aka hierarchical QoS, or HQoS) on the ASA; this is a sample policy:

class-map CLASS_VOICE
 match dscp ef
 exit
class-map CLASS_VOICE_SIGNAL
 match dscp af31
 exit
!
policy-map POLICY_PRIORITIZE_VOICE
 ! Give VOICE and VOICE SIGNAL priority
 class CLASS_VOICE
  priority
 class CLASS_VOICE_SIGNAL
  priority
 class class-default
policy-map POLICY_TRAFFIC_SHAPE_INSIDE
 ! Shape all traffic to slightly less than the DSL modem's ingress bandwidth
 ! I assume you have 2Mbps here, but please measure what you have
 class class-default
  shape average 2000000 16000
  service-policy POLICY_PRIORITIZE_VOICE
!
policy-map POLICY_TRAFFIC_SHAPE_OUTSIDE
 ! Shape all traffic to slightly less than the DSL modem's egress bandwidth
 ! I assume you have 512Kbps here, but please measure what you have
 class class-default
  shape average 512000
  service-policy POLICY_PRIORITIZE_VOICE
!
service-policy POLICY_TRAFFIC_SHAPE_INSIDE interface INSIDE
service-policy POLICY_TRAFFIC_SHAPE_OUTSIDE interface OUTSIDE

This example assumes you implement both Tx and Rx HQoS on the ASA (and that you only use two interfaces on your ASA). It also assumes you have already marked your traffic correctly. However, by the time you finish trying to mark traffic on your powerconnects, you might think it's easier to put a real Cisco router in-line to do the marking for you. If you put a router inline, it's usually better to do the qos on the router.

Related Solutions

Cisco – What causes total output drops on a cisco switch interface

Unless someone is clearing counters you should never see any odometer-type counters (those that increment based on a packet action) decrease, they should always increase. That part sounds like a bug.

As far as what causes output drops in particular, there are so many different causes that it's very difficult to pinpoint it exactly. Sometimes there is congestion inside the switch's backplane and those might show up as output drops on the outgoing interface. In rare circumstances you can also get microbursts that don't show up when polled at 1 minute intervals that quickly overload the interface, but then drop back down very quickly. I would suggest grabbing the SNMP OID for output drops and then graphing that and see how it corresponds to the CLI counter.

Generally speaking, you don't want any output drops as they indicate a packet that did not make it to its destination. But, if you're running your links hot (which you say you're not) they're unavoidable to an extent, mostly due to interior switch buffering, etc.

Cisco – Output Drops on Serial interface: Better queueing or Output queue size

You're right, you wouldn't really see the burstiness easily on SNMP. 1GE can send 1.48Mpps, so it takes very very little time to congest the the 45Mbps, which can handle less than 75kpps.

If your ingress is 1GE and egress is 45Mbps, then obviously the congestion point of 45Mbps will need to drop packets. This is normal and expected. If you increase buffers you'll introduce more delay.
1GE takes 0.45ms to send 40 1500B IP frames, which is right now the amount of burst you can handle. However dequeueing them on the 45Mbps already takes 10ms.

If you don't have any acute problem, I would probably not do anything about it. But if some traffic is more eligible for dropping than other, then you should replace FIFO with class-based queueing. Say maybe you want to prioritize so that more ftp is dropped and less voip.
Then it'll also make more sense to add more buffering on the ftp traffic, as it's not really sensitive to delay.

If you want to try your luck with deeper buffers, something like this should suffice:

policy-map WAN-OUT
 class class-default
    fair-queue
    queue-limit 200 packets
!
interface Serial1/0
  service-policy output WAN-OUT

This would cause 50ms buffers on the Serial1 and would allow you to handle up-to 2.25ms burst from single Gige interface.

Best Answer

Related Solutions

Cisco – What causes total output drops on a cisco switch interface

Cisco – Output Drops on Serial interface: Better queueing or Output queue size

Related Topic