Who's skilled enough to know the reason for this symptom...

My workplace has a UC-540 attached to a cable modem, attached to the world wide web.

When we make VOIP outbound calls through the standard ISP, there is no auditory packet loss sympton; however, when we make calls to out sister branch through our VPN, we experience auditory packet loss symptoms.

I would think the VPN should only be affecting the encapsulation of the data. To my understanding the VPN packets and non-vpn packets all hit the router at the same time, and transport over the web in the same manner. Why would there be packet loss over only the VPN???

--Regarding QoS, if a standard layer 3 device receives a VOIP packet encapsulated in a VPN, do the QoS bits in the VOIP packet get acknowledged, or are they hidden by the VPN encapsulation?

They are hidden by the vpn.
There is a command that makes the router maintains it but not likely to be cause your problem.
How is the traffic normally? Not just voice over the vpn?

_________________
Networking is much like making love to a beautiful woman
Slide your equipment in to the rack, Stick your plug in the socket, and if you have done it right at the end everyone is happy

You should be able to configure your device to put the original packets dscp marking into the tunnel header packets, preserving that marking.

Are you sure your firewall/vpn device (on both sides) has enough CPU to be able to encapsulate, encrypt and decrpyt those millions of tiny voice packets? If not, that could be your problem.

_________________
www.mellowd.co.uk/ccie/

The symptom is that packet loss is experienced only over the VPN, not the un-encapsulated network; so in my thinking, the encapsulated unread QoS bits would be a prime culprit for this symptom.

?? Prey tell, what is that command that enables the QoS bits to be exposed throughout the encapsulation??

Is the CPU adequate? I surely dont know. The device is a standard UC540. How can i tell if the CPU can handle the VPN encapsulation in an acceptable speedy fashion?

How can I configure my device to preserver the dscp marking at the tunnel header packets?

IPP/DSCP QoS tags are automatically copied from the unencrypted packet to the encrypted one. You don't need to do anything special to do this.

Unless you are classifying packets at the same time (for example, if you're using 'match protocol rtp'). The classification process will not see the original IP headers, so it doesn't know how to prioritize them. In that case, you do need 'qos pre-classify'.

what device is at the sister branch terminating your vpn from the uc540? another uc500?

not all equipment supports qos on ipsec encrypted traffic

also how do you know its packet loss and not something else - what are you seeing exactly?

When you next run the VPN run sh proc cpu then sh proc cpu hist and these will tell you how your device is handling the encryption process.
When you run the first show command look for the encryption process and see what it's running at.

_________________
Good Luck,

David

Thx for your help!!!