With this I will not police VPN session. I will police all VPN traffic. Am I right?

MMMM that all depends on how you have your VPN tunnels configured and where you actually apply the policy.

If the traffic is entering a VPN tunnel over the internet - simple QoS will not fix the issue.....as how can you tell the VPN encrypting device there is congestion 2 hops away in the internet - you can't.

Please explain your issue and topology with as much detail as you have and lets see if we can fix it. All info in a diagram would be best - real IP addresses are not required for this.

HTH>

Inside -> ASA <- INTERNET

Users from Internet connects via Cisco VPN Client with ASA. Some users take too much bandwidth. I want to fix that, I want to allocate bandwidth for each VPN sessions and police or shape them with threshold 1Mbps

OK - not sure if you can do it per users/session, but I suppose if each user gets a specific IP every time then it's possible.

In the past I have performed QoS Policing on a specific group of users = the tunnel remtoe VPN group.

HTH>

Maybe this will be helpful.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml

This link doesn't open

Forbidden File or Application