QOS on ASA based on tunnel-group not working

Jan 19th, 2010

Hello all,

I have a lan2lan vpn on an ASA 5520 and am trying to limit the bandwidth of this tunnel going outside.

I have created the following configuration, but it is not working:

match tunnel-group
match flow ip destination-address

policy-map VPNQOS_PM
  police output 1000000

service-policy VPNQOS_PM interface outside

As a workaround I created the following configuration, which does the trick, but not as nicely as the above config:

access-list extended permit ip host host
access-list extended deny ip any any

match access-list

policy-map VPNQOS_PM
  police output 1000000

service-policy VPNQOS_PM interface outside

Does anybody know what I am doing wrong?


Ivan Martinon Wed, 01/27/2010 - 10:46

By outside you mean traffic going out to the internet or going through the vpn tunnel?

siennax Wed, 01/27/2010 - 11:40

Hi Ivan,

By outside I mean indeed traffic to the internet.

I think I have configured traffic through the tunnel at the moment.

What I really would like to know is what my faulty configuration should do and why it doesn't work...

Ivan Martinon Wed, 01/27/2010 - 11:41

Ok, so if that traffic is going out to the internet rather than going through the vpn tunnel this configuration will not work since the QoS config for a tunnel group applies only for traffic going through that crypto connection.

siennax Thu, 01/28/2010 - 02:26

Hi Ivan,

I thought we were differentiating between traffic going through the tunnel and the encrypted packets (ipsec/ike) going to the internet (peer). Not traffic that is not going through the vpn tunnel.

So what I really am trying to do is limit the bandwidth of a VPN site-to-site tunnel, which is tunnelgroup in my example.

I don't really care if the traffic within the tunnel is limited or the entire tunnel itself.

I can confirm that when I sent packets from to, the tunnel is established and the vpn works perfectly.

I can confirm that limiting works with the access-lists but I cannot get the limiting to work based on the tunnelgroup name (which is very dynamic and which I would prefer).
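For reference, this is the complete class-map / policy-map shape the ASA expects for policing one site-to-site tunnel by tunnel-group. It is an added example, not configuration from this thread, and the class-map name and the peer address (which is also the L2L tunnel-group name) are placeholders:

```cisco
! Added example, not from the thread. VPNQOS_CM and 203.0.113.10 are placeholders.
! For a site-to-site (ipsec-l2l) tunnel the tunnel-group name is the peer address.
! "match tunnel-group" must be paired with "match flow ip destination-address"
! so that each destination inside the tunnel becomes a separately policed flow.
class-map VPNQOS_CM
 match tunnel-group 203.0.113.10
 match flow ip destination-address
!
! The policer is configured under the class inside the policy-map; the rate is in bps.
policy-map VPNQOS_PM
 class VPNQOS_CM
  police output 1000000
!
! Apply on the interface where the encrypted traffic leaves the box.
service-policy VPNQOS_PM interface outside
!
! Verify that the class is matching packets and that the policer is counting:
show service-policy interface outside
```

The counters in `show service-policy` show whether the class matches at all; if they stay at zero, the traffic is not being selected into that tunnel-group's crypto connection, which is the case Ivan describes above.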
