Cisco Support Community

New Member

ASA QoS for SSLVPN

Hi,

I've written a nice simple QoS setup for VPN clients on an ASA5510 and it works perfectly for IPSEC clients.

class-map vpn-qos
  match flow ip destination-address
  match tunnel-group vpn-group

policy-map vpn-policy
  class vpn-qos
    priority

service-policy vpn-policy interface outside

And running:

show service-policy interface outside

Shows the policy and the packet count increasing.

However, if only SSLVPN (AnyConnect) users are connected, the count doesn't change. It appears SSLVPN clients just don't get the policy.

What can I do to apply it to them? Anything?


Accepted Solutions
Super Bronze

QoS is not supported for SSLVPN unfortunately.

New Member

D'oh! Well, at least that matches my testing. Any thoughts for a workaround?

Maybe a policy on the inside interface that matches traffic to the address pool designated for AnyConnect (or otherwise) clients? Although marking priority on an inbound policy will do nothing, no?

Perhaps a crude attempt to reserve bandwidth? Shape all traffic through the ASA down to x% of the available to leave a guaranteed y% for VPN use? Again I guess this will need to be applied on the inside interface...

Any thoughts welcome.

Super Bronze

For VPN-specific traffic, since it will be traversing through the Internet, QoS is not that necessary as the Internet is normally the bottleneck anyway. I guess if your ASA is quite a busy ASA, it will ensure that the VPN traffic gets prioritised, but as soon as it hits the Internet, there is nothing you could do.
