QOS on ASA based on tunnel-group not working

Hello all,

I have a lan2lan vpn on an ASA 5520 and am trying to limit the bandwidth of this tunnel going outside.

I have created the following configuration, but it is not working:

class-map 1.1.1.1_CM
match tunnel-group 1.1.1.1
match flow ip destination-address

policy-map VPNQOS_PM
class 1.1.1.1_CM
  police output 1000000

service-policy VPNQOS_PM interface outside

As a workaround I created the following configuration, which does the trick, but not as nicely as the above config:

access-list 1.1.1.1_ACL extended permit ip host 2.2.2.2 host 3.3.3.3
access-list 1.1.1.1_ACL extended deny ip any any

class-map 1.1.1.1_CM
match access-list 1.1.1.1_ACL

policy-map VPNQOS_PM
class 1.1.1.1_CM
  police output 1000000

service-policy VPNQOS_PM interface outside

Does anybody know what I am doing wrong?

Thanks!

4 REPLIES

Re: QOS on ASA based on tunnel-group not working

By outside, do you mean traffic going out to the internet or going through the vpn tunnel?

Re: QOS on ASA based on tunnel-group not working

Hi Ivan,

By outside I mean indeed traffic to the internet.

I think I have configured traffic through the tunnel at the moment.

What I really would like to know is what my faulty configuration should do and why it doesn't work...

Regards,

Tom

Re: QOS on ASA based on tunnel-group not working

Ok, so if that traffic is going out to the internet rather than going through the vpn tunnel, this configuration will not work, since the QoS config for a tunnel group applies only to traffic going through that crypto connection.

Re: QOS on ASA based on tunnel-group not working

Hi Ivan,

I thought we were differentiating between traffic going through the tunnel and the encrypted packets (ipsec/ike) going to the internet (peer), not traffic that is not going through the vpn tunnel.

So what I am really trying to do is limit the bandwidth of a VPN site-to-site tunnel, which is tunnel-group 1.1.1.1 in my example.

I don't really care if the traffic within the tunnel is limited or the entire tunnel itself.

I can confirm that when I send packets from 2.2.2.2 to 3.3.3.3, the tunnel 1.1.1.1 is established and the vpn works perfectly.

I can confirm that limiting works with the access-lists, but I cannot get the limiting to work based on the tunnel-group name (which is very dynamic and which I would prefer).