Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4330
Views
0
Helpful
1
Replies

RATE LIMIT (police) SSL VPN USERS ON ASA

veltech
Level 1
Level 1

‎12-04-2013 03:45 PM

Hi All,

We have a customer who has an ASA at head office and they want to limit bandwidth available to their remote users who login using the any connect client. We are considering a simple QoS policing policy which may work, but does anyone have a better solution or is this the best way?

Thanks,

1 person had this problem
Labels:
0 Helpful
1 Reply 1

Itzcoatl Espinosa
Cisco Employee
Cisco Employee

‎12-11-2013 12:37 PM

Hello,

I understand that you want to configure bandwidth limits for each AnyConnect client connection. 

Unfortunately, the ASA does not currently support QoS policing of traffic on a per-user or per-IP-address basis:

https://supportforums.cisco.com/docs/DOC-1361#Q_Does_ASA_SSL_VPN_AnyConnect_Client_or_Clie

ntless_support_QOS_and_policing_bandwidth_management_capabilites

The feature has been requested but it seems it will not be integrated in the near future.

The available workaround is to use simple QoS as you mention but it is not scalable at all.

  You may police the ASA WAN bandwidth based on the public IP address of each remote-access AnyConnect user hogging bandwidth:

access-list SSLVPN_LIMIT extended permit udp host host

(ASA ip address) eq 443

access-list SSLVPN_LIMIT extended permit tcp host host

(ASA ip address)

eq 443

!

class-map SSLVPN

match access-list SSLVPN_LIMIT

!

policy-map LIMIT

class SSLVPN

    police input 1500000

     police output 1500000

!

service-policy LIMIT interface outside

Thanks,

Itzcoatl

0 Helpful
Customers Also Viewed These Support Documents