Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

Per-Tunnel QoS on ISR 4451-X


we are migrating our VPN Hub routers from ISR 3825 to ISR 4451-X. With the 4451-X everything works fine, except the per-tunnel qos. When a spoke is signaling its nhrp group, the hub returns this error message

%NHRP-3-QOS_POLICY_APPLY_FAILED: Failed to apply QoS policy SHAPE_BW2000 mapped to NHRP group BW2000 on interface Tunnel0, to tunnel x.x.x.x due to policy installation failure

The router installs the qos policy only when the policy is empty. So there is no action like "shape average" or a child policy.

This is an example of my qos configuration for one group:


!acl for matching several dscp values
ip access-list extended Match_AK_CONTROL
 permit ip any any dscp cs6
 permit ip any any dscp cs5
!class-map matching dscp
class-map match-all AK_IPT
 match dscp ef
class-map match-all AK_CONTROL
 match access-group name Match_AK_CONTROL
!child policy
 class AK_IPT
  priority 200
  bandwidth remaining percent 5
 class class-default
  bandwidth remaining percent 95
!parent policy for bandwidth shaping
policy-map SHAPE_BW2000
 class class-default
  shape average 2000000
   service-policy WAN_AGGREGATION_OUT_V200
!nhrp group on Tunnel interface
interface Tunnel0
  ip nhrp map group BW2000 service-policy output SHAPE_BW2000


Any suggestions? Are there any changes I have to do in the configuration? I've tried many variations without any success. Only a policy-map like this is acceppted:

policy-map SHAPE_BW2000
 class class-default

But this policy is useless.

I've read about a bug, that there was a limitation to max. 8 spokes on the tunnel with ASR901 CSCts62082

Currently there are 82 spokes connected to this router.




Everyone's tags (7)

Accepted Solutions

Hello.I believe, that appxk9


I believe, that appxk9 licence (not enabled) is your problem.

Please enable it and let me know how it goes.


Hello.What is the firmware


What is the firmware version you are running?

Do you have license "appxk9" enabled?

What is the source interface for your tunnel?

hi,im currently running Cisco


im currently running Cisco IOS XE Software, Version 03.10.04.S, Version 15.3(3)S4

but I've already tried newer versions without success.


No, appxk9 is not enabled. Installed licences are: securityk9, ipbasek9, hseck9, throughput


The source interface of the tunnel is GigabitEthernet0/0/1

On the source interface is no qos policy applied (this is recommended in config guides)

Hello.I believe, that appxk9


I believe, that appxk9 licence (not enabled) is your problem.

Please enable it and let me know how it goes.

I've tried this, activating

I've tried this, activating the appxk9 eval licence. No change.

I'm only doing a normal QoS, no application routing or acceleration. So appx shouldn't matter.

Did you reload the router

Did you reload the router (after you enabled the license) and reapplied the policy after?

Could you provide "show lic" and "show ver".

after the reboot it acutally

after the reboot it acutally works! So you really need the appx license for qos!

Very very poor by cisco!!! There is no hint, neither in the documentation nor in the ordering guide.


Thanks for your help.

New Member

I know this issue has been

I know this issue has been resolved but maybe this link could help future comers. It is basically what has already been confirmed hear.


Per-Tunnel QoS for DMVPN 


Restrictions for Per-Tunnel QoS for DMVPN

 On ISR 4K series routers, you have to enable the appxk9 license for per-tunnel QOS feature. If you do not enable the appxk9 license, the commands are accepted but the QoS feature will not be enabled on tunnels.