topic Re: QOS on ASA based on tunnel-group not working in Network Security

QOS on ASA based on tunnel-group not working

siennax — Mon, 11 Mar 2019 16:58:59 GMT

Hello all,

I have a lan2lan vpn on an ASA 5520 and am trying to limit the bandwidth of this tunnel going outside.

I have created the following configuration, but it is not working:

class-map 1.1.1.1_CM
match tunnel-group 1.1.1.1
match flow ip destination-address

policy-map VPNQOS_PM
class 1.1.1.1_CM
police output 1000000

service-policy VPNQOS_PM interface outside

As a workaround I created the following configuration, which does the trick, but not as nicely as the above config:

access-list 1.1.1.1_ACL extended permit ip host 2.2.2.2 host 3.3.3.3
access-list 1.1.1.1_ACL extended deny ip any any

class-map 1.1.1.1_CM
match access-list 1.1.1.1_ACL

policy-map VPNQOS_PM
class 1.1.1.1_CM
police output 1000000

service-policy VPNQOS_PM interface outside

Does anybody know what I am doing wrong?

Thanks!

Re: QOS on ASA based on tunnel-group not working

Ivan Martinon — Wed, 27 Jan 2010 18:46:38 GMT

By outside you mean traffic going out to the internet or going throgh the vpn tunnel?

Re: QOS on ASA based on tunnel-group not working

siennax — Wed, 27 Jan 2010 19:40:06 GMT

Hi Ivan,

By outside I mean indeed traffic to the internet.

I think I have configured traffic through the tunnel at the moment.

What I really would like to know, is what my faulty configuration should do and why it doesn't work...

Regards,

Tom

Re: QOS on ASA based on tunnel-group not working

Ivan Martinon — Wed, 27 Jan 2010 19:41:53 GMT

Ok, so if that traffic is going out to the internet rather than going through the vpn tunnel this configuration will not work since the QoS config for a tunnel group applies only for traffic going through that crypto connection.

Re: QOS on ASA based on tunnel-group not working

siennax — Thu, 28 Jan 2010 10:26:07 GMT

Hi Ivan,

I thought we were differentiating between traffic going through the tunnel and the encrypted packets (ipsec/ike) going to the internet (peer). Not traffic that is not going through the vpn tunnel.

So what I really am trying to do, is limiting the bandwidth of a VPN site-to-site tunnel, which is tunnelgroup 1.1.1.1 in my example.

I don't really care if the traffic within the tunnel is limited or the entire tunnel itself.

I can confirm that when I sent packets from 2.2.2.2 to 3.3.3.3, the tunnel 1.1.1.1 is established and the vpn works perfectly.

I can confirm that limiting works with the access-lists but I cannot get the limiting to work based on the tunnelgroup name (which is very dynamic and which I would prefer).