We have an ASA (running v7.2 software) at our head office. We have a large number of remote connected sites which connect to head office via IPSEC VPN.

We have the one internet pipe which is shared by everything i.e. head office internet use, FTP transfers, VPN connections to remote sites, remote VPN users, etc.

The problem we have is that whenever the internet pipe is fully utilised which typically happens, for example, if we send software updates out to all our remote sites from a head office server, then this obviously has a knock-on effect on everything else - network speeds slow right down for all the remote offices, sometimes disconnections occur, etc. (We have tried limiting the number of updates sent out at the one time but will still find that the bandwidth is all used up, but just for shorter times)

What would people advise as the best practise for managing the traffic in this kind of set-up? What can be done in terms of prioritisation and bandwidth management of the traffic using the ASA itself?

What I don't want to do is to, for example, restrict the server that sends the software updates to, say, only 80% of the available bandwidth because there are times, when the network might be quieter, that we don't mind it grabbing all the bandwidth it can - I don't know if there is any practical way to allow it to “burst” to 100% at these times?

Any suggestions/advice on best practise for handling this kind of thing would be welcome!

Thanks.