05-14-2012 10:35 AM - edited 03-11-2019 04:06 PM
Hi,
I've written a nice simple QoS setup for VPN clients on an ASA5510 and it works perfectly for IPSEC clients.
class-map vpn-qos
 match flow ip destination-address
 match tunnel-group vpn-group
policy-map vpn-policy
 class vpn-qos
  priority
service-policy vpn-policy interface outside
And running:
show service-policy interface outside
Shows the policy and the packet count increasing.
However, if only SSLVPN (AnyConnect) users are connected, the count doesn't change. It appears SSLVPN clients just don't get the policy.
What can I do to apply it to them? Anything?
05-14-2012 11:33 PM
QoS is not supported for SSLVPN unfortunately.
05-15-2012 07:11 AM
D'oh! Well, at least that matches my testing. Any thoughts for a workaround?
Maybe a policy on the inside interface that matches traffic to the address pool designated for AnyConnect (or otherwise) clients? Although marking priority on an inbound policy will do nothing, no?
Perhaps a crude attempt to reserve bandwidth? Shape all traffic through the ASA down to x% of the available to leave a guaranteed y% for VPN use? Again I guess this will need to be applied on the inside interface...
Any thoughts welcome.
05-16-2012 04:32 AM
For VPN-specific traffic, since it will be traversing the Internet, QoS is not that necessary as the Internet is normally the bottleneck anyway. I guess if your ASA is quite a busy ASA, it will ensure that the VPN traffic gets prioritised, but as soon as it hits the Internet, there is nothing you could do.