cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2473
Views
0
Helpful
3
Replies

ASA QoS for SSLVPN

James.Longman
Beginner
Beginner

Hi,

I've written a nice simple QoS setup for VPN clients on an ASA5510 and it works perfectly for IPSEC clients.

class-map vpn-qos

match flow ip destination-address

match tunnel-group vpn-group

policy-map vpn-policy

  class vpn-qos

    priority

service-policy vpn-policy interface outside

And running:

show service-policy interface outside

Shows the policy and the packet count increasing.

However, if only SSLVPN (AnyConnect) users are connected, the count doesn't change. It appears SSLVPN clients just don't get the policy.

What can I do to apply it to them? Anything?

1 Accepted Solution

Accepted Solutions

Jennifer Halim
Cisco Employee
Cisco Employee

QoS is not supported for SSLVPN unfortunately.

View solution in original post

3 Replies 3

Jennifer Halim
Cisco Employee
Cisco Employee

QoS is not supported for SSLVPN unfortunately.

D'oh! Well, at least that matches my testing. Any thoughts for a work around?

Maybe a policy on the inside interface that matches traffic to the address pool designated for AnyConnect (or otherwise) clients? Although marking priority on an inbound policy will do nothing, no?

Perhaps a crude attempt to reserve bandwidth? Shape all traffic through the ASA down to x% of the available to leave a gauranteed y% for VPN use? Again I guess this will need to be applied on the inside interface...

Any thoughts welcome.

For VPN specific traffic, since it will be traversing through the Internet, QoS is not that necessary as the Internet is normally the bottle neck anyway. I guess if your ASA is quite a busy ASA, it will ensure that the VPN traffic gets prioritise but as soon as it hits the internet, there is nothing you could do.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: