QOS on ASA based on tunnel-group not working

siennax
Level 1

Hello all,

I have a lan2lan vpn on an ASA 5520 and am trying to limit the bandwidth of this tunnel going outside.

I have created the following configuration, but it is not working:

class-map 1.1.1.1_CM
match tunnel-group 1.1.1.1
match flow ip destination-address

policy-map VPNQOS_PM
class 1.1.1.1_CM
  police output 1000000

service-policy VPNQOS_PM interface outside

As a workaround I created the following configuration, which does the trick, but not as nicely as the above config:

access-list 1.1.1.1_ACL extended permit ip host 2.2.2.2 host 3.3.3.3
access-list 1.1.1.1_ACL extended deny ip any any

class-map 1.1.1.1_CM
match access-list 1.1.1.1_ACL

policy-map VPNQOS_PM
class 1.1.1.1_CM
  police output 1000000

service-policy VPNQOS_PM interface outside

Does anybody know what I am doing wrong?

Thanks!

4 Replies

Ivan Martinon
Level 7

By outside you mean traffic going out to the internet or going through the vpn tunnel?

Hi Ivan,

By outside I mean indeed traffic to the internet.

I think I have configured traffic through the tunnel at the moment.

What I really would like to know, is what my faulty configuration should do and why it doesn't work...

Regards,

Tom

Ok, so if that traffic is going out to the internet rather than going through the vpn tunnel this configuration will not work since the QoS config for a tunnel group applies only for traffic going through that crypto connection.

Hi Ivan,

I thought we were differentiating between traffic going through the tunnel and the encrypted packets (ipsec/ike) going to the internet (peer). Not traffic that is not going through the vpn tunnel.

So what I really am trying to do, is limiting the bandwidth of a VPN site-to-site tunnel, which is tunnelgroup 1.1.1.1 in my example.

I don't really care if the traffic within the tunnel is limited or the entire tunnel itself.

I can confirm that when I send packets from 2.2.2.2 to 3.3.3.3, the tunnel 1.1.1.1 is established and the vpn works perfectly.

I can confirm that limiting works with the access-lists but I cannot get the limiting to work based on the tunnelgroup name (which is very dynamic and which I would prefer).
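Added example (mine, not from the thread, Cisco or any ASA tooling): a small Python checker that parses the MPF statements pasted above and flags the structural mistakes that most often break tunnel-group policing. The rules it encodes are my reading of the ASA configuration guide and should be confirmed against the guide for your release: a class-map that matches a tunnel group supports only `police output`, and `match flow ip destination-address` is only valid alongside `match tunnel-group` and is what the guide pairs with policing. Both configs from the thread are embedded as sample input, together with a constructed broken variant (`BAD_CM`, `BAD_PM`, `9.9.9.9` are hypothetical). Run against the thread's first config the checker reports nothing, which agrees with where the replies are heading: the syntax is the documented pattern, so the question is which traffic the tunnel-group class actually matches, not how it is written.

```python
import re

# Sample input copied from the thread's first (tunnel-group) attempt.
THREAD_TG_CONFIG = """
class-map 1.1.1.1_CM
match tunnel-group 1.1.1.1
match flow ip destination-address

policy-map VPNQOS_PM
class 1.1.1.1_CM
  police output 1000000

service-policy VPNQOS_PM interface outside
"""

# Sample input copied from the thread's ACL-based workaround.
THREAD_ACL_CONFIG = """
access-list 1.1.1.1_ACL extended permit ip host 2.2.2.2 host 3.3.3.3
access-list 1.1.1.1_ACL extended deny ip any any

class-map 1.1.1.1_CM
match access-list 1.1.1.1_ACL

policy-map VPNQOS_PM
class 1.1.1.1_CM
  police output 1000000

service-policy VPNQOS_PM interface outside
"""

# Constructed broken variant (hypothetical names and peer): input policing,
# no flow match, and a policy-map that is never applied to an interface.
BROKEN_CONFIG = """
class-map BAD_CM
match tunnel-group 9.9.9.9
policy-map BAD_PM
class BAD_CM
  police input 1000000
"""


def parse_asa_mpf(config):
    """Collect class-map, policy-map, access-list and service-policy statements.

    Context is tracked by keyword rather than indentation, because pasted
    configs (like the ones in the thread) often lose the leading space that
    the ASA's running-config shows under class-map and policy-map.
    """
    class_maps, policy_maps, acls, service_policies = {}, {}, set(), []
    cur_cm = cur_pm = cur_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"class-map\s+(\S+)$", line):
            cur_cm, cur_pm, cur_class = m.group(1), None, None
            class_maps.setdefault(cur_cm, [])
        elif m := re.match(r"policy-map\s+(\S+)$", line):
            cur_pm, cur_cm, cur_class = m.group(1), None, None
            policy_maps.setdefault(cur_pm, {})
        elif m := re.match(r"access-list\s+(\S+)\s", line):
            cur_cm = cur_pm = cur_class = None
            acls.add(m.group(1))
        elif m := re.match(r"service-policy\s+(\S+)\s+(interface\s+\S+|global)$", line):
            cur_cm = cur_pm = cur_class = None
            service_policies.append((m.group(1), m.group(2)))
        elif cur_cm is not None and line.startswith("match "):
            class_maps[cur_cm].append(line)
        elif cur_pm is not None and (m := re.match(r"class\s+(\S+)$", line)):
            cur_class = m.group(1)
            policy_maps[cur_pm].setdefault(cur_class, [])
        elif cur_pm is not None and cur_class is not None:
            policy_maps[cur_pm][cur_class].append(line)  # an action such as police
    return class_maps, policy_maps, acls, service_policies


def check_tunnel_group_qos(config):
    """Return a list of findings; an empty list means no structural problem found."""
    class_maps, policy_maps, acls, service_policies = parse_asa_mpf(config)
    applied = {name for name, _ in service_policies}
    findings = []
    for pm_name, classes in policy_maps.items():
        if pm_name not in applied:
            findings.append(f"policy-map {pm_name}: never applied with service-policy")
        for cls_name, actions in classes.items():
            if cls_name == "class-default":
                continue
            matches = class_maps.get(cls_name)
            if matches is None:
                findings.append(f"policy-map {pm_name}: class {cls_name} has no class-map")
                continue
            by_tunnel = any(m.startswith("match tunnel-group ") for m in matches)
            by_flow = "match flow ip destination-address" in matches
            policed = any(a.startswith("police ") for a in actions)
            if by_flow and not by_tunnel:
                findings.append(f"class-map {cls_name}: match flow is only valid with match tunnel-group")
            if by_tunnel and policed and not by_flow:
                findings.append(f"class-map {cls_name}: tunnel-group class is policed without match flow ip destination-address")
            if by_tunnel and any(a.startswith("police input") for a in actions):
                findings.append(f"policy-map {pm_name}/{cls_name}: only police output is supported for tunnel-group classes")
            for m in matches:
                if m.startswith("match access-list "):
                    acl = m.split()[2]
                    if acl not in acls:
                        findings.append(f"class-map {cls_name}: access-list {acl} is not defined")
    return findings


if __name__ == "__main__":
    for label, cfg in [("tunnel-group", THREAD_TG_CONFIG), ("acl", THREAD_ACL_CONFIG), ("broken", BROKEN_CONFIG)]:
        print(label, check_tunnel_group_qos(cfg) or "no structural findings")
```

The checker only looks at the shape of the policy; it cannot tell whether the tunnel-group class will see the packets you care about, which is exactly the point Ivan raises about traffic through the crypto connection versus traffic to the internet.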
