11-20-2012 09:43 AM - edited 03-12-2019 06:04 PM
Hi,
We have two ASA 5510s in separate locations, connected across the internet.
We have a site-to-site VPN between each of the ASAs that enables a SAN device at each end to replicate data to the other.
The replication, when running, will consume all available bandwidth on each WAN connection.
We wish to police the traffic on the VPN to 2 megabits per second, which in turn will limit the rate of replication.
I've extracted the required config from some examples:
http://blog.ipexpert.com/2010/01/04/quality-of-service-for-vpn-part-1-asa/
and our config is as follows:
(Define a class map to identify VPN traffic)
class-map HQ-VPN-QoS
match flow ip destination-address
match tunnel-group <tunnel group name - which is the external IP address on the remote firewall - think this was set up by the ASDM VPN Wizard>
(Rate-Limit VPN traffic by defining the policy)
policy-map Outside-policy
class HQ-VPN-QoS
police output 2000000 1500
(Attach the policy to the outside interface to implement it)
service-policy Outside-policy interface Outside
However, when we run:
show service-policy police
Interface Outside:
Service-policy: Outside-policy
Class-map: HQ-VPN-QoS
Output police Interface Outside:
cir 2000000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions: drop
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
We don't see any traffic conforming to the policy. However, there is plenty of traffic flowing across the VPN as replication was in operation at the time.
The very last comment at: http://blog.ipexpert.com/2010/01/04/quality-of-service-for-vpn-part-1-asa/ states:
"What about a case where the VPN tunnel terminates on ASA peers (2 ASAs connected to form a VPN tunnel). QoS doesnt seem to work as all traffic is placed in the best effort queue. Am I missing something here?"
I've not been able to confirm that our traffic is placed in the best effort queue (not sure how to check this) - however, we don't see the traffic matching the QoS policy - so perhaps it is being placed elsewhere?
Could anyone provide any further insight into this situation, please?
Many thanks in anticipation of your help.
10-07-2013 11:10 AM
Sorry to bring back up an older post, but I've run into the same problem and was hoping someone would answer it. I can't seem to get my ASA 5505s to police VPN traffic (they have a tunnel between them). I have it set to police any traffic that matches the VPN tunnel group, and even set it to a really low number to see if it would match, but nothing's happening. I too ran across that post from the URL he referenced, but no one there followed up with a response either.
Is there something specific that has to be set to get peered ASAs to police VPN traffic that's different than the normal config?
10-07-2013 03:51 PM
Hi,
I don't think there was actually anything wrong with the config we made. I'm now able to see the stats to confirm that the policy is working... I just grabbed these from our device.
Service-policy: Outside-Internet-policy
Class-map: HQ-VPN-QoS
Output police Interface Outside-Internet:
cir 9500000 bps, bc 4748 bytes
conformed 30457366 packets, 34437963684 bytes; actions: transmit
exceeded 8405 packets, 12523038 bytes; actions: drop
conformed 1755648 bps, exceed 632 bps
If I recall correctly, I think the "gotcha" is that the policy doesn't get applied until the VPN is started up next time.
After applying your QoS policy, try logging off the VPN. This can be done using ASDM via:
Monitoring > VPN > VPN Statistics > Sessions > Select Session > hit "logout" on the right hand side.
You should find that your VPN then disconnects and reestablishes itself with the policy in place.
Create some traffic that should show up in your policy stats and check them with:
show service-policy police
I think that you'll then find that the counters start to populate and no longer appear blank.
If I recall correctly, we found this out by accident, when working on the VPN at the same time as making some QoS changes - we suddenly noticed that the stats had started working, and suspected that the policy didn't get applied until next time the VPN came up.
HTH
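To make the check described above repeatable, here is an added example (not code from the thread or from Cisco) that parses the "show service-policy police" output quoted in this thread and flags a class whose counters have never moved, which is the symptom of the policy not yet being applied to an existing tunnel. The two sample outputs are the ones posted above, embedded here as constructed test input.

```python
import re

# Constructed samples: the "before" output from the original post (all counters zero)
# and the "after" output from the follow-up, once the tunnel was re-established.
BEFORE = """Service-policy: Outside-policy
Class-map: HQ-VPN-QoS
Output police Interface Outside:
cir 2000000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions: drop
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
"""
AFTER = """Service-policy: Outside-Internet-policy
Class-map: HQ-VPN-QoS
Output police Interface Outside-Internet:
cir 9500000 bps, bc 4748 bytes
conformed 30457366 packets, 34437963684 bytes; actions: transmit
exceeded 8405 packets, 12523038 bytes; actions: drop
conformed 1755648 bps, exceed 632 bps
"""

CLASS_RE = re.compile(r"Class-map:\s+(\S+)")
CIR_RE = re.compile(r"cir (\d+) bps, bc (\d+) bytes")
CONF_RE = re.compile(r"conformed (\d+) packets, (\d+) bytes")   # skips the "conformed N bps" rate line
EXC_RE = re.compile(r"exceeded (\d+) packets, (\d+) bytes")

def parse_police(text):
    """Return {class_map: {cir_bps, bc_bytes, conformed_pkts, conformed_bytes, exceeded_pkts, exceeded_bytes}}."""
    stats, current = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.search(line):
            current = stats.setdefault(m.group(1), {})
        elif current is None:
            continue
        elif m := CIR_RE.search(line):
            current["cir_bps"], current["bc_bytes"] = map(int, m.groups())
        elif m := CONF_RE.search(line):
            current["conformed_pkts"], current["conformed_bytes"] = map(int, m.groups())
        elif m := EXC_RE.search(line):
            current["exceeded_pkts"], current["exceeded_bytes"] = map(int, m.groups())
    return stats

def assess(stats, class_map):
    """'idle' if the policer has never seen a packet (bounce the tunnel or clear the
    existing conns, as the thread suggests), else 'policing' plus the share of packets dropped."""
    s = stats[class_map]
    total = s["conformed_pkts"] + s["exceeded_pkts"]
    if total == 0:
        return "idle", 0.0
    return "policing", s["exceeded_pkts"] / total
```

Paste the live output of "show service-policy police" in place of the samples; a class that stays "idle" while replication traffic is flowing points to the pre-existing-flow issue rather than a broken class-map.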
10-07-2013 04:02 PM
Ah-ha, thanks Robert. I think I had just about come to that same conclusion when I saw your response come in. It looks like any policy map won't apply to existing connections/flows, they have to be new ones. Once I cleared all existing connections (clear conn) it started working. Thanks!
10-08-2013 01:38 PM
I had the same problem when using IKEv2; when I switched to IKEv1 (and restarted the VPN) it worked like a charm.