IPSec VPN upload Bandwidth

sos66
Level 1

I'm an MSP that is managing a Cisco ASA firewall in a datacenter - Software Version 9.16(4)14
The ISP connection is 500 MB down/100 MB up
We have about 20 IPSec VPN tunnels & 50 RAS VPNs at any given time on this firewall with a mixture of IKEv1 & IKEv2
One of the VPN tunnels is pulling data from an AS400 to an office, resulting in all 100 Mb of upload speed being utilized.  This in turn causes issues for all the other users. 

I do not have familiarity with policing traffic and there is nothing currently configured for policing on the network or firewall, but I would like to rate-limit this single IPSec VPN so they can only use up to 80% of the bandwidth. 

Datacenter - we have 30 sub-interfaces on the ASA.  The network in question is a VLAN sub-interface, layer-2, /24 subnet with its gateway being the firewall.  (10.10.10.0/24) - (firewall 10.10.10.1/24)
Office - it too is a Layer-2 network /24 with its gateway being the office firewall.  Please note I do not manage the office firewall - another MSP manages it.  (192.168.12.0/24) - (firewall 192.168.12.1/24)

Tunnel - PFS is turned off / all IP addresses are private IPv4 / all traffic is No-NAT (Section 1), so the real IPs from the Office talk to the real IPs in the Datacenter.  Of course the IPs I listed above are not the real IPs; I made them up to protect my client. 



9 Replies

Joseph W. Doherty
Hall of Fame

"The ISP connection is 500MB down/100 MB up"

Connected directly to your FW or do you have a router in place (which you control)?

We have a dumb layer 2 switch between the firewall pair and the ISP. 

MHM


@MHM Cisco World wrote:

(I hate QoS) 

MHM


Really?!  I'm surprised, since you're very knowledgeable about so many aspects of networking.

Is that just from a lack of understanding QoS (which is common) or some other reason(s)?

If another reason(s), perhaps you'll open a posting on why QoS deserves to be hated.  Could be a worthwhile topic of discussion.

Thanks for these nice words 

Two topics I hate: QoS and multicast (even so, with multicast I started to finish it, but I still hate it)

Why?

Because for switches there is a Cisco-ready config; for routers you need to calculate QoS settings according to the BW of the link, and I see it as a loss of time. Maybe one day one engineer, or me (lol..), will make an app that makes it easy for engineers to get the right value instead of dealing with many numbers.

Thanks again 

Have a nice day 

MHM


@MHM Cisco World wrote:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82310-qos-voip-vpn.html

Check this link, friend; I think it is the solution for your case.

MHM


BTW, I came across that yesterday, too.  At first, I noticed it was published in 2014, so I was worried how much might still be applicable (possibly a lot, as I read in that document that it applies to version 9.x).

Second, again, being unfamiliar with ASA QoS, off the top of my head, could not explain how to use that information, in that reference, in this case.  (At least without my additional study of ASA QoS and further clarifications about the OP's environment.)

That noted, it's possible ASA QoS might be a solution and it's possible that reference contains what you need to know.

Normally, QoS could deal with your issue.  Likely a dumb L2 switch has no QoS features, and, unfortunately, I'm not knowledgeable about ASA QoS capabilities, if any.

Hello
Possibly apply a modular (MPF) policy to the client VPN to limit its traffic in/out on the tunnel

example - subnet 10.10.10.0/24

access-list vpnusers_acl extended permit ip 10.10.10.0 255.255.255.0 any

class-map vpn_cm
 match access-list vpnusers_acl

policy-map vpn_pm
 description police tunnel to 1mb
 class vpn_cm
  police input 1000000
  police output 1000000


or just use the class class-default

policy-map vpn_pm
 description police tunnel to 1mb
 class class-default
  police input 1000000
  police output 1000000

service-policy vpn_pm interface <client tunnel>

access-list in_out extended permit ip any any
access-group in_out in interface <client tunnel>
access-group in_out out interface <client tunnel>



Kind Regards
Paul
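The policing example above hard-codes 1 Mbps, while the original question asks for 80% of a 100 Mb uplink for one tunnel. The following is an added example (my own code, not from the thread or from Cisco) that turns a link speed and a percentage into the bps rate and byte burst the ASA police command takes, checks them against the ranges the ASA CLI accepts (8000-2000000000 bps and 1000-512000000 bytes; these limits are my assumption from the ASA command reference, so verify them on your release), and emits a policy in the same access-list/class-map/policy-map shape as the reply above, narrowed to the datacenter-to-office pair from the question. The interface name "outside", the burst sizing of 250 ms at the policed rate, and the policy/ACL names are assumptions for illustration.

```python
"""Derive ASA 'police' values for a share of a link and emit the matching
MPF policy. Added example; not code from the thread or from Cisco."""

# ASA 'police' argument ranges (assumed from the ASA command reference;
# confirm with '?' on the target release before relying on them).
ASA_MIN_RATE_BPS = 8_000
ASA_MAX_RATE_BPS = 2_000_000_000
ASA_MIN_BURST_BYTES = 1_000
ASA_MAX_BURST_BYTES = 512_000_000


def police_params(link_bps: int, fraction: float, burst_ms: int = 250) -> tuple[int, int]:
    """Return (conform-rate in bps, conform-burst in bytes) for `fraction` of a link.

    The burst is sized to `burst_ms` worth of traffic at the policed rate, a
    common starting point for bulk transfers such as the AS400 pull; raise it
    if the policer drops too eagerly. Values outside what the ASA accepts
    raise ValueError instead of producing a config the box will reject.
    """
    if not 0 < fraction <= 1:
        raise ValueError("fraction must be in (0, 1]")
    rate = int(link_bps * fraction)
    burst = int(rate / 8 * burst_ms / 1000)  # bits/s -> bytes over burst_ms
    if not ASA_MIN_RATE_BPS <= rate <= ASA_MAX_RATE_BPS:
        raise ValueError(f"conform-rate {rate} bps is outside the ASA range")
    if not ASA_MIN_BURST_BYTES <= burst <= ASA_MAX_BURST_BYTES:
        raise ValueError(f"conform-burst {burst} bytes is outside the ASA range")
    return rate, burst


def asa_police_policy(src_net: str, src_mask: str, dst_net: str, dst_mask: str,
                      rate_bps: int, burst_bytes: int, interface: str = "outside",
                      acl: str = "vpn_police_acl", cmap: str = "vpn_cm",
                      pmap: str = "vpn_pm") -> str:
    """Build the ACL, class-map, policy-map and service-policy lines.

    Only the upload direction (datacenter -> office) is policed, since that
    is the direction saturating the 100 Mb uplink in the question. Note the
    ASA allows a single service-policy per interface, so on a box that
    already has one, the class belongs inside that existing policy-map.
    """
    return "\n".join([
        f"access-list {acl} extended permit ip {src_net} {src_mask} {dst_net} {dst_mask}",
        f"class-map {cmap}",
        f" match access-list {acl}",
        f"policy-map {pmap}",
        f" description police tunnel upload to {rate_bps} bps",
        f" class {cmap}",
        f"  police output {rate_bps} {burst_bytes} conform-action transmit exceed-action drop",
        f"service-policy {pmap} interface {interface}",
    ])


if __name__ == "__main__":
    # 80% of the 100 Mb uplink from the question; the subnets are the
    # made-up ones the poster used, not real addresses.
    rate, burst = police_params(100_000_000, 0.8)
    print(asa_police_policy("10.10.10.0", "255.255.255.0",
                            "192.168.12.0", "255.255.255.0", rate, burst))
```

Before pushing the result, compare the generated ACL against the tunnel's crypto ACL: if the class-map matches more than the one tunnel's traffic, the other 19 tunnels and the RAS users get policed too, which would recreate the problem the poster is trying to solve.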