01-22-2015 11:44 AM - edited 03-05-2019 12:38 AM
Hello all,
I'm trying to implement service policy on our ipsec tunnels on ASR1001. Version: asr1001-universalk9.03.13.01.S.154-3.S1-ext.bin
Here is the typical Tunnel configuration:
interface Tunnel100
 ip address 172.x.x.x 255.255.255.252
 ip mtu 1450
 ip access-group ACL_IN in
 ip access-group ACL_OUT out
 ip policy route-map ForwardIP
 ip ospf network point-to-point
 ip ospf mtu-ignore
 ip ospf cost 40
 qos pre-classify
 tunnel source ZZ.ZZ.ZZ.ZZ
 tunnel mode ipip
 tunnel destination YY.YY.YY.YY
 tunnel protection ipsec profile IPSec-AES
 service-policy input Tunnel_IN
When I try to add an output service-policy on that interface, I get an error:
(nbar): (err): NBAR is not supported on Tunnel10042
If I try to enable ip nbar protocol-discovery, I get an error:
% NBAR Error: Can not enable Protocol-discovery NBAR is not supported on this interface
Is it possible to use NBAR on that interface?
01-23-2015 07:35 AM
NBAR is not supported on the following logical interfaces:
Dialer interfaces
Dynamic tunnels such as Dynamic Virtual Tunnel Interface (DVTI)
Fast Etherchannels
IPv6 tunnels that terminate on the device
MPLS
Overlay Transport Virtualization (OTV) overlay interfaces
01-23-2015 09:26 AM
Is there any workaround for it?
01-23-2015 10:12 AM
Configure NBAR on the downstream physical interface
01-23-2015 11:27 AM
Will this policy work on IPSEC tunnels?
I thought qos pre-classify works only when you implement qos on tunnel interface.
With NBAR enabled on physical interface the tunnel is still not configurable with NBAR policies