Showing results for 
Search instead for 
Did you mean: 



As per the subject, we are receiving this error in the log buffer on a 3845 router running 12.4(24)T4. Our setup is that we're running DMVPN, and have configured per-tunnel QoS for DMVPN, exactly as per the Cisco documentation ( and the issue we're finding is that on the hub end (the 3845), the following full error is being received:

Dec  8 10:04:11: %NHRP-3-QOS_POLICY_APPLY_FAILED: Failed to apply QoS policy qos_setoutbound_lb-sh_pm mapped to NHRP group LB_tunnel0 on interface Tunnel0, to tunnel due to policy installation failure

There is not much info on this error... I've looked it up, and all I can find is this fairly useless document:

Has anyone seen this sort of issue before when configuring per-tunnel QoS for DMVPN? Any assistance would be much appreciated. I'll try and include some show command outputs when I can.

10 Replies 10

Cisco Employee
Cisco Employee


Could you share your QoS configuration on the hub router? One restriction with per-tunnel QoS for DMVPN is that, you cannot have an user-defined class under the parent policy-map with queuing actions. The only class allowed is "class-default" with action "shaping", and all user-defined classes with queuing actions would have to be applied to the child policy under the shaper. This would be one reason you'd see the NHRP-3-QOS_POLICY_APPLY_FAILED error you observed.

Hope this helps,



Interesting, thanks for that Wen. Our QoS is primarily aimed at ensuring bandwidth for certain applications, but we do use the priority command to ensure voice traffic is queued faster so that will be our problem, I think; in essence our QoS is configured as follows:

  1. A series of ACLs define the traffic to match on (some port-based such as TCP25, TCP3389 etc. and some address-based such as any traffic from certain servers)
  2. A series of class maps reference these ACLs
  3. A policy map is then used to set outbound bandwidth and priority statements against those class maps - our requirement here is to ensure certain traffic gets a stated amount of the bandwidth, and the priority statement ensures voice traffic is queued first (unless we've got that wrong!?)
  4. A second policy map is then used to shape traffic to the remote router (based on a class map that refers to an ACL matching the destination IP range) and also applies the first policy map

The policy maps are as follows:

policy-map qos_setoutbound_lb-sh_pm

class qos_voip_cm

    priority 3072

class qos_rdp_cm

    bandwidth 2048

class qos_msds_cm

    bandwidth 2048

class qos_rmi_cm

    bandwidth 1024

class qos_http_cm

    bandwidth 5632

class class-default


     random-detect dscp-based

policy-map qos_shapeoutbound_lb-sh_pm

class qos_to_lb-sh_cm

    shape average 18000000

  service-policy qos_setoutbound_lb-sh_pm

The command on the tunnel interface is: ip nhrp map group LB_tunnel0 service-policy output qos_setoutbound_lb-sh_pm

I think that the policy map that sets the priority and bandwidth statements would be the problem then, as that affects the queuing? I'd be interested in what you think a solution might be - maybe we mark traffic on the ingress to the hub router (from the LAN) and then let the QoS engine queue based on that?

Frustrating that this restriction isn't listed in the Cisco document, which has a "restrictions" section....