Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1055
Views
0
Helpful
0
Replies

AnyConnect and ASAv DSCP Preservation behaviour

dongill
Level 1
Level 1

‎08-06-2020 02:10 AM - edited ‎08-06-2020 02:16 AM

Hi,

 

I'm trying to understand the behaviour of the ASAv with AnyConnect Client SSL encapsulation and DSCP markings.

 

When encapsulating traffic destined to a remote AnyConnect SSL Client, does the ASAv preserve the DSCP markings from the original packet and copy these to the outer SSL / DTLS tunnel IP header?

 

We are investigating the use of this with a WAN Edge QoS policy and need to use DSCP values for traffic management rather than IP address [the QoS policy is application based].

 

There wont be any QoS functions applied to traffic at the ASAv, just preserve the DSCP value for an upstream router to then act on.

 

This slightly older guide refers to "Until ASA Version 9.2, the ASA did not preserve the ToS bits." and isn't clear whether it now does?

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82310-qos-voip-vpn.html#anc11

 

I have also found this feature request, but it isn't clear:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCty28878

 

Can anyone provide an explanation or advice on how this can be achieved?

 

Thanks!

2 people had this problem
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents