Hi!
I need help configuring QoS for an RA VPN tunnel terminated on a Cisco ASA 5505, v8.3. I want to give remote users priority over other traffic. Since I have a DSL modem behind the Cisco ASA, I have to shape traffic on the ASA as well.
I configured the ASA using traffic shaping and hierarchical priority queuing. I classified traffic based on tunnel group. Here is the configuration:
class-map DM_INLINE_Child-Class
 match tunnel-group bigvpn
!
!
policy-map DM_INLINE_Child-Policy
 class DM_INLINE_Child-Class
  priority
policy-map outside-policy
 class class-default
  shape average 512000
  service-policy DM_INLINE_Child-Policy
service-policy outside-policy interface outside
After I applied this policy, I tested it. I was uploading some other traffic out and at the same time made a remote VPN connection to the ASA. The result was bad, since VPN traffic suffered and was not prioritized over other traffic. I found in the ASA config guide, among other things, that there is a restriction:
For hierarchical priority queuing, for encrypted VPN traffic, you can only match traffic based on the DSCP or precedence setting; you cannot match a tunnel group.
Does it mean that I cannot classify RA VPN traffic using a tunnel group? Is there any other way to classify RA VPN traffic and give it priority? How can I mark it with a DSCP value?
Also, can someone tell me what is the best way to monitor QoS? I know there is the show service-policy command, but this command does not give me accurate information about the configured QoS.
Thanks in advance,
Dejan
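
An added example, not part of the original post: the same hierarchical policy with the child class matching on DSCP, which is what the quoted restriction allows for encrypted VPN traffic. The class and policy names are hypothetical, and the sketch assumes the VPN packets already carry DSCP EF when they reach the ASA; EF is an illustrative choice, not a value from the post.

```cisco
! Added example (hypothetical names). Assumes traffic is already marked DSCP EF
! before it reaches the outside interface.
!
! Before (from the post): matching on tunnel group, which the config guide
! says is not supported for encrypted VPN traffic in hierarchical priority queuing
!   class-map DM_INLINE_Child-Class
!    match tunnel-group bigvpn
!
! After: match on the DSCP value instead
class-map VPN-DSCP-CLASS
 match dscp ef
!
! Child policy: priority queue for the DSCP-matched class
policy-map VPN-CHILD-POLICY
 class VPN-DSCP-CLASS
  priority
!
! Parent policy: shape all traffic to the DSL uplink rate used in the post,
! then apply the priority child policy inside the shaped rate
policy-map outside-policy
 class class-default
  shape average 512000
  service-policy VPN-CHILD-POLICY
!
service-policy outside-policy interface outside
```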