ASA QoS Inbound traffic

Oleg Volkov
Spotlight

Hi.

I have 2 ASA and L2L IPSEC tunnel.

In the tunnel I use two networks on each site, one for PCs and one for VoIP.

How can I prioritize inbound traffic?

Best for me would be the following:

1. Prioritize ESP traffic

2. Prioritize VoIP traffic inside ESP

 

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this is posted on my blog
4 Replies

Cristian Matei
VIP Alumni

Hm, can you explain the following to me:
In many articles I read about copying DSCP from the payload IP packet to the carrier IP header (ESP).

But I captured packets before decryption and after decryption and see that the DSCP values are not equal. The ISP can rewrite DSCP.

Also two questions: if I make a class with a match ACL which contains the remote private net and the local private net, how can the ASA police this traffic? We need to decrypt the ESP packet before classifying the traffic, but it must be done before putting it into the incoming buffer, which I think is impossible. It must work for outgoing traffic but not incoming, or am I thinking wrong? :-)

who can explain how ESP traffic 

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this is posted on my blog

iOS works poorly with this forum :-)
Who can explain the incoming ESP traffic flow with service policy and priority queue? Thanks
--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this is posted on my blog

Hi,

 

The ASA cannot mark the packet, but it keeps the marking (so ensure the packet is already properly marked by the time it reaches the ASA). Also, it is important to know that when you configure QoS for a VPN tunnel, the QoS policy is pushed to the encryption engine, which will preserve the marking of the packet also in the outer ESP IP header, in order for QoS to be properly applied (if you don't see the proper markings on the other side of the tunnel in the ESP IP header, your ISP changes it, but you should still see the proper marking on the decrypted/inner IP header, which is not visible in transit). To confirm the ASA preserves the packet marking in the ESP IP header, perform a packet capture on the outside interface and look at the ESP packets.

Yes, when we speak of QoS, queuing and shaping, we speak about the egress direction, because that's where the problem is. Look at the attached picture; the same process happens for a packet forwarded by the ASA through a VPN tunnel as well: the ESP packet will be in the priority queue (which is depleted first), or in the non-priority queue if it passed the policer in case it's configured (which is served FIFO), based on your configuration.

 

Regards,

Cristian Matei.
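The following ASA configuration is an added example illustrating the egress-only behaviour described in the reply above; it is not taken from the thread or from Cisco documentation. It assumes the interface carrying the tunnel is named outside, that the phones already mark their RTP traffic DSCP EF before it reaches the ASA (the ASA preserves but does not set the marking), and a 10 Mbit/s uplink, so the policer rate and burst are placeholder values. Because the ASA only queues on egress, "inbound" prioritization for one site is achieved by applying this policy on the other site's ASA, where that traffic leaves towards the tunnel; VoIP packets classified by DSCP are encrypted and their ESP packets land in the priority queue, while everything else (including non-VoIP traffic inside the same tunnel) goes through the policer into the FIFO queue.

```cisco
! Added example (not from the thread). Assumed names/values: interface "outside",
! VoIP already marked DSCP EF upstream, 10 Mbit/s uplink (police rate/burst are placeholders).
!
! 1. Enable the priority queue on the interface that transmits the ESP packets.
priority-queue outside
  queue-limit 2048
  tx-ring-limit 256
!
! 2. Classify VoIP by the DSCP value the ASA preserves into the outer ESP header.
class-map VOIP-EF
  match dscp ef
!
! 3. VoIP gets the strict-priority queue; all other traffic is policed into the FIFO queue.
policy-map OUTSIDE-QOS
  class VOIP-EF
    priority
  class class-default
    police output 10000000 156250
!
! 4. Apply the policy to the interface: queuing/policing take effect on egress only.
service-policy OUTSIDE-QOS interface outside
```

After applying it, `show priority-queue statistics outside` shows whether packets are actually being enqueued in the priority (BEQ/LLQ) queues, and a capture on the outside interface of the ESP packets confirms the outer IP header still carries DSCP EF when it leaves the ASA; if the far side's capture shows a different value, the ISP rewrote it in transit, as the reply explains.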