Can QoS be configured for Anyconnect clients?

Hawk
Level 1

We have a lot of home users using soft phones and some have poor call quality.  Is it possible to configure QoS on the ASA so that voice traffic is preferred on the user's AnyConnect tunnels/sessions?  I understand that won't fix the problem if there are internet issues or home user network/wifi issues.  Thanks!

2 Replies

Hi @Hawk 

 

You can apply QoS to an IPSec or SSL-VPN tunnel-group. Refer to this link for more information on ASA QoS.

 

To get the best performance you may want to check you are running ASA v9.10 or newer and using DTLS 1.2 (if using SSL-VPN). DTLS performs better and is preferred over just TLS, so ensure you are actually using DTLS (if using SSL-VPN). Ensure you are using AnyConnect 4.7 or newer.

 

Additionally you could look to use split-tunneling and ensure only traffic destined to the DC is routed via the VPN and reduce congestion.

 

HTH

@Rob Ingram hope you are doing well. I found a document here written by Firas Fawzi Ahmed.

I also noted you posted a document too. I agree 9.10 with DTLS is the way to go, but here we have conflicting information from Cisco.

Is QoS for each AnyConnect session possible?

Unfortunately it is not supported. If you try to set the tunnel-group QoS, the following error occurs and you cannot set it.

ASAv10# show ver | in Ver
Cisco Adaptive Security Appliance Software Version 9.12(3)9
SSP Operating System Version 2.6(1.192)
Device Manager Version 7.13(1)
ASAv10(config)#
ASAv10(config)# tunnel-group a1 type webvpn
ASAv10(config)# tunnel-group a1 webvpn-attributes
ASAv10(config-tunnel-webvpn)# class-map c1
ASAv10(config-cmap)# match tunnel-group a1
ASAv10(config-cmap)# match flow ip destination-address
ASAv10(config-cmap)# policy-map p1
ASAv10(config-pmap)# class c1
ASAv10(config-pmap-c)# police output 100000
ERROR: tunnel with WEBVPN attributes doesn't support police!
ASAv10(config-pmap-c)#

In addition, the use of QoS leads to equipment load. Therefore, if you want to limit the download speed via the tunnel of the AnyConnect terminal for some reason, you can limit the download speed and the number of simultaneous downloads on the connected file server, and set the QoS for the IP address and segment assigned to the AnyConnect terminal. It is effective to maintain the performance of the entire system by distributing the processing load by using the device of the route (for example, L3 switch accommodating ASA or another device of the route).

Please do not forget to rate.