Showing results for 
Search instead for 
Did you mean: 

DSCP values is copied to


If we have an IPSec tunnel established between 2 FTDs (tunnel mode). The tunnel was created via an FMC.

If before been encrypted/encapsulated, packets were marked with DSCP values. Does the FTD copies the DSCP value to the outer header of the tunnel ? (so the DSCP value can be viewed by the routers in the middle).

We did a test, we marked traffic before the tunnel (with ef) , after the tunnel with the traffic with dscp value of 0

Can someone help us confirm if it can be copied to the outer header and what config is needed ?


I saw an article about ToS preservation , but the article is only for IPSec over GRE. (which i guess doesn't work on FTD)


Thank you






1. I think or rather i believe that "copy of DSCP from Inner IP-Header to Outer IP-Header" is NOT supported (yet...) for IPSec Tunneled traffic on FTD-routers



- The Inner-IP-Header would be of "outbound" IPv4 and/or IPv6 plain packet that is being routed thru the ipsec tunnel under consideration

- The Outer-IP-Header would be of IPv4 and/or IPv6 "outbound" ESP packet that is generated by the FTD-router for that specified IPsec tunnel to remote peer



2. I dont really know how at this time, but since you are a cisco customer You should kindly submit a new-feature request for supporting the "Copy of DSCP values from Inner-IP-Header to Outer-ESP-packet-Header for IPsec tunnels.


- becos unlike policies for handling DF-bit flag for ipsec tunneled packets which is mentioned as a MUST in the RFC-4301 (section-8 i guess) and is supported/implemented  as such on FTD routers too (details in next point below), the implementation/support for copy-dscp-value to outer-header is a custom-vendor-specific implementation and NOT all vendors implement/support it. 


- This will be very very useful for setting QoS policies for ipsec tunnels too. Maybe this will also mean that there will be a related new-feature request to enhance QoS support for IPsec tunneled traffic too...lots of possibilities.



3. In FTD, if you check the ESPv3 settings for the site-to-site tunnel configured, you have the below options for DF-bit flag handling in ipsec you can run a check for DF-bit to confirm in your deployments


ESPv3 Settings
a). Validate incoming ICMP error messages

Choose whether to validate ICMP error messages received through an IPsec tunnel and destined for an interior host on the private network.

b). Enable 'Do Not Fragment' Policy

Define how the IPsec subsystem handles large packets that have the do-not-fragment (DF) bit set in the IP header.

* Copy DF bit—Maintains the DF bit.

* Clear DF bit—Ignores the DF bit.

* Set DF bit—Sets and uses the DF bit.


c). Enable Traffic Flow Confidentiality (TFC) Packets

Enable dummy TFC packets that mask the traffic profile which traverses the tunnel. Use the Burst, Payload Size, and Timeout parameters to generate random length packets at random intervals across the specified SA.




best regards




Recognize Your Peers
Which of these topics should we host an event in the Community?

Top Choice: pxGrid (39%)

Content for Community-Ad