Rate Limit AnyConnect vpn users on ASA 5525

andy_4578
Level 1

We currently operate a "Tunnel All" policy for VPN traffic due to conditional access of hosted applications (traffic must come from the head office IP).

What we're finding with the increase in remote workers with fast home connections is they're saturating the HQ bandwidth.

Is there a way we can rate limit the VPN users (AnyConnect IP pool: 10.1.0.0/24), only allowing them 40Mbps?

1 Reply

Jerome BERTHIER
Level 1

Hello,

According to this document, per-tunnel QoS is supported only on FTD software:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215331-anyconnect-implementation-and-performanc.html#anc19

But if you have a look at this document, it seems possible to apply per-flow policing on a tunnel group:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82310-qos-voip-vpn.html#anc11

It doesn't seem to be supported on SSL client tunnels:

https://tools.cisco.com/bugsearch/bug/CSCsl73211/?reffering_site=dumpcr

This other document seems to confirm that it is applied per flow:

"The criteria to define flow is the destination IP address. All traffic going to a unique IP destination address is considered a flow. Policy action is applied to each flow instead of the entire class of traffic.":

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/I-R/asa-command-ref-I-R/m_match_e-match_q.html#wp2222732868

As each AnyConnect client has its own IP address, it seems that downstream traffic from the headend could be rate limited per client this way.

Note that there seems to be a limitation on tunnels with webvpn attributes, as they do not support policing. So if it works, it would only be on IKEv2 client tunnels.

Moreover, policing is not supported on clientless VPN:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration/vpn/asa-914-vpn-config/webvpn-overview.html?bookSearch=true#ID-2278-00000020

I did not try any of these configurations. Not sure it works.


Hope this helps.
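As an added illustration of the per-flow policing the reply above describes (this is not configuration from the reply or from the linked Cisco documents), the ASA CLI form would look like the following. The tunnel-group name ANYCONNECT-IKEV2, the interface name outside and the burst size are assumptions; as the reply notes, this is expected to apply only to IKEv2 client tunnels and has not been tested.

```cisco
! Added example, not from the reply or Cisco's documents.
! Assumed names: tunnel-group ANYCONNECT-IKEV2, outside interface "outside".
! police rates are in bits per second, bursts in bytes.
!
! Match only traffic belonging to the remote-access tunnel group, then split
! it into one flow per destination IP, so each AnyConnect client is a flow.
! match flow ip destination-address is only valid alongside match tunnel-group.
class-map ANYCONNECT-PER-CLIENT
 match tunnel-group ANYCONNECT-IKEV2
 match flow ip destination-address
!
! Police each flow independently: 40 Mbps conform rate in the output
! (headend-to-client) direction, excess dropped. The 500000-byte burst is an
! assumed value to tune for the link.
policy-map OUTSIDE-POLICY
 class ANYCONNECT-PER-CLIENT
  police output 40000000 500000 conform-action transmit exceed-action drop
!
! Attach the policy to the interface the VPN tunnels terminate on.
service-policy OUTSIDE-POLICY interface outside
!
! Verification: per-class conformed/exceeded counters.
show service-policy police
```

Check the counters on a test client before rolling this out, since the reply only infers from documentation that the policer is applied per client.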
