cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3241
Views
0
Helpful
1
Replies
Highlighted
Beginner

RATE LIMIT (police) SSL VPN USERS ON ASA

Hi All,

We have a customer who has an ASA at head office and they want to limit bandwidth available to their remote users who login using the any connect client. We are considering a simple QoS policing policy which may work, but does anyone have a better solution or is this the best way?

Thanks,

1 REPLY 1
Highlighted
Cisco Employee

Hello,

I understand that you want to configure bandwidth limits for each AnyConnect client connection. 

Unfortunately, the ASA does not currently support QoS policing of traffic on a per-user or per-IP-address basis:

https://supportforums.cisco.com/docs/DOC-1361#Q_Does_ASA_SSL_VPN_AnyConnect_Client_or_Clie

ntless_support_QOS_and_policing_bandwidth_management_capabilites

The feature has been requested but it seems it will not be integrated in the near future.

The available workaround is to use simple QoS as you mention but it is not scalable at all.

  You may police the ASA WAN bandwidth based on the public IP address of each remote-access AnyConnect user hogging bandwidth:

access-list SSLVPN_LIMIT extended permit udp host host

(ASA ip address) eq 443

access-list SSLVPN_LIMIT extended permit tcp host host

(ASA ip address)

eq 443

!

class-map SSLVPN

match access-list SSLVPN_LIMIT

!

policy-map LIMIT

class SSLVPN

    police input 1500000

     police output 1500000

!

service-policy LIMIT interface outside

Thanks,

Itzcoatl