Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7458
Views
0
Helpful
6
Replies

CSCut31948 HSEC Bandwidth limit exceeded. Packet drops. CERM_DP-4-DP_TX_BW_LIMIT and CERM_DP-4-DP_RX_BW_LIMIT

jerecassidy
Level 1
Level 1

‎06-16-2015 08:47 AM - edited ‎03-20-2019 08:37 PM

Both myself and a colleague of mine are running ISR 4331 routers that experience the same bug as described in:

https://tools.cisco.com/bugsearch/bug/CSCut31948/

Note that this bug report only mentions 4400 series - not the 4300 series.

Even so, I was running a version directly in between the known affected release (15.4.3S1) and the fix release (15.4.3S3).   Therefore I upgraded to 15.4.3S3.   This did not fix the problem.   I don't see how this issue wasn't identified as also having affected the 4300 series, but I could not find another bug tracking the same issue for that series.

 

Any advice on how to proceed would be appreciated.  I have a 15.5.1S1 code image also on the router - but it is one that is directly listed as affected (on the 4400 series of course, but I would expect it to be affected).

 

Thanks in advance for any suggestions/input!

 

8 people had this problem
Labels:
0 Helpful
6 Replies 6

Brian Schultz
Level 4
Level 4

‎06-24-2015 06:50 PM

I also have the same issue running 15.5(1)S2.  I opened a case with TAC and was told it is cosmetic.  Our throughput is nowhere close to the 85Mbps threshold.  

0 Helpful

mr_dalvin10
Level 1
Level 1
In response to Brian Schultz

‎09-09-2015 12:44 PM

I have the same issue on a 10 meg fiber hand-off.  I am only running two tunnels and my throughput is sitting at about 330Kbps, nowhere near the 85Mpbs threshold. Has anybody found a resolution to the issue besides installing a license I don't need?

 

Sep  9 15:21:33 EDT: %IOSXE-4-PLATFORM: SIP1: cpp_cp: QFP:0.0 Thread:000 TS:00003719107246997243 %CERM_DP-4-DP_TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

 

baltimore_dc2_rtr1# sh platform software cerm-information
Crypto Export Restrictions Manager(CERM) Information:
 CERM functionality: ENABLED

 ----------------------------------------------------------------
 Resource                             Maximum Limit           Available
 ----------------------------------------------------------------
 Tx Bandwidth(in kbps)            85000                      D    
 Rx Bandwidth(in kbps)            85000                      D    
 Number of tunnels                   225                          223
 Number of TLS sessions         1000                        1000

 Resource reservation information:
 D - Dynamic
 -----------------------------------------------------------------------
 Client         Tx Bandwidth    Rx Bandwidth    Tunnels    TLS Sessions
                 (in kbps)       (in kbps)
 -----------------------------------------------------------------------
 VOICE           0               0                0         0   
 IPSEC           D               D                2         N/A
 SSLVPN          D               D                0         N/A

 Statistics information:
 Failed tunnels     : 0
 Failed sessions    : 0
 Failed tx bandwidth: 0
 Failed rx bandwidth: 0
 Failed encrypt pkts: 0
 Failed decrypt pkts: 0
 Failed encrypt pkt bytes: 0
 Failed decrypt pkt bytes: 0
 Passed encrypt pkts: 0
 Passed decrypt pkts: 0
 Passed encrypt pkt bytes: 0
 Passed decrypt pkt bytes: 0

0 Helpful

mr_dalvin10
Level 1
Level 1
In response to mr_dalvin10

‎09-11-2015 03:30 PM

Update -

I did a packet capture on my router with TAC and found that I was getting microbursts over 85Mbps that would last more that .01 seconds coming in from my network towards the routers.  Since this traffic would hit my Tunnel interface going outbound (to the internet) it would trigger this problem. I was told in the version of code I am running the algorithm checks for traffic averaging over 85Mbps every .01 seconds in both directions. They say this was changed to 1 second in the later IOS updates.  I will try version 15-5-2s1 and see if the problem continues.

0 Helpful

mr_dalvin10
Level 1
Level 1
In response to mr_dalvin10

‎09-16-2015 07:32 AM

Moving to isr4300-universalk9.03.15.01c.S.155-2.S1c-std.SPA.bin seems to have resolved my issue.

 

0 Helpful

Brian Schultz
Level 4
Level 4
In response to mr_dalvin10

‎09-16-2015 07:37 AM

Same here, I'm no longer seeing the log messages in 3.15.1 XE code.

0 Helpful

hasitha siriwardhana
Level 1
Level 1
In response to Brian Schultz

‎08-22-2016 12:47 AM

we are running software version isr4400-universalk9.03.16.01a.S.155-3.S1a-ext.SPA.bin.

We have suffered this issue. TAC has requested us to install HSEC license. But we doesnt have such 85Mbps traffic.

0 Helpful
Customers Also Viewed These Support Documents