
CERM-4-TUNNEL_LIMIT error on 2901, not sure why?

jgeorge
Level 1

I'm getting the following error in the log of a 2901:

%CERM-4-TUNNEL_LIMIT: Maximum tunnel limit of 225 reached for Crypto functionality with securityk9 technology package license.

I'm a bit confused by this since there is only 1 active SA at the time.

Here is some more info:

2901#sh crypto eli

Hardware Encryption : ACTIVE

Number of hardware crypto engines = 1

CryptoEngine Onboard VPN details: state = Active

Capability    : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA

IPSec-Session :   768 active,  2800 max, 0 failed

Could someone fill me in on why I'm getting this error?

3 Replies

Peter Paluch
Cisco Employee

Hi Jason,

I am not entirely sure myself about this but the error message basically talks about a number of tunnels, not exactly about the number of SAs (although I admit they are related). How many tunnels does this 2901 actually terminate? The number of IPsec sessions (768 active) is also quite interesting.

The Error Message Decoder told me this:

%CERM-4-TUNNEL_LIMIT: Maximum tunnel limit of [dec] reached for Crypto functionality with temporary license for securityk9 technology package.

The maximum limit for tunnels has been reached for the Crypto functionality with temporary license for the securityk9 technology package.

Recommended Action:

Upgrade to permanent license for securityk9 technology package.

The error message is not entirely of the same wording as yours, but do you perhaps also run a temporary securityk9 package?

Best regards,

Peter

The device is running a permanent license for securityk9. I did have a temporary license but that went away a few months ago. I rebooted the device to see if the errors would come back and they did.

The reason I am even looking at this is because of a VPN tunnel that seems to go down once a day and this is the only error in the logs.

Any other ideas?

-bump-

I'm also seeing that VPN unable to pass traffic for about 5 minutes once a day. Could this be related?
