Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1364
Views
5
Helpful
3
Replies

CERM-4-TUNNEL_LIMIT error on 2901, not sure why?

jgeorge
Level 1
Level 1

‎10-12-2012 11:48 AM - edited ‎03-04-2019 05:50 PM

I'm getting the following error in the log of a 2901:

%CERM-4-TUNNEL_LIMIT: Maximum tunnel limit of 225 reached for Crypto functionality with securityk9 technology package license.

I'm a bit confused by this since there is only 1 active SA at the time.

Here is some more info:

2901#sh crypto eli

Hardware Encryption : ACTIVE

Number of hardware crypto engines = 1

CryptoEngine Onboard VPN details: state = Active

Capability    : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA

IPSec-Session :   768 active,  2800 max, 0 failed

Could someone fill me in on why i'm getting this error?

Labels:
0 Helpful
3 Replies 3

Peter Paluch
Cisco Employee
Cisco Employee

‎10-12-2012 10:34 PM

Hi Jason,

I am not entirely sure myself about this but the error message basically talks about a number of tunnels, not exactly about the number of SAs (although I admit they are related). How many tunnels does this 2901 actually terminate? The number of IPsec sessions (768 active) is also quite interesting.

The Error Message Decoder told me this:

%CERM-4-TUNNEL_LIMIT: Maximum tunnel limit of [dec] reached for Crypto  functionality with temporary license for securityk9 technology package.

The maximum limit for tunnels has been reached for the Crypto functionality with  temporary license for the securityk9 technology package.

Recommended Action:

Upgrade to permanent license for securityk9 technology package.

The error message is not entirely of the same wording as yours, but do you perhaps also run a temporary securityk9 package?

Best regards,

Peter

jgeorge
Level 1
Level 1
In response to Peter Paluch

‎10-15-2012 01:17 PM

The device is running a permanent license for securityk9. I did have a temporary license but that went away a few months ago. I rebooted the device to see if the errors would come back and they did.

The reason I am even looking at this is because of a VPN tunnle that seems to go down once a day and this is the only error in the logs.

Any other ideas?

0 Helpful

jgeorge
Level 1
Level 1
In response to jgeorge

‎10-18-2012 10:32 AM

-bump-

I'm also seeing that VPN unable to pass traffic for about 5 minutes once a day. Could this be releated?

0 Helpful
Customers Also Viewed These Support Documents