05-23-2019 04:15 AM
Hi,
We have an ISR4431 which according to its logs is hitting its IPsec limit indicated by "Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license."
Although this router does have some IPsec traffic from VPN tunnels, it does not appear that the amount of traffic on those tunnels should be enough to be tripping this limit as often as it seems. So we're suspecting that the limit may not apply exactly as we thought. Does anyone know if either of the following apply?
(1) Does the limit of 85meg apply to the total transmit traffic, so long as it includes some IPsec? For example sending 10meg of IPsec + 80meg unencrypted.
(2) Does it include IPsec traffic passing through the router but not encrypted by it, for example traffic from a third-party VPN appliance?
Thanks, Tony S
05-23-2019 11:44 AM
05-24-2019 12:01 AM
After monitoring for a while I think that might be correct. Do you know what time interval the rate is measured over?
05-24-2019 08:02 AM
11-25-2019 08:46 AM
This thread is a little old but to follow up, the older versions of code sampled at a 10ms rate, the new versions of code around 16.x sample at 250ms rate. This is for traffic going to the crypto engine for processing, so it would only be traffic that was either being encrypted or decrypted by the router, and not encrypted traffic passing through the router
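The sampling interval matters because a burst that is short relative to the window is averaged away at 250 ms but not at 10 ms. The script below is an added illustration, not code from the thread or from Cisco: it builds a constructed byte trace whose average stays well under the 85000 kbps Tx limit quoted in the thread, then counts how many sampling windows exceed that limit at each of the two intervals mentioned above. All traffic figures in it are invented for the demonstration.

```python
"""Added example: effect of the CERM sampling window on a bursty IPsec flow.

The thread says older code sampled crypto-engine traffic every 10 ms and
16.x code every 250 ms. The constructed trace below averages well under
85000 kbps but bursts above it for 20 ms at a time, so the same traffic
trips the limit at one window size and not at the other.
"""
from typing import Dict, List

CERM_TX_LIMIT_KBPS = 85_000  # Tx limit from the log message quoted in the thread


def build_bursty_trace(duration_ms: int, burst_every_ms: int, burst_len_ms: int,
                       burst_kbps: int, idle_kbps: int) -> List[int]:
    """Bytes sent in each 1 ms slot: an idle trickle with periodic bursts.

    Constructed traffic, e.g. a backup job pushing batches through the tunnel.
    kbps / 8 == bytes per millisecond, so the conversion is a single division.
    """
    trace = []
    for ms in range(duration_ms):
        in_burst = (ms % burst_every_ms) < burst_len_ms
        rate_kbps = burst_kbps if in_burst else idle_kbps
        trace.append(rate_kbps // 8)
    return trace


def windowed_rates_kbps(trace_bytes_per_ms: List[int], window_ms: int) -> List[int]:
    """Average rate in kbps over each consecutive window of window_ms slots.

    Bits per millisecond is numerically equal to kbps, which keeps the
    arithmetic exact for the integer traces built above.
    """
    rates = []
    for start in range(0, len(trace_bytes_per_ms), window_ms):
        chunk = trace_bytes_per_ms[start:start + window_ms]
        total_bits = sum(chunk) * 8
        rates.append(total_bits // len(chunk))
    return rates


def limit_hits(trace: List[int], window_ms: int,
               limit_kbps: int = CERM_TX_LIMIT_KBPS) -> int:
    """Number of sampling windows in which the averaged rate exceeds the limit."""
    return sum(1 for r in windowed_rates_kbps(trace, window_ms) if r > limit_kbps)


def compare_windows(trace: List[int]) -> Dict[int, int]:
    """Limit hits for the two sampling intervals named in the thread."""
    return {window: limit_hits(trace, window) for window in (10, 250)}


if __name__ == "__main__":
    # One second of traffic: a 20 ms burst at 200 Mbps every 250 ms, 20 Mbps otherwise.
    trace = build_bursty_trace(1000, 250, 20, 200_000, 20_000)
    print("whole-second average kbps:", windowed_rates_kbps(trace, 1000)[0])
    for window, hits in compare_windows(trace).items():
        print(f"{window:>4} ms sampling window: {hits} window(s) over the limit")
```

With these constructed numbers the flow averages 34400 kbps over the second, yet every 10 ms window inside a burst reads 200000 kbps, so the old 10 ms sampling logs eight limit hits per second while the 250 ms sampling logs none. That is the mechanism by which a link carrying far less than 85 Mbps of IPsec on average can still produce the CERM log message, and why a monitoring graph averaged over seconds or minutes will not show it.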
05-24-2019 08:25 AM
Hello Tony,
You're hitting a limitation that can be removed with the HSEC license. Going through its documentation you'll find the following:
(1) "With the HSEC-K9 license, the router can go over the curtailment limit of 225 tunnels maximum for IP Security (IPsec) and encrypted throughput of 85-Mbps unidirectional traffic"; the limit applies to encrypted throughput only.
(2) "The HSEC-K9 license removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput". Based on this, I'd say it applies to all encrypted traffic including that from 3rd Party Appliances.
Cheers,
Carlos
05-27-2019 12:11 AM
Thanks. I was aware of the limit and of the HSEC licence option, however what I was hoping to do is to avoid buying that licence for an installation where IPsec throughput is in fact less than 85meg. It shouldn't be needed.
I have had a response from Cisco TAC, saying firstly that the limit should apply only to traffic encrypted by the device, not to IPsec traffic passing through it but encrypted elsewhere. Importantly they have also highlighted a number of bugs causing the limit to be incorrectly triggered by traffic below 85meg. Finally I note that later IOS versions, needed to avoid these bugs, also raise the CERM limit to 250meg. So that sounds like a win all round.
05-27-2019 01:59 AM
Hi Tony,
Thank you for sharing; I wasn't sure about the encrypted traffic from other devices although now that I've thought about it again, it makes sense. Glad to have a confirmed answer.
Cheers, Carlos
05-27-2019 10:36 AM
05-28-2019 12:50 AM
@Joseph W. Doherty wrote:
I wouldn't expect it to apply to transit traffic but you might double check if it only applies to outbound IPSec traffic sourced by the device. I could see it also counting against traffic being received and decrypted by the device.
Everything that I've seen suggests a separate limit for received IPsec, again I understand this to apply only to traffic decrypted by the device. For example:

sh platform cerm-information
Crypto Export Restrictions Manager(CERM) Information:
CERM functionality: ENABLED
----------------------------------------------------------------
Resource                 Maximum Limit      Available
----------------------------------------------------------------
Tx Bandwidth(in kbps)    85000              85000
Rx Bandwidth(in kbps)    85000              85000
Number of tunnels        225                224
Number of TLS sessions   1000               1000
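A small parser for that resource table is a practical way to watch the CERM headroom from a monitoring job instead of waiting for the limit message in the logs. The script below is an added example, not from the thread or from Cisco; the two output samples embedded in it are constructed to mirror the table layout posted above, and the 80% alert threshold is an arbitrary choice for the demonstration.

```python
"""Added example: parse the resource table of 'show platform cerm-information'
and flag resources that are close to their CERM limit.

The sample outputs are constructed to follow the layout posted in the
thread; values in BUSY_CERM_OUTPUT are invented to exercise the alert path.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the healthy snapshot from the thread (nothing in use).
SAMPLE_CERM_OUTPUT = """\
Crypto Export Restrictions Manager(CERM) Information:
CERM functionality: ENABLED
----------------------------------------------------------------
Resource                 Maximum Limit      Available
----------------------------------------------------------------
Tx Bandwidth(in kbps)    85000              85000
Rx Bandwidth(in kbps)    85000              85000
Number of tunnels        225                224
Number of TLS sessions   1000               1000
"""

# Constructed sample: Tx bandwidth nearly exhausted, tunnels mostly used.
BUSY_CERM_OUTPUT = """\
Crypto Export Restrictions Manager(CERM) Information:
CERM functionality: ENABLED
----------------------------------------------------------------
Resource                 Maximum Limit      Available
----------------------------------------------------------------
Tx Bandwidth(in kbps)    85000              5000
Rx Bandwidth(in kbps)    85000              60000
Number of tunnels        225                30
Number of TLS sessions   1000               1000
"""

# A data row is a resource name (letters, spaces, parentheses) followed by
# two integer columns: Maximum Limit and Available. Header and separator
# lines carry no digits in those positions and therefore do not match.
ROW_RE = re.compile(
    r"^(?P<name>[A-Za-z][A-Za-z ()]*?)\s{2,}(?P<limit>\d+)\s+(?P<avail>\d+)\s*$"
)


def parse_cerm(output: str) -> Dict[str, Tuple[int, int]]:
    """Map each resource name to (maximum limit, available)."""
    rows: Dict[str, Tuple[int, int]] = {}
    for line in output.splitlines():
        match = ROW_RE.match(line.rstrip())
        if match:
            rows[match.group("name").strip()] = (
                int(match.group("limit")),
                int(match.group("avail")),
            )
    return rows


def utilisation(rows: Dict[str, Tuple[int, int]]) -> Dict[str, float]:
    """Fraction of each limit currently consumed (0.0 idle .. 1.0 exhausted)."""
    return {
        name: (limit - avail) / limit
        for name, (limit, avail) in rows.items()
        if limit > 0
    }


def over_threshold(rows: Dict[str, Tuple[int, int]], threshold: float = 0.8) -> List[str]:
    """Resource names whose utilisation is at or above the alert threshold."""
    return sorted(name for name, used in utilisation(rows).items() if used >= threshold)


if __name__ == "__main__":
    for label, text in (("idle", SAMPLE_CERM_OUTPUT), ("busy", BUSY_CERM_OUTPUT)):
        rows = parse_cerm(text)
        print(f"{label}: {over_threshold(rows) or 'no resource above 80%'}")
```

Because the thread reports that some IOS versions trigger the limit at rates below 85 Mbps, polling this table alongside interface counters gives the evidence needed to tell a genuine exhaustion from a counting bug: if the log message appears while the Available column for Tx bandwidth never approaches zero, the sampling or accounting is the suspect rather than the traffic.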
05-28-2019 09:29 AM
06-17-2019 01:45 AM
With the software upgrade finally installed this is what it shows. The new 250 meg limit if indeed there is one, is not mentioned. On the other hand we haven't seen the limit message in the logs either since the upgrade.
#show platform software cerm
Crypto Export Restrictions Manager(CERM) Information:
CERM functionality: ENABLED
----------------------------------------------------------------
Resource                 Maximum Limit      Available
----------------------------------------------------------------
Number of tunnels        225                220
Number of TLS sessions   1000               1000
Resource reservation information:
D - Dynamic
-----------------------------------------------------------------------
Client      Tunnels      TLS Sessions
-----------------------------------------------------------------------
VOICE       0            0
IPSEC       5            N/A
SSLVPN      0            N/A
Statistics information:
Failed tunnels : 0
Failed sessions : 0
01-22-2021 12:53 PM
Anyone have any idea why there were restrictions placed by the Govt in the first place? Seems strange that the Govt would regulate the # of tunnels you could have or the amount of traffic you could pump through a VPN.
Thanks.
01-22-2021 02:27 PM
Hello,
it comes down to National Security and Anti-Terrorism. It has its origins in the WWII era; encryption is basically considered a 'weapon'.
Read the link below. You might have heard of the Enigma code used by German U-boats, the ultimate example of how encryption was used with deadly consequences.
https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States
01-22-2021 02:31 PM
Don't know if they still do, but US Government (I recall?) classified certain encryption levels as munitions for export. They didn't (I recall) care much about Mbps or number of tunnels, just how "good" (i.e. hard to break) the encryption was.
I think (?) the bandwidth limits were actually a way to ease up on the restrictions, i.e. for small volumes, they didn't care.
If what I remember is correct, you may still be wondering does it really make sense? Well, I'm sure it does to the bureaucracy that defines all this.