Solved: I got this answer from TAC on

startx001 · ‎10-24-2013

Hi ,

Strange situation on 3925 , there is no 85Mbps traffic on the router and message apears .

%CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

*Oct 24 11:02:59.632: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

%CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

*Oct 24 11:02:59.632: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

IOS: flash0:c3900-universalk9-mz.SPA.153-2.T.bin"

There is 13 tunnels like this one

ip tcp adjust-mss 1240
tunnel source FastEthernet0/0/1
tunnel mode ipsec ipv4
tunnel destination x.x.x.x
tunnel protection ipsec profile xxxxx

Any solution?

Regards,

Vladimir

Vasilii Mikhailovskii · ‎10-25-2013

But there is no 80Mbps at all , in one direction, so what triggered that log message ?

There is 85M (not 80M )in one direction.

Please check your interfaces for crypto maps and VTIs for tunnel protection.

View solution in original post

Vasilii Mikhailovskii · ‎10-25-2013

Hello.

If you do not have a HSEC-k9 license installed on your ISR G2 router, you will see the following error message

on the console if the traffic exceeds 85-Mbps unidirectional or 170-Mbps bidirectional.

Please refer to https://www.cisco.com/en/US/prod/collateral/routers/ps10536/qa_c67_606268.pdf for details.

startx001 · ‎10-25-2013

But there is no 80Mbps at all , in one direction, so what triggered that log message ?

I know about that HSECk9 , but Cisco said only if there is above 80Mbps .

feauture set.

ipbasek9 no no no yes no

securityk9 yes yes no yes yes

uck9 yes yes no yes yes

datak9 yes yes no no yes

gatekeeper yes yes no no yes

LI yes no no no no

SSL_VPN yes yes no no yes

ios-ips-update yes yes yes no yes

SNASw yes yes no no yes

hseck9 yes no no no no

cme-srst yes yes no no yes

WAAS_Express yes yes no no yes

UCVideo yes yes no no yes

and

*Oct 24 10:53:56.151: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

*Oct 24 11:00:00.376: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

*Oct 24 11:02:59.632: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

*Oct 24 11:07:35.044: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

*Oct 24 13:31:19: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=5571 spi=5598C7CB seqno=0006E8F5

*Oct 24 13:40:01: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=5571 spi=5598C7CB seqno=00098060

*Oct 24 14:01:57: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

connection id=5585, sequence number=422523 *Oct 24 10:53:56.151: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
*Oct 24 11:00:00.376: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
*Oct 24 11:02:59.632: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
*Oct 24 11:07:35.044: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
*Oct 24 13:31:19: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=5571 spi=5598C7CB seqno=0006E8F5
*Oct 24 13:40:01: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=5571 spi=5598C7CB seqno=00098060
*Oct 24 14:01:57: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=5585, sequence number=422523

Regards,

Vasilii Mikhailovskii · ‎10-25-2013

But there is no 80Mbps at all , in one direction, so what triggered that log message ?

There is 85M (not 80M )in one direction.

Please check your interfaces for crypto maps and VTIs for tunnel protection.

b.gamble · ‎06-11-2015

I got this answer from TAC on the same message received on a 4331:

"The securityK9 license you are running has a limit of 85000 Kbps unidirectional or 170000 Kbps bi-directional of crypto traffic. This doesn’t reflect the traffic allowed across the link but the amount of traffic the router will encrypt and is measured in microseconds, so short bursts of traffic could trigger this issue."

jend.chow · ‎08-01-2019

Is there a fix action for this 'issue'? or a difference license set?

Strange issue on 3925