
4331 router IPSEC VPN tunnel limit 225

Dears,

 

I am having a problem that the VPN session keeps disconnecting and the following log message appears:

%CERM-4-TUNNEL_LIMIT: Maximum tunnel limit of 225 reached for Crypto functionality with securityk9 technology package license.

 

Please find the show crypto eli brief below:

 

INT#sh crypto eli all
Hardware Encryption : ACTIVE
Number of crypto engines = 3

CryptoEngine IOSXE-ESP(9) details: state = Active
Capability : DES, 3DES, AES, GCM, GMAC, IPv6, GDOI, FAILCLOSE

IPSec-Session : 471 active, 10240 max, 0 failed


CryptoEngine Software Crypto Engine details: state = Active
Capability : IPPCP, DES, 3DES, AES, SEAL, GCM, GMAC, RSA, IPv6, GDOI, FAILCLOSE, HA

IKE-Session : 90 active, 10340 max, 0 failed
IKEv2-Session : 21 active, 10340 max, 0 failed
DH : 2 active, 5170 max, 0 failed
IPSec-Session : 0 active, 1000 max, 0 failed
SSL support : Yes
SSL versions : SSLv3.0, TLSv1.0, DTLSv1.0, DTLS-pre-rfc,
TLSv1.1, TLSv1.2
Max SSL connec: 1000
SSL namespace : 1

SSLv3.0 suites:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLSv1.0 suites:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
DTLSv1.0 suite:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

CryptoEngine act2 details: state = Active
Capability : RSA

 

 

Do I have to consider the HSEC license? Any idea?

 

Thank you

3 Replies

Hi,

Yes, without the HSECK9 license, only 225 secure tunnels and 85 Mbps of crypto bandwidth would be available.


Reference here page 59.

 

HTH

Thank you for the reply,

 

How do I know how much bandwidth is reached and the exact number of tunnels?

"show platform cerm-information" - this command will indicate the maximum limit and the number currently available.

"show crypto ipsec sa count" - will also indicate the number of tunnels
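
An added example, not part of the thread and not Cisco tooling: a Python sketch that extracts the limit and license from the %CERM-4-TUNNEL_LIMIT syslog message and the per-engine session counters from `show crypto eli all` text, so the event can be alerted on. The sample input is trimmed from the output posted in the question; the function names are hypothetical.

```python
import re

CERM_RE = re.compile(
    r"%CERM-4-TUNNEL_LIMIT: Maximum tunnel limit of (\d+) reached "
    r"for Crypto functionality with (\S+) technology package license"
)
ENGINE_RE = re.compile(r"^CryptoEngine (.+?) details: state = (\w+)")
COUNTER_RE = re.compile(
    r"^\s*([\w-]+)\s*:\s*(\d+) active,\s*(\d+) max,\s*(\d+) failed"
)

def parse_cerm_events(log_text):
    """Return (limit, license) for every tunnel-limit message in log_text."""
    return [(int(m.group(1)), m.group(2)) for m in CERM_RE.finditer(log_text)]

def parse_crypto_eli(text):
    """Map engine name -> {counter name: (active, max, failed)}."""
    engines, current = {}, None
    for line in text.splitlines():
        m = ENGINE_RE.match(line.strip())
        if m:
            current = engines.setdefault(m.group(1), {})
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = tuple(int(g) for g in m.group(2, 3, 4))
    return engines

# Sample input trimmed from the output posted in this thread.
SAMPLE_ELI = """\
CryptoEngine IOSXE-ESP(9) details: state = Active
IPSec-Session : 471 active, 10240 max, 0 failed
CryptoEngine Software Crypto Engine details: state = Active
IKE-Session : 90 active, 10340 max, 0 failed
IKEv2-Session : 21 active, 10340 max, 0 failed
DH : 2 active, 5170 max, 0 failed
IPSec-Session : 0 active, 1000 max, 0 failed
CryptoEngine act2 details: state = Active
"""
SAMPLE_LOG = ("%CERM-4-TUNNEL_LIMIT: Maximum tunnel limit of 225 reached for "
              "Crypto functionality with securityk9 technology package license.")

if __name__ == "__main__":
    for limit, lic in parse_cerm_events(SAMPLE_LOG):
        print(f"tunnel limit {limit} hit under {lic} license")
    for engine, counters in parse_crypto_eli(SAMPLE_ELI).items():
        for name, (active, mx, failed) in counters.items():
            print(f"{engine}: {name} {active}/{mx} active, {failed} failed")
```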