
Can I limit IPSec encrypted traffic on a router to a certain level?

Hello Guys.

I have a 4351 ISR running IOS Version 15.5(2)S3 with the Securityk9 license. Two days ago I noticed that all my remote sites went down, but we could reach the remote tunnel IPs for the branches. It looked like an issue with IPSec encryption: the router was unable to process IPSec connections. Upon reviewing the syslog messages, we noted the warning below:

 

"Maximum Tx bandwidth Limit of 85000 kbps reached for crypto functionality with SecurityK9 technology license"

 

Is there a way I can limit the IPSec encrypted traffic so it does not go beyond 80000 kbps, instead of having it reach the limit and then losing connectivity to the remote sites? I know we can install the HSEC license to remove the limitation, but at the moment we are looking for an option to limit the traffic to not go beyond 85000 kbps.


Hi @vitumbiko nkhwazi 

Yes, I've had this issue before, you can use QoS to limit the traffic. Here is an example.

balaji.bandi
Hall of Fame

How about an example like this (will this work for you?)

 

access-list 100 permit ip any x.x.x.x x.x.x.x

class-map mysubnet
 match access-group 100

policy-map 80MBmap
 class mysubnet
  ! change this based on interface
  bandwidth percent 80

policy-map physical
 class class-default
  ! police rate is in bits per second: 80000000 = 80 Mbps
  police 80000000 conform-action transmit exceed-action drop
  service-policy 80MBmap

int gix/x
 service-policy output physical

 

BB
