Hi Faizal,
CERM bandwidth limit reached indicates that the maximum TX bandwidth limit for the crypto functionality has been reached. The indicated TX bandwidth is the maximum that is allowed with your securityk9 license.
Due to strong crypto export restrictions enforced by the United States government, a securityk9 license only allows payload encryption up to rates close to 90 Megabits per second (Mbps) and limits the number of encrypted tunnels/Transport Layer Security (TLS) sessions to the device. 85Mbps is enforced on Cisco devices.
What often happens is that the device sends a huge burst of traffic (usually in a fraction of a second) over the physical interface, but then gets quickly rate-limited down to the actual supported speed. 85 Mbps TX is assigned to the ENTIRE box - it is not per interface.
Even if the burst is for a few milliseconds, it is enough to trigger the curtailed crypto bandwidth limit. And in these situations, the traffic that exceeds 85Mbps is dropped.
The router takes the incoming traffic, decides if it should be encrypted outbound, and then does the CERM calculations.
Let's say the inside network is attached to a GigabitEthernet port. If 200 Mbps of data comes in and the router decides it should all be encrypted, the router will drop said traffic before it even begins transmitting on the outbound interface. CERM occurs before outbound encryption by design, so that once it reaches the 85,000 Kb limit packets can no longer encrypt.
What we can do is, we can throttle the traffic down either at the application point or at a device before the router.
But, you can use HSEC-K9 license in order to mitigate this issue permanently.
With the HSEC-K9 license, the router can go over the curtailment limit of 225 tunnels maximum for IP Security (IPsec) and encrypted throughput
of 85-Mbps unidirectional traffic in or out of the ISR G2 router, with a bidirectional total of 170 Mbps.
For HSEC Licensing Please refer to document given below: -
http://www.cisco.com/c/dam/en/us/products/collateral/routers/3900-series-integrated-services-routers-isr/qa_c67_606268.pdf
Do you see any drops or latency when you get this error on the router ?.
CERM limit can be easily hit with micro bursts, the counters may not be able to catch these bursts given the sampling granularity. CERM logically divides traffic into fixed time intervals (200 msec on the ISR, IIRC). It has a fixed budget for each time interval (which is the amount of traffic we're allowed to transmit over the wire that the maximum CERM rate within that time interval); if a burst of traffic causes us to use up the 'budget' for that time interval, we essentially block traffic until the time interval is over (and we get more budget).
Enhancement request CSCuz49319 has been filed to get more insight into how exactly micro-bursts are dealt when it comes to CERM limit.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz49319/?reffering_site=dumpcr
To troubleshoot issue where Bandwidth CERM Limit is Reached, we can do the below steps:
Mirror the traffic on the connected switch.
Use Wireshark in order to analyse the captured trace by going down to two to 10 msec time period granularity.
Traffic with micro bursts greater than 85Mbps is an expected behaviour.
In a nutshell, if you are experiencing any packet-loss when these logs are being printed, you will need to troubleshoot the packet loss issue. If this never runs above 85Mbps crypto traffic, you may simply ignore the CERM logs.
Regards,
Aditya
Please rate helpful posts and mark correct answers
