
Maximum Tunnel bandwidth


Can someone explain to me why Cisco restricts tunnel bandwidths to 85000 Kbps?

And, in addition, is this the complete summarized bandwidth available for _all_ tunnels? Or per single tunnel?

Jul 22 8:00:00.097: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

Jul 22 8:00:00.973: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

And yes, I'm quite aware of CPU-intensive jobs like encrypting for a router, but is there a possibility to modify this limit?

We are using:

Cisco CISCO3945-CHASSIS (revision 1.0) with C3900-SPE250/K9 with 678912K/304128K bytes of memory.


Technology Package License Information for Module:'c3900e'

Technology    Technology-package          Technology-package
              Current       Type          Next reboot
ipbase        ipbasek9      Permanent     ipbasek9
security      securityk9    Permanent     securityk9
uc            None          None          None
data          None          None          None

In my opinion a capable Router for terminating 4 tunnels, 2 of them with 100MBit, 2 of them with 5MBit WAN-IF bandwidth.

Thanks for your input!


Not to forget:

ASAs or other firewalls are _not_ an option, since we are also using OSPF and other tricks on these routers.


Hi Andreas:

On the ISRG2 there is a limited encrypted throughput of 85Mbps unidirectional (170 bidirectional) with the security license(


. This error occurs as the crypto engine processes the packets and the flow exceeds the mentioned limit. There is an additional license Cisco sells (hseck9) that will allow you to encrypt beyond 85Mbps.

Here is a link which explains both products.


I am facing the same kind of issue as above:

%CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

I would like to know what happens to the tunnel when it reaches the Maximum Tx Bandwidth.

Does it tear down the tunnel or does it throttle the speed?

Can someone answer this for me please?

Thanks in advance.


I'd also like to hear an answer to Lancellot's question above:

Lance Wendel wrote:


I am facing the same kind of issue as above:

%CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

I would like to know what happens to the tunnel when it reaches the Maximum Tx Bandwidth.

Does it tear down the tunnel or does it throttle the speed?

Can someone answer this for me please?

Thanks in advance.


I remembered way back in the ISR G1, the input/output tunnel bandwidth is set to a certain level (forgot the figures) and the command to change it doesn't exist if and when you are running the base feature set.  Once you've upgraded to IP Services feature set, the option to change the input/output tunnel bandwidth is enabled.


CERM keeps two separate counters, one for tunnel count and one for total BW.

Reaching one SHOULD NOT impact the other.


Hi, I agree. Just to add that the 3945 and 3925 can handle 85 mbps without the extra module.

>>does it tear down the tunnel or does it throttle the speed?


It certainly does NOT tear down the tunnel, so it must throttle it.





I'm facing the same problem too, but in our case we are not using this amount of bandwidth (we're talking about 6Mbps).

Another thing: a normal router (ISR G2) will never reach an 85Mbps rate; when you are transferring 40Mbps the CPU will be around 100% 24/7.

If you are interested in getting this kind of performance and getting more than 85Mbps you should buy the ISM-VPN card; it comes with the HSEC license so you will be able to get around 140-Mbps.


Hi,

Similar situation: there is no 85Mbps traffic on the router and the message appears.

%CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

*Oct 24 11:02:59.632: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.


IOS: "flash0:c3900-universalk9-mz.SPA.153-2.T.bin"

There are 13 tunnels like this one:

ip tcp adjust-mss 1240
tunnel source FastEthernet0/0/1
tunnel mode ipsec ipv4
tunnel destination x.x.x.x
tunnel protection ipsec profile xxxxx

Any solution?



What is the feature set of the IOS you are running?  If it's IP Base, then upgrade to IP Services and the command "ip tunnel bandwidth input" or "output" should be available.

Hi Leo,

But there is no 80Mbps at all, in one direction, so what triggered that log message?

Feature set:

ipbasek9                 no           no          no             yes      no
securityk9               yes          yes         no             yes      yes
uck9                     yes          yes         no             yes      yes
datak9                   yes          yes         no             no       yes
gatekeeper               yes          yes         no             no       yes
LI                       yes          no          no             no       no
SSL_VPN                  yes          yes         no             no       yes
ios-ips-update           yes          yes         yes            no       yes
SNASw                    yes          yes         no             no       yes
hseck9                   yes          no          no             no       no
cme-srst                 yes          yes         no             no       yes
WAAS_Express             yes          yes         no             no       yes
UCVideo                  yes          yes         no             no       yes


*Oct 24 10:53:56.151: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

*Oct 24 11:00:00.376: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

*Oct 24 11:02:59.632: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

*Oct 24 11:07:35.044: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

*Oct 24 13:31:19: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=5571 spi=5598C7CB seqno=0006E8F5

*Oct 24 13:40:01: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=5571 spi=5598C7CB seqno=00098060

*Oct 24 14:01:57: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

        connection id=5585, sequence number=422523

Also, people told me to upgrade to the hseck9 license, but I said I don't have 80Mbps at all, and Cisco said in documents that only above 85Mbps needs the hseck9 license.

To add, currently there is a 20Mbps sum on the router, and the message still appears.
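An added example, not part of any post in this thread: a small Python parser that separates the CERM licence-cap warnings from the IPsec integrity messages (MAC verify and replay check failures) that appear together in the pasted logs. The sample input is copied from the log lines posted above; the function names are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Sample input: log lines copied from the posts in this thread.
SAMPLE_LOG = """\
Jul 22 8:00:00.973: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
*Oct 24 10:53:56.151: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
*Oct 24 11:00:00.376: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
*Oct 24 13:31:19: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=5571 spi=5598C7CB seqno=0006E8F5
*Oct 24 13:40:01: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=5571 spi=5598C7CB seqno=00098060
*Oct 24 14:01:57: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
        connection id=5585, sequence number=422523
"""

HEADER = re.compile(r"^\*?(?P<ts>[A-Z][a-z]{2} +\d+ +[\d:.]+): "
                    r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$")
CERM = re.compile(r"Maximum (Tx|Rx) Bandwidth limit of (\d+) Kbps")
CONN = re.compile(r"connection id=(\d+)")

def parse_events(text):
    """Return one dict per syslog message, folding indented continuation lines in."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            events.append(m.groupdict())
        elif events and line[:1].isspace() and line.strip():
            events[-1]["msg"] += " " + line.strip()  # e.g. the replay-error detail line
    return events

def summarize(events):
    """Count licence-cap warnings per direction and integrity failures per connection id."""
    cap_hits, integrity = Counter(), defaultdict(Counter)
    for ev in events:
        if ev["facility"] == "CERM":
            m = CERM.search(ev["msg"])
            if m:
                cap_hits[(m.group(1), int(m.group(2)))] += 1
        elif ev["mnemonic"] in ("RECVD_PKT_MAC_ERR", "PKT_REPLAY_ERR"):
            m = CONN.search(ev["msg"])
            integrity[m.group(1) if m else "unknown"][ev["mnemonic"]] += 1
    return cap_hits, {conn: dict(kinds) for conn, kinds in integrity.items()}

if __name__ == "__main__":
    caps, integ = summarize(parse_events(SAMPLE_LOG))
    print(dict(caps))
    print(integ)
```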



I've got this happening too. It only happens on our 2951 running securityk9, 15.2. This router only got upgraded to 15.2 last week, and that's when it started. When it was on 15.1 it did not do it. The other routers still on 15.1 don't do this.

Hello guys,

Exactly the same issue here - I'm using a 2951 running the latest (recommended) IOS - 15.2.4M6a with a total of 15Mbps and this message constantly appears. I've searched for bugs and I couldn't find anything similar and I definitely don't have that amount of traffic. And the question is - is it something cosmetic that I can ignore?