Maximum Tunnel bandwidth
07-25-2011 12:22 PM
Hello,
Can someone explain to me why Cisco restricts tunnel bandwidths to 85000 Kbps?
And, in addition, is this the complete summarized bandwidth available for _all_ tunnels? Or per single tunnel?
Jul 22 8:00:00.097: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
Jul 22 8:00:00.973: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
And yes, I'm quite aware of CPU-intensive jobs like encrypting for a router, but is there a possibility to modify this limit?
We are using:
Cisco CISCO3945-CHASSIS (revision 1.0) with C3900-SPE250/K9 with 678912K/304128K bytes of memory.
c3900e-universalk9-mz.SPA.151-1.T2.bin
Technology Package License Information for Module:'c3900e'
----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
-----------------------------------------------------------------
ipbase ipbasek9 Permanent ipbasek9
security securityk9 Permanent securityk9
uc None None None
data None None None
In my opinion a capable Router for terminating 4 tunnels, 2 of them with 100MBit, 2 of them with 5MBit WAN-IF bandwidth.
Thanks for your input!
07-25-2011 12:24 PM
Not to forget:
ASAs or other firewalls are _not_ an option, since we are also using OSPF and other tricks on these routers.
11-18-2011 11:50 AM
Hi Andreas:
On the ISRG2 there is a limited encrypted throughput of 85Mbps unidirectional (170 bidirectional) with the security license (securityk9). This error occurs as the crypto engine processes the packets and the flow exceeds the mentioned limit. There is an additional license Cisco sells (hseck9) that will allow you to encrypt beyond 85Mbps.
Here is a link which explains both products.
http://www.cisco.com/en/US/prod/collateral/routers/ps10536/qa_c67_606268.pdf
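An added example, not part of any post in this thread: a small Python parser for the %CERM-4-TX_BW_LIMIT / %CERM-4-RX_BW_LIMIT syslog lines quoted here, which extracts direction, limit and license and counts limit events per direction, treating a timestamped line that repeats verbatim as one event. The function names `parse_cerm` and `summarize` are this example's own; the sample lines are copied from messages shown in the thread.

```python
import re
from collections import Counter

# Matches the CERM limit messages quoted in this thread, with or without
# the leading "*" and timestamp that IOS prepends.
CERM_RE = re.compile(
    r"^\*?(?:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{1,2}:\d{2}:\d{2}(?:\.\d+)?):\s+)?"
    r"%CERM-4-(?P<dir>TX|RX)_BW_LIMIT: Maximum (?:Tx|Rx) Bandwidth limit of "
    r"(?P<kbps>\d+) Kbps reached for Crypto functionality with "
    r"(?P<license>\S+) technology package license\.?\s*$"
)

def parse_cerm(line):
    """Return a dict for a CERM bandwidth-limit line, or None for anything else."""
    m = CERM_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m.group("ts"), "dir": m.group("dir"),
            "kbps": int(m.group("kbps")), "license": m.group("license")}

def summarize(lines):
    """Count limit events per direction; a timestamped line repeated verbatim counts once."""
    seen, counts = set(), Counter()
    for line in lines:
        ev = parse_cerm(line)
        if ev is None:
            continue
        key = (ev["ts"], ev["dir"])
        if ev["ts"] is not None and key in seen:
            continue  # same event logged or pasted twice
        seen.add(key)
        counts[ev["dir"]] += 1
    return dict(counts)

# Sample input: log lines copied from posts in this thread (one repeated on purpose).
SAMPLE = [
    "Jul 22 8:00:00.097: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.",
    "Jul 22 8:00:00.973: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.",
    "*Oct 24 11:02:59.632: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.",
    "*Oct 24 11:02:59.632: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.",
    "*Oct 24 13:31:19: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=5571 spi=5598C7CB seqno=0006E8F5",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Feeding it a router's collected syslog gives a per-direction count of how often the licensed crypto limit was reported, which can then be compared against interface counters for the same timestamps.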
08-28-2012 08:46 AM
Hi
I am facing the same kind of issue as above:
%CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
I would like to know what happens to the tunnel when it reaches the Maximum Tx Bandwidth.
Does it tear down the tunnel or does it throttle the speed?
Can someone answer this for me please?
Thanks in advance
Lancellot
01-30-2013 11:35 AM
I'd also like to hear an answer to Lancellot's question above:
Lance Wendel wrote:
Hi
I am facing the same kind of issue as above:
%CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
I would like to know what happens to the tunnel when it reaches the Maximum Tx Bandwidth.
Does it tear down the tunnel or does it throttle the speed?
Can someone answer this for me please?
Thanks in advance
Lancellot
01-30-2013 12:43 PM
I remember that way back in the ISR G1, the input/output tunnel bandwidth was set to a certain level (forgot the figures) and the command to change it doesn't exist if and when you are running the base feature set. Once you've upgraded to the IP Services feature set, the option to change the input/output tunnel bandwidth is enabled.

01-30-2013 12:47 PM
Adam,
CERM keeps two separate counters, one for tunnel count and one for total BW.
Reaching one SHOULD NOT impact the other.
M.
06-26-2013 05:47 PM
Hi, I agree. Just to add that the 3945 and 3925 can handle 85 Mbps without the extra module.
08-20-2014 03:10 AM
>>does it tear down the tunnel or does it throttle the speed?
It certainly does NOT tear down the tunnel, so it must throttle it.
Pete
06-26-2013 01:34 PM
Hi,
I'm facing the same problem too, but in our case we are not using this amount of bandwidth (we're talking about 6Mbps).
Another thing: a normal router (ISR G2) will never reach an 85Mbps rate; when you are transferring 40Mbps the CPU will be around 100% 24/7.
If you are interested in getting this kind of performance and getting more than 85Mbps, you should buy the ISM-VPN card. It comes with the HSEC license, so you will be able to reach around 140 Mbps.
thanks,
10-24-2013 04:10 AM
Hi,
Similar situation: there is no 85Mbps traffic on the router and the message appears.
%CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
*Oct 24 11:02:59.632: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
%CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
*Oct 24 11:02:59.632: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
IOS: flash0:c3900-universalk9-mz.SPA.153-2.T.bin
There are 13 tunnels like this one:
ip tcp adjust-mss 1240
tunnel source FastEthernet0/0/1
tunnel mode ipsec ipv4
tunnel destination x.x.x.x
tunnel protection ipsec profile xxxxx
Any solution?
Regards,
Vladimir
10-24-2013 06:35 PM
What is the feature set of the IOS you are running? If it's IP Base, then upgrade to IP Services and the command "ip tunnel bandwidth input" or "output" should be available.
10-25-2013 12:30 AM
Hi Leo,
But there is no 80Mbps at all, in one direction, so what triggered that log message?
Feature set:
ipbasek9 no no no yes no
securityk9 yes yes no yes yes
uck9 yes yes no yes yes
datak9 yes yes no no yes
gatekeeper yes yes no no yes
LI yes no no no no
SSL_VPN yes yes no no yes
ios-ips-update yes yes yes no yes
SNASw yes yes no no yes
hseck9 yes no no no no
cme-srst yes yes no no yes
WAAS_Express yes yes no no yes
UCVideo yes yes no no yes
and
*Oct 24 10:53:56.151: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
*Oct 24 11:00:00.376: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
*Oct 24 11:02:59.632: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
*Oct 24 11:07:35.044: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
*Oct 24 13:31:19: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=5571 spi=5598C7CB seqno=0006E8F5
*Oct 24 13:40:01: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=5571 spi=5598C7CB seqno=00098060
*Oct 24 14:01:57: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=5585, sequence number=422523
Also, people told me to upgrade to the hseck9 license, but I said I don't have 80Mbps at all, and Cisco says in its documents that the hseck9 license is only needed above 85Mbps.
To add, currently there is 20Mbps in sum on the router, and the message still appears.
Regards,
11-10-2013 07:13 PM
Hi,
I've got this happening too. It only happens on our 2951 running securityk9, 15.2. This router only got upgraded to 15.2 last week, and that's when it started. When it was on 15.1 it did not do it. The other routers still on 15.1 don't do this.
08-19-2014 05:02 AM
Hello guys,
Exactly the same issue here - I'm using a 2951 running the latest (recommended) IOS - 15.2.4M6a with a total of 15Mbps and this message constantly appears. I've searched for bugs and I couldn't find anything similar, and I definitely don't have that amount of traffic. And the question is - is it something cosmetic that I can ignore?
