
It's mostly cosmetic. I bought the hseck9 licensing to get rid of it, but didn't see any change in performance.

Has anyone resolved this problem? Please tell me the solution, other than upgrading the hsec license. Thanks.

Re: Any one resolve this problem

I had the same issue with an ISR 4451, and I rebooted the router, which resolved the issue.

Hi, I just wanted to see if anyone had found an answer to this issue or not. It appears that some with an ISRG2 router and various 15.2 versions of IOS are getting the below error even though they do not have over 225 tunnels or 85 Mbps crypto traffic.

I found the below bug, but the 2951 router we are seeing the error on has 15.2(4)M5, and the bug details suggest that 15.2(4)M5 sees this error fixed. Either the bug is not fixed or this is a different bug.

https://tools.cisco.com/bugsearch/bug/CSCua21166

Symptom:
Unable to form IPSec tunnels due to error:
"RM-4-TUNNEL_LIMIT: Maximum tunnel limit of 225 reached for Crypto functionality with securityk9 technology package license."

Conditions:
Even though the router does not have 225 IPsec SA pairs, error will prevent IPSec from forming. Existing IPSec SAs will not be affected.

Workaround:
Reboot to clear out the leaked counter, or install hsec9 which will disable CERM (Crypto Export Restrictions Manager).

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.8/2.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:M/C:N/I:N/A:P/E:U/RL:W/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Has anyone tried decreasing the interface speed? Let me explain:

If you are using a 1 Gbps interface, even if you have an AVERAGE that is below 85 Mbps, any BURST (usage of 100% of the bandwidth for a few milliseconds) will trigger that event and drop packets.

If you reduce the speed of the interface to 100 Mbps (of course, only if your link has less than that), that same BURST would take more milliseconds and would have to last 10 times longer to trigger the same event.

Anyone tried that?

Thanks

Oseias

Yes, in our situation (4331 router) the CERM message keeps appearing, even with the incoming interface set to 100 Mbit. Our average speed does not come above 25 Mbit (30 second averaged), yet the log message appears constantly.

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/118746-technote-isr-00.html

I wonder how other vendors implement this CER policy. The same as Cisco, with dropping traffic after only a few milliseconds above 85 Mbit?

Another solution that comes to mind is to shape the output traffic. Apply a service-policy on the output interface and shape it to the Internet link speed.
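As an added illustration of the burst-versus-average argument earlier in this thread and of the shaping suggestion above (constructed model, not code from any poster or from Cisco): it assumes the crypto limit is checked per 1 ms slot, as the posts argue, and that the Internet link is 50 Mbps. A trace that averages 25 Mbps over 30 s still runs at line rate in 750 one-millisecond slots, and a per-slot egress shaper removes those excursions without dropping anything.

```python
"""Constructed model of the burst-versus-average argument in this thread.
Traffic is a list of bytes sent per 1 ms slot; rates are integer bit/s.
Assumed, not taken from the thread: the crypto limit is checked per 1 ms
slot, and the shaper is a simple per-slot byte quota."""

CERM_LIMIT_BPS = 85_000_000    # limit quoted in the thread
SLOTS_PER_SECOND = 1000        # one slot = 1 ms

def rate_bps(total_bytes, slots):
    """Average bit rate over `slots` consecutive 1 ms slots (integer bit/s)."""
    return total_bytes * 8 * SLOTS_PER_SECOND // slots

def peak_rate_bps(bytes_per_slot):
    """Highest rate seen in any single 1 ms slot."""
    return rate_bps(max(bytes_per_slot), 1)

def average_rate_bps(bytes_per_slot):
    """Rate as a long-interval counter reports it (e.g. a 30 s average)."""
    return rate_bps(sum(bytes_per_slot), len(bytes_per_slot))

def slots_over_limit(bytes_per_slot, limit_bps=CERM_LIMIT_BPS):
    """Number of 1 ms slots whose instantaneous rate exceeds the limit."""
    return sum(1 for b in bytes_per_slot if rate_bps(b, 1) > limit_bps)

def shape(bytes_per_slot, target_bps):
    """Egress shaper: each slot may send at most target_bps/8000 bytes; the
    excess is queued (delayed, not dropped). Returns (shaped trace, backlog)."""
    quota = target_bps // (8 * SLOTS_PER_SECOND)
    queue, out = 0, []
    for b in bytes_per_slot:
        queue += b
        sent = min(queue, quota)
        queue -= sent
        out.append(sent)
    return out, queue

def bursty_trace(seconds=30, line_rate_bps=1_000_000_000, every_n_slots=40):
    """Constructed trace: one full line-rate slot every `every_n_slots`, else idle."""
    per_burst = line_rate_bps // (8 * SLOTS_PER_SECOND)   # 125,000 bytes at 1 Gbps
    return [per_burst if i % every_n_slots == 0 else 0
            for i in range(seconds * SLOTS_PER_SECOND)]

if __name__ == "__main__":
    trace = bursty_trace()
    shaped, backlog = shape(trace, 50_000_000)   # assume a 50 Mbps Internet link
    for name, t in (("unshaped", trace), ("shaped", shaped)):   # 750 vs 0 slots over
        print("%s: avg %d Mbps, 1 ms peak %d Mbps, slots over limit %d" % (name,
              average_rate_bps(t) // 10**6, peak_rate_bps(t) // 10**6, slots_over_limit(t)))
    print("bytes still queued after shaping:", backlog)   # 0
```

The shaper only helps when the target rate is below the limit; a link faster than 85 Mbps would still let a full-rate burst through.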