Hi, I just wanted to see if anyone had found an answer to this issue or not. It appears that some people with an ISR G2 router and various 15.2 versions of IOS are getting the error below even though they do not have over 225 tunnels or 85 Mbps of crypto traffic.
I found the bug below, but the 2951 router we are seeing the error on runs 15.2(4)M5, and the bug details suggest that this error is fixed in 15.2(4)M5. Either the bug is not fixed or this is a different bug.
Unable to form IPSec tunnels due to error:
"RM-4-TUNNEL_LIMIT: Maximum tunnel limit of 225 reached for Crypto functionality with securityk9 technology package license."
Even though the router does not have 225 IPsec SA pairs, the error will prevent new IPsec SAs from forming. Existing IPsec SAs will not be affected.
Reboot to clear out the leaked counter, or install the hsec9 license, which will disable CERM (Crypto Export Restrictions Manager).
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.8/2.3:
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
Has anyone tried decreasing the interface speed? Let me explain:
If you are using a 1 Gbps interface, then even if you have an AVERAGE that is below 85 Mbps, any BURST (a usage of 100% of the bandwidth for a few milliseconds) will trigger that event and drop packets.
If you reduce the speed of the interface to 100 Mbps (of course, only if your link has less than that), that same BURST would take more milliseconds and would have to last 10 times longer to trigger the same event.
Anyone tried that?
Yes, in our situation (4331 router) the CERM message keeps appearing, even with the incoming interface set to 100 Mbit/s. Our average speed does not go above 25 Mbit/s (30-second average), yet the log message appears constantly.
I wonder how other vendors implement this CER policy. The same as Cisco, with dropping traffic after only a few milliseconds above 85Mbit?
Another solution that comes to mind is to shape the output traffic. Apply a service-policy on the output interface and shape it to the Internet link speed.
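For readers who want to try the shaping approach from the post above, here is an added example configuration; it is not from the original thread or from Cisco documentation. It assumes GigabitEthernet0/0 is the WAN uplink, an 80 Mbps shaping rate chosen to sit under the 85 Mbps CERM ceiling, and a Bc of 320000 bits (a 4 ms interval); the real CERM measurement window is not stated anywhere on this page, so the Bc value is an assumption, not a documented match. The `speed 100` alternative that the 4331 poster tried is shown commented out for comparison.

```cisco
! Added example, not from the original thread. Interface name, rate and
! burst values are assumptions for illustration.
!
! Shape all outbound WAN traffic to 80 Mbps with a small Bc so that
! millisecond-scale bursts stay below the 85 Mbps CERM limit.
policy-map SHAPE-WAN-OUT
 class class-default
  shape average 80000000 320000
!
interface GigabitEthernet0/0
 description WAN uplink (assumed interface)
 service-policy output SHAPE-WAN-OUT
!
! Alternative tried earlier in the thread: force the port to 100 Mbps.
! Only possible if the upstream device supports it; it did not stop the
! CERM messages for the 4331 poster.
! interface GigabitEthernet0/0
!  speed 100
!  duplex full
!
! Verification commands (as found on ISR G2 and ISR 4000 images):
! show policy-map interface GigabitEthernet0/0 output
! show platform cerm-information
! show license feature
```

Note that a shaper on the output interface only bounds traffic leaving the router toward the Internet; inbound bursts from the far end are not affected, so if the CERM counter is driven by decrypted inbound traffic this will not be sufficient on its own. Check `show policy-map interface` for shaper drops after applying the policy to confirm it is actually clamping bursts rather than just sitting idle.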