Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
58785
Views
4
Helpful
21
Replies

Maximum Tunnel bandwidth

Andreas Wittemann
Level 1
Level 1

‎07-25-2011 12:22 PM

Hello,

can someone explain me why Cisco restricts tunnel bandwidths to 85000 Kbps?

And, in addition, is this the complete summarized bandwidth available for _all_ tunnels? Or per single tunnel?

Jul 22 8:00:00.097: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

Jul 22 8:00:00.973: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

And yes, i´m quite aware of CPU-intensive jobs like encrypting for a router, but is there a possibility to modifiy this limit?

We are using:

Cisco CISCO3945-CHASSIS (revision 1.0) with C3900-SPE250/K9 with 678912K/304128K bytes of memory.

c3900e-universalk9-mz.SPA.151-1.T2.bin

Technology Package License Information for Module:'c3900e'

----------------------------------------------------------------

Technology    Technology-package          Technology-package

              Current       Type          Next reboot 

-----------------------------------------------------------------

ipbase        ipbasek9      Permanent     ipbasek9

security      securityk9    Permanent     securityk9

uc            None          None          None

data          None          None          None

In my opinion a capable Router for terminating 4 tunnels, 2 of them with 100MBit, 2 of them with 5MBit WAN-IF bandwidth.

Thanks for your input!

15 people had this problem
Labels:
Preview file
63 KB
0 Helpful
21 Replies 21

adamtodd16
Level 3
Level 3
In response to Plamen Mladenov

‎08-19-2014 05:11 AM

It's mostly cosmetic.  I  bought the hseck9 licensing to get rid of it, but didn't see any change in performance. 

0 Helpful

YaJun Liu
Level 1
Level 1

‎01-12-2015 01:06 AM

Any one resolve this problem ? Please tell me the solution except upgrade hsec license  ,Thanks.

0 Helpful

CorwynJohnson
Level 1
Level 1
In response to YaJun Liu

‎11-26-2018 12:36 PM

I had the same issue with a ISR 4451 and I rebooted the router which resolved the issue. 

0 Helpful

kyle woodhouse
Level 1
Level 1

‎04-13-2015 10:41 AM

Hi, I just wanted to see if anyone had found an answer to this issue or not.  It appears that some with an ISRG2 router and various 15.2 versions of IOS are getting the below error even though they do not have over 225 tunnels or 85 Mbps crypto traffic.

I found the below bug but the 2951 router we are seeing the error on has 15.2(4)M5 and the bug details suggest that 15.2(4)M5 sees this error fixed.  Either the bug is not fixed or this is a different bug.  

https://tools.cisco.com/bugsearch/bug/CSCua21166

Symptom:
Unable to form IPSec tunnels due to error:
''RM-4-TUNNEL_LIMIT: Maximum tunnel limit of 225 reached for Crypto functionality with securityk9 technology package license.''

Conditions:
Even though the router does not have 225 IPsec SA pairs, error will prevent IPSec from forming. Existing IPSec SAs will not be affected.

Workaround:
Reboot to clear out the leaked counter, or install hsec9 which will disable CERM (Crypto Export Restrictions Manager).
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.8/2.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:M/C:N/I:N/A:P/E:U/RL:W/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

0 Helpful

Oseias Paes Goncalves
Level 1
Level 1

‎12-07-2016 02:42 AM

Does anyone tried to decrease the interface speed? I explain:

If you are using 1GBps interface, and even inf you have an AVERAGE that is below 85Mbps, any BURST (an usage of 100% of the bandwidth for a few milliseconds) will trigger that event and drop packets.

If you reduce the speed of the interface to 100Mbps (of course, if your link have less than that) that same BURST would take more milliseconds and should last 10 times more to trigger the same event.

Anyone tried that?

Thanks

Oseias

0 Helpful

joopv
Level 1
Level 1
In response to Oseias Paes Goncalves

‎04-19-2017 01:39 PM

Yes, in our situation (4331 router) the CERM message keeps appearing, even with the incoming interface set to 100Mbit.  Our average speed does not come above 25Mbit (30 second averaged), yet the log message appears constantly.

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/118746-technote-isr-00.html

I wonder how other vendors implement this CER policy.  The same as Cisco, with dropping traffic after only a few milliseconds above 85Mbit?

0 Helpful

Oseias Paes Goncalves
Level 1
Level 1

‎05-11-2017 07:18 AM

Another solution that comes into mind is to shape the output traffic. Apply a service-policy on the output interface and shape it to the Internet link speed.

0 Helpful
Customers Also Viewed These Support Documents