cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
56456
Views
4
Helpful
21
Replies

Maximum Tunnel bandwidth

Hello,

can someone explain me why Cisco restricts tunnel bandwidths to 85000 Kbps?

And, in addition, is this the complete summarized bandwidth available for _all_ tunnels? Or per single tunnel?

Jul 22 8:00:00.097: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

Jul 22 8:00:00.973: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

And yes, i´m quite aware of CPU-intensive jobs like encrypting for a router, but is there a possibility to modifiy this limit?

We are using:

Cisco CISCO3945-CHASSIS (revision 1.0) with C3900-SPE250/K9 with 678912K/304128K bytes of memory.

c3900e-universalk9-mz.SPA.151-1.T2.bin

Technology Package License Information for Module:'c3900e'

----------------------------------------------------------------

Technology    Technology-package          Technology-package

              Current       Type          Next reboot 

-----------------------------------------------------------------

ipbase        ipbasek9      Permanent     ipbasek9

security      securityk9    Permanent     securityk9

uc            None          None          None

data          None          None          None

In my opinion a capable Router for terminating 4 tunnels, 2 of them with 100MBit, 2 of them with 5MBit WAN-IF bandwidth.

Thanks for your input!

21 Replies 21

It's mostly cosmetic.  I  bought the hseck9 licensing to get rid of it, but didn't see any change in performance. 

YaJun Liu
Level 1
Level 1

Any one resolve this problem ? Please tell me the solution except upgrade hsec license  ,Thanks.

I had the same issue with a ISR 4451 and I rebooted the router which resolved the issue. 

kyle woodhouse
Level 1
Level 1

Hi, I just wanted to see if anyone had found an answer to this issue or not.  It appears that some with an ISRG2 router and various 15.2 versions of IOS are getting the below error even though they do not have over 225 tunnels or 85 Mbps crypto traffic.

I found the below bug but the 2951 router we are seeing the error on has 15.2(4)M5 and the bug details suggest that 15.2(4)M5 sees this error fixed.  Either the bug is not fixed or this is a different bug.  

https://tools.cisco.com/bugsearch/bug/CSCua21166

Symptom:
Unable to form IPSec tunnels due to error:
''RM-4-TUNNEL_LIMIT: Maximum tunnel limit of 225 reached for Crypto functionality with securityk9 technology package license.''

Conditions:
Even though the router does not have 225 IPsec SA pairs, error will prevent IPSec from forming. Existing IPSec SAs will not be affected.

Workaround:
Reboot to clear out the leaked counter, or install hsec9 which will disable CERM (Crypto Export Restrictions Manager).
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.8/2.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:M/C:N/I:N/A:P/E:U/RL:W/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Does anyone tried to decrease the interface speed? I explain:

If you are using 1GBps interface, and even inf you have an AVERAGE that is below 85Mbps, any BURST (an usage of 100% of the bandwidth for a few milliseconds) will trigger that event and drop packets.

If you reduce the speed of the interface to 100Mbps (of course, if your link have less than that) that same BURST would take more milliseconds and should last 10 times more to trigger the same event.

Anyone tried that?

Thanks

Oseias

Yes, in our situation (4331 router) the CERM message keeps appearing, even with the incoming interface set to 100Mbit.  Our average speed does not come above 25Mbit (30 second averaged), yet the log message appears constantly.

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/118746-technote-isr-00.html

I wonder how other vendors implement this CER policy.  The same as Cisco, with dropping traffic after only a few milliseconds above 85Mbit?

Another solution that comes into mind is to shape the output traffic. Apply a service-policy on the output interface and shape it to the Internet link speed.