12-02-2022 04:59 AM - edited 12-02-2022 05:01 AM
Hi
We're trying to implement traffic policing to avoid the following log message:
%CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
Following the whitepages https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/118746-technote-isr-00.html#anc4 and this https://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/qos-policing/19645-policevsshape.html
However, we still get the log message. Does anyone know what we did wrong?
This is our config.
interface GigabitEthernet0/0
 description UPLINK WAN
 ip address dhcp
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map CRYPTO_MAP
 service-policy input PM-Policing

Policy Map PM-Policing
 Class CL-Policing
  police rate 80000000
   conform-action transmit
   exceed-action drop

Class Map match-all CL-Policing (id 1)
 Match any

sh policy-map interface gi0/0
 GigabitEthernet0/0
  Service-policy input: PM-Policing
   Class-map: CL-Policing (match-all)
    870906 packets, 1119424862 bytes
    5 minute offered rate 63000 bps, drop rate 0000 bps
    Match: any
    police:
     rate 80000000 bps, burst 2500000 bytes
     conformed 869659 packets, 1040884091 bytes; actions:
      transmit
     exceeded 0 packets, 0 bytes; actions:
      drop
     conformed 49000 bps, exceeded 0000 bps
   Class-map: class-default (match-any)
    0 packets, 0 bytes
    5 minute offered rate 0000 bps, drop rate 0000 bps
    Match: any
12-02-2022 05:12 AM
@quadrabe use shaping, here is an example of the exact same scenario. You'd probably want to purchase the HSEC license, rather than rely on this workaround.
12-02-2022 05:25 AM
Hi
For the location this issue is happening the business will not invest in the HSEC license.
It's a good article but not valid for us as we have to apply an input service-policy. Shaping is only possible with output policies.
It is not possible for us to apply an output policy on the other side as it is ISP material.
12-04-2022 08:33 AM
I agree with Mr. @Rob Ingram; the HSEC license can solve the problem.
12-06-2022 07:00 AM
It appears that you're using old IOS or an old platform, because in IOS-XE versions the CERM limit was changed to 250Mbps many years ago. The problem with CERM is that its measurement interval is very small, e.g. 1 sec or so. There can be microbursts and the 85Kbps limit is hit. Did you check show platform cerm-information?
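How the posted policer values interact with a short measurement window, as an added example that is not part of any post in this thread. The rate, burst and limit come from the posted output and log line; the 1-second window is the figure suggested in the last reply, and the gigabit line rate and 1500-byte packets are assumptions.

```python
"""Added example: single-rate token-bucket policer vs. a short measurement window."""

CIR_BPS = 80_000_000           # "police rate 80000000" from the posted policy
BURST_BYTES = 2_500_000        # "burst 2500000 bytes" from the show output
CERM_LIMIT_BPS = 85_000_000    # 85000 Kbps from the log message
LINE_RATE_BPS = 1_000_000_000  # assumption: sender bursts at gigabit line rate
PKT_BYTES = 1500               # assumption: constructed full-size packets


def conformed_bits(cir_bps, burst_bytes, window_s,
                   line_rate_bps=LINE_RATE_BPS, pkt_bytes=PKT_BYTES):
    """Bits the policer transmits in window_s when a line-rate burst
    arrives after an idle period (bucket full)."""
    tokens = float(burst_bytes)
    gap = pkt_bytes * 8 / line_rate_bps       # seconds between packet arrivals
    sent = 0
    for _ in range(int(window_s / gap)):
        # Refill for the time since the previous packet, capped at the burst size.
        tokens = min(burst_bytes, tokens + cir_bps / 8 * gap)
        if tokens >= pkt_bytes:               # conform-action transmit
            tokens -= pkt_bytes
            sent += pkt_bytes * 8
        # otherwise: exceed-action drop
    return sent


def max_burst_bytes(limit_bps, cir_bps, window_s):
    """Largest burst for which rate*window + burst stays at or below the limit."""
    return int((limit_bps - cir_bps) * window_s / 8)


if __name__ == "__main__":
    for window in (1.0, 0.1):                 # assumed measurement intervals
        bits = conformed_bits(CIR_BPS, BURST_BYTES, window)
        rate = bits / window
        verdict = "over" if rate > CERM_LIMIT_BPS else "under"
        print(f"window {window:>4}s: {rate / 1e6:7.1f} Mbps passed, {verdict} the limit")
    print("burst that fits a 1 s window:",
          max_burst_bytes(CERM_LIMIT_BPS, CIR_BPS, 1.0), "bytes")
```

With the posted values the policer can pass about 100 Mbit in one second after an idle period, because the full 2,500,000-byte bucket is spent on top of the 80 Mbps refill.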