cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
957
Views
20
Helpful
11
Replies
Chingiz
Beginner

VPN Bandwidth restriction on CISCO routers

Hello to everybody! We use IPSec Site-to-Site VPN on 2901 series Cisco routers for connection between offices, and there are errors in logs - " Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.". I have read about it on internet, and it says what this restriction applies by USA government to CISCO routers which goes to export. And to avoid this problem you need for HSEC-K9 license. But also it says what that license is not available on 2901 series routers we use. And more, I have read what 85Mb bandwidth is the highest Bandwidth, reachable on routers, which goes to export. That mean, if you live on other country, you accept only 85Mb bandwidth, regardless of model and license. So where is true, and how can I resolve this problem? Is there some decision for 2901 series routers?

1 ACCEPTED SOLUTION

Accepted Solutions

I find this quite strange.  According to documentation HSEC is only supported on 2921 and 2951 routers.

ref. https://www.cisco.com/c/en/us/td/docs/routers/access/sw_activation/SA_on_ISR.html#pgfId-1168046

Screenshot 2021-09-08 at 16.01.07.png

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

11 REPLIES 11
Rob Ingram
VIP Mentor

@Chingiz  

Yes it seems the HSEC license is not needed or available for the ISR G2 2901 hardware.

See the performance pdf attachment in this post.

https://community.cisco.com/t5/routing/performance-specs-throughput-maximums-for-isr-g2/td-p/2088416

 

As you are seeing that error, it's likely you are exceeding 85000Kbps, you should consider purchasing newer Cisco ISR 4000 series hardware as the ISR G2 2901 is End of Life. It's also likely that when 85000Kbps is exceeded the router will police the traffic so you'll get poor performance. So you might want to consider using QoS to shape the traffic, example. Ideally you'd replace the hardware.

 

 

 

      Yes, our traffic is more than 85MB/s, it is video traffic from cameras,  so this error happens often. We have about 60-70 routers in our network, and all of these, expects 2-3, is 2901 model, so change it all requires too much resources) 

       I have run "show license feature" command on my router and it shows HSEC license in list, but it is not enabled. So If HSEC is not available on 2901 series routers, why it shows it in that list? 

It is most likely shown as it would not be cost effective to create a completely different licensing platform for each cisco IOS device.  So the license is present but not usable.  Might have been more intuitive to change the status to "not supported" (or similar) rather than "disabled".   But as Rob has mentioned the device is end of support next year, so might be an idea to start planning for replacement.

--
Please remember to select a correct answer and rate helpful posts

I need more exact explanation about 2901, because I have to explain it to headquarters. I find some kind of 2901 routers with "VPN ISM module HSEC bundles for 2901 ISR platform", and don't know, is it usable thing or not?  :

https://www.router-switch.com/cisco2901-hsec-k9-p-5624.html

If it is, is that mean that HSEC K9 can be use on 2901, and we can do it with our routers? Or its total differrent devices?

I find this quite strange.  According to documentation HSEC is only supported on 2921 and 2951 routers.

ref. https://www.cisco.com/c/en/us/td/docs/routers/access/sw_activation/SA_on_ISR.html#pgfId-1168046

Screenshot 2021-09-08 at 16.01.07.png

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

That table confirms HSEC is supported only on the 2921 and 2951 of the 2900 series model. It does confirm HSEC is supported on 3900, 4300 and 4400 series.

Yes, I got it, it is quite enough. So the best way to resolve this problem is change devices? There is no other normal solution? I mean, if it be not 2900, but for example 2951, were there another decision expects for HSEC?   

The only option to increase VPN throughput in your case is to get another device.  The ISR 4000 series devices now support up to 250Mbps without the HSEC license.  If you need more than that you would of course need to purchase the HSEC license.

ISR 4000 Datasheet: https://www.cisco.com/c/en/us/products/collateral/routers/4000-series-integrated-services-routers-isr/data_sheet-c78-732542.html

 

--
Please remember to select a correct answer and rate helpful posts

Understand, we'll go that way. And the final question about models routers, supported HSEC-K9 license - if we have a link with 1Gb Or 10Gb bandwidth, do we accept this speed , buying HSEC license? Or, may be, it will be restricted on other value? In other words, having 1Gb link and buying HSEC license for 2951 and upper model router, we will accept 1GB speed?

Regardless of what the uplink speed is, you will be limited to what the router itself can handle and the license level you have purchased.  I have been look for a good overview of the IPsec encryption speeds with and without HSEC (which now is called Boost License) but I have been unable to find such an overview.  However, the following is what is stated in the ISR 4000 datasheet:

"The Boost License provides a license tier above the Performance License allowing customers to completely remove the ISR4000’s performance limiters. This will make the ISR 4000 platforms perform at entirely new performance levels, allowing for 4+ Gbps of IP Routing (CEF) performance on the 4400 series ISRs. For deployments using encryption, IPSec throughput with AES 256 increases to 250Mbps on the lowest platform up to 10Gbps on the ISR4461."

Screenshot 2021-09-09 at 10.18.51.png

I strongly suggest reading through the ISR 4000 datasheet before you place your order, and perhaps consult your local Cisco partner as well

--
Please remember to select a correct answer and rate helpful posts

Thank you a lot!

Create
Recognize Your Peers
Polls
Which of these topics should we host an event in the Community?

Top Choice: ISE Demo (50%)

Content for Community-Ad