09-08-2021 12:54 AM - edited 09-08-2021 12:54 AM
Hello everybody! We use IPSec Site-to-Site VPN on 2901 series Cisco routers for connections between offices, and there are errors in the logs: "Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license." I have read about it on the internet, and it says that this restriction is applied by the USA government to Cisco routers that go to export, and that to avoid this problem you need the HSEC-K9 license. But it also says that this license is not available on the 2901 series routers we use. Moreover, I have read that 85Mb bandwidth is the highest bandwidth reachable on routers that go to export. That means, if you live in another country, you get only 85Mb bandwidth, regardless of model and license. So what is true, and how can I resolve this problem? Is there some solution for 2901 series routers?
09-08-2021 01:09 AM
Yes it seems the HSEC license is not needed or available for the ISR G2 2901 hardware.
See the performance pdf attachment in this post.
https://community.cisco.com/t5/routing/performance-specs-throughput-maximums-for-isr-g2/td-p/2088416
As you are seeing that error, it's likely you are exceeding 85000Kbps. You should consider purchasing newer Cisco ISR 4000 series hardware, as the ISR G2 2901 is End of Life. It's also likely that when 85000Kbps is exceeded the router will police the traffic, so you'll get poor performance. So you might want to consider using QoS to shape the traffic, example. Ideally you'd replace the hardware.
09-08-2021 04:02 AM
Yes, our traffic is more than 85MB/s, it is video traffic from cameras, so this error happens often. We have about 60-70 routers in our network, and all of these, except 2-3, are 2901 models, so changing them all requires too many resources)
I have run the "show license feature" command on my router and it shows the HSEC license in the list, but it is not enabled. So if HSEC is not available on 2901 series routers, why does it show it in that list?
09-08-2021 05:47 AM - edited 09-08-2021 05:47 AM
It is most likely shown as it would not be cost effective to create a completely different licensing platform for each Cisco IOS device. So the license is present but not usable. It might have been more intuitive to change the status to "not supported" (or similar) rather than "disabled". But as Rob has mentioned, the device is end of support next year, so it might be an idea to start planning for replacement.
09-08-2021 06:49 AM
I need a more exact explanation about the 2901, because I have to explain it to headquarters. I found some kind of 2901 routers with "VPN ISM module HSEC bundles for 2901 ISR platform", and don't know whether it is a usable thing or not:
https://www.router-switch.com/cisco2901-hsec-k9-p-5624.html
If it is, does that mean that HSEC K9 can be used on the 2901, and we can do it with our routers? Or are these totally different devices?
09-08-2021 07:04 AM
I find this quite strange. According to documentation HSEC is only supported on 2921 and 2951 routers.
ref. https://www.cisco.com/c/en/us/td/docs/routers/access/sw_activation/SA_on_ISR.html#pgfId-1168046
09-08-2021 07:15 AM
That table confirms HSEC is supported only on the 2921 and 2951 of the 2900 series model. It does confirm HSEC is supported on 3900, 4300 and 4400 series.
09-08-2021 07:22 AM
Yes, I got it, it is quite enough. So the best way to resolve this problem is to change devices? Is there no other normal solution? I mean, if it were not a 2900 but, for example, a 2951, would there be another solution except for HSEC?
09-08-2021 07:34 AM
The only option to increase VPN throughput in your case is to get another device. The ISR 4000 series devices now support up to 250Mbps without the HSEC license. If you need more than that you would of course need to purchase the HSEC license.
ISR 4000 Datasheet: https://www.cisco.com/c/en/us/products/collateral/routers/4000-series-integrated-services-routers-isr/data_sheet-c78-732542.html
09-08-2021 11:32 PM
Understood, we'll go that way. And a final question about router models that support the HSEC-K9 license: if we have a link with 1Gb or 10Gb bandwidth, do we get this speed by buying the HSEC license? Or maybe it will be restricted to some other value? In other words, having a 1Gb link and buying the HSEC license for a 2951 or higher model router, will we get 1GB speed?
09-09-2021 01:46 AM - edited 09-09-2021 01:47 AM
Regardless of what the uplink speed is, you will be limited to what the router itself can handle and the license level you have purchased. I have been looking for a good overview of the IPsec encryption speeds with and without HSEC (which is now called Boost License), but I have been unable to find such an overview. However, the following is what is stated in the ISR 4000 datasheet:
"The Boost License provides a license tier above the Performance License allowing customers to completely remove the ISR4000’s performance limiters. This will make the ISR 4000 platforms perform at entirely new performance levels, allowing for 4+ Gbps of IP Routing (CEF) performance on the 4400 series ISRs. For deployments using encryption, IPSec throughput with AES 256 increases to 250Mbps on the lowest platform up to 10Gbps on the ISR4461."
I strongly suggest reading through the ISR 4000 datasheet before you place your order, and perhaps consult your local Cisco partner as well.
09-09-2021 05:01 AM
Thank you a lot!