Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3024
Views
0
Helpful
4
Replies

Cisco 1941 hitting crypto speed limit

Go to solution
Nick Cutting
Level 1
Level 1

‎09-29-2014 01:11 AM

I have read the documentation regarding the 85Meg / 170 Meg limits on the ISR G2s

 

As far as I am aware - this does NOT apply to the 1941.

 

I have a 1941 with a sec-k9 license, you cannot buy a h-sec license for this device.

"

The HSEC-K9 license removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput. HSEC-K9 is available only on the Cisco 2921, Cisco 2951, Cisco 3925, Cisco 3945, Cisco 3925E, and Cisco 3945E.

With the HSEC-K9 license, the ISR G2 router can go over the curtailment limit of 225 tunnels maximum for IP Security (IPsec) and encrypted throughput of 85-Mbps unidirectional traffic in or out of the ISR G2 router, with a bidirectional total of 170 Mbps.

The Cisco 1941, 2901, and 2911 already have maximum encryption capacities within export limits. The HSEC license requires the universalk9 image and the SEC license pre-installed."

 

I took this to mean that the "1941, 2901, and 2911" should go faster than this ?  It appears they are hard limited to 85Mbit !

 

%CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

%CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

 

Can anyone confirm if they have got more than 85 Mbit out of one of the above devices? FYI I am not nat'ing anything - this device is purely doing static VTI.  Ive routed packets using iPerf through this device @ 500 +Mbit.

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP
In response to Nick Cutting

‎09-29-2014 05:04 AM

Well, you could contact Cisco and tell them your concern about the wording of this.  It would probably help out others in the future also.

As for that website selling the 1941 with hsec k9 license, I think is either a typo or they do not know the product.

As per this document the 1941 only has the regular SEC K9 license available for it.

1900 

CISCO1941-SEC/K9

Cisco 1941 Security Bundle w/SEC license PAK, 256MB DRAM

 

CISCO1941W-SEC/K9

Cisco 1941W Security Bundle w/SEC license PAK, 802.11a/b/g/n

 

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Marius Gunnerud
VIP
VIP

‎09-29-2014 02:17 AM

The Cisco 1941, 2901, and 2911 already have maximum encryption capacities within export limits.

http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/software-activation-on-integrated-services-routers-isr/white_paper_c11_556985.html#wp9001377

As per this document it looks like the 1941 already has the maximum encryption capacity.  Based on this, I would say the output you are seeing is correct.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Nick Cutting
Level 1
Level 1
In response to Marius Gunnerud

‎09-29-2014 02:49 AM

Yes, you repeated exactly what I posted.  

The documentation should read we have limited these devices to 225 tunnels and 85meg. And that you cannot buy a license to extend this.  The bidirectional 170 Meg figure is useless to me.  So is this sentence "already have maximum encryption capacities"  within export limits , i.e they mean that they imagine people will not reach the 85meg Limit as they expect them to be running services like nat /zone based.   How about saying they are policing the capacity, and there is nothing you can do about it.

I think that sentence is just worded terribly.  Starting it with "already" it leans towards the tone of not requiring an h-sec lisence beacuse it is unrestricted.

 

 

show platform cerm-information

Crypto Export Restrictions Manager(CERM) Information:

CERM functionality: ENABLED

 

----------------------------------------------------------------

Resource                       Maximum Limit           Available

----------------------------------------------------------------

Tx Bandwidth(in kbps)          85000                   85000

Rx Bandwidth(in kbps)          85000                   85000

Number of tunnels              225                     221

Number of TLS sessions         1000                    1000

0 Helpful

Go to solution
Nick Cutting
Level 1
Level 1
In response to Nick Cutting

‎09-29-2014 02:59 AM

But these guys are selling it !

 

http://www.router-switch.com/cisco1941-hsec+-k9-p-5016.html

 

 

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Nick Cutting

‎09-29-2014 05:04 AM

Well, you could contact Cisco and tell them your concern about the wording of this.  It would probably help out others in the future also.

As for that website selling the 1941 with hsec k9 license, I think is either a typo or they do not know the product.

As per this document the 1941 only has the regular SEC K9 license available for it.

1900 

CISCO1941-SEC/K9

Cisco 1941 Security Bundle w/SEC license PAK, 256MB DRAM

 

CISCO1941W-SEC/K9

Cisco 1941W Security Bundle w/SEC license PAK, 802.11a/b/g/n

 

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents