Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Strange issue on 3925

Hi ,

Strange situation on 3925 ,  there is no 85Mbps traffic on the router and message apears .

%CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

*Oct 24 11:02:59.632: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

%CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

*Oct 24 11:02:59.632: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

IOS: flash0:c3900-universalk9-mz.SPA.153-2.T.bin"

There is 13 tunnels like this one

ip tcp adjust-mss 1240
tunnel source FastEthernet0/0/1
tunnel mode ipsec ipv4
tunnel destination x.x.x.x
tunnel protection ipsec profile xxxxx

Any solution?

Regards,

Vladimir

1 ACCEPTED SOLUTION

Accepted Solutions

Strange issue on 3925

But there is no 80Mbps at all , in one direction, so what triggered that log message ?

There is 85M (not 80M )in one direction.

Please check your interfaces for crypto maps and VTIs for tunnel protection.

4 REPLIES

Strange issue on 3925

Hello.

If you do not have a HSEC-k9 license installed on your ISR G2 router, you will see the following error message

on the console if the traffic exceeds 85-Mbps unidirectional or 170-Mbps bidirectional.

Please refer to https://www.cisco.com/en/US/prod/collateral/routers/ps10536/qa_c67_606268.pdf for details.

New Member

Strange issue on 3925

But there is no 80Mbps at all , in one direction, so what triggered that log message ?

I know about that HSECk9 , but Cisco said only if there is above 80Mbps .

feauture set.

ipbasek9                 no           no          no             yes      no        

securityk9               yes          yes         no             yes      yes       

uck9                     yes          yes         no             yes      yes       

datak9                   yes          yes         no             no       yes       

gatekeeper               yes          yes         no             no       yes       

LI                       yes          no          no             no       no        

SSL_VPN                  yes          yes         no             no       yes       

ios-ips-update           yes          yes         yes            no       yes       

SNASw                    yes          yes         no             no       yes       

hseck9                   yes          no          no             no       no        

cme-srst                 yes          yes         no             no       yes       

WAAS_Express             yes          yes         no             no       yes       

UCVideo                  yes          yes         no             no       yes       

and

*Oct 24 10:53:56.151: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

*Oct 24 11:00:00.376: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

*Oct 24 11:02:59.632: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

*Oct 24 11:07:35.044: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

*Oct 24 13:31:19: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=5571 spi=5598C7CB seqno=0006E8F5

*Oct 24 13:40:01: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=5571 spi=5598C7CB seqno=00098060

*Oct 24 14:01:57: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

        connection id=5585, sequence number=422523 *Oct 24 10:53:56.151: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
*Oct 24 11:00:00.376: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
*Oct 24 11:02:59.632: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
*Oct 24 11:07:35.044: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
*Oct 24 13:31:19: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=5571 spi=5598C7CB seqno=0006E8F5
*Oct 24 13:40:01: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=5571 spi=5598C7CB seqno=00098060
*Oct 24 14:01:57: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
        connection id=5585, sequence number=422523

Regards,

Strange issue on 3925

But there is no 80Mbps at all , in one direction, so what triggered that log message ?

There is 85M (not 80M )in one direction.

Please check your interfaces for crypto maps and VTIs for tunnel protection.

New Member

I got this answer from TAC on

I got this answer from TAC on the same message received on a 4331:

"The securityK9 license you are running has a limit of 85000 Kbps unidirectional or 170000 Kbps bi-directional of crypto traffic.  This doesn’t reflect the traffic allowed across the link but the amount of traffic the router will encrypt and is measured in microseconds, so short bursts of traffic could trigger this issue."

621
Views
0
Helpful
4
Replies