Cisco ISR G2 encrypted bandwidth restriction?

  • I have been having complaints of a "slow connection" from several new remote sites.

    The sites are connected via an MPLS L3VPN service into Cisco 2921's, and we are using Cisco GET-VPN to encrypt the traffic between our locations. All locations have either 100Mbps or 1Gbps circuits, so speed should not be an issue.

    However, upon conducting iperf tests from one location to a known working location, I found that my bandwidth tops out around 85Mbps.

    Further investigation on the 2921's gives many occurrences of the following error message in the logs:

    006555: Jan  3 08:19:09.573 EST: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
    006556: Jan  3 11:21:37.069 EST: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

    I have verified that our older locations using 2821's do not have this issue... is this something to do with IOS 15, the ISR Gen2's or both?

  • You are running into one of the fun, new, restrictions of the ISR Generation 2.

    I assume you have the basic "security" licensing package installed as noted by this part of the message:

    securityk9 technology package license

    However the securityk9 package is Cisco's "unrestricted export" version of that license, and will artificially limit you. You need the hseck9 package. See this white paper for more information. It says in part:

    The HSEC-K9 license removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput. HSEC-K9 is available only on the Cisco 2921, Cisco 2951, Cisco 3925, Cisco 3945, Cisco 3925E, and Cisco 3945E.

    With the HSEC-K9 license, the ISR G2 router can go over the curtailment limit of 225 tunnels maximum for IP Security (IPsec) and encrypted throughput of 85-Mbps unidirectional traffic in or out of the ISR G2 router, with a bidirectional total of 170 Mbps.

    The Cisco 1941, 2901, and 2911 already have maximum encryption capacities within export limits. The HSEC license requires the universalk9 image and the SEC license pre-installed.

    A quick way to check which license you have, is to issue the following command on your router:

    show license feature

    This will show you which licenses you have purchased from Cisco and installed on this router. You need to make sure that the hseck9 license is enabled. Otherwise you will be limited to that 85Mbps limit for encrypted traffic. Which on circuits below 100Mbps, might not be an issue, and you could safely ignore this problem. Either way, see this page for more information on installing the new license once you purchase it.

    Another handy command for troubleshooting this is:

    show platform cerm-information

    This will either spit out a list of information about the limits in place, including the failed encrypt/decrypt packet counts, or it will give you the following:

    router-1#show platform cerm-information 
    Crypto Export Restrictions Manager(CERM) Information:
     CERM functionality: DISABLED

    More information on this command here.

    Installing the HSEC-K9 licensing package, assumes you are inside the United States. Otherwise, as far as I know, you're stuck with 85Mbps encrypted traffic.

    ... are you answering your own question in second-person narrative?

    Yes… :) This is a question I've run into a few different times, I just copied my answer as I've given it before to people.

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM