I have been having complaints of a "slow connection" from several new remote sites.
The sites are connected via an MPLS L3VPN service into Cisco 2921s, and we are using Cisco GET-VPN to encrypt the traffic between our locations. All locations have either 100Mbps or 1Gbps circuits, so speed should not be an issue.
However, upon conducting iperf tests from one location to a known working location, I found that my bandwidth tops out around 85Mbps.
Further investigation on the 2921s gives many occurrences of the following error message in the logs:
006555: Jan 3 08:19:09.573 EST: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
006556: Jan 3 11:21:37.069 EST: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
I have verified that our older locations using 2821s do not have this issue… is this something to do with IOS 15, the ISR Gen2s or both?
Best Answer
You are running into one of the fun new restrictions of the ISR Generation 2.
I assume you have the basic "security" licensing package installed as noted by this part of the message:
However, the securityk9 package is Cisco's "unrestricted export" version of that license, and will artificially limit you. You need the hseck9 package. See this white paper for more information. It says in part:
A quick way to check which license you have is to issue the following command on your router:
This will show you which licenses you have purchased from Cisco and installed on this router. You need to make sure that the hseck9 license is enabled. Otherwise you will be limited to that 85Mbps limit for encrypted traffic, which on circuits below 100Mbps might not be an issue, and you could safely ignore this problem. Either way, see this page for more information on installing the new license once you purchase it.
Another handy command for troubleshooting this is:
This will either spit out a list of information about the limits in place, including the failed encrypt/decrypt packet counts, or it will give you the following:
More information on this command here.
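To find every router in a fleet that is hitting this cap, the CERM messages quoted in the question can be counted per device from collected syslog. The following is an added example, not part of the original question or answer; it assumes each stored line begins with the reporting device's name (a collector convention, not something IOS emits), and the hostnames and sample lines are constructed from the message text shown above.

```python
import re

# Matches the message quoted in the question, e.g.
# %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for
# Crypto functionality with securityk9 technology package license.
CERM_RE = re.compile(
    r"%CERM-4-(?P<dir>TX|RX)_BW_LIMIT: Maximum (?:Tx|Rx) Bandwidth limit of "
    r"(?P<kbps>\d+) Kbps reached for Crypto functionality with "
    r"(?P<license>\S+) technology package license"
)

def summarize_cerm(lines):
    """Return {host: {"TX": n, "RX": n, "limit_kbps": int, "license": str}}.

    Assumption: the first whitespace-separated token of each line is the
    device name added by the syslog collector. Adjust for your collector.
    """
    summary = {}
    for line in lines:
        m = CERM_RE.search(line)
        if not m:
            continue  # not a crypto bandwidth-limit event
        host = line.split(None, 1)[0]
        entry = summary.setdefault(
            host, {"TX": 0, "RX": 0, "limit_kbps": 0, "license": ""})
        entry[m["dir"]] += 1
        entry["limit_kbps"] = int(m["kbps"])
        entry["license"] = m["license"]
    return summary

# Constructed sample input: hypothetical hostnames prepended to the message
# format from the question, plus one unrelated line that must be ignored.
_MSG = ("%CERM-4-{d}_BW_LIMIT: Maximum {t} Bandwidth limit of 85000 Kbps "
        "reached for Crypto functionality with securityk9 technology "
        "package license.")
SAMPLE = [
    "rtr-site-a 006555: Jan 3 08:19:09.573 EST: " + _MSG.format(d="TX", t="Tx"),
    "rtr-site-a 006556: Jan 3 11:21:37.069 EST: " + _MSG.format(d="RX", t="Rx"),
    "rtr-site-b 000101: Jan 3 11:22:01.000 EST: %LINEPROTO-5-UPDOWN: "
    "Line protocol on Interface GigabitEthernet0/0, changed state to up",
    "rtr-site-a 006557: Jan 3 11:25:02.114 EST: " + _MSG.format(d="TX", t="Tx"),
]

if __name__ == "__main__":
    for host, info in sorted(summarize_cerm(SAMPLE).items()):
        print(f"{host}: TX hits={info['TX']} RX hits={info['RX']} "
              f"limit={info['limit_kbps']} Kbps license={info['license']}")
```

A device that appears in the summary with `securityk9` as its license is one where encrypted throughput is being capped and the hseck9 license discussed in the answer applies.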