Cisco ISR G2 encrypted bandwidth restriction

Tags: cisco, cisco-ios-15, cisco-isr, ipsec

I have been having complaints of a "slow connection" from several new remote sites.

The sites are connected via an MPLS L3VPN service into Cisco 2921's, and we are using Cisco GET-VPN to encrypt the traffic between our locations. All locations have either 100Mbps or 1Gbps circuits, so speed should not be an issue.

However, upon conducting iperf tests from one location to a known working location, I found that my bandwidth tops out around 85Mbps.

Further investigation on the 2921's gives many occurrences of the following error message in the logs:

006555: Jan  3 08:19:09.573 EST: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
006556: Jan  3 11:21:37.069 EST: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

I have verified that our older locations using 2821's do not have this issue… is this something to do with IOS 15, the ISR Gen2's or both?

Best Answer

You are running into one of the fun new restrictions of the ISR Generation 2.

I assume you have the basic "security" licensing package installed as noted by this part of the message:

securityk9 technology package license

However, the securityk9 package is Cisco's "unrestricted export" version of that license, and will artificially limit you. You need the hseck9 package. See this white paper for more information. It says in part:

The HSEC-K9 license removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput. HSEC-K9 is available only on the Cisco 2921, Cisco 2951, Cisco 3925, Cisco 3945, Cisco 3925E, and Cisco 3945E.

With the HSEC-K9 license, the ISR G2 router can go over the curtailment limit of 225 tunnels maximum for IP Security (IPsec) and encrypted throughput of 85-Mbps unidirectional traffic in or out of the ISR G2 router, with a bidirectional total of 170 Mbps.

The Cisco 1941, 2901, and 2911 already have maximum encryption capacities within export limits. The HSEC license requires the universalk9 image and the SEC license pre-installed.


A quick way to check which license you have is to issue the following command on your router:

show license feature

This will show you which licenses you have purchased from Cisco and installed on this router. You need to make sure that the hseck9 license is enabled. Otherwise you will be limited to that 85Mbps limit for encrypted traffic, which on circuits below 100Mbps might not be an issue, and you could safely ignore this problem. Either way, see this page for more information on installing the new license once you purchase it.


Another handy command for troubleshooting this is:

show platform cerm-information

This will either spit out a list of information about the limits in place, including the failed encrypt/decrypt packet counts, or it will give you the following:

router-1#show platform cerm-information 
Crypto Export Restrictions Manager(CERM) Information:
 CERM functionality: DISABLED

More information on this command here.
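
To find which routers are hitting the crypto export limit from collected syslog, the CERM messages quoted in the question can be parsed and counted. This is an added example, not part of the original question or answer; the names `summarize_cerm` and `SAMPLE` are hypothetical, and the third sample line is constructed.

```python
import re
from collections import Counter

# Matches the two CERM message forms quoted in the question.
CERM_RE = re.compile(
    r"^(?P<seq>\d+): (?P<ts>.+?): %CERM-4-(?P<dir>TX|RX)_BW_LIMIT: "
    r"Maximum (?:Tx|Rx) Bandwidth limit of (?P<kbps>\d+) Kbps reached "
    r"for Crypto functionality with (?P<lic>\S+) technology package license"
)

# First two lines are from the question; the third is a constructed,
# unrelated line to show that non-CERM messages are skipped.
SAMPLE = [
    "006555: Jan  3 08:19:09.573 EST: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.",
    "006556: Jan  3 11:21:37.069 EST: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.",
    "006557: Jan  3 11:25:00.000 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up",
]

def summarize_cerm(lines):
    """Count CERM bandwidth-limit hits per direction and collect the
    limit and license name each message reports."""
    hits = Counter()
    limits, licenses = set(), set()
    first = last = None
    for line in lines:
        m = CERM_RE.match(line.strip())
        if not m:
            continue  # not a CERM bandwidth-limit message
        hits[m["dir"]] += 1
        limits.add(int(m["kbps"]))
        licenses.add(m["lic"])
        first = first or m["ts"]
        last = m["ts"]
    return {
        "tx_hits": hits["TX"],
        "rx_hits": hits["RX"],
        "limit_kbps": sorted(limits),
        "licenses": sorted(licenses),
        "first_seen": first,
        "last_seen": last,
        # Any hit means encrypted traffic was curtailed on this router.
        "curtailed": bool(hits),
    }

if __name__ == "__main__":
    print(summarize_cerm(SAMPLE))
```

A router whose summary shows `curtailed` as true with `securityk9` in `licenses` is the case the answer describes.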