Feb 12 12:49:34.104: %IOSXE-4-PLATFORM:cpp_cp: QFP:0.0 Thread:003 TS:00009483658467823679 %CERM_DP-4-DP_TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
And that’s it…No more encrypted traffic can flow through your ISR 4000 series.
isr4000series#show platform software cerm-information
Crypto Export Restrictions Manager(CERM) Information:
CERM functionality: ENABLED
Resource Maximum Limit Available
Number of tunnels 225 211
Number of TLS sessions 1000 1000
Resource reservation information:
D – Dynamic
Client Tunnels TLS Sessions
VOICE 0 0
IPSEC 14 N/A
SSLVPN 0 N/A
Failed tunnels : 0
Failed sessions : 0
NO information about bandwidth limit!
The best solution for users with a permanent securityk9 license that encounter this issue is to purchase the HSEC-K9 license. For information on these licenses, refer to Cisco ISR G2 SEC and HSEC Licensing
Or you can implement a traffic shaper on the neighboring devices on both sides in order to smooth out any traffic bursts. The queue depth might have to be tuned based on the burstiness of the traffic in order for this to be effective.
Unfortunately this workaround is not applicable in all deployment scenarios, and often does not work well with microbursts, which are traffic bursts that occur in very short time intervals.
God bless installation will be without reboot!