I can`t remember anything, so I’m recording

Maximum Tx Bandwidth limit of 85000 Kbps, ISR gen2 and 4000 series (thanks to cisco for this adventure)

Feb 12 12:49:34.104: %IOSXE-4-PLATFORM:cpp_cp: QFP:0.0 Thread:003 TS:00009483658467823679 %CERM_DP-4-DP_TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

And that’s it…No more encrypted traffic can flow through your ISR 4000 series.

isr4000series#show platform software cerm-information
Crypto Export Restrictions Manager(CERM) Information:
CERM functionality: ENABLED

Resource Maximum Limit Available
Number of tunnels 225 211
Number of TLS sessions 1000 1000

Resource reservation information:
D – Dynamic
Client Tunnels TLS Sessions

Statistics information:
Failed tunnels : 0
Failed sessions : 0


NO information about bandwidth limit!



The best solution for users with a permanent securityk9 license that encounter this issue is to purchase the HSEC-K9 license. For information on these licenses, refer to Cisco ISR G2 SEC and HSEC Licensing

Or you can implement a traffic shaper on the neighboring devices on both sides in order to smooth out any traffic bursts. The queue depth might have to be tuned based on the burstiness of the traffic in order for this to be effective.

Unfortunately this workaround is not applicable in all deployment scenarios, and often does not work well with microbursts, which are traffic bursts that occur in very short time intervals.


God bless installation will be without reboot!

Leave a Reply

Your e-mail address will not be published. Required fields are marked *