
Cisco 1941 securityk9 license traffic

Chin Chang
Level 1

I have a model 1941 router, version 15.7(3)M5. I noticed it has recently been recording many logs like this: "%CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license."
However, looking at show interface [inside] and show interface [outside], I think the traffic is small.
Also, I remember that the hsec license can resolve this log issue, but hsec cannot work on a 1941 router? I'm not sure about this.
I have provided the related info. Should I upgrade the license, or upgrade the model? I'd appreciate any reply, thanks!
===================================
Technology Package License Information for Module:'c1900'

------------------------------------------------------------------------
Technology    Technology-package          Technology-package
              Current       Type          Next reboot
------------------------------------------------------------------------
ipbase        ipbasek9      Permanent     ipbasek9
security      securityk9    Permanent     securityk9
data          None          None          None
===================================
(outside is g0/1, inside is g0/0 & vlan 1)
1941R#show ip int brief
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/0 192.168.168.90 YES NVRAM up up
GigabitEthernet0/1 (public IP) YES NVRAM up up
GigabitEthernet0/0/0 unassigned YES unset up up
GigabitEthernet0/0/1 unassigned YES unset down down
GigabitEthernet0/0/2 unassigned YES unset down down
GigabitEthernet0/0/3 unassigned YES unset down down
Loopback201 192.168.201.10 YES NVRAM up up
NVI0 192.168.168.90 YES unset up up
Tunnel1921682021 192.168.202.10 YES NVRAM up up
Tunnel1921682031 192.168.203.10 YES NVRAM up up
Tunnel1921682041 192.168.204.10 YES NVRAM up up
Vlan1 10.4.21.251 YES NVRAM up up
Vlan11 unassigned YES unset down down
===================================
1941R#show int vlan1
Vlan1 is up, line protocol is up
Hardware is EtherSVI, address is 885a.9209.2143 (bia 885a.9209.2143)
Internet address is 10.4.21.251
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
30 second input rate 288000 bits/sec, 165 packets/sec
30 second output rate 972000 bits/sec, 193 packets/sec
7773027 packets input, 1393989326 bytes, 0 no buffer
Received 164933 broadcasts (56 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
10871780 packets output, 2145835775 bytes, 0 underruns
0 output errors, 1 interface resets
91186 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
1941R#show int g0/0
GigabitEthernet0/0 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is 885a.9209.2140 (bia 885a.9209.2140)
Description: Connect to CHT Hlink FTTB 20M/5M 43-YV001394
Internet address is 192.168.168.90
MTU 1500 bytes, BW 20480 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 2/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 100Mbps, media type is RJ45
output flow-control is XON, input flow-control is XON
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:10, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 5245
Queueing strategy: Class-based queueing
Output queue: 0/1000/5245 (size/max total/drops)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 221000 bits/sec, 127 packets/sec
9046 packets input, 625179 bytes, 0 no buffer
Received 67 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
4081766 packets output, 748726001 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
1941R#show int g0/1
GigabitEthernet0/1 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is 885a.9209.2141 (bia 885a.9209.2141)
Description: Connect to CHT site-to-site vpn (internet) 100/40M 43Y175819
Internet address is (public IP)
MTU 1500 bytes, BW 20000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 14/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 1Gbps, media type is RJ45
output flow-control is XON, input flow-control is XON
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/140 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: Class-based queueing
Output queue: 0/1000/0 (size/max total/drops)
30 second input rate 1133000 bits/sec, 208 packets/sec
30 second output rate 98000 bits/sec, 42 packets/sec
11026544 packets input, 3064397185 bytes, 0 no buffer
Received 65971 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
3642921 packets output, 846161501 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
40713 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 170376 pause output
0 output buffer failures, 0 output buffers swapped out
===================================
interface GigabitEthernet0/0
description Connect to CHT Hlink FTTB 20M/5M 43-YV001394
ip address 192.168.168.90 255.255.255.252
!
interface GigabitEthernet0/1
description Connect to CHT site-to-site vpn (internet) 100/40M 43Y175819
ip address (public IP) 255.255.255.0
!
interface Vlan1
ip address 10.4.21.251 255.255.255.0
ip helper-address 10.3.137.44
ip helper-address 10.3.137.45
===================================
Jan 18 22:25:56: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=(g0/1 IP), prot=50, spi=0x78629A0F(2019727887), srcaddr=167.94.C.D, input interface=GigabitEthernet0/1
Jan 18 23:23:40: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=(g0/1 IP), prot=50, spi=0x30303030(808464432), srcaddr=71.6.C.D, input interface=GigabitEthernet0/1
Jan 19 02:52:29: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=(g0/1 IP), prot=50, spi=0x3127FCB0(824704176), srcaddr=39.100.C.D, input interface=GigabitEthernet0/1
Jan 19 05:39:59: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=(g0/1 IP), prot=50, spi=0x30303030(808464432), srcaddr=185.165.C.D, input interface=GigabitEthernet0/1
Jan 19 07:56:23: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
Jan 19 07:57:36: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
Jan 19 10:01:24: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=(g0/1 IP), prot=50, spi=0x4D658221(1298498081), srcaddr=162.142.C.D, input interface=GigabitEthernet0/1
Jan 19 10:19:44: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
Jan 19 10:22:06: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
Jan 19 10:23:45: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
Jan 19 10:29:46: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
Jan 19 10:35:05: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
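
An added example, not part of the original post or the replies: a short Python script that tallies the %CERM-4-RX_BW_LIMIT lines per hour, groups the %CRYPTO-4-RECVD_PKT_INV_SPI drops by SPI and source, and expresses the 30-second input rate on GigabitEthernet0/1 as a share of the 85000 Kbps limit named in the log. The function names are hypothetical and the inputs are lines excerpted from the output posted above.

```python
import re
from collections import Counter, defaultdict

# Sample input: lines excerpted from the router output posted above.
SYSLOG = """\
Jan 18 23:23:40: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=(g0/1 IP), prot=50, spi=0x30303030(808464432), srcaddr=71.6.C.D, input interface=GigabitEthernet0/1
Jan 19 05:39:59: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=(g0/1 IP), prot=50, spi=0x30303030(808464432), srcaddr=185.165.C.D, input interface=GigabitEthernet0/1
Jan 19 07:56:23: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
Jan 19 07:57:36: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
Jan 19 10:01:24: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=(g0/1 IP), prot=50, spi=0x4D658221(1298498081), srcaddr=162.142.C.D, input interface=GigabitEthernet0/1
Jan 19 10:19:44: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
Jan 19 10:22:06: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
"""
SHOW_INT_G0_1 = """\
GigabitEthernet0/1 is up, line protocol is up
30 second input rate 1133000 bits/sec, 208 packets/sec
30 second output rate 98000 bits/sec, 42 packets/sec
"""

CERM_RE = re.compile(r"^(\w{3} +\d+) (\d\d):\d\d:\d\d: %CERM-4-RX_BW_LIMIT: .*limit of (\d+) Kbps")
SPI_RE = re.compile(r"%CRYPTO-4-RECVD_PKT_INV_SPI: .*spi=(0x[0-9A-Fa-f]+)\(\d+\), srcaddr=([^,]+),")

def cerm_summary(log):
    """Return (limit_kbps, Counter of RX_BW_LIMIT events keyed by 'Mon DD HH')."""
    limit, per_hour = None, Counter()
    for line in log.splitlines():
        m = CERM_RE.match(line)
        if m:
            limit = int(m.group(3))
            per_hour[f"{m.group(1)} {m.group(2)}"] += 1
    return limit, per_hour

def inv_spi_sources(log):
    """Map each invalid SPI to the set of source addresses that sent it."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = SPI_RE.search(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return dict(seen)

def input_rate_vs_limit(show_int, limit_kbps):
    """Return (input_kbps, percent_of_limit) from a 'show interface' excerpt."""
    kbps = int(re.search(r"input rate (\d+) bits/sec", show_int).group(1)) / 1000
    return kbps, round(100 * kbps / limit_kbps, 2)

if __name__ == "__main__":
    limit, per_hour = cerm_summary(SYSLOG)
    print("CERM limit (Kbps):", limit, "events per hour:", dict(per_hour))
    print("invalid SPI -> sources:", inv_spi_sources(SYSLOG))
    print("G0/1 input Kbps, % of limit:", input_rate_vs_limit(SHOW_INT_G0_1, limit))
```

A 30-second rate is an average that smooths out short bursts, so a low figure here does not by itself show that the limit was never reached.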


I think this is a bug.
show crypto engine statistics detail 

MHM

I can show the content maybe next week. I will try your suggestion, thanks!

balaji.bandi
Hall of Fame

Other than the logs, do you see any performance issues?

As you mentioned, you never go as high as 85 Meg of bandwidth on the line?

Since these models are End of Life, rather than buying a new license, try upgrading to new models or a router replacement package.

#show version
#show platform cerm-information

Look for a replacement router below:

https://www.cisco.com/c/en/us/products/collateral/routers/1900-series-integrated-services-routers-isr/eos-eol-notice-c51-740520.html

BB
