Cisco Bug: CSCup41110 - ISR4K: Device stops encrypting due to CERM - OUT_PKT_CERM_DROP

Last Modified

Sep 19, 2020

Products (1)

  • Cisco 4000 Series Integrated Services Routers

Known Affected Releases

15.5(1)S

Description (partial)

Symptom:
After a period in which CERM throttles outbound VPN traffic bursts, the device starts dropping all outbound IPsec traffic before encryption. Once cleared, the IPsec SA encrypt counters no longer increase.

show platform hardware qfp active statistics drop | include IpsecOutput
       IpsecOutput                                  5402                 2070544


show platform hardware qfp active feature ipsec datapath drops | i CERM
      119  OUT_PKT_CERM_DROP                                        5402

The following log message becomes more frequent, appearing even when a single packet tries to go through an IPsec SA:
%IOSXE-4-PLATFORM:cpp_cp: QFP:0.0 Thread:001 TS:00000150893012543875 %CERM_DP-4-DP_TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

Conditions:
ISR4K configured as an IPsec VPN [L2L, DMVPN, etc.] termination device, without the HSECk9 license applied, i.e. with CERM enabled:
show platform software cerm
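
A polling check for the symptom above, as an added example that is not part of the Cisco bug record: it separates ordinary CERM throttling from the stuck state by comparing the OUT_PKT_CERM_DROP counter between two polls with the growth of the SA encrypt counters. The second snapshot, the unrelated second syslog line and the `encrypt_delta` input (collected separately by the caller) are constructed assumptions.

```python
import re

# Line formats follow the output quoted in the bug description.
DROP_RE = re.compile(r"^\s*\d+\s+OUT_PKT_CERM_DROP\s+(\d+)\s*$", re.M)
LIMIT_RE = re.compile(
    r"%CERM_DP-4-DP_TX_BW_LIMIT: Maximum Tx Bandwidth limit of (\d+) Kbps reached")

def cerm_drops(show_output):
    """OUT_PKT_CERM_DROP packet count from the datapath drops output (0 if absent)."""
    m = DROP_RE.search(show_output)
    return int(m.group(1)) if m else 0

def limit_events(syslog_lines):
    """Kbps limit quoted by each CERM bandwidth-limit syslog message."""
    return [int(m.group(1)) for line in syslog_lines
            if (m := LIMIT_RE.search(line))]

def assess(prev_output, cur_output, encrypt_delta, syslog_lines):
    """Classify one polling interval.

    encrypt_delta is the growth of the IPsec SA encrypt counters over the
    interval, gathered by the caller (assumption: not parsed here).
    """
    prev, cur = cerm_drops(prev_output), cerm_drops(cur_output)
    # A lower value than last poll means the counters were cleared.
    drop_delta = cur if cur < prev else cur - prev
    if drop_delta == 0:
        state = "ok"
    elif encrypt_delta > 0:
        state = "cerm-throttling"      # CERM is rate limiting, traffic still flows
    else:
        state = "suspect-CSCup41110"   # drops rise, nothing is encrypted
    return {"state": state, "drop_delta": drop_delta,
            "limit_events": len(limit_events(syslog_lines))}

# Constructed samples: PREV reuses the counter shown above, CUR is invented.
PREV = "      119  OUT_PKT_CERM_DROP                                        5402\n"
CUR = "      119  OUT_PKT_CERM_DROP                                        5950\n"
SYSLOG = [
    "%IOSXE-4-PLATFORM:cpp_cp: QFP:0.0 Thread:001 TS:00000150893012543875 "
    "%CERM_DP-4-DP_TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached "
    "for Crypto functionality with securityk9 technology package license.",
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/0/1, changed state to up",
]

if __name__ == "__main__":
    print(assess(PREV, CUR, 0, SYSLOG))
```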

Related Community Discussions

CSCup41110 also affects other IOS versions
The bug also affects IOS version 15.4(3)S3 (XE software version 03.13.03.S).
Latest activity: Jun 21, 2017