Wednesday, February 18, 2015

Error :%CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license

This error message is coming in the one of our router's log constantly.

081062: Feb 18 09:24:08.621 EST: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

It is caused by our Security k9 license limitation. Basically if you do not have a HSEC-k9 license installed on your ISR G2 router, you will see this  error message on the console if the traffic exceeds 85-Mbps unidirectional or 170-Mbps bidirectional.

By upgrading to hseck9 license should be able to remove this error messages. Cisco document Cisco ISR G2 SEC and HSEC Licensing explains well what the difference is between them.

"The HSEC-K9 license removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput. HSEC-K9 is available only on the Cisco 2921, Cisco 2951, Cisco 3925, Cisco 3945, Cisco 3925E, and Cisco 3945E. With the HSEC-K9 license, the ISR G2 router can go over the curtailment limit of 225 tunnels maximum for IP Security (IPsec) and encrypted throughput of 85 -Mbps unidirectional traffic in or out of the ISR G2 router, with a bidirectional total of 170 Mbps. "

From our Monitoring software PRTG living traffic, it shows between 8:45AM and 9:00AM, there are obviously traffic spike which reached almost 40mbps. The data was collected and averaged by per minute from PRTG software. It seems the traffic might reach 85mbps at a couple of seconds and triggered this error message on the router logs.

To avoid traffic be throttled by this license limitation, following steps will be able to help you:

1. Get PAK number from your vendor who handles purchasing for you.

a. Quotation:

It will cost your company about $674 to remove this limitation on your router

b. Get Product Authorization Key (PAK):

After you order the license, your vendor will e-delivery to your email with this kind of pdf file:

2. Register License at Cisco license Website

3. Install the license:

Router#copy ftp://test:[email protected] flash:
Address or name of remote host []?
Source filename [2.lic]? 2.lic
Destination filename [2.lic]? 2.lic
Accessing ftp://*****:*****@
Loading 2.lic !
[OK - 1153/4096 bytes]
1153 bytes copied in 0.440 secs (2620 bytes/sec)

Router#license install flash:2.lic
Installing licenses from "flash:2.lic"
1/1 licenses were successfully installed
0/1 licenses were existing licenses
0/1 licenses were failed to install

4. Verify

There is no way to find out hseck9 license has been applied from show version and show license since security k9 license already applied.

But you should be able to get following message from the log:

081111: Feb 18 10:42:19.017 EST: %LICENSE-6-INSTALL: Feature hseck9 1.0 was installed in this device. UDI=C3900-SPE100/K9:FOC17027ZDD; StoreIndex=2:Primary License Storage


1. Cisco ISR G2 SEC and HSEC Licensing 


  1. Is this affect only the IPSec traffic? What about GRE tunnel interfaces without any ipsec?

    1. GRE tunnel is supported byUniversal IOS image and the Base license.