Wednesday, April 17, 2019

ASR and ISR error log : Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.





May 13 10:42:56.436 UTC: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
May 13 10:43:56.852 UTC: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
May 13 10:44:58.466 UTC: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
May 13 10:46:01.679 UTC: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
May 13 10:47:22.114 UTC: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.











I understand that you are seeing CERM Maximum Tx bandwidth messages.  If you are seeing these messages, it means you are running into these two scenarios:

  1.  You are hitting the limitation of the k9 license.  The k9 license has an 85Mbps limitation where it only allows you to pass 85Mbps of traffic at one time.  Any crypto traffic that goes over the limitation will get dropped.  The only way to remove that limitation is to purchase the HSEC license and then enable it on your ISR.
  2.  You are running into the 30 week bug.  All ISR 4k devices are susceptible to this bug.  If you were running into this, it would stop passing all crypto traffic and you would be in a network down state.  The only workaround for this bug is to reload the router.  Then you would need to upgrade to a fixed version of code.

I looked at the show tech you attached to the case and I see that the router has only been up for 2 days so you are not hitting the 30 week bug.
So in this case you are hitting the k9 limitation. 


By nature crypto traffic is bursty.  So what is happening is you are sending and receiving enough crypto traffic at the same time that it makes you go over the k9 limitation of 85Mbps.  The 85Mbps limitation includes traffic being sent and received.  If you are sending 50Mbps of encrypted traffic and receiving 35Mbps of encrypted traffic, then any traffic (being sent or received) will be dropped because you will go over the 85Mbps limitation.
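The triage described in the reply above, as an added Python example that is not part of the original post or any Cisco tooling: it parses the CERM messages, reports the enforced limit and how long the router has been hitting it, and applies the uptime check. The function names, the placeholder year, and the 30-week uptime threshold (taken only from the bug's name) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Log lines copied from the post above (syslog timestamps carry no year).
SAMPLE = """\
May 13 10:42:56.436 UTC: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
May 13 10:43:56.852 UTC: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
May 13 10:44:58.466 UTC: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
May 13 10:46:01.679 UTC: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
May 13 10:47:22.114 UTC: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
"""

CERM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:.]+) \w+: %CERM-4-TX_BW_LIMIT: "
    r"Maximum Tx Bandwidth limit of (?P<kbps>\d+) Kbps reached for Crypto "
    r"functionality with (?P<lic>\S+) technology package license",
    re.M,
)

def parse_cerm(text, year=2000):
    """Return (timestamp, limit_kbps, license) for each CERM Tx limit message.
    year is a placeholder, used only so intervals can be computed."""
    events = []
    for m in CERM_RE.finditer(text):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        events.append((ts, int(m["kbps"]), m["lic"]))
    return events

def summarize(events):
    """Message count, limit in Mbps, and seconds from first to last message."""
    times = sorted(e[0] for e in events)
    span = (times[-1] - times[0]).total_seconds() if times else 0.0
    limit = events[0][1] / 1000 if events else None
    return {"count": len(events), "limit_mbps": limit, "span_s": span}

def triage(events, uptime, bug_uptime=timedelta(weeks=30)):
    """Apply the reply's reasoning: a short uptime rules out the 30 week bug.
    bug_uptime is an assumption taken from the bug's name."""
    if not events:
        return "no CERM limit messages"
    if uptime >= bug_uptime:
        return "check for the 30 week bug"
    return "k9 license limit"

if __name__ == "__main__":
    ev = parse_cerm(SAMPLE)
    print(summarize(ev), triage(ev, timedelta(days=2)))
```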
