I have a Cisco 851 router and have been getting a steady stream of "getting aggressive" and "calming down" messages. Here are a couple of examples:
-ALERT_ON: getting aggressive, count (2/200) current 1-min rate: -1
Feb 24 20:55:52 cisco_firewall 32902: 032898: *Feb 24 21:33:24.612 PCTime: %FW-4-ALERT_OFF: calming down, count (2/80) current 1-min rate: 0
Feb 24 21:05:15 dlink_firewall EFW: USAGE: conns=1 if0=core ip0=127.0.0.1 tp0=0.00 if1=LAN ip1=192.168.9.199 tp1=0.00 if2=WAN ip2=18.104.22.168 tp2=0.00 if3=DMZ ip3=10.0.0.5 tp3=0.00
Here are my settings:
one-minute (sampling period) thresholds are [2745 : 3432] connections
max-incomplete sessions thresholds are [80 : 200]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
From what little I understand, I should only get the "aggressive" message if the number of half-open sessions exceeds 200. Yet there are only 2 and we still get the message.
Can anyone shed any light on this?
Building Industry Credit Association
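
An added example, not part of the original post: a small Python check that parses the ALERT_ON / ALERT_OFF messages quoted above and flags any alert that disagrees with the configured thresholds. It assumes that "count (N/M)" means current half-open sessions over the threshold being compared, and that an ALERT_ON is expected only when the count or the 1-minute rate exceeds its high threshold. The function names are hypothetical and the sample lines are reassembled from the fragments in the post.

```python
import re

# Thresholds copied from the settings quoted in the post: (low, high).
MAX_INCOMPLETE = (80, 200)    # half-open sessions
ONE_MINUTE = (2745, 3432)     # connections per one-minute sampling period

# Matches the message tail shown in the post, with or without the syslog prefix.
ALERT_RE = re.compile(
    r"ALERT_(?P<state>ON|OFF): .*?count \((?P<count>\d+)/(?P<limit>\d+)\) "
    r"current 1-min rate: (?P<rate>-?\d+)"
)

def parse_alert(line):
    """Return (state, count, limit, rate), or None for a non-alert line."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return m["state"], int(m["count"]), int(m["limit"]), int(m["rate"])

def check_alert(line):
    """List the ways an alert line disagrees with the configured thresholds."""
    parsed = parse_alert(line)
    if parsed is None:
        return []
    state, count, limit, rate = parsed
    findings = []
    if rate < 0:
        findings.append("negative 1-min rate")
    # Assumption: ON is reported against the high value, OFF against the low one.
    expected_limit = MAX_INCOMPLETE[1] if state == "ON" else MAX_INCOMPLETE[0]
    if limit != expected_limit:
        findings.append(f"limit {limit} does not match configured {expected_limit}")
    if state == "ON" and count <= MAX_INCOMPLETE[1] and rate <= ONE_MINUTE[1]:
        findings.append("ALERT_ON with count and rate both under the high thresholds")
    return findings

# Sample lines reassembled from the post (the ON line's syslog prefix is not shown there).
SAMPLE_LOG = [
    "%FW-4-ALERT_ON: getting aggressive, count (2/200) current 1-min rate: -1",
    "Feb 24 20:55:52 cisco_firewall 32902: 032898: *Feb 24 21:33:24.612 PCTime: "
    "%FW-4-ALERT_OFF: calming down, count (2/80) current 1-min rate: 0",
    "Feb 24 21:05:15 dlink_firewall EFW: USAGE: conns=1 if0=core ip0=127.0.0.1",
]

if __name__ == "__main__":
    for number, line in enumerate(SAMPLE_LOG, start=1):
        for finding in check_alert(line):
            print(f"line {number}: {finding}")
```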