"getting aggressive" and "calming down" messages

Unanswered Question
Jun 8th, 2010

I have a Cisco 851 router and have been getting a steady stream of "getting aggressive" and "calming down" messages.  Here are a couple examples:

-ALERT_ON: getting aggressive, count (2/200) current 1-min rate: -1        
Feb 24 20:55:52 cisco_firewall 32902: 032898: *Feb 24 21:33:24.612 PCTime: %FW-4
-ALERT_OFF: calming down, count (2/80) current 1-min rate: 0                   
Feb 24 21:05:15 dlink_firewall EFW: USAGE: conns=1 if0=core ip0=127.0.0.1 tp0=0.
00 if1=LAN ip1=192.168.9.199 tp1=0.00 if2=WAN ip2=74.212.145.255 tp2=0.00 if3=DM
Z ip3=10.0.0.5 tp3=0.00                                                   

Here are my settings:

one-minute (sampling period) thresholds are [2745 : 3432] connections
max-incomplete sessions thresholds are [80 : 200]                   
max-incomplete tcp connections per host is 50. Block-time 0 minute.

From what I understand I should only get the "aggressive" message if the number of half-open sessions exceeds 200.  Yet there are only 2 and we still get the message.

I suspect the problem may be where it is reporting "current 1-min rate: -1".   Why minus 1?  Is this a bug?

Can anyone shed any light on this?  Anyone know why the software would be reporting this and what it might mean?  Or any ideas on how to set this up so that it is not constantly switching between agressive and calming down?

Ray Peck

Building Industry Credit Association

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
Paolo Bevilacqua Tue, 06/08/2010 - 18:17

Are you using a FW configuration? That is not really necessary.

Remove it and end of messages, end of problems.

Paolo Bevilacqua Wed, 06/09/2010 - 13:56

If you have NAT, that's enough.

IOS FW / inspect do not really do much good beside slowing down things.

RayYamiPeck Wed, 06/09/2010 - 15:29

Thanks very much for your reply.  We're using two main features of the router:  The ACL rules which block everything incoming except some email access and NAT which seems to be like port forwarding.  Would turning off the "IOS FW / inspect" mean eliminating the ACL rules?  Isn't that the main means we have of blocking all others from entering our network?  Or can this be accomplished solely with NAT commands?  I'm mainly using the graphics tool CCP (Cisco Configuration Professional) though do some updates via telnet.  If there's some other feature than these two that you are recommending I turn off, can you point me to where I might find it in CCP or more data on it so I know better what you're describing?

Thanks, again.

Paolo Bevilacqua Wed, 06/09/2010 - 15:49

Just leave NAT and ACL, all the rest is superfluous.

Actually since you have NAT even the ACL is unncessary, but details should be checked by a qualified engineer.

You cannot get good results using GUI, must use CLI.

Please remember to rate useful posts clicking on the stars below.

RayYamiPeck Wed, 06/09/2010 - 16:21

Thanks.  I'll print out the list of commands in there now and see what it's doing in

addition to ACL and NAT.  If I have any questions, I'll let you know.

I appreciate your help.

Actions

This Discussion