
"getting aggressive" and "calming down" messages

RayYamiPeck
Level 1

I have a Cisco 851 router and have been getting a steady stream of "getting aggressive" and "calming down" messages.  Here are a couple examples:

-ALERT_ON: getting aggressive, count (2/200) current 1-min rate: -1        
Feb 24 20:55:52 cisco_firewall 32902: 032898: *Feb 24 21:33:24.612 PCTime: %FW-4
-ALERT_OFF: calming down, count (2/80) current 1-min rate: 0                   
Feb 24 21:05:15 dlink_firewall EFW: USAGE: conns=1 if0=core ip0=127.0.0.1 tp0=0.
00 if1=LAN ip1=192.168.9.199 tp1=0.00 if2=WAN ip2=74.212.145.255 tp2=0.00 if3=DM
Z ip3=10.0.0.5 tp3=0.00                                                   

Here are my settings:

one-minute (sampling period) thresholds are [2745 : 3432] connections
max-incomplete sessions thresholds are [80 : 200]                   
max-incomplete tcp connections per host is 50. Block-time 0 minute.

From what I understand I should only get the "aggressive" message if the number of half-open sessions exceeds 200.  Yet there are only 2 and we still get the message.

I suspect the problem may be where it is reporting "current 1-min rate: -1".   Why minus 1?  Is this a bug?

Can anyone shed any light on this?  Anyone know why the software would be reporting this and what it might mean?  Or any ideas on how to set this up so that it is not constantly switching between aggressive and calming down?

Ray Peck

Building Industry Credit Association
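
An added example, not part of the original post and not Cisco's code: a Python sketch that pulls the ALERT_ON / ALERT_OFF numbers out of syslog text, including entries wrapped as in the samples above, and flags those that do not fit the configured max-incomplete thresholds. It assumes the first number in count (x/y) is the current half-open count and the second is the threshold, as the post reads it; the function names are hypothetical.

```python
import re

# Sample text: the message lines quoted in the post, wrapped as they appear there.
SAMPLE = (
    "-ALERT_ON: getting aggressive, count (2/200) current 1-min rate: -1\n"
    "Feb 24 20:55:52 cisco_firewall 32902: 032898: *Feb 24 21:33:24.612 PCTime: %FW-4\n"
    "-ALERT_OFF: calming down, count (2/80) current 1-min rate: 0\n"
)

# Match the message body only, so an entry still parses when the "%FW-4"
# prefix was wrapped onto the previous line.
ALERT_RE = re.compile(
    r"ALERT_(ON|OFF): (?:getting aggressive|calming down), "
    r"count \((\d+)/(\d+)\) current 1-min rate: (-?\d+)"
)

def parse_alerts(text):
    """Return a dict per alert: state, current count, threshold, 1-min rate."""
    return [
        {"state": s, "current": int(c), "threshold": int(t), "rate": int(r)}
        for s, c, t, r in ALERT_RE.findall(text)
    ]

def audit(alerts, low=80, high=200):
    """Flag alerts whose numbers do not fit the max-incomplete thresholds.

    Assumption: count (x/y) is current half-open sessions / threshold.
    """
    findings = []
    for i, a in enumerate(alerts):
        expected = high if a["state"] == "ON" else low
        if a["threshold"] != expected:
            findings.append((i, "threshold differs from configuration"))
        if a["rate"] < 0:
            findings.append((i, "negative 1-min rate"))
        if a["state"] == "ON" and a["current"] <= high:
            findings.append((i, "ALERT_ON without exceeding high threshold"))
        if a["state"] == "OFF" and a["current"] >= low:
            findings.append((i, "ALERT_OFF without dropping below low threshold"))
    return findings

def flaps(alerts):
    """Count ON -> OFF transitions, a rough measure of the constant switching."""
    return sum(1 for a, b in zip(alerts, alerts[1:])
               if a["state"] == "ON" and b["state"] == "OFF")

if __name__ == "__main__":
    for idx, note in audit(parse_alerts(SAMPLE)):
        print(idx, note)
```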


paolo bevilacqua
Hall of Fame

Are you using a FW configuration? That is not really necessary.

Remove it and end of messages, end of problems.

This router IS the main firewall.  Smallish company.

If you have NAT, that's enough.

IOS FW / inspect do not really do much good beside slowing down things.

Thanks very much for your reply.  We're using two main features of the router:  The ACL rules which block everything incoming except some email access and NAT which seems to be like port forwarding.  Would turning off the "IOS FW / inspect" mean eliminating the ACL rules?  Isn't that the main means we have of blocking all others from entering our network?  Or can this be accomplished solely with NAT commands?  I'm mainly using the graphics tool CCP (Cisco Configuration Professional) though do some updates via telnet.  If there's some other feature than these two that you are recommending I turn off, can you point me to where I might find it in CCP or more data on it so I know better what you're describing?

Thanks, again.

Just leave NAT and ACL, all the rest is superfluous.

Actually, since you have NAT, even the ACL is unnecessary, but details should be checked by a qualified engineer.

You cannot get good results using GUI, must use CLI.

Please remember to rate useful posts clicking on the stars below.

Thanks.  I'll print out the list of commands in there now and see what it's doing in addition to ACL and NAT.  If I have any questions, I'll let you know.

I appreciate your help.
