TCC_2

Core issue

A router goes into aggressive mode when it is tracking more half-open sessions (TCP connections whose three-way handshake has not completed, or UDP sessions that have seen no return traffic) than the configured threshold allows; this is the condition the %FW-4-ALERT_ON message reports. By default that threshold, the max-incomplete high value, is 500 half-open sessions. Once the count exceeds it, the router starts deleting existing half-open sessions to make room for new connection requests, and it keeps doing so until the count drops below the max-incomplete low (or calm-down) value, which is 400 by default.

Resolution

As a workaround, raise the max-incomplete high and low thresholds so that the network's legitimate half-open session count no longer trips them. Keep in mind that these thresholds are the inspect engine's defence against SYN-flood style attacks: raise them only as far as the size of the network justifies, and if the alerts appear without a matching increase in legitimate traffic, treat them as a possible attack rather than a sizing problem.

These are the related commands:

  • ip inspect max-incomplete high: defines the number of existing half-open sessions that, when exceeded, causes the software to start deleting half-open sessions.

  • ip inspect max-incomplete low: defines the number of existing half-open sessions below which the software stops deleting half-open sessions.

To calculate the values, multiply the number of local hosts by 10 and use the result as max-incomplete high; set max-incomplete low 20 percent below that (high multiplied by 0.8), so that the router has room to calm down once the count falls.

For example, with 100 local hosts the suggested settings are high 1000 and low 800:

Router(config)#ip inspect max-incomplete high 1000
Router(config)#ip inspect max-incomplete low 800
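The following Python is an added example, not code from the original article or from Cisco: it applies the sizing rule above and models the high/low hysteresis so the effect on connections is visible. The eviction policy (oldest half-open entry deleted first), the exact comparisons (aggressive when the count exceeds high, calm when it drops below low) and the session IDs in the demo are assumptions of the model, not taken from IOS.

```python
"""Model of Cisco IOS CBAC half-open session thresholds (added example)."""
from collections import deque

# IOS 12.3 defaults quoted on the page.
DEFAULT_HIGH = 500
DEFAULT_LOW = 400


def recommend_thresholds(local_hosts: int) -> tuple[int, int]:
    """Sizing rule from the page: high = 10 x hosts, low = 20 % below high."""
    if local_hosts <= 0:
        raise ValueError("need at least one local host")
    high = local_hosts * 10
    low = high - high // 5
    return high, low


def render_config(high: int, low: int) -> list[str]:
    """The two IOS global-config commands for the chosen thresholds."""
    return [
        f"ip inspect max-incomplete high {high}",
        f"ip inspect max-incomplete low {low}",
    ]


class HalfOpenTable:
    """Simplified model of the inspect engine's half-open session table.

    Assumptions of this model (not from the page or from IOS source):
    * aggressive mode starts when the count EXCEEDS high and ends when it
      drops BELOW low;
    * while aggressive, the oldest half-open session is deleted to make room
      for each new one, so the count never grows past high.
    """

    def __init__(self, high: int = DEFAULT_HIGH, low: int = DEFAULT_LOW):
        if not 0 < low < high:
            raise ValueError("low must be below high or the router never calms down")
        self.high, self.low = high, low
        self.pending: deque = deque()   # half-open session IDs, oldest first
        self.aggressive = False
        self.dropped = 0                # sessions deleted by aggressive mode
        self.events: list = []          # (ALERT_ON | ALERT_OFF, count at the time)

    def open(self, session_id) -> None:
        """A new SYN (or first UDP packet) creates a half-open entry."""
        self.pending.append(session_id)
        if not self.aggressive and len(self.pending) > self.high:
            self.aggressive = True
            self.events.append(("ALERT_ON", len(self.pending)))
        while self.aggressive and len(self.pending) > self.high:
            self.pending.popleft()      # delete the oldest half-open session
            self.dropped += 1

    def complete(self, session_id) -> bool:
        """Handshake finished (or return traffic seen): entry leaves the table.

        Returns False if the entry was already deleted by aggressive mode,
        which is how a legitimate client gets caught by the threshold.
        """
        try:
            self.pending.remove(session_id)
        except ValueError:
            return False
        if self.aggressive and len(self.pending) < self.low:
            self.aggressive = False
            self.events.append(("ALERT_OFF", len(self.pending)))
        return True


def demo() -> HalfOpenTable:
    """Constructed burst of SYNs against tiny thresholds so the hysteresis is visible."""
    table = HalfOpenTable(high=5, low=3)
    for sid in range(1, 8):          # seven SYNs, only five allowed half-open
        table.open(sid)
    for sid in (3, 4, 5):            # three handshakes complete
        table.complete(sid)
    table.open(8)                    # router has calmed down; accepted normally
    return table


if __name__ == "__main__":
    high, low = recommend_thresholds(100)
    print("\n".join(render_config(high, low)))
    t = demo()
    print(t.events, "dropped:", t.dropped, "still half-open:", list(t.pending))
```

Running the demo shows why low must sit below high: with high 5 and low 3 the table goes aggressive on the sixth SYN, evicts the two oldest entries to make room, and only calms down once completions bring the count under 3. Sessions 1 and 2 can never complete, which is the same effect a legitimate client sees on a production router whose thresholds are sized too small for its host count.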

Problem Type: Troubleshoot software feature

Product Family: Routers

Error: %FW-4-ALERT_ON

Cisco IOS Software Version: 12.3

VPN Tunnel End Points: Any end point, Router

VPN Protocols: IPSec
