The "%FW-4-ALERT_ON: getting aggressive, count(501/500) current 1-min rate: 126" warning message is displayed in the logs of a router running Cisco IOS Software version 12.3

Wed, 07/22/2009 - 19:36
Jun 18th, 2009

Core issue

A router becomes aggressive when it has more half-open sessions than allowed. By default, the maximum number of half-open sessions (the max-incomplete high value) is 500. Once the count reaches that number, the router does not take any more half-open sessions until the count reaches the max-incomplete low (or calm down) value, which is 400 by default.

Resolution

As a workaround, increase the max-incomplete high and low values to resolve the issue.

These are the related commands:

  • ip inspect max-incomplete high: This command specifies the number of existing half-open sessions that, when exceeded, causes the software to delete half-open sessions.

  • ip inspect max-incomplete low: This command specifies the number of existing half-open sessions that causes the software to stop the deletion of half-open sessions.

In order to calculate the high and low values, multiply the number of local hosts by 10. The result (XXX) is the max-incomplete high value. The max-incomplete low value (YYY) is 20 percent below the high value.

For example, if there are 100 local hosts, these commands show the suggested settings for high and low:

Router(config)#ip inspect max-incomplete high 1000
Router(config)#ip inspect max-incomplete low 800
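
The sizing rule above can be checked against logged alerts before any threshold is raised. This Python example is added here and is not Cisco code: it parses the message format shown in this document's title and returns the suggested commands only when the logged threshold is below the rule's value. The function names, sample log lines and host count are constructed, and reading count(a/b) as current/threshold is an assumption.

```python
import re

# Message body as shown in this document's title; any syslog prefix is ignored.
# Assumption: count(a/b) is current half-open sessions / max-incomplete high.
ALERT_ON = re.compile(
    r"%FW-4-ALERT_ON: getting aggressive, count\s*\((\d+)/(\d+)\)\s*"
    r"current 1-min rate:\s*(\d+)"
)

def suggested_thresholds(local_hosts):
    """Rule from this document: high = hosts * 10, low = 20 percent below high."""
    high = local_hosts * 10
    low = high * 80 // 100
    return high, low

def parse_alert(line):
    """Return (half_open_count, logged_high, one_min_rate), or None if no match."""
    m = ALERT_ON.search(line)
    return tuple(int(g) for g in m.groups()) if m else None

def review(lines, local_hosts):
    """Compare the threshold logged in each ALERT_ON line with the sizing rule."""
    want_high, want_low = suggested_thresholds(local_hosts)
    findings = []
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue  # not an ALERT_ON message
        count, high, rate = parsed
        if high < want_high:
            # Threshold is below the rule's value: suggest the resized settings.
            commands = [f"ip inspect max-incomplete high {want_high}",
                        f"ip inspect max-incomplete low {want_low}"]
        else:
            # Threshold already meets the rule, so undersizing does not explain
            # the alert; the half-open sessions themselves need investigation.
            commands = []
        findings.append({"count": count, "high": high,
                         "rate": rate, "commands": commands})
    return findings

# Constructed sample log lines (timestamps and hostname are made up).
SAMPLE = [
    "Jun 18 10:02:11 rtr1 %FW-4-ALERT_ON: getting aggressive, count(501/500) current 1-min rate: 126",
    "Jun 18 10:02:15 rtr1 %LINK-3-UPDOWN: Interface Serial0, changed state to up",
    "Jun 18 11:40:03 rtr1 %FW-4-ALERT_ON: getting aggressive, count (1001/1000) current 1-min rate: 940",
]

if __name__ == "__main__":
    for finding in review(SAMPLE, local_hosts=100):
        print(finding)
```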

Problem Type

Troubleshoot software feature

Product Family

Routers

Error

%FW-4-ALERT_ON

Cisco IOS Software Version

12.3

VPN Tunnel End Points

Any end point

Router

VPN Protocols

IPSec
