When an attempt is made to access the Internet through the Cisco 3825 router, the "%FW-4-ALERT_ON" error message appears


Wed, 11/18/2009 - 18:23
Jun 22nd, 2009

Core issue

  The %FW-4-ALERT_ON error message occurs in these scenarios:

  • When the number of half-open connections has dropped below the low threshold

  • When the new connection initiation rate has dropped below the low threshold


To resolve this problem, perform these steps:

  1. Issue these commands on the router:
  2. Carefully go through the output of the commands and note these points:
    1. An unusually high number of half-open sessions can indicate the occurrence of a denial-of-service attack.

    2. For TCP, half-open means that the session has not reached the established state. For User Datagram Protocol (UDP), half-open means that the firewall has detected traffic from only one direction.

    3. When the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the software deletes half-open sessions as necessary to accommodate new connection requests. The software continues to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (the max-incomplete low number).

    4. View the current max-incomplete low/high thresholds set. If the threshold is low, issue the ip inspect max-incomplete high command in global configuration mode to raise the number of existing half-open sessions. This action causes the software to delete half-open sessions.
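
The high/low threshold behaviour described in point 3 can be modelled offline to see how a given pair of thresholds reacts to a burst of half-open sessions. The Python below is an added example, not code from the original document or from Cisco; the class and function names, the traffic samples and the rule of one deletion per new request are assumptions of this simplified model.

```python
from dataclasses import dataclass, field


@dataclass
class HalfOpenTracker:
    """Simplified model of the max-incomplete high/low behaviour."""
    high: int                  # stands in for the max-incomplete high number
    low: int                   # stands in for the max-incomplete low number
    count: int = 0             # half-open sessions currently tracked
    deleting: bool = False     # True while sessions are being deleted
    deleted: int = 0           # half-open sessions removed to make room
    events: list = field(default_factory=list)

    def tick(self, t, new, finished):
        """One interval: `finished` sessions establish or time out on
        their own, then `new` connection requests arrive."""
        self.count = max(0, self.count - finished)
        if self.deleting and self.count < self.low:
            self.deleting = False
            self.events.append((t, "stop-deleting", self.count))
        for _ in range(new):
            if self.deleting:
                # Assumption: one existing half-open session is deleted
                # per new request, so the total stays flat.
                self.deleted += 1
                continue
            self.count += 1
            if self.count > self.high:
                self.deleting = True
                self.events.append((t, "start-deleting", self.count))


def simulate(samples, high, low):
    """samples: (new, finished) pairs, one per interval."""
    fw = HalfOpenTracker(high=high, low=low)
    for t, (new, finished) in enumerate(samples):
        fw.tick(t, new, finished)
    return fw


# Constructed traffic: a burst of unanswered requests, then recovery.
SAMPLES = [(200, 150), (400, 100), (400, 50), (300, 50),
           (100, 200), (50, 300), (50, 200)]

if __name__ == "__main__":
    for high, low in [(500, 400), (1500, 1200)]:
        fw = simulate(SAMPLES, high, low)
        print(high, low, fw.deleted, fw.count, fw.events)
```

With the constructed samples, the 500/400 pair starts deleting in interval 2 and stops in interval 4, while the 1500/1200 pair never crosses its high threshold.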

For more information, refer to the FW Messages section of the 12.3 T System Message Guide.

Problem Type

Connectivity through the device
