Core issue
The %FW-4-ALERT_ON error message occurs in these scenarios:
- When the number of half-open connections has dropped below the low threshold
- When the new connection initiation rate has dropped below the low threshold
Resolution
To resolve this problem, perform these steps:
Issue these commands on the router:
- Carefully go through the output of the commands and note these points:
  - An unusually high number of half-open sessions can indicate a denial-of-service attack in progress.
  - For TCP, half-open means that the session has not reached the established state. For User Datagram Protocol (UDP), half-open means that the firewall has detected traffic from only one direction.
  - When the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the software deletes half-open sessions as necessary to accommodate new connection requests. The software continues to delete half-open sessions as necessary until the number of existing half-open sessions drops below another threshold (the max-incomplete low number).
- View the max-incomplete low/high thresholds currently set. If the threshold is low, issue the ip inspect max-incomplete high command in global configuration mode to raise the number of existing half-open sessions at which the software starts deleting half-open sessions.
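The high/low watermark behaviour in the third note above is easy to misread, so here is a small model of it as an added example. This is not Cisco code and does not reproduce IOS internals; it is a constructed simulation in which the threshold values, session ids and event labels are assumptions chosen for the demo. It shows why the two thresholds form a hysteresis band: deletion of the oldest half-open sessions starts once the count exceeds the high threshold and continues, one deletion per new request, until the count drops below the low threshold.

```python
# Added example (not Cisco code): a minimal model of the half-open session
# watermark logic described in the note above. Thresholds and session ids
# are constructed for the demo; on the router the real values are set with
#   ip inspect max-incomplete high <n>   and   ip inspect max-incomplete low <n>
from dataclasses import dataclass, field


@dataclass
class HalfOpenTracker:
    """Tracks half-open sessions against max-incomplete high/low thresholds."""
    high: int                                        # start deleting above this
    low: int                                         # stop deleting once below this
    half_open: list = field(default_factory=list)    # session ids, oldest first
    deleting: bool = False                           # True while above the band
    events: list = field(default_factory=list)       # state-change log

    def new_session(self, sid: str) -> None:
        """A new, not yet established session arrives at the firewall."""
        if self.deleting and self.half_open:
            # Still above the low watermark: drop the oldest half-open session
            # to accommodate the new request (one deletion per new request).
            self.half_open.pop(0)
        self.half_open.append(sid)
        if not self.deleting and len(self.half_open) > self.high:
            # Crossed the high watermark: begin aggressive deletion.
            self.deleting = True
            self.events.append(f"START_DELETING half_open={len(self.half_open)}")

    def established(self, sid: str) -> None:
        """A session completes (TCP handshake done / UDP reply seen)."""
        if sid in self.half_open:
            self.half_open.remove(sid)
        if self.deleting and len(self.half_open) < self.low:
            # Dropped below the low watermark: return to normal operation.
            self.deleting = False
            self.events.append(f"STOP_DELETING half_open={len(self.half_open)}")

    def count(self) -> int:
        return len(self.half_open)


def run_demo() -> HalfOpenTracker:
    """Constructed scenario: a burst of 7 new sessions, then 4 of them complete."""
    tracker = HalfOpenTracker(high=5, low=3)
    for i in range(1, 8):                 # s1..s7 arrive; s6 crosses the high mark
        tracker.new_session(f"s{i}")
    for sid in ("s2", "s3", "s4", "s5"):  # completions pull the count below low
        tracker.established(sid)
    return tracker


if __name__ == "__main__":
    t = run_demo()
    for event in t.events:
        print(event)
    print("remaining half-open:", t.half_open)
```

Note that while the tracker is in the deleting state, each new request evicts the oldest half-open session, so a sustained flood keeps the count pinned near the high threshold rather than growing without bound; the count only falls back below the low threshold as sessions complete or time out.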
For more information, refer to the FW Messages section of the 12.3 T System Message Guide.
Problem Type
Connectivity through the device
Product Family
Routers