Core issue

  The %FW-4-ALERT_ON error message occurs in these scenarios:

• When the number of half-open connections has dropped below the low threshold
  
  
• When the new connection initiation rate has dropped below the low threshold

Resolution

To resolve this problem, perform these steps:

1. Issue these commands on the router:
   
      
   • show ip inspect config
     
     This command displays the current max-incomplete low/high thresholds.
     
     
   • show ip inspect  stat
     
     This command displays the session counts seen so far.
     
      
2. Carefully go through the output of the commands and note these points:
      
   1. An unusually high number of half-open sessions can indicate the occurrence of a denial-of-service attack.
      
      
   2. For TCP, half-open means that the session has not reached the established state. For User Datagram Protocol (UDP), half-open means that the firewall has detected traffic from only one direction.
      
      
   3. When the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the software deletes half-open sessions as necessary to accommodate new connection requests.The software continues to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (the max-incomplete low number).
      
      
   4. View the current max-incomplete low/high thresholds set. If the threshold is low, issue the ip inspect max-incomplete high command in global configuration mode to raise the number of existing half-open sessions.This action causes the software to delete half-open sessions.
      

For more information, refer to the FW Messages section of 12.3 T System Message Guide

Problem Type

Connectivity through the device

Product Family

Routers