Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

inspect half open sessions

I have a 2621xm K9 bundle with 12.2(8)T4 running inspect, nat, vpn, ospf

System was installed and configured and working for 4 hours then stopped. when I look at the inspect sessions all the static nat sessions are shown as half open sessions and I cannot access the smtp server through the static nat.

Also had mrtg monitoring the public interface via snmp and this has stopped although the acl still shows matches. can only access snmp on the private interface now.

Anyone seen this ?

Community Member

Re: inspect half open sessions

I have seen this on routers where the network PCs were infected by viruses.

How many half open sessions do you see? Do you see suspicious target ip addresses? Maybe you also see many half opened sessions to external ip addresses with target ports 137-139? In all that cases you should consider to scan for viruses.

There is a limit of half open sessions, after which the router stops forwarding (300 or 500 half open session by default, I think)

Hope this helps,


Community Member

Re: inspect half open sessions

using the 'ip inspect' commands

or the tcp intercept feature


you can define a limit on the maximum number of half-open tcp connections

router(config)#ip inspect tcp ?

finwait-time Specify timeout for TCP connections after a FIN

idle-time Specify idle timeout for tcp connections

max-incomplete Specify max half-open connection per host

synwait-time Specify timeout for TCP connections after a SYN and no

further data


you can also configured you router to scale back on the attempted connections so that it will be managable again.

'one-minute high'

'one-minute low'


you can also block attempted connections from a specific host if for example, one pc is affected with a virus and keeps trying to open connections


'ip inspect tcp max-incomplete host 100 block-time 1'

after 100 attempted/incomplete tcp sessions from any specific host, the router will block attempted connections for 1 minute

i would use an access-list with the 'log' argument, a syslog server, and 'show ip accounting access-list' cmds to pinpoint the suspect device(s) or services.

CreatePlease to create content