Cisco Support Community


WLAN Problem 871W with ip inspect name half-open

Hello everybody,

I have a new Cisco 871W-G-E-K9 for my home office.

Everything is running on the LAN side, but the WLAN has no internet connection.

a) Working with Ethernet on VLAN1 is fine with NAT, VPN, internet connection etc.

b) Working with the Dot11Radio works to the LAN side but not to the WAN side.

> Configuration of the firewall from WLAN via BVI and connecting to a PC on VLAN1 is fine.

> RADIUS auth also works.

> WLAN and internet work ONLY if I remove the ip inspect from the WAN interface FastE4 and modify the access-list to allow ip ack, or remove the access-list from the WAN.

I tried for days with different configs, using Bridge or direct dot11radio, and I cannot see my mistake. Give me your view. Tried all IOS versions now - Version 12.4(4)T.

The config is long, so I attached it as a TXT file: sh run and sh vers.

"sh ip nat tr" shows me NAT is working.

"sh ip inspect sess" shows me the sessions in half-open mode ???

Thanks, Robert


Re: WLAN Problem 871W with ip inspect name half-open

To define the number of existing half-open sessions that will cause the software to start deleting half-open sessions, use the ip inspect max-incomplete high command in global configuration mode. Use the no form of this command to reset the threshold to the default of 500 half-open sessions.

ip inspect max-incomplete high number

no ip inspect max-incomplete high

An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For UDP, "half-open" means that the firewall has detected traffic from one direction only.

Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.

When the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the software will delete half-open sessions as required to accommodate new connection requests. The software will continue to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (the max-incomplete low number). The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.
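One way to check the two things this reply describes, how many of the sessions in "show ip inspect sessions" are half-open (and from which host) and how the max-incomplete high/low watermark behaves over the once-a-minute measurements, as an added example that is not from this thread. The sample output is constructed and its line format is assumed to follow IOS 12.4 CBAC output; the default low watermark of 400 is taken from IOS documentation.

```python
"""Parse 'show ip inspect sessions' output and model the CBAC half-open watermarks."""
import re
from collections import Counter

# Constructed sample, modelled on IOS CBAC 'show ip inspect sessions' output (assumed format).
SAMPLE_OUTPUT = """\
Established Sessions
 Session 82B58B98 (192.168.1.10:3456)=>(198.51.100.20:80) http SIS_OPEN
 Session 82B58C40 (192.168.1.10:3457)=>(198.51.100.21:443) tcp SIS_OPEN
Half-open Sessions
 Session 82B58D10 (192.168.2.50:1025)=>(198.51.100.22:80) http SIS_OPENING
 Session 82B58D58 (192.168.2.50:1026)=>(198.51.100.22:80) http SIS_OPENING
 Session 82B58DA0 (192.168.2.50:1027)=>(198.51.100.23:53) udp SIS_OPENING
"""

SESSION_RE = re.compile(
    r"Session\s+(?P<id>[0-9A-Fa-f]+)\s+\((?P<src>[^)]+)\)=>\((?P<dst>[^)]+)\)"
    r"\s+(?P<proto>\S+)\s+(?P<state>SIS_\w+)"
)


def parse_sessions(text):
    """Return one dict per session line; header and unknown lines are skipped."""
    matches = (SESSION_RE.search(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def count_half_open(sessions):
    """Half-open means the session has not reached the established (SIS_OPEN) state."""
    return sum(1 for s in sessions if s["state"] != "SIS_OPEN")


def half_open_by_source(sessions):
    """Count half-open sessions per source host (port stripped), to spot the host causing them."""
    return dict(Counter(s["src"].rsplit(":", 1)[0] for s in sessions if s["state"] != "SIS_OPEN"))


def deletion_state_per_minute(half_open_counts, high=500, low=400):
    """Apply the watermark rule to a per-minute series of half-open totals.

    Deletion starts once the total rises above `high` (default 500) and continues
    until it drops below `low` (default 400); returns True for each minute in
    which CBAC would be deleting half-open sessions.
    """
    deleting, states = False, []
    for n in half_open_counts:
        if n > high:
            deleting = True
        elif n < low:
            deleting = False
        states.append(deleting)
    return states


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_OUTPUT)
    print(count_half_open(sessions), "half-open:", half_open_by_source(sessions))
    print(deletion_state_per_minute([100, 600, 450, 390, 450]))
```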


Re: WLAN Problem 871W with ip inspect name half-open


I have the following solution in the meantime.

Give the WLAN PC its own public IP (NAT) and remove it from the NO-NAT list.


ip nat inside source route-map NAT-RMAP interface FastEthernet4 overload
ip nat inside source static 83.y.y.y1
ip nat inside source static 83.y.y.y2
ip nat inside source static 83.y.y.y3

ip access-list extended NO-NAT
 remark SDM_ACL Category=2
 deny ip
 deny ip
 permit ip any

route-map NAT-RMAP permit 10
 match ip address NO-NAT


But normally it should also work with the route-map on interface FastE4 when it is in NO-NAT, as seen in the attached config.

This workaround now works only for one WLAN host.

Regards, Robert