Cisco Support Community

The %FW-4-ALERT_ON: getting aggressive, count(501/500) current 1-min rate: 126 warning message is displayed in the logs of the router running Cisco IOS software version 12.3

Core issue

A router becomes aggressive when it has more half-open sessions than allowed. By default, the maximum number of half-open sessions (the max-incomplete high value) is 500. Once it reaches that number, the router does not take any more half-open sessions until it reaches the max-incomplete low (or calm down) value, which is 400 by default.


As a workaround, increase the max-incomplete high and low values to resolve the issue.

These are the related commands:

  • ip inspect max-incomplete high: This command specifies the number of existing half-open sessions that, when exceeded, causes the software to delete half-open sessions.

  • ip inspect max-incomplete low: This command specifies the number of existing half-open sessions that causes the software to stop the deletion of half-open sessions.

In order to calculate the high and low values, multiply the number of local hosts by 10 (XXX). This is the max-incomplete high, and the max-incomplete low is 20 percent below the high value (YYY).

For example, if there are 100 local hosts, this output shows the suggested settings for high and low:

Router(config)#ip inspect max-incomplete high 1000
Router(config)#ip inspect max-incomplete low 800
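
The following added example (not part of the original article and not Cisco code) parses the alert from router logs, counts aggressive-mode episodes, and applies the sizing rule above. The log lines are constructed, and the %FW-4-ALERT_OFF "calming down" message is assumed to use the same count layout as the alert shown in the title.

```python
import re

# The alert from the page, plus its "calming down" counterpart (%FW-4-ALERT_OFF),
# assumed here to use the same count(current/threshold) layout.
ALERT_RE = re.compile(
    r"%FW-4-ALERT_(ON|OFF): .*?count\s*\((\d+)/(\d+)\)\s*current 1-min rate:\s*(\d+)"
)

# Constructed sample syslog lines (timestamps and the second and third alerts are invented).
SAMPLE_LOG = [
    "*Jun 18 15:40:01: %FW-4-ALERT_ON: getting aggressive, count(501/500) current 1-min rate: 126",
    "*Jun 18 15:41:12: %FW-4-ALERT_OFF: calming down, count (399/400) current 1-min rate: 87",
    "*Jun 18 15:52:30: %FW-4-ALERT_ON: getting aggressive, count(501/500) current 1-min rate: 140",
    "*Jun 18 15:52:31: %SYS-5-CONFIG_I: Configured from console by console",
]

def suggest_thresholds(local_hosts):
    """Sizing rule from the article: high = hosts * 10, low = 20 percent below high."""
    high = local_hosts * 10
    return high, high - high * 20 // 100

def review(lines, local_hosts):
    """Count aggressive-mode episodes and compare the logged high value with the rule."""
    episodes, peak_rate, logged_high, aggressive = 0, 0, None, False
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # unrelated syslog message
        state, threshold, rate = m.group(1), int(m.group(3)), int(m.group(4))
        if state == "ON":
            logged_high, peak_rate = threshold, max(peak_rate, rate)
            episodes += 0 if aggressive else 1  # repeated ON lines are one episode
            aggressive = True
        else:
            aggressive = False
    high, low = suggest_thresholds(local_hosts)
    undersized = logged_high is not None and logged_high < high
    # Only propose new values when the logged high is below the rule; if it already
    # meets the rule, the half-open sessions themselves need investigating.
    commands = [f"ip inspect max-incomplete high {high}",
                f"ip inspect max-incomplete low {low}"] if undersized else []
    return {"episodes": episodes, "peak_rate": peak_rate, "logged_high": logged_high,
            "undersized": undersized, "commands": commands}

if __name__ == "__main__":
    print(review(SAMPLE_LOG, local_hosts=100))
```

With 100 local hosts the sample log yields the two commands shown above; with 50 hosts the logged high of 500 already matches the rule, so no change is proposed.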

Problem Type

Troubleshoot software feature

Product Family




Cisco IOS Software Version


VPN Tunnel End Points

Any end point


VPN Protocols


Version history
Revision #:
1 of 1
Last update:
06-18-2009 03:51 PM