Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

"getting aggressive" and "calming down" messages

I have a Cisco 851 router and have been getting a steady stream of "getting aggressive" and "calming down" messages.  Here are a couple examples:

-ALERT_ON: getting aggressive, count (2/200) current 1-min rate: -1        
Feb 24 20:55:52 cisco_firewall 32902: 032898: *Feb 24 21:33:24.612 PCTime: %FW-4
-ALERT_OFF: calming down, count (2/80) current 1-min rate: 0                   
Feb 24 21:05:15 dlink_firewall EFW: USAGE: conns=1 if0=core ip0= tp0=0.
00 if1=LAN ip1= tp1=0.00 if2=WAN ip2= tp2=0.00 if3=DM
Z ip3= tp3=0.00                                                   

Here are my settings:

one-minute (sampling period) thresholds are [2745 : 3432] connections
max-incomplete sessions thresholds are [80 : 200]                   
max-incomplete tcp connections per host is 50. Block-time 0 minute.

From what I understand I should only get the "aggressive" message if the number of half-open sessions exceeds 200.  Yet there are only 2 and we still get the message.

I suspect the problem may be where it is reporting "current 1-min rate: -1".   Why minus 1?  Is this a bug?

Can anyone shed any light on this?  Anyone know why the software would be reporting this and what it might mean?  Or any ideas on how to set this up so that it is not constantly switching between agressive and calming down?

Ray Peck

Building Industry Credit Association

Hall of Fame Super Gold

Re: "getting aggressive" and "calming down" messages

Are you using a FW configuration? That is not really necessary.

Remove it and end of messages, end of problems.

New Member

Re: "getting aggressive" and "calming down" messages

This router IS the main firewall.  Smallish company.

Hall of Fame Super Gold

Re: "getting aggressive" and "calming down" messages

If you have NAT, that's enough.

IOS FW / inspect do not really do much good beside slowing down things.

New Member

Re: "getting aggressive" and "calming down" messages

Thanks very much for your reply.  We're using two main features of the router:  The ACL rules which block everything incoming except some email access and NAT which seems to be like port forwarding.  Would turning off the "IOS FW / inspect" mean eliminating the ACL rules?  Isn't that the main means we have of blocking all others from entering our network?  Or can this be accomplished solely with NAT commands?  I'm mainly using the graphics tool CCP (Cisco Configuration Professional) though do some updates via telnet.  If there's some other feature than these two that you are recommending I turn off, can you point me to where I might find it in CCP or more data on it so I know better what you're describing?

Thanks, again.

Hall of Fame Super Gold

Re: "getting aggressive" and "calming down" messages

Just leave NAT and ACL, all the rest is superfluous.

Actually since you have NAT even the ACL is unncessary, but details should be checked by a qualified engineer.

You cannot get good results using GUI, must use CLI.

Please remember to rate useful posts clicking on the stars below.

New Member

Re: "getting aggressive" and "calming down" messages

Thanks.  I'll print out the list of commands in there now and see what it's doing in

addition to ACL and NAT.  If I have any questions, I'll let you know.

I appreciate your help.