Cisco CBAC Firewall – FW-4-ALERT_ON: getting aggressive

Had an issue recently where the CBAC firewall on a Cisco 1811 was slowing down and blocking internet traffic. My inspect policy was doing basic inspection (tcp and icmp, not http/https). The log showed: %FW-4-ALERT_ON: getting aggressive, count (501/500) current 1-min rate: 216.

Cisco explains this as the "router becomes aggressive when it has more half-open sessions than allowed." They recommend raising the half-open thresholds with "ip inspect max-incomplete high 1000" and "ip inspect max-incomplete low 800", linked here.

Unfortunately this did not resolve my problem, so I used "ip inspect one-minute high 2000" and "ip inspect one-minute low 1800", which brought everything back to normal. If you want to increase all session thresholds in the hope of fixing your issue, here they are:

ip inspect max-incomplete high 5000
ip inspect max-incomplete low 4800
ip inspect one-minute high 5000
ip inspect one-minute low 4800
ip inspect udp idle-time 60
ip inspect tcp idle-time 43200
ip inspect tcp synwait-time 60
ip inspect tcp max-incomplete host 200 block-time 0

To get logging details, you can use "ip inspect audit-trail".
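An added example (not from the original post): a small Python parser that reads the %FW-4-ALERT_ON / %FW-4-ALERT_OFF messages out of router syslog and reports which threshold each alert is consistent with, the half-open session count or the one-minute connection rate, so you know which pair of "ip inspect" thresholds to raise first. It assumes the limit printed next to the count is the max-incomplete high watermark, a configured one-minute high of 500, and the ALERT_OFF text "calming down"; the sample log is constructed, with only the first line's numbers taken from the post.

```python
import re
from dataclasses import dataclass

# Constructed syslog sample; only the numbers on the first line come from the post.
SAMPLE_LOG = """\
*Mar  1 10:12:03: %FW-4-ALERT_ON: getting aggressive, count (501/500) current 1-min rate: 216
*Mar  1 10:12:41: %FW-4-ALERT_OFF: calming down, count (399/400) current 1-min rate: 180
*Mar  1 10:15:09: %FW-4-ALERT_ON: getting aggressive, count (450/500) current 1-min rate: 612
*Mar  1 10:15:10: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# Matches both ALERT_ON and ALERT_OFF; "count (current/limit)" and the 1-min rate are captured.
ALERT_RE = re.compile(
    r"%FW-4-ALERT_(?P<state>ON|OFF): .*?count \((?P<count>\d+)/(?P<limit>\d+)\)"
    r" current 1-min rate: (?P<rate>\d+)"
)

@dataclass
class Alert:
    state: str    # "ON" = router went aggressive, "OFF" = router calmed down
    count: int    # half-open sessions when the message was logged
    limit: int    # limit printed next to the count (assumed: max-incomplete high)
    rate: int     # new connection attempts in the last minute
    trigger: str  # threshold(s) an ALERT_ON is consistent with, "-" for ALERT_OFF

def classify(count, limit, rate, one_minute_high):
    """Name the threshold(s) an ALERT_ON is consistent with, or "none".

    The half-open total is compared with the limit printed in the message; the
    rate is compared with the configured one-minute high (assumed 500 here)."""
    hits = []
    if count > limit:
        hits.append("max-incomplete")
    if rate > one_minute_high:
        hits.append("one-minute")
    return "+".join(hits) if hits else "none"

def parse_alerts(log_text, one_minute_high=500):
    alerts = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not a CBAC alert line
        count, limit, rate = (int(m.group(k)) for k in ("count", "limit", "rate"))
        on = m.group("state") == "ON"
        trigger = classify(count, limit, rate, one_minute_high) if on else "-"
        alerts.append(Alert(m.group("state"), count, limit, rate, trigger))
    return alerts

# Threshold pairs from the post, keyed by the trigger name classify() returns.
COMMANDS = {"max-incomplete": "ip inspect max-incomplete high / low",
            "one-minute": "ip inspect one-minute high / low"}

def recommend(alerts):
    """Threshold pairs worth raising, based on what actually tripped in the log."""
    return sorted({COMMANDS[t] for a in alerts if a.state == "ON"
                   for t in a.trigger.split("+") if t in COMMANDS})
```

Run it against `SAMPLE_LOG` and the first alert is attributed to the half-open count while the third is attributed to the one-minute rate, so both threshold pairs come back from `recommend()`.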
