Had an issue recently were the CBAC firewall on a Cisco 1811 was slowing down/blocking internet traffic. My inspect policy was doing basic inspection (tcp, icmp – not http,https). The log showed: %FW-4-ALERT_ON: getting aggressive, cound (501/500) current 1-min rate: 216.
Cisco explains this as the “router becomes aggressive when it has more half-open sessions than allowed.” They recommend increasing the “ip inspect max-incomplete high 1000” and “ip inspect max-incomplete low 800”, linked here.
Unfortunately this did not resolve my problem, and I used “ip inspect one-minute high 2000” and “ip inspect one-minute low 1800” which brought everything back to normal. If you want to increase all session thresholds in the hope of fixing your issue, here they are:
ip inspect max-incomplete high 5000
ip inspect max-incomplete low 4800
ip inspect one-minute high 5000
ip inspect one-minute low 4800
ip inspect udp idle-time 60
ip inspect tcp idle-time 43200
ip inspect tcp synwait-time 60
ip inspect tcp max-incomplete host 200 block-time 0
To get logging details, you can use “ip inspect audit-trail”