Hi,
I am getting recurrent alerts on my firewall which is connected to the Internet.
The inspection is configured on the DMZ, inside and internet-facing interfaces with max one-minute 3000 and low 2000.
The one-minute count is extremely high, of the order of 4000000000, when it is triggered.
We have access-list controlling incoming and outgoing.
The internet access is only used for VPN, and the incoming access-list contains only esp, isakmp and icmp with a specific host.
I have not found a lot of matches equivalent to these values on any access-list.
Furthermore, when I do a sh ip inspect sessions during the firewall alert, I can see only 200-300 established sessions.
I have also enabled audit-trail. The audit trail appears normal during the same period. CPU and memory are very calm too. Bandwidth has also been monitored in real time on all interfaces, including internet. No peaks observed. It is below 50% of 2 Mbps on the Internet.
The alert can stay for 4-5 mins and then calms down before retriggering.
I have also enabled ip inspect log drop-packets. Again, not much there during the alert period.
Is there a way to determine which inspection name (interface) is triggering the alert?
I am using 12.4 T Advanced Security. I don't have the exact version, which I can give later.
For me, it looks to be a bug, as the 4000000000 one-minute rate does not make sense since I cannot see this huge number of sessions, and I cannot see huge numbers in the access-list counters.
User experience is being affected as I assume that each time the alert is triggered, the firewall is dropping existing connections.
Can you please help?