frequent FW-4-ALERT_ON messages

nmcfadye
Level 1

I am using a Cisco 2621 with the FW feature set as a firewall between our department network and the university backbone.

Around the end of May there was a change in the campus backbone that put a number of VLANs into a flat network, resulting in a large increase of the following messages:

Jul 18 06:12:16 maegateway.mae.carleton.ca 952034: .Jul 18 10:12:16.019 UTC: %FW-4-ALERT_ON: getting aggressive, count (12/600) current 1-min rate: 601

Jul 18 06:12:51 maegateway.mae.carleton.ca 952055: .Jul 18 10:12:50.611 UTC: %FW-4-ALERT_OFF: calming down, count (0/500) current 1-min rate: 445

During the day these occur every few minutes. I increased the low and high values to 500 and 600 respectively, but still get the messages. We also experience periodic slow internet connections.

We have used this router in this config for over 1 year without problems; traffic through it is very small now compared to last term. I am wondering if I should upgrade this router to a 2821, or is there something in the config I can change to improve things.

part of config:

!Upstream gateway to internet
!134.x.173.1/24
!       |
!134.x.173.10/24 (fastethernet 0/0)
! THIS 2621 ROUTER/FIREWALL
!192.168.1.1/30 (fastethernet 0/1)
!       |
!192.168.1.2/30 (gi0/0/1)
! LAYER3 3750 SWITCH routing enabled
!   | vlan2            | vlan3            | vlan4
!   134.x.176.1/23     134.x.178.1/24     134.x7.179.1/24
!
!
version 12.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname maegateway
!
boot system flash:1:aaa1328.bin
logging buffered 16000 debugging
logging console critical
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
enable secret 5 xxxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxxxxx
!
username xxxxxxx password 7 xxxxxxxxxxx
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
no ip source-route
!
!
ip domain-name mae.carleton.ca
ip name-server 134.x.1.1
!
no ip bootp server
ip inspect max-incomplete low 500
ip inspect max-incomplete high 600
ip inspect one-minute low 500
ip inspect one-minute high 600
ip inspect dns-timeout 15
ip inspect tcp idle-time 300
ip inspect name FW-RULE udp
ip inspect name FW-RULE ftp
ip inspect name FW-RULE h323
ip inspect name FW-RULE realaudio
ip inspect name FW-RULE smtp
ip inspect name FW-RULE streamworks
ip inspect name FW-RULE vdolive
ip inspect name FW-RULE tftp
ip inspect name FW-RULE tcp
! ip inspect audit-trail
! ip inspect name FW-RULE fragment maximum 256 timeout 1
ip audit notify log
ip audit po max-events 100
ip audit smtp spam 100
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2002 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit name MY-AUDIT info action alarm
ip audit name MY-AUDIT attack action alarm drop reset
ip ssh time-out 120
ip ssh authentication-retries 3
call rsvp-sync
!
!
interface FastEthernet0/0
 ip address 134.x.x.10 255.255.255.0
 ip access-group 101 in
 ip helper-address 134.x.176.14
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mask-reply
 ip accounting access-violations
 ! not sure about this yet
 ! ip multicast boundary 30
 ! ip inspect FW-RULE out
 ! ip audit MY-AUDIT in
 speed 100
 full-duplex
 no cdp enable
!
!
interface FastEthernet0/1
 ip address 198.168.1.1 255.255.255.252
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mask-reply
 ip accounting access-violations
 ip inspect FW-RULE in
 ! not sure about this yet
 ! ip multicast boundary 30
 duplex auto
 speed auto
 no cdp enable
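Before changing watermarks or hardware, it helps to know how often the router actually enters and leaves aggressive mode, how long each episode lasts, and which of the two counters (half-open session count vs. one-minute new-connection rate) is crossing its high watermark. The following script is an added example, not code from the original post or from Cisco: it parses %FW-4-ALERT_ON / %FW-4-ALERT_OFF lines in the syslog format shown above, pulls the `ip inspect max-incomplete` / `ip inspect one-minute` watermarks out of the running config, and reports which watermark each message reflects. The two log lines from the post are used as sample input together with three constructed lines in the same format; the year is a placeholder because IOS syslog lines carry none, and the reasoning about which counter triggers ALERT_ON follows the CBAC documentation for these thresholds.

```python
import re
from datetime import datetime

# Sample input: the two alert lines quoted in the post, plus three CONSTRUCTED
# lines in the same format (a second ON/OFF cycle driven by the half-open
# count rather than the rate, and an unrelated SYS message that must be ignored).
SAMPLE_LOG = [
    "Jul 18 06:12:16 maegateway.mae.carleton.ca 952034: .Jul 18 10:12:16.019 UTC: "
    "%FW-4-ALERT_ON: getting aggressive, count (12/600) current 1-min rate: 601",
    "Jul 18 06:12:51 maegateway.mae.carleton.ca 952055: .Jul 18 10:12:50.611 UTC: "
    "%FW-4-ALERT_OFF: calming down, count (0/500) current 1-min rate: 445",
    "Jul 18 06:15:02 maegateway.mae.carleton.ca 952101: .Jul 18 10:15:02.330 UTC: "
    "%FW-4-ALERT_ON: getting aggressive, count (640/600) current 1-min rate: 310",
    "Jul 18 06:16:40 maegateway.mae.carleton.ca 952140: .Jul 18 10:16:40.012 UTC: "
    "%FW-4-ALERT_OFF: calming down, count (120/500) current 1-min rate: 250",
    "Jul 18 06:17:00 maegateway.mae.carleton.ca 952150: .Jul 18 10:17:00.001 UTC: "
    "%SYS-5-CONFIG_I: Configured from console by vty0",
]

# The CBAC threshold lines from the poster's configuration.
SAMPLE_CONFIG = """\
ip inspect max-incomplete low 500
ip inspect max-incomplete high 600
ip inspect one-minute low 500
ip inspect one-minute high 600
ip inspect dns-timeout 15
"""

# Matches the IOS-generated part of the line: the router's own UTC timestamp
# (the leading "." is an IOS clock-status marker), the mnemonic, the half-open
# count with the watermark it was compared against, and the one-minute rate.
ALERT_RE = re.compile(
    r"[.*]?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\.\d{3} UTC: "
    r"%FW-4-(?P<state>ALERT_ON|ALERT_OFF): .*?"
    r"count \((?P<count>\d+)/(?P<count_thr>\d+)\) current 1-min rate: (?P<rate>\d+)"
)

THRESHOLD_RE = re.compile(
    r"^\s*ip inspect (?P<kind>max-incomplete|one-minute) (?P<bound>low|high) (?P<val>\d+)\s*$",
    re.MULTILINE,
)


def parse_alert(line, year=2000):
    """Return a dict for an ALERT_ON/ALERT_OFF line, or None for any other line.
    `year` is a placeholder: syslog timestamps carry no year."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "state": m["state"], "count": int(m["count"]),
            "count_threshold": int(m["count_thr"]), "rate": int(m["rate"])}


def parse_thresholds(config_text):
    """Read the configured watermarks; IOS defaults (high 500 / low 400) fill any gap."""
    thr = {"max-incomplete": {"low": 400, "high": 500},
           "one-minute": {"low": 400, "high": 500}}
    for m in THRESHOLD_RE.finditer(config_text):
        thr[m["kind"]][m["bound"]] = int(m["val"])
    return thr


def explain(event, thr):
    """Name the watermark(s) a message reflects. CBAC starts deleting half-open
    sessions when either the half-open count or the one-minute rate exceeds its
    high watermark and stops once it has fallen below its low watermark."""
    if event["state"] == "ALERT_ON":
        reasons = []
        if event["rate"] > thr["one-minute"]["high"]:
            reasons.append(f"one-minute rate {event['rate']} exceeds one-minute high {thr['one-minute']['high']}")
        if event["count"] > thr["max-incomplete"]["high"]:
            reasons.append(f"half-open count {event['count']} exceeds max-incomplete high {thr['max-incomplete']['high']}")
        # No reason found usually means the thresholds were changed after the line was logged.
        return reasons or ["neither counter exceeds its configured high watermark"]
    return [f"rate {event['rate']} and half-open count {event['count']} are below the low watermarks "
            f"{thr['one-minute']['low']}/{thr['max-incomplete']['low']}"]


def aggressive_periods(events):
    """Pair each ALERT_ON with the next ALERT_OFF; returns (start, end, seconds) tuples."""
    periods, start = [], None
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["state"] == "ALERT_ON" and start is None:
            start = ev["ts"]
        elif ev["state"] == "ALERT_OFF" and start is not None:
            periods.append((start, ev["ts"], (ev["ts"] - start).total_seconds()))
            start = None
    return periods


def summarize(log_lines, config_text):
    thr = parse_thresholds(config_text)
    events = [e for e in map(parse_alert, log_lines) if e]
    return {"events": len(events),
            "durations": [d for _, _, d in aggressive_periods(events)],
            "reasons": [explain(e, thr) for e in events]}


if __name__ == "__main__":
    for key, val in summarize(SAMPLE_LOG, SAMPLE_CONFIG).items():
        print(key, val)
```

Run it against a buffered log export (`show logging`) and the output of `show running-config | include ip inspect`; the `count (N/M)` field also lets you confirm that a threshold change actually took effect, because M is the watermark the router used when it logged the line. Feeding the much higher values suggested later in the thread to `parse_thresholds` will change the `reasons` output accordingly.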

3 Replies

carlst
Level 1

I have just been reading your case, and I'm seeing the same issues with periodic slow internet connections during the business day. After hours, when not a lot of traffic is going via this firewall router, connection to the internet seems to be fine.

I'm using a 7206 VXR IOS 12.3(16) with a G1. I'm also seeing the same %FW-4-ALERT_ON: getting aggressive in the logs.

I don't think upgrading your router to a 2811 will solve your problem.

What version of IOS are you running?

I currently have a TAC case open, but they haven't come back with anything yet.

C2600 Software (C2600-IK9O3S-M), Version 12.2(6)

I see that others solved this by increasing the high and low values, but I don't think my router has enough memory to go much higher and I can't add any more memory. That's why I thought a 2821 would solve it.

unicmd
Level 1

Try to use these settings:

---
ip inspect max-incomplete high 5000
ip inspect one-minute high 20000
ip inspect dns-timeout 10
ip inspect tcp idle-time 36000
ip inspect tcp finwait-time 3
ip inspect tcp synwait-time 15
ip inspect tcp max-incomplete host 200 block-time 0
---

We use that when these fw alerts keep coming.

Martin

DK
