07-18-2006 05:10 AM - edited 03-09-2019 03:37 PM
I am using a Cisco 2621 with the FW feature set as a firewall between our department network and the university backbone.
Around the end of May there was a change in the campus backbone that put a number of VLANs into a flat network, resulting in a large increase of the following messages:
Jul 18 06:12:16 maegateway.mae.carleton.ca 952034: .Jul 18 10:12:16.019 UTC: %FW-4-ALERT_ON: getting aggressive, count (12/600) current 1-min rate: 601
Jul 18 06:12:51 maegateway.mae.carleton.ca 952055: .Jul 18 10:12:50.611 UTC: %FW-4-ALERT_OFF: calming down, count (0/500) current 1-min rate: 445
During the day these occur every few minutes. I increased the low and high values to 500 and 600 respectively, but still get the messages. We also experience periodic slow internet connections.
We have used this router in this config for over 1 year without problems; traffic through it is very small now compared to last term. I am wondering if I should upgrade this router to a 2821, or is there something in the config I can change to improve things?
Part of the config:
!Upstream gateway to internet
!134.x.173.1/24
! |
!134.x.173.10/24 (fastethernet 0/0)
! THIS 2621 ROUTER/FIREWALL
!192.168.1.1/30 (fastethernet 0/1)
! |
!192.168.1.2/30 (gi0/0/1)
! LAYER3 3750 SWITCH routing enabled
! | vlan2 | vlan3 | vlan4
! 134.x.176.1/23 134.x.178.1/24 134.x.179.1/24
!
!
version 12.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname maegateway
!
boot system flash:1:aaa1328.bin
logging buffered 16000 debugging
logging console critical
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
enable secret 5 xxxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxxxxx
!
username xxxxxxx password 7 xxxxxxxxxxx
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
no ip source-route
!
!
ip domain-name mae.carleton.ca
ip name-server 134.x.1.1
!
no ip bootp server
ip inspect max-incomplete low 500
ip inspect max-incomplete high 600
ip inspect one-minute low 500
ip inspect one-minute high 600
ip inspect dns-timeout 15
ip inspect tcp idle-time 300
ip inspect name FW-RULE udp
ip inspect name FW-RULE ftp
ip inspect name FW-RULE h323
ip inspect name FW-RULE realaudio
ip inspect name FW-RULE smtp
ip inspect name FW-RULE streamworks
ip inspect name FW-RULE vdolive
ip inspect name FW-RULE tftp
ip inspect name FW-RULE tcp
! ip inspect audit-trail
! ip inspect name FW-RULE fragment maximum 256 timeout 1
ip audit notify log
ip audit po max-events 100
ip audit smtp spam 100
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2002 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit name MY-AUDIT info action alarm
ip audit name MY-AUDIT attack action alarm drop reset
ip ssh time-out 120
ip ssh authentication-retries 3
call rsvp-sync
!
!
interface FastEthernet0/0
ip address 134.x.x.10 255.255.255.0
ip access-group 101 in
ip helper-address 134.x.176.14
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mask-reply
ip accounting access-violations
! not sure about this yet
! ip multicast boundary 30
! ip inspect FW-RULE out
! ip audit MY-AUDIT in
speed 100
full-duplex
no cdp enable
!
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.252
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mask-reply
ip accounting access-violations
ip inspect FW-RULE in
!not sure about this yet
! ip multicast boundary 30
duplex auto
speed auto
no cdp enable
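The two alert lines quoted above are the only evidence in the post, so the first thing to measure is how much of the day the router actually spends in aggressive mode and what one-minute rates trigger it. The following Python script is an added example, not code from the thread or from Cisco: it parses %FW-4-ALERT_ON and %FW-4-ALERT_OFF lines in the syslog format shown above (the year is assumed to be 2006, since IOS timestamps omit it), pairs each ON with the next OFF into an episode, and reports episode durations and the peak rate. The sample log mixes the two lines from the post with constructed ones.

```python
import re
from datetime import datetime

# Matches the router-side timestamp and the CBAC alert fields in the syslog lines
# shown in the post. In "count (a/b)" the first number is read as the current
# half-open session count and the second as the threshold it is being compared
# against (600 and 500 here match the poster's high and low settings); the
# trailing number is the new-connection rate over the last minute.
ALERT_RE = re.compile(
    r"\.(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\.\d{3} UTC: "
    r"%FW-4-ALERT_(?P<state>ON|OFF): .*?count \((?P<half_open>\d+)/(?P<threshold>\d+)\) "
    r"current 1-min rate: (?P<rate>\d+)"
)

LOG_YEAR = 2006  # assumption: IOS timestamps carry no year; the thread is from July 2006

# Constructed sample: the two lines from the post, an unrelated message the parser
# must ignore, and a second, longer episode with two ON messages before the OFF.
SAMPLE_LOG = [
    "Jul 18 06:12:16 maegateway.mae.carleton.ca 952034: .Jul 18 10:12:16.019 UTC: %FW-4-ALERT_ON: getting aggressive, count (12/600) current 1-min rate: 601",
    "Jul 18 06:12:51 maegateway.mae.carleton.ca 952055: .Jul 18 10:12:50.611 UTC: %FW-4-ALERT_OFF: calming down, count (0/500) current 1-min rate: 445",
    "Jul 18 06:15:02 maegateway.mae.carleton.ca 952070: .Jul 18 10:15:02.100 UTC: %SYS-5-CONFIG_I: Configured from console by vty0",
    "Jul 18 06:20:00 maegateway.mae.carleton.ca 952101: .Jul 18 10:20:00.000 UTC: %FW-4-ALERT_ON: getting aggressive, count (40/600) current 1-min rate: 650",
    "Jul 18 06:21:00 maegateway.mae.carleton.ca 952120: .Jul 18 10:21:00.000 UTC: %FW-4-ALERT_ON: getting aggressive, count (75/600) current 1-min rate: 910",
    "Jul 18 06:23:30 maegateway.mae.carleton.ca 952160: .Jul 18 10:23:30.000 UTC: %FW-4-ALERT_OFF: calming down, count (3/500) current 1-min rate: 380",
]


def parse_alert(line):
    """Return the alert fields of one syslog line, or None if it is not a CBAC alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "state": m["state"], "half_open": int(m["half_open"]),
            "threshold": int(m["threshold"]), "rate": int(m["rate"])}


def aggressive_episodes(lines):
    """Pair each ALERT_ON with the following ALERT_OFF into an episode.
    Repeated ON messages extend the open episode and update its peaks."""
    episodes, current = [], None
    for line in lines:
        ev = parse_alert(line)
        if ev is None:
            continue
        if ev["state"] == "ON":
            if current is None:
                current = {"start": ev["ts"], "end": None, "seconds": None,
                           "peak_rate": ev["rate"], "peak_half_open": ev["half_open"]}
            else:
                current["peak_rate"] = max(current["peak_rate"], ev["rate"])
                current["peak_half_open"] = max(current["peak_half_open"], ev["half_open"])
        elif current is not None:  # OFF closes the open episode; a stray OFF is ignored
            current["end"] = ev["ts"]
            current["seconds"] = (ev["ts"] - current["start"]).total_seconds()
            episodes.append(current)
            current = None
    if current is not None:  # log ended while still aggressive
        episodes.append(current)
    return episodes


def summarize(lines):
    """Totals a practitioner would compare against the configured thresholds."""
    eps = aggressive_episodes(lines)
    return {
        "episodes": len(eps),
        "aggressive_seconds": sum(e["seconds"] or 0 for e in eps),
        "peak_rate": max((e["peak_rate"] for e in eps), default=0),
        "peak_half_open": max((e["peak_half_open"] for e in eps), default=0),
    }


if __name__ == "__main__":
    for e in aggressive_episodes(SAMPLE_LOG):
        print(f"{e['start']:%H:%M:%S} -> {e['end']}  {e['seconds']}s  peak rate {e['peak_rate']}")
    print(summarize(SAMPLE_LOG))
```

Feeding a full day of the router's buffered log through summarize() gives the peak one-minute rate that any new one-minute high would have to clear, and the total seconds in aggressive mode shows whether the alerts line up with the slow periods the poster describes.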
07-18-2006 10:21 AM
I have just been reading your case, and I'm seeing the same issues with periodic slow internet connections during the business day. After hours, when not a lot of traffic is going via this firewall router, the connection to the internet seems to be fine.
I'm using a 7206 VXR, IOS 12.3(16), with a G1. I'm also seeing the same %FW-4-ALERT_ON: getting aggressive in the logs.
I don't think upgrading your router to a 2811 will solve your problem.
What version of IOS are you running?
I currently have a TAC case open, but they haven't come back with anything yet.
07-18-2006 12:12 PM
C2600 Software (C2600-IK9O3S-M), Version 12.2(6)
I see that others solved this by increasing the high and low values, but I don't think my router has enough memory to go much higher and I can't add any more memory. That's why I thought a 2821 would solve it.
07-20-2006 02:19 AM
Try to use these settings:
---
ip inspect max-incomplete high 5000
ip inspect one-minute high 20000
ip inspect dns-timeout 10
ip inspect tcp idle-time 36000
ip inspect tcp finwait-time 3
ip inspect tcp synwait-time 15
ip inspect tcp max-incomplete host 200 block-time 0
---
We use that when these FW alerts keep coming.
Martin
DK
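Martin's snippet raises the one-minute high to 20000 but leaves the low threshold alone, so it helps to see how the two thresholds interact. The following Python code is an added example, not from the thread or from Cisco: it models CBAC's documented hysteresis (aggressive mode starts when the one-minute rate exceeds the high threshold and ends only when the rate falls below the low threshold) over constructed series of per-minute rates, and compares the original poster's 500/600 pair with Martin's high of 20000 combined with the IOS default low of 400.

```python
# Constructed per-minute new-connection rates for a busy stretch of the day.
BUSY_DAY = [300, 450, 620, 580, 520, 470, 430, 390, 610, 700, 560, 410, 350]
# Constructed burst: one minute far above any threshold, then a long tail
# that stays above the low threshold before dropping off.
SCAN_BURST = [25000, 3000, 3000, 3000, 350]

# Threshold pairs discussed in the thread; the 400 low for Martin's set is the
# IOS default, which his snippet does not change (assumption stated in the lead-in).
THRESHOLD_SETS = {
    "ios default (low 400 / high 500)": (400, 500),
    "original poster (low 500 / high 600)": (500, 600),
    "Martin (low 400 default / high 20000)": (400, 20000),
}


def simulate_one_minute(rates, low, high):
    """Replay a series of one-minute rates through the CBAC threshold hysteresis.
    Returns how many times ALERT_ON would fire and how many minutes the router
    would spend in aggressive mode (deleting old half-open sessions)."""
    aggressive = False
    alerts_on = 0
    minutes_aggressive = 0
    for rate in rates:
        if not aggressive and rate > high:
            aggressive = True       # %FW-4-ALERT_ON: getting aggressive
            alerts_on += 1
        elif aggressive and rate < low:
            aggressive = False      # %FW-4-ALERT_OFF: calming down
        if aggressive:
            minutes_aggressive += 1
    return {"alerts_on": alerts_on, "minutes_aggressive": minutes_aggressive}


def compare(rates):
    """Run the same rate series through every threshold set."""
    return {name: simulate_one_minute(rates, low, high)
            for name, (low, high) in THRESHOLD_SETS.items()}


if __name__ == "__main__":
    for label, series in (("busy day", BUSY_DAY), ("burst", SCAN_BURST)):
        print(label)
        for name, result in compare(series).items():
            print(f"  {name}: {result}")
```

On the busy-day series Martin's settings never trip, while the poster's 500/600 pair fires twice; on the burst series all three sets behave identically, because once tripped the router stays aggressive until the rate falls below the low threshold, so a high of 20000 with low left at 400 only changes how often aggressive mode starts, not how long it lasts.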