Core issue
A router becomes aggressive when it has more half-open sessions than allowed. By default, the maximum number of half-open sessions (the max-incomplete high value) is 500. Once the count exceeds that number, the router enters aggressive mode and deletes half-open sessions (see the commands below) until the count drops to the max-incomplete low (or calm-down) value, which is 400 by default.
Resolution
As a workaround, increase the max-incomplete high and low values to resolve the issue.
These are the related commands:
- ip inspect max-incomplete high: specifies the number of existing half-open sessions that, when exceeded, causes the software to start deleting half-open sessions.
- ip inspect max-incomplete low: specifies the number of existing half-open sessions at which the software stops deleting half-open sessions.
In order to calculate the high and low values, multiply the number of local hosts by 10; the result is the max-incomplete high value (XXX). The max-incomplete low value (YYY) is 20 percent below the high value.
For example, if there are 100 local hosts, these commands show the suggested settings for high and low:
Router(config)#ip inspect max-incomplete high 1000
Router(config)#ip inspect max-incomplete low 800
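As an added example (not part of the original article or Cisco's tooling), the following Python applies the sizing rule above, renders the two IOS commands, and reads the half-open count and configured high value out of a %FW-4-ALERT_ON syslog line so the two can be compared. The sample log line is constructed, and the layout of the message body after the mnemonic is an assumption, not taken from the article.

```python
import re

# Values stated in the article: default high 500, low 400 (20 percent below high),
# recommended high = local hosts * 10.
HOST_MULTIPLIER = 10
LOW_RATIO = 0.8


def recommend_thresholds(local_hosts):
    """Return (high, low) for the given host count using the article's rule."""
    if local_hosts < 1:
        raise ValueError("local_hosts must be a positive integer")
    high = local_hosts * HOST_MULTIPLIER
    low = int(high * LOW_RATIO)  # 20 percent below the high value
    return high, low


def render_config(high, low):
    """Emit the two IOS global-config commands; low must stay below high."""
    if low >= high:
        raise ValueError("max-incomplete low must be below max-incomplete high")
    return [f"ip inspect max-incomplete high {high}",
            f"ip inspect max-incomplete low {low}"]


# Assumed body layout for the alert (not given in the article):
#   %FW-4-ALERT_ON: getting aggressive, count (<half-open>/<high>) current 1-min rate: <n>
ALERT_RE = re.compile(
    r"%FW-4-ALERT_ON: getting aggressive, count \((\d+)/(\d+)\) current 1-min rate: (\d+)")


def parse_alert(line):
    """Extract half-open count, configured high value and 1-minute rate, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"half_open": int(m.group(1)), "high": int(m.group(2)), "rate": int(m.group(3))}


def threshold_is_undersized(alert, local_hosts):
    """True when the high value the router alerted on is below the host-based recommendation."""
    rec_high, _ = recommend_thresholds(local_hosts)
    return alert["high"] < rec_high


# Constructed sample line: default high of 500 exceeded by one session.
SAMPLE_LOG = ("Mar  1 00:00:00.000: %FW-4-ALERT_ON: getting aggressive, "
              "count (501/500) current 1-min rate: 9")

if __name__ == "__main__":
    alert = parse_alert(SAMPLE_LOG)
    print(alert, "undersized for 100 hosts:", threshold_is_undersized(alert, 100))
    print("\n".join(render_config(*recommend_thresholds(100))))
```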
Problem Type
Troubleshoot software feature
Product Family
Routers
Error
%FW-4-ALERT_ON
Cisco IOS Software Version
12.3
VPN Tunnel End Points
Any end point
Router
VPN Protocols
IPSec