06-23-2011 01:16 AM - edited 03-07-2019 12:56 AM
We sometimes have problems where our internet access is very slow. I have checked the log of the router and I see the following errors:
574859: Jun 22 08:53:39.112 CETDST: %FW-4-ALERT_ON: getting aggressive, count (23/500) current 1-min rate: 501
574861: Jun 22 08:55:03.793 CETDST: %FW-4-ALERT_OFF: calming down, count (2/400) current 1-min rate: 365
574862: Jun 22 08:55:56.484 CETDST: %FW-4-ALERT_ON: getting aggressive, count (24/500) current 1-min rate: 1001
574863: Jun 22 08:57:06.690 CETDST: %FW-4-ALERT_OFF: calming down, count (2/400) current 1-min rate: 214
574905: Jun 22 10:05:03.863 CETDST: %FW-4-ALERT_ON: getting aggressive, count (19/500) current 1-min rate: 501
574926: Jun 22 10:06:02.480 CETDST: %FW-4-ALERT_OFF: calming down, count (1/400) current 1-min rate: 375
574927: Jun 22 10:06:05.448 CETDST: %FW-4-ALERT_ON: getting aggressive, count (34/500) current 1-min rate: 501
575373: Jun 22 10:16:47.879 CETDST: %FW-4-ALERT_OFF: calming down, count (3/400) current 1-min rate: 399
575374: Jun 22 10:16:53.783 CETDST: %FW-4-ALERT_ON: getting aggressive, count (4/500) current 1-min rate: 501
575494: Jun 22 12:32:11.592 CETDST: %FW-4-ALERT_ON: getting aggressive, count (5/500) current 1-min rate: 501
575513: Jun 22 12:33:02.945 CETDST: %FW-4-ALERT_OFF: calming down, count (2/400) current 1-min rate: 321
575534: Jun 22 13:06:03.011 CETDST: %FW-4-ALERT_ON: getting aggressive, count (22/500) current 1-min rate: 501
575570: Jun 22 13:07:07.292 CETDST: %FW-4-ALERT_OFF: calming down, count (3/400) current 1-min rate: 390
575571: Jun 22 13:07:09.208 CETDST: %FW-4-ALERT_ON: getting aggressive, count (14/500) current 1-min rate: 501
575694: Jun 22 13:09:56.310 CETDST: %FW-4-ALERT_OFF: calming down, count (2/400) current 1-min rate: 399
575696: Jun 22 13:09:59.250 CETDST: %FW-4-ALERT_ON: getting aggressive, count (13/500) current 1-min rate: 501
576106: Jun 22 13:18:23.437 CETDST: %FW-4-ALERT_OFF: calming down, count (2/400) current 1-min rate: 337
576192: Jun 22 14:41:52.099 CETDST: %FW-4-ALERT_ON: getting aggressive, count (3/500) current 1-min rate: 501
576196: Jun 22 14:42:08.316 CETDST: %FW-4-ALERT_OFF: calming down, count (3/400) current 1-min rate: 328
576481: Jun 22 22:19:23.756 CETDST: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to up
576519: Jun 22 23:35:59.240 CETDST: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to down
577547: Jun 23 08:25:31.407 CETDST: %FW-4-ALERT_ON: getting aggressive, count (20/500) current 1-min rate: 501
577571: Jun 23 08:26:19.304 CETDST: %FW-4-ALERT_OFF: calming down, count (3/400) current 1-min rate: 372
577572: Jun 23 08:26:22.144 CETDST: %FW-4-ALERT_ON: getting aggressive, count (14/500) current 1-min rate: 501
577831: Jun 23 08:32:22.065 CETDST: %FW-3-RESPONDER_WND_SCALE_INI_NO_SCALE: Dropping packet - Invalid Window Scale option for session 192.168.10.134:49279 to 95.101.248.124:80 (Initiator scale 0 Responder scale 5)
578082: Jun 23 08:37:35.425 CETDST: %FW-4-ALERT_OFF: calming down, count (2/400) current 1-min rate: 397
578083: Jun 23 08:37:41.829 CETDST: %FW-4-ALERT_ON: getting aggressive, count (4/500) current 1-min rate: 501
578107: Jun 23 08:47:17.844 CETDST: %FW-4-ALERT_ON: getting aggressive, count (3/500) current 1-min rate: 501
578111: Jun 23 08:47:35.161 CETDST: %FW-4-ALERT_OFF: calming down, count (2/400) current 1-min rate: 396
578113: Jun 23 08:50:19.919 CETDST: %FW-4-ALERT_ON: getting aggressive, count (7/500) current 1-min rate: 501
578115: Jun 23 08:50:24.219 CETDST: %FW-4-ALERT_OFF: calming down, count (1/400) current 1-min rate: 367
The errors may indicate a possible attack (DDoS attack). I have no experience with this, but is there something I can do, or must our service provider do something?
Here is my configuration:
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router00
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
logging console critical
enable secret 5 ***********
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default group radius local
aaa authorization console
aaa authorization exec default local
aaa authorization network default group radius local
!
aaa session-id common
!
resource policy
!
clock timezone CETDST 1
clock summer-time CETDST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
ip cef
!
!
ip domain name ***********.local
ip name-server 213.75.63.36
ip name-server 213.75.63.70
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
ip inspect name PACKETFILTER cuseeme
ip inspect name PACKETFILTER ftp
ip inspect name PACKETFILTER h323
ip inspect name PACKETFILTER netshow
ip inspect name PACKETFILTER rcmd
ip inspect name PACKETFILTER realaudio
ip inspect name PACKETFILTER rtsp
ip inspect name PACKETFILTER smtp
ip inspect name PACKETFILTER sqlnet
ip inspect name PACKETFILTER streamworks
ip inspect name PACKETFILTER tftp
ip inspect name PACKETFILTER tcp
ip inspect name PACKETFILTER udp
ip inspect name PACKETFILTER vdolive
ip inspect name PACKETFILTER icmp
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
username *********** privilege 15 secret 5 ***********
archive
log config
hidekeys
!
!
policy-map pppoe_out_default_shaper
class class-default
shape average 9400000
!
!
!
!
!
!
interface FastEthernet0
description Link to EVPN CPE
no ip address
ip nat outside
ip inspect PACKETFILTER out
ip virtual-reassembly
load-interval 30
speed 100
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
service-policy output pppoe_out_default_shaper
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 2
!
interface FastEthernet4
shutdown
!
interface FastEthernet5
shutdown
!
interface FastEthernet6
shutdown
!
interface FastEthernet7
shutdown
!
interface FastEthernet8
shutdown
!
interface FastEthernet9
shutdown
!
interface Virtual-Template1
ip unnumbered Vlan1
peer default ip address pool VPN_IPpool
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
description LAN
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface Vlan2
description LAN
ip address 192.168.2.5 255.255.255.0
ip helper-address 192.168.10.2
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface Async1
no ip address
encapsulation slip
!
interface Dialer1
description Customer Traffic PPPoE Connection
mtu 1492
ip address *********** ***********
ip access-group outside_access_in in
ip verify unicast reverse-path
ip nat outside
ip inspect PACKETFILTER out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp pap sent-username *********** password 7 ***********
ppp ipcp mask request
ppp ipcp address accept
!
ip local pool VPN_IPpool 192.168.10.190 192.168.10.199
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source static tcp 192.168.10.2 *** *********** *** extendable
ip nat inside source static tcp 192.168.10.4 *** *********** *** extendable
ip nat inside source static tcp 192.168.10.4 *** *********** *** extendable
ip nat inside source static tcp 192.168.10.210 *** *********** *** extendable
ip nat inside source static tcp 192.168.10.4 *** *********** *** extendable
ip nat inside source static tcp 192.168.10.210 *** *********** *** extendable
ip nat inside source static tcp 192.168.10.4 *** *********** *** extendable
ip nat inside source static tcp 192.168.10.4 *** *********** *** extendable
ip nat inside source static tcp 192.168.10.2 *** *********** *** extendable
!
ip access-list extended inside_access_in
permit tcp host 192.168.10.2 any eq smtp
deny tcp any any eq smtp
permit ip any any
ip access-list extended outside_access_in
deny ip host *********** any
deny ip host *********** any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip any host 255.255.255.255
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit ahp any any
permit gre any any
permit tcp any any eq ***
permit tcp any any eq ***
permit tcp any any eq ***
permit tcp any any eq ***
permit tcp any any eq ***
permit tcp any any eq ***
permit tcp any any eq ***
permit tcp any any eq ***
permit tcp any any eq ***
permit tcp any any eq ***
permit tcp any any eq ***
permit udp any any eq ***
permit udp any any eq ***
permit icmp any any unreachable
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any traceroute
permit icmp any any administratively-prohibited
permit icmp any any echo
deny ip any any log
!
logging trap debugging
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
access-list 105 permit ip 192.168.10.0 0.0.0.255 any
!
!
!
route-map nonat permit 10
match ip address 105
!
!
!
radius-server host 192.168.10.2 auth-port 1645 acct-port 1646
radius-server key 7 ***********
!
control-plane
!
!
line con 0
exec-timeout 15 0
transport output all
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
exec-timeout 15 0
transport output all
line vty 0 4
exec-timeout 15 0
privilege level 15
logging synchronous
transport input ssh
transport output all
!
scheduler max-task-time 5000
ntp clock-period 17180093
ntp server 91.198.174.204
ntp server 195.43.138.169
ntp server 145.24.129.5
ntp server 91.198.174.197
ntp server 85.234.224.216
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
06-29-2011 03:55 PM
Hi Martijn,
If this happens a lot, my guess is that it is not a DoS attack but just the box running out of resources. You can try to increase the "ip inspect max-incomplete" values to allow more half-open sessions to see if that improves performance.
See also https://supportforums.cisco.com/docs/DOC-1939
Hope it helps
Peter
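An added example, not part of either post: a Python script that pairs the %FW-4-ALERT_ON / %FW-4-ALERT_OFF lines from the log in the question into episodes and reports which of the two values in each message was over its limit. The half-open limit is read from the message itself (the number after the slash); the one-minute rate limit is not printed in the message, so `one_minute_high=500` is an assumption, as are the function names and the year 2011 (taken from the post date).

```python
import re
from datetime import datetime

# Excerpt of the router log from the question; the year is not logged.
SAMPLE = """\
574859: Jun 22 08:53:39.112 CETDST: %FW-4-ALERT_ON: getting aggressive, count (23/500) current 1-min rate: 501
574861: Jun 22 08:55:03.793 CETDST: %FW-4-ALERT_OFF: calming down, count (2/400) current 1-min rate: 365
574862: Jun 22 08:55:56.484 CETDST: %FW-4-ALERT_ON: getting aggressive, count (24/500) current 1-min rate: 1001
574863: Jun 22 08:57:06.690 CETDST: %FW-4-ALERT_OFF: calming down, count (2/400) current 1-min rate: 214
575374: Jun 22 10:16:53.783 CETDST: %FW-4-ALERT_ON: getting aggressive, count (4/500) current 1-min rate: 501
575494: Jun 22 12:32:11.592 CETDST: %FW-4-ALERT_ON: getting aggressive, count (5/500) current 1-min rate: 501
575513: Jun 22 12:33:02.945 CETDST: %FW-4-ALERT_OFF: calming down, count (2/400) current 1-min rate: 321
"""

PAT = re.compile(
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) \S+: %FW-4-ALERT_(?P<kind>ON|OFF): "
    r".*?count \((?P<count>\d+)/(?P<limit>\d+)\) current 1-min rate: (?P<rate>\d+)")

def parse(text, year=2011):
    """Return (timestamp, kind, half_open, limit, rate) for each ALERT_ON/OFF line."""
    events = []
    for line in text.splitlines():
        m = PAT.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
            events.append((ts, m["kind"], int(m["count"]), int(m["limit"]), int(m["rate"])))
    return events

def episodes(events, one_minute_high=500):
    """Pair ON/OFF events; one_minute_high is an assumed value, not read from the log."""
    out, cur = [], None
    for ts, kind, count, limit, rate in events:
        if kind == "ON":
            if cur:  # earlier ON without a logged OFF: duration unknown
                out.append({**cur, "seconds": None})
            trigger = [name for name, hit in (("max-incomplete", count > limit),
                                              ("one-minute", rate > one_minute_high)) if hit]
            cur = {"start": ts, "half_open": count, "rate": rate, "trigger": trigger}
        elif cur:
            out.append({**cur, "seconds": (ts - cur["start"]).total_seconds()})
            cur = None
    if cur:
        out.append({**cur, "seconds": None})
    return out

if __name__ == "__main__":
    for e in episodes(parse(SAMPLE)):
        print(e["start"], e["trigger"], f"half-open={e['half_open']}", f"rate={e['rate']}", e["seconds"])
```

On this excerpt, and with the assumed rate limit, every episode is attributed to the one-minute rate while the half-open count stays far below the limit printed next to it.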