Всем привет.
Есть сеть. На фронтенде стоит ISR 3825 (C3825-ADVIPSERVICESK9-M), Version 12.4(23), RELEASE SOFTWARE (fc1). На ней настроен CBAC. ACL большие приводить не буду.
Настройки ip inspect такие:
router#sh ip inspect conf
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [4000 : 5000] connections
max-incomplete sessions thresholds are [4000 : 5000]
max-incomplete tcp connections per host is 500. Block-time 1 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 1800 sec -- udp idle-time is 30 sec
dns-timeout is 20 sec
Inspection Rule Configuration
Inspection name Standart
    tcp alert is on audit-trail is off timeout 1800
    icmp alert is on audit-trail is off timeout 10
    udp alert is on audit-trail is off timeout 30
Inspection name DMZ
    tcp alert is on audit-trail is off timeout 1800
    udp alert is on audit-trail is off timeout 30
    icmp alert is on audit-trail is off timeout 10
----
router#sh ip inspect statistics
Packet inspection statistics [process switch:fast switch]
  tcp packets: [196648142:3737246967]
  udp packets: [2995756:959738358]
   packets: [345046:155409]
Interfaces configured for inspection 3
Session creations since subsystem startup or last reset 167687253
Current session counts (estab/half-open/terminating) [2173:30:1]
Maxever session counts (estab/half-open/terminating) [6513:523:244]
Last session created 00:00:00
Last statistic reset 20w3d
Last session creation rate 1996
Maxever session creation rate 13272
Last half-open session total 30
----
Меня пугает несоответствие half-open = 30 и Last session creation rate 1996
Если уменьшаю значения max-incomplete sessions, то роутер начинает дропить коннекты.
Почему такая большая скорость создание новых сессий при небольшом количестве полуоткрытых?
Это прочитал http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps...
ответа не нашёл, только ещё больше вопросов...