ASA Shunning IP

Scott Pazelt
Level 1

We have an ASA 5510 and have it set to enable Threat Detection and "Shun hosts detected by scanning threat". I attached a screenshot of the ASDM. Once a month we send out a video to our member firms and one firm will continually get shunned. It happened again yesterday (2 weeks after the video was sent out) and I checked the web server logs - it was only accessed once by this firm. I did a test from a remote location and saw the same things in the web logs yet I did not get shunned. We don't have a syslog server, but is there a way to identify why this one location gets shunned when accessing our site?

Thanks,

Scott

1 Reply

Nagaraja Thanthry
Cisco Employee

Hello,

You can use the command "show threat-detection scanning-threat target" to see which of your servers is being attacked as per the firewall. Also, you can use the command "show threat-detection statistics host" to see what kind of traffic that host was sending. That could give you a fair idea why the firewall is shunning the hosts. But typically, the firewall will classify a host as an attacker when it sees too many half-open connections for that host. So, in your case, if the remote site host tries to open a connection to your web server and tries it multiple times (sometimes it happens if they are using a proxy), then the firewall could classify that host as an attacker.

Hope this helps.

Regards,

NT
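The reply above names the two show commands but not the configuration they belong to. The following is an added example (editor's, not part of the original thread or Cisco's answer) showing the ASA threat-detection settings behind the ASDM "Shun hosts detected by scanning threat" checkbox, an exemption for a known-good remote site, local log buffering for a firewall with no syslog server, and the checks to run when a site reports being blocked. Addresses are from the RFC 5737 documentation range and the rate values are illustrative, not defaults.

```cisco
! Added example, not from the original post. Addresses and rate values are assumed.

! --- Configuration (what the ASDM checkbox turns on, plus per-host statistics) ---
threat-detection basic-threat
threat-detection scanning-threat shun
! Keep per-host statistics so "show threat-detection statistics host" has data to show
threat-detection statistics host
! Loosen the scanning trigger if legitimate clients (e.g. behind a retrying proxy)
! keep tripping it. Example values: the defaults are average-rate 5, burst-rate 10
! over a 600-second interval.
threat-detection rate scanning-threat rate-interval 600 average-rate 15 burst-rate 30
! Exempt a known-good member firm's public address from being shunned at all
threat-detection scanning-threat shun except ip-address 203.0.113.10 255.255.255.255
! Release automatic shuns after 30 minutes (default is 3600 seconds)
threat-detection scanning-threat shun duration 1800

! --- No syslog server: keep warning-level messages in the local buffer ---
logging enable
logging buffered warnings

! --- Checks to run when a remote site reports being blocked ---
show threat-detection scanning-threat attacker
show threat-detection scanning-threat target
show threat-detection statistics host 203.0.113.10
show shun
! Threat-detection messages use IDs in the 7331xx range (shun add/remove included)
show logging | include 7331
! Release the host manually once the cause is understood
clear shun 203.0.113.10
```

The "except" line is the targeted fix for one firm that is repeatedly shunned while the rest of the membership is not; raising the rate thresholds is the broader knob and should be changed only after "show threat-detection statistics host" confirms the traffic is ordinary retries rather than a scan.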
