If you are using version 5.0, then follow the steps below. If you are using version 4.1, skip to step 6. Version 5.0 has additional logging capability that version 4.1 doesn't, so the information in 4.1 won't be as detailed.
1) "configure terminal"
2) "service network-access"
3) "show settings"
4) Look for the "log-all-block-events-and-errors" parameter and ensure it is set to "true". If it is set to "false" then change it to "true".
5) Exit all the way back out to exec mode (apply your changes if necessary).
6) Execute "show events" on the sensor CLI.
7) Connect to IDM as user "cisco"
8) Go to Monitoring / Active Host Blocks
9) Click "Add"
10) Add in the IP Address of a non-existent machine (like 126.96.36.199 for example), and click Apply to start shunning that IP.
11) Now go back to the CLI and check the output of "show events" from step 6.
You need to look for any status or error messages from network-access-controller or nac.
You should at least see a status message for the IP Address you manually added.
Immediately after that you should see an additional status or error message for each device being managed.
If the shun is not properly applied then there should be something in the message telling you why.
(Version 4.x doesn't have as good error reporting. If the above doesn't work, try going through IDM and "disabling" shunning and then "re-enabling" shunning. This should cause the sensor to try to reconnect to the router and will hopefully provide some additional error messages.)
3) Router not configured to allow access. To test this, create a "service" account on the sensor. Log in as the "service" account and then from that sensor account try to connect to the router using the same methods as you configured in the sensor.
4) Wrong interface configuration. For routers, you need to ensure that the interface you entered in the sensor configuration matches exactly what is seen on the router when doing a "show conf". Some users have tried abbreviations for the interfaces, and some routers don't like the abbreviations.
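The post says to read through "show events" for status or error messages from nac after the manual block. On a busy sensor that output is long, so below is an added example (not from the original post or from Cisco) that filters a saved copy of the dump down to just the nac status and error messages, in the order the sensor logged them. The record layout it parses (a header line such as "evStatus: eventId=... vendor=Cisco" followed by indented "key: value" lines) is an assumed approximation of the 5.x "show events" format, and the sample events and their message text are constructed for the example; adjust the two regexes if your sensor prints something different.

```python
"""Filter a Cisco IPS 'show events' dump down to nac (blocking) status/error messages.

Added example, not from the original post.  The record layout below is an
ASSUMED approximation of the 5.x 'show events' output: a header line such as
'evStatus: eventId=... vendor=Cisco' followed by indented 'key: value' lines.
Adapt HEADER_RE / FIELD_RE if your sensor prints something different.
"""
import re
from typing import Dict, List

HEADER_RE = re.compile(r"^(ev\w+):\s*(.*)$")   # e.g. "evError: eventId=... severity=error"
FIELD_RE = re.compile(r"^\s+(\w+):\s*(.*)$")    # e.g. "    appName: nac"

# Application names under which blocking events are reported (assumed; the
# post says to look for "nac" or "network-access-controller").
NAC_APPS = {"nac", "network-access-controller"}

# Constructed sample: the manual block of a non-existent host, one status
# message from a device that accepted it, one error from a device that did
# not, and an unrelated event from another application that must be ignored.
SAMPLE = """\
evStatus: eventId=1105470020893060001 vendor=Cisco
  originator:
    hostId: sensor
    appName: nac
    appInstanceId: 2032
  time: 2005/01/11 21:08:44 2005/01/11 21:08:44 UTC
  statusMessage: Block of 192.0.2.99 requested by cisco
evStatus: eventId=1105470020893060002 vendor=Cisco
  originator:
    hostId: sensor
    appName: nac
    appInstanceId: 2032
  time: 2005/01/11 21:08:45 2005/01/11 21:08:45 UTC
  statusMessage: Block of 192.0.2.99 applied on device 198.51.100.1
evError: eventId=1105470020893060003 severity=error vendor=Cisco
  originator:
    hostId: sensor
    appName: nac
    appInstanceId: 2032
  time: 2005/01/11 21:08:46 2005/01/11 21:08:46 UTC
  errorMessage: name=errWarning Unable to connect to device 198.51.100.2: telnet connection refused
evStatus: eventId=1105470020893060004 vendor=Cisco
  originator:
    hostId: sensor
    appName: mainApp
    appInstanceId: 1003
  time: 2005/01/11 21:09:00 2005/01/11 21:09:00 UTC
  statusMessage: Configuration applied
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split the dump into records.  Each record is a flat dict of its leaf
    fields plus 'type' (evStatus, evError, ...) and 'header' (the rest of
    the header line, e.g. the eventId and severity)."""
    events: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"type": m.group(1), "header": m.group(2)}
            events.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None and m.group(2):
            # Container lines such as "originator:" have an empty value and
            # are skipped, so nested leaf keys (appName, hostId) land in the
            # flat dict.  A value may itself contain ':' (times, messages);
            # the key regex stops at the first ':' so that is preserved.
            current[m.group(1)] = m.group(2)
    return events


def nac_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only events reported by the blocking application."""
    return [e for e in events if e.get("appName") in NAC_APPS]


def summarize(text: str) -> Dict[str, List[str]]:
    """Return nac status and error messages in the order the sensor logged them."""
    status: List[str] = []
    errors: List[str] = []
    for e in nac_events(parse_events(text)):
        if e["type"] == "evError":
            errors.append(e.get("errorMessage", e["header"]))
        elif e["type"] == "evStatus":
            status.append(e.get("statusMessage", e["header"]))
    return {"status": status, "errors": errors}


if __name__ == "__main__":
    result = summarize(SAMPLE)
    if not result["status"] and not result["errors"]:
        # Nothing from nac at all: re-check log-all-block-events-and-errors.
        print("no nac events found")
    for msg in result["status"]:
        print("STATUS", msg)
    for msg in result["errors"]:
        print("ERROR ", msg)
```

Run it against a file by replacing SAMPLE with the saved "show events" output. You should see one status line for the address you added by hand, then one status or error line per managed device; a device with an error line is the one whose connection or interface configuration to check under points 3) and 4) above, and no nac lines at all points back to the logging parameter in step 4.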