Cisco Support Community
Community Member

IDS shunning - IDS can't block via Cisco Router

Hello all.

I've configured the IDS to shun with a Cisco router. I think all of the settings are fine, but the IDS can't configure the ACL on the router via telnet.

Here is the output from the IDS using sh statistics networkAccess.

If you look at the output, the state is Inactive.

Could you please let me know why the state is dropping to Inactive?



IDS# sh statistics networkAccess
Current Configuration
AllowSensorShun = false
ShunMaxEntries = 250

Type = Cisco
IP =
NATAddr =
Communications = telnet

InterfaceName = serial0/0
InterfaceDirection = in

ShunEnable = true

IP =
AclSupport = uses Named ACLs
State = Inactive <-- why???


Cisco Employee

Re: IDS shunning - IDS can't block via Cisco Router

This means the sensor had a problem either connecting to or reconfiguring the router.

What to do:

Configure network access to Disable Shunning and apply the changed config.

Now configure network access to Enable Shunning again and apply the changed config.

This will cause the network access controller to disconnect from the router and try to connect again.

Check the network access statistic and see if it is still inactive.

If it is, then execute "show events past 00:10:00" to see all events in the past 10 minutes. Find the status event where you applied the change to Enable Shunning again, and start looking at the later events. Search for error or status events that might show what errors the network access controller was running into.

Typical causes: Wrong username or password. Sensor is not able to telnet to the router because either the router is not reachable from the sensor IP, or the router does not have telnet enabled, or the router's access list prevents the sensor from connecting.

Other things you can check:

Create a service account on the sensor.

Login through the service account.

From the service account try to telnet to the router using the same username and password configured in the network access controller configuration on the sensor.

And see if you can get into the router.

You might also try running a sniffer between the router and sensor and monitor the connection. You can look for any error message coming back from the router, or at least see where in the connection the sensor is stopping.
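The "check the network access statistic" step from the reply above, automated as an added example (this is not code from the thread, the sensor, or Cisco): it parses captured show statistics networkAccess output and pairs each managed device whose State is not Active with the communications method and shun interface configured for it, which is what the operator then has to test by hand. The sample text, its indented section names (NetDevice, ShunInterface, State) and the 192.0.2.1 address are constructed assumptions, not values from the post.

```python
# Constructed sample modelled on the sensor output quoted in the thread; the
# section names (NetDevice, ShunInterface, State) and 192.0.2.1 are assumptions.
SAMPLE = """\
Current Configuration
   AllowSensorShun = false
   NetDevice
      Type = Cisco
      IP = 192.0.2.1
      Communications = telnet
      ShunInterface
         InterfaceName = serial0/0
         InterfaceDirection = in
State
   ShunEnable = true
   NetDevice
      IP = 192.0.2.1
      AclSupport = uses Named ACLs
      State = Inactive
"""

def parse_net_access(text):
    """Indented 'Key = value' output -> nested dicts; each section name maps to a list of blocks."""
    root = {}
    stack = [(-1, root)]                      # (indent, block) of the sections still open
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        while stack[-1][0] >= indent:         # a shallower line closes the deeper sections
            stack.pop()
        block = stack[-1][1]
        key, sep, value = line.strip().partition("=")
        if sep:
            block[key.strip()] = value.strip()   # a redacted 'IP =' yields an empty string
        else:                                    # a bare word opens a new (repeatable) section
            child = {}
            block.setdefault(key.strip(), []).append(child)
            stack.append((indent, child))
    return root

def inactive_devices(text):
    """Pair each non-Active NetDevice in State with the connection details configured for it."""
    tree = parse_net_access(text)
    configured = {d.get("IP", ""): d for d in tree["Current Configuration"][0].get("NetDevice", [])}
    findings = []
    for dev in tree["State"][0].get("NetDevice", []):
        if dev.get("State") == "Active":
            continue
        conf = configured.get(dev.get("IP", ""), {})
        findings.append({"ip": dev.get("IP", ""), "state": dev.get("State", ""),
                         "comms": conf.get("Communications", "unknown"),
                         "interface": conf.get("ShunInterface", [{}])[0].get("InterfaceName", "")})
    return findings
```

Feed it the real output (with the device IP present) and the returned entry tells you which router, over which protocol, the service-account telnet test in the reply should target.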
