Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
539
Views
0
Helpful
4
Replies

IPS 4240 6.1(1)E2 failing the shun command to a 7.2(4) PIX

dmchugh
Level 1
Level 1

‎06-23-2008 12:06 PM - edited ‎03-10-2019 04:09 AM

Command per the event store: "no shut (outside)" failing at keyword outside, which within the CLI, doesn't work. Keyword outside not within the command.

Labels:
0 Helpful
4 Replies 4

rhermes
Level 7
Level 7

‎06-24-2008 02:03 PM

There are a few possible causes to your problem. One may be the PIX username may not have permission to issue a shun.

To really see what is happening between the sensor and the PIX, have the sensor log into the PIX via telnet. Use Ethereal/Wireshark to capture the session on the wire and then use the "rebuild session" feature in Ethereal/Wireshark. This will show you exactly where things are going wrong.

0 Helpful

dmchugh
Level 1
Level 1
In response to rhermes

‎06-24-2008 02:18 PM

Actually found the answer by testing. Turns out, when I upgraded the IPS, there was an existing SHUN on the PIX. Once it was ugraded, it could not remove it and I believe that was the source of the errors. Only a hypothesis, but at this point, there may have been some change in method for posting and removing shuns. I removed the existing shun manually and all is now well.

0 Helpful

rhermes
Level 7
Level 7
In response to dmchugh

‎06-25-2008 08:34 AM

When you use a sensor to issue shuns on a firewall, the sensor thinks it "owns" all the shuns on the firewall, reguardless of how they were orginally entered (manually or by an IDS). When a sensor reboots (or the shun proces restarts) the sensor will attempt to clear all existing shuns on the firewall. This has caused some problems when there have been manauly entered shuns on the firewall. If you use more than one sensor, its important to make one the Master Block Sensor to prevent shun contention.

0 Helpful

stleary
Cisco Employee
Cisco Employee
In response to rhermes

‎06-25-2008 09:42 AM

This is a known bug: CSCsq22506

Until it is fixed, the workaround is:

clear all the shuns on PIX/firewall/FWSM before sensor connect/reconnect to the device.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card