Re: PIX Shuns entire host when "Shun Connection" selected.
The Pix and the IDS are both functioning properly.
What users may not understand is that the Pix ONLY supports Shun Host and does not support Shun Connection.
The connection information you see is not used by the Pix to shun that single connection.
Instead the Pix will always shun all packets from the source IP address whether or not the additional information is added.
The additional connection information is just to help the Pix remove the current connection from its connection table.
If the connection were not removed from the connection table, then technically the Pix still thinks the connection is active (Note: the packets from the source address are shunned so no packets are going through, but the Pix still sees the connection as active).
It would be technically possible that the user could continue the connection after the shun times out (especially when shun times are short like just a minute or 2).
So the extra information is not making it a Connection Shun; instead it is still just a Host Shun for the source IP address that in addition ensures that the connection is removed from the Pix's connection table.
This was implemented as part of the Pix shun command before the IDS began supporting connection shuns. So the IDS is limited to what the Pix supports.
This is somewhat explained in the documentation for the shun command on the Pix:
So shunning a single connection on the Pix is not currently supported. You could try contacting the TAC and ask for an enhancement request to the Pix to support single connection shunning and then a second enhancement request for the IDS sensor to support the corresponding change to the Pix.
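The behaviour the reply describes, as an added example that is not part of the original post and not Cisco code: a small Python model of a stateful firewall with a connection table and a host shun table. The class and method names, the sample addresses and the simplified one-second clock are all assumptions made for the illustration. It shows that the shun is keyed on the source IP whether or not connection details are given, that the connection 5-tuple only removes the matching entry from the connection table, and what that means once the shun expires.

```python
"""Model of the PIX shun semantics described in the reply above.
Added example, not Cisco code. The shun is always keyed on the source IP;
the optional connection 5-tuple only drops that entry from the connection
table. Names, sample addresses and timing are assumptions."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Conn:
    """Connection identity as a 5-tuple (hashable so it can live in a set)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"


@dataclass
class PixModel:
    """Minimal stateful firewall: a connection table plus a host shun table."""
    now: int = 0                                    # simulated clock, seconds
    conn_table: set = field(default_factory=set)
    shun_until: dict = field(default_factory=dict)  # src_ip -> expiry time

    def shun(self, src_ip, conn=None, duration=60):
        # The shun is host based no matter what else is supplied
        self.shun_until[src_ip] = self.now + duration
        # Extra connection info only removes that one table entry
        if conn is not None:
            self.conn_table.discard(conn)

    def is_shunned(self, src_ip):
        return self.shun_until.get(src_ip, -1) > self.now

    def packet(self, conn, syn=False):
        """Return 'dropped', 'forwarded' or 'no-conn' for one packet."""
        if self.is_shunned(conn.src_ip):
            return "dropped"          # every packet from the source IP
        if syn:
            self.conn_table.add(conn)
            return "forwarded"
        if conn in self.conn_table:
            return "forwarded"        # existing connection simply continues
        return "no-conn"              # mid-stream packet with no table entry

    def tick(self, seconds):
        """Advance the clock and age out expired shuns."""
        self.now += seconds
        self.shun_until = {ip: t for ip, t in self.shun_until.items()
                           if t > self.now}


def demo(with_conn_info):
    """Shun a host with or without connection details; report what happens
    to that connection and to a second one from the same host, both while
    the shun is active and after it times out (constructed sample data)."""
    pix = PixModel()
    flagged = Conn("10.0.0.5", "192.0.2.10", 40000, 80)
    other = Conn("10.0.0.5", "192.0.2.11", 40001, 22)
    pix.packet(flagged, syn=True)
    pix.packet(other, syn=True)
    pix.shun("10.0.0.5", conn=flagged if with_conn_info else None, duration=60)
    during = (pix.packet(flagged), pix.packet(other))
    pix.tick(61)                      # let the shun expire
    after = (pix.packet(flagged), pix.packet(other))
    return during, after


if __name__ == "__main__":
    print("host shun only:      ", demo(False))
    print("host shun + conn info:", demo(True))
```

In both runs every packet from the source address is dropped while the shun is active, including the second connection the sensor never reported, which is the "Host Shun" point of the reply. The difference appears only after the shun times out: without the connection details the flagged connection is still in the table and resumes, while with them the entry is gone and a mid-stream packet finds no connection.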