Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Problem with shun on PIX 6.2

Is anyone else having issues with a 4210 sensor 3.1(2)S23 using shun command on pix 515 version 6.2.(1)? Worked fine until pix OS was upgraded.

Anything diffrent that needs to be done?



Cisco Employee

Re: Problem with shun on PIX 6.2

This is a known problem (See DDTS CSCdx55215).

Here is the release note:

Symptom: managed is no longer able to shun on a pix after loading 6.2(1).

Condition: Loaded version 6.2(1) on a pix. Managing the pix in telnet mode.

Work Around: Use SSH to managed the pix. This works fine.

New Member

Re: Problem with shun on PIX 6.2

Ok, I'll give it a try.


New Member

Re: Problem with shun on PIX 6.2

We have the same problem with a 4210 trying to shun a pix 520 [ 6.2(2)].

Using Telnet it doesn't work.

Using SSH we saw from the Deb Packet of the traffic between the IDS and the Pix that the IDS it's trying to execute this file /usr/libexec/ssh-askpass.

But it doesn't exist in that directory of the IDS (we have four 4210 and one 4230, and no one have this file).

Obviously nothinh happens on the Pix (no shun).

We use CSPM 2.3.3i - IDS are up to date (3.1(s28)).

What's the clue?

Cisco Employee

Re: Problem with shun on PIX 6.2

I think the problem described in CSCdx55215 only applies to IDS

sensors that use telnet to connect to a 6.2 PIX.

Telnet will not work unless the sensor is on the inside network,

with regards to the PIX.

SSH should always work if the sensor and the PIX have been

configured correctly.

If you are still not able to shun on the PIX, please provide more

details, or open a TAC case and ask for me as the DE.

A common cause of inability to shun on the PIX is if the user

forgets to manually execute the ssh client on the sensor to

connect to the PIX, in order to perform the initial key exchange.

Another common problem is if the PIX only has a DES license

installed. Sensors require the PIX to have a 3DES license.

Users who want to continue using telnet to connect to a

6.2 PIX can obtain a Beta version of nr.managed which supports

this. Please open a TAC case if you want to do this.

Here is a link which may help with configuration issues:

New Member

Re: Problem with shun on PIX 6.2

There are a couple of bug numbers below, that maybe related to your issue.

I found them in the release notes for S(23).

CSCdx53199: PIX version 6.2 code does not create shun lists

CSCdx55215: managed shunning does not work with pix running 6.2.1

Hope this helps,