New Member

Macbook - ASA Shunning

Need some help. We are unable to get any Mac to remain connected via VPN for more than 30 - 60 seconds. After some digging, I discovered that they were being shunned. Any idea why only Macs are being shunned when connected via VPN? Thanks

Hall of Fame Super Silver

Typically the only reason we see shunning is that the client exhibits some behavior that triggers a policy in the firewall. What exactly do you see on the ASA when this happens to indicate that shunning is going on? If you capture some syslogs it should give us an indicator of why it's happening.

Also what version of ASA software and what type of VPN (IPsec, SSL full tunnel or SSL clientless) and client software are you using?

New Member

Hi,

I'm using version 8.3(1). I'm shunned using both the AnyConnect client and the native Cisco IPSec on the Mac.

Here is a quick shot of the syslog:

4|Oct 20 2014|17:15:07|401002|||||Shun added: 192.168.195.224 0.0.0.0 0 0
4|Oct 20 2014|17:15:07|733101|||||Host 192.168.195.224 is attacking. Current burst rate is 11 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 609
4|Oct 20 2014|17:15:07|733102|||||Threat-detection adds host 192.168.195.224 to shun list
4|Oct 20 2014|17:15:07|733100|||||[   192.168.195.224] drop rate-1 exceeded. Current burst rate is 11 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 60

Thanks for your help!

Hall of Fame Super Silver

It appears you have enabled:

threat-detection scanning-threat shun

You can either turn that off altogether or - perhaps a better idea - exclude your VPN pool from shunning. That would look something like (assuming your VPN pool is the /24):

threat-detection scanning-threat shun except ip-address 192.168.195.0 255.255.255.0

Here's a link to the configuration guide section with more details.

New Member

Oh cool. I've noticed a few ranges that are already excluded from shunning. Will adding this range remove the ones that are already there? Just curious.

Thanks

Hall of Fame Super Silver

You can add multiple subnets or hosts on separate lines of the configuration. They will be additive and not otherwise affect each other.
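As an added example (not code from the thread or from Cisco), the Python below reads several additive "shun except ip-address" lines as the reply above describes, pulls the hosts that threat-detection added to the shun list out of syslog messages in the pipe-delimited format shown earlier (message id 733102), and reports whether each host would now fall inside an exception. The config lines, the 10.10.10.5 host exception and the 203.0.113.7 event are constructed samples; the export format with the syslog id in the 4th field and the message in the 9th is assumed from the lines posted in the thread.

```python
import ipaddress
import re
# Constructed sample: shun-exception lines as they would appear in an ASA running
# config. The /24 is the VPN pool from the thread; the /32 host is made up.
SHUN_EXCEPTIONS = [
    "threat-detection scanning-threat shun except ip-address 192.168.195.0 255.255.255.0",
    "threat-detection scanning-threat shun except ip-address 10.10.10.5 255.255.255.255",
]
# Constructed sample in the pipe-delimited export format shown in the thread;
# the 203.0.113.7 event is added to show a host that no exception covers.
SYSLOG = [
    "4|Oct 20 2014|17:15:07|401002|||||Shun added: 192.168.195.224 0.0.0.0 0 0",
    "4|Oct 20 2014|17:15:07|733101|||||Host 192.168.195.224 is attacking. Current burst rate is 11 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 609",
    "4|Oct 20 2014|17:15:07|733102|||||Threat-detection adds host 192.168.195.224 to shun list",
    "4|Oct 20 2014|17:15:09|733102|||||Threat-detection adds host 203.0.113.7 to shun list",
]
EXCEPT_RE = re.compile(r"shun except ip-address (\S+) (\S+)$")
SHUN_ADD_RE = re.compile(r"adds host (\d+\.\d+\.\d+\.\d+) to shun list")

def parse_exceptions(config_lines):
    """Networks excluded from shunning; every except line adds to the set."""
    nets = []
    for line in config_lines:
        m = EXCEPT_RE.search(line.strip())
        if m:  # ipaddress accepts the ASA's dotted-netmask form directly
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets

def messages(syslog_lines):
    """Yield (syslog id, message text): fields 4 and 9 of the pipe-delimited export."""
    for line in syslog_lines:
        fields = line.split("|")
        if len(fields) >= 9:
            yield fields[3], fields[8]

def audit(syslog_lines, config_lines):
    """Map each host threat-detection shunned (id 733102) to whether an exception exempts it."""
    nets = parse_exceptions(config_lines)
    result = {}
    for msg_id, text in messages(syslog_lines):
        m = SHUN_ADD_RE.search(text) if msg_id == "733102" else None
        if m:
            host = ipaddress.ip_address(m.group(1))
            result[str(host)] = any(host in n for n in nets)
    return result

if __name__ == "__main__":
    for host, exempt in audit(SYSLOG, SHUN_EXCEPTIONS).items():
        print(host, "covered by an exception" if exempt else "still subject to shun")
```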
