Need some help. We are unable to get any Mac to remain connected via VPN for more than 30 - 60 seconds. After some digging, I discovered that they were being shunned. Any idea why only Macs are being shunned when connected via VPN? Thanks
Typically the only reason we see shunning is that the client exhibits some behavior that triggers a policy in the firewall. What exactly do you see on the ASA when this happens to indicate that shunning is going on? If you capture some syslogs it should give us an indicator of why it's happening.
Also what version of ASA software and what type of VPN (IPsec, SSL full tunnel or SSL clientless) and client software are you using?
I'm using version 8.3(1). I'm shunned using both the AnyConnect client and the native Cisco IPSec on the Mac.
Here is a quick shot of the syslog:
4|Oct 20 2014|17:15:07|401002|||||Shun added: 192.168.195.224 0.0.0.0 0 0
4|Oct 20 2014|17:15:07|733101|||||Host 192.168.195.224 is attacking. Current burst rate is 11 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 609
4|Oct 20 2014|17:15:07|733102|||||Threat-detection adds host 192.168.195.224 to shun list
4|Oct 20 2014|17:15:07|733100|||||[ 192.168.195.224] drop rate-1 exceeded. Current burst rate is 11 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 60
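Added example (not from the thread or from Cisco): a small Python parser for the pipe-delimited ASA syslog export shown above that correlates the threat-detection messages (733100/733101) with the shun messages (733102/401002) per host, so the reason a VPN client was shunned can be read off directly. The record layout (severity|date|time|message id|...|text) and the rate phrasing are taken from the post; the sample log is the four records posted, embedded inline.

```python
import re
from collections import defaultdict

# Sample input: the four ASA syslog records from the post above, in the
# pipe-delimited export format "severity|date|time|msgid|||||text".
SAMPLE_LOG = """\
4|Oct 20 2014|17:15:07|401002|||||Shun added: 192.168.195.224 0.0.0.0 0 0
4|Oct 20 2014|17:15:07|733101|||||Host 192.168.195.224 is attacking. Current burst rate is 11 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 609
4|Oct 20 2014|17:15:07|733102|||||Threat-detection adds host 192.168.195.224 to shun list
4|Oct 20 2014|17:15:07|733100|||||[ 192.168.195.224] drop rate-1 exceeded. Current burst rate is 11 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 60
"""

RATE_RE = re.compile(
    r"Current burst rate is (\d+) per second, max configured rate is (\d+); "
    r"Current average rate is (\d+) per second, max configured rate is (\d+)"
)
HOST_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
SHUN_IDS = {"401002", "733102"}          # host actually added to the shun list
THREAT_IDS = {"733100", "733101"}        # scanning/attack rate thresholds tripped


def parse_record(line):
    """Split one pipe-delimited ASA record; return None for lines that do not fit."""
    fields = line.rstrip("\n").split("|")
    if len(fields) < 9 or not fields[0].isdigit():
        return None
    return {"severity": int(fields[0]), "timestamp": f"{fields[1]} {fields[2]}",
            "id": fields[3], "text": fields[-1]}


def explain_shuns(log_text):
    """Per host: was it shunned, observed vs configured rates, and which limit was exceeded."""
    hosts = defaultdict(lambda: {"shunned": False, "burst": None, "burst_limit": None,
                                 "avg": None, "avg_limit": None, "exceeded": set()})
    for line in log_text.splitlines():
        rec = parse_record(line)
        host = HOST_RE.search(rec["text"]) if rec else None
        if host is None:
            continue
        entry = hosts[host.group(1)]
        if rec["id"] in SHUN_IDS:
            entry["shunned"] = True
        elif rec["id"] in THREAT_IDS:
            rates = RATE_RE.search(rec["text"])
            if rates:
                entry["burst"], entry["burst_limit"], entry["avg"], entry["avg_limit"] = map(int, rates.groups())
                if entry["burst"] > entry["burst_limit"]:
                    entry["exceeded"].add("burst")
                if entry["avg"] > entry["avg_limit"]:
                    entry["exceeded"].add("average")
    return dict(hosts)
```

Running it over the posted records shows 192.168.195.224 was shunned because its burst rate (11/s) crossed the configured 10/s threshold while the average rate stayed under its limit, which is the first thing to compare against the threat-detection rate settings on the ASA.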