https://community.cisco.com/t5/network-security/shun-configured-but-not-working/m-p/3676586#M13185 <P>Hello,</P> <P>The shun command&nbsp;is&nbsp;used independently of threat-detection.&nbsp;</P> <P>&nbsp;</P> <P>shuns, when entered manually, are ephemeral and not saved in running-config. So if your shun list has been cleared out, that just means that the&nbsp;<SPAN>ephemeral shun list has been cleared. You would see the same behavior if you rebooted your device.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Typically, the way I understand it, shun was designed&nbsp;to be used in this fashion:</SPAN></P> <P>&nbsp;</P> <P><SPAN>You are seeing malicious traffic from a source IP, let's say 9.9.9.9. I would normally add this IP to a blacklist, deny ACL on my edge, ingress ACL. However adding the IP to the ACL will not stop any EXISTING sessions <EM>previously</EM>&nbsp;made by the bad actor. So in addition to the blacklist, we issue a shun, which clears the tcp connection tables and the NAT translation tables for the offending IP address at 9.9.9.9. This way, any previously successful connections by 9.9.9.9 are immediately&nbsp;dropped by the shun. If there were a reboot of the box, even though shun has been cleared, the bad actor at 9.9.9.9 would still not be able to initiate any new connections because our ACL black-list would prevent any new connections.</SPAN></P> <P>&nbsp;</P> <P><SPAN><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s15.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s15.html</A></SPAN></P> <P><EM>"Because the&nbsp;<STRONG class="cBold">shun</STRONG>&nbsp;command is used to block attacks dynamically, it is not displayed in the ASA configuration."</EM></P> <P>&nbsp;</P> <P>Hope that helps!</P> <P>-A</P> Fri, 27 Jul 2018 21:38:49 GMT aaron.hackney 2018-07-27T21:38:49Z https://community.cisco.com/t5/network-security/shun-configured-but-not-working/m-p/3676359#M13181 <P>have had scanning threat enabled for years.&nbsp; New assistant typed "no shun" instead of "clear shun" and now the "show shun" doesn't show anything.&nbsp; Usually have about 100 in a matter of minutes.&nbsp; Have turned on and off via GUI and verified the config via CLI.&nbsp; Attached is screenshot and below is config.&nbsp; Any help appreciated.</P> <P>&nbsp;</P> <P>ciscoasa-1# sh run | begin shun<BR />threat-detection scanning-threat shun except ip-address 10.1.2.0 255.255.255.0<BR />threat-detection scanning-threat shun except ip-address 10.10.10.0 255.255.255.0<BR />threat-detection scanning-threat shun except ip-address 10.17.4.0 255.255.252.0<BR />threat-detection scanning-threat shun except ip-address 10.200.0.0 255.255.0.0<BR />threat-detection scanning-threat shun except ip-address 10.200.31.0 255.255.255.0<BR />threat-detection scanning-threat shun except ip-address 10.33.2.50 255.255.255.255<BR />threat-detection scanning-threat shun except ip-address 172.16.0.0 255.255.240.0<BR />threat-detection scanning-threat shun except ip-address 192.168.0.0 255.255.0.0</P> Fri, 21 Feb 2020 16:01:47 GMT https://community.cisco.com/t5/network-security/shun-configured-but-not-working/m-p/3676359#M13181 spunner 2020-02-21T16:01:47Z https://community.cisco.com/t5/network-security/shun-configured-but-not-working/m-p/3676586#M13185 <P>Hello,</P> <P>The shun command&nbsp;is&nbsp;used independently of threat-detection.&nbsp;</P> <P>&nbsp;</P> <P>shuns, when entered manually, are ephemeral and not saved in running-config. So if your shun list has been cleared out, that just means that the&nbsp;<SPAN>ephemeral shun list has been cleared. You would see the same behavior if you rebooted your device.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Typically, the way I understand it, shun was designed&nbsp;to be used in this fashion:</SPAN></P> <P>&nbsp;</P> <P><SPAN>You are seeing malicious traffic from a source IP, let's say 9.9.9.9. I would normally add this IP to a blacklist, deny ACL on my edge, ingress ACL. However adding the IP to the ACL will not stop any EXISTING sessions <EM>previously</EM>&nbsp;made by the bad actor. So in addition to the blacklist, we issue a shun, which clears the tcp connection tables and the NAT translation tables for the offending IP address at 9.9.9.9. This way, any previously successful connections by 9.9.9.9 are immediately&nbsp;dropped by the shun. If there were a reboot of the box, even though shun has been cleared, the bad actor at 9.9.9.9 would still not be able to initiate any new connections because our ACL black-list would prevent any new connections.</SPAN></P> <P>&nbsp;</P> <P><SPAN><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s15.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s15.html</A></SPAN></P> <P><EM>"Because the&nbsp;<STRONG class="cBold">shun</STRONG>&nbsp;command is used to block attacks dynamically, it is not displayed in the ASA configuration."</EM></P> <P>&nbsp;</P> <P>Hope that helps!</P> <P>-A</P> Fri, 27 Jul 2018 21:38:49 GMT https://community.cisco.com/t5/network-security/shun-configured-but-not-working/m-p/3676586#M13185 aaron.hackney 2018-07-27T21:38:49Z https://community.cisco.com/t5/network-security/shun-configured-but-not-working/m-p/3676605#M13188 I appreciate your explanation. However, I could type "show shun" and it would give me a list of all IP's that are currently being shunned. I type that in now, and there is no list. Tells me nothing is being shunned. I usually get over 100 on the list within the first couple minutes after doing a clear shun command.<BR /> Fri, 27 Jul 2018 23:17:47 GMT https://community.cisco.com/t5/network-security/shun-configured-but-not-working/m-p/3676605#M13188 spunner 2018-07-27T23:17:47Z