topic Shunned in Network Security

Shunned

dipak jaiswal — Mon, 11 Mar 2019 20:18:00 GMT

Hi,

I have a server having ip address 172.21.X.X, and it is always getting shunned. I have to manually clear the shuna everytime. Why the server is getting blocked at shun, i am unable to understand ? I can bypass the server adress at shun, but that's not solution. The server contains linux OS. Can anyone please help on this ?

Thanks in advance

Dipak

Re: Shunned

padatta — Thu, 07 Apr 2011 09:51:46 GMT

Hi,

The best way to find out would be to enable debug level logging and wait for the server to be shunned again.

The logs should give more insight.

Paps

Shunned

dipak jaiswal — Mon, 11 Jul 2011 15:57:25 GMT

Hi,

What is the debug command for shun ? I have searched a lot over internet, but counldn't find anything.

Thanks a lot in advance

Regards

Dipak

Shunned

varrao — Mon, 11 Jul 2011 16:37:40 GMT

Hi Dipak,

Can u explain what is the purpose for it, what information are you trying to see??

Varun

Shunned

dipak jaiswal — Tue, 12 Jul 2011 03:23:39 GMT

Hi Varun,

As suggested by Mr. Padatta, i am trying to do debug level logging for the shunned server. It's creating a lot of problem when the server are getting shunned and i have to remove it manually. Is there is any other way to solve this issue ? Please help me.

Thanks a lot in advance.

Regards

Dipak

Shunned

varrao — Tue, 12 Jul 2011 03:37:38 GMT

Hi Dipak,

There is no debug command for shun, wat he suggested wasd takong logs friom the ASA at debug level:

To enable it you need the command:

logging buffered 7

logging monitor 7

logging trap 7

level 7 is for debugging

here is a doc:

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/system/message/logsevp.html

and

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml

Hope this helps

Thanks,

Varun

Shunned

dipak jaiswal — Tue, 12 Jul 2011 05:30:11 GMT

Hi Varun,

I have enabled debugging on ASA. It's only showing the below mentioned message :

Shunned packet: 172.21.x.x ==> 10.40.x.x on interface DMZ

Please suggest.

Shunned

varrao — Tue, 12 Jul 2011 06:00:00 GMT

Hi Dipak,

If you want to see what all Ip addresses are getting shunned on the firewall, use the command "show shun", now the IP addresses that should not be shunned, add a "no" in front of them and save the changes, those ip's would be removed from the shun list.

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/command/reference/s8.html#wp1525925

Hope this helps

Thanks,

Varun

Shunned

dipak jaiswal — Wed, 13 Jul 2011 05:54:30 GMT

Hi,

I have tried with "no shun ip address" command with saving the changes, but after sometime it's again getting shunned.

Is there any other way ? Please suggest.

Regards

Dipak

Shunned

varrao — Wed, 13 Jul 2011 07:08:33 GMT

Hi Dipak,

I am a bit confused about your issue here:

Are you not able to access a server and the reason taht you see in the logs is because it has been shunned ?? You have tried removing the shun command but after sometime does comeback on the firewall????

I am asking you this because the access to the server could be blocked due to someother reason as well, do you always see the ip of the server in the shunned list.

provide me the following outputs:

ip of the server

show shun

the logs that you get when you access the server.

Thanks,

Varun

Re: Shunned

dipak jaiswal — Wed, 13 Jul 2011 08:55:06 GMT

Hi,

We are able to access and ping the server, before shun. As soon as it get shunned, we are neither able to ping nor access to the server. After removing with no shun command, then we are able to access and ping the server. After sometime the server ip automatically get shun. Yes, the server ip is always get shunned. The server is our dns server.

IP of the server : 172.21.10.13

Show shun : shun (DMZ) 172.21.10.13 0.0.0.0 0 0 0

The logs that you get when you access the server: Built outbound TCP connection 197491880 for DMZ:172.21.10.13/22 (172.15.22/22) to INSIDE:172.21.15.12 (172.21.15.12/1122)

Regards

Dipak

Shunned

dipak jaiswal — Thu, 14 Jul 2011 15:40:40 GMT

Hi,

Please help me to solve this issue.

Thanks a lot in advance.

Regards

Dipak

Shunned

praprama — Thu, 14 Jul 2011 16:09:10 GMT

Hi Dipak,

Automatic shunning can happen on ASAs because of 2 reasons:

1) You have scanning threat-detection enabled iwth shunning on the ASA.

2) There is an IPS device configured on your network for blocking which adds this shun on the ASA.

So my questions are:

1) Please post the output of show run all threat-detection from the ASA.

2) Do you have a Cisco IPS in your network?

Regards,

Prapanch

Shunned

dipak jaiswal — Fri, 15 Jul 2011 07:06:28 GMT

Hi,

sh run all threat-detection (output)

threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400

threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320

threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400

threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320

threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800

threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640

threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400

threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320

threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400

threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320

threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10

threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8

threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200

threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160

threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600

threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280

threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600

threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280

threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000

threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400

threat-detection basic-threat

threat-detection scanning-threat shun duration 3600

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

Yes, we have Cisco IPS in our network.

Please suggest.

Thanks a lot in advance.

Regards

Dipak

Re: Shunned

varrao — Fri, 15 Jul 2011 07:33:45 GMT

Hi Dipak,

We would need to verify it on the IPS as well as threat-detection as well:

For threat-detection you can use the "except" keyword to exclude your server.

threat-detection scanning-threat shun except ip-address 172.21.10.13 255.255.255.255

To check on IP, login to the IDM, and on the top go to monitoring------> Active hosts Block--------> There you can see if this server is being blocked by the IPS server.

If it is blocked by IPS, go to Configuration ----------> Blocking Properties -----------> Never block IP's.

Screenshot are attached.

Hope this helps.

Thanks,

Varun

Shunned

dipak jaiswal — Fri, 15 Jul 2011 08:28:41 GMT

Hi,

When the server is getting blocked, it is showing at shun on ASA but it's not showing at IPS under Active host block. As suggested by you if i configure threat-detection scanning-threat shun except ip-address 172.21.10.13 255.255.255.255 command, then the server is not getting shunned or blocked.

How can i verify with server ip address at IPS whether any signature is getting tuned for this server ? Is threat-detection scanning-threat shun except ip-address 172.21.10.13 255.255.255.255 is the best way to configure ?

IPS is configured in inline mode.

Please suggest.

Thanks a lot in advance.

Regards

Dipak

Shunned

varrao — Fri, 15 Jul 2011 09:33:46 GMT

Hi Dipak,

Yes you can check it, but in IME, go to IME ---------> Event Monitoring and then filter tab, filter by attacker ip first, if it doesnt help, filter by victim ip and search, this hsould work for you.

Hope this helps.

Thanks,

Varun

Shunned

dipak jaiswal — Fri, 15 Jul 2011 11:36:03 GMT

Hi,

Event Monitoring option is not showing. Is there any option to enable it. I have searched at internet but couldn't find anything. Please find the screenshot of what options are available at IPS.

Please suggest.

Thanks a lot in advance.

Regards

Dipak

Re: Shunned

varrao — Fri, 15 Jul 2011 11:54:44 GMT

Hi Dipak,

I was talking about the Cisco IME, please find the screenshot attached

Thanks,

Varun

Re: Shunned

dipak jaiswal — Fri, 15 Jul 2011 18:02:54 GMT

Hi,

I have installed Cisco IME 7.1.1. While trying to add IPS device, it's giving the below mentioned error:

IOException when try to get certificate: java.security.cert.Certificate expired exception : Not After Mon Jun 13 05:51:27 GMT +5:30 2011

I think certificate has got expired, but which certificate has got expired i am unable to understand.

When i tried to add IDSM device, the following error has occured:

IOException when try to get certificate: Read timed out.

Please suggest.

Thanks a lot in advance.

Regards

Dipak