Welcome to Cisco Firewalls Community


Rising star

ASA VPN handing out shunned IP

Looking to identify why an ASA would hand out a shunned IP address to remote users attempting to access the VPN via AnyConnect from the client's IP pool. Not sure why it would not just grab and use the next IP from the IP pool specified for a specific tunnel group. Any ideas?

Brief overview of situation:

ASA version 9.8(4)8

Remote VPN users use AnyConnect clients and specific profiles for IPsec VPN. We perform posture checks via ISE and the posture module. Basic threat detection and scanning threat detection are enabled. A user lost VPN connectivity after the ASA shunned his IP. Seems to be due to updates.

Thanks in advance!

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Advocate

Re: ASA VPN handing out shunned IP

@Mike.Cifelli 

AFAIK, there is no correlation between the threat detection feature and VPN pool assignment. If I recall correctly, the ASA puts the unassigned IP address back at the top of the queue to be assigned next, irrespective of whether it is shunned or not.

 

But your situation could be remedied by adding a re-use delay for the VPN pool address assignment.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/vpn_addresses.html#18588

 

This way, the ASA does not use the IP address for a certain period after it is returned to the pool. You can align this with the shun duration period if you want to.

 

 

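As an added example (not from the original post or from Cisco's documentation), the configuration the accepted solution points to, written out in ASA CLI with the shun duration and the pool reuse delay set to the same 60 minutes. The pool name, address range and tunnel-group name are assumptions for illustration; the commands themselves (`ip local pool`, `vpn-addr-assign local reuse-delay`, `threat-detection scanning-threat shun duration`, `show shun`, `clear shun`) are standard ASA commands.

```text
! --- Added example, not the poster's config. Names and addresses are assumed. ---

! Scanning-threat detection: shun an offending host for 3600 s (60 min).
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600

! Remote-access pool handed to AnyConnect clients (assumed range).
ip local pool ANYCONNECT-POOL 10.10.20.10-10.10.20.250 mask 255.255.255.0

! Keep a released address out of circulation for 60 minutes (range 0-480 min).
! Matching the shun duration above means an address cannot be re-issued
! while a shun placed on it is still active.
vpn-addr-assign local reuse-delay 60

! Bind the pool to the tunnel group the AnyConnect profile uses (assumed name).
tunnel-group RA-TG general-attributes
 address-pool ANYCONNECT-POOL

! --- Checks ---
! Which pool addresses are in use / available:
show ip local pool ANYCONNECT-POOL
! Confirm the reuse delay took effect:
show running-config vpn-addr-assign
! Active shuns; if a pool address shows up here while a user holds it,
! that user is the one who gets cut off:
show shun
! Clear a shun on a specific address (assumed address):
clear shun 10.10.20.42
```

The reuse delay only governs addresses that have been released back to the pool; it does nothing for an address that is shunned while a session still holds it, so `show shun` is the check to run when a connected user suddenly loses traffic.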
3 REPLIES
Rising star

Re: ASA VPN handing out shunned IP

@Marvin Rhoads Any thoughts?

Hall of Fame Master

Re: ASA VPN handing out shunned IP

I haven't come across this behavior.

Perhaps @Rahul Govindan might know.
