09-05-2019 11:23 AM - edited 02-21-2020 09:27 AM
Looking to identify why an ASA would hand out a shunned IP address to remote users attempting to access the VPN via AnyConnect from the client's IP pool. Not sure why it would not just grab and use the next IP from the IP pool specified for a specific tunnel group. Any ideas?
Brief overview of situation:
ASA version 9.8(4)8
Remote VPN users use AnyConnect clients and specific profiles for IPsec VPN. We perform posture checks via ISE & the posture module. Basic threat detection and scanning threat detection are enabled. A user lost VPN connectivity after the ASA shunned his IP. Seems to be due to updates.
Thanks in advance!
09-12-2019 06:42 AM
AFAIK, there is no correlation between the threat detection feature and VPN pool assignment. If I recall correctly, the ASA puts the unassigned IP address back to the top of the queue to be assigned next, irrespective of it being shunned or not.
But your situation could be remedied by adding a re-use delay for the VPN pool address assignment.
This way, the ASA does not use the IP address for a certain period after it is re-assigned back to the pool. You can align this with the shun duration period if you wanted to.
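The re-use delay and shun duration the answer refers to, as an added configuration example (not from the original thread or from Cisco's documentation); the pool name `VPN-POOL` and the chosen values are illustrative assumptions, and note that the two timers use different units:

```cisco
! --- Before: pool addresses are recycled immediately (reuse-delay 0 is the default) ---
! ip local pool VPN-POOL 10.200.0.10-10.200.0.250 mask 255.255.255.0
! vpn-addr-assign local reuse-delay 0

! --- After: hold a released address for 60 minutes before it can be handed out again ---
! vpn-addr-assign local reuse-delay takes MINUTES (0-480)
vpn-addr-assign local reuse-delay 60

! Scanning-threat shun duration takes SECONDS; 3600 s = 60 min, so the two windows line up.
! A shunned address released from the pool cannot be reassigned until the shun has expired.
threat-detection scanning-threat shun duration 3600

! --- Verification ---
! Confirm the delay is in the running config
show running-config vpn-addr-assign
! List currently shunned hosts and remaining shun time
show threat-detection shun
! Check which pool addresses are in use versus available
show ip local pool VPN-POOL
```

If the shun duration is changed later, revisit the reuse-delay so the pool hold time still covers the full shun window.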
09-09-2019 09:07 AM
@Marvin Rhoads Any thoughts?
09-12-2019 05:52 AM
I haven't come across this behavior.
Perhaps @Rahul Govindan might know.