@Rob Ingram Excellent! I'll upgrade the OS over the weekend.

Do you know if this "Threat Detection for Remote Access VPN Services" feature uses the same shun settings as the scanning threat detection (below), i.e. do I need to have these configured for the threat detection services for VPN to work?

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html#:~:text=In%20order%20to%20allow%20the,%2Ddetection%20scanning%2Dthreat%20command.&text=This%20allows%20Scanning%20Threat%....

The document you posted states "When you enable these services, the Secure Firewall automatically shuns the host (IP address) that exceeds the configured thresholds", so I'm leaning toward this NOT using the same settings as the scanning threat detection and just working independently -- do you agree?

@rschember1 yes I agree.

The link I previously posted is threat detection specific for VPN attacks, use those settings to restrict VPN attacks.

I'll follow up on Monday with the results. Thank you for the info.

@Rob Ingram - No luck unfortunately. I'm thinking it's not triggering the VPN attack detection because the connection attempt isn't making it past the ACL, so it's not actually initiating a VPN connection. It's good to know this protection is available though, and I will definitely enable it across the board on all of my ASA devices.

@rschember1 is it being dropped by the interface ACL, inbound on the outside interface? That ACL would only effect traffic "through" the ASA, not "to" the ASA (SSL-VPN).

@Rob Ingram Yes, it appears to be getting dropped by the outside interface ACL. Maybe it's because I don't have SSL-VPN enabled? I only allow AnyConnect with IKEv2, so SSL-VPN is disabled on the outside interface. So maybe this isn't being considered a VPN connection attempt since the SSL service is disabled on that interface?

@rschember1 ok that might make sense then if SSL is not used.