01-10-2025 08:02 PM
I've enabled the following command, "threat-detection service remote-access-authentication ...", on our Cisco ASA 5508X and it feels like it's only shunning a maximum of 125 IPs. Is this possible? Does the ASA have a limit on the number of IPs it can simultaneously block or shun? You can see below that 125 are blocked, yet I'm still seeing brute force attempts and that 125 number is not growing.
Here's my config:
threat-detection basic-threat
threat-detection scanning-threat shun duration 86400
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
threat-detection service invalid-vpn-access
threat-detection service remote-access-authentication hold-down 30 threshold 4
threat-detection service remote-access-client-initiations hold-down 10 threshold 7
And in "show threat-detection service details" you can see only 125 blocked:
Name: remote-access-authentication
State : Enabled
Hold-down : 30 minutes
Threshold : 4
Stats:
failed : 0
blocking : 125
recording : 2042
unsupported : 0
disabled : 393
Total entries: 121
Thanks in advance.
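To watch for exactly the symptom described in the post (the blocking counter sitting at a fixed value while sources are still being recorded), the following added script parses the "show threat-detection service details" output quoted above and flags a stalled blocking count across successive polls. It is an illustration written for this thread, not Cisco's code and not part of the original post; it assumes you already collect the command output on a schedule (for example over SSH from a monitoring host) and pass the text in, and the "stalled" heuristic is an assumption of the example rather than an ASA feature. The sample text is constructed from the values the poster quoted.

```python
import re
from typing import Dict, List

# Constructed sample: same layout and values as the output quoted in the post.
SAMPLE_OUTPUT = """\
Name: remote-access-authentication
State : Enabled
Hold-down : 30 minutes
Threshold : 4
Stats:
failed : 0
blocking : 125
recording : 2042
unsupported : 0
disabled : 393
Total entries: 121
"""


def parse_service_details(text: str) -> Dict:
    """Parse one service block of 'show threat-detection service details'.

    Returns name/state as strings, hold_down_minutes/threshold/total_entries
    as ints, and the counters under 'Stats:' in a nested dict.
    """
    result: Dict = {"stats": {}}
    in_stats = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower().replace(" ", "_")
        value = value.strip()
        if key == "stats":            # header line, counters follow
            in_stats = True
            continue
        if key == "total_entries":    # closes the stats section
            in_stats = False
            result["total_entries"] = int(value)
            continue
        if in_stats:
            result["stats"][key] = int(value)
        elif key == "hold-down":      # "30 minutes" -> 30
            result["hold_down_minutes"] = int(re.match(r"\d+", value).group())
        elif key == "threshold":
            result["threshold"] = int(value)
        else:
            result[key] = value       # name, state
    return result


def blocking_stalled(polls: List[Dict], min_polls: int = 3) -> bool:
    """Heuristic (an assumption of this example, not ASA behaviour):

    True when 'blocking' has stayed at the same value over the last
    min_polls polls while 'recording' was non-zero every time, i.e.
    sources are still being recorded for failed authentications but the
    blocked set is no longer growing. Worth an alert so an operator can
    check for a platform limit or hold-down expiry interplay.
    """
    if len(polls) < min_polls:
        return False
    recent = polls[-min_polls:]
    blocking = [p["stats"]["blocking"] for p in recent]
    recording = [p["stats"]["recording"] for p in recent]
    return len(set(blocking)) == 1 and all(r > 0 for r in recording)


def constructed_poll(blocking: int, recording: int) -> Dict:
    """Constructed poll result: the quoted layout with two counters varied."""
    text = (SAMPLE_OUTPUT
            .replace("blocking : 125", f"blocking : {blocking}")
            .replace("recording : 2042", f"recording : {recording}"))
    return parse_service_details(text)


if __name__ == "__main__":
    details = parse_service_details(SAMPLE_OUTPUT)
    print("blocking:", details["stats"]["blocking"],
          "recording:", details["stats"]["recording"])
    # Three constructed polls with blocking pinned at 125: flagged as stalled.
    history = [constructed_poll(125, r) for r in (2042, 2100, 2180)]
    print("stalled:", blocking_stalled(history))
```

Feed each poll's parsed dict into a rolling list and alert when blocking_stalled() turns true; the parser deliberately reads only the fields shown in the post, so any additional lines in other ASA releases are ignored rather than misread.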
01-10-2025 08:55 PM
It seems like your Cisco ASA 5508X might have a practical limit on the number of IPs it can simultaneously block or shun due to memory constraints. Despite enabling the `threat-detection service remote-access-authentication` command, you observe that only 125 IPs are being blocked while still experiencing brute force attempts. To address this, consider increasing the hold-down time, adjusting thresholds, and regularly monitoring and removing IPs that are no longer a threat. Additionally, ensure your ASA firmware is up to date for any improvements or fixes related to threat detection.
01-13-2025 05:44 AM
Can you explain the "disabled : 393" portion of your output?