
How to check the reason why an IP was shunned.

Machi Ma
Level 1

Hello,

From the log I can also see the IP is already listed in the shun database, like:

Oct 20 13:06:24 192.168.10.2 Oct 20 2016 13:06:24: %ASA-4-401004: Shunned packet: 111.222.333.444 ==> 555.666.777.888 on interface outside
But I have no idea why it was shunned in the first place until I search the syslog database.
Is there any method to find out the reason quickly?
Thanks!

Pulkit Saxena
Cisco Employee

Hi Machi,

If you have CLI access, you can check a few commands which will tell you about this:

show threat-detection shun  --> Displays the hosts that are currently shunned.

If you want to read more about it and a few more commands, that can be checked at:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/protect_threat.html#wp1072953

-

Pulkit

Hello Pulkit,

It looks like that could not provide me full details. I can check via

# show threat-detection scanning-threat | grep 111.222.333.444
    111.222.333.444 (outside)

But it cannot tell me the detailed reason why it is listed in the shun list.

Currently I need to search back through syslog; for example, the reason is %201013 or %313005. That is what I want a quick result for.

Machi,

The kind of details that you are looking for can be seen in syslogs only, as shun-related commands only give the IP addresses and counters.

-

Pulkit
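
Added example, not part of the original thread or Cisco's tooling: since the replies conclude that the reason is only visible in syslog, this Python function automates that search by collecting the messages that mention an IP before its first 401004 "Shunned packet" entry. The function name, the sample addresses and the sample message text are constructed; only the message IDs and the 401004 line format come from the thread, and the log is assumed to be in chronological order.

```python
import re
from collections import Counter

# ASA tag and message text, e.g. "%ASA-4-401004: Shunned packet: ..."
ASA_MSG = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)")
SHUNNED = re.compile(r"Shunned packet: (?P<src>\S+) ==> (?P<dst>\S+)")

# Constructed sample: IDs are those named in the thread; the text and
# severities of the non-401004 lines are invented for illustration.
SAMPLE = """\
Oct 20 13:05:58 192.168.10.2 Oct 20 2016 13:05:58: %ASA-3-201013: (constructed) limit exceeded for 203.0.113.7
Oct 20 13:06:01 192.168.10.2 Oct 20 2016 13:06:01: %ASA-4-313005: (constructed) ICMP error from 203.0.113.70
Oct 20 13:06:10 192.168.10.2 Oct 20 2016 13:06:10: %ASA-3-201013: (constructed) limit exceeded for 203.0.113.7
Oct 20 13:06:24 192.168.10.2 Oct 20 2016 13:06:24: %ASA-4-401004: Shunned packet: 203.0.113.7 ==> 198.51.100.9 on interface outside
Oct 20 13:06:30 192.168.10.2 Oct 20 2016 13:06:30: %ASA-3-201013: (constructed) limit exceeded for 203.0.113.7
""".splitlines()


def shun_context(lines, ip, keep=5):
    """Return (counts by message ID, last `keep` matching lines) for messages
    that mention `ip` before it first appears as the source of a 401004
    entry. Returns None if `ip` is never seen as a shunned source."""
    # Whole-address match: 203.0.113.7 must not match 203.0.113.70.
    ip_token = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?!\d)")
    earlier = []
    for line in lines:
        m = ASA_MSG.search(line)
        # Search the message text only, so the reporting device's own
        # address in the syslog header is never counted as a hit.
        if not m or not ip_token.search(m["text"]):
            continue
        if m["id"] == "401004":
            s = SHUNNED.search(m["text"])
            if s and s["src"] == ip:
                counts = Counter(mid for mid, _ in earlier)
                return counts, [text for _, text in earlier[-keep:]]
            continue  # ip was only the destination of a shunned packet
        earlier.append((m["id"], line.rstrip()))
    return None


if __name__ == "__main__":
    counts, recent = shun_context(SAMPLE, "203.0.113.7")
    print(dict(counts))
    print("\n".join(recent))
```

The counts show which message IDs dominated before the shun took effect, which is the lookup the original poster was doing by hand.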
