Solved: Re: inside servers shunned

lcaruso · ‎03-02-2011

Hi,

A client suffered an outage with their isp today with a ASA5505 running 8.4(1).The connection bounced for about an hour or so.

It would appear a side effect of the outage is the ASA shunned two inside servers. The configuration was set to detect scanning threats and shun them, but it did not specify to exclude this network which is not directly connected but is on the inside.

I'm curious if the outage actually caused this but don't understand any conditions in which these servers would be scanning the ASA.

Can anyone shed some light on this? Thanks.

PAUL GILBERT ARIAS · ‎03-02-2011

with the command "sh threat-detection shun" you can tell if they are being shunned. A syslog message would be generated in that case.

If that happens again should be able to check the result of the command and the logs.

View solution in original post

PAUL GILBERT ARIAS · ‎03-02-2011

with the command "sh threat-detection shun" you can tell if they are being shunned. A syslog message would be generated in that case.

If that happens again should be able to check the result of the command and the logs.

lcaruso · ‎03-02-2011

I did a sh shun and it listed them.

We do save the logs on this ASA so it will be a matter of going through them, but I'm still curious what others have to say.

lcaruso · ‎03-02-2011

opened a tac case earlier in the day. I'll let you know if they come up with anything worth posting.