Solved: New threat-detection service: can i specify a shun duration?

joachimj · ‎03-26-2025

Hello,

in ASA Version 9.20(3)7 we tested the new threat-detection service
https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-asa/222315-configure-threat-detection-services-for.html

threat-detection service invalid-vpn-access
threat-detection service remote-access-authentication hold-down 10 threshold 20
threat-detection service remote-access-client-initiations hold-down 10 threshold 20

After 20 login-attempts with wrong passwort i see the IP is shunned.
# show shun
shun (Outside) 1.2.3.4 0.0.0.0 0 0 0
Log shows
%ASA-4-401002: Shun added: 1.2.3.4 0.0.0.0 0 0
%ASA-3-733201: Threat-detection: Service[remote-access-authentication] Peer[1.2.3.4]: failure threshold of 20 exceeded: adding shun to interface Outside. WEBVPN: Failed AAA authentication

It seems, the shun is kept forever until we clear it manually.

My Question: is it possible to limit the duration of the shun?

Rob Ingram · ‎03-26-2025

@joachimj no there is no shun specific command to configure to set the duration of the shun. The shun is in place until manually removed or the ASA is reboot.

Perhaps use an EEM script to schedule a removal of the shun at a certain time/day?

View solution in original post

Rob Ingram · ‎03-26-2025

@joachimj no there is no shun specific command to configure to set the duration of the shun. The shun is in place until manually removed or the ASA is reboot.

Perhaps use an EEM script to schedule a removal of the shun at a certain time/day?