Buy or Renew
Buy or Renew
NOTICE: The community will be in READ-ONLY Sept. 6 – 9 to add Umbrella release notes and announcements. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
295
Views
10
Helpful
1
Replies

PIX Shuns entire host when "Shun Connection" selected.

bbenton
Level 1
Level 1

‎10-13-2003 03:01 PM - edited ‎02-20-2020 11:02 PM

When selecting "Shun Connection" on the sensor, v4.1, the pix blocks the entire host...regardless of what ports or protocols are used. Anyone see this?

Pix V6.3(1). The pix config shows the shun line the same for both shun host and shun connection. Both lines have the ports appended to them as only the "shun connection" should have.

0 Helpful
1 Reply 1

marcabal
Cisco Employee
Cisco Employee

‎10-13-2003 04:15 PM

The Pix and the IDS are both functioning properly.

What users may not understand is that the Pix ONLY supports Shun Host and does not support Shun Connection.

The connection information you see is not used by the Pix to shun that single connection.

Instead the Pix will Always shun all packets from the Source Ip Address whether or not the additional information is added.

The additional connection information is just to help the Pix remove the current connection from it's connection table.

If the connection were not removed from the connection table, then techincally the Pix still thinks the connections is active (Note: the packets from the source address are shunned so no packets are going through, but the Pix still sees the connection as active)

It would be technically possible that the user could continue the connection after the shun times out (especially when shun times are short like just a minute or 2).

SO the extra information is not making it a Connection Shun, instead it is still just a Host Shun for the Source IP Address that in addition ensures that the connection is removed from the Pix's connection table.

This was implemented as part of the Pix shun command before the IDS began supporting connection shuns. So the IDS is limited to what the Pix supports.

This is somewhat explained in the documentation for the shun command on the Pix:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#1026366

(Look at the Usage Guidelines and Example)

So shunning a single connection on the Pix is not currently supported. You could try contacting the TAC and ask for an enhancement request to the Pix to support single connection shunning and then a second enhancement request for the IDS sensor to support the corresponding change to the Pix.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card