07-31-2016 11:18 PM - edited 03-12-2019 01:04 AM
Hello,
Today when I checked the shun statistics, I found that some IPs have already been shunned for a long time.
Could anyone advise how I can correctly set up the shun removal time?
Some current status and config are below for reference:
# show shun statistics
Shun 37.235.64.157 cnt=13, time=(121:32:03)
Shun 192.0.6.11 cnt=0, time=(121:32:10)
Shun 88.247.170.151 cnt=0, time=(121:26:54)
Shun 83.110.192.68 cnt=124, time=(121:27:37)
Shun 115.22.138.133 cnt=47, time=(121:23:44)
Shun 36.233.127.29 cnt=20, time=(121:29:56)
When checking the shun duration, it is supposed to be 3600 sec:
threat-detection scanning-threat shun duration 3600
I tried to check the current connections and did not find those IPs to be active:
#show conn | include 37.235.64.157
Currently the embryonic, half-closed and idle timeouts are also using the default values:
# show configuration | include half
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Thanks!
08-01-2016 08:37 AM
Hello Machi,
I suspect those IP addresses have been manually shunned as there are no active connections as you mention. Please do a clear shun and monitor the statistics during this day/week.
Also, could you share the ASA version you are running on the device please?
Thanks!
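The two posts above compare the age of each entry in "show shun statistics" against the configured "threat-detection scanning-threat shun duration": an entry far older than that duration with no active connection behind it is most likely a manual shun, which the automatic timer never removes. The following script is an added example (not code from the thread or from Cisco) that does that comparison automatically, so an operator can audit the shun table before deciding what to clear. The sample output and config are constructed to mirror the lines in the thread; the regexes assume the output format shown there, and 3600 seconds is assumed as the fallback when no "shun duration" line is found.

```python
import re

# Constructed sample, modelled on the "show shun statistics" output in the thread.
SHUN_STATS = """\
Shun 37.235.64.157 cnt=13, time=(121:32:03)
Shun 192.0.6.11 cnt=0, time=(121:32:10)
Shun 10.0.0.5 cnt=2, time=(0:42:11)
"""

# Constructed sample of the relevant running-config lines.
CONFIG = """\
threat-detection scanning-threat shun duration 3600
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
"""

# Assumed format: "Shun <ip> cnt=<n>, time=(<h>:<m>:<s>)"; hours can exceed 24.
SHUN_RE = re.compile(r"^Shun\s+(\S+)\s+cnt=(\d+),\s+time=\((\d+):(\d+):(\d+)\)")
DURATION_RE = re.compile(r"^threat-detection scanning-threat shun duration (\d+)")


def parse_shun_stats(text):
    """Return one dict per shun entry with the IP, hit count and age in seconds."""
    entries = []
    for line in text.splitlines():
        m = SHUN_RE.match(line.strip())
        if not m:
            continue
        ip, cnt, h, mi, s = m.groups()
        age = int(h) * 3600 + int(mi) * 60 + int(s)
        entries.append({"ip": ip, "cnt": int(cnt), "age_s": age})
    return entries


def parse_shun_duration(config, default=3600):
    """Extract the configured scanning-threat shun duration (seconds)."""
    for line in config.splitlines():
        m = DURATION_RE.match(line.strip())
        if m:
            return int(m.group(1))
    return default  # assumption: fall back to the 3600 s value quoted in the thread


def find_stale_shuns(stats_text, config_text):
    """Entries older than the shun duration: candidates for a manual (non-expiring) shun."""
    duration = parse_shun_duration(config_text)
    return [e for e in parse_shun_stats(stats_text) if e["age_s"] > duration]


if __name__ == "__main__":
    for e in find_stale_shuns(SHUN_STATS, CONFIG):
        flag = "no hits" if e["cnt"] == 0 else f"{e['cnt']} hits"
        print(f"{e['ip']}: shunned {e['age_s']} s ({flag}) - exceeds configured duration")
```

Entries that the script flags should be cross-checked against "show conn" for the same address, as the thread does, before clearing them; an entry that is both stale and idle is the pattern the reply attributes to a manual shun.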
08-04-2016 11:23 PM
Hello,
I have monitored for a few days and it now looks good after the clear shun. Thanks!
The ASA version I am using now is 9.4(2)11.
08-05-2016 08:56 AM
Hello Machi,
I am glad to know this :)
If you think this has been resolved, please mark/rate the answer as useful.
Thanks!