Shunned

dipak jaiswal
Level 1

Hi,

I have a server with IP address 172.21.X.X, and it is always getting shunned. I have to manually clear the shun every time. I am unable to understand why the server is getting blocked by shun. I can bypass the server address at shun, but that's not a solution. The server runs a Linux OS. Can anyone please help with this?

Thanks in advance

Dipak

3 Accepted Solutions

Hi Dipak,

We would need to verify it on the IPS as well as in threat-detection:

For threat-detection you can use the "except" keyword to exclude your server.

threat-detection scanning-threat shun except ip-address 172.21.10.13 255.255.255.255

To check on the IPS, log in to the IDM, and at the top go to Monitoring -> Active Hosts Block. There you can see if this server is being blocked by the IPS.

If it is blocked by the IPS, go to Configuration -> Blocking Properties -> Never block IPs.

Screenshots are attached.

Hope this helps.

Thanks,

Varun

Thanks,
Varun Rao


Hi Dipak,

Login to the device, and issue the command:

tls generate-key

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_qanda_item09186a008025c533.shtml

This would generate a new key.

Thanks,

Varun

Thanks,
Varun Rao


Hi Dipak,

These docs would help you a great deal in configuring IPS with IME:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/ime/ime_event_monitoring.html

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a00801c0e3c.shtml

If you face any configuration issues, raise a TAC ticket and involve an engineer on it.

Thanks,

Varun

Thanks,
Varun Rao


29 Replies

padatta
Level 1

Hi,

The best way to find out would be to enable debug level logging and wait for the server to be shunned again.

The logs should give more insight.

Paps

Hi,

What is the debug command for shun? I have searched a lot over the internet, but couldn't find anything.

Thanks a lot in advance

Regards

Dipak

Hi Dipak,

Can you explain what the purpose is for it, and what information you are trying to see?

Varun

Thanks,
Varun Rao

Hi Varun,

As suggested by Mr. Padatta, I am trying to do debug-level logging for the shunned server. It's creating a lot of problems when the server is getting shunned and I have to remove it manually. Is there any other way to solve this issue? Please help me.

Thanks a lot in advance.

Regards

Dipak

Hi Dipak,

There is no debug command for shun; what he suggested was taking logs from the ASA at debug level:

To enable it you need the command:

logging buffered 7

logging monitor 7

or

logging trap 7

Level 7 is for debugging.

here is a doc:

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/system/message/logsevp.html

and

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml

Hope this helps

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

I have enabled debugging on the ASA. It's only showing the message below:

Shunned packet: 172.21.x.x ==> 10.40.x.x on interface DMZ

Please suggest.

Hi Dipak,

If you want to see which IP addresses are getting shunned on the firewall, use the command "show shun". For the IP addresses that should not be shunned, add a "no" in front of the shun line and save the changes; those IPs would be removed from the shun list.

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/command/reference/s8.html#wp1525925

Hope this helps

Thanks,

Varun

Thanks,
Varun Rao

Hi,

I have tried the "no shun ip address" command and saved the changes, but after some time it's getting shunned again.

Is there any other way ? Please suggest.

Regards

Dipak

Hi Dipak,

I am a bit confused about your issue here:

Are you not able to access a server, and the reason that you see in the logs is that it has been shunned? You have tried removing the shun command, but after some time it comes back on the firewall?

I am asking you this because access to the server could be blocked for some other reason as well. Do you always see the IP of the server in the shunned list?

Please provide me the following outputs:

ip of the server

show shun

the logs that you get when you access the server.

Thanks,

Varun

Thanks,
Varun Rao

Hi,

We are able to access and ping the server before the shun. As soon as it gets shunned, we are neither able to ping nor access the server. After removing it with the no shun command, we are able to access and ping the server again. After some time the server IP automatically gets shunned. Yes, the server IP always gets shunned. The server is our DNS server.

IP of the server : 172.21.10.13

Show shun : shun (DMZ) 172.21.10.13 0.0.0.0 0 0 0

The logs that you get when you access the server: Built outbound TCP connection 197491880 for DMZ:172.21.10.13/22 (172.15.22/22) to INSIDE:172.21.15.12 (172.21.15.12/1122)

Regards

Dipak

Hi,

Please help me to solve this issue.

Thanks a lot in advance.

Regards

Dipak

Hi Dipak,

Automatic shunning can happen on ASAs for 2 reasons:

1) You have scanning threat-detection enabled with shunning on the ASA.

2) There is an IPS device configured on your network for blocking which adds this shun on the ASA.

So my questions are:

1) Please post the output of show run all threat-detection from the ASA.

2) Do you have a Cisco IPS in your network?

Regards,

Prapanch

Hi,

sh run all threat-detection (output):

threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400

threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320

threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400

threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320

threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800

threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640

threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400

threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320

threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400

threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320

threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10

threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8

threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200

threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160

threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600

threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280

threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600

threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280

threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000

threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400

threat-detection basic-threat

threat-detection scanning-threat shun duration 3600

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

Yes, we have Cisco IPS in our network.

Please suggest.

Thanks a lot in advance.

Regards

Dipak
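Prapanch's two causes (scanning threat-detection with shun, or an IPS pushing blocks) and Varun's "except" fix can be checked from the outputs Dipak already posted. The script below is an added example written for this thread; it is not code from the original posts or from Cisco. It parses the "show run all threat-detection", "show shun" and "Shunned packet" debug lines in the formats shown above, then reports whether the host is currently shunned, whether the ASA's own scanning-threat policy will re-shun it (the host is not covered by an "except" entry), and which command would stop that. The 10.40.x destination addresses in the sample syslog lines are constructed placeholders, and only the "except ip-address" form is parsed (the object-group form is ignored).

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data, copied from the values posted in this thread
# (rate lines other than scanning-threat are omitted for brevity).
SHOW_RUN_ALL_THREAT_DETECTION = """\
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics host
no threat-detection statistics tcp-intercept
"""
SHOW_SHUN = "shun (DMZ) 172.21.10.13 0.0.0.0 0 0 0\n"
# The debug-level message Dipak saw; the inside addresses are constructed placeholders.
SYSLOG_LINES = [
    "Shunned packet: 172.21.10.13 ==> 10.40.1.5 on interface DMZ",
    "Shunned packet: 172.21.10.13 ==> 10.40.1.6 on interface DMZ",
]


@dataclass
class ScanningThreatPolicy:
    enabled: bool = False                 # any 'threat-detection scanning-threat' line present
    shun: bool = False                    # '... scanning-threat shun' present
    shun_duration: Optional[int] = None   # seconds before an automatic shun ages out
    excepted: list = field(default_factory=list)   # IPv4Network objects that are never shunned
    rates: dict = field(default_factory=dict)      # rate-interval -> (average-rate, burst-rate)


def parse_threat_detection(config: str) -> ScanningThreatPolicy:
    """Extract the scanning-threat part of 'show run all threat-detection'."""
    policy = ScanningThreatPolicy()
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "no":   # negated lines enable nothing
            continue
        if tokens[:2] == ["threat-detection", "scanning-threat"]:
            policy.enabled = True
            rest = tokens[2:]
            if rest[:1] == ["shun"]:
                policy.shun = True
                if rest[1:2] == ["duration"]:
                    policy.shun_duration = int(rest[2])
                elif rest[1:3] == ["except", "ip-address"]:
                    # 'except ip-address A.B.C.D MASK': tuple form accepts a dotted mask
                    policy.excepted.append(ipaddress.IPv4Network((rest[3], rest[4]), strict=False))
        elif tokens[:3] == ["threat-detection", "rate", "scanning-threat"]:
            m = re.search(r"rate-interval (\d+) average-rate (\d+) burst-rate (\d+)", raw)
            if m:
                policy.rates[int(m[1])] = (int(m[2]), int(m[3]))
    return policy


SHUN_LINE = re.compile(r"^shun \((?P<interface>[^)]+)\) (?P<src>\S+) (?P<dst>\S+) "
                       r"(?P<sport>\d+) (?P<dport>\d+)(?: (?P<proto>\d+))?")
SHUNNED_PKT = re.compile(r"Shunned packet: (?P<src>\S+) ==> (?P<dst>\S+) on interface (?P<interface>\S+)")


def parse_show_shun(output: str) -> list:
    """Turn 'show shun' lines into dicts; 0.0.0.0 and 0 mean 'any' for that field."""
    return [m.groupdict() for line in output.splitlines() if (m := SHUN_LINE.match(line.strip()))]


def count_shunned_packets(lines, host: str) -> int:
    """Count debug-level 'Shunned packet' messages naming host as the shunned source."""
    return sum(1 for line in lines if (m := SHUNNED_PKT.search(line)) and m["src"] == host)


def is_excepted(host: str, policy: ScanningThreatPolicy) -> bool:
    ip = ipaddress.IPv4Address(host)
    return any(ip in net for net in policy.excepted)


def triage(host: str, config: str, shun_output: str, syslog_lines) -> dict:
    """Is the host shunned now, and will the ASA's own policy shun it again?"""
    policy = parse_threat_detection(config)
    active = [e for e in parse_show_shun(shun_output) if e["src"] == host]
    excepted = is_excepted(host, policy)
    will_reshun = policy.shun and not excepted
    recommended = []
    if active:
        recommended.append(f"no shun {host}")   # clears the current entry only
    if will_reshun:
        recommended.append(f"threat-detection scanning-threat shun except ip-address {host} 255.255.255.255")
    if active and not policy.shun:
        # Nothing on the ASA re-creates the shun, so look at the IPS blocking configuration
        recommended.append("check the IPS Active Hosts Block list and its Never block settings")
    return {
        "shunned": bool(active),
        "interface": active[0]["interface"] if active else None,
        "auto_shun": policy.shun,
        "shun_duration": policy.shun_duration,
        "scan_rates": policy.rates,
        "excepted": excepted,
        "will_reshun": will_reshun,
        "dropped_packets_seen": count_shunned_packets(syslog_lines, host),
        "recommended": recommended,
    }


if __name__ == "__main__":
    for key, value in triage("172.21.10.13", SHOW_RUN_ALL_THREAT_DETECTION, SHOW_SHUN, SYSLOG_LINES).items():
        print(f"{key}: {value}")
```

With the thread's data the report shows the host shunned on DMZ, auto_shun true with a 3600-second duration, a 5 pps average / 10 pps burst scanning threshold over 600 seconds (low for a busy DNS server, which explains why a plain "no shun" only buys time), and no "except" entry, so it recommends the except command Varun gave. Feeding the same config with an except line added flips will_reshun to false, which is the state to confirm after applying the fix.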