04-07-2011 01:20 AM - edited 03-11-2019 01:18 PM
Hi,
I have a server having IP address 172.21.X.X, and it is always getting shunned. I have to manually clear the shun every time. Why the server is getting blocked at shun, I am unable to understand. I can bypass the server address at shun, but that's not a solution. The server contains Linux OS. Can anyone please help on this?
Thanks in advance
Dipak
07-15-2011 01:28 AM
Hi,
When the server is getting blocked, it is showing at shun on ASA but it's not showing at IPS under Active host block. As suggested by you, if I configure the threat-detection scanning-threat shun except ip-address 172.21.10.13 255.255.255.255 command, then the server is not getting shunned or blocked.
How can I verify with the server IP address at IPS whether any signature is getting tuned for this server? Is threat-detection scanning-threat shun except ip-address 172.21.10.13 255.255.255.255 the best way to configure?
IPS is configured in inline mode.
Please suggest.
Thanks a lot in advance.
Regards
Dipak
07-15-2011 02:33 AM
Hi Dipak,
Yes, you can check it, but in IME: go to IME > Event Monitoring and then the filter tab, filter by attacker IP first; if it doesn't help, filter by victim IP and search. This should work for you.
Hope this helps.
Thanks,
Varun
07-15-2011 04:36 AM
Hi,
Event Monitoring option is not showing. Is there any option to enable it? I have searched on the internet but couldn't find anything. Please find the screenshot of what options are available at IPS.
Please suggest.
Thanks a lot in advance.
Regards
Dipak
07-15-2011 04:54 AM
07-15-2011 11:02 AM
Hi,
I have installed Cisco IME 7.1.1. While trying to add IPS device, it's giving the below mentioned error:
IOException when try to get certificate: java.security.cert.Certificate expired exception : Not After Mon Jun 13 05:51:27 GMT +5:30 2011
I think a certificate has expired, but which certificate has expired I am unable to understand.
When I tried to add the IDSM device, the following error occurred:
IOException when try to get certificate: Read timed out.
Please suggest.
Thanks a lot in advance.
Regards
Dipak
07-15-2011 11:16 AM
Hi Dipak,
Is your Java plug-in configured to use a proxy?
Control Panel>Java
General>Network Settings...
Please set it to "Direct connection".
You may need to reboot the system to force Java to update this setting.
Try to add the device again.
Thanks,
Varun
07-15-2011 08:30 PM
Hi,
After changing Java settings, the following error occurred while trying to add IDSM:
IOException when try to get certificate: java.security.cert.Certificate expired exception : Not After Wed Jun 08 15:06:21 GMT +5:30 2011
While trying to add IPS device also same has occurred. Please find the screenshot for the same.
While opening IME, RSS feed error has occurred. Please find the screenshot for the same.
Please suggest.
Thanks a lot in advance.
Regards
Dipak
07-15-2011 09:22 PM
Hi Dipak,
Login to the device, and issue the command:
tls generate-key
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_qanda_item09186a008025c533.shtml
This would generate a new key.
Thanks,
Varun
07-15-2011 09:41 PM
Hi,
The devices are in the production environment. Would there be any impact while generating certificates?
Please suggest.
Regards
Dipak
07-15-2011 09:53 PM
There would not be any impact with this.
But if you want, you can carry this in off-production hours.
Thanks,
Varun
07-16-2011 12:11 AM
Hi,
It's working now, after re-generating certificate. It's got generating any event monitoring at event views and also at reporting.
Do I have to configure anything for event monitoring and reports? I have selected Basic view and realtime options and clicked on apply, but nothing is showing. Even if I specify an IP address, then also nothing is showing.
Please suggest.
Regards
Dipak
07-16-2011 01:31 AM
Hi Dipak,
These docs would help you great deal in configuring IPS with IME:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/ime/ime_event_monitoring.html
If you face any configuration issues, raise a TAC ticket and involve an engineer on it.
Thanks,
Varun
07-19-2011 12:25 AM
Hi,
Thanks a lot. It's working now.
Regards
Dipak
07-19-2011 12:39 AM
Hey, that's good!! All the best....
-Varun
02-26-2021 01:55 PM
one example
FW-ODA#show shun
FW-ODA#shun (INSIDE) 172.16.10.19 0.0.0.0 0 0 0
(config)# no shun 172.16.10.19
FW-ODA# show shun
FW-ODA#
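Added example (not part of any post in this thread): a small Python parser for saved `show shun` output in the line format shown above, which reports shuns whose source address belongs to your own server networks so a blocked production host is noticed and investigated rather than only cleared by hand. The `SERVER_NETS` list, the second sample line and its 203.0.113.45 address are constructed assumptions.

```python
import ipaddress
import re
from typing import NamedTuple

# Matches entries such as: shun (INSIDE) 172.16.10.19 0.0.0.0 0 0 0
# Fields: interface, source IP, destination IP, source port, dest port, protocol.
SHUN_RE = re.compile(
    r"shun \((?P<ifc>[^)]+)\)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<proto>\d+)"
)

class Shun(NamedTuple):
    interface: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    sport: int
    dport: int
    proto: int

def parse_show_shun(text):
    """Return one Shun per entry; prompts, commands and blank lines are skipped."""
    shuns = []
    for line in text.splitlines():
        m = SHUN_RE.search(line)  # search() tolerates a prompt fused to the line
        if not m:
            continue
        try:
            src = ipaddress.IPv4Address(m["src"])
            dst = ipaddress.IPv4Address(m["dst"])
        except ipaddress.AddressValueError:
            continue  # malformed address: skip the line instead of crashing
        shuns.append(Shun(m["ifc"], src, dst,
                          int(m["sport"]), int(m["dport"]), int(m["proto"])))
    return shuns

def shunned_servers(shuns, server_nets):
    """Return the shuns whose source address lies inside a protected network."""
    nets = [ipaddress.ip_network(n) for n in server_nets]
    return [s for s in shuns if any(s.src in n for n in nets)]

# Constructed sample: first entry is the one from the thread, second is made up.
SAMPLE = """FW-ODA# show shun
shun (INSIDE) 172.16.10.19 0.0.0.0 0 0 0
shun (OUTSIDE) 203.0.113.45 0.0.0.0 0 0 0
FW-ODA#
"""
SERVER_NETS = ["172.16.10.0/24"]  # assumption: your own server subnets

if __name__ == "__main__":
    for s in shunned_servers(parse_show_shun(SAMPLE), SERVER_NETS):
        print(f"server {s.src} is shunned on interface {s.interface}")
```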