Threat detection shuns on ASA

David Niemann
Level 3

I have a question about the threat detection on ASA. We used to have a custom script that ran against Pix firewalls that more or less did the same thing as threat detection. We have since discontinued using the script in favor of the built in threat detection. My question is how do I determine why the system was shunned. For example I get these in the logs.

Jun 14 20:46:50 <removed> Jun 14 2012 20:46:50 <removed>: %ASA-4-733100: [   172.31.0.20] drop rate-1 exceeded. Current burst rate is 16 per second, max configured rate is 16; Current average rate is 1 per second, max configured rate is 5; Cumulative total count is 1358

Jun 14 20:46:50 <removed> Jun 14 2012 20:46:50 <removed>: %ASA-4-733101: Host 172.31.0.20 is attacking. Current burst rate is 16 per second, max configured rate is 16; Current average rate is 1 per second, max configured rate is 5; Cumulative total count is 1358

Jun 14 20:46:50 <removed> Jun 14 2012 20:46:50 <removed>: %ASA-4-401002: Shun added: 172.31.0.20 0.0.0.0 0 0

Jun 14 20:46:50 <removed> Jun 14 2012 20:46:50 <removed>: %ASA-4-733102: Threat-detection adds host 172.31.0.20 to shun list

Jun 14 20:46:50 <removed> Jun 14 2012 20:46:50 <removed>: %ASA-4-401004: Shunned packet: 172.31.0.20 ==> 192.168.250.20 on interface <removed>

I understand how the rates are used, but what I can't figure out is the cause of the drops.  I see no denies during this time frame from this host.
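As an added example (not code from the thread), the following parser reads the five message types quoted above, correlates them per source host, and reports which configured limit the figures in 733100/733101 actually reached. On the quoted lines the burst rate (16 of a configured 16) tripped while the average (1 of 5) did not, so the shun was triggered by a short burst rather than sustained volume, which is consistent with seeing no steady stream of denies. The sample lines are constructed from the post's logs, with "fw1" and "inside" standing in for the removed hostname and interface; the meaning of "rate-1" is not interpreted.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the five lines quoted in the post ("fw1"/"inside" replace <removed>).
SAMPLE_LOGS = """\
Jun 14 20:46:50 fw1 Jun 14 2012 20:46:50 fw1: %ASA-4-733100: [   172.31.0.20] drop rate-1 exceeded. Current burst rate is 16 per second, max configured rate is 16; Current average rate is 1 per second, max configured rate is 5; Cumulative total count is 1358
Jun 14 20:46:50 fw1 Jun 14 2012 20:46:50 fw1: %ASA-4-733101: Host 172.31.0.20 is attacking. Current burst rate is 16 per second, max configured rate is 16; Current average rate is 1 per second, max configured rate is 5; Cumulative total count is 1358
Jun 14 20:46:50 fw1 Jun 14 2012 20:46:50 fw1: %ASA-4-401002: Shun added: 172.31.0.20 0.0.0.0 0 0
Jun 14 20:46:50 fw1 Jun 14 2012 20:46:50 fw1: %ASA-4-733102: Threat-detection adds host 172.31.0.20 to shun list
Jun 14 20:46:50 fw1 Jun 14 2012 20:46:50 fw1: %ASA-4-401004: Shunned packet: 172.31.0.20 ==> 192.168.250.20 on interface inside
"""

MSG_RE = re.compile(r"%ASA-\d-(?P<id>\d{6}): (?P<body>.*)$")
# The source host sits in a different position in each message type.
HOST_RE = re.compile(r"(?:\[\s*|Host |Shun added: |adds host |Shunned packet: )(?P<host>\d+(?:\.\d+){3})")
RATE_RE = re.compile(
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)")

def parse_line(line):
    # Returns a dict for any %ASA message; rate fields are present only for 733100/733101.
    m = MSG_RE.search(line)
    if not m: return None
    body = m["body"]
    h = HOST_RE.search(body)
    ev = {"id": m["id"], "host": h["host"] if h else None}
    r = RATE_RE.search(body)
    if r:  # record which configured limit the measured rate reached: burst, avg, or both
        ev.update({k: int(v) for k, v in r.groupdict().items()})
        ev["tripped"] = [n for n in ("burst", "avg") if ev[n] >= ev[n + "_max"]]
    if m["id"] == "401004":
        ev["dst"] = re.search(r"==> (\S+)", body).group(1)
    return ev

def summarize(text):
    # Correlate the 733100 -> 733101 -> 401002 -> 733102 -> 401004 sequence per source host.
    hosts = defaultdict(lambda: {"events": [], "tripped": [], "rates": {}, "targets": set(),
                                 "shunned_by_threat_detection": False})
    for line in text.splitlines():
        ev = parse_line(line)
        if not ev or not ev["host"]: continue
        entry = hosts[ev["host"]]
        entry["events"].append(ev["id"])
        if "tripped" in ev:  # 733100 and 733101 repeat the same figures
            entry["tripped"] = ev["tripped"]
            entry["rates"] = {k: ev[k] for k in ("burst", "burst_max", "avg", "avg_max", "total")}
        elif ev["id"] == "401004":
            entry["targets"].add(ev["dst"])
        elif ev["id"] == "733102":
            entry["shunned_by_threat_detection"] = True
    return dict(hosts)
```

Run `summarize(SAMPLE_LOGS)` over an exported syslog window to see, per shunned host, the event chain, the limit that fired and the destinations the shun dropped.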

1 Reply

Kureli Sankar
Cisco Employee

Jun 14 20:46:50 Jun 14 2012 20:46:50 : %ASA-4-401004: Shunned packet: 172.31.0.20 ==> 192.168.250.20 on interface

It did shun packet from 172.31.0.20 destined to 192.168.250.20.

Please post the output of "sh run threat". Also look at "sh threat shun".

-Kureli
