
manual blocking doesn't work

I'm trying to configure blocking with PIX. I have configured the IDS with the PIX parameters in order to make the blocking, but in the Manual Blocking page of the DeviceManager in the field "Net Device Status" it shows password_sent, it never shows active.

I can telnet from the IDS to the PIX successfully.

Any idea?

Thanks.

6 Replies

jlively
Cisco Employee

What ids version are you using? In 3.1 there is a known issue connecting to pix using version 6.2.1 with telnet. If you use ssh and 3des it will work fine. Upgrading to 4.0 will also solve the problem.

Thanks for your help.

With ssh the blocking is working. But now, the shunned IP is never un-shunned from the firewall.

I have configured “ICMP echo request” signature to block for 3 minutes. When the ping starts the source IP is blocked, 3 minutes later the manual blocking page shows when the block ends and the IP disappears from the blocked IPs, but in the PIX it is still shunned, I can see this using “show shun statistics” command in the firewall.

When the test is made with manual blocking of IDS-DM it works fine.

The IDS version is 3.1(3)S43, PIX version 6.2(2).

Thanks.

When the next shun happens, are they both listed using "show shun statistics"? So basically the shun list keeps increasing. Can you unshun them manually on the pix with the unshun command?

Check in your nr.managed errors file for recent errors. This is the file /usr/nr/var/errors.managed.(pid). The only reason I know of for a shun to fail to be removed is if the sensor loses contact with the pix. That problem, and any other problems, should be reported in the errors log. Contact can be lost due to transient network conditions. But eventually when contact is reestablished, the shun should be removed. Also, edit the file /usr/nr/etc/managed.conf. If it contains any entries for permanent shuns, you can delete them from the file, and then restart the sensor.

The /usr/nr/var/errors.managed.(pid) file doesn't show errors related to the IP address that should be unshunned. Also, there aren't any lines in /usr/nr/etc/managed.conf containing entries related to time.

In the file /usr/nr/var/log.200305150934 there is a message reporting the shunning of the IP and a message reporting the unshun of the ip.

Yes they are both listed. And the only way to unblock is typing "clear shun" in the pix.
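The failure mode in this thread is a firewall shun list that keeps growing because the sensor's expiry never reaches the PIX. The script below is an added example (not code from the thread, from Cisco, or from the IDS product) that reconciles a captured `show shun` listing against the sensor's own view of active blocks and reports the stale entries. It assumes `show shun` lines of the form `shun (<interface>) <src-ip> <dst-ip> <sport> <dport>`; the sensor-side block records are a constructed, hypothetical CSV export (ip, block start, minutes), not the sensor's real log format; and the generated `no shun <ip>` lines assume the PIX accepts that form of the unshun command.

```python
"""Reconcile a PIX shun table against what the IDS sensor believes is blocked.

Reports shuns the firewall still holds after the sensor has expired them
(the symptom in this thread: the shun list only ever grows).
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample of PIX "show shun" output (assumed line layout:
#   shun (<interface>) <src-ip> <dst-ip> <sport> <dport>).
PIX_SHOW_SHUN = """\
shun (outside) 10.10.10.5 0.0.0.0 0 0
shun (outside) 10.10.10.9 0.0.0.0 0 0
shun (outside) 192.0.2.44 0.0.0.0 0 0
shun (outside) 198.51.100.7 0.0.0.0 0 0
"""

# Constructed, hypothetical export of the sensor's view of its blocks:
#   <ip>,<block start, UTC>,<block duration in minutes>
# This is NOT the sensor's own log or managed.conf format.
SENSOR_BLOCKS = """\
10.10.10.5,2003-05-15 09:34:00,3
10.10.10.9,2003-05-15 09:50:00,3
192.0.2.44,2003-05-15 09:52:00,30
"""

SHUN_RE = re.compile(
    r"^shun \((?P<iface>[^)]+)\) (?P<src>(?:\d{1,3}\.){3}\d{1,3})\b"
)


def parse_show_shun(text):
    """Map each shunned source IP to the interface the shun is applied on."""
    shuns = {}
    for line in text.splitlines():
        m = SHUN_RE.match(line.strip())
        if m:
            shuns[m.group("src")] = m.group("iface")
    return shuns


def parse_sensor_blocks(text):
    """Map each IP the sensor blocked to the time that block should expire."""
    expiry = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, start, minutes = (field.strip() for field in line.split(","))
        started = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
        expiry[ip] = started + timedelta(minutes=int(minutes))
    return expiry


def find_stale_shuns(pix_shuns, sensor_expiry, now):
    """Return (ip, reason) for every shun the PIX holds that the sensor no
    longer wants: either expired on the sensor side or never issued by it."""
    stale = []
    for ip in sorted(pix_shuns, key=ipaddress.ip_address):
        if ip not in sensor_expiry:
            stale.append((ip, "unknown to sensor"))
        elif sensor_expiry[ip] <= now:
            stale.append((ip, "expired at %s" % sensor_expiry[ip].isoformat()))
    return stale


def stale_ips_at(now_str):
    """Convenience wrapper over the constructed samples; returns only the IPs."""
    now = datetime.strptime(now_str, "%Y-%m-%d %H:%M:%S")
    stale = find_stale_shuns(parse_show_shun(PIX_SHOW_SHUN),
                             parse_sensor_blocks(SENSOR_BLOCKS), now)
    return [ip for ip, _ in stale]


def unshun_commands(stale):
    """Build per-IP removal commands (assumes PIX accepts 'no shun <ip>'),
    so stale entries can be cleared individually instead of 'clear shun'."""
    return ["no shun %s" % ip for ip, _ in stale]


if __name__ == "__main__":
    now = datetime(2003, 5, 15, 9, 55, 0)
    stale = find_stale_shuns(parse_show_shun(PIX_SHOW_SHUN),
                             parse_sensor_blocks(SENSOR_BLOCKS), now)
    for ip, reason in stale:
        print("stale shun %-16s %s" % (ip, reason))
    print("\n".join(unshun_commands(stale)))
```

Run against a real capture, the report separates two cases worth treating differently: shuns the sensor expired but could not remove (the bug discussed above, where the errors.managed file should be checked) and shuns the sensor never issued, which were added by hand or by another device and should not be removed on the sensor's behalf.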