10-18-2014 12:38 PM
Need some help. We are unable to get any Mac to remain connected via VPN for more than 30 - 60 seconds. After some digging, I discovered that they were being shunned. Any idea why only Macs are being shunned when connected via VPN? Thanks
10-18-2014 04:08 PM
Typically the only reason we see shunning is that the client exhibits some behavior that triggers a policy in the firewall. What exactly do you see on the ASA when this happens to indicate that shunning is going on? If you capture some syslogs it should give us an indicator of why it's happening.
Also what version of ASA software and what type of VPN (IPsec, SSL full tunnel or SSL clientless) and client software are you using?
10-20-2014 02:25 PM
Hi,
I'm using version 8.3(1). I'm shunned using both the AnyConnect client and the native Cisco IPSec on the Mac.
Here is a quick shot of the syslog:
4|Oct 20 2014|17:15:07|401002|||||Shun added: 192.168.195.224 0.0.0.0 0 0
4|Oct 20 2014|17:15:07|733101|||||Host 192.168.195.224 is attacking. Current burst rate is 11 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 609
4|Oct 20 2014|17:15:07|733102|||||Threat-detection adds host 192.168.195.224 to shun list
4|Oct 20 2014|17:15:07|733100|||||[ 192.168.195.224] drop rate-1 exceeded. Current burst rate is 11 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 60
Thanks for your help!
10-20-2014 02:34 PM
It appears you have enabled:
threat-detection scanning-threat shun
You can either turn that off altogether or - perhaps a better idea - exclude your VPN pool from shunning. That would look something like (assuming your VPN pool is the /24):
threat-detection scanning-threat shun except ip-address 192.168.195.0 255.255.255.0
Here's a link to the configuration guide section with more details.
10-20-2014 05:31 PM
Oh cool. I've noticed a few ranges that are already excluded from shunning. Will adding this range remove the ones that are already there? Just curious.
Thanks
10-21-2014 06:18 AM
You can add multiple subnets or hosts on separate lines of the configuration. They will be additive and not otherwise affect each other.
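As an added example, not code from the thread or from Cisco, the following Python script applies the logic of the two replies above to the syslog format shown earlier in the thread: it reads every `threat-detection scanning-threat shun except ip-address` line out of a configuration fragment (each line adds one subnet or host, and they are additive), parses ASA 733101 "Host X is attacking" messages, notes which configured rate (burst or average) was exceeded, and reports whether each host would be shunned or is covered by an exception. The configuration fragment and the log lines are constructed for the example; the 10.10.0.0/16 exception, the 203.0.113.45 host and its rates are made up.

```python
import ipaddress
import re

# Constructed ASA configuration fragment: scanning-threat shun is enabled and
# two "except" lines are present. Each except line is additive; a new one
# does not replace the ones already configured.
CONFIG = """\
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.10.0.0 255.255.0.0
threat-detection scanning-threat shun except ip-address 192.168.195.0 255.255.255.0
threat-detection statistics access-list
"""

# Constructed syslog lines in the pipe-delimited form quoted in the thread.
# The first two mirror the thread's VPN client; the 203.0.113.45 entries are made up.
SYSLOG = """\
4|Oct 20 2014|17:15:07|733101|||||Host 192.168.195.224 is attacking. Current burst rate is 11 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 609
4|Oct 20 2014|17:15:07|733102|||||Threat-detection adds host 192.168.195.224 to shun list
4|Oct 20 2014|17:16:30|733101|||||Host 203.0.113.45 is attacking. Current burst rate is 40 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 2200
4|Oct 20 2014|17:16:30|733102|||||Threat-detection adds host 203.0.113.45 to shun list
"""

EXCEPT_RE = re.compile(
    r"^threat-detection scanning-threat shun except ip-address (\S+) (\S+)$"
)
ATTACK_RE = re.compile(
    r"Host (\S+) is attacking\. Current burst rate is (\d+) per second, "
    r"max configured rate is (\d+); Current average rate is (\d+) per second, "
    r"max configured rate is (\d+)"
)


def shun_enabled(config: str) -> bool:
    """True if any line enables scanning-threat shun (with or without exceptions)."""
    return any(
        line.strip().startswith("threat-detection scanning-threat shun")
        for line in config.splitlines()
    )


def parse_exceptions(config: str) -> list:
    """Collect every 'shun except ip-address <addr> <mask>' line as an ip_network."""
    nets = []
    for line in config.splitlines():
        m = EXCEPT_RE.match(line.strip())
        if m:
            # ipaddress accepts a dotted netmask after the slash.
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets


def parse_attack_events(syslog: str) -> list:
    """Extract 733101 messages: host plus which configured rate(s) it exceeded."""
    events = []
    for line in syslog.splitlines():
        fields = line.split("|")
        if len(fields) < 9 or fields[3] != "733101":
            continue
        m = ATTACK_RE.search(fields[8])
        if not m:
            continue
        host, burst, burst_max, avg, avg_max = m.group(1), *map(int, m.groups()[1:])
        triggers = []
        if burst > burst_max:
            triggers.append("burst")
        if avg > avg_max:
            triggers.append("average")
        events.append({"host": host, "triggers": triggers})
    return events


def evaluate(config: str, syslog: str) -> dict:
    """Map each attacking host to 'shunned', 'excepted' or 'not-shunned'."""
    enabled = shun_enabled(config)
    nets = parse_exceptions(config)
    results = {}
    for ev in parse_attack_events(syslog):
        ip = ipaddress.ip_address(ev["host"])
        if not enabled:
            verdict = "not-shunned"
        elif any(ip in net for net in nets):
            verdict = "excepted"
        else:
            verdict = "shunned"
        results[ev["host"]] = {"verdict": verdict, "triggers": ev["triggers"]}
    return results


if __name__ == "__main__":
    for host, info in evaluate(CONFIG, SYSLOG).items():
        print(f"{host}: {info['verdict']} (exceeded: {', '.join(info['triggers']) or 'none'})")
```

Run against the constructed input, the VPN client at 192.168.195.224 is reported as excepted (only the burst rate was over its limit), while 203.0.113.45 is still shunned because it falls outside every except line; removing the except lines from CONFIG makes the VPN client shunned again, which is the situation the original poster hit.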