Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
951
Views
5
Helpful
5
Replies

Macbook - ASA Shunning

Go to solution
ljohnson7
Level 1
Level 1

‎10-18-2014 12:38 PM

Need some help. We are unable to get any Mac to remain connected via VPN for more than 30 - 60 seconds. After some digging, I discovered that they were being shunned. Any idea why only Macs are being shunned when connected via VPN? Thanks

 

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to ljohnson7

‎10-20-2014 02:34 PM

It appears you have enabled:

threat-detection scanning-threat shun

You can either turn that off altogether or - perhaps a better idea - exclude your VPN pool from shunning. That would look something like (assuming your VPN pool is the /24):

threat-detection scanning-threat shun except ip-address 192.168.195.0 255.255.255.0

Here's a link to the configuration guide section with more details.

View solution in original post

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to ljohnson7

‎10-21-2014 06:18 AM

You can add multiple subnets or hosts on separate lines of the configuration. They will be additive and not otherwise affect each other.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-18-2014 04:08 PM

Typically the only reason we see shunning is that the client exhibits some behavior that triggers a policy in the firewall. What exactly do you see on the ASA when this happens to indicate that shunning is going on? If you capture some syslogs it should give us an indicator of why it's happening.

Also what version of ASA software and what type of VPN (IPsec, SSL full tunnel or SSL clientless) and client software are you using?

Go to solution
ljohnson7
Level 1
Level 1
In response to Marvin Rhoads

‎10-20-2014 02:25 PM

Hi,

 

I'm using version 8.3(1). I'm shunned using both the AnyConnect client and the native Cisco IPSec on the Mac.

 

Here is a quick shot of the syslog:

 

4|Oct 20 2014|17:15:07|401002|||||Shun added: 192.168.195.224 0.0.0.0 0 0
4|Oct 20 2014|17:15:07|733101|||||Host 192.168.195.224 is attacking. Current burst rate is 11 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 609
4|Oct 20 2014|17:15:07|733102|||||Threat-detection adds host 192.168.195.224 to shun list
4|Oct 20 2014|17:15:07|733100|||||[   192.168.195.224] drop rate-1 exceeded. Current burst rate is 11 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 60

 

Thanks for your help!

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to ljohnson7

‎10-20-2014 02:34 PM

It appears you have enabled:

threat-detection scanning-threat shun

You can either turn that off altogether or - perhaps a better idea - exclude your VPN pool from shunning. That would look something like (assuming your VPN pool is the /24):

threat-detection scanning-threat shun except ip-address 192.168.195.0 255.255.255.0

Here's a link to the configuration guide section with more details.

0 Helpful

Go to solution
ljohnson7
Level 1
Level 1
In response to Marvin Rhoads

‎10-20-2014 05:31 PM

Oh cool. I've noticed a few ranges that are already excluded from shunning. Will adding this range remote the ones that already there? Just curious.

Thanks

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to ljohnson7

‎10-21-2014 06:18 AM

You can add multiple subnets or hosts on separate lines of the configuration. They will be additive and not otherwise affect each other.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents