cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
676
Views
5
Helpful
5
Replies

Macbook - ASA Shunning

ljohnson7
Beginner
Beginner

Need some help. We are unable to get any Mac to remain connected via VPN for more than 30 - 60 seconds. After some digging, I discovered that they were being shunned. Any idea why only Macs are being shunned when connected via VPN? Thanks

 

 

2 Accepted Solutions

Accepted Solutions

It appears you have enabled:

threat-detection scanning-threat shun

You can either turn that off altogether or - perhaps a better idea - exclude your VPN pool from shunning. That would look something like (assuming your VPN pool is the /24):

threat-detection scanning-threat shun except ip-address 192.168.195.0 255.255.255.0

Here's a link to the configuration guide section with more details.

View solution in original post

You can add multiple subnets or hosts on separate lines of the configuration. They will be additive and not otherwise affect each other.

View solution in original post

5 Replies 5

Marvin Rhoads
VIP Community Legend VIP Community Legend
VIP Community Legend

Typically the only reason we see shunning is that the client exhibits some behavior that triggers a policy in the firewall. What exactly do you see on the ASA when this happens to indicate that shunning is going on? If you capture some syslogs it should give us an indicator of why it's happening.

Also what version of ASA software and what type of VPN (IPsec, SSL full tunnel or SSL clientless) and client software are you using?

Hi,

 

I'm using version 8.3(1). I'm shunned using both the AnyConnect client and the native Cisco IPSec on the Mac.

 

Here is a quick shot of the syslog:

 

4|Oct 20 2014|17:15:07|401002|||||Shun added: 192.168.195.224 0.0.0.0 0 0
4|Oct 20 2014|17:15:07|733101|||||Host 192.168.195.224 is attacking. Current burst rate is 11 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 609
4|Oct 20 2014|17:15:07|733102|||||Threat-detection adds host 192.168.195.224 to shun list
4|Oct 20 2014|17:15:07|733100|||||[   192.168.195.224] drop rate-1 exceeded. Current burst rate is 11 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 60

 

Thanks for your help!

It appears you have enabled:

threat-detection scanning-threat shun

You can either turn that off altogether or - perhaps a better idea - exclude your VPN pool from shunning. That would look something like (assuming your VPN pool is the /24):

threat-detection scanning-threat shun except ip-address 192.168.195.0 255.255.255.0

Here's a link to the configuration guide section with more details.

Oh cool. I've noticed a few ranges that are already excluded from shunning. Will adding this range remote the ones that already there? Just curious.

Thanks

You can add multiple subnets or hosts on separate lines of the configuration. They will be additive and not otherwise affect each other.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers