[c-nsp] ASA shun 'bug' acknowledged
Christian Zeng
christian at zengl.net
Thu May 4 02:54:21 EDT 2006
Hi,
* Jeff Kell <jeff-kell at utc.edu> wrote:
>If you issue a 'shun x.x.x.x' for an outside IP address, any existing
>[TCP] connections with that IP are not affected. Traffic to and from
>the IP continues to pass through the device. No *new* connections are
>allowed with that IP as a source.
>
>The bug ID is CSCse10714.
I do not understand why Cisco acknowledged this as a bug, because the
behavior of the ASA is documented.

Only a fully qualified shun, including destination information etc., will
drop existing connections. Subsequent connections to/from the shunned IP
will be dropped, regardless of whether additional information is given to the
shun command. Or did you see a different behavior?

Of course, the shun approach of the ASA is not perfect; I'd expect that
shunning an IP address results in a drop of all existing connections
without additional configuration.

Christian