How can we help?

Known issue with Cisco ASA shunning Auvik collector

Follow

If your Auvik collector is intermittently disconnecting from our servers or losing Internet connectivity altogether and you have a Cisco ASA on your network’s perimeter, the ASA may be shunning the Auvik collector as a result of aggressive threat detection.

Using Cisco ASDM, you can test if Auvik is losing upstream connectivity to your WAN because of shunning. If it is, there are a couple of commands you can run to whitelist the Auvik collector from the ASA’s threat detection engine.

Prerequisites:

  1. You have Cisco ASDM installed and configured (with administrative rights) on a workstation.
  2. You’re performing this troubleshooting during a period of connectivity loss.
  3. You have the IP address of your Auvik collector handy.

From Cisco ASDM

  1. From the Tools menu, select Packet Tracer.
  2. From the Interface drop-down, select the interface that points towards your Auvik collector. (This is typically your inside or management interface.)
  3. In the Source field, enter the IP address of your Auvik collector.
  4. In the Destination field, select FQDN. Enter amazonaws.com.
  5. For Source Port and Destination Port, enter 443, which is the port for HTTPS traffic.
  6. Click the Start button to begin the trace.

The trace will begin as indicated by the animation.

If your trace comes back with no errors (i.e., all green check marks), then shunning is not the issue. Contact our support team for help with additional troubleshooting.

If your trace contains an error message that says RESULT - The packet is dropped, collapse the plus sign to view additional diagnostic info. Under Info, you should see (shunned) Packet shunned. This confirms that the ASA is shunning the Auvik collector. Proceed to the next section.

How to stop shunning

Run the following commands on your Cisco ASA in privileged exec mode: 

configure terminal
no shun <Auvik collector IP Address>
threat-detection scanning-threat shun except <Auvik collector IP Address>
end
write memory

In the above code, replace <Auvik collector IP Address> with the IP address of your Auvik collector. Depending on the firmware version running on your ASA, you may find that a mask needs to be added to the above command. If this is the case, add 255.255.255.255 after the <Auvik collector IP Address>.

Now reboot your Auvik collector and observe whether it comes back online. If shunning was the culprit, the issue should now be solved. If this fix doesn’t correct the problem, contact our support team for help with additional troubleshooting.

Have more questions? Submit a request

Comments

Powered by Zendesk