Overview
The Cisco ASA includes a threat detection component which performs packet inspection on DNS and other protocols. Umbrella support recommends the following ASA configuration changes to prevent this feature from conflicting with our Virtual Appliance:
- Exempt the Virtual Appliance from the Threat Detection 'shun' feature. More details below.
- Exempt the Virtual Appliance from DNS packet inspection to allow our DNS encryption (DNScrypt). This is covered in a different article: Cisco ASA Firewall blocks DNScrypt
Threat Detection 'Shun' feature
When the 'Shun' feature is enabled, the ASA can completely block a source IP address that is triggering threat detection rules. More details are in the Cisco article: ASA Threat Detection Functionality and Configuration
The Virtual Appliance will normally send a very high number of DNS queries to Umbrella DNS resolvers. In cases where there is a local problem connecting to the resolvers (such as a temporary network outage or latency spike), these queries can fail. Due to the sheer volume of queries we are sending, even a small percentage failing will cause the ASA to shun the Virtual Appliance, leading to a complete DNS outage for a period of time.
Exempting the Virtual Appliance
Please note that the below commands are noted for guidance only and it is recommended that a Cisco expert be consulted prior to making any changes to a production environment.
Via CLI:
- To exempt the Appliance IP from being shunned, run the following command: no shun <src_ip>
Via ASDM interface:
- Choose the Configuration > Firewall > Threat Detection pane
- To exempt the Appliance IP address from being shunned, enter an address in the 'Networks excluded from shun' field. You can enter multiple addresses or subnets separated by commas.
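As an added example (not part of this article), the same exclusion expressed as ASA CLI configuration: the 'Networks excluded from shun' field in ASDM is written to the running configuration as a threat-detection scanning-threat shun except entry, so the exclusion survives reloads. The address 192.168.1.3 is assumed to be the Virtual Appliance; the host mask restricts the exclusion to that single address.

```cisco
! Persistent exclusion: never shun the Virtual Appliance (assumed 192.168.1.3)
! A host mask keeps the exclusion to one address; widen it only to a subnet you own.
threat-detection scanning-threat shun except ip-address 192.168.1.3 255.255.255.255
!
! Operational checks: list active shuns, then remove an active shun on the appliance
show shun
no shun 192.168.1.3
```

The except entry prevents future shuns; it does not lift one that is already in place, which is why the show shun and no shun steps are still useful during an outage.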
Determine if the Appliance has been 'shunned'
If the above steps have not been followed, the appliance could become 'shunned' in some circumstances, leading to a DNS outage.
When the Virtual Appliance has no external connectivity, its console will appear as follows:
The Cisco ASA will log the event as follows:
4|Jun 06 2014 14:00:42|401004: Shunned packet: 192.168.1.3 ==> 208.67.222.222 on interface inside
4|Jun 06 2014 14:00:42|401004: Shunned packet: 192.168.1.3 ==> 208.67.222.222 on interface inside
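As an added example (not from this article or the Umbrella product), a small detector a defender can run over exported ASA syslog to alert when a Virtual Appliance address is being shunned, rather than discovering it through a DNS outage. It parses the pipe-delimited 401004 'Shunned packet' message in the form shown above; the appliance addresses (192.168.1.3, 192.168.1.4) and the sample log lines are constructed.

```python
"""Detect ASA message 401004 ('Shunned packet') for known Umbrella
Virtual Appliance addresses in ASA syslog lines.

Added example, not part of the original article. The log format is the
pipe-delimited ASA form (severity|timestamp|id: text); the appliance
addresses and the sample lines are constructed.
"""
import re
from collections import Counter

# ASA 401004: "Shunned packet: <src> ==> <dst> on interface <ifc>"
SHUN_RE = re.compile(
    r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|401004: Shunned packet: "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) ==> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"on interface (?P<ifc>\S+)$"
)


def parse_shun_event(line):
    """Return the fields of a 401004 line as a dict, or None for any other message."""
    m = SHUN_RE.match(line.strip())
    return m.groupdict() if m else None


def shunned_appliances(lines, appliance_ips):
    """Count 401004 events per source IP and report which configured
    appliance addresses appear as shunned sources.

    Returns (counts, shunned): counts maps src -> number of shunned packets,
    shunned is the sorted list of appliance IPs seen being shunned.
    """
    counts = Counter()
    for line in lines:
        ev = parse_shun_event(line)
        if ev:
            counts[ev["src"]] += 1
    shunned = sorted(ip for ip in appliance_ips if counts[ip] > 0)
    return counts, shunned


# Constructed sample: two shun events for the appliance, one unrelated host,
# and one non-shun message that must be ignored.
SAMPLE_LOG = [
    "4|Jun 06 2014 14:00:42|401004: Shunned packet: 192.168.1.3 ==> 208.67.222.222 on interface inside",
    "4|Jun 06 2014 14:00:42|401004: Shunned packet: 192.168.1.3 ==> 208.67.220.220 on interface inside",
    "4|Jun 06 2014 14:00:43|401004: Shunned packet: 10.0.0.9 ==> 203.0.113.5 on interface dmz",
    "6|Jun 06 2014 14:00:44|302013: Built outbound TCP connection 12 for outside:203.0.113.5/443 ...",
]
VA_IPS = {"192.168.1.3", "192.168.1.4"}  # constructed: primary and secondary appliance

if __name__ == "__main__":
    counts, shunned = shunned_appliances(SAMPLE_LOG, VA_IPS)
    for ip in shunned:
        print(f"ALERT: Virtual Appliance {ip} is being shunned "
              f"({counts[ip]} packets); expect DNS failures until the shun is cleared")
```

Feed it the ASA syslog export (one message per line) and the set of appliance addresses; a non-empty shunned list is the condition to alert on, and the per-source counts help distinguish the appliance from an unrelated host that was shunned for a genuine reason.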
To see a list of currently shunned IP addresses, run the following command (on the ASA): show shun
To immediately clear the currently shunned IP addresses, run the following command (on the ASA): clear shun