PIX randomly blocks remote VPN client IP addresses

Unanswered Question

Hello all,

My PIX 515-E (7.2) blocks IP addresses assigned to Remote VPN users. It seems that the blocked IP addresses are chosen randomly and they are accumulating over time. I didn't pay attention to it until the number of blocked IP addresses became significant. The only way to figure out which IP address is blocked is to run packet-tracer.

For example: -- internal address, -- address assigned to a Remote VPN client from the 10.100.5/24 pool:

PIX# packet-tracer input inside icmp 8 0 detail


Phase: 9


Subtype: ipsec-user

Result: DROP


Additional Information:

Forward Flow based lookup yields rule:

out id=0x2b29390, priority=69, domain=ipsec-user, deny=true

hits=210, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

src ip=, mask=, port=0

dst ip=, mask=, port=0


There are also related messages in the logs when packets are blocked by the ACL.

%PIX-3-106014: Deny inbound icmp src inside: dst outside: (type 8, code 0)

At the same time, IP address is not blocked, and the ACL above is not even mentioned in the packet-tracer output. I have about 30 addresses blocked from a 255-address pool.

It seems that some hidden dynamic ACL blocks the address. Can anybody explain why this is happening? Is there a way to show such dynamic ACLs, or reset them?

Thank you,
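
The packet-tracer output and the %PIX-3-106014 message quoted above can be scanned automatically to list which pool addresses are being denied, instead of tracing one address at a time. The Python script below is an added example, not part of the original post and not a Cisco tool; the syslog lines and packet-tracer output embedded in it are constructed samples in the two formats shown above, with made-up addresses and with the per-phase "Type:" line omitted.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample syslog lines in the %PIX-3-106014 format quoted in the post.
# Three denies land on pool addresses, one on a non-pool address, one line is
# an unrelated message that must be ignored.
SAMPLE_SYSLOG = """\
%PIX-3-106014: Deny inbound icmp src inside:192.168.1.10 dst outside:10.100.5.23 (type 8, code 0)
%PIX-3-106014: Deny inbound icmp src inside:192.168.1.10 dst outside:10.100.5.77 (type 8, code 0)
%PIX-3-106014: Deny inbound icmp src inside:192.168.1.11 dst outside:10.100.5.23 (type 8, code 0)
%PIX-3-106014: Deny inbound icmp src inside:192.168.1.12 dst outside:172.16.9.4 (type 8, code 0)
%PIX-6-302020: Built outbound ICMP connection for faddr 10.100.5.40/0 gaddr 192.168.1.10/0 laddr 192.168.1.10/0
"""

# Constructed packet-tracer output shaped like the post's phase 9; the src/dst
# values are made up, the rule fields mirror the ones quoted above.
SAMPLE_TRACER = """\
Phase: 1
Subtype: input
Result: ALLOW
Config:
Additional Information:

Phase: 9
Subtype: ipsec-user
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
 out id=0x2b29390, priority=69, domain=ipsec-user, deny=true
        hits=210, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.100.5.23, mask=255.255.255.255, port=0
"""

# %PIX-3-106014: Deny inbound <proto> src <if>:<ip> dst <if>:<ip> (...)
DENY_106014 = re.compile(
    r"%PIX-3-106014: Deny inbound (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>\S+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>\S+)"
)
# key=value pairs inside a packet-tracer rule line
KV = re.compile(r"(\w+)=([^,\s]+)")


def parse_106014(line):
    """Return the fields of one %PIX-3-106014 deny message, or None for any other line."""
    m = DENY_106014.search(line)
    return m.groupdict() if m else None


def blocked_pool_addresses(log_text, pool_cidr):
    """Count deny messages per destination address that lies inside the VPN pool."""
    pool = ipaddress.ip_network(pool_cidr)
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_106014(line)
        if rec is None:
            continue
        try:
            dst = ipaddress.ip_address(rec["dst"])
        except ValueError:
            continue  # hostname or garbage in the dst field; skip it
        if dst in pool:
            counts[str(dst)] += 1
    return counts


def parse_packet_tracer(text):
    """Split packet-tracer output into phases. Each phase is a dict of its
    'Key: value' lines plus a 'rule' dict built from the key=value pairs of the
    matched rule; src/dst lines get their keys prefixed (src_ip, dst_mask, ...)."""
    phases, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            cur = {"Phase": line.split(":", 1)[1].strip(), "rule": {}}
            phases.append(cur)
            continue
        if cur is None or not line:
            continue
        if "=" in line and ":" not in line.split("=", 1)[0]:
            prefix = ""
            if line.startswith(("src ", "dst ")):
                prefix, line = line[:3] + "_", line[4:]
            for k, v in KV.findall(line):
                cur["rule"][prefix + k] = v
        elif ":" in line:
            k, v = line.split(":", 1)
            cur[k.strip()] = v.strip()
    return phases


def drop_phase(text):
    """Return the first phase whose Result is DROP, or None if the packet was allowed."""
    for ph in parse_packet_tracer(text):
        if ph.get("Result") == "DROP":
            return ph
    return None


if __name__ == "__main__":
    for addr, n in sorted(blocked_pool_addresses(SAMPLE_SYSLOG, "10.100.5.0/24").items()):
        print(f"{addr}: {n} deny message(s)")
    ph = drop_phase(SAMPLE_TRACER)
    if ph:
        print(f"dropped in phase {ph['Phase']} ({ph.get('Subtype')}), "
              f"domain={ph['rule'].get('domain')}, hits={ph['rule'].get('hits')}")
```

Feed the text of "show logging" to blocked_pool_addresses to get a count per pool address, and paste a single packet-tracer run into drop_phase to pull out the phase, domain and hit count of the rule that dropped it. Neither function says why the ipsec-user rule exists; it only makes the inventory the poster was doing by hand repeatable, and the per-address counts are the thing to compare against the VPN session table when the cause is being tracked down.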


a.alekseev Thu, 07/03/2008 - 10:39

Hi, fedya

Show the configuration.

a.alekseev Thu, 07/03/2008 - 12:58

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside
