PIX randomly blocks remote VPN client IP addresses

Unanswered Question

Hello all,


My PIX 515-E (7.2) blocks IP addresses assigned to remote VPN users. It seems that the blocked IP addresses are chosen randomly, and they are accumulating over time. I didn't pay attention to it until the number of blocked IP addresses became significant. The only way to figure out which IP address is blocked is to run packet-tracer.


For example:

10.100.0.100 -- internal address,

10.100.5.167 -- address assigned to Remote VPN client from 10.100.5/24 pool:


PIX# packet-tracer input inside icmp 10.100.0.100 8 0 10.100.5.167 detail
[...]
Phase: 9
Type: ACCESS-LIST
Subtype: ipsec-user
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2b29390, priority=69, domain=ipsec-user, deny=true
hits=210, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.100.5.167, mask=255.255.255.255, port=0
[...]


There are also related messages in the logs when packets are blocked by the ACL.


%PIX-3-106014: Deny inbound icmp src inside:10.100.0.100 dst outside:10.100.5.167 (type 8, code 0)



At the same time, IP address 10.100.5.166 is not blocked, and the ACL above is not even mentioned in the packet-tracer output. I have about 30 addresses blocked from the 255-address pool.


It seems that some hidden dynamic ACL blocks the address. Can anybody explain why this is happening? Is there a way to show such dynamic ACLs, or reset them?


Thank you,

--fedya

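Rather than running packet-tracer against every pool address by hand, the %PIX-3-106014 messages quoted in the post can be mined to list which pool members are being denied and to generate the confirming packet-tracer command for each. The script below is an added example, not code from the thread or from Cisco; the log lines it parses are constructed in the message format shown above, and the pool (10.100.5.0/24), source host and interface names are taken from the post as assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample syslog excerpt (not from the thread) in the %PIX-3-106014
# format the poster quotes, plus one unrelated 302020 line that must be ignored.
SAMPLE_LOG = """\
%PIX-3-106014: Deny inbound icmp src inside:10.100.0.100 dst outside:10.100.5.167 (type 8, code 0)
%PIX-3-106014: Deny inbound icmp src inside:10.100.0.100 dst outside:10.100.5.167 (type 8, code 0)
%PIX-3-106014: Deny inbound icmp src inside:10.100.0.101 dst outside:10.100.5.23 (type 8, code 0)
%PIX-3-106014: Deny inbound icmp src inside:10.100.0.100 dst outside:192.168.9.9 (type 8, code 0)
%PIX-6-302020: Built outbound ICMP connection for faddr 10.100.5.166/0 gaddr 10.100.0.100/0 laddr 10.100.0.100/0
"""

# Fields of the 106014 message: protocol, source interface:address, destination interface:address.
DENY_RE = re.compile(
    r"%PIX-3-106014: Deny inbound (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)"
)


def denied_pool_addresses(log_text, pool="10.100.5.0/24"):
    """Count 106014 denies per destination address that lies inside the VPN pool.

    Denies towards addresses outside the pool (ordinary ACL hits) are skipped, so
    the result contains only pool members that the ipsec-user rule is dropping.
    """
    net = ip_network(pool)
    hits = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and ip_address(m.group("dst")) in net:
            hits[m.group("dst")] += 1
    return hits


def packet_tracer_checks(hits, src="10.100.0.100", iface="inside"):
    """One packet-tracer command per suspect address (most-hit first), mirroring
    the ICMP echo test the poster used, so each candidate can be confirmed."""
    return [
        f"packet-tracer input {iface} icmp {src} 8 0 {dst} detail"
        for dst, _ in hits.most_common()
    ]


if __name__ == "__main__":
    hits = denied_pool_addresses(SAMPLE_LOG)
    print(f"{len(hits)} pool addresses denied: {dict(hits)}")
    print("\n".join(packet_tracer_checks(hits)))
```

Feed it the firewall's syslog export instead of SAMPLE_LOG; the count per address also shows how fast the denied set is growing between runs.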
a.alekseev Thu, 07/03/2008 - 10:39

hi, fedya

show the configuration.

a.alekseev Thu, 07/03/2008 - 12:58

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside
