My PIX 515-E (7.2) blocks IP addresses assigned to Remote VPN users. It seems that the blocked IP addresses are chosen randomly and they are accumulating over time. I didn't pay attention to it until the number of blocked IP addresses became significant. The only way to figure out which IP address is blocked is to run packet-tracer.
10.100.0.100 -- internal address,
10.100.5.167 -- address assigned to Remote VPN client from 10.100.5/24 pool:
PIX# packet-tracer input inside icmp 10.100.0.100 8 0 10.100.5.167 detail
Forward Flow based lookup yields rule:
out id=0x2b29390, priority=69, domain=ipsec-user, deny=true
hits=210, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.100.5.167, mask=255.255.255.255, port=0
There are also related messages in the logs when packets are blocked by the ACL.
%PIX-3-106014: Deny inbound icmp src inside:10.100.0.100 dst outside:10.100.5.167 (type 8, code 0)
At the same time, IP address 10.100.5.166 is not blocked, and the ACL above is not even mentioned in the packet-tracer output. I have about 30 addresses blocked from a 255-address pool.
It seems that some hidden dynamic ACL blocks the address. Can anybody explain why this is happening? Is there a way to show such dynamic ACLs, or reset them?
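Added example, not part of the question above: a small Python triage script that reads the two kinds of output quoted in the post (the %PIX-3-106014 syslog line and the packet-tracer "deny=true" rule) and lists which addresses in the VPN pool are being denied, so you do not have to run packet-tracer by hand for every pool address. The sample log and tracer text are constructed for the example; the pool 10.100.5.0/24 is taken from the question.

```python
import ipaddress
import re

# Constructed sample syslog, in the format of the 106014 message quoted in the post.
SYSLOG_SAMPLE = """\
%PIX-3-106014: Deny inbound icmp src inside:10.100.0.100 dst outside:10.100.5.167 (type 8, code 0)
%PIX-3-106014: Deny inbound icmp src inside:10.100.0.100 dst outside:10.100.5.167 (type 8, code 0)
%PIX-3-106014: Deny inbound icmp src inside:10.100.0.100 dst outside:10.100.5.23 (type 8, code 0)
%PIX-3-106014: Deny inbound icmp src inside:10.100.0.100 dst outside:192.0.2.9 (type 8, code 0)
"""

# Constructed packet-tracer excerpt, shaped like the rule dump in the post.
TRACER_SAMPLE = """\
Forward Flow based lookup yields rule:
 out id=0x2b29390, priority=69, domain=ipsec-user, deny=true
        hits=210, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.100.5.167, mask=255.255.255.255, port=0
"""

DENY_RE = re.compile(r"%PIX-3-106014: Deny inbound \S+ src \S+:(\S+) dst \S+:(\S+)")
RULE_RE = re.compile(r"domain=(\S+?), deny=(true|false)")
DST_RE = re.compile(r"dst ip=(\S+?), mask=")


def denied_pool_hosts(syslog, pool):
    """Count 106014 denials per destination address that lies inside the VPN pool."""
    net = ipaddress.ip_network(pool)
    counts = {}
    for line in syslog.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        dst = ipaddress.ip_address(m.group(2))
        if dst in net:  # ignore denials that are not aimed at pool addresses
            counts[str(dst)] = counts.get(str(dst), 0) + 1
    return counts


def deny_rules(tracer):
    """Return (domain, dst ip) pairs for packet-tracer rules that carry deny=true."""
    rules, domain = [], None
    for line in tracer.splitlines():
        m = RULE_RE.search(line)
        if m:  # remember the domain only while the current rule is a deny
            domain = m.group(1) if m.group(2) == "true" else None
            continue
        d = DST_RE.search(line)
        if d and domain:
            rules.append((domain, d.group(1)))
            domain = None
    return rules
```

Running both over real `show logging` and `packet-tracer ... detail` output gives the list of pool addresses hit by the hidden ipsec-user deny rule and how often each is hit.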