
PIX randomly blocks remote VPN client IP addresses

Jul 3rd, 2008

Hello all,


My PIX 515-E (7.2) blocks IP addresses assigned to Remote VPN users. It seems that the blocked IP addresses are chosen randomly and they are accumulating over time. I didn't pay attention to it until the number of blocked IP addresses became significant. The only way to figure out which IP address is blocked is to run packet-tracer.


For example:

10.100.0.100 -- internal address,
10.100.5.167 -- address assigned to Remote VPN client from 10.100.5/24 pool:

PIX# packet-tracer input inside icmp 10.100.0.100 8 0 10.100.5.167 detail
[...]
Phase: 9
Type: ACCESS-LIST
Subtype: ipsec-user
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2b29390, priority=69, domain=ipsec-user, deny=true
hits=210, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.100.5.167, mask=255.255.255.255, port=0
[...]


There are also related messages in the logs when packets are blocked by the ACL:

%PIX-3-106014: Deny inbound icmp src inside:10.100.0.100 dst outside:10.100.5.167 (type 8, code 0)



At the same time, IP address 10.100.5.166 is not blocked, and the ACL above is not even mentioned in the packet-tracer output. I have about 30 addresses blocked out of a 255-address pool.

It seems that some hidden dynamic ACL blocks the address. Can anybody explain why this is happening? Is there a way to show such dynamic ACLs, or to reset them?


Thank you,

--fedya

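A log-monitoring script for the situation described in this post (an added example, not code from the thread or from Cisco): it parses %PIX-3-106014 syslog lines, keeps only the denies whose destination falls inside the remote-access VPN pool, and counts them per client address, so the set of blocked pool addresses can be read off the logs instead of running packet-tracer against each address in turn. The sample log lines and the pool 10.100.5.0/24 are constructed for illustration.

```python
import re
import ipaddress
from collections import Counter

# Syslog message 106014 in the form quoted in the post, e.g.
# "%PIX-3-106014: Deny inbound icmp src inside:10.100.0.100 dst outside:10.100.5.167 (type 8, code 0)"
# ASA firewalls emit the same message with an %ASA- prefix, so both are accepted.
DENY_106014 = re.compile(
    r"%(?:PIX|ASA)-3-106014: Deny inbound (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[0-9.]+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[0-9.]+)"
)

def blocked_pool_addresses(log_lines, pool_cidr):
    """Count 106014 denies per destination address that lies inside the VPN pool.
    Returns {client_ip: deny_count}; denies to addresses outside the pool are ignored."""
    pool = ipaddress.ip_network(pool_cidr)
    hits = Counter()
    for line in log_lines:
        m = DENY_106014.search(line)
        if m is None:
            continue  # not a 106014 deny (or a malformed line)
        dst = ipaddress.ip_address(m.group("dst_ip"))
        if dst in pool:
            hits[str(dst)] += 1
    return dict(hits)

def pool_block_ratio(hits, pool_cidr):
    """Fraction of usable pool addresses that have at least one deny logged."""
    pool = ipaddress.ip_network(pool_cidr)
    usable = max(pool.num_addresses - 2, 1)  # exclude network and broadcast addresses
    return len(hits) / usable

# Constructed sample log lines (not real captures): two denies to .167,
# one to .23, one deny to an address outside the pool, and one unrelated message.
SAMPLE_LOG = [
    "%PIX-3-106014: Deny inbound icmp src inside:10.100.0.100 dst outside:10.100.5.167 (type 8, code 0)",
    "%PIX-3-106014: Deny inbound icmp src inside:10.100.0.100 dst outside:10.100.5.167 (type 8, code 0)",
    "%PIX-3-106014: Deny inbound icmp src inside:10.100.0.101 dst outside:10.100.5.23 (type 8, code 0)",
    "%PIX-3-106014: Deny inbound icmp src inside:10.100.0.100 dst outside:192.0.2.9 (type 8, code 0)",
    "%PIX-6-302013: Built outbound TCP connection 12345 for outside:192.0.2.9/443 to inside:10.100.0.100/51000",
]
VPN_POOL = "10.100.5.0/24"  # constructed pool matching the 10.100.5/24 pool in the post

if __name__ == "__main__":
    blocked = blocked_pool_addresses(SAMPLE_LOG, VPN_POOL)
    for ip, n in sorted(blocked.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        print(f"{ip}: {n} denies")
    print(f"{pool_block_ratio(blocked, VPN_POOL):.1%} of the pool has logged denies")
```

Feed it the firewall's syslog export (or a `show logging` capture) and any pool address with a rising deny count is one to check with packet-tracer.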
a.alekseev Thu, 07/03/2008 - 10:39

Hi, fedya

Show the configuration.

a.alekseev Thu, 07/03/2008 - 12:58

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

fedya@ispol.com Mon, 07/07/2008 - 05:36

These lines look pretty normal to me. This is where the dynamic crypto map gets attached to the crypto map with the lowest priority, and then the crypto map is attached to the outside interface. Or am I missing something?
