Cisco Support Community

PIX randomly blocks remote VPN client IP addresses

Hello all,

My PIX 515-E (7.2) blocks IP addresses assigned to Remote VPN users. It seems that the blocked IP addresses are chosen randomly and they are accumulating over time. I didn't pay attention to it until the number of blocked IP addresses became significant. The only way to figure out which IP address is blocked is to run packet-tracer.

For example:

10.100.0.100 -- internal address,

10.100.5.167 -- address assigned to Remote VPN client from 10.100.5/24 pool:

PIX# packet-tracer input inside icmp 10.100.0.100 8 0 10.100.5.167 detail
[...]
Phase: 9
Type: ACCESS-LIST
Subtype: ipsec-user
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2b29390, priority=69, domain=ipsec-user, deny=true
hits=210, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.100.5.167, mask=255.255.255.255, port=0
[...]

There are also related messages in the logs when packets are blocked by the ACL.

%PIX-3-106014: Deny inbound icmp src inside:10.100.0.100 dst outside:10.100.5.167 (type 8, code 0)

At the same time, IP address 10.100.5.166 is not blocked, and the ACL above is not even mentioned in the packet-tracer output. I have about 30 addresses blocked out of a 255-address pool.

It seems that some hidden dynamic ACL blocks the address. Can anybody explain why this is happening? Is there a way to show such dynamic ACLs, or reset them?

Thank you,

--fedya
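As an added example (not part of the thread), here is a small Python script that tallies the %PIX-3-106014 denials from syslog per address in the VPN client pool, so the blocked addresses can be listed from the logs instead of running packet-tracer against each one. The pool 10.100.5.0/24 is taken from the post; the sample log lines are constructed to match the quoted message format.

```python
import ipaddress
import re
from collections import Counter

# Pattern for the 106014 syslog message quoted in the post, e.g.
# %PIX-3-106014: Deny inbound icmp src inside:10.100.0.100 dst outside:10.100.5.167 (type 8, code 0)
DENY_106014 = re.compile(
    r"%(?:PIX|ASA)-3-106014: Deny inbound icmp "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)"
)


def denied_vpn_clients(log_lines, pool_cidr):
    """Count 106014 denials per destination address inside the VPN client pool.

    Returns a Counter keyed by destination IP (as a string). Addresses outside
    the pool and lines that are not 106014 messages are ignored, so the result
    is exactly the set of pool addresses the firewall is silently dropping.
    """
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    hits = Counter()
    for line in log_lines:
        m = DENY_106014.search(line)
        if m is None:
            continue
        dst = ipaddress.ip_address(m.group("dst"))
        if dst in pool:
            hits[str(dst)] += 1
    return hits


# Constructed sample log lines (not from the original post); the last one is
# non-106014 noise to show that unrelated messages are skipped.
SAMPLE_LOG = [
    "%PIX-3-106014: Deny inbound icmp src inside:10.100.0.100 dst outside:10.100.5.167 (type 8, code 0)",
    "%PIX-3-106014: Deny inbound icmp src inside:10.100.0.100 dst outside:10.100.5.167 (type 8, code 0)",
    "%PIX-3-106014: Deny inbound icmp src inside:10.100.0.101 dst outside:10.100.5.23 (type 8, code 0)",
    "%PIX-3-106014: Deny inbound icmp src inside:10.100.0.100 dst outside:192.0.2.9 (type 8, code 0)",
    "%PIX-6-302020: Built inbound ICMP connection (constructed noise line)",
]

if __name__ == "__main__":
    for ip, n in denied_vpn_clients(SAMPLE_LOG, "10.100.5.0/24").most_common():
        print(f"{ip:<16} {n} denials")
```

Feed it the output of the PIX syslog server for a day and the addresses with the highest counts are the ones to check with packet-tracer.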

4 REPLIES

Re: PIX randomly blocks remote VPN client IP addresses

hi, fedya

show the configuration.


Re: PIX randomly blocks remote VPN client IP addresses

Here you are, see attached, some info redacted...

--fedya

Re: PIX randomly blocks remote VPN client IP addresses

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside


Re: PIX randomly blocks remote VPN client IP addresses

These lines look pretty normal to me. This is where the dynamic crypto map gets attached to the crypto map with the lowest priority, and then the crypto map is attached to the outside interface. Or am I missing something?
