Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
439
Views
0
Helpful
4
Replies

PIX randomly blocks remote VPN client IP addresses

fedya
Level 1
Level 1

‎07-03-2008 09:57 AM - edited ‎03-11-2019 06:09 AM

Hello all,

My PIX 515-E (7.2) blocks IP addresses assigned to Remote VPN users. It seems that blocked IP address are chosen randomly and they are accumulating overtime. I didn't pay attention to it until number of blocked IP addresses become significant. The only way to figure out which IP address is blocked is to run packet-tracer.

For example:

10.100.0.100 -- internal address,

10.100.5.167 -- address assigned to Remote VPN client from 10.100.5/24 pool:

PIX# packet-tracer input inside icmp 10.100.0.100 8 0 10.100.5.167 detail

[...]

Phase: 9

Type: ACCESS-LIST

Subtype: ipsec-user

Result: DROP

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0x2b29390, priority=69, domain=ipsec-user, deny=true

hits=210, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=10.100.5.167, mask=255.255.255.255, port=0

[...]

There are also related messages in logs, when packets are blocked by the ACL.

%PIX-3-106014: Deny inbound icmp src inside:10.100.0.100 dst outside:10.100.5.167 (type 8, code 0)

At the same time, IP address 10.100.5.166 is not blocked, and ACL above is not even mentioned in packet-tracer output. I have about 30 addresses blocked from 255 address pool.

It seems that some hidden dynamic ACL blocks the address. Can anybody explain why this is happening? Is there a way to show such dynamic ACLs, or reset them?

Thank you,

--fedya

Labels:
0 Helpful
4 Replies 4

a.alekseev
Level 7
Level 7

‎07-03-2008 10:39 AM

hi, fedya

show the configuration.

0 Helpful

fedya
Level 1
Level 1
In response to a.alekseev

‎07-03-2008 12:05 PM

Here you are, see attached, some info redacted...

--fedya

Preview file
7 KB
0 Helpful

a.alekseev
Level 7
Level 7
In response to fedya

‎07-03-2008 12:58 PM

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

0 Helpful

fedya
Level 1
Level 1
In response to a.alekseev

‎07-07-2008 05:36 AM

These lines look pretty normal to me. This is where dynamic crypto map gets attached to crypto map with lowest priority, and then crypto map is attached to outside interface. Or am I missing something?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card