Can you put a sniffer on your line between the 5XP and the ISP router? You can do this by installing a hub (not a switch) inbetween the two and also plugging in another PC with Wireshark software. You can also run snoop on the 5XP itself, though external sniffer is better.
The idea is to determine if in fact the one user is even reaching your firewall. Can also have that user use traceroute to confirm his path. If he is not even reaching the firewall then the problem is outside of your network.
Hope this helps.
-Richard