RV042 Tunnels dropping

Unanswered Question
Jan 19th, 2012

Hey

We've been using the RV042 routers for years now and have been happy with the gateway to gateway functionality.  We typically create 1 to 5 tunnels for our supported customers, all small businesses.  Since the new version of RV042 came out several  months ago, we've been having tunnel disconnection problems.  Then, the tunnels re-negotiate and reconnect.

We've tweaked the settings the best we could but the tunnels with the new RV042s drop.

We have proven that these are not line drops and have this issue at at least three locations, all with the new RV042.

We have upgraded to the latest firmware available, RV0XX-v4.1.0.02-tm.bin, to no avail.

I've read other posts like this and have heard that there may be a beta firmware rev that can fix this ?

Please help.

Thanks

JOR

Has anyone seen a fix for this tunnel dropping issue? The latest firmware version, v4.1.1.01-sp (Dec 6 2011 20:03:18), does not correct the issue. dor

Joe So, who did you call to get this fixed ?

I still have no resolution and am investigating other vendor products.

Message was edited by: John O'Rourke

Te-Kai Liu Thu, 01/19/2012 - 12:36

Firmware 4.1.1.01 should appear soon. The firmware fixed a G2G tunnel issue, which has prevented a tunnel from reconnecting automatically after a power cycle on the router. I'm not sure if the firmware will address your issue, but feel free to contact the Small Business Support Center to get the firmware (currently in beta stage) if needed.

SOZAI1111 Mon, 01/30/2012 - 23:44

It seems 4.1.1.01 still has not solved the connection drop problem.

Telnet and database idle connections drop at around 30 mins. If I disable the SPI firewall function, all connections are fine.

SOZAI1111 Thu, 03/08/2012 - 17:14

I had contact with a Cisco engineer; they manually changed the router setting (not shown in web based, only Cisco can change this).

Then my dropped connection problem was solved.

They replied that the next FW version will fix this.

But the release date is not confirmed.

emil.neufeld Wed, 04/25/2012 - 15:08

Can you tell me exactly where to call and/or who/what to ask for?

Thanks in advance.

SOZAI1111 Thu, 04/26/2012 - 20:06

I had contact with Cisco online support and they sent me an email follow-up.

They helped me change the router setting and I tested that it works fine.

I replied to them asking for the new FW version's release date.

But I have not yet received a reply.

Nagaraja Thanthry Thu, 04/26/2012 - 21:57

Hello Joe,

The connection drop issue you have reported is not an issue with the device rather it is a security feature on the firewall. Typically, every firewall closes the idle TCP connections after a set time (TCP idle timeout value) to prevent TCP based attacks. This will also help in freeing up the resources at the router (This is a normal Stateful Packet Inspection firewall functionality). When SPI is disabled, the firewall stops monitoring the connections thereby allowing long TCP connections even when the connection is idle. However, that opens up the firewall for attacks from the internet.

At this time, we do not have any knowledge of a firmware that would change this behavior. If you would like any further details, please feel free to contact the SBSC and have them elaborate on this topic. If need be, please feel free to request them to escalate the Service Request so one of our L2 Engineers can provide further explanation.

Hope this helps.

Regards,

Nagaraja

SOZAI1111 Fri, 04/27/2012 - 02:34

Dear Nagaraja

Thanks for your reply.

As for the engineer who was in contact with me: he helped change the TCP timeout value on my routers and let me test the result.

But we have many RV042 V1 units, and they do not have dropped-connection reports.

It only happens on V3 hardware. We must fix this. I think any connection through the VPN should be like a local network connection, right?

Rgds

Joe

jornetworks Fri, 04/27/2012 - 04:37

Hey Nagaraja

You are incorrect.  I think we all understand SPI in this thread.

If you read my original post, you'll see that the problem arose with the new V3 boxes.

I have about 20 or more of the older model maintaining gateway to gateway tunnels with SPI turned on.  These tunnels don't drop unless there is a line outage on one side or the other.

Upon further testing, we see that the tunnels will drop between 58 and 59 minutes of inactivity or low activity.

You must mean then, that SPI never worked on the older models right ?

This makes this product unusable for gateway to gateway tunneling.

Please don't add meaningless posts to the thread.  We need a fix from Cisco on this.

Nagaraja Thanthry Fri, 04/27/2012 - 07:28

Hello Jor,

If you read my response, I was addressing Joe's question about idle connections dropping out through the VPN tunnel. That is due to the SPI functionality. The tunnel dropping after inactivity is a different issue and Te-Kai has attempted to answer that question earlier. If that issue is still unresolved, please feel free to contact SBSC and request assistance.

Hope this helps.

Regards,

Nagaraja

SOZAI1111 Mon, 04/30/2012 - 01:26

Is it normal for the SPI firewall to inspect connections through the VPN and drop idle sessions?

How come a safe private network connection can be dropped?

emil.neufeld Mon, 04/30/2012 - 15:14

You wrote in an earlier post that a Cisco engineer fixed the problem for you.  Can you give me a name or a technical support reference number?  I think I need the same fix, but my SBSC contact does not seem to be able to track down this patch.  Thank you.

SOZAI1111 Tue, 05/01/2012 - 06:45

That is only a temporary fix on the router. After you factory reset the router, it is still the same.

They have not created a case to check my reported case.

I have no idea why an SMB device can wrongly inspect a connection session allowed by the firewall and make it drop.

Nagaraja Thanthry Mon, 04/30/2012 - 17:30

Hello Joe,

The SPI applies to all traffic going through the firewall. The VPN policies kick in after the traffic goes through the SPI.

Hope this helps.

Regards,

Nagaraja

emil.neufeld Wed, 05/09/2012 - 10:11

I have been working on what sounds like the same problem for a couple of weeks.  Finally I got a suggested solution from adelano@cisco.com:

"To change the timeout value for TCP/UDP session on the RV042, you may access the hidden interface via the following URL:

https://<router-ip>/f_general_hidden.htm "

Log into your router as normal.  Then enter (or copy/paste) f_general_hidden.htm following the router IP address.  This accesses TCP and UDP timeout parameters that are not accessible from the regular General menu.

I set the TCP timeout @ 86400 (24 hrs) and the UDP to the maximum allowable value (300).  Based on several hours of testing, this seems to solve the problem.

originalcris Thu, 08/09/2012 - 06:19

Hi everybody!!

the solution is:

https://<router-ip>/f_general_hidden.htm

Change 1800 seconds (30 minutes) to 28800 seconds (8 hours).

Good Luck
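
An endpoint-side alternative to raising the router's TCP idle timeout, as an added example that is not part of the thread or of Cisco's guidance: enable TCP keepalive with an idle time below the SPI timeout, so the firewall keeps its short timer and idle sessions still generate traffic. The 1800-second figure is the value quoted above; the function names and the 50% safety margin are assumptions, and this addresses idle TCP sessions through the firewall, not the gateway-to-gateway tunnel renegotiation.

```python
import socket

# 1800 s is the TCP idle timeout value quoted in the thread.
SPI_TCP_IDLE_TIMEOUT = 1800
# Linux default for net.ipv4.tcp_keepalive_time: first probe after 2 hours.
LINUX_DEFAULT_KEEPIDLE = 7200


def keepalive_plan(firewall_idle_timeout, probes=3, safety=0.5):
    """Pick (idle, interval, probes) so the first keepalive probe is sent
    well before the firewall's idle timer expires (safety is an assumption)."""
    if firewall_idle_timeout < 4:
        raise ValueError("timeout too short to schedule keepalives")
    idle = int(firewall_idle_timeout * safety)
    # Retries must fit in the remaining window; cap the spacing at 75 s.
    interval = max(1, min(75, (firewall_idle_timeout - idle) // (probes + 1)))
    return idle, interval, probes


def survives_idle(keepidle, firewall_idle_timeout):
    """True if a probe is sent before the firewall discards the session."""
    return keepidle < firewall_idle_timeout


def apply_keepalive(sock, plan):
    """Enable keepalive on a TCP socket. Returns the idle time in effect,
    or None where the platform exposes no per-socket idle option."""
    idle, interval, probes = plan
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if not hasattr(socket, "TCP_KEEPIDLE"):  # not available on every OS
        return None
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, probes)
    return sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE)


if __name__ == "__main__":
    plan = keepalive_plan(SPI_TCP_IDLE_TIMEOUT)
    print("keepalive plan (idle, interval, probes):", plan)
    print("OS default keepalive outlasts firewall timer:",
          survives_idle(LINUX_DEFAULT_KEEPIDLE, SPI_TCP_IDLE_TIMEOUT))
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        print("keepidle in effect:", apply_keepalive(s, plan))
```

With the operating system default of 7200 seconds, the first probe would arrive long after a 1800-second firewall timer has already discarded the session, which is why keepalive has to be tuned per socket (or system-wide) rather than merely switched on.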

This Discussion

Posted January 19, 2012 at 11:37 AM