RV320 refusing outbound connections?

Jan 31st, 2014

The overall problem is that we're having lots of problems with web access in or out of the office.  There was a problem with sporadic packet loss with the ISP which has now been corrected, but still the web problem persists.


In investigating, I am seeing lots of messages like this in my system logs:


Connection Refused - Policy violationIN=eth0 OUT=eth1 SRC=192.168.231.9 DST=157.56.141.102 DMAC=f8:72:ea:94:e0:14 SMAC=f8:2f:a8:d9:5f:a9 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=6071 DF PROTO=TCP SPT=59051 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0



However, I am using the default firewall rules with only additions to let SSH, HTTP, and HTTPS into a few machines on the LAN.  The above source address is not one of these machines.  The hosts affected on the LAN side do not seem consistent.  The destination addresses that experience this do seem to be consistent based on a relatively small sample of log file, but being a small sample, this may be spurious info.


This doesn't seem right - the rules should allow any outbound connections.


Admittedly, most of the traffic in/out is HTTP or HTTPS, but I haven't seen this affect any other service than these.


I have made sure that the content filtering is disabled, I've played with turning SPI on/off with no change.


The above is about the only visible anomaly I've seen, and I'm running out of ideas...


Any help or suggestions welcome, thanks!

mpyhala Mon, 02/03/2014 - 09:11

David,


Do you have DSL? If so, you may need to lower the MTU on the WAN port of the router to 1492. (From 1500)


Setup-> Network-> WAN Setting Table-> WAN 1


Also, under Setup-> Network, make sure that the IP Mode is IPv4 Only (Unless you are using IPv6)



- Marty

dogwood Mon, 02/03/2014 - 10:48

No DSL, am using a Ubee cable modem to Time Warner Business Class service.  This setup has worked for over a decade, but my PIX died and now this is happening on replacement with RV320.


Changed the MTU to no effect, and yes I am using IPv6 with tunnelbroker.net.  I have tried disabling IPv6 but put it back when it did not solve the problem.


I opened up my Google search and found that this is a problem also found on the RV042, but I can't find a resolution.  Cisco has said on the RV042 that it's a broken TCP/IP implementation, but since I get this across Windows 7, Linux, FreeBSD and Android devices and only on HTTP/HTTPS connections (at least so far and we do a lot of FTP, and SSH) and it is a crippling problem, it seems like they may have to address this.

chrebert Mon, 02/03/2014 - 13:11

There is a known issue with false positives on some inbound connections on the RV320, however your issue is outbound.  I would suggest giving us a call at 1.866.606.1866 and open a support case and we can see if we can get this resolved.


Christopher Ebert

----

Senior Network Support Engineer - Cisco Small Business Support Center

Samir Darji Tue, 02/11/2014 - 19:35

I'd disable the firewall completely and see what happens.



Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com

dogwood Wed, 02/12/2014 - 15:22

I've been working with their support group and the issue has been escalated - they have packet traces and configuration files for my setup.  I'll post here when it's resolved.

jdfoxmicro Mon, 04/28/2014 - 13:37

I guess it wasn't solved!


I just noticed my RV320 is doing the same thing.  Only because I happened to turn on the log to look for something else.  It's been in place for months, and no one has had any issues using the Internet.


One thing I did notice is that it's only TCP packets tagged ACK FIN or ACK RST.  These might be seen as a kind of a probe (fingerprinting the system based on its response to an unsolicited such packet), and, of course, since it's just my workstations acknowledging the end of a session, it doesn't affect the user experience at all if these are blocked.


But, it is pretty lame that we don't have the capability to adjust this aggressive filtering on outbound packets by this device, or more information (such as which policy) in the log.

Samir Darji Thu, 05/22/2014 - 01:56

There's not much you can do about filtering the logs on the unit itself.  But you can do a lot if you just send it to a syslog server.  That's the best solution for in-depth analysis.

 

But what I've learned about these type of messages is to not worry about it unless it's broken.  I've seen similar issues on even Netgear's products.  It seems to be par for the smb router space.
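As an added example (not code from any poster in this thread), here is a small Python script for the syslog-analysis approach Samir suggests: it parses the RV320 "Connection Refused - Policy violation" lines in the format quoted in the question and separates dropped ACK FIN / ACK RST teardown packets (jdfoxmicro's observation) from blocked SYNs that would actually break a web session. The sample log lines are constructed, and treating bare tokens such as ACK RST as TCP flag names is an assumption based on the one line quoted above.

```python
from collections import Counter

# Constructed sample syslog lines in the RV320 format quoted in the thread; hosts, MACs and IDs are made up.
SAMPLE_LOG = """\
Connection Refused - Policy violation IN=eth0 OUT=eth1 SRC=192.168.231.9 DST=157.56.141.102 DMAC=f8:72:ea:94:e0:14 SMAC=f8:2f:a8:d9:5f:a9 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=6071 DF PROTO=TCP SPT=59051 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
Connection Refused - Policy violation IN=eth0 OUT=eth1 SRC=192.168.231.12 DST=203.0.113.20 DMAC=f8:72:ea:94:e0:14 SMAC=00:11:22:33:44:55 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=0 RES=0x00 ACK FIN URGP=0
Connection Refused - Policy violation IN=eth0 OUT=eth1 SRC=192.168.231.12 DST=203.0.113.20 DMAC=f8:72:ea:94:e0:14 SMAC=00:11:22:33:44:55 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Some unrelated syslog line that must be ignored
"""
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
PREFIX = "Connection Refused - Policy violation"

def parse_line(line):
    """Return {field: value, 'FLAGS': set()} for a refused-packet line, else None."""
    if PREFIX not in line:
        return None
    rec, flags = {}, set()
    # Works whether or not the log has a space after the prefix ("violationIN=eth0").
    for tok in line.split(PREFIX, 1)[1].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k] = v
        elif tok in TCP_FLAGS:
            flags.add(tok)          # bare tokens such as ACK RST are the TCP flags
    rec["FLAGS"] = flags
    return rec

def classify(rec):
    """Say whether a dropped packet could have hurt a user session."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    f = rec["FLAGS"]
    if "SYN" in f and "ACK" not in f:
        return "blocked-new-connection"   # this would actually break web access
    if f & {"FIN", "RST"}:
        return "dropped-teardown"         # session already ending; users won't notice
    return "dropped-mid-session"

def summarize(log_text):
    """Count refused packets by (category, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(classify(rec), rec.get("DPT", "?"))] += 1
    return counts

if __name__ == "__main__":
    for (cat, dpt), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{cat:24s} dport {dpt:>5s}: {n}")
```

Point it at the syslog file your server collects from the router; if the only categories that show up are teardown drops, the log noise is not the cause of the web problems.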