
RV320 refusing outbound connections?

dogwood
Level 1

The overall problem is that we're having lots of problems with web access in or out of the office.  There was a problem with sporadic packet loss with the ISP which has now been corrected, but still the web problem persists.

In investigating, I am seeing lots of messages like this in my system logs:

Connection Refused - Policy violationIN=eth0 OUT=eth1 SRC=192.168.231.9 DST=157.56.141.102 DMAC=f8:72:ea:94:e0:14 SMAC=f8:2f:a8:d9:5f:a9 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=6071 DF PROTO=TCP SPT=59051 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0

However, I am using the default firewall rules with only additions to let SSH, HTTP, and HTTPS into a few machines on the LAN.  The above source address is not one of these machines.  The hosts affected on the LAN side do not seem consistent.  The destination addresses that experience this do seem to be consistent based on a relatively small sample of log file, but being a small sample, this may be spurious info.

This doesn't seem right - the rules should allow any outbound connections.

Admittedly, most of the traffic in/out is HTTP or HTTPS, but I haven't seen this affect any other service than these.

I have made sure that the content filtering is disabled, I've played with turning SPI on/off with no change.

The above is about the only visible anomaly I've seen, and I'm running out of ideas...

Any help or suggestions welcome, thanks!

7 Replies

mpyhala
Level 7

David,

Do you have DSL? If so, you may need to lower the MTU on the WAN port of the router to 1492. (From 1500)

Setup-> Network-> WAN Setting Table-> WAN 1

Also, under Setup-> Network, make sure that the IP Mode is IPv4 Only (Unless you are using IPv6)

- Marty

No DSL, am using a Ubee cable modem to Time Warner Business Class service.  This setup has worked for over a decade, but my PIX died and now this is happening on replacement with RV320.

Changed the MTU to no effect, and yes I am using IPv6 with tunnelbroker.net.  I have tried disabling IPv6 but put it back when it did not solve the problem.

I opened up my Google search and found that this is a problem also found on the RV042, but I can't find a resolution.  Cisco has said on the RV042 that it's a broken TCP/IP implementation, but since I get this across Windows 7, Linux, FreeBSD and Android devices and only on HTTP/HTTPS connections (at least so far and we do a lot of FTP, and SSH) and it is a crippling problem, it seems like they may have to address this.

chrebert
Level 4

There is a known issue with false positives on some inbound connections on the RV320; however, your issue is outbound.  I would suggest giving us a call at 1.866.606.1866 and opening a support case, and we can see if we can get this resolved.

Christopher Ebert

----

Senior Network Support Engineer - Cisco Small Business Support Center

SamirD
Level 5

I'd disable the firewall completely and see what happens.

Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com


dogwood
Level 1

I've been working with their support group and the issue has been escalated - they have packet traces and configuration files for my setup.  I'll post here when it's resolved.

I guess it wasn't solved!

 

I just noticed my RV320 is doing the same thing.  Only because I happened to turn on the log to look for something else.  It's been in place for months, and no one has had any issues using the Internet.

 

One thing I did notice is that it's only TCP packets tagged ACK FIN or ACK RST.  These might be seen as a kind of a probe (fingerprinting the system based on its response to an unsolicited such packet), and, of course, since it's just my workstations acknowledging the end of a session, it doesn't affect the user experience at all if these are blocked.

 

But, it is pretty lame that we don't have the capability to adjust this aggressive filtering on outbound packets by this device, or more information (such as which policy) in the log.

There's not much you can do about filtering the logs on the unit itself.  But you can do a lot if you just send it to a syslog server.  That's the best solution for in-depth analysis.

 

But what I've learned about these types of messages is to not worry about it unless it's broken.  I've seen similar issues on even Netgear's products.  It seems to be par for the SMB router space.
 

Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com
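
The two replies above note that the refused packets carry ACK FIN or ACK RST and that a syslog server is the place for in-depth analysis. The following is an added example, not code from any poster or from Cisco: it tallies forwarded "Policy violation" entries by TCP flags, so session-teardown drops can be told apart from refused connection attempts. It assumes the lines keep the format quoted in the first post; the function names and sample lines are constructed for illustration.

```python
from collections import Counter

MARKER = "Connection Refused - Policy violation"
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

# Constructed sample lines modelled on the entry quoted in the thread;
# addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Connection Refused - Policy violationIN=eth0 OUT=eth1 SRC=192.0.2.9 DST=198.51.100.7 LEN=40 TTL=127 DF PROTO=TCP SPT=59051 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
Connection Refused - Policy violationIN=eth0 OUT=eth1 SRC=192.0.2.14 DST=198.51.100.7 LEN=40 TTL=127 DF PROTO=TCP SPT=59060 DPT=443 WINDOW=254 RES=0x00 ACK FIN URGP=0
Connection Refused - Policy violationIN=eth0 OUT=eth1 SRC=192.0.2.20 DST=203.0.113.5 LEN=52 TTL=127 DF PROTO=TCP SPT=59100 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
System is up (unrelated constructed line)
"""

def parse_entry(line):
    """Parse one refused-connection line into (fields, flags), else None."""
    if MARKER not in line:
        return None
    tokens = line.split(MARKER, 1)[1].split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    flags = frozenset(t for t in tokens if t in TCP_FLAGS)
    return fields, flags

def classify(fields, flags):
    """Separate end-of-session packets from refused connection attempts."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection"   # an outbound connection attempt was refused
    if flags & {"FIN", "RST"}:
        return "teardown"         # ACK FIN / ACK RST, as observed in the thread
    return "other-tcp"

def summarize(log_text):
    """Count refused entries by category and by (source, dest port, category)."""
    by_category, by_source = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        fields, flags = parsed
        category = classify(fields, flags)
        by_category[category] += 1
        by_source[(fields.get("SRC"), fields.get("DPT"), category)] += 1
    return by_category, by_source

if __name__ == "__main__":
    categories, sources = summarize(SAMPLE_LOG)
    print(dict(categories))
    for key, count in sources.most_common():
        print(count, *key)
```

A log dominated by `teardown` matches the harmless pattern described above; any `new-connection` entries point at outbound connection attempts the router actually refused and are the ones worth taking to a support case.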