06-07-2014 03:07 AM
Hello everybody,
My RV325 contains 4 VLANs, each one with a DHCP server, and most of the clients with a reserved IP.
What do these log issues mean?
It seems that I have many of them when I set up my RV325 dual wan mode on "Load balance (auto mode)": it seems also, but I'm not sure, that when I have these log traces, I cannot connect on the internet.
Kind regards
David
01-06-2015 04:28 PM
It can become a nightmare some days!
01-07-2015 02:05 PM
Hello,
Please update to the latest 1.1.1.19 firmware: https://software.cisco.com/download/release.html?mdfid=284005929&flowid=43302&softwareid=282465789&release=1.1.1.19&relind=AVAILABLE&rellifecycle=&reltype=latest
Hopefully this new f/w will resolve the issue that you are experiencing.
Thanks,
Cindy
01-08-2015 08:18 AM
That did not seem to fix the problem.
It appears to be related to making changes to the router.
Jan 8 09:42:11 2015 cisco User Log: edit_access_rules.htm is changed.
Jan 8 09:42:12 2015 cisco kernel: wrong ip[0],not_list[0]
Jan 8 09:42:29 2015 cisco User Log: edit_access_rules.htm is changed.
Jan 8 09:42:30 2015 cisco kernel: wrong ip[0],not_list[0]
Jan 8 09:42:52 2015 cisco User Log: edit_access_rules.htm is changed.
Jan 8 09:42:53 2015 cisco kernel: wrong ip[0],not_list[0]
Jan 8 09:43:10 2015 cisco User Log: edit_access_rules.htm is changed.
Jan 8 09:43:11 2015 cisco kernel: wrong ip[0],not_list[0]
Jan 8 09:43:35 2015 cisco User Log: edit_access_rules.htm is changed.
Jan 8 09:43:36 2015 cisco kernel: wrong ip[0],not_list[0]
Jan 8 09:43:55 2015 cisco User Log: edit_access_rules.htm is changed.
Jan 8 09:43:57 2015 cisco kernel: wrong ip[0],not_list[0]
Jan 8 09:44:13 2015 cisco User Log: edit_access_rules.htm is changed.
Jan 8 09:44:14 2015 cisco kernel: wrong ip[0],not_list[0]
Jan 8 09:44:29 2015 cisco User Log: edit_access_rules.htm is changed.
Jan 8 09:44:30 2015 cisco kernel: wrong ip[0],not_list[0]
Jan 8 09:44:45 2015 cisco User Log: edit_access_rules.htm is changed.
Jan 8 09:44:46 2015 cisco kernel: wrong ip[0],not_list[0]
Jan 8 09:44:58 2015 cisco User Log: edit_access_rules.htm is changed.
Jan 8 09:44:59 2015 cisco kernel: wrong ip[0],not_list[0]
Jan 8 09:45:15 2015 cisco User Log: edit_access_rules.htm is changed.
Jan 8 09:45:16 2015 cisco kernel: wrong ip[0],not_list[0]
Jan 8 09:45:29 2015 cisco User Log: edit_access_rules.htm is changed.
Jan 8 09:45:30 2015 cisco kernel: wrong ip[0],not_list[0]
Jan 8 09:45:42 2015 cisco User Log: edit_access_rules.htm is changed.
Jan 8 09:45:43 2015 cisco kernel: wrong ip[0],not_list[0]
Jan 8 09:45:56 2015 cisco User Log: edit_access_rules.htm is changed.
Jan 8 09:45:57 2015 cisco kernel: wrong ip[0],not_list[0]
Jan 8 09:46:11 2015 cisco User Log: edit_access_rules.htm is changed.
Jan 8 09:46:13 2015 cisco kernel: wrong ip[0],not_list[0]
Jan 8 09:46:27 2015 cisco User Log: edit_access_rules.htm is changed.
Jan 8 09:46:29 2015 cisco kernel: wrong ip[0],not_list[0]
Jan 8 09:46:45 2015 cisco User Log: edit_access_rules.htm is changed.
Jan 8 09:46:46 2015 cisco kernel: wrong ip[0],not_list[0]
01-08-2015 08:23 AM
I found that blocking Class B networks where "Changer Servers" are doing port scans can help to stop the disruption of services to an extent.
Here is a group that claims to be fighting the "hackers" doing the port scans.
https://www.shadowserver.org/wiki/pmwiki.php
I track them down to a Network Provider that gives me their information. China is the worst with Eastern Europe following a close second. Would be nice if we could just shut down all these changer servers; I was amazed at how many of them are out there, with the US leading the pack.
03-31-2016 11:21 PM
I followed Robert's advice and added a firewall rule to block all source IPs from 172.16.0.0 - 172.31.255.255
upgraded firmware.....
Still see the same error....
2016-03-31, 22:16:38 | User Log | edit_access_rules.htm is changed. |
2016-03-31, 22:16:38 | Kernel | kernel: wrong ip[0],not_list[0] |
I'm in agreement with Robert's second... the error seems to show up after every change made by the user...
relatively ridiculous that Cisco hasn't caught and fixed this one...
this is affecting a brand new RV320 btw...
06-29-2016 09:24 AM
2016-06-29, 12:12:53 | User Log | adv_forwarding.htm is changed. |
2016-06-29, 12:12:54 | Kernel | kernel: wrong ip[0],not_list[0] |
2016-06-29, 12:13:00 | ALLOW | TCP 155.133.82.77:53089 -> 24.97.220.202:5905 on eth1 |
2016-06-29, 12:13:00 | BLOCK | TCP 155.133.82.77:53089 -> 192.168.123.108:5905 on eth1 |
2016-06-29, 12:13:02 | ALLOW | TCP 155.133.82.77:53489 -> 24.97.220.202:5904 on eth1 |
2016-06-29, 12:13:02 | BLOCK | TCP 155.133.82.77:53489 -> 192.168.123.104:5904 on eth1 |
2016-06-29, 12:13:03 | ALLOW | TCP 155.133.82.77:53089 -> 24.97.220.202:5905 on eth1 |
2016-06-29, 12:13:03 | BLOCK | TCP 155.133.82.77:53089 -> 192.168.123.108:5905 on eth1 |
My issue is similar: while experiencing brute-force attacks from (China, Poland, etc.) my email is full of logs from my Cisco RV325.
Firewall rules related to this issue:
Deny | All Traffic [1] | * | 155.133.82.0 ~ 155.133.82.255 | 24.97.220.202 ~ 24.97.220.202 | Always | ||
Deny | All Traffic [1] | * | 155.133.82.0 ~ 155.133.82.255 | Any | Always | ||
Port forwarding related to this issue:
VNC4[TCP/5904~5904] | 192.168.123.104 | Enabled | ||
VNC5[TCP/5905~5905] | 192.168.123.108 | Enabled | ||
VNC0[TCP/5900~5900] | 192.168.123.130 | Disabled | ||
VNC3[TCP/5903~5903] | 192.168.123.106 | Enabled | ||
VNCJ3[TCP/5803~5803] | 192.168.123.106 | Enabled | ||
Even with logging disabled I still have logs of the port forwarding from the public ip to private ip.
Funny how I get an ALLOW log entry even when the firewall is denying access.
Maybe the forwarding is somehow bypassing firewall rules? Is this the correct way to handle it?
I am running the latest firmware. There is a bug here somewhere; please fix it or provide a workaround.
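For triaging the log flood described in the post above, an added example (not part of the thread and not Cisco code): it pairs each ALLOW entry with a BLOCK entry for the same protocol, source IP, source port and destination port within two seconds, and lists only the ALLOW entries that have no such BLOCK. Treating the two entries as one connection logged twice is an assumption drawn from the quoted lines; the first four sample lines are copied from the post and the last one is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First four lines are quoted from the post; the last line is constructed.
SAMPLE_LOG = """\
2016-06-29, 12:13:00 | ALLOW | TCP 155.133.82.77:53089 -> 24.97.220.202:5905 on eth1 |
2016-06-29, 12:13:00 | BLOCK | TCP 155.133.82.77:53089 -> 192.168.123.108:5905 on eth1 |
2016-06-29, 12:13:02 | ALLOW | TCP 155.133.82.77:53489 -> 24.97.220.202:5904 on eth1 |
2016-06-29, 12:13:02 | BLOCK | TCP 155.133.82.77:53489 -> 192.168.123.104:5904 on eth1 |
2016-06-29, 12:13:05 | ALLOW | TCP 198.51.100.7:40000 -> 24.97.220.202:5903 on eth1 |
"""

LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}, \d{2}:\d{2}:\d{2}) \| (?P<verdict>ALLOW|BLOCK) \| "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) on (?P<iface>\S+)")

def parse(text):
    """Parse pipe-delimited firewall entries; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d, %H:%M:%S")
            events.append(e)
    return events

def flow_key(e):
    # Destination IP is left out: it differs between the paired entries
    # (public address vs. forwarded host). Assumes the forward keeps the port.
    return (e["proto"], e["src"], e["sport"], e["dport"])

def unblocked_flows(events, window=timedelta(seconds=2)):
    """ALLOW events with no BLOCK for the same flow key within `window`."""
    blocks = defaultdict(list)
    for e in events:
        if e["verdict"] == "BLOCK":
            blocks[flow_key(e)].append(e["ts"])
    return [e for e in events if e["verdict"] == "ALLOW"
            and not any(abs(t - e["ts"]) <= window for t in blocks[flow_key(e)])]

def summarize(text):
    return [f'{e["src"]}:{e["sport"]} -> {e["dst"]}:{e["dport"]}'
            for e in unblocked_flows(parse(text))]

if __name__ == "__main__":
    for flow in summarize(SAMPLE_LOG):
        print("ALLOW with no matching BLOCK:", flow)
```

Entries it reports are the ones worth checking against the access rules and port-forwarding table; the paired ALLOW/BLOCK entries are suppressed.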