RV042 does not permit VPN pass-thru...

jrhelgeson
Level 1

Firmware ver: 1.3.12.19

I have the RV042 protecting my home network.  I do not have any VPN configured on the device yet.


With my laptop, I cannot establish a VPN connection to a remote site, using my Cisco VPN client v5.0.06.0100 (most recent)

Connected behind the RV042, no vpn connection can be made.

- error message -

Secure VPN Connection terminated locally by the Client.

Reason 412: The remote peer is no longer responding.

Connection terminated on: Nov 12, 2009 16:00:00     Duration: 0 day(s), 00:00.00

If I connect to the internet anywhere else, I connect just fine.

Now, I know why this happens.  The RV042 is listening on UDP port 500 on the external interface for IPSec ISAKMP; however, the external interface is also used for NAT translation, and when the VPN gateway I'm trying to connect to tries to respond to MY UDP/500 port, the ROUTER answers that query rather than passing it back to me.

I've dealt with this on the PIX firewalls (I'm an old Cisco networking guy) and those commands are not available on the RV042.

I've checked the settings, IPSec VPN Pass-through is ENABLED, as are all of the other pass-through settings.

How can I stop this stupid router from answering/listening on port 500?


I know this doesn't help, but I'm able to connect to ASA5510's and ASA5505s as well as a PIX515u and a PIX506e using the build of the VPN client you are, behind our RV082 and our spare RV042 (I have an SA520 here but have not tried that yet) so I can tell you with great confidence that the RV0x2's will allow this.  My wife also can connect to her office (Fortune 40 company) from my office through our RV082 and RV042 with no issues.  They are using the same Cisco VPN client v5 that I use.

The other thing here is we run multiple site-to-site VPN tunnels through our RV0x2's at the same time with no problems.  We even have the PPTP server setup on the RV082 for inbound VPNs so I don't have to fool with QuickVPN.

Assuming you're on the latest firmware (if not I would first upgrade to the most recent), may I suggest that you back up your config and do a hard factory reset (the manual states to press and hold the reset button for 30 seconds and when it reboots it'll have a factory config and will be on 192.168.1.1 with admin/admin as the username/password), set up just enough to get online and see if that allows a connection without any other changes to the router.  At least with a backup if nothing changes you can simply restore the config and be right back to where you are now.

Brian

Thanks Brian B. Good suggestion.

sorry for the late reply, been busy on other project.

since i originally posted, i have since been able to reproduce this issue somewhat in a random event. i still do not know why we do not see a response from the ASA but that's for another day.

first, stop all port forwards, bindings, etc. just make sure VPN passthrough is enabled. on the WAN set the MTU to 1472 and save settings.

to find the proper MTU for your ISP run the following command from cmd:

ping -l 1472 google.com -f

if you get a reply, increment by two up until you do not get a reply

H:\>ping -l 1472 google.com -f

Pinging google.com [72.14.204.103] with 1472 bytes of data:

Reply from 72.14.204.103: bytes=64 (sent 1472) time=23ms TTL=58
Reply from 72.14.204.103: bytes=64 (sent 1472) time=25ms TTL=58
Reply from 72.14.204.103: bytes=64 (sent 1472) time=25ms TTL=58
Reply from 72.14.204.103: bytes=64 (sent 1472) time=23ms TTL=58

Ping statistics for 72.14.204.103:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 23ms, Maximum = 25ms, Average = 24ms

H:\>ping -l 1474 google.com -f

Pinging google.com [72.14.204.103] with 1474 bytes of data:

Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 72.14.204.103:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

give that a go and let us know.
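
The probing procedure in the post above, automated as a binary search (an added example, not part of the original post). `ping_probe` wraps the Windows `ping -f -l` form used above and the Linux `ping -M do -s` form; the function names, the 1200-byte lower bound and the simulated path used for the demo are assumptions.

```python
import platform
import subprocess

ICMP_IP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_probe(host):
    """Return probe(size) -> bool that sends one DF-set echo with `size` payload bytes."""
    windows = platform.system() == "Windows"

    def probe(size):
        if windows:
            cmd = ["ping", "-n", "1", "-f", "-l", str(size), host]
        else:  # Linux iputils ping
            cmd = ["ping", "-c", "1", "-M", "do", "-s", str(size), host]
        try:
            done = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
        except (OSError, subprocess.TimeoutExpired):
            return False
        # Also check for the message shown in the post above, in case the
        # exit code alone is not reliable.
        return done.returncode == 0 and "needs to be fragmented" not in done.stdout

    return probe


def largest_unfragmented_payload(probe, low=1200, high=1472):
    """Binary-search the largest payload in [low, high] for which probe() succeeds."""
    if not probe(low):
        return None  # even the floor fails: host unreachable or ICMP filtered
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def simulated_path(path_mtu):
    """Stand-in for a real link (assumption): echoes pass only if they fit the MTU."""
    return lambda size: size + ICMP_IP_OVERHEAD <= path_mtu


if __name__ == "__main__":
    # Offline demo on simulated links; swap in ping_probe("<host>") on a real one.
    for mtu in (1500, 1492):
        payload = largest_unfragmented_payload(simulated_path(mtu))
        print(f"link MTU {mtu}: largest DF payload {payload}, "
              f"packet size {payload + ICMP_IP_OVERHEAD}")
```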

Hello everybody,

I have an RV082.

I am not using the RV082 to set up VPN tunnel.

I am using RV082 as a firewall.

I am connecting to my company VPN server with my laptop through the RV082.

The VPN Passthrough option is enabled for the 3 types of VPNs

189.122.154.191 is my public address of my RV082

192.54.144.181 is my company VPN server

Here are the Access Rules

To make it work I need to port forward UDP 34000-49000 to my PC. Is it normal?

Here is a log from my RV082:

Mar 25 20:04:36 2010   Connection Accepted   UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 25 20:04:40 2010   Connection Accepted   UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 25 20:04:42 2010   Connection Accepted   UDP 192.168.1.2:45088->192.54.144.181:500 on ixp1
Mar 25 20:04:42 2010   Connection Accepted   UDP 192.168.1.2:45088->192.54.144.181:500 on ixp1
Mar 25 20:04:43 2010   Connection Accepted   ICMP type 8 code 0 189.122.154.191->189.122.128.1 on ixp1
Mar 25 20:04:43 2010   Connection Accepted   ICMP type 8 code 0 189.122.154.191->189.122.128.1 on ixp1
Mar 25 20:04:44 2010   Connection Accepted   UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 25 20:04:44 2010   Connection Accepted   UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 25 20:04:45 2010   Connection Accepted   UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 25 20:04:45 2010   Connection Accepted   UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 25 20:04:47 2010   Connection Refused - Policy violation   UDP 192.54.144.181:500->189.122.154.191:45088 on ixp1
Mar 25 20:04:47 2010   Connection Refused - Policy violation   UDP 192.54.144.181:500->189.122.154.191:45088 on ixp1
Mar 25 20:04:48 2010   Connection Accepted   UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 25 20:04:48 2010   Connection Accepted   UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 25 20:04:49 2010   Connection Refused - Policy violation   UDP 192.54.144.181:500->189.122.154.191:45088 on ixp1
Mar 25 20:04:49 2010   Connection Refused - Policy violation   UDP 192.54.144.181:500->189.122.154.191:45088 on ixp1
Mar 25 20:04:49 2010   Connection Accepted   UDP 10.101.0.1:67->255.255.255.255:68 on ixp1
Mar 25 20:04:49 2010   Connection Accepted   UDP 10.101.0.1:67->255.255.255.255:68 on ixp1
Mar 25 20:04:51 2010   Connection Refused - Policy violation   UDP 192.54.144.181:500->189.122.154.191:45088 on ixp1
Mar 25 20:04:51 2010   Connection Refused - Policy violation   UDP 192.54.144.181:500->189.122.154.191:45088 on ixp1
Mar 25 20:04:52 2010   Connection Accepted   UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 25 20:04:52 2010   Connection Accepted   UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 25 20:04:53 2010   Connection Accepted   UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 25 20:04:53 2010   Connection Accepted   UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 25 20:04:53 2010   Connection Refused - Policy violation   UDP 192.54.144.181:500->189.122.154.191:45088 on ixp1
Mar 25 20:04:53 2010   Connection Refused - Policy violation   UDP 192.54.144.181:500->189.122.154.191:45088 on ixp1
Mar 25 20:04:55 2010   Connection Refused - Policy violation   UDP 192.54.144.181:500->189.122.154.191:45088 on ixp1
Mar 25 20:04:55 2010   Connection Refused - Policy violation   UDP 192.54.144.181:500->189.122.154.191:45088 on ixp1
Mar 25 20:04:57 2010   Connection Refused - Policy violation   UDP 192.54.144.181:500->189.122.154.191:45088 on ixp1
Mar 25 20:04:57 2010   Connection Refused - Policy violation   UDP 192.54.144.181:500->189.122.154.191:45088 on ixp1
Mar 25 20:04:58 2010   Connection Accepted   UDP 10.101.0.1:67->255.255.255.255:68 on ixp1
Mar 25 20:04:58 2010   Connection Accepted   UDP 10.101.0.1:67->255.255.255.255:68 on ixp1
Mar 25 20:04:59 2010   Connection Accepted   UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 25 20:04:59 2010   Connection Accepted   UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 25 20:05:01 2010   Connecti


no you do not need to port forward anything for the VPN connection, would like some more information though. are you connecting to a router VPN end point using IPSec? what is your IPSec client?

also, not really sure who 10.0.11.1 is and why are we accepting DHCP through the WAN? is this a DSL connection?

Mar 25 20:04:36 2010   Connection  Accepted   UDP 10.11.0.1:67->255.255.255.255:68 on  ixp1

the most likely reason this is being blocked is due to the port forwards

Mar 25 20:04:47 2010   Connection  Refused - Policy violation   UDP  192.54.144.181:500->189.122.154.191:45088 on ixp1

remove any rules, port forwards, etc. you have set up for the VPN connection and just leave passthrough enabled and try again. if it still does not work post again and let us know your client software, VPN server etc.

Dear Alegalle,

Thank you for taking into account my request.

I have returned my RV082 to factory defaults and changed only the admin password.

VPN passthrough is enabled by default for the three types of protocols.

I have a cable ISP (Net.com.br in Rio de Janeiro). They provided me with a Cable Modem Motorola SBV5121.

The Motorola SBV5121 provides the RV082 with a dynamic Public IP address: 189.122.154.191 at the time of the test.

The default DHCP option of the RV082 provides my PC with 192.168.1.101.

The VPN Client is the THALES VPN IP Mistral (I suppose the server as well)

If I replace the RV082 with my Airport Extreme from Apple it is working fine. In fact it is the first time in the two years I have been using this VPN client that I have had such an issue. I travel extensively and use my PC in thousands of different places.

Best Regards

Jean-Eric


System Log
Current Time:    Sat Mar 27 12:15:23 2010

Time    Event-Type    Message
Mar 27 12:14:43 2010        Connection Accepted        UDP 10.92.0.1:67->255.255.255.255:68 on ixp1
Mar 27 12:14:43 2010        Connection Accepted        UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 27 12:14:43 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:14:43 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:14:44 2010        Connection Accepted        UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 27 12:14:45 2010        Connection Accepted        UDP 10.92.0.1:67->255.255.255.255:68 on ixp1
Mar 27 12:14:46 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:14:47 2010        Connection Accepted        UDP 192.168.1.101:60041->17.17.1.1:53 on ixp1
Mar 27 12:14:47 2010        Connection Accepted        UDP 192.168.1.101:60041->17.17.1.1:53 on ixp1
Mar 27 12:14:47 2010        Connection Accepted        UDP 192.168.1.101:60041->10.33.46.2:53 on ixp1
Mar 27 12:14:47 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:14:47 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:14:49 2010        Connection Accepted        UDP 192.168.1.101:53274->17.17.1.1:53 on ixp1
Mar 27 12:14:50 2010        Connection Accepted        UDP 192.168.1.101:53274->10.33.46.2:53 on ixp1
Mar 27 12:14:51 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:14:51 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:14:55 2010        Connection Refused - Policy violation        TCP 79.95.38.4:51936->189.122.154.191:6881 on ixp1
Mar 27 12:14:55 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:14:55 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:14:58 2010        Connection Refused - Policy violation        TCP 87.231.146.54:62614->189.122.154.191:6881 on ixp1
Mar 27 12:14:58 2010        Connection Accepted        UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 27 12:14:58 2010        Connection Accepted        UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 27 12:14:58 2010        Connection Accepted        UDP 192.168.1.102:2004->192.54.144.181:500 on ixp1
Mar 27 12:14:58 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:14:58 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:14:58 2010        Connection Refused - Policy violation        UDP 192.54.144.181:500->189.122.154.191:2004 on ixp1
Mar 27 12:14:58 2010        Connection Refused - Policy violation        UDP 192.54.144.181:500->189.122.154.191:2004 on ixp1
Mar 27 12:14:59 2010        Connection Refused - Policy violation        UDP 192.54.144.181:500->189.122.154.191:2004 on ixp1
Mar 27 12:14:59 2010        Connection Refused - Policy violation        UDP 192.54.144.181:500->189.122.154.191:2004 on ixp1
Mar 27 12:15:00 2010        Connection Accepted        UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 27 12:15:01 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:15:01 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:15:01 2010        Connection Refused - Policy violation        UDP 192.54.144.181:500->189.122.154.191:2004 on ixp1
Mar 27 12:15:01 2010        Connection Refused - Policy violation        UDP 192.54.144.181:500->189.122.154.191:2004 on ixp1
Mar 27 12:15:02 2010        Connection Accepted        UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 27 12:15:03 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:15:03 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:15:04 2010        Connection Accepted        UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 27 12:15:04 2010        Connection Accepted        UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 27 12:15:04 2010        Connection Refused - Policy violation        UDP 192.54.144.181:500->189.122.154.191:2004 on ixp1
Mar 27 12:15:04 2010        Connection Refused - Policy violation        UDP 192.54.144.181:500->189.122.154.191:2004 on ixp1
Mar 27 12:15:05 2010        Connection Refused - Policy violation        UDP 192.54.144.181:500->189.122.154.191:2004 on ixp1
Mar 27 12:15:05 2010        Connection Refused - Policy violation        UDP 192.54.144.181:500->189.122.154.191:2004 on ixp1
Mar 27 12:15:06 2010        Connection Accepted        UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 27 12:15:06 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:15:06 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:15:08 2010        Connection Accepted        UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 27 12:15:08 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:15:08 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:15:10 2010        Connection Refused - Policy violation        UDP 192.54.144.181:500->189.122.154.191:2004 on ixp1
Mar 27 12:15:10 2010        Connection Refused - Policy violation        UDP 192.54.144.181:500->189.122.154.191:2004 on ixp1
Mar 27 12:15:11 2010        Connection Refused - Policy violation        UDP 192.54.144.181:500->189.122.154.191:2004 on ixp1
Mar 27 12:15:11 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:15:13 2010        Connection Refused - Policy violation        UDP 192.54.144.181:500->189.122.154.191:2004 on ixp1
Mar 27 12:15:13 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:15:13 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:15:14 2010        Connection Refused - Policy violation        UDP 192.54.144.181:500->189.122.154.191:2004 on ixp1
Mar 27 12:15:14 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:15:16 2010        Connection Refused - Policy violation        UDP 192.54.144.181:500->189.122.154.191:2004 on ixp1
Mar 27 12:15:16 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:15:16 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:15:17 2010        Connection Accepted        UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 27 12:15:17 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:15:17 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:15:18 2010        Connection Accepted        UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 27 12:15:18 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:15:18 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:15:19 2010        Connection Accepted        UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 27 12:15:19 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:15:19 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:15:20 2010        Connection Refused - Policy violation        UDP 192.54.144.181:500->189.122.154.191:2004 on ixp1
Mar 27 12:15:21 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:15:21 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:15:21 2010        Connection Refused - Policy violation        UDP 192.54.144.181:500->189.122.154.191:2004 on ixp1
Mar 27 12:15:22 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:15:22 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin
Mar 27 12:15:23 2010        Connection Refused - Policy violation        UDP 192.54.144.181:500->189.122.154.191:2004 on ixp1
Mar 27 12:15:23 2010         Authentication Success        HTTP Basic authentication succeeded for user: admin

This is the part that I find interesting

Mar 27 12:14:58 2010        Connection Accepted        UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 27 12:14:58 2010        Connection Accepted        UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 27 12:14:58 2010        Connection Accepted        UDP 192.168.1.102:2004->192.54.144.181:500 on ixp1

from the looks of it, I would bet that your client first calls the server on 192.54.144.181 but requests a configuration or just an IP address first. This happens before the authentication between your client application and the remote server begins. At this point you receive an IP address of 10.11.0.x and now the client begins to authenticate on 10.11.0.x; which the router denies.

Mar 27 12:14:58 2010        Connection Refused - Policy violation        UDP 192.54.144.181:500->189.122.154.191:2004 on ixp1
Mar 27 12:14:58 2010        Connection Refused - Policy violation        UDP 192.54.144.181:500->189.122.154.191:2004 on ixp1
Mar 27 12:14:59 2010        Connection Refused - Policy violation        UDP 192.54.144.181:500->189.122.154.191:2004 on ixp1
Mar 27 12:14:59 2010        Connection Refused - Policy violation        UDP 192.54.144.181:500->189.122.154.191:2004 on ixp1

Which is why our destination is now the WAN interface. I am trying to put this conversation together from the log but I may not be following it correctly, so please let me know if I am in left field.

The RV0x routers are also firewalls and inspect traffic more so than the Airport Extreme and most consumer appliances so it is not surprising that the AEBS has no problems. One thing to note, is there any other device (AEBS, router, etc.) connected in between you and the RV042? Also, when you are connecting via your VPN client are you heading out the Ethernet port or Airport? Make sure you have the services configured so the proper priority is given to the correct interface. Continuing on that note, does the VPN client create an interface on your Mac?

Check System Preferences > Network. If it did create an interface, make sure it has the highest priority.
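
The pattern picked out of the router log in this exchange (an accepted outbound UDP/500 request followed by refused replies from the same peer) can be extracted mechanically. This is an added example, not part of the original thread; the function name is hypothetical, and it assumes the router's NAT kept the client's source port, as the posted log lines show.

```python
import re
from collections import defaultdict

# Sample lines in the RV0x2 log format posted in this thread (constructed excerpt,
# including one truncated line and one unrelated refused TCP connection).
SAMPLE_LOG = """\
Mar 27 12:14:55 2010   Connection Refused - Policy violation   TCP 79.95.38.4:51936->189.122.154.191:6881 on ixp1
Mar 27 12:14:58 2010   Connection Accepted   UDP 10.11.0.1:67->255.255.255.255:68 on ixp1
Mar 27 12:14:58 2010   Connection Accepted   UDP 192.168.1.102:2004->192.54.144.181:500 on ixp1
Mar 27 12:14:58 2010   Authentication Success   HTTP Basic authentication succeeded for user: admin
Mar 27 12:14:58 2010   Connection Refused - Policy violation   UDP 192.54.144.181:500->189.122.154.191:2004 on ixp1
Mar 27 12:14:59 2010   Connection Refused - Policy violation   UDP 192.54.144.181:500->189.122.154.191:2004 on ixp1
Mar 27 12:15:01 2010   Connecti
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})\s+"
    r"Connection\s+(?P<verdict>Accepted|Refused - Policy violation)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<src>[\d.]+):(?P<sport>\d+)->"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+on\s+(?P<ifc>\S+)$"
)

IKE_PORTS = (500, 4500)  # ISAKMP/IKE and IKE NAT-T


def find_dropped_replies(log_text, ports=IKE_PORTS):
    """Pair accepted outbound IKE requests with refused replies from the same peer.

    Assumption: the router's NAT kept the client's source port, as in the posted
    logs (2004 -> 2004), so the reply's destination port identifies the request.
    """
    outbound = {}                # (proto, peer_ip, peer_port, client_port) -> client_ip
    refused = defaultdict(list)  # same key -> [(timestamp, wan_ip), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue             # auth events, truncated or unrelated lines
        sport, dport = int(m["sport"]), int(m["dport"])
        if m["verdict"] == "Accepted" and dport in ports:
            outbound.setdefault((m["proto"], m["dst"], dport, sport), m["src"])
        elif m["verdict"] != "Accepted" and sport in ports:
            refused[(m["proto"], m["src"], sport, dport)].append((m["ts"], m["dst"]))

    findings = []
    for key, hits in refused.items():
        if key not in outbound:
            continue             # unsolicited inbound traffic, not a dropped reply
        proto, peer_ip, peer_port, client_port = key
        findings.append({
            "client": f"{outbound[key]}:{client_port}",
            "peer": f"{peer_ip}:{peer_port}",
            "proto": proto,
            "wan_ip": hits[0][1],
            "refused_replies": len(hits),
            "first_refused": hits[0][0],
        })
    return findings


if __name__ == "__main__":
    for f in find_dropped_replies(SAMPLE_LOG):
        print(f"{f['client']} -> {f['peer']} ({f['proto']}): "
              f"{f['refused_replies']} replies refused at WAN {f['wan_ip']}")
```

A non-empty result means the router itself is discarding return traffic for a flow it allowed out, which points at the router's firewall or NAT state rather than at the client or the remote gateway.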

Vladimir Barmin
Level 1

It turned out that once you disable the UPNP function on the router the problem disappears. This works for me as I do not need upnp but IPSec VPN back to the office is critical.

napaul511
Level 1

I have the problem too.

CISCO RV042G V3, latest firmware

v4.2.2.08

But the old device, a LINKSYS RV042, has the same config, and a computer behind the router can use the Cisco VPN client normally.

1.3.13.02-tm