RVS4000 V1 tracks some VLAN to VLAN connections backwards

Firmware: V1.3.3.5
Operation Mode: Gateway
VLANs: 4, one per LAN subnet
Inter-VLAN Routing: Enabled

I've got all of the management interfaces of the infrastructure devices (switches, UPS, WAPs) on the default VLAN 1, which is configured as untagged on all relevant ports. I've noticed that the router will track most of the routed connections from the non-default VLANs to devices on the default VLAN backwards, where the destination is listed as the source and vice versa, often with the SYN_SENT state instead of ESTABLISHED as reported by the source.

I get this information from the IP Conntrack view launched from the Status/Gateway screen. This is how a telnet connection from a computer on the guest VLAN 3, subnet to the default mgmt VLAN 1, subnet looks in IP Conntrack:

Basic Information              Original Direction                                          Reply Direction
Protocol  Life Time  State     Source IP  Source Port  Destination IP  Destination Port   Source IP  Source Port  Destination IP  Destination Port
TCP       44         SYN_SENT             23                           50196                         50196                        23

Also, there are corresponding entries in the router's access log:

Jan 29 22:26:00 - [Access Log]I TCP Packet - -->

Notice that it is incoming, as expected, as opposed to outgoing (to the WAN port).

I know that these are routed connections, because when I turn off Inter-VLAN Routing, I cannot make any connections from one VLAN subnet to another.

This reversed connection tracking anomaly is causing the firewall ACLs that I have implemented to block traffic from the guest VLAN (3) to the default (infrastructure) VLAN to not work, since ACLs are defined based on source IP and destination IP. Connections to VLANs other than the default appear as expected in the access log and the IP Conntrack view.

Is this a known bug with the RVS4000 V1?
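As an added example (not part of the original post or any Cisco tool), the following script parses rows in the column layout of the RVS4000 IP Conntrack view and flags the symptom described above: entries whose "original" direction starts at a service port and ends at an ephemeral port, with a source/destination ACL check showing why such an entry slips past a guest-to-management rule. The sample rows and the guest/management subnets (198.51.100.0/24 and 192.0.2.0/24) are constructed placeholders; the post does not give the real addresses.

```python
"""Parse rows from a conntrack view laid out like the RVS4000 "IP Conntrack"
screen, flag entries whose original direction looks reversed, and show which
of them a source/destination ACL keyed on the original tuple would miss.
Added example, not code from the original post or from Cisco."""
import ipaddress
from dataclasses import dataclass

# Assumed placeholder subnets (RFC 5737 documentation ranges) standing in
# for the poster's guest VLAN 3 and management VLAN 1, which the post omits.
GUEST_NET = ipaddress.ip_network("198.51.100.0/24")
MGMT_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample rows in the column order of the conntrack view:
# Protocol, Life Time, State, original src ip/port, original dst ip/port,
# reply src ip/port, reply dst ip/port.  Row 1 mirrors the post's telnet
# entry: port 23 appears as the original *source* port.
SAMPLE_CONNTRACK = """\
TCP 44 SYN_SENT 192.0.2.10 23 198.51.100.20 50196 198.51.100.20 50196 192.0.2.10 23
TCP 431999 ESTABLISHED 198.51.100.20 50197 203.0.113.5 22 203.0.113.5 22 198.51.100.20 50197
TCP 30 SYN_SENT 198.51.100.21 50300 192.0.2.11 80 192.0.2.11 80 198.51.100.21 50300
UDP 29 - 198.51.100.22 52000 192.0.2.1 53 192.0.2.1 53 198.51.100.22 52000
"""

# Well-known ports the heuristic treats as server-side (assumed list).
SERVICE_PORTS = frozenset({22, 23, 80, 443, 161})


@dataclass
class Entry:
    proto: str
    lifetime: int
    state: str
    osrc: str
    osport: int
    odst: str
    odport: int
    rsrc: str
    rsport: int
    rdst: str
    rdport: int


def parse_conntrack(text):
    """Split whitespace-separated rows into Entry objects; malformed rows are skipped."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 11:
            continue
        entries.append(Entry(f[0], int(f[1]), f[2],
                             f[3], int(f[4]), f[5], int(f[6]),
                             f[7], int(f[8]), f[9], int(f[10])))
    return entries


def reply_mirrors_original(e):
    """Sanity check: the reply tuple must be the original tuple with ends swapped."""
    return (e.rsrc, e.rsport, e.rdst, e.rdport) == (e.odst, e.odport, e.osrc, e.osport)


def looks_reversed(e):
    """Heuristic for the anomaly in the post: the tracker's 'original' direction
    starts at a service port and lands on an ephemeral port, i.e. it believes
    the server opened the connection."""
    return (e.proto == "TCP"
            and e.osport in SERVICE_PORTS
            and e.odport >= 1024
            and e.odport not in SERVICE_PORTS)


def acl_matches(e, src_net, dst_net):
    """A source/destination ACL evaluated on the original direction only."""
    return (ipaddress.ip_address(e.osrc) in src_net
            and ipaddress.ip_address(e.odst) in dst_net)


def audit(text, src_net=GUEST_NET, dst_net=MGMT_NET):
    """Return (entry, acl_hit, reversed) for each flow whose endpoints span
    src_net and dst_net in either direction, so flows the ACL misses because
    they were tracked backwards stand out."""
    results = []
    for e in parse_conntrack(text):
        a, b = ipaddress.ip_address(e.osrc), ipaddress.ip_address(e.odst)
        spans = (a in src_net and b in dst_net) or (a in dst_net and b in src_net)
        if spans:
            results.append((e, acl_matches(e, src_net, dst_net), looks_reversed(e)))
    return results


if __name__ == "__main__":
    for e, hit, rev in audit(SAMPLE_CONNTRACK):
        print(f"{e.proto:3} {e.state:12} {e.osrc}:{e.osport} -> {e.odst}:{e.odport} "
              f"acl_hit={hit} reversed={rev}")
```

Running it prints one line per guest/management flow; the telnet-style row is the only one with acl_hit=False and reversed=True, which is exactly the gap the post describes: a rule written as "deny guest subnet to management subnet" never sees a tuple whose recorded source is the management host.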
