RV042G Connection Refused - Policy Violation LAN to WAN

junkycosmos, Level 1

This might be a newbie question, but my firewall log is full of entries listing policy violation rejections. These look like traffic from LAN to WAN that is being rejected, right? If so, why?

Jul 24 00:15:49 2012    Connection Refused - Policy violation    TCP 192.168.1.150:53668->174.36.2.91:80 on eth1

Jul 24 00:11:55 2012    Connection Refused - Policy violation    TCP 192.168.1.114:49229->17.172.232.196:5223 on eth1

Jul 24 00:09:58 2012    Connection Refused - Policy violation    TCP 192.168.1.109:50606->74.125.142.193:443 on eth1

Jul 23 23:59:45 2012    Connection Refused - Policy violation    TCP 192.168.1.150:53639->174.36.2.91:80 on eth1

Jul 23 23:57:12 2012    Connection Refused - Policy violation    TCP 192.168.1.114:49229->17.172.232.196:5223 on eth1

Jul 23 23:54:58 2012    Connection Refused - Policy violation    TCP 192.168.1.109:50606->74.125.142.193:443 on eth1

Jul 23 23:49:39 2012    Connection Refused - Policy violation    TCP 192.168.1.150:53627->174.36.2.91:80 on eth1

Jul 23 23:45:22 2012    Connection Refused - Policy violation    TCP 192.168.1.109:50605->74.125.142.193:443 on eth1

Jul 23 23:43:39 2012    Connection Refused - Policy violation    TCP 192.168.1.150:53587->174.36.2.91:80 on eth1

Jul 23 23:42:12 2012    Connection Refused - Policy violation    TCP 192.168.1.114:49229->17.172.232.196:5223 on eth1

Jul 23 23:40:08 2012    Connection Refused - Policy violation    TCP 192.168.1.109:50606->74.125.142.193:443 on eth1

Jul 23 23:33:07 2012    Connection Refused - Policy violation    TCP 192.168.1.150:53565->174.36.2.91:80 on eth1

Noted that most of the rejections are in the 40,000-60,000 port range.

new RV042G

WAN 1 set to 10.x

LAN 192.168.1.1

Only has the default access rules in place:

 #   Action  Service          Source Interface  Source  Destination  Time
 1.  Allow   All Traffic [1]  LAN               Any     Any          Always
 2.  Deny    All Traffic [1]  WAN1              Any     Any          Always
 3.  Deny    All Traffic [1]  WAN2              Any     Any          Always

Have tried reflashing firmware to the current version (was already on it), disabling SPI, disabling Denial of Service; all no change.

Thanks for any input on why the FW log is full of these rejections.

Separate question on logs; is this right?

Outgoing Log Table is always empty

Incoming Log Table is always empty

Access log is always empty

Also noted another issue with logging; bug? When the router was brand new out of the box and again after the firmware flash:

* the "All" dropdown of System Log was BLANK, not logging any entries, although other dropdowns such as "System Log" and "Firewall Log" were

* email alerts were not being triggered for log entries

* the Clear Log button appears to resolve the issue, after which "All" shows all entries now

Thanks

Jeff


junkycosmos, Level 1

Would anyone here agree that these rejections could be considered "normal" as created by the default rule set? If so, why does the default rule of "allow all LAN to WAN" traffic not allow all of the above?

After a few conversations with some solid tech support folks, what I have been told multiple times is that "this is a common issue" with the RV series. Specifically, these routers 'consider broken TCP sessions' policy violations and log them as such.

Everyone who has reviewed TCP session dumps pretty much agrees these look to be broken TCP sessions (where the destination has closed the connection but the sender (LAN client) attempts to continue the old session instead of recognizing that the session is closed and opening a new session). This does raise the question of whether there might be a deeper issue with these routers not passing session closure messages back to the LAN clients; however, that is a bit harder to conclude.

In my last conversation I specifically requested that a bug be opened with a request that "broken TCP sessions" or "invalid TCP session requests" be called out as a separate item in the log (via a separate option). The main problem with broken TCP sessions being logged as policy violations is that writing them to the log as a policy violation effectively triggers email notification and also fills the log. Due to these persistent entries in the log, a reasonable user cannot make use of the "log policy violations" option to keep track of real policy violations, i.e. the static of these false alarms renders the logging feature useless.

Thankfully, here is the recent update I received from support:

On Tue, Oct 9, 2012 at 5:28 PM, <adelano@cisco.com> wrote:

Greetings,

The following is a case status update courtesy notice.
The issue you reported remains open with Engineering & Development teams.
This issue may be addressed in a forthcoming Maintenance Release firmware, however there is no ETA for this release. We will continue to monitor Engineering & Development team progress and notify you as soon as any updated information becomes available. Please let us know if you have any questions.

Alex XXXXXXXX
Support Engineer
Cisco Systems Inc.
Phone: 949-823-XXXX | Email: XXXX@cisco.com
Hours: 8:00 AM to 5:00 PM (PST), Monday ~ Friday
Cisco Small Business Support contacts: http://www.cisco.com/go/sbsc
Cisco Small Business Support Community: https://supportforums.cisco.com/community/netpro/small-business

We have three of the RV042G and I have recently been having trouble at our main office with intermittent internet connections and found tons of these "Connection Refused - Policy violation" errors in the log. I tried finding a firmware update but all I can find is one link that says "V3 Hardware Required" and our routers are "V01". I am surprised to see how many pages come up when I googled this "Connection Refused" issue for this model. I contacted Cisco support and am waiting for a callback regarding the availability of updated firmware. Hopefully they will have some answers.

Hi Dan, RV042G has only 1 hardware version. The RV042 has v1, v2, v3. The RV042G uses the same firmware as a RV042 v3.

Here's the software link

http://software.cisco.com/download/release.html?mdfid=284170426&catid=268437899&softwareid=282465789&release=4.2.1.02&relind=AVAILABLE&rellifecycle=&reltype=latest

A lot of the time the policy violation errors are a result of TCP sessions that do not terminate, generating a lot of log messages.

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/

Tom,

Thank you for the link and the clarification. Maybe Cisco will update the description on the download page. It is very confusing when the link says "V3 Hardware Required" and the bottom of my router shows "V01".

As for the TCP sessions not terminating, I am not really sure what that means. Nothing has changed in our office lately except that web browsing has been slow and intermittent and I have started seeing lots of these "Connection Refused - Policy violation" errors in the log. Plugging directly into our Comcast gateway eliminates the issue. All of our workstations have static IPs and nothing has been added or changed recently. And I can see from the log that this issue is affecting all of them, not just one. Hopefully upgrading my firmware will help. I think the one on the download page is a few months newer than what is currently installed. I will post back if the issue continues.

Thanks,

Dan

I too have been told the same thing via my support case about TCP clients attempting to re-use connections that were already closed triggering policy violations.

What I have specifically asked for is that the real policy violations be separated in the logs (as a separate option) from the session warning messages, which we are being told these are. I opened the case in August 2012 and after many hours, in January 2013, support asked me for a new copy of firmware, settings and password (which they did not have before) to replicate the issue. Support has also been sending an update message, example below.

Aside from this I've also noticed that this router can be flaky about accepting updates to firewall rules. In my calls with support they all have suggested restarting the router after making changes; after some experience I can see why.

---------- Forwarded message ----------

From: Chandan X <X@cisco.com>

Date: Wed, Feb 13, 2013 at 1:18 PM

Subject: SR 622533979 - RV042G [WSU] Logging false positives for policy violations

To: X

Cc: X@cisco.com

Greetings,

The following is a case status update courtesy notice. The issue you reported remains open with Engineering & Development teams. This issue may be addressed in a forthcoming Maintenance Release firmware; however there is no ETA for this release. We will continue to monitor Engineering & Development team progress and notify you as soon as any updated information becomes available.

Please let us know if you have any questions.

--
Regards

We've been getting the same policy violations. I've spent way too much time tracing IPs etc.; the conclusion is that these are legit IPs and no one knows why, including the Cisco agents, which confounds me because if this is their device and they wrote the code then they should have an easy explanation of why this happens, if they know their code! Obviously we can only speculate why they don't tell us or don't know. All I know is that after a year's worth of troubleshooting I suspect that the device is intermittently slow; when I remove the device the speed improves, sometimes big time.

We use the device for its dual wan capability.


Dan Miley, Level 3

This is usually caused by a packet being sent using a connection that has already been closed.

This device has a stateful firewall that keeps track of SYN, SYN-ACK, FIN, sequence numbers, etc.

If you have a client running a web or Java app, the browser closes, or the customer hits the 'close' button, one end or the other may send a FIN packet to close the session.

Once the session is closed, the other end may also send a FIN to close the (already closed) connection. This is not part of a current session, nor the start of a new one, so it is dropped with a policy violation. If you look at the end of the message on newer firmware, the message might look like:

Wed Oct 07 17:48:03 2015;10.x.x.1; <1>Internet kernel: #warn<4>  Connection Refused - Policy violation: IN=eth0 OUT=eth1 SRC=10.x.x..126 DST=x.x.85.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=16202 DF PROTO=TCP SPT=63948 DPT=443 WINDOW=4110 RES=0x00 ACK FIN URGP=0

That seems to be what is going on in the log. Logging on the RV0xx is not very granular; it's really on or off. So I would suggest that in your syslogging you filter on these terms

"Connection Refused - Policy violation:"  and "ACK FIN"

using grep or the Windows find command on the log files. Kiwi Syslog will allow filtering of log messages and has many more features.

If you do a packet capture on the LAN side when these messages are logged, you will probably see one end of the connection close the session with a FIN, then the response with a FIN-ACK.

If these errors are a challenge for you, I would suggest updating to current firmware.

I looked at case 622533979 below, and they were provided a beta v4.2.2.07 but the case was closed with no response.

Current firmware today is 4.2.3.06, so the current firmware should have this fix included.

 

Dan
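The grep filter above only works on the newer firmware's log format, which carries the TCP flags; the older format in the opening post has no flags at all, only the 4-tuple. The following script is an added example (not code from the thread or from Cisco) that parses both formats, tags entries whose flags show a FIN/ACK/RST on an untracked flow as stale-session noise, and for flag-less lines falls back to the heuristic the thread itself observed: the same source:port -> dest:port logged repeatedly is a client retrying a dead session. Entries carrying a bare SYN are the ones that reflect an actual rule decision and are worth reviewing. The sample log lines are constructed for the example (addresses from the thread plus RFC 5737 documentation ranges); the category names and the repeat-tuple heuristic are the example's own assumptions.

```python
"""Separate stale-session noise from reviewable 'Policy violation' entries in RV042G syslog.

Added example; the classification rules are assumptions for illustration, not Cisco's.
"""
import re
from collections import Counter

# Older firmware format (seen in the opening post of the thread):
#   Jul 24 00:15:49 2012    Connection Refused - Policy violation    TCP 192.168.1.150:53668->174.36.2.91:80 on eth1
OLD_RE = re.compile(
    r"Connection Refused - Policy violation\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<spt>\d+)->(?P<dst>[\d.]+):(?P<dpt>\d+)\s+on\s+(?P<iface>\S+)"
)
# Newer firmware format: netfilter-style KEY=value fields followed by bare TCP flag tokens.
NEW_RE = re.compile(r"Connection Refused - Policy violation:\s*(?P<kv>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Return a dict for a policy-violation line in either format, or None for other lines."""
    m = NEW_RE.search(line)
    if m:
        fields, flags = {}, set()
        for tok in m.group("kv").split():
            if "=" in tok:
                k, v = tok.split("=", 1)
                fields[k] = v
            elif tok in TCP_FLAGS:      # bare tokens such as "ACK FIN"; "DF" is ignored
                flags.add(tok)
        if "SRC" not in fields:
            return None
        return {"proto": fields.get("PROTO"), "src": fields["SRC"], "spt": int(fields.get("SPT", 0)),
                "dst": fields.get("DST"), "dpt": int(fields.get("DPT", 0)),
                "iface": fields.get("OUT") or fields.get("IN"), "flags": flags, "has_flags": True}
    m = OLD_RE.search(line)
    if m:
        d = m.groupdict()
        return {"proto": d["proto"], "src": d["src"], "spt": int(d["spt"]),
                "dst": d["dst"], "dpt": int(d["dpt"]), "iface": d["iface"],
                "flags": set(), "has_flags": False}
    return None


def classify(entries):
    """Tag each entry in place (assumed categories):
    - new_connection: bare SYN rejected -> a real rule decision, worth reviewing
    - stale_session : FIN/ACK/RST on a flow the firewall no longer tracks (late close)
    - unknown       : old format with no flags and no repeat of the 4-tuple
    Old-format lines fall back to the thread's heuristic: a 4-tuple logged more than once
    is a client re-sending on a connection that was already torn down."""
    tuples = Counter((e["src"], e["spt"], e["dst"], e["dpt"]) for e in entries)
    for e in entries:
        if e["has_flags"]:
            if "SYN" in e["flags"] and "ACK" not in e["flags"]:
                e["kind"] = "new_connection"
            elif e["flags"] & {"FIN", "ACK", "RST"}:
                e["kind"] = "stale_session"
            else:
                e["kind"] = "unknown"
        else:
            key = (e["src"], e["spt"], e["dst"], e["dpt"])
            e["kind"] = "stale_session" if tuples[key] > 1 else "unknown"
    return entries


def summarize(lines):
    """Return (Counter of kinds, list of entries that are not stale-session noise)."""
    entries = classify([e for e in map(parse_line, lines) if e])
    counts = Counter(e["kind"] for e in entries)
    review = [e for e in entries if e["kind"] != "stale_session"]
    return counts, review


# Constructed sample: three old-format lines (two repeat the same 4-tuple), one new-format
# late FIN like the one quoted above, one new-format bare SYN to port 23, one unrelated line.
SAMPLE_LOG = [
    "Jul 24 00:15:49 2012    Connection Refused - Policy violation    TCP 192.168.1.150:53668->174.36.2.91:80 on eth1",
    "Jul 24 00:11:55 2012    Connection Refused - Policy violation    TCP 192.168.1.114:49229->17.172.232.196:5223 on eth1",
    "Jul 23 23:57:12 2012    Connection Refused - Policy violation    TCP 192.168.1.114:49229->17.172.232.196:5223 on eth1",
    "Wed Oct 07 17:48:03 2015;192.168.1.1; <1>Internet kernel: #warn<4>  Connection Refused - Policy violation: "
    "IN=eth0 OUT=eth1 SRC=192.168.1.126 DST=203.0.113.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=16202 DF "
    "PROTO=TCP SPT=63948 DPT=443 WINDOW=4110 RES=0x00 ACK FIN URGP=0",
    "Wed Oct 07 17:49:10 2015;192.168.1.1; <1>Internet kernel: #warn<4>  Connection Refused - Policy violation: "
    "IN=eth0 OUT=eth1 SRC=192.168.1.77 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF "
    "PROTO=TCP SPT=44444 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jul 24 00:00:00 2012    System Log    alert mail sent",
]

if __name__ == "__main__":
    counts, review = summarize(SAMPLE_LOG)
    print(dict(counts))
    for e in review:
        print(e["kind"], e["proto"], f'{e["src"]}:{e["spt"]} -> {e["dst"]}:{e["dpt"]}', sorted(e["flags"]))
```

Feed it the exported syslog (one line per list element) and only the `review` list needs a human's eyes; the stale-session entries are exactly what the "ACK FIN" grep would have removed, plus the flag-less repeats that grep cannot see.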

Hi Dan,

Thanks for the info and reply here. I spent a lot of my time here on this three years back and note my posting in the forum here was only after TAC cases really went little distance. Yes indeed, after a long time (4 months) they did offer a beta firmware, but I noted there were still issues in the logging that persisted. (The unit really should not continue to send alarm mails every X interval when the only new log entry since the prior alert mail is 'alert mail sent'.) I believe you that the case was closed with no contact; however, I would note some inaccuracy there. It was a long time back, though, and not of much value to pursue. On my last contact with Cisco asking for status on this I was greeted with the message of 'sorry, you are past the included support SLA that came with purchase' and asked if I wanted to pay for further support. After clarifying that this included prior issues and referencing my case, he was polite and filed it as a presales call, but I never heard anything other than presales back.

Your reply is still sincerely appreciated and I suppose of good value since the firmware version is notably different now. Also I will note that I did remove this unit from main service and put it into one of the BCP setups back when I reported this issue and during the massive time spent troubleshooting, from lack of confidence in what the unit was doing. However, in that capacity the unit has been stable, although it does not see much active use.

 

cheers

J

These RV0xx series routers are really workhorses. They can do 50 VPN tunnels, dual WAN with load balance, etc., but do have some limitations.

Log filtering is definitely one of them. I have not used the email feature much, as most of my sites archive the logs for compliance, etc. I would suggest moving the logs to a server using syslog, then filtering the logs using tools on the PC.

There are multiple logging resources on the internet to allow you to capture, filter, alert on, and react to log messages.

A couple I can think of are:

tftpd32, slogd, SolarWinds have free syslog collectors

Kiwi Syslog - allows multiple log queues, with filters and alerts; there is a crippleware version which is fully functioning except for ..., and a paid version.

Sawmill - as you might expect, cuts up logs. This used to be free, but I think it's paid now.

SolarWinds, Perl scripts, etc. can all be used to limit the log messages and filter out ones that are not interesting.

Cisco has multiple log and event correlation tools also.

https://supportforums.cisco.com/discussion/12037211/best-tool-log-correlation

NCI in any of these (except Cisco, who pays my salary :) and yes, they are pretty firm about being under a support contract or warranty to get tech support.

That's why there is free support here.

https://supportforums.cisco.com/community/5931/network-management

 

dlm...

 
