07-23-2012 11:00 PM
This might be a newbie question, but my firewall log is full of entries listing policy violation rejections. These look like traffic from LAN to WAN that is being rejected, right? If so, why?
Jul 24 00:15:49 2012 Connection Refused - Policy violation TCP 192.168.1.150:53668->174.36.2.91:80 on eth1
Jul 24 00:11:55 2012 Connection Refused - Policy violation TCP 192.168.1.114:49229->17.172.232.196:5223 on eth1
Jul 24 00:09:58 2012 Connection Refused - Policy violation TCP 192.168.1.109:50606->74.125.142.193:443 on eth1
Jul 23 23:59:45 2012 Connection Refused - Policy violation TCP 192.168.1.150:53639->174.36.2.91:80 on eth1
Jul 23 23:57:12 2012 Connection Refused - Policy violation TCP 192.168.1.114:49229->17.172.232.196:5223 on eth1
Jul 23 23:54:58 2012 Connection Refused - Policy violation TCP 192.168.1.109:50606->74.125.142.193:443 on eth1
Jul 23 23:49:39 2012 Connection Refused - Policy violation TCP 192.168.1.150:53627->174.36.2.91:80 on eth1
Jul 23 23:45:22 2012 Connection Refused - Policy violation TCP 192.168.1.109:50605->74.125.142.193:443 on eth1
Jul 23 23:43:39 2012 Connection Refused - Policy violation TCP 192.168.1.150:53587->174.36.2.91:80 on eth1
Jul 23 23:42:12 2012 Connection Refused - Policy violation TCP 192.168.1.114:49229->17.172.232.196:5223 on eth1
Jul 23 23:40:08 2012 Connection Refused - Policy violation TCP 192.168.1.109:50606->74.125.142.193:443 on eth1
Jul 23 23:33:07 2012 Connection Refused - Policy violation TCP 192.168.1.150:53565->174.36.2.91:80 on eth1
Noted that most of the rejections are in the 40,000-60,000 port range.
new RV042G
WAN 1 set to 10.x
LAN 192.168.1.1
Only has default access rules in place of:
Action Interface SourceInterface Source Destination Time
1. Allow All Traffic [1] LAN Any Any Always
2. Deny All Traffic [1] WAN1 Any Any Always
3. Deny All Traffic [1] WAN2 Any Any Always
Have tried reflashing firmware to the current version (was already on it), disabling SPI, and disabling Denial of Service, all with no change.
Thanks for any input on why the FW log is full of these rejections.
Separate question on logs; is this right?
Outgoing Log Table is always empty
Incoming Log Table is always empty
Access log is always empty
Also noted another issue with logging; bug? When the router was brand new out of the box and again after the firmware flash:
* the "All" dropdown of System Log was BLANK, not logging any entries, although other dropdowns such as "System Log" and "Firewall Log" were
* email alerts were not being triggered for log entries
* clear log button appears to resolve the issue after which the ALL shows all entries now
Thanks
Jeff
08-15-2012 08:19 AM
Would anyone here agree that these rejections could be considered "normal" as created by the default rule set? If so, why does the default rule of "allow all LAN to WAN" traffic not allow all of the above?
10-11-2012 02:02 PM
After a few conversations with some solid tech support folks, what I have been told multiple times is that "this is a common issue" with the RV series. Specifically, these routers 'consider broken TCP sessions' policy violations and log them as such.
Everyone who has reviewed TCP session dumps pretty much agrees these look to be broken TCP sessions (where the destination has closed the connection but the sender (LAN client) attempts to continue the old session, instead of recognizing that the session is closed and opening a new session). This does raise the question of whether there might be a deeper issue with these routers not passing session closure messages back to the LAN clients; however, that is a bit harder to conclude.
In my last conversation I specifically requested that a bug be opened with a request that "broken TCP sessions" or "invalid TCP session requests" be called out as a separate item in the log (via a separate option). The main problem with broken TCP sessions being logged as policy violations is that writing them to the log as a policy violation effectively triggers email notification and also fills the log. Due to these persistent entries in the log, a reasonable user cannot make use of the "log policy violations" option to keep track of real policy violations, i.e. the static of these false alarms renders the logging feature useless.
Thankfully, here is the recent update I received from support:
On Tue, Oct 9, 2012 at 5:28 PM, < > wrote:
Greetings,
The following is a case status update courtesy notice.
The issue you reported remains open with Engineering & Development teams.
This issue may be addressed in a forthcoming Maintenance Release firmware, however there is no ETA for this release. We will continue to monitor Engineering & Development team progress and notify you as soon as any updated information becomes available. Please let us know if you have any questions.
Alex XXXXXXXX
Support Engineer
Cisco Systems Inc.
Phone: 949-823-XXXX | Email: XXXX@cisco.com
Hours: 8:00 AM to 5:00 PM (PST), Monday ~ Friday
Cisco Small Business Support contacts: http://www.cisco.com/go/sbsc
Cisco Small Business Support Community: https://supportforums.cisco.com/community/netpro/small-business
02-12-2013 12:15 PM
We have three of the RV042G and I have recently been having trouble at our main office with intermittent internet connections and found tons of these "Connection Refused - Policy violation" errors in the log. I tried finding a firmware update but all I can find is one link that says "V3 Hardware Required" and our routers are "V01". I am surprised to see how many pages come up when I googled this "Connection Refused" issue for this model. I contacted Cisco support and am waiting for a callback regarding the availability of updated firmware. Hopefully they will have some answers.
02-12-2013 12:19 PM
Hi Dan, the RV042G has only 1 hardware version. The RV042 has v1, v2, v3. The RV042G uses the same firmware as an RV042 v3.
Here's the software link
A lot of the time the policy violation errors are a result of TCP sessions that do not terminate, generating a lot of log messages.
-Tom
Please mark answered for helpful posts
02-12-2013 12:43 PM
Tom,
Thank you for the link and the clarification. Maybe Cisco will update the description on the download page. It is very confusing when the link says "V3 Hardware Required" and the bottom of my router shows "V01".
As for the TCP sessions not terminating, I am not really sure what that means. Nothing has changed in our office lately except that web browsing has been slow and intermittent and I have started seeing lots of these "Connection Refused - Policy violation" errors in the log. Plugging directly into our Comcast gateway eliminates the issue. All of our workstations have static IPs and nothing has been added or changed recently. And I can see from the log that this issue is affecting all of them, not just one. Hopefully upgrading my firmware will help. I think the one on the download page is a few months newer than what is currently installed. I will post back if the issue continues.
Thanks,
Dan
02-14-2013 06:55 PM
I too have been told the same thing via my support case about TCP clients attempting to re-use connections that were already closed triggering policy violations.
What I have specifically asked for is that the real policy violations be separated in the logs (as a separate option) from the session warning messages, which we are being told these are. I opened the case in August 2012 and after many hours in January 2013 support asked me for a new copy of firmware, settings and password (which they did not have before) to replicate the issue. Support has also been sending an update message, example below.
Aside from this I've also noticed that this router can be flaky about accepting updates to firewall rules. In my calls with support they all have suggested restarting the router after making changes; after some experience I can see why.
---------- Forwarded message ----------
From:
Chandan X
Date: Wed, Feb 13, 2013 at 1:18 PM
Subject: SR 622533979 - RV042G [WSU] Logging false positives for policy violations
To: X
Cc: X@cisco.com
Greetings,
The following is a case status update courtesy notice. The issue you reported remains open with Engineering & Development teams. This issue may be addressed in a forthcoming Maintenance Release firmware; however there is no ETA for this release. We will continue to monitor Engineering & Development team progress and notify you as soon as any updated information becomes available.
Please let us know if you have any questions.
--
Regards
04-23-2013 10:29 AM
We've been getting the same policy violations. I've spent way too much time tracing IPs etc., and the conclusion is that these are legit IPs and no one knows why--including the Cisco agents, which confounds me because if this is their device and they wrote the code then they should have an easy explanation of why this happens--if they know their code! Obviously we can only speculate why they don't tell us or know. All I know is that after a year's worth of troubleshooting I suspect that the device is intermittently slow; when I remove the device the speed improves, sometimes big time.
We use the device for its dual wan capability.
junkycosmos wrote:
I too have been told the same thing via my support case about TCP clients attempting to re-use connections that were already closed triggering policy violations.
What I have specifically asked for is that the real policy violations be separated in the logs (as a separate option) from the session warning messages, which we are being told these are. I opened the case in August 2012 and after many hours in January 2013 support asked me for a new copy of firmware, settings and password (which they did not have before) to replicate the issue. Support has also been sending an update message, example below.
Aside from this I've also noticed that this router can be flaky about accepting updates to firewall rules. In my calls with support they all have suggested restarting the router after making changes; after some experience I can see why.
---------- Forwarded message ----------
From:
Chandan X
Date: Wed, Feb 13, 2013 at 1:18 PM
Subject: SR 622533979 - RV042G [WSU] Logging false positives for policy violations
To: X
Cc: X@cisco.com
Greetings,
The following is a case status update courtesy notice. The issue you reported remains open with Engineering & Development teams. This issue may be addressed in a forthcoming Maintenance Release firmware; however there is no ETA for this release. We will continue to monitor Engineering & Development team progress and notify you as soon as any updated information becomes available.
Please let us know if you have any questions.
--
Regards
10-09-2015 03:47 PM
This is usually caused by a packet being sent using a connection that has already been closed.
This device has a stateful firewall that keeps track of SYN, SYN-ACK, FIN, sequence numbers, etc.
If you have a client running a web or Java app and the browser closes, or the customer hits the 'close' button, one end or the other may send a FIN packet to close the session.
Once the session is closed, the other end may also send a FIN to close the (already closed) connection. This is not part of a current session and not the start of a new one, so it is dropped with a policy violation. If you look at the end of the message on newer firmware, the message might look like:
Wed Oct 07 17:48:03 2015;10.x.x.1; <1>Internet kernel: #warn<4> Connection Refused - Policy violation: IN=eth0 OUT=eth1 SRC=10.x.x..126 DST=x.x.85.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=16202 DF PROTO=TCP SPT=63948 DPT=443 WINDOW=4110 RES=0x00 ACK FIN URGP=0
That seems to be what is going on in the log. Logging on the RV0xx is not very granular; it's really on or off. So I would suggest that in your syslogging you filter on these terms
"Connection Refused - Policy violation:" and "ACK FIN"
using grep or the Windows find command on the log files. Kiwi Syslog will allow filtering of log messages and has many more features.
If you do a packet capture on the LAN side when these messages are logged, you will probably see one end of the connection close the session with a FIN, then the response with a FIN-ACK.
If these errors are a challenge for you, I would suggest updating to current firmware.
I looked at case 622533979 below, and they were provided a beta v4.2.2.07, but the case was closed with no response.
Current firmware today is 4.2.3.06,
so the current firmware should have this fix included.
Dan
10-09-2015 07:42 PM
Hi Dan,
Thanks for the info and reply here. I spent a lot of my time here on this three years back, and note my posting in the forum here was only after TAC cases really went little distance. Yes indeed, after a long time (4 months) they did offer a beta firmware, but I noted there were still issues in the logging that persisted. (The unit really should not continue to send alarm mails every X interval when the only new log entry since the prior alert mail is 'alert mail sent'.) I believe you that the case was closed with no contact; however, I would note some inaccuracy there, though it was a long time back and not of much value to pursue. On my last contact with Cisco asking for status on this I was greeted with the message of 'sorry, you are past your included support SLA included with purchase' and asked if I wanted to pay for further support. After clarifying that this included prior issues and referencing my case, he was polite and filed it as a presales call, but I never heard anything other than presales back.
Your reply is still sincerely appreciated, and I suppose of good value since the firmware version is notably different now. Also I will note that I did remove this unit from main service and put it into one of the BCP setups back when I reported this issue, during the massive time spent troubleshooting, from lack of confidence in what the unit was doing. However, in that capacity the unit has been stable, although it does not see much active use.
cheers
J
10-12-2015 09:25 AM
These RV0xx series routers are really workhorses. They can do 50 VPN tunnels, dual WAN with load balance, etc., but do have some limitations.
Log filtering is definitely one of them. I have not used the email feature much, as most of my sites archive the logs for compliance, etc. I would suggest moving the logs to a server using syslog, then filtering the logs using tools on the PC.
There are multiple logging resources on the internet that allow you to capture, filter, alert on, and react to log messages.
A couple I can think of are:
tftpd32, slogd, SolarWinds have free syslog collectors
Kiwi Syslog - allows multiple log queues, with filters and alerts; there is a crippleware version which is fully functioning except for ..., and a paid version.
Sawmill - as you might expect, cuts up logs. This used to be free, but I think it's paid now.
SolarWinds, Perl scripts, etc. can all be used to limit the log messages and filter out ones that are not interesting.
Cisco has multiple log and event correlation tools also.
https://supportforums.cisco.com/discussion/12037211/best-tool-log-correlation
NCI in any of these (except Cisco, who pays my salary :), and yes, they are pretty firm about being under a support contract or warranty to get tech support.
That's why there is free support here.
https://supportforums.cisco.com/community/5931/network-management
dlm...
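An added example, not from the thread or from Cisco, of the filtering the two posts above describe: once the logs are on a syslog server, this script parses both the older "src:port->dst:port" line format and the newer netfilter-style format, separates records whose TCP flags are a bare FIN/RST teardown (the stale-session noise) from anything that still deserves a look, and counts the repeating source/destination pairs. The sample lines are constructed for the example; the 10.1.1.x, 203.0.113.x and 198.51.100.x addresses are placeholders.

```python
import re
from collections import Counter

# Constructed sample log: two old-format lines as quoted in the thread, plus
# three newer-format lines with placeholder (RFC 5737 / private) addresses.
SAMPLE_LOG = """\
Jul 24 00:15:49 2012 Connection Refused - Policy violation TCP 192.168.1.150:53668->174.36.2.91:80 on eth1
Jul 23 23:59:45 2012 Connection Refused - Policy violation TCP 192.168.1.150:53639->174.36.2.91:80 on eth1
Wed Oct 07 17:48:03 2015;10.1.1.1; <1>Internet kernel: #warn<4> Connection Refused - Policy violation: IN=eth0 OUT=eth1 SRC=10.1.1.126 DST=203.0.113.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=16202 DF PROTO=TCP SPT=63948 DPT=443 WINDOW=4110 RES=0x00 ACK FIN URGP=0
Wed Oct 07 17:49:10 2015;10.1.1.1; <1>Internet kernel: #warn<4> Connection Refused - Policy violation: IN=eth1 OUT= SRC=198.51.100.7 DST=10.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Wed Oct 07 17:50:00 2015;10.1.1.1; <1>Internet kernel: #warn<4> Connection Refused - Policy violation: IN=eth0 OUT=eth1 SRC=10.1.1.126 DST=203.0.113.8 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=16300 DF PROTO=TCP SPT=63948 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
Jul 24 00:16:00 2012 System started
"""
# Old firmware: "Policy violation TCP a.b.c.d:sport->w.x.y.z:dport" (no TCP flags logged).
OLD_FMT = re.compile(r"Policy violation (?P<proto>\w+) (?P<src>[\d.]+):(?P<spt>\d+)->"
                     r"(?P<dst>[\d.]+):(?P<dpt>\d+)")
# Newer firmware: netfilter-style key=value fields; TCP flags sit between RES= and URGP=.
NEW_FMT = re.compile(r"Policy violation: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) "
                     r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) .*?RES=\S+\s*(?P<flags>[A-Z ]*?)\s*URGP=")

def parse(line):
    """Return the fields of a policy-violation line, or None for any other log line."""
    m = NEW_FMT.search(line) or OLD_FMT.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.setdefault("flags", None)   # old format carries no flags at all
    return rec

def classify(rec):
    """'stale-session' for a bare FIN/RST teardown, 'review' for anything else."""
    if rec["flags"] is None:
        return "unknown"            # old format: needs a packet capture to tell
    flags = set(rec["flags"].split())
    if "SYN" not in flags and flags & {"FIN", "RST"}:
        return "stale-session"      # teardown of a session the firewall no longer tracks
    return "review"                 # e.g. a bare SYN: a real blocked connection attempt

def triage(log_text):
    """Count records per class and per repeating (src, dst:dpt) pair."""
    counts, flows = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        counts[classify(rec)] += 1
        flows[(rec["src"], f"{rec['dst']}:{rec['dpt']}")] += 1
    return counts, flows
```

Run `triage(open("firewall.log").read())` on an exported log; the "review" bucket is the one worth reading, and the flow counter shows the same client socket retrying one closed session over and over, which is the pattern in the first post's log excerpt.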