
SRP527W Disabling SPI

mschweiger
Level 1

Hi,

I have a client that we are troubleshooting an issue with SSH and FTP sessions dropping out.

I have disabled the SPI Firewall during our debugging, however when we set SPI to disabled, the client loses all internet connectivity from the internal VLANs.

PVC0 is connected, I can connect remotely to the device.

Enabling the SPI feature restores connectivity.

They are running firmware v1.01.19 and have no Internet Access Control rules or web filters that would block traffic.

Has anyone seen this behaviour before?

Thanks

Mark.


Andrew Hickman
Cisco Employee

Hi Mark,

I just tried this with my SRP527 over ADSL (firmware is 1.1.19(004) ) and I get a connection to the Internet with or without firewall enabled.

Andy

Jiriteach
Level 1

I'm running this similar configuration with SPI disabled and have no problems with my ADSL connection. This is running the latest firmware.

Cheers

mschweiger
Level 1

Thanks Andrew and Jithen for checking this out on your configurations.

The client has multiple VLANs in place (there are 2 organisations sharing this router/adsl connection).

InterVLAN routing is disabled to prevent the 2 organisations seeing each other's networks.

I have done some more investigation and testing and found the following:

- If I disable SPI with InterVLAN routing disabled, no connectivity.

- If I disable SPI with InterVLAN routing enabled connectivity is ok.

Any chance you could confirm whether you have multiple vlans and/or intervlan routing enabled/disabled?

Turning on vlan routing is not really an option for a permanent solution moving forward.

Thanks again for your input.

Mark.

Hi Mark,

Thanks very much for the feedback.  I can see the same behaviour on my system (no connectivity when both firewall and interVLAN routing are disabled).

I'll raise a defect ticket for this right away.

In the meantime, is it essential that you have the firewall disabled for your application? (I'm assuming that you have NAT enabled)

Regards,

Andy

Thanks Andy,

That's great news (I'm not going crazy)

NAT is enabled so I can do without the firewall for the moment.  I have disabled it to see if it is causing some issues with ssh and sftp connections dropping/timing out.

I do need to have InterVLAN routing enabled though as there are 2 clients on this site sharing the internet connection. It has been nice to keep their network separated (although they are friendly and do work together). The more important thing is that there is a 3rd vlan for guest wireless access for when their clients come onsite for presentations etc. I have had to disable this vlan while intervlan routing is disabled. (Hope this makes sense)

If there is anything I can help with, collecting more data/logs for the incident, please let me know.

Mark.

Thanks Mark,

This is great feedback.  Could you provide any additional information of the inbound connection failures?

Andy

Hi Andrew,

Below is the description of the issue as provided by the client:

"If I have a ssh connection open to an external server (any server) the connection will stall and or drop after approx 5 minutes.
We also have the same problem with ftp connections - when there is data flow it stays connected but as soon as the data flow stops the connection will be dropped. This is both inbound and outbound ftp and ssh connections.

We are all experiencing this on multiple machines and it doesn't matter if you are connected via wireless or wired."

I had suspected the SPI connection pool perhaps filling up or timing out, hence attempting to disable it to debug.

Thanks

Mark.