Cisco RV340 - dropping syn/ack from website

CrazyEggHead · ‎01-08-2021

Hello All,

I currently have a 1GB symmetric internet connection through my ISP which uses a PPPoE login for its connection. I am using a Cisco RV340 as my router / PPPoE dialer and am running 1.0.03.20 firmware. I have a problem when I go to web URL https://admin.mailroute.net (IP 199.89.0.117). The main website https://mailroute.net works fine, but as soon as you click login you get redirected to the above. Topology is very basic:

ISP > Cisco RV340 > Client

The setup on the router is fairly basic right now, just have the PPPoE setup on the WAN, and not much else.

I have tried:

-Dropping MTU to 1400 (just in case it was MTU issue with PPPoE overhead)

-create static access rule to permit all (default canned is also set to permit all traffic)

-If I switch to a different vendor router with PPPoE this URL works fine.

-Downgraded to a firmware about 2 years old and tried the latest firmware within the past few months was released, same issue.

-Factory reset cisco router and performed basic setup again, same issue.

I'm at a loss, any input appreciated.

EggHead

Georg Pauwen · ‎01-08-2021

Hello,

is that a problem with just that one website ? I am wondering if that is PC specific...do you also get the redirect when you access the site from a different computer ?

CrazyEggHead · ‎01-08-2021

Hello,

So far it's just this one website that I've found. I have tested on multiple PC's, mostly windows 10, and also on a Windows 7 VM. Most windows 10 machines are on 2004/2009 update. I'm 99% sure it's not a PC issue. I did a port mirror on the uplink WAN port, and also a port mirror on the LAN side where a pc connected and found:
1. PC sends SYN up to website

2. Website responds with SYN/ACK

3. Firewall WAN port receives the SYN/ACK

4. Lan port never forwards back down the SYN/ACK to the client

Georg Pauwen · ‎01-08-2021

Hello,

what if (in case it is enabled) you turn the firewall on the RV340 off, and the Windows firewall as well?

CrazyEggHead · ‎01-08-2021

Hello,

With windows firewall + Cisco RV340 firewall disabled, still having the same issue. I should also note I do not have any additional licensing for the RV340 so all the additional IPS / Web Filtering features are disabled.

russellsherr · ‎01-14-2021

I have a similar issue

I have several URLs where SSL is very slow or never replies.

RV340 PPPoE -> 550Mbps line

Interestingly, the site that doesn't load on a windows device does load on an iOS device!!

tried adjusting MTU and turning firewall off etc...still no joy. it is weird the site loads on an iphone but not on a PC - will try OSX when i get a moment

Do you find the same?

Russell

CrazyEggHead · ‎01-14-2021

Hi Russell,

I've kind of noticed some sites will hang while loading and I have to refresh to get them to actually load. I have tried the https://admin.mailroute.net on my iphone 8 but it still won't load on that. Haven't found any other sites that will not load so far other than that specific one. I've had this router for about a month now.

I've see some other treads mentioning the RV340 will not allow through asynchronous traffic such as if you're using dual WAN and a packet goes out WAN1 and returns on WAN2, but that's definitely not the case with my setup as I'm only using WAN1 port.

CrazyEggHead

russellsherr · ‎01-14-2021

Hi CrazyEggHead,

OK - so get the same issue here

That page https://admin.mailroute.net does not load behind my RV340 but loads fine elsewhere, also page doesnt load on iPhone XR so there is clearly something chopping or messing the SSL response.

Single WAN link, no dual links configured etc...

GOing to dump the output to syslog and see if anything stands out

Really need to be able to raise with Cisco directly

Thanks

Russell

CrazyEggHead · ‎01-14-2021

Russel,

I took wireshark captures on both WAN and LAN ports with inline 3rd party switch with port mirroring. See attached. SYN from client to server work, server responds with SYN/ACK, RV340 never forwards it back down to client.

CrazyEggHead

russellsherr · ‎01-14-2021

interesting as this is what I am seeing in the logs

FIREWALL: DROP PACKET is not associated with an existing connectionsIN=eth3.100 OUT=ppoe-wan1p DST_MAC=10:f9:20:13:a9:3a SRC_MAC=:c4:9d:ed:1e:7e:1d src=192.168.2.105 DST=3.10.95.11 LEN=41 TOS=0x00 PREC=0x00 TTL=127 ID=61417 DF PROTO=TCP SPT=9227 DPT=443 WINDOW=510 RES=0x00 ACK URGP=0 MARK=0x100

it seems to suggest the session is being dropped or lost by the firewall or NAT before the reply comes back

CrazyEggHead · ‎01-14-2021

That dest IP of 3.10.95.11 looks to be solarwinds. I thought I had picked up the mailroute drop packet messages but after checking the destination IP I never saw any drop packet messages from the mailroute IP address.

russellsherr · ‎01-14-2021

That is one of many! I get for google DNS 8.8.4.4 for example

Its always TCP 443 sessions that are getting dropped or broken in this way nothing else it seems!

russellsherr · ‎01-14-2021

OK - I have raised a case with Cisco TAC - going to see what they say on the matter and let you know if we get anywhere

CrazyEggHead · ‎01-14-2021

Awesome, thanks so much. Will be interested to see what they come back with.

CrazyEggHead · ‎02-16-2021

Russell,

I decided to get rid of the Cisco RV340. I just wanted things to work without hassle. Went with another Vendor router and all my issues are gone. Hopefully you can make some headway with Cisco so the firmware eventually gets patched to fix this behavior for the sake of you and others.

CrazyEggHead