
Cisco RV 260 is getting "stuck" on configurations

cquiroz
Level 1

Good day community!!!

 

I am having this issue with my rv260. The thing is that I have a VPN and Port forwarding configured on the device. After a while (can be days) the configuration stops working even though it is still configured. The only way I have found to solve the issue is to disable and enable the port forwarding, same with the VPN. 

 

I have upgraded the router to the latest firmware; nonetheless, the issue is still happening. Can someone point me in the right direction?

industriagrey2.PNG

industriagrey.PNG

1 Accepted Solution


nagrajk1969
Spotlight

Hi

Thank you so much for your clarifications on each of the points. It's very much clearer now.

1. I am, for the sake of example, assuming that the ISP has allotted the public-ipaddress 40.40.40.44, static-nated to the wan-ipaddress of the RV260, which is 192.168.1.254

2. So that would mean that

a) The openvpn clients on the internet will actually be connecting to 40.40.40.44 and this will be (due to the static-nat/dnat) translated at the isp-router and simply forwarded up to 192.168.1.254, the wan-interface of the RV260

b) The same will be the case for softvpn ipsec clients: they will be connecting to 40.40.40.44, which will be dnated to 192.168.1.254 at the isp-router and forwarded up to the 192.168.1.254 wan-ipaddr of the RV260

c) Now the case of the port-forwarding rules applied on the RV260 - the wan-side-hosts on the internet will connect to 40.40.40.44, say for example udp-port-9000, and this will first be translated 1:1 at ip level on the ISP router to 192.168.1.254:9000-udp and forwarded to the RV260 wan-interface, where the port-forward-rule for udp-9000 will be hit and this packet will be further/again dnated to 192.168.10.x and routed on the vlan1 interface of the RV260

- the same behavior applies for the other port-forwarding rules on the RV260

3. I will do some further checks on this scenario/deployment in my network using RV260....

Meanwhile, can you do the below

a) In the Firewall section on the RV260, in basic-settings, uncheck/disable the setting "Block Wan Requests" and apply and do a permanent-save

b) Under WAN, there is a section named "MultiWAN" and in this page click on Adv-config for the "WAN" interface and edit the properties. In the "Network Service Detection" page for the WAN interface, "disable/uncheck" this NSD setting completely and do a permanent save too....AND PLEASE REBOOT JUST ONCE

and go about using the RV260 as earlier...

c) You can also offload the logs generated by the RV260 to an external syslog-server on the lan-side (preferably a linux-host with ipaddr 192.168.10.xxx). Check the sample configs attached here for reference

- On the Linux-syslog server, you can see the logs being generated by the RV260 using the command "tail -f /var/log/syslog"

I am thinking that the disabling of Network Service Detection in point 3b should mostly solve your issue...but we will anyway check on other things too, of course, just in case


10 Replies

balaji.bandi
Hall of Fame

See if you have any latest Firmware upgrade and test it.

 

or some troubleshooting tips:

 

https://www.cisco.com/c/en/us/support/docs/smb/routers/cisco-rv-series-small-business-routers/smb5857-troubleshooting-on-rv160x-and-rv260x.html

BB


Hello! Yes, I have the latest version of the router.

I was running some logs on the router to see why this traffic is being dropped, but I haven't had any luck finding the root cause.

nagrajk1969
Spotlight

Hi

1. Kindly provide more detailed and complete config info of

- your VPN tunnel(s) on this router

- and what are the actual ports you have used in the port-forwarding rules...instead of showing the "symbolic" names that only you will understand...

- and except for your public-wan ipaddresses, please don't hide the internal ipaddresses that you have configured on your routers or network, because all of us use the RFC-1918 standard private-addresses (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) in our network and they are NOT routable over the internet and not a security risk if we know what subnets/networks you are using on your routers

- more information helps us in understanding your issue and helps us in providing some possible solutions/help

2. Please elaborate on your statement "After a while (can be days) the configuration stops working even though it is still configured...."...what configuration stops? and what exactly is the issue happening?

3. Also it would be of some help if you also provide info on what type of wan-interface configurations are applied on this RV34X router

- and also what is the remote vpn-peergw? would it be possible to mention what ipsec-policy is applied on it?

- it would be of tremendous help if you can post the screenshots of your S2S tunnel config pages (the basic-settings and advanced-settings tab)

 

 

Hello! Sure! Let me be as detailed as possible.

At the moment, the router is configured as Client-to-site VPN using OpenVPN. We do not have any Site-to-Site VPNs configured at the moment. This router provides internet access to some users on the site.

The port-forwarding rules configured on the router are as follows: (I'll upload the configuration again)

HUELLERO TCP/UDP 5010

LOREX OFICINA TCP/UDP 9000

WO RDP TCP/UDP 23419

These IP addresses are mapped to internal services of the company: hosts, biometrics and servers. These services are exposed to the internet (customer is aware of this). So, the problem that we are having is that, after a certain amount of time (can be hours, days, minutes, weeks), the configuration breaks. Meaning that even though the configuration remains (VPN Client-to-site and Port forwarding), we cannot access them. If I try to access my router using OpenVPN during this breakdown, the router will not let me in, so all my client's users will be disconnected from the router. The same goes for the port-forward: we cannot access any service during this breakdown. Again, configurations are in place and the router is not being configured or modified. However, I can access the router from a browser.

We have found 3 methods to resolve this issue:

1. We have to disable and re-enable port-forward to get it working again.

2. We have to disable and re-enable the OpenVPN option to get it working again.

3. Reboot the device.

The version that is currently running on this router is 1.0.01.04 (latest)

Model: RV 260

Is there any way to confirm via logs or debugs why this traffic is being dropped?

I am attaching the configuration requested as well as additional information:

 

industriagrey3.PNG

industriagrey4.PNG

industriagrey5.PNG

industriagrey6.PNG

industriagrey8.PNG

industriagrey9.PNG

portforwardindustriasgrey.PNG

      

 

Forgot to mention,

The Client-to-Site session limit is 20. And when the issue happens, I still have some room left for sessions, so it is not an issue regarding the number of sessions that the router is holding.

nagrajk1969
Spotlight

Hi

Thanks for the additional info posted by you.

Looking at the info provided by you, some queries arise:

1. First and foremost, there is an ACL rule added in Firewall (rule-1) permitting everything from wan to vlan1....DELETE IT FIRST...WHY DID YOU ADD IT? IF you are permitting everything from wan to vlan1...what is the use of port-forward rules?...DELETE THIS ACL FIRST...IF NOTHING ELSE, IT'S A BIG SECURITY RISK...

2. Is your RV260 wan-interface ipaddress 192.168.1.254?

a) If yes, is it connected behind another router (with NAT enabled and also dhcp-server running on it)?

b) Is the RV260 wan configured as DHCP-client? and does the above router mentioned (in point-1a) assign the ipaddresses?

- please post details of your network connection topology - how is the RV260 connected to the internet?...and what wan-type is configured, and is it a public-ipaddr on wan or is it 192.168.1.254?

Is your RV260 connected like below?

lan-hosts(192.168.10.2)----10.1(vlan1)[RV260]wan(192.168.1.254)-----192.168.1.1[ISP-Router]nat----Internet---(vpn-clients/wan-hosts)

3. The screenshots posted by you show a Client-to-Site server config for an IPsec-VPN-Server....but you mention that you are using OpenVPN.

a) so if the "OpenVPN" server is also enabled, please post the screenshots of its config pages

4. To eliminate the cause of the issues, I suggest that you

first confirm here which vpn-tunneling you are using: Ipsec-VPN or OpenVPN (which is an SSL-VPN tunneling method and different from the Ipsec-vpn)

and then next,

a) if you are NOT using the ipsec-vpn-server (in ipsec\client-to-site), then please delete it and then do an apply and permanent save

b) else, if you are NOT using OpenVPN, please go to the OpenVPN page and "disable/uncheck" the entire service, and then also apply and do a permanent-save

Please don't go into doing multiple configs and try to analyze in multiple areas.....my sincere suggestion is to do it one step at a time...one feature at a time...and then everything will fall into place as expected

 

 

 

Hello! Thanks for the reply! I'll answer your questions in order but first, here is the topology of the network:

So we are behind a router that is provided by the ISP. In the ISP router, a static NAT rule is configured that is attached to a specific IP. That IP is 192.168.1.254 (the one that you see on the interface).

lan-hosts(192.168.10.2)----10.1(vlan1)[RV260]wan(192.168.1.254)-----192.168.1.1[ISP-Router]nat----Internet---(vpn-clients/wan-hosts) (This is the topology as you mentioned)

1. That rule was applied when the issue appeared. I was trying to force all traffic from the WAN interface to the LAN. That didn't work so I just took it away. Thanks for the reminder!

2. We do not have the WAN interface set to take an IP address dynamically. It is configured statically with the IP address mentioned before (192.168.1.254). The ISP router provides internet access to my router.

3. We have two types of Client-to-Site VPNs. We are using OpenVPN (SSL VPN) and SoftVPN (IPSec). I'm sending the configuration of the OpenVPN.

We did this because the customer has an application that is really sensitive regarding latency. So OpenVPN is used for that specific application and SoftVPN is used by all other users.

4. We are using both of them.

NOTE: Encryption on OpenVPN is set up as 3DES. I know that this is not recommended since the encryption is not strong enough. This was meant for the application so it can have some sort of "protection". We tried with AES-128 but the communication started to be disrupted. So, we went with 3DES.

industriagrey10.PNG

 

 


Good day! Sorry for the delay. Been quite busy these days.

I applied the suggested changes. We are monitoring the network and will keep an eye on this through the weekend.

Sir, thank you very much!!! I will update the topic by Monday with, hopefully, really good news.

Good day!!!

Thank you very much for all your help, it's been a while and it is working now. We even rebooted the system (another way to trigger the problem) and everything is fine.

 

Thanks a lot!!!!
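An added example, not part of the original thread: because the outage in this thread appears hours to weeks apart, a small probe run from a host outside the RV260 can timestamp when each forwarded service stops and resumes answering, for comparison with the router's entries in /var/log/syslog on the syslog server. It assumes the example public address 40.40.40.44 used in the accepted answer and checks only the TCP side of the listed rules (UDP has no handshake to test); `tcp_open`, `poll` and `monitor` are names chosen here.

```python
import socket
import time
from datetime import datetime, timezone

# Assumptions: 40.40.40.44 is the example public address from the accepted
# answer; the ports and labels are the forwarding rules listed in the thread.
PUBLIC_IP = "40.40.40.44"
FORWARDED_TCP_PORTS = {5010: "HUELLERO", 9000: "LOREX OFICINA", 23419: "WO RDP"}


def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def poll(host, ports, previous, probe=tcp_open, now=None):
    """Probe every port once; return (current_state, list_of_change_lines).

    A line is produced on the first observation of a port and on every
    later UP/DOWN change, so a quiet log means nothing changed.
    """
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    current, changes = {}, []
    for port in sorted(ports):
        current[port] = probe(host, port)
        if previous.get(port) != current[port]:
            word = "UP" if current[port] else "DOWN"
            changes.append(f"{stamp} {ports[port]} tcp/{port} -> {word}")
    return current, changes


def monitor(host, ports, interval=60):
    """Poll forever, printing one UTC-stamped line per state change."""
    state = {}
    while True:
        state, changes = poll(host, ports, state)
        for line in changes:
            print(line, flush=True)
        time.sleep(interval)


if __name__ == "__main__":
    monitor(PUBLIC_IP, FORWARDED_TCP_PORTS)
```

The timestamps are UTC, so convert when lining them up against a syslog file written in local time.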
