
Firewall blocking traffic to static route on RV340

Fred Johnson
Level 1

Hello friends,

We purchased an RV340 to replace an aging router. The switch was mostly painless except for one issue. Traffic to/from our OpenVPN service is being interrupted. Our setup is similar to the bottom of this page; we are using a static route to route traffic to 10.8.0.0/24 to a machine on VLAN1 (192.168.0.5). Machines on VLAN1 can ping VPN clients (10.8.0.5) but not the other way around. UDP seems to work both ways fine, but TCP does not. When trying to SSH from inside, I get this message in the logs on the router:

kernel: [87023.255407] FIREWALL:PACKET DROP IN=eth3.1 OUT=eth3.1 MAC=ec:fd:1d:44:8a:21 9c:f6:54:af:e8:a0 08:00:45:01:01:5d src=192.168.0.136 DST=10.8.0.7 LEN=93 TOS=0x00 PREC=0x00 TTL=63 ID=5207 DF PROTO=TCP SPT=34696 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0 MARK=0xff00

I've tried adding firewall access rules for 10.8.0.0 with no change. Even disabling the firewall did not seem to help. Does anything stand out to anyone or is there any advice on what to try next?

Thanks for reading!

 

UPDATE: It's been a little over a year and after spending some time checking today, the issue seems to be fixed. My setup hasn't changed much but I have upgraded the firmware on the router twice. Presumably this has fixed whatever the issue was.

28 Replies

Fred Johnson
Level 1

A workaround seems to be configuring the static route on each machine so the traffic can avoid going "to" the router and straight to the gateway (192.168.0.5). It's strange this would be a problem when it wasn't with our old router.

Good workaround ... but it isn't the solution. In my opinion it is a bug of the RV345, and I hope that Cisco will do something to correct the firmware.

I have this same issue with a RV340W router. I can add a route using the PC but the static route in the router is getting blocked by the firewall.

Same problem for me. We need a patch to solve this problem. This behaviour is unsustainable. Please, could Cisco let us know when this serious bug will be fixed?

By now it seems sure that Cisco is not interested in Small System Routers. It does not seem to me a behavior worthy of a serious company.

We're on our 4th Engineer trying to get the RV340W to stop freezing on us (and generating about 80K error packets a day when the switches attached have no errors).

 

He said static routing won't work without a VLAN stub. Kinda defeats the purpose.

What is a VLAN stub and why would you need it for fixed IP addresses?

The way the engineer described it was setting up a VLAN without "inter-VLAN routing" and then using that new VLAN IP in your static route.

 

I was still confused as he tried to explain it, but he said that's the only way static routing will work on these routers. He could not clarify why we would do this and NOT check "inter-VLAN routing" vs. enabling that and not using a static route.

 

I have not tried that yet and probably won't. I don't see the purpose. I wanted routing without VLANs because using VLANs creates 80K error packets a day in my router and it eventually freezes.

 

Sorry I couldn't offer a better explanation.

viningele
Level 3

I’ve been getting this and a few other errors too. Some errors were resolved by adding the offending client to the static IP table but I still get these dropped packets. The router had been locking up too, requiring a reboot to make the network work again. I bought an RV325 just in case I need to swap out this RV345 in order to keep the customer happy. This lack of support from Cisco is discouraging and makes no sense. Why develop a product that doesn’t work properly and continue to allow problems that tarnish the entire brand?

I've figured out that in the first seconds after I reboot the router, static routes work for me, but after that they are blocked again. It seems like an active component is blocking them.
Please, Cisco, can you provide a fix?

Bigmalloy
Level 1

I have these same messages. Note: MAC addresses have been edited for privacy.

My setup is almost completely stock on

Firmware Version: 1.0.01.18

just a bridged modem on WAN1, a simple LAN and some QoS rules. Changed the default IP address. I have set every IP address on a static DHCP; this reduced the number of warnings.

 


kernel: [401846.403769] FIREWALL:PACKET DROPIN=eth3.1 OUT=eth2 MAC=ec:bd:1d:44:d7:xx:9c:5c:f9:20:xx:4c:08:00:45:00:xx:17 src=192.168.20.93 DST=23.194.132.165 LEN=279 

Hi !

I have the same issues with my RV340...

 

kernel: [82162.434738] FIREWALL:PACKET DROPIN=eth3.11 OUT=eth2 MAC=ec:bd:1d:44:89:6a:70:48:0f:90:17:b0:08:00:45:02:00:89 src=10.50.11.30 DST=188.165.185.33 LEN=137

 

The difference is that I do not try to do inter-VLAN but just go out on the internet ...
The navigation is fine but I have a lot of packet errors on the LAN interface and it's a firewall error.

Users sometimes complain about a long internet. While searching I came across this topic. I find this unacceptable from Cisco. On the RV340 I do not even stop to make the IPsec between RV320 and R340.
If I cannot find a solution I will change my router.
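
Added example, not part of any post in this thread: a small Python parser for the `FIREWALL:PACKET DROP` messages quoted above that separates drops routed back out the arrival interface (the first post's `IN=eth3.1 OUT=eth3.1`, the path that per-host static routes avoid) from drops on LAN-to-WAN traffic. The function names and class labels are this example's own; the two sample lines are copied from the thread.

```python
import re
from collections import Counter

# Two drop messages copied from posts in this thread.
SAMPLE_LOGS = [
    "kernel: [87023.255407] FIREWALL:PACKET DROP IN=eth3.1 OUT=eth3.1 "
    "MAC=ec:fd:1d:44:8a:21 9c:f6:54:af:e8:a0 08:00:45:01:01:5d src=192.168.0.136 "
    "DST=10.8.0.7 LEN=93 TOS=0x00 PREC=0x00 TTL=63 ID=5207 DF PROTO=TCP SPT=34696 "
    "DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0 MARK=0xff00",
    "kernel: [82162.434738] FIREWALL:PACKET DROPIN=eth3.11 OUT=eth2 "
    "MAC=ec:bd:1d:44:89:6a:70:48:0f:90:17:b0:08:00:45:02:00:89 src=10.50.11.30 "
    "DST=188.165.185.33 LEN=137",
]

TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}
# The thread shows both "DROP IN=" and "DROPIN=", so keys are matched without a
# leading word boundary; key case also varies ("src=" next to "DST=").
FIELD_RE = re.compile(r"(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)", re.IGNORECASE)


def parse_drop(line):
    """Return the routing-relevant fields of one drop message, or None."""
    if "FIREWALL:PACKET DROP" not in line:
        return None
    rec = {}
    for key, value in FIELD_RE.findall(line):
        rec.setdefault(key.lower(), value)  # first occurrence wins
    rec["flags"] = [tok for tok in line.split() if tok in TCP_FLAGS]
    return rec


def classify(rec):
    """Label a drop by its path through the router (labels are this example's own)."""
    if rec.get("in") and rec.get("in") == rec.get("out"):
        # Packet was to be routed back out the interface it arrived on, as with
        # a static route whose next hop is on the same VLAN as the sender.
        if rec.get("proto") == "TCP" and "SYN" not in rec["flags"]:
            return "same-interface mid-stream TCP"
        return "same-interface"
    return "inter-interface"


def summarize(lines):
    """Count drops per class, ignoring lines that are not firewall drops."""
    recs = (parse_drop(line) for line in lines)
    return Counter(classify(r) for r in recs if r is not None)


if __name__ == "__main__":
    for label, count in summarize(SAMPLE_LOGS).items():
        print(f"{count:4d}  {label}")
```
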

Does anyone have a solution? Still not able to get my static VPN connections working with an RV340.

I was told the static routes will never work as-is like you may have been used to. You have to set VLANs.

Do both your networks plug directly into the router?