Help! Multiple issues with RV340 router security settings

chack
Level 1

Hello,

 

First off, I want to give you a little background on myself so that you know where I'm coming from and what experience level I have in networking and security.  I am the engineering manager at a small company, and as such I wear a lot of hats.  One of them is to deal with the more advanced networking setup/issues within the company.  My formal background is as an Electrical Engineer, with any PC/networking/network security experience coming through dealing with issues in this role, or from my home networking/hobby experience.  I have no formal training on network security protocols, attacks, or anything else in the networking space.  I'm just trying to pick things up as I go along... 

 

My company has an RV340 router and we have subscribed to gain access to the advanced security features on the router (web/content filtering, antivirus, IP source guard, threat/IPS, etc.).  I am having some issues with part of the firewall and some of the more advanced security features.  The router is running the most recent firmware version 1.0.03.22, upgraded 10/15/21.  

 

The first problem I'm having is that when I enable the IPS and set the mode to block attacks with the security level set to connectivity, the network suddenly doesn't allow certain applications like Zoom to connect and any internet traffic becomes extremely laggy.  I know that this could indicate that there is some sort of breach or other nefarious activity, however there is nothing in the logs from the IPS.  Additionally, the problem seems to go away when I leave IPS enabled and change the mode from block attacks to log only.  The logs with IPS related events are still empty, however.  The log settings are set to log IPS events, and due to the fact that I can't get any information out of the logs, the log level is set to debugging to try and provide as much information as possible.  

 

The second problem I'm having is that I'm running into a situation where it appears that enabling the DoS feature of the firewall periodically causes DoS-like symptoms to happen, in that the internet connection becomes laggy and it becomes almost impossible to access any websites or use any video conferencing apps reliably.  An examination of the logs shows that there are a lot of dropped packets (with the "is not associated with an existing connections" tag), as well as a SYN-FLOOD attack detected when the DoS feature is enabled.  Disabling the feature still shows a few dropped packets, but the SYN-FLOOD log entries aren't present, and the network and internet connection operate normally.  I'm still working on trying to figure out what the IP/MAC addresses associated with the SYN flood entries belong to, but the mere fact that we're not experiencing any type of internet disruption when the DoS feature is disabled leads me to believe that we're not actually experiencing an attack, and that what the firewall is blocking as a result of the supposed SYN flood attack is actually legitimate traffic. 

 

The help section accessed from the router's firmware on the Firewall > Basic Settings page includes a description of the DoS attacks blocked when enabling the feature and the following line: "The traffic rate for SYN Flood, Echo Storm, ICMP Flood are configurable. The default values are: 128,15, and 100 respectively."  I have searched through every individual setting on the router and I have not found a location where I can change the configuration settings for the detect traffic rate of the three DoS attacks listed above.  Is there actually a way to do this?  Does it need to be done through some sort of terminal access instead of through the web based UI?

 

My theory is that the so-called SYN flood attack that the firewall thinks it sees when the DoS setting is active is something that's just outside the detect range set in the router and that adjusting this would eliminate both the network disruptions and the firewall detections.  Does this theory hold any water?  Is there anything else that could possibly be causing this type of response to happen?  I find it very odd that enabling DoS protection would actually seem to encourage DoS-like results, and that disabling the protection would allow the network to operate normally, assuming the detected attack is legitimate - unless it's some sort of advanced phishing situation.  

 

Anyway, any and all available help is welcomed and appreciated on this - my CEO is really riding me to get these issues ironed out quickly.

 

Thanks in advance.

6 Replies

CoreyP319
Cisco Employee

Hello Chack,

 

Thanks for providing the details you are encountering. I'm not aware of any Zoom/security related issues with the RV340. There is a newly released firmware (version 1.0.03.24 - release notes). There is a thread here talking about QOS and zoom thread here. Past that, which setting do you have active for 'IPS Security Level' on the page Security > Threat/IPS > IPS?

 

This may be a good cause to reach out to TAC for further assistance as well.

 

Thanks,

Corey

Corey,

 

Thanks for the reply.  My IPS settings are at IPS: On, Mode: Log Only, IPS Security level: Connectivity.  The signature table is file version 2.4.0.0046, updated 10/19/21.

 

Do you have any thoughts on the DoS firewall issue that I'm seeing?  

 

Thanks,

Chris

Hi Chris,

 

No problem, I'm not experiencing any similar issue on my network with an RV345. I'm running your situation by the team and will keep you posted. 

 

Best,

Corey

Hey Chris,

 

I just spoke with one of our TAC leads and the net suggestion is that you should get in touch with TAC, it sounds like this would be escalated quickly to get you to resolution.

 

That said, the only thing that sticks out to us is that the security features do have an impact on CPU utilization. I'd check the CPU utilization while starting up a Zoom call to see if the CPU usage is spiking. I'm sorry there is not a very quick fix here.

 

Best,

Corey

CoreyP319
Cisco Employee

Hi Chris,

 

I heard back from more of the team and can provide a few more details:

  • It may be a good idea to capture packets from the WAN side of the RV340
  • There are Zoom specific firewall settings ( Article 1, Article 2 )
  • There is another case where similar issues were encountered but was resolved through the ISP (Comcast)

Best,

Corey

Corey,

 

Thank you again for your reply.  I will look at the articles you posted regarding security features with Zoom calls. 

 

As far as capturing the packets, is there a feature in the router that I can use to do that with or will I have to use a computer on the WAN network and wireshark to do it?

 

The similar case that involved an ISP solution - which issue was it resolving?  The Zoom one or the DoS issue?  Speaking of the DoS firewall issue, does your team have any leads on this yet?

 

Thanks,

Chris
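The two threads of the discussion above, the SYN Flood default rate of 128 quoted from the router's help text and the suggestion to capture packets on the WAN side, come together in one question a practitioner would want answered before opening a TAC case: does any single host on the LAN actually exceed that rate, and if so is it a burst from a legitimate client? The script below is an added example, not code from the RV340, from Cisco, or from anyone in the thread. It reads tcpdump-style text output (the format produced by `tcpdump -nn -tt` on a capture taken outside the router's WAN port, or exported from Wireshark), counts pure-SYN packets per source per one-second window, and reports which sources cross a configurable threshold. The capture it analyses is constructed inline using documentation address ranges; the 128 per second figure is taken from the help text quoted in the original post, and the tumbling-window counting is an assumption about how a rate detector works, not a description of the RV340's implementation.

```python
"""Per-source SYN rate check over a tcpdump-style text capture.

Added example, not the RV340's own detection logic.  The sample capture is
constructed below; in practice feed this the output of
`tcpdump -nn -tt -i <wan-side-if> 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'`.
"""
import re
from collections import defaultdict

# The RV340 help text quoted in the thread gives 128 as the SYN Flood default rate.
# Treated here as SYNs per second per source (an assumption about the unit).
DEFAULT_SYN_FLOOD_THRESHOLD = 128

# Matches tcpdump -nn -tt lines such as:
# 1634300000.000123 IP 192.0.2.10.51234 > 203.0.113.5.443: Flags [S], seq 1, win 64240, length 0
# "Flags [S]" is a pure SYN; "[S.]" (SYN-ACK) and "[.]" (ACK) deliberately do not match.
SYN_LINE = re.compile(
    r'^(?P<ts>\d+\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: Flags \[S\]'
)


def parse_syns(capture_text):
    """Return (timestamp, src, dst) for every pure-SYN line; all other lines are ignored."""
    out = []
    for line in capture_text.splitlines():
        m = SYN_LINE.match(line)
        if m:
            out.append((float(m.group('ts')), m.group('src'), m.group('dst')))
    return out


def peak_syn_rates(syns, window=1.0):
    """Peak number of SYNs per window (seconds) sent by each source.

    Counts are bucketed by floor(ts / window), i.e. a tumbling window.  A detector
    using a sliding window or token bucket can fire at a lower sustained rate, so
    a host just under the threshold here may still trip the router.
    """
    buckets = defaultdict(int)
    for ts, src, _dst in syns:
        buckets[(src, int(ts // window))] += 1
    peaks = defaultdict(int)
    for (src, _bucket), count in buckets.items():
        peaks[src] = max(peaks[src], count)
    return dict(peaks)


def sources_over_threshold(peaks, threshold=DEFAULT_SYN_FLOOD_THRESHOLD):
    """Sources whose peak per-window SYN count exceeds the threshold, sorted."""
    return sorted(src for src, count in peaks.items() if count > threshold)


def build_sample_capture():
    """Constructed capture, not real traffic: one LAN host opening 150 connections
    inside a second (the kind of burst a browser or conferencing client can make
    on startup) and one host opening five, plus a SYN-ACK and an ACK that must
    not be counted.  Addresses are from documentation ranges."""
    lines = []
    base = 1634300000.0
    for i in range(150):
        lines.append(f"{base + i * 0.005:.6f} IP 192.0.2.10.{40000 + i} > 203.0.113.5.443: "
                     f"Flags [S], seq {i}, win 64240, length 0")
    for i in range(5):
        lines.append(f"{base + i * 0.2:.6f} IP 192.0.2.20.{50000 + i} > 203.0.113.6.443: "
                     f"Flags [S], seq {i}, win 64240, length 0")
    lines.append(f"{base + 0.010:.6f} IP 203.0.113.5.443 > 192.0.2.10.40000: "
                 f"Flags [S.], seq 9, ack 1, win 65535, length 0")
    lines.append(f"{base + 0.011:.6f} IP 192.0.2.10.40000 > 203.0.113.5.443: "
                 f"Flags [.], ack 10, win 64240, length 0")
    return "\n".join(lines)


if __name__ == "__main__":
    peaks = peak_syn_rates(parse_syns(build_sample_capture()))
    for src, count in sorted(peaks.items()):
        print(f"{src}: peak {count} SYN/s")
    print("over threshold:", sources_over_threshold(peaks))
```

If a real capture shows a LAN host crossing the threshold only at moments that line up with the SYN-FLOOD log entries and with a conferencing client or browser starting up, that supports the theory in the original post that the detector is rate-limiting legitimate bursts; if no host comes near 128 SYN/s, the drops are more likely due to something else (connection-tracking state, CPU load, or the ISP side mentioned in the replies) and the threshold is not the knob to look for.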