RV320 GW to GW VPN Establishes but HTTPS traffic does not work through VPN

eric.ahernandez
Level 1

Hi everyone, this week I did an implementation of a Cisco RV320 router and configured a VPN to several remote LAN IP addresses; the remote device is a Palo Alto firewall. The RV320 has software version 1.2.1.14.

The scenario is like this: the local addresses are the subnet 192.168.0.8/29 and the remote addresses are 9 different servers, so I configured each one as a different GW to GW VPN (see attached file), or else it didn't work.

We used AES-256, Diffie-Hellman Group 2 and SHA1 for phase 1, and AES-256 and SHA1 for phase 2.

VPN status shows as connected (see attached file). Ping and tracert work both ways.

The customer uses Remote Desktop Connections to some of these servers and it works like a charm, so everything seems to work fine, EXCEPT! HTTPS traffic... 3 of those servers are web servers and they use them over HTTPS on ports 8000 and 8443. When trying to connect to these servers with the application they normally use, it doesn't work; when trying to browse to them with any web browser, it doesn't work either, they time out. We even tried Telnet to these servers on ports TCP 8000 and 8443 to check Layer 4 connectivity, and in this case it works!! So it seems to be an application layer problem.

Also, we already checked that it's not a problem with the Palo Alto firewall, because right now there is a Cisco 2811 router that we installed temporarily instead of the RV320 with all the same configuration, and this one works beautifully.

I'm guessing this problem has to be because of fragmentation, but I haven't found an option on the RV320 to decrease the Message Segment Size like on other routers with the ip tcp mss-adjust command. I already decreased the MTU for the WAN interface, but it still didn't work.

Does anyone know how to solve this, or is the RV320 not good at all for this type of scenario?

Thanks in advance.
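The symptom described in the post (ping, tracert and a telnet handshake cross the tunnel, full-size HTTPS segments time out) is the classic signature of tunnel overhead pushing large inner packets past the WAN MTU. The following added example, which is not part of the original post and is not RV320 or Palo Alto code, calculates the ESP tunnel-mode overhead for the proposals the poster named (AES-256-CBC with SHA1, assumed here to be HMAC-SHA1-96, IPv4 on both sides) and derives the MSS value a clamp would need to use. The sample packet sizes are constructed to mirror the tests in the post.

```python
"""Why small packets cross an IPsec tunnel while full-size TCP segments do
not, and what MSS value avoids the problem.

Constructed example; not RV320 or Palo Alto code. The overheads assume the
proposals named in the thread: ESP tunnel mode, AES-256-CBC, HMAC-SHA1-96
(assumed truncation), IPv4 inner and outer headers.
"""
import math

# ESP tunnel-mode overheads in bytes (protocol constants).
OUTER_IPV4 = 20     # new outer IP header added by tunnel mode
UDP_NAT_T = 8       # extra UDP header, only when NAT traversal is in use
ESP_HEADER = 8      # SPI (4) + sequence number (4)
AES_CBC_IV = 16     # explicit IV carried in front of the ciphertext
AES_BLOCK = 16      # ciphertext is padded to a multiple of this
ESP_TRAILER = 2     # pad length (1) + next header (1), inside the encryption
SHA1_96_ICV = 12    # truncated HMAC-SHA1 integrity check value
INNER_IPV4 = 20     # header of the original (inner) packet
TCP_HEADER = 20     # TCP header without options


def esp_packet_size(inner_len: int, nat_t: bool = False) -> int:
    """Bytes on the wire for an inner IPv4 packet of inner_len bytes after
    ESP tunnel-mode encapsulation."""
    # The inner packet plus the 2-byte trailer is padded up to a whole
    # number of AES blocks before encryption.
    encrypted = math.ceil((inner_len + ESP_TRAILER) / AES_BLOCK) * AES_BLOCK
    return (OUTER_IPV4 + (UDP_NAT_T if nat_t else 0) + ESP_HEADER
            + AES_CBC_IV + encrypted + SHA1_96_ICV)


def needs_fragmentation(inner_len: int, wan_mtu: int,
                        nat_t: bool = False) -> bool:
    """True if the encapsulated packet no longer fits the WAN MTU."""
    return esp_packet_size(inner_len, nat_t) > wan_mtu


def max_inner_packet(wan_mtu: int, nat_t: bool = False) -> int:
    """Largest inner IPv4 packet that fits the WAN MTU after encapsulation."""
    inner = wan_mtu
    while inner > 0 and needs_fragmentation(inner, wan_mtu, nat_t):
        inner -= 1
    return inner


def recommended_mss(wan_mtu: int, nat_t: bool = False) -> int:
    """TCP MSS to clamp to so that no inner segment has to be fragmented."""
    return max_inner_packet(wan_mtu, nat_t) - INNER_IPV4 - TCP_HEADER


# Constructed sample traffic mirroring the poster's tests: a ping, a TCP
# handshake and a short telnet banner (all small), and a full-size segment
# built with the default Ethernet MSS of 1460, which is what an HTTPS server
# sends when nothing clamps the MSS.
SAMPLE_PACKETS = {
    "ICMP echo, 64-byte payload": INNER_IPV4 + 8 + 64,
    "TCP SYN to 8443, with options": INNER_IPV4 + 40,
    "telnet banner, ~30 bytes": INNER_IPV4 + TCP_HEADER + 30,
    "TLS record, MSS 1460": INNER_IPV4 + TCP_HEADER + 1460,
}


def report(wan_mtu: int = 1500, nat_t: bool = False) -> dict:
    """Map each sample packet description to whether it would fragment."""
    return {name: needs_fragmentation(size, wan_mtu, nat_t)
            for name, size in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, frag in report().items():
        print(f"{name:32s} {'FRAGMENTS' if frag else 'fits'}")
    print("MSS to clamp to at WAN MTU 1500:", recommended_mss(1500))
    print("same, with NAT-T UDP encapsulation:", recommended_mss(1500, nat_t=True))
```

With a 1500-byte WAN MTU the small probes all fit, while a 1460-byte TCS payload grows to 1560 bytes after encapsulation and must be fragmented or dropped, so an MSS clamp of 1398 (1382 with NAT-T) is the value to aim for. Lowering only the WAN MTU, as the poster tried, shrinks the outer budget without telling the end hosts to send smaller segments; the inner TCP MSS has to be reduced, either by a clamp on the tunnel device or on the hosts themselves.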

1 Reply

jonrodr2
Level 1

Hello, my name is Jonathan, and I'm part of the engineers here at Cisco SBSC. I apologize for the inconvenience with this unit. I would like to test the unit with the latest version of the firmware, which is 1.3.1.12; then, is it possible for you to test this behavior with a /24 on both sites?

Also, I would like to recommend, after the upgrade to the latest version, a factory reset on the unit to delete any errors that the software might have, like corrupted files. If you need further assistance, please feel free to contact us in order to open a case at

https://supportforums.cisco.com/community/4626/small-business-service-and-support-country 

Regards.