cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to the Cisco Small Business Community

Have a question? Click on a topic board below to get started in the community.

6011
Views
45
Helpful
25
Replies
dancrichton
Beginner

RV320 SSL VPN ActiveX and Virtual Passage driver on Windows 7 64-bit

Hi,

My company has just purchased a new RV320 router and only afterwards found out from the release notes that there are issues with the SSL VPN in this unit and other small business routers. Is there any news on when these issues will be fixed?

 

1) ActiveX controls have expired certificate dated 24/9/14 - this prevents them from running unless without changing IE security settings to prompt or allow unsigned controls, which is a big security risk.

 

2) ActiveX controls do not work on Windows 64-bit. Release notes state Windows 7 IE10 and Windows 8.1 IE11, however they also fail on Windows 7 IE11. Even adding router to Trusted Sites to force 32-bit mode results in error message stating that IE is required for the controls.

 

3) Virtual Passage driver will not install - crashes IE10/IE11 with a BEX violation.  From a dig around the web it appears that the Netgear SRX5308 uses the same Cavium chipset and a Virtual Passage driver that works with Windows 7 64-bit, and installs fine using IE10/11 (and if you install the Netgear driver it works with the Cisco RV routers too, proving that the driver is fully compatible...) - if Netgear can get this working, why can't Cisco?

 

I've only just started setting us this router and show stopper issues like this might end up with an RMA being requested as it appears to be unsuitable for purpose, already run into other issues with I've posted about. :(

 

 

 

EDIT: Got (2) sort of working on IE11 - seems that the Cisco interface is specifically looking for old style IE user agent strings, so using developer tools to set the user agent to IE9, and changing security settings in Trusted Sites to prompt for unsigned controls (due to issue (1)), allows the controls to install and load. These issues are pretty simple to fix, requiring just a string check change and updated signed controls. Fingers crossed these are fixed in the new firmware due soon, awaiting response from Cisco support to my open ticket.

 

Looks like (3) is prevented from working by (1), and also because the certificate has expired it is treated as software without a valid publisher which cannot be installed in Windows 7 without fiddling in the registry. Releasing an updated version with a certificate that isn't expired should solve that issue too.

 

These are ridiculously simple fixes to push out, I can't believe a major hardware vendor like Cisco hasn't already solved these issues.

25 REPLIES 25
dancrichton
Beginner

I've had a reply from Cisco support regarding this issue, and it's a bleak outlook. This is a copy from the email I received:

 

"Engineering has no plans to support SSL VPN on RV32x due to chipset limitations. Pretty much, it will work for old XP and Win7 32-bits."

 

So Cisco are falsely advertising that the RV320 has SSL VPN capabilities when there are no plans to update it so that it works with 64-bit Windows (which is now the major install base for Windows as most new systems are 64-bit based), and as the certificates have expired in the SSL VPN components they are not even useable on 32-bit systems without overriding a number of security settings.

 

Dan

Another day, another reply. Somewhat more encouraging this time:

 

"Engineering have decided to add SSL VPN for RV320 in the roadmap for next MR (MR3) - tentatively scheduled for April. Thanks for your patience and cooperation."

 

I won't hold my breath, but at least it's better than the reply from yesterday.

 

Dan

Thanks for the heads-up, Dan.  I eagerly await the April update.  :D

But if there is a chipset limitation, I hope their solution doesn't break something in the process.  doh!

Hi

I am also try to use the SSL-VPN Feature on a RV320 for my friend, and Virtual Passage is not working anyway, firefox, IE... active x not trusted.. nothing to work for endusers...

I am eagerly waiting as well!

Good job I didn't hold my breath, April has passed quietly with no updates from Cisco, and it looks like I'm going to have to look for a different manufacturer for a workable solution.

 

Dan

There was some info from Cisco in this thread https://supportforums.cisco.com/discussion/12495521/rv325-ddns-options that the update was close but who knows what close means :D, maybe they are doing the final finetuning and testing.

I emailed Cisco support on Friday for an update, on Saturday I received this:

 

Engineering has informed that the tentative release of MR3 with support for SSL VPN will be end of May.

 

 

So with a bit of luck it should only be a few weeks away. I'll hold out for a bit longer, the kit we were going to replace is still running ok but getting a bit long in the tooth now.

 

Dan

Thanks for the info, ipsec works but getting SSL VPN working on 64-bit would be really really nice :D.

Looks like Cisco missed the end of may tentative release with support for SSL VPN :D.

I bought a Ubiquiti EdgeRouter, the RV320 has actually has worked quite well for me except for the ssl vpn feature (which was why i bought it in the first place) goes into my desktop drawer for now.

If Cisco ever get the ssl vpn working on a modern x64 OS (W7, W8, W10) it will come back as a http ssl vpn server and extra switch.

I really must learn to do more research before i buy stuff even from the big dragons like Cisco :D.

Release Notes for Cisco RV320/RV325 Firmware Version 1.2.1.13. Updated in June 2015:

Support SSL VPN virtual passage for Win7(64bit) IE10 and Win8.1 IE11.

Does it really works? Has anybody checked it?

 

Peter

Tried it this morning, didn't work with either Win7 64-bit IE10 or Win8.1 IE11. Have sent an email to Cisco support. At this point I just want to get a refund and change to a different vendor, this RV320 has been sat on my desk doing nothing for months now and is not fit for purpose.

Looks like IE11 support was added and then partially commented out in the javascript check for IE, to the point that it doesn't work and pops up saying that IE is required. The virtual passage driver can't be installed due to it's signed certificate having expired, and the caveat note in the release notes about setting IE to allow download of unsigned controls doesn't work around the issue that Windows itself won't allow unsigned drivers to install without changing registry settings that are in place to help keep malicious code out.

 

Dan

Decided to have another crack at this today, reset the router and rebuilt the configuration from scratch. Again, virtual passage failed, even though I'm using IE11 with compatibility view set (which changes useragent to one that the router recognised as IE) and with download unsigned control enabled. Tried to download the XTunnel_WOW64.cab file direct from the router too see if I could install the drivers manually, and was greeted with a screen full of binary data. Tried with other browsers, same thing. Ended up running a HTTP proxy debugger and can see that the router sets the "Content-type" header for the .cab file to "text/html" instead of the correct "application/vnd.ms-cab-compressed" or even the default binary one of "application/octet-stream".

 

Managed to download the cab file via the debugging proxy, checked the certificate on it and it expired 5th April 2015. Does anyone involved in sorting out these issues ever check a calendar?

And to top it off, the "AddTunnel.exe" and "devcon.exe" executables inside the XTunnel_WOW64.cab files are 16-bit applications, so cannot run on Windows 7/8 64-bit. So much for the supposed 64-bit support in the release notes, if these executables are required to actually create the SSL VPN tunnels then there's no chance of it working. Seeing as how most systems released in the past few years are Windows 64-bit based, why on earth would any company be shipping 16-bit applications???

 

Still no response from support regarding this, and I've still got an expensive paperweight on my desk.

 

Dan