cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to the Cisco Small Business Community

Have a question? Click on a topic board below to get started in the community.

6068
Views
45
Helpful
25
Replies
dancrichton
Beginner

RV320 SSL VPN ActiveX and Virtual Passage driver on Windows 7 64-bit

Hi,

My company has just purchased a new RV320 router and only afterwards found out from the release notes that there are issues with the SSL VPN in this unit and other small business routers. Is there any news on when these issues will be fixed?

 

1) ActiveX controls have expired certificate dated 24/9/14 - this prevents them from running unless without changing IE security settings to prompt or allow unsigned controls, which is a big security risk.

 

2) ActiveX controls do not work on Windows 64-bit. Release notes state Windows 7 IE10 and Windows 8.1 IE11, however they also fail on Windows 7 IE11. Even adding router to Trusted Sites to force 32-bit mode results in error message stating that IE is required for the controls.

 

3) Virtual Passage driver will not install - crashes IE10/IE11 with a BEX violation.  From a dig around the web it appears that the Netgear SRX5308 uses the same Cavium chipset and a Virtual Passage driver that works with Windows 7 64-bit, and installs fine using IE10/11 (and if you install the Netgear driver it works with the Cisco RV routers too, proving that the driver is fully compatible...) - if Netgear can get this working, why can't Cisco?

 

I've only just started setting us this router and show stopper issues like this might end up with an RMA being requested as it appears to be unsuitable for purpose, already run into other issues with I've posted about. :(

 

 

 

EDIT: Got (2) sort of working on IE11 - seems that the Cisco interface is specifically looking for old style IE user agent strings, so using developer tools to set the user agent to IE9, and changing security settings in Trusted Sites to prompt for unsigned controls (due to issue (1)), allows the controls to install and load. These issues are pretty simple to fix, requiring just a string check change and updated signed controls. Fingers crossed these are fixed in the new firmware due soon, awaiting response from Cisco support to my open ticket.

 

Looks like (3) is prevented from working by (1), and also because the certificate has expired it is treated as software without a valid publisher which cannot be installed in Windows 7 without fiddling in the registry. Releasing an updated version with a certificate that isn't expired should solve that issue too.

 

These are ridiculously simple fixes to push out, I can't believe a major hardware vendor like Cisco hasn't already solved these issues.

25 REPLIES 25

Got a reply from support yesterday stating that after discussions with a "higher level engineer" that SSL VPN does not work on IE10 or higher, and cannot work on Windows 8. It also states that this limitation applies to all vendors, not just Cisco.

I almost spat my tea out over my keyboard reading this.

I've replied pointing out that this would mean that the firmware release notes are a joke, as they state Win7 64-bit and Win8 are supported. I've also pointed out that we work with other companies who have SSL VPNs from other vendors that work fine with IE10 and IE11 (albeit much more expensive solutions which is why my company didn't look into purchasing a similar system, but it's proof that the engineer's response is blatantly false).

Looks like the RV320 is going to be the last piece of Cisco kit I will ever be involved in purchasing. It's a shame as I've always used Cisco kit in the past and recommended it to others, but if this is the sort of level of support that Cisco is providing then it's clear that they have no idea what they are doing any more. The RV series are clearly not fit for their advertised purpose.

Dan

I have received another update from Cisco support, this time stating that they have been able to get this working in their lab and sent me a PDF of steps to take in IE to get it working. With the help of that, which includes more information than the firmware release notes, and another step that they didn't include, I now have this working on my Windows 7 64-bit PC :)

 

To get the Virtual Passage installed for the first time, you need to do the following:

 

1) Add the router URL for the SSL VPN connection to the Trusted Sites zone in IE.

2) Change the security settings in the Trusted Sites zone so that Download Unsigned Controls is set to Prompt rather than disabled.

3) Run IE using "Run as administrator"

4) Log into the router SSL VPN page, then go to the virtual passage page and click "Connect using virtual passage"

5) Say yes to the popup prompt to install the unknown activex control (this is the virtual passage driver installer)

6) You should then see a confirmation that the virtual passage driver has been installed.

 

Once this is completed you can connect using the virtual passage without IE in administrator mode, you only need to run it as administrator for the initial driver install.

Now I can finally start testing this router to prepare for putting it into production.

 

Dan

I tried steps from dancrichton, with the latest firmware, and still get no success with virtual passage.

Code still has an IE browser version that throws an error stating IE 5.0 is required, when I am running IE11.  Cisco, remove browser version checks, and instead use feature detection.

Cisco, properly sign Active X controls.

Cisco, please provide a real client install that can be installed like any normal application in Windows, instead of having users run IE as an administrator to install activeX controls.

SSL in the rv320/325 is not a no-client-install "feature".  Some aspects require you to have java installed, other require ActiveX controls installed.

Try turning on Compatibility View - this will force IE11 to send the user agent string for IE9.

 

I've got an open support incident for the controls being expired, haven't heard anything since it was raised to L2 support. Will post up responses as I get them.

 

Dan

I upgraded to the last firmware (1.2.1.13) and I was able to connect using Windows 8.1 and IE11 with the steps listed above and with compatibility mode turned on. However, I have a couple users who have upgrade to Windows 10 that are unable to use virtual passage. The IE11 security settings are the same but when they click on the virtual passage link, nothing happens. Has anyone had any luck getting virtual passage to work with Windows 10? Cisco, do you have any support documentation we can follow as the admin guide doesn't include any client settings.

The firmware finally came :D, i am gonna wake up my RV320 again to see if i can use it as a http vpn server.

I tried Firmware Version 1.2.1.13.

Win 7 64-bit, IE 11. Pops up says:
Virtual Passage requires IE 5 or higher
:)

Same on Win8.1 IE11, which is supposedly fixed in this version. If you check the javascript in the page there's a check to see if the user agent contains "msie" or "rv:11", which are the two simple checks for IE10 or earlier, or IE11. But the next piece of code only allows the virtual passage driver page load if "msie" exists in the string, otherwise you get the message you see. So there's no way for it to work on IE11 unless you use Developer Tools (F12) to change the emulation to IE10 or lower, or use a plugin like UAPicker to change the user agent string to look like IE10. But the virtual passage driver still won't install even then, as Windows won't allow a driver to be installed that has an expired certificate without changing a registry setting to allow unsigned drivers, and that's a massive security hole to open.

 

Dan

Mehdi Boukraa
Cisco Employee

Hi , 

 

I was trying from Windows 7 64 Bit with IE 10 and Windows 8 64 Bit IE 11 and it works fine, please follow those steps : 

 

0. Before any change in the Internet Explorer: make sure that you uncheck ActiveX Filtering

 

 

1. If you have this error message:

 

Then :  go to internet option --> under security --> Internet --> custom level --> make sure that you have enable or Prompt in Download unsigned ActiveX Controls

 

 

2. if you have this error message :

OR : 

 

Then : Please add the Public IP to trusted site https://x.x.x.x

 

3. If doesn't Work and you still have this error message : 

 

Then : Please try this workaround change the Time on the Workstation (SSL PC Client) to be in the date of the certificate  but please before that click on View Certificate and you can see the Valid Date From : dd/mm/yyyy

 

 

VERIFICATION : 

 

 

 

Please rate this post or marked as answered to help other Cisco Customers

 

Thanks

Mehdi

NOT WORK !!!!!

For me, a very important function SSL VPN. It is very funny

     Then : Please try this workaround change the Time on the Workstation (SSL PC Client) to be in the date of the certificate  but please before that click on View Certificate and you can see the Valid Date From : dd/mm/yyyy

!!!!!!!!!!!!!!!!!!!!!!!!!!

awful

 

 

 

OK amazingly this is working.  We shelved this router for almost 2 years finally looking like it might be useful again.  Last thing we need to work is internal dns to resolve.  I added our server to the DNS local database we use windows server for dhcp and allow ssl vpn to handout 10 address's.  This router is so close to being able to do what we need just need this last part.

Thanks for your help,

Alex