RV320 v1.1.1.19 Bugs + Feature Requests

matthew1471
Level 1

Firstly thank you for posting the new firmware and fixing some of the annoying bugs in the last version, the update to newer OpenSSL versions was particularly appreciated :-).

There's a few bugs and feature requests I still have that I'd like to share with you, from discussion with Cisco before it sounds like some of these were planned so perhaps these just didn't make it into the final release?

Recently Discovered :

Bugs:

1. Typos and software age : "Resource Management" under "SSL VPN" when you select "Add" under the "Application Icon" drop-down offers "Microsoft Interment Explorer" (sic). Also Microsoft FrontPage has been discontinued for 10 years and since superseded by 2 products (Microsoft Visual Studio is now the best replacement). The Cisco copyright is also (c) 2013 which all in all in 2015 makes the product feel quite old despite the firmware being released a few days ago.

2. The proposed Cisco "Easy VPN" on the VPN screens is actually End-of-Life (EoL) http://www.cisco.com/c/en/us/products/collateral/security/vpn-client/end_of_life_c51-680819.html so I'm not sure what the suggested option is on Windows 8.1

3. Client-To-Gateway settings IKE-with-Certificate expects the client to have a static IP or a DNS record... for a mobile device I'm not sure if it's possible to specify an IP range and the in-built help doesn't suggest anything.. this may however be a lack of VPN knowledge on my part. Group VPN while allowing you to specify other means of authentication also forces pre-shared key (so you cannot use certificates) and has an option referring to Microsoft XP/2000 clients which implies it won't work on newer versions of Windows. Windows XP and 2000 are both End of Life.

4. On the System Statistics page WAN2 is showing as Enabled, despite it being disabled and the system summary stating so. Also nothing is plugged into it and it reports on System Statistics that there have been 4 transmitted packets, 4 total packets and 424 transmitted packet bytes. The interface has been completely disabled from boot-up.

Feature Requests:

1. OpenVPN support.

2. A guide / assistance in the built-in help on how to make this VPN Router work with Android V4 and above clients using the default stock VPN options. The options on Android are "PPTP" (which nobody touches any more for new deployments, Microsoft themselves even recommend you avoid using this), "L2TP/IPSec" (Pre-Shared Key and RSA variants), IPSec Xauth (Pre-Shared Key and RSA variants) and one that allows a mix "IPSec Hybrid RSA".

Carried Over From "RV320 v1.1.1.06 Bugs + Feature Requests":

Bugs:

1. Mirror Port feature allows the device plugged into the port to still interact with the network and mirrored traffic (which is not the behaviour of your small business switches) allowing it to respond to and interact with received traffic. At a minimum the documentation does not warn of this difference in behaviour.

4. Still impossible to set a Daylight Saving rule for the UK. http://en.wikipedia.org/wiki/British_Summer_Time

5. DHCP Status table periodically loses all entries. Particularly after anything that causes the router to reboot. The documentation should explain this is since the router was started and this list is lost when the router is restarted.

8. Help for "System Statistics" and "Processes" is very limited (and not helpful).

9. Clicking "Enabled" or "Disabled" against USB1 or USB2 does not contain a hyperlink to the "USB Failover Settings" tab of the selected interface under Setup->Network where the operation mode can be set to "Disabled" which all the other options do have.

10. Processes like "webBoot" appearing and using port 22088 in the Processes table and "HTTP Server with SSL support" on ports like 5443 and the documentation lists nothing about them.

Feature Request:

1. Ability to choose which port is mirrored (LAN2, LAN3, LAN4, WAN1, WAN2, VLAN1.. etc) and potentially the destination (i.e if we are not using WAN2 why not make it an option to be a mirror port destination?).

2. Tables to be sortable ASCending/DESCending by clicking on the column.

3. "Enable Mirror Port (Port 1)" rename to "Mirror All Traffic (To Port 1)" and/or update documentation to explain a device on Port 1 with this enabled should NOT attempt to reply to the traffic.

4. Web API or Proprietary Telnet API (or even just experimental SSH access) option so we can programmatically add items to the firewall rules table (fail2ban etc) so we can write scripts in Python etc to ban IP addresses on the Firewall.

5. The option to choose what gets syslog'd and what gets written to the non-volatile memory log (worried about device longevity with all the logging turned on). The WAP371 now has this feature.

6. Bandwidth Management cannot set an IP to have a particular priority. The priority only lists services (with no IP address control) and the Rate Control only lists particular rates (but for specific IPs).. would like to say something like 192.168.1.5 has "High" priority.

7. Some of the columns to be sensibly sorted by default instead of the order they were entered.. for example IP & MAC Binding should be sorted by IP address.

8. A wider range of Dynamic DNS providers supported (1 for Europe/America and 1 for China is not really enough!). Perhaps an API/standard for this too so we can make our own.

9. Ability to route all web traffic via a HTTP proxy (like Squid). Sometimes called a transparent web proxy.

10. Ability to ban an IP after they fail to correctly login x number of times to either the VPN/Web Interface/SSL VPN etc.. to prevent bruteforce attacks succeeding.

11. DNS Local Database - Would be nice if there was an option (i.e. could be disabled) for the DNS server to append the domain name to any queries without a "." so Windows users could enter in "NAS" for example in the DNS Local Database and it behave as expected.

Also as an aside, I've noticed on this site when you type in too many tags into the add discussion page it errors and then trashes the form (including whatever you wrote in this box), which is quite frustrating.

Thank you again for fixing a lot of the bugs in the last release. I look forward to seeing the next one which should make the product even better. If there's a better way to be more involved in testing/reviewing Cisco products please let me know as I would love to help out.

Regards,
Matthew

dancrichton
Level 1

Here are a few things that are on my list of annoyances so far. Still haven't put my RV320 into production due to show stopping issues.

 

1. Would like to see RADIUS support for PPTP (I know PPTP isn't recommended for VPN connections, but with no L2TP and the SSL VPN being unusable for IE10+ or Windows 7 64-bit it's the only choice when installing client software isn't an option).

 

2. It would also be handy if usernames weren't limited to 11 characters, in the absence of RADIUS support I'm unable to set my VPN users with the usernames they'd use normally as the 11 character limit is too short.

 

3. SSL VPN support for IE10+ and Windows 7 64-bit - apparently (I was told this by a Cisco support engineer) this is due in the next MR firmware release hopefully in April. Still outstanding in the current release which is why I've included it here. IE10+ support is a simple tweak to not rely on looking for "MSIE" in the user agent string, and instead to look for "Trident" (the IE rendering engine, and likely will be in the "Spartan" user agent string too). Also the ActiveX components have expired digital certificates so cannot be installed even on Windows 32-bit without registry changes to allow unsigned drivers to be installed.

 

4. Support for SSL VPN with non-IE browsers. Other vendors support non-IE browsers using Java based plugins, this would be useful too but I guess is dependent upon Cavium making these plugins available to Cisco.

 

5. Easy VPN summary page - using RADIUS for user authentication the Group VPN Status table shows the Remote Client as the tunnel name, rather than showing the username supplied in the connection. Would be much more useful to show the actual username as otherwise there is no way to determine which connection relates to which user.

 

6. Access rules limit - when defaulting to deny all outgoing connections and only allow specific ones, the limit of 50 access rules is hit pretty easily. Would be a little easier to manage if there was an option to specify both TCP and UDP in a single service entry - for instance, rather than having to set up DNS as TCP port 53 and UDP port 53, a single service entry as TCP/UDP port 53 would reduce the number of services and the number of access rules. Or a way to specify multiple ports for a single service rather than a range, such as when allowing external email access - a single rule allowing ports 25, 465, 110, 995, 143, 993 would cover unencrypted and SSL/TLS SMTP, POP3, and IMAP in one go.

 

Dan
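
The user-agent check described in item 3 above, as an added example that is not part of the original post and not Cisco's portal code: it contrasts a check that only looks for the "MSIE" token with one that also reads the "Trident" token. The function names and the sample User-Agent strings are constructed for illustration; the Trident-to-IE version mapping is the one Microsoft documented for IE8 through IE11.

```javascript
// Constructed sample User-Agent strings (illustrative, not captured traffic).
const SAMPLES = {
  ie8:       'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)',
  ie11:      'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',
  ie11compat:'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0)',
  firefox:   'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:38.0) Gecko/20100101 Firefox/38.0',
};

// Trident engine version -> real IE version (IE8..IE11).
const TRIDENT_TO_IE = { '4.0': 8, '5.0': 9, '6.0': 10, '7.0': 11 };

// Check that consults only the "MSIE" token; IE11 no longer sends it.
function legacyIsIE(ua) {
  return /\bMSIE \d+/.test(ua);
}

// Check that prefers the Trident token and falls back to MSIE.
function detectIE(ua) {
  const trident = /\bTrident\/(\d+\.\d+)/.exec(ua);
  const msie = /\bMSIE (\d+)/.exec(ua);
  const is64bitOS = /\b(WOW64|Win64|x64)\b/.test(ua);
  if (!trident && !msie) {
    return { isIE: false, version: null, compatMode: false, is64bitOS };
  }
  const claimed = msie ? Number(msie[1]) : null;
  // The engine version reveals the real browser even when Compatibility
  // View makes it claim to be an older MSIE.
  const real = (trident && TRIDENT_TO_IE[trident[1]]) || claimed;
  const compatMode = claimed !== null && real !== null && claimed < real;
  return { isIE: true, version: real, compatMode, is64bitOS };
}

// The User-Agent header is client-controlled: use it only to pick which
// client component to offer, never as an access-control decision.
for (const [name, ua] of Object.entries(SAMPLES)) {
  console.log(name, 'legacy:', legacyIsIE(ua), 'trident-aware:', detectIE(ua));
}
```
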

I appreciate your knowledge, patience and persistence, Dan.

Looking forward to news about SSL VPN on any modern Windows OS. 

As a side-note, the support forums here themselves often seem extremely sluggish and buggy.

I've found copying and pasting my response periodically is a necessity on this site. There's just too many ways to lose your post while you're composing it!

Rasmus Rask
Level 1

Thanks, Matthew.

My two cents:

  • Bug: Port forwarding seems to bypass firewall rules, preventing you from restricting access to forwarded ports from certain IP addresses
    (https://supportforums.cisco.com/discussion/12370196/port-forwarding-rv320-bypasses-firewall-rules)
  • Feature request (though I would almost consider this a bug): No support for VPN hashing algos beyond SHA1, which has been considered insecure since 2005 - long before RV320 entered the market
    (https://supportforums.cisco.com/discussion/12370176/rv320-only-supports-insecure-deprecated-hashing-algo-sha-1)

Rasmus,

I hadn't noticed those! (I haven't felt comfortable putting the router as the edge firewall until some of the other things are addressed).

Thanks for your post and suggestions too :-).

Hopefully this should give Cisco plenty of ideas when they develop the next firmware (unless the RV320 goes EoL).

Kind regards,

Matthew

Rasmus Rask
Level 1

Oh for ..... sake!

Since upgrading to 1.1.1.19, I can no longer add or edit port forwarding entries - adding a new, or editing an existing, replaces the chosen service with "[TCP&UDP/~]" (aka. "all traffic") and also leaves the entry disabled.

Not only is this extremely buggy router, once again, an obstruction to my work, but I also now mangled an existing rule and can't revert it due to this bug.

I have effectively DoS'ed myself thanks to this lovely router. Is there no QA on your firmware releases?

When is the next FW release expected?

Hi, 

My name is Ricardo from the Cisco technical department and first I would like to apologize for the inconvenience and extend our support.

Now, we don't have an estimated date for a new firmware release, but I encourage you to open a case with us, just give us a call at 866 606 1866, and any of our co-workers will be glad to work with you, gather the information and work on a workaround and all your feedback will be highly appreciated.

J. Ricardo.

werner
Level 1

I just have found one inconvenience with v1.1.1.19 (RV325 in my case). EasyVPN works stable, however on iOS and OS X connections fail in 9 out of 10 times. EasyVPN works fine with Windows and Android as clients. Since EasyVPN works reliably with my employer's ASA and OS X/iOS I assume both Cisco and Apple are the root cause of this. What puzzles me is, if I get a connection then it runs reliably, but there seems to be some weird timing issue at work which prevents the connection way too often.

 

werner
Level 1

Works for me here reliably on a RV325. I had to forward several ports and block others due to not letting some UPNP devices out.

Have you flushed your configuration after the update via a router reset? If not then do it and set up your setup again manually. Often the root cause of such problems is old config files which are still around after a firmware upgrade.

 

Flush configuration and reconfigure manually? No offense, but that's a horrible solution! I don't want to have to redo my configuration every time I do an upgrade!

Sometimes I have to do upgrades remotely (remote control and internal PC), so this is simply not an option and certainly not something I would expect to be needed on a Cisco box.

Unfortunately, this is pretty much required in any SMB router. The saving and restoring of configurations can cause issues on most manufacturers' routers. Your easiest way to save yourself some pain (and get this RV working the way you want) is to factory default it and reconfig.

Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com

t_scholem
Level 1

+1 Feature Request:

Ability to create Gateway-to-Gateway with both sides using Dynamic IP. That used to be supported on RV042, but it's not present on RV320. Makes me wonder why!

guillaumelavaud
Level 1

+1 Feature

Support iPhone in tethered mode in USB modem list

matthew1471
Level 1

There is a new firmware now out for the RV320, V1.2.1.13.
