SA540 Firewall Rules Fail when Optional Port Configured to Failover
Today, I configured a client's SA540 for failover. The primary WAN port is FIOS with a static IP address. The optional port is Road Runner cable with a static IP address. The failover tested successfully. However, now the SA540 cannot be accessed on its internal IP address (https://192.168.1.1) and none of the firewall rules work any longer. There are several rules, but to name two: remote desktop port forwarding to an internal server, and HTTPS to another internal server. Both rules use IP addresses different than the SA540's WAN IP address. Additional external IP addresses were configured previously and assigned and they worked up to the point where the failover was configured.
Now here is the strange part. If the optional port cable is removed from the port, everything returns to normal, but plug it back in and problems. I even tried disabling failover in the SA540's configuration and it made no difference unless the cable was unplugged.
As you might imagine the client is upset about this. Anyone have any ideas?
The firmware is 2.1.18.
PS. About an hour after I posted this, I tried moving the remote desktop external connection from one of the additional IP addresses configured in the SA540 to the dedicated WAN address and remote desktop sessions were then forwarded into the correct server. Apparently, the additional IP addresses are not working with the two ISP failover configured, or at least it doesn't work in my configuration. Any help on this would be much appreciated. The additional IP addresses are configured in the same subnet as the dedicated (primary) WAN port. Again, this worked until failover with another ISP was configured.
Re: SA540 Firewall Rules Fail when Optional Port Configured to F
It was updated several days ago. If you have the diagnostics data I sent to Quendale, you will see that the router has the updated firmware, MR4 RC1. It did not resolve the problem. There is now an escalated case with Cisco TAC. It seems I turned up a big problem.
SA540 Firewall Rules Fail when Optional Port Configured to Failo
This issue has been resolved. After much testing and discussions with the great guys at Cisco TAC, we determined that Verizon FIOS is doing something on their routers to defeat use of IP aliasing. If you have FIOS and you must have more than one IP address and expect to create an IP alias to direct traffic in a 1 to 1 NAT to a node on your network, FIOS doesn’t work. Contact with Verizon technical support is no help. They are oblivious to the problem and don’t want to be bothered.