not such good news
Cisco looks to have released firmware 1.0.01.18 today.
In it there is no mention of, or change to, either:
1. Block unknown MAC addresses not in the DHCP reservation table (a missing feature that is in the RV320/RV042G).
2. No update to allow more than 100 clients in the source guard table (where you can whitelist MAC bindings).
This is a real bummer given the amount of requests here and my open SR for the last 9 months.
Small good news is that they now allow you to disable IPv6 on WAN interfaces, which has helped with max CPU messages on my own setup here. Now that our RV345s are not at max CPU they have also stopped dropping VPN pass-through sessions!
Other updates in the release notes for 1.0.01.18 are as follows:
CSCvg55169 RV34x: Router provides DHCP addresses when the DHCP server is disabled.
CSCvg94597 RV34x: S2S VPN status shows up but stops passing traffic.
CSCvf80775 RV34X: Pre-shared key shown in clear text in the router's log.
CSCvf25351 RV34x: VPN doesn't work when the DMZ Host is configured.
CSCvf94125 Wrong MDFID and SWTID in Bonjour for the RV340W and RV345.
CSCvg74957 Allow to disable IPv6 on the WAN interface
CSCvg62258 RV34x: User configuration issues when User Group name has a space in the name.
CSCvf45093 RV34x: Can't restrict web access for VLANs
CSCve91854 RV34x: Web filtering doesn't work if the URL has "_" in the address.
CSCve19873 Option82 causes win7/win10 client to send offer continuously.
CSCvd09880 RV34x: Reply to option3 info when option82 is enabled.
CSCve80862 SNMP/syslog does not work over the VPN tunnel if the VPN remote subnet is configured as “Any”. Solution: Configure the VPN remote subnet with a specific subnet. Or, the user can add a specific route under “Routing -> static routing -> IPv4” using the SNMP agent host as the destination network address, mask 255.255.255.255, and “” as the next hop, and the interface as the appropriate LAN interface (such as VLAN1). This route ensures that the reply traffic from the RV34X will be tunneled.
CSCvd39976 A SSID name that included a space character is identified as two SSIDs in the User Group setting page. Solution: Remove the special character from the SSID name.
CSCve55189 RV340W fails to save the running configuration to startup configuration. It becomes abnormal, after creating 10 captive portal profiles with 10 background pictures. Solution: Too many new pictures will occupy the configuration space. Please limit the captive portal profiles to less than 5 if you have to upload new pictures to each profile. Press the reset button for 10 seconds to reset to factory settings if the issue occurred.
CSCvd25865 IPv6 status shows that it is down when the IPv6 WAN type is PPPoE and IPv4 type is DHCP or static. Solution: Ignore the IPv6 status. If both IPv4 and IPv6 are PPPoE, the status is correct.
CSCvd17343 SNMP system uptime value is not the same as the device web GUI. Solution: None
CSCvd34369 Can not connect to the Teleworker VPN Client manually. Solution: Enable the Auto Initiation Retry. It will connect/reconnect automatically in the backend. Or, choose “Do not Activate the Connection” before applying, then click the connect button.
CSCvd34360 Teleworker VPN Client IOT issue with ASA and RV325. Solution: Enable the PFS (Perfect Forward Secrecy) option on the ASA device.
CSCva62803 AC340U sometimes can not dial a connection on the USB1. Solution: Try the USB2 port and unplug and replug the dongle again.
Thank you for the reply. There are 2 problems with using source guard on the RV345:
1. There is a 100-client limit. That puts a real haircut on being able to use this router in a small business or large home setup!
Note that the RV345 also has a 100-client limit on static DHCP reservations.
This limit really is silly given that the much older RV042G does not have a limit.
2. Using IP source guard would require manually adding clients into both the DHCP reservation table and the source guard table: duplicate manual work. Note that both the RV325 and RV042 have an option to “block all other traffic” not listed in the static DHCP reservation table.
So overall the 100 client limit is really a problem here.
Migrating from an RV042 where we have 120+ static IP reservations set by MAC address and the option used to "block traffic from unknown MAC / IP". Called Cisco support, who confirmed the feature is missing in the RV340/RV345. Here is a page that notes where this feature is in the RV325: https://supportforums.cisco.com/t5/small-business-support-documents/manage-ip-and-mac-binding-on-rv320-and-rv325-vpn-routers/ta-p/3170581
Does anyone have a suggested workaround here? Requirements:
1. 120+ static DHCP IP reservations based on MAC
2. Block MAC/IPs not on that list
3. Ability to display MAC/IPs not in that reserved table
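Requirement 3 above (showing which MAC/IPs on the LAN are not in the reservation table) can be met off-box even when the router itself has no "block unknown MAC" option or caps the reservation table at 100 entries. The script below is an added example written for this thread; it is not the poster's code and not a Cisco tool. It assumes two inputs whose formats are constructed for the example: the reservation list exported as CSV (`mac,ip,name`) and an observed-host list of `ip mac` lines such as an ARP table dump. It flags MACs that are not reserved and reserved MACs that appeared with an IP other than the one reserved for them.

```python
"""Audit a DHCP reservation table against observed LAN hosts.

Added example for this thread (not the poster's code, not a Cisco tool).
Input formats are assumptions made for the example: reservations as CSV
with columns mac,ip,name and observed hosts as "ip mac" lines.
"""
import csv
import io
import re

# Constructed sample data (not from the thread).
RESERVATIONS_CSV = """mac,ip,name
00:11:22:33:44:55,192.168.1.10,printer
00-11-22-33-44-66,192.168.1.11,nas
AA:BB:CC:DD:EE:01,192.168.1.150,workstation-1
"""

OBSERVED_ARP = """192.168.1.10 00:11:22:33:44:55
192.168.1.11 00:11:22:33:44:66
192.168.1.150 aa:bb:cc:dd:ee:01
192.168.1.200 de:ad:be:ef:00:01
192.168.1.12 00:11:22:33:44:66
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Canonicalise colon, dash and Cisco dotted MAC forms to aa:bb:cc:dd:ee:ff."""
    m = mac.strip().lower().replace("-", ":").replace(".", "")
    if ":" not in m and len(m) == 12:  # dotted form collapsed to 12 hex digits
        m = ":".join(m[i:i + 2] for i in range(0, 12, 2))
    if not MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


def load_reservations(text: str) -> dict:
    """Map normalised MAC -> reserved IP."""
    return {normalize_mac(r["mac"]): r["ip"].strip()
            for r in csv.DictReader(io.StringIO(text))}


def load_observed(text: str) -> list:
    """Parse 'ip mac' lines into (ip, normalised mac) tuples; blank lines skipped."""
    hosts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac = line.split()
        hosts.append((ip, normalize_mac(mac)))
    return hosts


def audit(reservations: dict, observed: list):
    """Return (unknown, mismatched).

    unknown:    (ip, mac) pairs whose MAC has no reservation at all.
    mismatched: (ip, mac, reserved_ip) where a reserved MAC showed up on
                a different IP than the one reserved for it.
    """
    unknown, mismatched = [], []
    for ip, mac in observed:
        if mac not in reservations:
            unknown.append((ip, mac))
        elif reservations[mac] != ip:
            mismatched.append((ip, mac, reservations[mac]))
    return unknown, mismatched


def report(reservations_csv: str = RESERVATIONS_CSV, arp_text: str = OBSERVED_ARP) -> str:
    unknown, mismatched = audit(load_reservations(reservations_csv), load_observed(arp_text))
    lines = [f"{ip}\t{mac}\tNOT RESERVED" for ip, mac in unknown]
    lines += [f"{ip}\t{mac}\tRESERVED AS {res}" for ip, mac, res in mismatched]
    return "\n".join(lines) if lines else "all observed hosts match the reservation table"


if __name__ == "__main__":
    print(report())
```

Run it on a cron schedule against a fresh ARP export and the output is the list the RV34x GUI cannot give you; the reservation CSV is not subject to the router's 100-entry cap because it never has to be loaded onto the box.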
Hi Dan, thanks for the info and reply here. I spent a lot of my time here on this three years back, and note that my posting in the forum here came only after TAC cases really went little distance. Yes indeed, after a long time (4 months) they did offer a beta firmware, but I noted there were still issues in the logging that persisted. (The unit really should not continue to send alarm mails every X interval when the only new log entry since the prior alert mail is 'alert mail sent'.) I believe you that the case was closed with no contact; however, I would note some inaccuracy there, though it was a long time back and not of much value to pursue. On my last contact with Cisco asking for status on this I was greeted with the message of 'sorry, you are past your included support SLA included with purchase' and asked if I wanted to pay for further support. After clarifying that this included prior issues and referencing my case, he was polite and filed it as a presales call, but I never heard anything other than presales back. Your reply is still sincerely appreciated and I suppose of good value since the firmware version is notably different now. Also I will note that I did remove this unit from main service and put it into one of the BCP setups back when I reported this issue, during the massive time spent troubleshooting, from lack of confidence in what the unit was doing. However, in that capacity the unit has been stable, although it does not see much active use. Cheers, J
I too have been told the same thing via my support case about TCP clients attempting to re-use connections that were already closed triggering policy violations. What I have specifically asked for is that the real policy violations be separated in the logs (as a separate option) from the session warning messages, which we are being told these are. I opened the case in August 2012 and after many hours, in January 2013, support asked me for a new copy of firmware, settings and password (which they did not have before) to replicate the issue. Support has also been sending an update message; example below. Aside from this I've also noticed that this router can be flaky about accepting updates to firewall rules. In my calls with support they all have suggested restarting the router after making changes; after some experience I can see why.

---------- Forwarded message ----------
From: Chandan X < X@cisco.com >
Date: Wed, Feb 13, 2013 at 1:18 PM
Subject: SR 622533979 - RV042G [WSU] Logging false positives for policy violations
To: X
Cc: X@cisco.com

Greetings,
The following is a case status update courtesy notice. The issue you reported remains open with Engineering & Development teams. This issue may be addressed in a forthcoming Maintenance Release firmware; however there is no ETA for this release. We will continue to monitor Engineering & Development team progress and notify you as soon as any updated information becomes available. Please let us know if you have any questions.
--
Regards
After a few conversations with some solid tech support folks, what I have been told multiple times is that "this is a common issue" with the RV series. Specifically, these routers 'consider broken TCP sessions' policy violations and log them as such. Everyone who has reviewed TCP session dumps pretty much agrees these look to be broken TCP sessions (where the destination has closed the connection but the sender (LAN CLIENT) attempts to continue the old session, instead of recognizing that the session is closed and opening a new session). This does raise the question of whether there might be a deeper issue with these routers not passing session closure messages back to the LAN clients; however, that is a bit harder to conclude. In my last conversation I specifically requested that a bug be opened with a request that "broken TCP sessions" or "invalid TCP session requests" be called out as a separate item in the log (via a separate option). The main problem with broken TCP sessions being logged as policy violations is that writing them to the log as a policy violation effectively triggers email notification and also fills the log. Due to these persistent entries in the log a reasonable user cannot make use of the "log policy violations" option to keep track of real policy violations, i.e. the static of these false alarms causes the logging feature to be useless. Thankfully, here is the recent update I received from support:

On Tue, Oct 9, 2012 at 5:28 PM, < email@example.com > wrote:
Greetings,
The following is a case status update courtesy notice. The issue you reported remains open with Engineering & Development teams. This issue may be addressed in a forthcoming Maintenance Release firmware, however there is no ETA for this release. We will continue to monitor Engineering & Development team progress and notify you as soon as any updated information becomes available. Please let us know if you have any questions.
Alex XXXXXXXX
Support Engineer
Cisco Systems Inc.
Phone: 949-823-XXXX | Email: XXXX@cisco.com
Hours: 8:00 AM to 5:00 PM (PST), Monday ~ Friday
Cisco Small Business Support contacts: http://www.cisco.com/go/sbsc
Cisco Small Business Support Community: https://supportforums.cisco.com/community/netpro/small-business
Would anyone here agree that these rejections could be considered "normal" as created by the default rule set? If so, why does the default rule of "allow all LAN to WAN" traffic not allow all of the above?
This might be a newbie question, but my firewall log is full of entries listing policy violation rejections. These look like traffic from LAN to WAN that is being rejected, right? If so, why?

Jul 24 00:15:49 2012 Connection Refused - Policy violation TCP 192.168.1.150:53668->18.104.22.168:80 on eth1
Jul 24 00:11:55 2012 Connection Refused - Policy violation TCP 192.168.1.114:49229->22.214.171.124:5223 on eth1
Jul 24 00:09:58 2012 Connection Refused - Policy violation TCP 192.168.1.109:50606->126.96.36.199:443 on eth1
Jul 23 23:59:45 2012 Connection Refused - Policy violation TCP 192.168.1.150:53639->188.8.131.52:80 on eth1
Jul 23 23:57:12 2012 Connection Refused - Policy violation TCP 192.168.1.114:49229->184.108.40.206:5223 on eth1
Jul 23 23:54:58 2012 Connection Refused - Policy violation TCP 192.168.1.109:50606->220.127.116.11:443 on eth1
Jul 23 23:49:39 2012 Connection Refused - Policy violation TCP 192.168.1.150:53627->18.104.22.168:80 on eth1
Jul 23 23:45:22 2012 Connection Refused - Policy violation TCP 192.168.1.109:50605->22.214.171.124:443 on eth1
Jul 23 23:43:39 2012 Connection Refused - Policy violation TCP 192.168.1.150:53587->126.96.36.199:80 on eth1
Jul 23 23:42:12 2012 Connection Refused - Policy violation TCP 192.168.1.114:49229->188.8.131.52:5223 on eth1
Jul 23 23:40:08 2012 Connection Refused - Policy violation TCP 192.168.1.109:50606->184.108.40.206:443 on eth1
Jul 23 23:33:07 2012 Connection Refused - Policy violation TCP 192.168.1.150:53565->220.127.116.11:80 on eth1

Noted that most of the rejections are in the 40,000-60,000 port range.

New RV042G, WAN 1 set to 10.x, LAN 192.168.1.1. Only has the default access rules in place:

   Action   Interface     Source Interface   Source   Destination   Time
1. Allow    All Traffic   LAN                Any      Any           Always
2. Deny     All Traffic   WAN1               Any      Any           Always
3. Deny     All Traffic   WAN2               Any      Any           Always

Have tried reflashing firmware to the current version (was already on it), disabling SPI, disabling Denial of Service; all no change.
Thanks for any input on why the FW log is full of these rejections.

Separate question on logs; is this right?
Outgoing Log Table is always empty
Incoming Log Table is always empty
Access log is always empty

Also noted another issue with logging; bug? When the router was brand new out of the box and again after the firmware flash:
* the "All" dropdown of System Log was BLANK, not logging any entries, although other dropdowns such as "System Log" and "Firewall Log" were
* email alerts were not being triggered for log entries
* the clear log button appears to resolve the issue, after which "All" shows all entries now
Thanks, Jeff
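The log excerpt above already contains the clue that later replies in this thread describe (clients retrying a session the far end has closed): a client that keeps retrying an old connection reuses the same source port, so the same `src:port` shows up again and again, whereas a genuinely new outbound connection picks a fresh ephemeral port and appears once. The script below is an added example for this thread, not the poster's code and not a Cisco tool; it parses lines in the exact format quoted above (the twelve lines are embedded as sample input), groups rejections by source IP, source port and destination port, and separates the repeating groups (stale-session noise) from the one-off entries an administrator would actually want to review. The `min_repeats` threshold is an assumption for the example.

```python
"""Triage RV042G "Connection Refused - Policy violation" firewall log lines.

Added example for this thread (not the poster's code, not a Cisco tool).
Groups rejections by (source IP, source port, destination port): entries
that recur with the same source port match the stale-session pattern the
thread describes; singletons are the ones worth reviewing as possible
real policy hits.
"""
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the twelve lines quoted in the post above, embedded so the
# script runs offline.
SAMPLE_LOG = """\
Jul 24 00:15:49 2012 Connection Refused - Policy violation TCP 192.168.1.150:53668->18.104.22.168:80 on eth1
Jul 24 00:11:55 2012 Connection Refused - Policy violation TCP 192.168.1.114:49229->22.214.171.124:5223 on eth1
Jul 24 00:09:58 2012 Connection Refused - Policy violation TCP 192.168.1.109:50606->126.96.36.199:443 on eth1
Jul 23 23:59:45 2012 Connection Refused - Policy violation TCP 192.168.1.150:53639->188.8.131.52:80 on eth1
Jul 23 23:57:12 2012 Connection Refused - Policy violation TCP 192.168.1.114:49229->184.108.40.206:5223 on eth1
Jul 23 23:54:58 2012 Connection Refused - Policy violation TCP 192.168.1.109:50606->220.127.116.11:443 on eth1
Jul 23 23:49:39 2012 Connection Refused - Policy violation TCP 192.168.1.150:53627->18.104.22.168:80 on eth1
Jul 23 23:45:22 2012 Connection Refused - Policy violation TCP 192.168.1.109:50605->22.214.171.124:443 on eth1
Jul 23 23:43:39 2012 Connection Refused - Policy violation TCP 192.168.1.150:53587->126.96.36.199:80 on eth1
Jul 23 23:42:12 2012 Connection Refused - Policy violation TCP 192.168.1.114:49229->188.8.131.52:5223 on eth1
Jul 23 23:40:08 2012 Connection Refused - Policy violation TCP 192.168.1.109:50606->184.108.40.206:443 on eth1
Jul 23 23:33:07 2012 Connection Refused - Policy violation TCP 192.168.1.150:53565->220.127.116.11:80 on eth1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) Connection Refused - Policy violation "
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+) on (?P<iface>\w+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for unrelated lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S %Y")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def group_rejections(log_text: str) -> dict:
    """Map (src, sport, dport) -> list of timestamps at which it was refused."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        groups[(rec["src"], rec["sport"], rec["dport"])].append(rec["ts"])
    return groups


def triage(log_text: str, min_repeats: int = 2):
    """Split groups into (stale, review).

    stale:  groups seen at least min_repeats times (same client, same source
            port, same destination port: the retry-of-a-closed-session pattern).
    review: groups seen once, i.e. distinct connection attempts worth a look.
    Each value carries count, first/last timestamp and span in seconds.
    """
    stale, review = {}, {}
    for key, stamps in group_rejections(log_text).items():
        stamps.sort()
        entry = {"count": len(stamps), "first": stamps[0], "last": stamps[-1],
                 "span_s": int((stamps[-1] - stamps[0]).total_seconds())}
        (stale if len(stamps) >= min_repeats else review)[key] = entry
    return stale, review


def report(log_text: str = SAMPLE_LOG) -> str:
    stale, review = triage(log_text)
    out = ["Likely stale-session retries (same src port repeating):"]
    for (src, sport, dport), e in sorted(stale.items()):
        out.append(f"  {src}:{sport} -> :{dport}  x{e['count']} over {e['span_s']}s")
    out.append("One-off rejections to review:")
    for (src, sport, dport), e in sorted(review.items()):
        out.append(f"  {src}:{sport} -> :{dport}  at {e['first']:%b %d %H:%M:%S}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report())
```

On the sample, 192.168.1.114:49229 (port 5223) and 192.168.1.109:50606 (port 443) each recur three times roughly fifteen minutes apart, which is the retry pattern the support engineers describe, while the 192.168.1.150 entries all use a fresh source port and so remain in the review list; feeding the router's full firewall log through the script gives the "separate option" the poster asked Cisco for, only off-box.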