RV320 allowing connections that shouldn't be allowed

rogersparks
Level 1

I am trying to figure out why I get these connections when I do not have any ports open in my firewall, but the other question is do I need to worry about them?

I have a RV320 with Firmware Version:v1.3.2.02 (2016-09-23, 15:17:06).

2017-02-04, 19:53:49 ALLOW UDP 216.218.206.102:60108 -> XXX.XXX.XXX.130:500 on eth1
2017-02-04, 20:51:33 ALLOW UDP 216.218.206.106:33948 -> XXX.XXX.XXX.224:500 on eth2

Thanks

Roger

5 Replies

Ami Xiao
Level 1

It seems like 216.x.x.x is trying to connect to your WAN somehow; however, the default ACL (iptables) will drop it if you do not allow it.

The RV320 by default listens on port 500 UDP, this is expected behaviour and cannot be changed at this time. A change request has been made to allow blocking UDP traffic to port 500 using the ACL; at this time it is unknown when this change will be implemented.

Port 500 UDP is used for IPSEC VPN; the traffic you are seeing consists of automated connection attempts and/or port scans carried out by shadowserver.org. If you don't use IPSEC VPN, disable it or keep it disabled.

Thanks, refrainfrombeinglame.

Can you provide more information?
Cisco just released a firmware update (1.4xxx) and a fix for this was not included. That makes me worry that the issue is not known to Cisco.

Has there been any update to this?

 

I am getting the same probes on port 500 from shadowserver.org.

I am also now getting the same problem from some IPs in China and would really like to stop this probing that is now about 10 times a day.

No update that I have seen. I believe it is not allowing them through. Otherwise, I believe Cisco would patch it. It seems they would have to - to protect their reputation.

 

But I cannot tell that from the logs or the hacking I have done on the router. So the choice is to buy a Cisco service contract or buy new hardware. I don't mind giving Cisco money for the answer to this, but it's cheaper to buy new hardware -- and it looks like Cisco is not really set up for a home user to buy a single support contract. So I'll probably buy something else.
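Added example, not part of any post in this thread and not Cisco code: a small Python parser for firewall log lines in the format quoted in the first post, which picks out entries addressed to UDP port 500 and groups the sources by /24 so repeated probes from one scanner range stand out. The function names, the third sample line and the assumption that eth1 and eth2 are the WAN interfaces are mine.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the first two lines are the ones quoted in the thread
# (destination masked as posted); the last two are constructed for the example.
SAMPLE_LOG = """\
2017-02-04, 19:53:49 ALLOW UDP 216.218.206.102:60108 -> XXX.XXX.XXX.130:500 on eth1
2017-02-04, 20:51:33 ALLOW UDP 216.218.206.106:33948 -> XXX.XXX.XXX.224:500 on eth2
2017-02-04, 21:02:10 ALLOW TCP 192.0.2.10:51000 -> XXX.XXX.XXX.130:443 on eth1
truncated or unrelated line
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}), (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"on (?P<iface>\w+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry

def ike_entries(log_text, wan_ifaces=("eth1", "eth2")):
    """Entries for UDP port 500 (IKE, used by IPsec VPN) on the WAN side.

    wan_ifaces is an assumption: the interface names seen in the thread's log.
    """
    parsed = (parse_line(l) for l in log_text.splitlines())
    return [e for e in parsed
            if e and e["proto"] == "UDP" and e["dport"] == 500
            and e["iface"] in wan_ifaces]

def sources_by_net(entries, prefix=24):
    """Count entries per source network so one scanner range shows as one row."""
    nets = (ipaddress.ip_network(f"{e['src']}/{prefix}", strict=False)
            for e in entries)
    return Counter(str(n) for n in nets)

if __name__ == "__main__":
    for net, count in sources_by_net(ike_entries(SAMPLE_LOG)).most_common():
        print(f"{net}\t{count} entries to UDP/500")
```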