Nagrajk,

Thanks for pointing me to that post, plan to apply the change you suggest (specifically disabling NSD as we only have one internet connection at that site) and monitor over the next few days.

Will update this post with the results (fingers crossed this addresses the issue).

Again, thank you for your guidance.

Hi

1. Yes, keep the NSD(Network Service Detection) disabled completely.

- just to confirm (you may have done it already), after disabling NSD on the wan1 interface, did you do a reboot (after a permanent-save to startup-config)?...

2. As for the wan interface "going down"....no i dont think its going down at all especially not after NSD is disabled).....its my personal opinion based on my understanding of how the wan-interface/configurations work on RV34X routers (i have a few in my network-deployment using DDNS too...so i know something about it i guess

a) the issue with DDNS/dns-resolutions does not mean that its happening becos of "wan1 interface going down"...

- dns/ddns-issues and wan1-interface links are independent

------------------------------------------------------------------------

Lets analyse this by breaking up the network-deployment of your RV345 into 2 parts of your configuration on the RV345

1. The wan1 interface configuration:

>>>The Cable Modem is in Bridge Mode and has a dynamic IP Address

- Can you please confirm as whether the "dynamic-ipaddress" that is assigned to your wan1 interface is via DHCP or have you configured a PPPoE on wan1?

- Can you please confirm that you have NOT configured "wan" interface as a vlan-subinterface on this wan1? (some of the ISPs require that the "wan" is configured on a vlan-subinterface) 

a) Is the "dynamic-ip" address assigned to your wan1 interface a "Public-IPaddress" or does it fall into either of the below private-address-subnets:

10.0.0.0/8 (so it would be something like 10.x.x.x on your wan1 interface, if it is so)

172.16.0.0/12 (so it would be something like 172.16.x.x on your wan1 interface, if it is so)

192.168.0.0/16 (so it would be something like 192.168.x.x on your wan1 interface, if it is so)

b) Now when you configure your wan1 for dynamic-ipaddressing, you also have a choice of configuring the "dns-servers" which would be

- either you will configure the dns-server ipaddresses them explicitly in this wan config

- or you will use whatever is assigned by your ISP (thru DHCP or with your PPPoE connection)

>>>(Did notice we are using Cloudflare DNS servers (1.1.1.1 and 1.0.0.1)

>>>as opposed to the ISPs but doubt that would be causing issues)

- And so as you mentioned in your statement, instead of getting the dns-ipaddresses from your ISP, you have explicitly configured the Cloudfare-DNS servers - 1.1.1.1 and 1.0.0.1. This is absolutely fine and correct

c) And you have also "disabled/unchecked" the NSD service/feature on the wan1 interface under WAN/MultiWAN

d) So as far as the wan configuration is concerned, the above is what that can be done, and your deployment would look something like below:

Notes:

- At this point of time....iam assuming that the DDNS service (that is a separate service further down in the GUI)  is disabled at this time...i suggest that you should do a debug by configuring upto this point and "disable/uncheck" the ddns service, if any, on the wan1 interface

lan-host1---vlan1[RV345]wan1----[modem]----[isp-router]----{internet}---[cloud-fare-dns-servers]---[example-google-8.8.8.8]

- iam assuming that your lan-host is configured as below:

ipaddress: 192.168.1.x/24

default-gateway ipaddress: 192.168.1.1 (which is the ipaddress of the vlan1 interface of RV345)

e) Next for the purpose of debugging, in the "Firewall basic settings page" , uncheck/disable "Block-wan-requests" (this will enable pings to your wan1 ipaddress from wan-hosts, else its disabled by default). Do a apply-and-permanent-save-to-startup-config.

f) So now at this point of debugging, i would suggest you do the below steps:

step-1: reboot the RV345 (after you have ensured that you have done a apply-permanent-save-to-startup-config of above configs)..and wait for about 180-seconds

step-2: Next, after the reboot, try the below

- send 20 pings, as "ping 192.168.1.1 -c 20" ...it will be and it should be successful

- next send 20 pings as "ping 1.1.1.1 -c 20" and/or "ping 1.0.0.1 -c 20".....here the point is that if wan1 interface-config is working correctly, then the pings from the lan-host1 will get correctly routed to the internet upto the cloudfare-dns-servers and the ping-replies will be successfully recieved by the lan-host1. If this is not working...then to double-check further,

- you should also send 20 pings to "ping 8.8.8.8 -c 20" to the always-on-reachable google-dns-server 8.8.8.8

so if the pings from lan-host1 to 8.8.8.8 (or any other internet-hosts) work, then it means your wan1 link(and confgs) are working correctly...

- in case you dont see any ping replies from 1.1.1.1/1.0.0.1, it maybe also becos they have blocked ping-replies

So at this config-stage, i would request that you post the screenshots of your configurations on the RV345

--------------------------------------------------------------------------------------------

----------------------------------------------------------------------------------------------

2. The second part (independent of wan) is your DDNS service config:

a) Here iam assuming that you have registered to one of the 4 supported ddns-service....

- the RV345 has these 4 DDNS-service-clients supported

b) Now using one of the ddns-client (say dyndns for example), you will be registering your DDNS FQDN (rv345gw.yourdomain.com) to the dyndns-servers on the internet....AND alongwith with your fqdn, the RV345-ddns-client will be sending the active wan1 ipaddress for mapping the fqdn to the ipaddress as below in the dyndns-server records for your account

rv345gw.dyndns.org <your-wan1-ipaddress-assingned-by-your-isp>

c) Check the attached screenshots for reference

d) So please kindly post your DDNS configuration screenshots that you have applied

--------------------------------------------------------------------------

So now some Additional notes:

1. When a remote-wan-host (or from your s2s-vpn peergw) say for example sends a Ping to your ddns-registered fqdn (representing your RV345-wan) for example "rv345gw.dyndns.org" , then this fqdn will be 

- first resolved by the dydns-dns-servers to the registered ipaddress in its records....

- and this ipaddress MUST be a public-ipaddress that is active on the RV345-wan1 interface....

- if the ipaddress is in private-address-space (as mentioned above initially), it cannot be reached or routed from the internet/wan-hosts

PS: I truly hope that iam not conveying anything of the sort of "being Patronizing" to you. Iam truthfully not being patronizing...the above is always the way i go about debugging any issue...however childish or patronizing it may look like...so please dont mind all of the above points/statements....its just to do with debugging in a more focussed manner so that we can eliminate the areas of contention as we go about debugging

thanks

also ensure that the time and date on your RV34X router is set to present date and time...

Hi

some queries from me:

1. Have you enabled and configured the AnyConnect SSL-VPN server on the RV345?

2. If yes, what/which certificate are you using/applied on this sslvpn server?

3. Have you also enabled dhcpv6-server too on the lan/vlanX-interfaces of the RV345?, if yes and if you are not using it, disable the dhcpv6-server(s)

Hi

>>>On this particular device there are only 2 SSL-VPN users and they have no trouble connecting via anyconnect. 

Yes...generally....generally/ideally it is expected to work when the "default" cert is also used to configure the sslvpn-server

>>>That said, neither have attempted to remotely access this device in 2 weeks that is to say, the errors would not be caused by a >>>connection attempt from the users.

- Yes. BUT looking at the sslvpn "errors" logs posted by you...i am trying to eliminate the possibilities to arrive at  some root-cause for this happening on your RV345-router

- so i was thinking if its not much trouble for you, could you do the below steps on the RV345 and do a apply-permanent-save & reboot once, and then observe?

a) Check and confirm that the date & time on the router is set to present date/time in your timezone. 

b) In the Adminsitration/Certificates, generate a new sample "self-signed-certificate" as shown in attached screenshot...you please change it to your country and other details...etc

c) and then go to the VPN/SSLVPN server config page and select this new self-signed-certificate instead of the "default"...and do a apply-and-permanent-save-to-startup....and do a reboot once

d) If all things work fine...fingers-crossed, it is expected that you should not be seeing any of the ssl-vpn errors/logs...especially when there are no users/clients connecting.....

- Now as for the logs showing ddns errors...you need to check and ensure that the dyndns ddns client is connecting and updating to your dyndns-account correctly and properly

- are you capturing the logs on a syslog server in your rv345-lan-network.???...if not...do it....

Hi

>>>On the SSL Certificiate process I outlined above, does that look correct config wise to you?
>>>Not a lot of clear documentation out there on applying a Godaddy SSL Certificate to the RV series router (read AG and bunches of tech notes on Cisco's site) - I >>>am still confused and wondering if that is properly applied.

You mentioned that you had applied the below steps/procedures:

>>>Generated the Certificate with GoDaddy (copy/paste CSR into their platform)

>>>- Generated Signed Cert and Downloaded the Zip file that had 3 files:

>>>1. xxxxxxxxx.crt

>>>2. xxxxxxxxx.pem

>>>3.gd_bundle.crt

>>>CERTNAME_CA | Type: CA Certificat | Signed by Godaddy etc.

>>>(UNCLEAR IF WE NEEDED TO UPLOAD THAT BUNDLE.CRT File and kind of scratching my head why the primary cert is listed as "local" as opposed to "CA" but everything is >>>functioning so can look into that config in detail later)

1. Ok, the very first step i suggest you do is to transfer/copy all of the above 3 cert/files to a Linux-Host (say ubuntu)

2. Now, iam sure you are already aware of it, but i will mention it here again so that we can follow the logical-flow in this discussion

- In your case, the file "xxxxxx.pem" or the "xxxxx.crt" is the "signed-device-cert" (which is tagged as "Local Cert" after its imported into RV-router)

b) Now on the Linux-host, run the below command to see the contents of your "signed-certificate"

openssl x509 -in xxxxx.pem -noout -issuer

root@host#openssl x509 -in xxxxxx.pem -noout -subject
subject= /C=US/ST=NY/L=NYC/O=Cisco Systems/OU=HR/CN=rv345.xxxx.com

root@host#openssl x509 -in xxxxxx.pem -noout -issuer
issuer= /C=US/ST=NY/L=NYC/O=Godaddy Systems/OU=Main/CN=IntermediateCA1

- Now checkout with same commands above with xxxxx.crt file, just to make sure that both the xxxx.pem & xxxx.crt are one and the same

c) Next on the linux host, do a "cat gd_bundle.crt", and if iam right, you will see the contents as below:

-----BEGIN-----
sjhjhjhg
kjdkjkdkfdkfdkfdksfjd
kfhdjfhdsjfdsjfdjfsdjfdjfdjfjdshf
...and so on....
-----END-----
-----BEGIN-----
sfhjfhjfh45ttfgfg45y54regfjdshfjsdhf4u5t5tuvbjkf
jbdshjfgew091277283636452786437463
38238434mdskdjkdjf
....and-so-on
-----END-----

....and so on of the BEGIN-END blocks if there are more than 2

Now here the bundle.crt is a bundle of the CA-certs chain that contains the Intermediate-CA1 that has signed your CSR and generated the signed-cert xxxxx.crt/xxxxx.pem, AND it also has the main-top-level "ROOT-CA" that has signed the "Intermediate-CA1"..
- basically its a Chained-CA certs file

d) i suggest that you select and copy-paste each of the "Begin-End" blocks separately into separate files and name them as CA1.pem, CA2.pem...etc

NOTE: Ensure that when you copy 1 block of BEGIN to END, you also copy all the the hyphens("-") exactly as available in the output of cat command. This is important. You cannot miss even 1 hyphen OR add any extra hyphen (i think its generally 5 hyphens exactly...iam not sure now at this time)

e) Now first, for CA1.pem file, run as below:

openssl x509 -in CA1.pem -noout -subject
openssl x509 -in CA1.pem -noout -issuer

- if this was the CA-cert that had signed your CSR/local-cert, then the subject and issuer names will NOT BE SAME.
- If the issuer and subject are NOT same, then it means this is a Intermediate-CA1 certificate

f) Next with CA2.pem file, do the same steps as below:

openssl x509 -in CA2.pem -noout -subject
openssl x509 -in CA2.pem -noout -issuer

- now here if this certificate had signed the CA1.pem, then the subject-name of this CA2 cert will be the same as "issuer-name" in CA1.pem file
- And if this is the main top-level-CA cert, then both subject and issuer names of this CA2.pem will be the same

g) So now what you need to do is to check/compare whether in the gd_bundle.crt file, the "Begin-End" data-blocks (for CA1.pem and CA2.pem respectively) are as in below order or not:

root# cat gd_bundle.crt

<the begin and end block of CA1.pem intermediate-CA file>
<next the begin and end block of CA2.pem the main-root-CA file>

- the order MUST be as above
- else you need to create a new file and paste the begin-end blocks in the above order, and save it as a separate gd-bundle2.crt

Note: The general order of the "Begin-End" blocks in a bundled-CA-cert file will be as below (depending on how many levels of intermediate-CA are there)

<intermediate-CA1 that has actually signed the device-CSR-cert>
<the next level Intermediate-CA2 that has signed CA1 above>
<the next level Intermediate-CA3 that has signed CA3 above>
....
<the last main top-level ROOT-CA-cert>

3. So once you have confirmed/checked that the gd_bundle.crt is in correct order, OR if not, you have created another bundle2.crt file in correct order, you should import this correct bundle-CA cert file in to the RV-router

NOTE: The bundled-CA certs are NOT supported in the IPsec VPN tunnels (S2S and/or C2S) when imported as bundle-CA-cert. As mentioned above, you have to create those CA1.pem, CA2.pem, etc and import them separately into RV to use in IPsec-VPN tunnels (S2S and/or C2S).

- you can import the bundle-CA file as is and then you can also import again the individual CA1/CA2/etc certs and only then use them in the ipsec-vpn tunnel configs...

hope the above info helps...