RVS4000 disabling IPS kills DNS

Background: I recently bought a couple of RVS4000 routers to set up a VPN between my home and office. Initial setup went great and I got the VPN working with Dynamic DNS at both ends quite easily. The only problem was that the performance sucked badly; my ISP gives me 45Mb/s and I frequently see this in both directions from both speed test sites and SFTP to other servers, and they are planning to upgrade our building to 100Mb/s next month. With the RVS4000 in place I typically get 12Mb/s download and 7Mb/s down. No problem, I thought. I've read that most of the performance problems come from the Intrusion Prevention System having to look at every packet. So I switched the IPS off...
Problem: The problem I am having is that if I switch the IPS off then DNS breaks on every computer on the network :-( Look-ups go so slowly that my web browsers frequently time out. If I access somewhere by IP address then everything is fine and the throughput of the router is acceptable (I've seen 28Mb/s when I've actually managed to resolve the address of a speed test server). Unfortunately this doesn't do me much good if I have no DNS. I restored the factory configuration for one router and then ran tests after each step of the configuration. Everything was fine until I switched the IPS off. I then restored to factory state again, confirmed everything was fine and changed nothing else except the IPS; when I disabled IPS the DNS died again!
Question: Is there any work-around for this? I pay for 100M/s wiring between my home and office and with the IPS enabled I'm losing 90% of the performance. If I disable the IPS the device is essentially useless. HELP! Any suggestions welcome. If I can't fix this soon the routers are going to have to go back for a refund.

Well, after some more investigation I have made a little progress on this, although it is still not actually resolved.
Having attached packet capture tools on both sides of the router and watched the DNS packets going through, it seems that there is a bug in the RVS4000 firmware. With the IPS enabled, DNS packets pass through the device with just the source IP address changed (as you would expect due to NAT being enabled) and the checksum values in the IP and UDP headers updated (because the source IP address changed). In this situation everything works fine but the throughput is throttled by the IPS software. If the IPS is disabled, the router not only changes the source IP address but also changes the source UDP port. Worse, it replaces the randomly chosen, non-privileged port number picked by the client with a sequentially chosen port number, starting at port zero. Thus with IPS disabled the outgoing DNS packets look exactly like the packets that would be used to bounce a DDoS attack off someone else's DNS server and my ISP is deciding that they look bogus and rejecting them.
It's also worth noting that replacing the randomly chosen, non-privileged port number with a sequentially chosen port number, starting at port zero, introduces a serious new security vulnerability. If an exploit is found for a bug in the DNS client software on PCs then the only thing stopping this being as dangerous as the recent bugs in the BIND DNS servers is that it's hard for attackers to know which port to attack. Unfortunately if the client machine is behind an RVS4000 then the attacker doesn't need to know which port is being used because he can just send exploit packets with the source address set to the victim's ISP's DNS server and low, sequentially numbered destination ports and the RVS will conveniently pass the exploit on to the correct port on the victim machine. Thus for this type of exploit, having an RVS with IPS disabled is actually less secure than not having the router there at all.
Re-mapping the source UDP port is unnecessary unless there is a port number collision, and the router manages just fine without re-mapping if IPS is enabled. If the port must be re-mapped it should be replaced with something that is randomly chosen and not a privileged port number, just like a good client would have picked. The current state on the RVS4000 1.2.11 firmware is broken and should be fixed.
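The two captures described above (one on the LAN side of the router, one on the WAN side) can be turned into a repeatable check of how a NAT device treats DNS query source ports. The script below is an added example and not code from the original post or from Cisco: it builds constructed IPv4/UDP datagrams in place of a real capture, parses the headers to pull out each query's source port, and reports the properties a defender cares about: whether the NAT preserved the client's randomly chosen port, whether it substituted privileged (below 1024) ports, and whether the outgoing ports form a predictable sequence. The addresses, ports and helper names (`assess_port_behaviour`, `findings`) are all made-up sample values and assumptions of this example.

```python
"""Check whether a NAT device preserves DNS query source-port randomisation.

Added example, not code from the original thread. The two port lists model the
post's LAN-side and WAN-side captures of the same six DNS queries; all packets
are constructed inline with zeroed checksums, so nothing here is real traffic.
"""
import struct

DNS_PORT = 53
IPPROTO_UDP = 17


def _ip_bytes(dotted):
    """Convert a dotted-quad string to its 4-byte network representation."""
    return bytes(int(octet) for octet in dotted.split("."))


def build_udp_packet(src_ip, dst_ip, src_port, dst_port, payload=b""):
    """Build a minimal IPv4 + UDP datagram (constructed capture; checksums 0)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    total_len = 20 + len(udp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                     IPPROTO_UDP, 0, _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return ip + udp


def udp_source_port(packet):
    """Parse an IPv4 datagram and return its UDP source port (None if not UDP)."""
    ihl = (packet[0] & 0x0F) * 4          # header length from the IHL nibble
    if packet[9] != IPPROTO_UDP:
        return None
    (src_port,) = struct.unpack_from("!H", packet, ihl)
    return src_port


def is_sequential(ports):
    """True when each port is exactly one more than the previous one."""
    return len(ports) > 1 and all(b - a == 1 for a, b in zip(ports, ports[1:]))


def assess_port_behaviour(lan_packets, wan_packets):
    """Compare client source ports (LAN capture) with what leaves the router
    (WAN capture) for the same queries, in the same order."""
    lan_ports = [p for p in map(udp_source_port, lan_packets) if p is not None]
    wan_ports = [p for p in map(udp_source_port, wan_packets) if p is not None]
    return {
        "ports_preserved": lan_ports == wan_ports,
        "privileged_ports": sum(1 for p in wan_ports if p < 1024),
        "sequential": is_sequential(wan_ports),
        "distinct_ports": len(set(wan_ports)),
    }


def findings(report):
    """Problems in a report; an empty list means the NAT kept the client's entropy."""
    out = []
    if not report["ports_preserved"]:
        out.append("NAT rewrites the client's source port")
    if report["privileged_ports"]:
        out.append("NAT emits privileged (<1024) source ports")
    if report["sequential"]:
        out.append("outgoing source ports are a predictable sequence")
    return out


# Constructed sample: six queries from a LAN client to the ISP resolver.
CLIENT, RESOLVER, WAN_ADDR = "192.168.1.10", "203.0.113.53", "198.51.100.7"
CLIENT_PORTS = [52417, 61003, 49332, 58890, 53201, 60744]   # random high ports

LAN_QUERIES = [build_udp_packet(CLIENT, RESOLVER, p, DNS_PORT) for p in CLIENT_PORTS]
# IPS enabled: only the source address changes, the port survives.
WAN_IPS_ENABLED = [build_udp_packet(WAN_ADDR, RESOLVER, p, DNS_PORT) for p in CLIENT_PORTS]
# IPS disabled: the behaviour the post describes, ports reassigned 0, 1, 2, ...
WAN_IPS_DISABLED = [build_udp_packet(WAN_ADDR, RESOLVER, p, DNS_PORT) for p in range(6)]

if __name__ == "__main__":
    for label, wan in (("IPS enabled", WAN_IPS_ENABLED), ("IPS disabled", WAN_IPS_DISABLED)):
        report = assess_port_behaviour(LAN_QUERIES, wan)
        print(label, report, findings(report) or ["ok"])
```

Run against a real pair of captures, the same three checks apply: a NAT that rewrites ports is acceptable only if the replacement ports are still unprivileged and unpredictable, since a low sequential port lets anyone who can spoof the resolver's address guess the destination port of a pending query.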

Similar Messages

  • RVS4000 Upstream throughput reduced when disabling IPS

    I have a RVS4000 with firmware version 1.3.0.5. Having read that throughput on the RVS4000 is reduced with IPS enabled, I tried disabling it with the following somewhat strange results: the download rates for a speed test done on speakeasy increased substantially as expected, but the upload rates decreased. A test done on whichvoip showed decreases in both upload and download rates.
    To try to have more consistent results, I ran the first speakeasy test, followed by the first VOIP test, then the second speakeasy test and the second VOIP test. Then I disabled the IPS and repeated the tests. Wondering if anyone else has noticed something like this before.
    Speakeasy speedtest http://www.speakeasy.net/speedtest/
    IPS Enabled
    22.09 Down / 6.45 Up
    21.23 / 6.58
    IPS Disabled
    50.35 / 4.50
    57.72 / 2.83
    VOIP speed test http://www.whichvoip.com/voip/speed_test/ppspeed.html
    IPS Enabled
    8.13 / .984
    7.78 / 1.24
    IPS Disabled
    3.85 / .794
    4.23 / .561

  • Disable an open dns

    I currently have a Netware 6.5 sp8 dns server and an OES11 DNS server. As I am migrating away from Netware (tough to do because it simply works!) I have moved all of my dhcp and dns over to the OES11 box with the Netware box as a backup. I need to shut down this open dns for obvious reasons. But when I turn recursion off, my workstations lose dns.
    I would like to set my network up to use the OES11 box as a primary dns and the Netware box to secondary. I have a few questions.
    Disable recursion
    what settings do I configure the SLES network card dns to? Do I point them to my isp DNS or does sles need to be pointed to itself?
    when I set recursion to "no" how do I allow my workstations, on multiple vlans use the server for DNS?
    Does there need to be a forwarder?
    Suggestions

    Originally Posted by dholland
    I currently have a Netware 6.5 sp8 dns server and an OES11 DNS server. As I am migrating away from Netware (tough to do because it simply works!) I have moved all of my dhcp and dns over to the OES11 box with the Netware box as a backup. I need to shut down this open dns for obvious reasons. But when I turn recursion off, my workstations lose dns.
    I would like to set my network up to use the OES11 box as a primary dns and the Netware box to secondary. I have a few questions.
    Disable recursion
    what settings do I configure the SLES network card dns to? Do I point them to my isp DNS or does sles need to be pointed to itself?
    when I set recursion to "no" how do I allow my workstations, on multiple vlans use the server for DNS?
    Does there need to be a forwarder?
    Suggestions
    Disabling recursion on OES is a matter of editing the /etc/named.conf. It isn't done on the network card. See the man page for the specifics.
    Where you point to is a matter of what you want to resolve. I ALWAYS point to my ISP, but if my server is handling specific zones, I also point to it.
    If you are disabling all recursion, then you disable forwarding. They will need to be able to query someone. I would add the my ISP's dns servers.
    You can allow recursion from some clients/subnets if you wish, you don't have to disable it for every one.

  • How can I disable the internet ( DNS server ) contact for an executable generated in LV?

    I write and sell stand alone LV generated executables to people for Optical design purposes. We recently upgraded to version 8.2 from LV6.1 and love many of the new features, but now my firewall notifies me when I fire up a stand alone. I do not want to field calls from customers about whether or not my program is a form of spyware.....
    How do I disable this DNS server connection attempt?
    I see an old thread for this, but no resolution.
    Thanks

    A DNS lookup does not mean much. Do you know if it generates any real traffic afterwards, e.g. contacting the server it just tried to resolve? What server? What port?
    Does the DNS query also happen if you run the code in the development system?
    LabVIEW Champion . Do more with less code and in less time .

  • Cisco VPN Client (4.8) killing DNS on dual core Macs?

    When I connect to my company's network using Cisco's VPN (4.8) I cannot connect to resources unless I use IP addresses, all domain names fail (i.e., http://www.yahoo.com fails but http://66.94.230.32 works). This applies to destinations both inside and outside the firewall so I don't believe it's an issue with my company's VPN system as others with Macs connect without problems. And I am getting the correct IPs entered into my /etc/resolv.conf upon a successful connection so I'm pretty sure that's not it.
    I have read of others experiencing DNS issues on a dual core Macs with the Cisco VPN, which makes me wonder if it isn't something specific to my machine? No idea. It's driving me insane.
    There is some discussion of it here:
    http://www.macwindows.com/tiger.html#060205

    ...
    trying the same (without the "Internet Config.app" / VPN PPTP) using VPN Tracker works fine. But I don't want to spend Euro 79.-...
    Roland

  • Clustering, Ips and DNS

    Hi
              According to BEA docs, access to clustered weblogic instances should be done through DNS. This is fine if you have single instances per ip address. I have 2 instances per box (4 processor) and so have the same ip address - just a different port. Can I use the port number in the DNS lookup? and if so how do I do it. I've tried 111.111.111.111:7001,111.111.111.111:8001 myserver.com as an entry and it doesn't work.
              Do I need a virtual IP address?
              Any ideas would be appreciated.

    Matt Simmerson <[email protected]> writes:
              You don't have to use DNS, you can just specify a cluster URL in your
              client. I don't think you can use DNS to distinguish ports.
              andy
              > Hi
              >
              > According to BEA docs, access to clustered weblogic instances should be done through DNS. This is fine if you have single instances per ip address. I have 2 instances per box (4 processor) and so have the same ip address - just a different port. Can I use the port number in the DNS lookup? and if so how do I do it. I've tried 111.111.111.111:7001,111.111.111.111:8001 myserver.com as an entry and it doesn't work.
              >
              > Do I need a virtual IP address?
              >
              > Any ideas would be appreciated.
              

  • VLAN on RVS4000 disables access to Remote Web Workplace, Outlook Web Access

    I have an RVS4000 setup with a VLAN to a wireless "guest" network, guest network is 192.168.1.x, internal network is 10.0.0.x both have Internet access, and cannot see each other, exactly what I wanted. The only problem is that either from the internal network or the guest network I can no longer access the Remote Web Workplace - https://mail.mydomain.com/remote or Outlook Web Access https://mail.mydomain.com/exchange fails with page not found. Internally I can access via \\server\remote and \\server\exchange but of course this does not work for the guest network. We have Small Business Server 2003. External access is fine. I'm assuming this is some kind of routing issue but not sure how to fix. Thanks.

    These forums are dedicated to Residential products and services offered by Verizon.
    For help on Verizon Wireless issues, please post your topic on the Verizon Wireless community.
    Thank you
    If a forum member gives an answer you like, give them the Kudos they deserve. If a member gives you the answer to your question, mark the answer that solved your issue as the accepted solution.

  • I can't download new iPhone update. I have turned off firewalls, disabled security, cleared DNS cache and still nothing. I get this message err = _3259.

    I get this as a pop up message also:
    There was a problem downloading the software for the iphone xxxx. The network connection timed out.
    Make sure your network settings are correct and your network connection is active, or try again later.
    I'm still on O.S. 4.3.2 as this was the last one I have been able to update to. Please help=)

    try taking Thunderbird offline File menu (Alt+F) > offline > workoffline
    Close Thunderbird
    reboot your computer
    Restart Thunderbird and try compacting while Thunderbird is still offline.

  • RVS4000 & IPS with a 100Mb/s connection

    Hello,
    I use a 100Mb connection with a RVS4000 Giga.
    Enabling IPS reduces the speed to 20Mb. Useless feature…!!!
    Anyway, if I disable IPS I reach the 100Mb for a while but somehow within the next 24 hours the router is doing something so that the speed is set back to 20Mb even though the IPS is disabled.
    If I click on "Save" on the IPS control panel, I get full speed again for 24 hours.
    Has anybody seen this behaviour?
    Is there a solution, workaround to that?
    firmware v 1.3.1.0
    Thanks

    Same here on both of my WRVS4400Nv2 routers!  Already running the latest firmware: V2.0.0.8-ETSI.
    I don't need IPS so have disabled it. However, exactly 24 hours after disabling IPS (or rebooting for that matter), the speed always drops to IPS-like values and will keep at that level!  How strange is that?
    It doesn't seem to affect all types of traffic, for instance HTTP is affected but FTP still keeps working at the maximum speed.
    I would very much like to have it fixed!
    To Cisco: it must be easy to reproduce for you, could you please try this on a RVS4000 or WRVS4400N?
    By the way, no need to toggle the IPS function: you only have to press the Save button once on the IPS page to get the full speed back, but only for the next 24 hours!

  • HELP! Disabling reverse DNS lookups on client

    Is there a property that can be set to disable the reverse DNS
    lookup for client requests? I read that if reverse lookups are
    not working then client requests can take an extra 15-30 seconds.
    In our environment reverse lookups are not something we can
    count on so we would like to disable them completely. Please let
    me know which property can be set it if any to accomplish this.
    Regards,
    Robert

    Don't we all ;)
    WL 5.1 sp3
    Sol 2.6
    J2 1.2.1_04
    Rich Nill wrote in message <[email protected]>...
    Paul,
    What version of Weblogic are you running? I want to make sure we don't suffer
    from the same problem.
    Thanks,
    Rich
    Paul Iter wrote:
    Would this patch have any impact on the problem I described in
    "performance
    degradation PROBLEM"?
    Thanks,
    Paul
    Mark Griffith wrote:
    There is another issue here though, when we print out server ID's we
    call
    java.net.InetAddress.toString() which ends up in a DNS call.
    Contact support they have a one-off patch.
    cheers
    mbg
    In article <[email protected]>, [email protected]
    says...
    Is there a property that can be set to disable the reverse DNS
    lookup for client requests? I read that if reverse lookups are
    not working then client requests can take an extra 15-30 seconds.
    In our environment reverse lookups are not something we can
    count on so we would like to disable them completely. Please let
    me know which property can be set it if any to accomplish this.
    Regards,
    Robert
    ==================================================
    NewsGroup Rant
    ==================================================
    Rant 1.
    The less info you provide about your problem means
    the less we can help you. Try to look at the
    problem from an external perspective and provide
    all the data necessary to put your problem in
    perspective.

  • WAN port speed on RVS4000

    I have an RVS4000 with the following:
    Firmware Version:
    V1.3.3.5
    CPU:
    STAR 9202
    I believe it's a v1 of the RVS4000 as I've tried to put the 2.x.x firmware and I couldn't.
    My ISP upgraded me to a 100Mb/20Mb down/up plan (Quantum 100 here: https://www.highlandsfibernetwork.com/internet). However, through my RVS4000, I get the following speeds:
    Download Speed 18498 kbps (2312.3 KB/sec transfer rate)
    Upload Speed 19098 kbps (2387.3 KB/sec transfer rate)
    Latency 7 ms
    Client Time December 4, 2011 11:06 AM
    Server Time December 4, 2011 11:06 AM PST
    When I connect directly to the switch rather than through my RVS4000 I get:
    Download Speed 45818 kbps (5727.3 KB/sec transfer rate)
    Upload Speed 6240 kbps (780 KB/sec transfer rate)
    Latency 5 ms
    Client Time December 4, 2011 10:59 AM
    Server Time December 4, 2011 10:58 AM PST
    Clearly there's something wrong here, where I'm getting less than half the download speed through the RVS4000 than I do without it. From the datasheet, it states that the RVS4000's WAN port is a 10/100/1000 port, so I don't see why I should have the limitation on speed.
    Can someone help resolve this?
    Robert.

    Hello Abudef,
    I disabled IPS and verified that QOS is disabled. Now with the speed test, I get a large improvement, basically bringing me up to the speed without the RVS4000 involved:
    Download Speed 41811 kbps (5226.4 KB/sec transfer rate)
    Upload Speed 20550 kbps (2568.8 KB/sec transfer rate)
    Latency 5 ms
    Client Time December 4, 2011 07:47 PM
    Server Time December 4, 2011 07:46 PM PST
    Thank you so much for your help!
    Robert.

  • RVS4000 router reliability

    Hello!
    I have recently acquired a Cisco RVS 4000 router which was intended to serve my private network, but since I installed it I noticed some issues, in the sense that after some time of use (which may also depend on higher traffic on the internet) it becomes unresponsive (no more traffic in the network possible).
    When this happens the only possibility to make it work again is to reset the power.
    Now after i wrote my issue I think I have to describe what has been done here.
    Before RVS4000 i had installed a WRT110 router as a gateway and wireless.
    Now I configured the RVS4000 as DHCP server and as my PPPoE gateway. The DHCP server on the WRT110 was disabled (I want to use it as an access point) and set to a static IP which is also included in the RVS4000 reservations with the MAC address.
    I did all these to make the RVS4000 handle the IPs inside the cable network and also the wireless network.
    I tried what I believed would help: disable IPS, set the router DHCP to allocate IPs only after both routers' IPs.
    I also tried to reflash the router with the same firmware, but still, after one night of continuous traffic it hangs....
    Please give me an advice what should I do next! Thank you in advance!

    Hi Cristian,
    If you purchased this unit 3 weeks ago from a Cisco Partner, please call the SBSC (Small Business Support Center) for warranty support.
    http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
    Regards,
    Cindy Toy
    Cisco Small Business Community Manager
    for Cisco Small Business Products
    www.cisco.com/go/smallbizsupport
    twitter: CiscoSBsupport

  • IPS V7 Global Correlation

    Dear all,
    IPS Correlation update will be done through the Management interface right? So I should confirm the ability of the IPS Management IP address to be able to access internet right?
    I did so, but still not able to have global correlation update, what I am having each time I enable global correlation is a boost of traffic generated from the IPS and directed to the outside that is consuming the total internet link bandwidth.
    What could be the reason behind this boost, and how may I troubleshoot the reason why the correlation is not being updated.
    Regards,

    Hi,
    I had the exact same problem that I solved to day.
    Full connectivity but still the error:
    # sh statistics global-correlation
    Network Participation:
       Counters:
          Total Connection Attempts = 0
          Total Connection Failures = 0
          Connection Failures Since Last Success = 0
       Connection History:
    Updates:
       Status Of Last Update Attempt = Failed
       Time Since Last Successful Update = 3826 minutes
       Counters:
          Update Failures Since Last Success = 764
          Total Update Attempts = 22747
          Total Update Failures = 806
       Update Interval In Seconds = 300
       Update Server = update-manifests.ironport.com
       Update Server Address = 204.15.82.17
       Current Versions:
          config = 1236210407
          drop = 1312830724
          ip = 1312830846
          rule = 1312744926
    # sh events error error warning past 12:00
    evError: eventId=1304592381890230981 severity=error vendor=Cisco
      originator:
        hostId: xxxxxxxx
        appName: collaborationApp
        appInstanceId: 458
      time: 2011/08/11 00:38:28 2011/08/11 02:38:28 GMT+01:00
      errorMessage: name=errUnclassified A global correlation update failed: Failed download of ibrs/1.1/drop/default/1313021562 :
      URI does not contain a valid ip address
    Messages, like this one, in the category - Reputation update failure - were logged 49 times in the last 14699 seconds.
    I found a tip when searching that worked for me :
    Issue the "dns-secondary-server disable" command to flush DNS, then wait for GC to update again.
    Thanks to: http://doublef.org/archives/cisco-ips-global-correlation-update-failures 
    HTH
    Edit: I see a difference in our output, you don't have the ip address in update server field:
    Update Server Address = Unknown
    Might not be the same problem.

  • RVS4000 restricting high speed cable internet.

    I have an RVS 4000 with a Charter Internet connection that is 5 MB up and 60 MB down. The RVS4000 seems to be restricting my speed on the up to 3.6 and down to around 21 MB.
    With a workstation directly connected my speeds are 4.5 and 46 MB respectively, but when I plug the router in I lose speed.
    I have the firewall turned off.
    Any ideas.

    Hi David,
    Thank you for posting. Try going to IPS -> Configuration and disable IPS Function. This should help with your internet speed.

  • RVS4000 V2 locks up every 1 - 2 days

    Hello everybody! My brand new RVS4000 V2 replaced old USR8003 router in the same home network. The USR8003 did not require any user intervention for years. Running RVS4000 in the same network and with the same LAN IP address (192.168.123.254) requires power cycling every day or two. The router is connected to Motorola SB6120 cable modem. The local network includes a few PCs (WinXP SP3), two LinkSys APs, Roku, DirecTV receiver and a few WiFi devices. The router runs in Gateway mode with DHCP server enabled. Most of the devices have static IP addresses within DHCP address range. When the router locks up, it looks like a normal situation because the LEDs are lit the same way as usual, indicating port activity. When it is locked, the RESET button has no effect as well as web and telnet interfaces. The only option is to power cycle the router, which restores the working condition until another lock up. The following actions have been taken:
    upgraded firmware to V2.0.3.2
    Restored factory defaults
    Disabled IPS, QoS, most of Firewall optional functions
    Moved static IP addresses in the DHCP address range
    It does not look like a hardware issue, but rather a software bug. Right now I am running the Syslog server to correlate lock ups with the modem reboots (Yes, it happens from time to time, but did not affect the USR8003). I cannot find any information in Cisco documentation about static IP addresses on the LAN and whether they have to be outside the DHCP address range. Any help is appreciated.

    Hi Tom,
    Thank you for your comments. I will move static clients out of the DHCP range and see what happens. So far, that was the biggest change I made since the last lock up. The RVS4000 ran for 2 days, 20:54:41 hours already. During this time there were three modem reboots, therefore, I do not think lock ups are related to the modem. When you said "upstream", did you mean WAN or something else? The thing is that LinkSys WAPs have two MAC addresses associated with the same IP address. Does this count as an IP conflict within the LAN? The WAPs have static IP addresses.
    Thank you,
    Boris.
