WRV200+IPSec Tunnel=Web Gui Stops Working

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by Walrus78, Sep 19, 2007.

  1. Walrus78

    Walrus78 LI Guru Member

    I can replicate this on 1.0.32, 1.0.33, and 1.0.34. I haven't tried going to an older version yet. Basically, even after multiple factory resets, if I have an IPSec Tunnel connected on my WRV200, the web gui is completely unresponsive. It works nearly flawlessly until I have that tunnel connected. If I reboot the router and don't have the internet connection plugged in and therefore don't establish the tunnel, it works fine in terms of the gui. I can actually pinpoint the time the gui fails to function to the exact time the tunnel is established b/c as soon as pings respond from clients on the other side, the gui dies.

    Anyone else seen anything like this? I'll go back to 1.0.28 soon and see if the problem happens again, and I'll certainly test this on another WRV200, but it kind of stinks that the gui just stops working completely.
  2. Sfor

    Sfor Network Guru Member

    I'm using two WRV200 (1.0.34 and 1.0.33). They always have the IPSec tunnel enabled and working. The GUI seems to be a pretty solid one (when compared to the older firmware revisions).

    Have you tried accessing the router from another computer, if the GUI fails? There were some reports about strange behavior of the router switch.

    Did you do a hardware factory defaults reset, after each firmware change?

    What sort of connection (cable or wireless) is the computer you are accessing the router from connected by?
  3. Walrus78

    Walrus78 LI Guru Member

    Ok, I think I've figured out what is happening, and I've got a workaround, but this is most certainly a change in how the firmware handles IPSec VPN tunnels.

    My local secure group is a subnet -

    Remote secure group is a subnet -

    So basically, I want to tunnel anything in the 192.168.x.x range through that tunnel, which works fine no matter what. The problem is that starting somewhere around 1.0.32 of the firmware, it made the web gui inaccessible once the tunnel has been established. It is like it thinks the address of the router is on the other side of the tunnel - FOR THE WEB GUI ONLY. I can still ping my router no matter what.

    If I turn remote access on, and put in the public ip address and port, I can log in no problem. If I change the remote secure group to a instead, the problem goes away.

    I'd consider this to be a pretty big bug, as that can't be that uncommon of a setup. Has anyone else seen this or been able to reproduce this? If we upgrade the firmware on the number of WRV200s that we have, they will be inaccessible locally if we don't know the public ip address.
  4. Sfor

    Sfor Network Guru Member

    The rule is not to use the same IP ranges in the local and the remote networks.

    So, the problem is not related to the firmware, and it is not a bug.

    The only thing that could be considered a bug is the fact that the router lets you enter this kind of settings.
  5. Walrus78

    Walrus78 LI Guru Member

    I disagree. I understand what you are saying, but it's not exactly like I'm trying to do something crazy here. When you've got a hub and spoke topology these kinds of settings actually make sense. Let's say that you've got a subnet in the hub office, say 192.168.5.x/24. You want all the remote offices to talk to each other through that hub office. All the remote offices have a subnet of 192.168.x.x/24. In order to have all of the offices (the spokes) automatically talk to each other through the hub, you have to do this. I'd like to see a subnet setup done differently in a hub and spoke setup.

    It isn't like I'm new to the WRV200 - I've got 40+ of them deployed in a business production environment with these settings, and before 1.0.32, this was not an issue. My point is that something changed in the firmware that is making this change. It isn't a routing issue b/c I can obviously still ping the gateway address. The rest of the endpoints are Cisco Pix 501s, or ASA 5505s and they all have the exact same kind of configuration with no issues.

    So I challenge that by saying it actually is a problem with the firmware, as I'm not trying to make the remote side of the tunnel the same as the local side, AND in general when going through routing tables TCP/IP is supposed to go in order from the most specific to the least specific, allowing this to work. Yes, technically 192.168.250.x/24 would be a subnet that falls under the scope of, but it shouldn't create a problem since technically the router should know this more specific network is on the local side of the router.

    Something changed in the firmware, it worked in prior revisions all the way back to 1.0.9.
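The longest-prefix-match argument in the post above, worked through as an added example (not code from the thread or from Linksys, and not a model of the WRV200 firmware). The subnet values are constructed, since the thread's own selector values did not survive extraction: a hub LAN of 192.168.250.0/24 sitting inside a broad IPSec remote selector of 192.168.0.0/16. `longest_prefix_match` shows the behaviour the poster expects, where the connected /24 beats the /16 selector for the router's own LAN address; `selector_first_match` is a contrast model showing how a lookup that consults the IPSec selector before the connected route sends a local destination into the tunnel even though it is reachable. `selectors_overlap` is the config-time check Sfor's reply says the router could have made.

```python
import ipaddress

# Constructed values (assumptions, not the thread's own numbers, which did not
# survive extraction): the hub LAN behind the router and a broad IPSec remote
# selector meant to cover every spoke subnet.
LOCAL_LAN = ipaddress.ip_network("192.168.250.0/24")
REMOTE_SELECTOR = ipaddress.ip_network("192.168.0.0/16")
ROUTER_LAN_IP = "192.168.250.1"

# A minimal forwarding table: (prefix, next-hop label). The order is deliberately
# not most-specific-first so the lookup has to do the work itself.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "wan"),
    (REMOTE_SELECTOR, "ipsec"),
    (LOCAL_LAN, "lan"),
]


def longest_prefix_match(dst, routes=ROUTES):
    """Classic routing lookup: among all prefixes containing dst, the longest wins."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for net, hop in routes:
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def selector_first_match(dst, routes=ROUTES):
    """Contrast model (hypothetical, not a description of the WRV200 code):
    consult the IPSec selector before the connected LAN route. Precedence,
    not reachability, then decides whether a local address goes into the tunnel."""
    addr = ipaddress.ip_address(dst)
    if addr in REMOTE_SELECTOR:
        return "ipsec"
    return longest_prefix_match(dst, [r for r in routes if r[1] != "ipsec"])


def selectors_overlap(local, remote):
    """True when the local and remote secure groups share any address:
    the config-time validation Sfor's reply says the router could perform."""
    return ipaddress.ip_network(local).overlaps(ipaddress.ip_network(remote))


def lan_inside_remote_selector(lan, remote):
    """True when the remote selector wholly contains the local LAN
    (the hub-and-spoke case the thread describes)."""
    return ipaddress.ip_network(lan).subnet_of(ipaddress.ip_network(remote))


if __name__ == "__main__":
    for dst in (ROUTER_LAN_IP, "192.168.5.7", "8.8.8.8"):
        print(dst, "lpm ->", longest_prefix_match(dst),
              "| selector-first ->", selector_first_match(dst))
    print("local/remote overlap:", selectors_overlap(str(LOCAL_LAN), str(REMOTE_SELECTOR)))
```

With longest-prefix match the router's own LAN address resolves to the connected interface even though it is inside the /16 selector, while a spoke address such as 192.168.5.7 correctly goes to the tunnel; the selector-first model is the only one of the two that classifies the router's LAN address as remote.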
  6. Walrus78

    Walrus78 LI Guru Member

    I found a workaround for it. By turning on remote administration and accessing the external ip and port, I can still manage the GUI which is very stable. I know Sfor disagrees with me, which is his right, but does anyone else have any other thoughts on this? Should I try opening a case with Linksys?
  7. Sfor

    Sfor Network Guru Member

    Recently, I've noticed the IPSec passthrough setting has something to do with the WEB GUI access through an IPSec VPN tunnel.

    Perhaps, it can change something in your case, as well.