-
Why does the 2FA auth page not automatically appear when using OpenVPN Connect?
Question: Why does the 2FA auth page not automatically appear when using OpenVPN Connect? Answer: The automatic display of the 2FA authentication page after a VPN connection is a feature specifically integrated into the Zyxel VPN Client (SecuExtender). Third-party VPN clients, such as OpenVPN Connect, do not have this built-in…
-
What does the log "Delete duplicated CHILD_SA: for the VPN connection" mean?
Question: What does the log "Delete duplicated CHILD_SA: for the VPN connection" mean? Answer: The log entry “Delete duplicated CHILD_SA” does not indicate an error or malfunction of the VPN connection. It is more of an IPSec VPN operation log. When the firewall detects that multiple CHILD_SAs are created for the same…
-
How to adjust MSS value for VPN tunnel on Zyxel USG FLEX H series devices?
Question: How to adjust MSS value for VPN tunnel on Zyxel USG FLEX H series devices? Answer: For Policy-based VPN tunnels, direct adjustment of the MSS parameter is not supported. For Route-based VPN tunnels (utilizing VTI interfaces), you can adjust the MTU value through the Web GUI instead of MSS. (Navigate to Network >…
-
Why does the MFA page not pop up when using Windows built-in VPN?
Question: Why does the MFA page not pop up when using Windows built-in VPN? Answer: The Windows native client won't automatically pop up the 2FA auth page; you have to manually access the 2FA page using the interface IP and port you configured. Windows native VPN does not support this feature. Our VPN client (Zyxel IPSec VPN…
-
How to check debug log for VPN?
Question: How to check debug log for VPN? Answer: Enter the following CLI commands to enable debug-level logging for VPN. usgflex200h> cmd diagnostics ike enabled true ike-diagnostics-set-active data result ok .. .. usgflex200h> cmd debug ipsec trace log Jun 22 15:33:29 05[CFG] loaded 0 entries for attr plugin configuration Jun 22 15:33:29…
-
Does Auto-Link VPN support failover?
Question: Does Auto-Link VPN support failover? Answer: No. Auto-Link VPN does not support failover. VPN failover is supported by Nebula SD-VPN.
-
How to Create an SSL VPN with OpenVPN on Nebula?
Question: How to Create an SSL VPN with OpenVPN on Zyxel Nebula? Answer: To configure an SSL VPN with OpenVPN on Nebula, follow these steps: On Nebula, navigate to Site-wide > Configure > Firewall > Remote access VPN. Enable SSL VPN Server and configure Type, Interface and Sign-on with method. After the configuration file is…
-
How to Resolve SSL VPN Connection Issues on USG FLEX H firewall?
Question: How to resolve SSL VPN connection issues on USG FLEX H firewall? Answer: If you are facing SSL VPN connection issues, such as constant disconnects and reconnects, follow these steps to resolve the problem: Check Two-Factor Authentication (2FA): If 2FA is enabled under “User & Authentication > User Authentication >…
-
Why is the VPN tunnel connected, but only TCP traffic can be transmitted?
Question: Why is the VPN tunnel connected, but only TCP traffic can be transmitted? Answer: Please check whether the protocol in Phase 2 is set to "Any." If a specific protocol, such as TCP, is selected, then other protocols will not pass through the tunnel.
-
How to Set MSS Clamping for VPN on USG FLEX H Series?
Question: How to Set MSS Clamping for VPN Interface on USG FLEX H Series? Answer: The MSS (Maximum Segment Size) clamping setting for VPN interface is not directly configurable via the GUI on the USG FLEX H series. However, this can be performed using CLI commands. Steps to set MSS Clamping via CLI: Access the device's…
-
What is the capacity for SSL VPN Access Profiles?
Question: What is the maximum number of SSL VPN client profiles and profile user lists? Answer:
-
How to Configure SSL VPN Access Profile
With multiple SSL VPN client profiles, you can create one or more profiles, each applying its own settings such as IP pool, DNS and tunnel type to specific users. This example illustrates how to create multiple SSL VPN client profiles for different groups. Note: This feature is supported from firmware version uOS 1.38. Add…
-
Why can't I connect to IPSec VPN with SecuExtender?
Question: Why can't I connect to IPSec VPN with SecuExtender? Answer: If you are facing issues while establishing an IPSec VPN connection via SecuExtender, it could be related to the authentication settings in your VPN configuration. Here's how to resolve it: Log in to USG FLEX H's web interface. Navigate to the VPN >…
-
How to Troubleshoot SSL VPN on USG FLEX H firewall?
Question: Why does the SSL VPN fail to connect? How to troubleshoot SSL VPN on USG FLEX H firewall? Answer: If you're encountering issues with SSL VPN configuration on your USG FLEX H firewall, follow these troubleshooting steps: Steps to Resolve SSL VPN Connection Issues: Ensure you have created a username under SSL VPN >…
-
Why can't I enable 2FA for SSL VPN on USG FLEX H using Google Authenticator?
Question: SSL VPN is working when selecting Nebula Cloud Authentication. Why can't I enable 2FA for SSL VPN on USG FLEX H using Google Authenticator? Answer: 2FA is not supported when "Cloud Authentication" is selected as the Sign-on method for SSL VPN. If you select "Local users" for Sign-on, you can configure Google…
-
Why was the SSL VPN client not receiving DNS IP on USG FLEX H device?
Question: Why was the SSL VPN client not receiving DNS IP on USG FLEX H device? Answer: The issue occurred when the DNS was set to “ZyWALL” or certain other combinations in the global DNS setup for SSL VPN. This configuration caused the SSL VPN client (e.g., OpenVPN or SecuExtender) to miss custom DNS settings. This…
-
Remote access VPN is set up. I can connect, but I cannot ping devices on the LAN. How can I fix this?
Question: Remote access VPN is set up. I can connect, but I cannot ping devices on the LAN. How can I fix this? Answer: After the VPN tunnel is established, users should be able to access all required intranet resources. Please check whether the Security Policy is configured correctly. Also check whether the…
-
How can I check whether the SSL VPN server is running via CLI?
Question: On H Series, how can I check whether the SSL VPN server is running? Answer: Use this CLI command: > show state vrf main sslvpn-server If the output shows the SSL VPN server as "enabled true", the SSL VPN server is up.
-
Does Zyxel firewall support WireGuard VPN?
Question: Does Zyxel firewall support WireGuard VPN? Answer: No. The Zyxel firewall does not natively support WireGuard VPN. However, it supports Tailscale VPN as an alternative for secure remote connectivity.
-
How do I configure the Tunnel Traffic Check settings on the SecuExtender VPN client?
Question: How do I configure the Tunnel Traffic Check settings on the SecuExtender VPN client? Answer: The user can navigate to Remote Access VPN > Advanced > Tunnel Traffic Check to configure the destination IP address and the check interval. For example, the user can configure the LAN gateway destination IP 10.1.90.254…