Packets losses & high ping using SSL VPN

Options
ICLUB
ICLUB Posts: 8
First Anniversary Friend Collector First Comment
edited April 2021 in Security
Hello,

(I apologize for my English, it's not my native language)

I'm a independant IT selling Zyxel products for years.

Since a few months, one of my customers was complaining about a very degraded experience using RDP trough Secuextender SSL VPN.
After investigating, I've noticed the ping (to the RDP server) was anormaly high (something about 60ms, while my customer and I are using an optical fiber), and when I start to use the RDP about 15% (!) of packets are lost.
I looked around the internet for solutions, nothing. I've contacted the Zyxel support, it was getting nowhere, with strange demands.
As the time passes, the customer is more and more impacted. I've setted up an OpenVPN so he can work (on a Synology NAS, it's a shame), ~1ms ping, no packet loss.

Before you ask, the customer have an USG 40, firware is up to date, I've resetted it and even put a brand new one, same problem. There was absolutely no change of the configuration (no ISP change, no new PC, no new SSL user, etc..)

I was about to forgot this incident when and second customer called me, then a third, then a fourth... with the exact same problem. I havent checked all USG of my customers, of course some of them might be with an "old" firmware, but as I said, there wasn't any change on the LAN. Everything was working fine and now as the time passes, more and more of my customers are impacted.

I'm really desperated and I hope I'm not the only one in this situation.
«1

All Replies

  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    Friend Collector First Answer First Comment
    Options
    Hi @ICLUB,

    I've tested this in our labs. RDP connection works fine.
    Ping to RDP server is around 8-10ms.

    Can you please share some information with me;

    1- What's the topology for this RDP through SSL VPN connection?
    In lab I tested like the following topology;
    PC - Wi-fi - SSL VPN to RDP's gateway - LAN1 - RDP Server

    2- How do you check the packet loss?

    3- Do you mean with USG40's SSL VPN ping's time is around 60ms, but with OpenVPN is around 1ms?


    1ms, sounds really hard to believe that's a SSL VPN performance.

    Best regards.
  • ICLUB
    ICLUB Posts: 8
    First Anniversary Friend Collector First Comment
    Options
    Hello,

    Thanks for your reply.

    1- My topology is the same as yours
    PC with SecuExtender client > Wifi or ethernet > Distant modem > Local modem > Zywall > LAN with RDP server

    2- I'm running a ping -t on the RDP server from my connected SecuExtender client

    3- Yes exactly. If I ping the RDP server trough SecuExtender there are ~15% of packet losses and an anormaly high ping, but if I connect with an OpenVPN client, my ping to the RDP server is around 1ms and more than negligible packet losses (1 over 500 on average)
  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    Friend Collector First Answer First Comment
    Options

    Hi @ICLUB,

     

    I created a VPN connection with OpenVPN. But I didn’t see the same symptom here.

     

    Can you please share some information with us;

     

    1- What VPN profile you use for OpenVPN?

    2- Where did you download your OpenVPN profiles?

    3- How do you access RDP Server after you connecting with OpenVPN?

     

    Best regards.


  • ICLUB
    ICLUB Posts: 8
    First Anniversary Friend Collector First Comment
    Options
    Hello,

    Sorry for the delay, I am quite overwhelmed

    I downloaded the OpenVPN profile from the Synology NAS, and then I connect with the same RDP shorcut
  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    Friend Collector First Answer First Comment
    edited March 2021
    Options

    Hi @ICLUB,

     

    Supposedly 15% packet lose is not reasonable.

     

    Can you please try following options for this case;

     

    1-    Change MTU value and adjust it to optimal value.

     

    (Configuration > Network > Interface > Ethernet > wan1 > Interface Parameters > Advance > MTU)



    2-    Try L2TP VPN connection for this environment and observe if there's packet lose or any connectivity issue.

    3-  Can you try to disable BWM if it's enabled and check the performance?


    Best regards.

  • ICLUB
    ICLUB Posts: 8
    First Anniversary Friend Collector First Comment
    Options
    Sorry for the "delay". As I have other customers to take care I took me a lot of time to test multiple MTU. I doesn't changed a thing.

    Is it possible that my customers where under the attack you recently patched ?

    Best regards
  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    Friend Collector First Answer First Comment
    Options
    Hi @ICLUB,

    Thank you for your feedback.

    Can you please help to try L2TP VPN for RDP connection and see if the symptom still exists?

    Regarding to your second question, yes it is a kind of possibility if someone attacked your device. You can refer to the following link in order to mitigate the possible risk:
    https://community.zyxel.com/en/discussion/10912/how-to-mitigate-the-threat-of-the-security-incident#latest


  • Lukas1234
    Options
    Hi,

    did anyone has a solution. I have the same problems. 3 Customers have the ATP100 and same problems.

    Ping to the VPN Firewall 30ms on a coax cable modem. SSL VPN Rdp packet loss. 

    This Problem exists only with the Secure Extender. 

    Regards
  • ICLUB
    ICLUB Posts: 8
    First Anniversary Friend Collector First Comment
    Options

    Unfortunately, I still have no solution.

    We are ditching Zyxel products for customers in need for a remote access and we are now using OpenVPN or Wireguard..

    We've been using zyxel for years but we're done. I can't even remember how many USG bricked themselves, reset themselves in the past years. Now this, nope we're out.
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,462  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    edited November 2021
    Options
    hi @Lukas1234

    We would like to conduct a lab test based on your configuration file.
    Can you send me device startup configuration file in PM?

Security Highlight