USG40 firmware update breaks VPN

Putting this out here to try and help those that may run into this issue. I support 15 Zyxel firewalls, and after the firmware update this weekend to 4.63, I had the 2 USG40s drop traffic to their VPN tunnels. Internet was still functional, and VPNs were all showing online, but no traffic, no ping. VPNs had been online and fine for months prior to the update. Tried rebuilding the tunnels from scratch, sent a note to Zyxel for help, but couldn't wait anymore. Ended up flashing the firmware back to 4.62, but that didn't correct the original issue.

Turns out there was an added entry under Network - Routing - Policy Route that was not there prior (or at least not active), causing it to ignore all traffic over the VPNs and send it out the default route. By inactivating and applying that rule, everything was working again. I cannot be sure this fixes the problem under 4.63, as I had already moved them to 4.62, but I would certainly try that first.

All Replies

  • SimplyRem (Posts: 4)
    @twscannon, this seems like a compromise on Zyxel routers, please remove unknown user accounts and SSL VPN settings and change all passwords. This has happened to a couple of our customers' routers. Zyxel needs to patch this ASAP!
  • Zyxel_Stanley (Posts: 1,361, Zyxel Employee)
    edited June 2021

    We’re aware of the situation and have been working our best to investigate and resolve it.

    In the interim, here's a list of the ways currently known to be the most effective at mitigating the impact:


    Scenario #1

    If you allow traffic from Internet to your device with WebGUI and SSL VPN tunnel, you can follow these steps to protect your device.

    1.    Add IP address object(s) to trusted addresses or trusted countries.

    (Configuration > Object > Address/GeoIP)


    2.    Allow trusted IP addresses and deny other traffic from the Internet

    (Configuration > Security Policy > Policy Control)

    #1. You can allow trusted IP addresses and WebGUI/SSL service ports from WAN side for access.

    #2. Deny other IP addresses that you do not trust to access your WebGUI.


    3.    Change HTTPS connection port from the default 443 to another port (without conflicting with other services) and make sure that this port is added in policy control rule #1.

    (Configuration > System > WWW)

    Change the HTTPS connection port, e.g. 17443


    After changing HTTPS Service port, you must reconnect to your device using the new port. If you would like to use SSL VPN tunnel to access your device, make sure that the public IP address of your PC is added in your Trusted IP List. While connecting to your device, make sure to enter the correct port in SecuExtender.



    Scenario #2

    If there is no WebGUI/SSL VPN tunnel required, you can move the default rule (WAN_to_Device) as the first rule and keep the last rule as “deny”.

    (Allowed services are for IPSec VPN/VRRP/GRE)

    Make sure there is no HTTP/HTTPS WebGUI service port in service group.


    We also suggest changing the admin password.

    In addition, you can refer to our latest document “Best Practice to Secure a Distributed Network Infrastructure” to design and secure your network.
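
    The Scenario #1 rule set above, modelled as an added example (not Zyxel's configuration syntax or any tooling from the post): trusted address objects allowed to the WebGUI/SSL VPN port, everything else from the WAN denied, plus the check that the new HTTPS port is actually in the allow rule before you move it. Rule names, the trusted range and the source addresses are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    """One policy-control rule (a model for illustration, not Zyxel's format)."""
    name: str
    action: str                                   # "allow" or "deny"
    sources: list = field(default_factory=list)   # trusted networks; [] = any
    ports: set = field(default_factory=set)       # destination ports; empty = any

    def matches(self, src: str, port: int) -> bool:
        in_src = not self.sources or any(
            ip_address(src) in ip_network(n) for n in self.sources)
        return in_src and (not self.ports or port in self.ports)


def first_match(rules: list, src: str, port: int) -> str:
    """Evaluate WAN-to-Device traffic top-down; no match falls to deny."""
    for rule in rules:
        if rule.matches(src, port):
            return rule.action
    return "deny"


def allow_rule_covers(rules: list, port: int) -> bool:
    """True if some allow rule admits the port. Run this before changing the
    HTTPS port (step 3), otherwise rule #2 locks you out of the WebGUI."""
    return any(r.action == "allow" and port in r.ports for r in rules)


# Constructed values: one trusted office range and the HTTPS port moved off 443
TRUSTED = ["203.0.113.0/24"]
HTTPS_PORT = 17443
RULES = [
    Rule("1_allow_trusted_webgui", "allow", TRUSTED, {HTTPS_PORT}),  # rule #1
    Rule("2_deny_other_wan", "deny"),                                # rule #2
]

if __name__ == "__main__":
    assert allow_rule_covers(RULES, HTTPS_PORT)
    print(first_match(RULES, "203.0.113.10", HTTPS_PORT))  # allow
    print(first_match(RULES, "198.51.100.7", HTTPS_PORT))  # deny
    print(first_match(RULES, "203.0.113.10", 443))         # deny
```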

  • zigandzag (Posts: 6)
    edited July 2021
    @tswcannon, @SimplyRem

    Thank you both for the info. Not being sure what I was looking at, I called t/s and a Zyxel tech quickly remoted in and removed the SSL route and removed ts and manage user accounts. What I don't get though is both of my customer networks have been in operation over a year and no firmware updates have been done for at least 6 months. But, since this past weekend the tunnels quit passing data. The one is a myriad of routes and would be very difficult to know if something new was added.


  • Zyxel_Stanley (Posts: 1,361, Zyxel Employee)
    edited July 2021

    Hi @zigandzag

    You can check first whether an untrusted user exists on your USG.

    If yes, please remove the user account and related rules on your device.

    And we recommend changing the password on all admin-type users immediately.

    Here is the default user list on the USG.

    We also recommend upgrading your device to 4.65 first.

    And follow the FAQ to check your configuration to mitigate attacks from the Internet.


    For SSL VPN tunnel traffic, you can make sure the policy route is configured correctly.

    Or you can send your configuration to me by private message, I can help to check if it is correct.


