Unable to Remote Access Zyxel USG20 VPN Firewall from External IP
Hi, I have a Zyxel USG20 VPN Firewall with a static WAN IP, which I use from time to time to manage remotely from the internet. I also have several NAT & SSL VPN configured. Recently my NAT & SSL VPN weren't working. When I checked, remote access to the firewall (https://wan-ip) also didn't work.
Note: Remote Management (Configuration --> System --> WWW --> HTTPS) is enabled on port 443. I have the latest firmware version V5.10(ABAQ.0) installed.
I'm not sure what could be wrong. Please provide your valuable solutions.
0
Accepted Solution
-
@RAV_ZYXEL:
Do you have access to the ZyWALL USG20 right now? I understand that the VPN/SSL remote access is not working, but if the physical location is not too far from you, you could check the ZyWALL on-site. If that's not possible, you should ask someone on location to assist you.
My hints to narrow down the issue, before you roll out the in-depth troubleshooting process, are:
1. Try to remember when was the last time you successfully accessed the gateway using VPN/SSL.
2. Have you tried to access the ZyWALL with different devices, or only one?
Just in case, to exclude that something has been changed on the local device you use to remotely access the ZyWALL.
3. Check the date of the ZyWALL start-up configuration. If it is newer than the date you remember at point 1 above, install a backup of the ZyWALL configuration, IF you have one.
4. Do you store the ZyWALL logs remotely on a syslog server? If yes, check the logs after the date specified at point 1 above.
5. Initiate a VPN/SSL test session. Sniff the traffic on the USG20's Internet interface. You could record the trace results in a pcap file for further analysis. Check the ZyWALL logs.
6. You could also ask the ISP for support. For example, if they eventually changed something on the infrastructure after the date at point 1 above.
Regards,
A.
1
All Replies
-
Please provide more info about the way your USG20-VPN connects to the internet. Maybe a CPE is "in front" of it and without a port-mapping rule you cannot really access it...
1
-
The USG is connected to the internet directly through the WAN port & there is no CPE in front of it. This was working fine and just stopped working all of a sudden.
0
-
mMontana said:
Please provide more info about the way your USG20-VPN connects to the internet. Maybe a CPE is "in front" of it and without a port-mapping rule you cannot really access it...
0 -
Sorry to read that. Anyway... After this "bad thing" some settings became a bit more restrictive when accessing the device from WAN. IDK if you're using any of the tools (GeoIP, Static IP, firewall rules, whatever) but... IMVHO you might take a slow debug session using the appropriate tool.
You can also add some rules on top of yours to generate log alerts and find when the packet hits the detour (back and forth), moving the "alert rule" from the top to the bottom of the security policies.
0 -
The symptoms (all access from WAN didn't work) look like you have a WAN->ZyWALL deny (drop) rule at a higher priority. I think you can check the rules first.
0 -
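The shadowing that WJS describes (a WAN-to-ZyWALL deny sitting above the allow rules for HTTPS management and IKE) can be reproduced offline against a copy of the policy table. The script below is an added example, not code from the thread or from Zyxel: it models a security policy table as a first-match, top-down list (an assumption about the evaluation order), uses constructed zone names, addresses and rules, and reports which earlier rule is swallowing traffic that a later allow would have matched. It also shows mMontana's "move the rule down" approach as a reordering of the same table.

```python
"""First-match audit of a simplified Zyxel-style security policy table.

Added example (not from the thread or Zyxel). Assumptions: policies are
evaluated top to bottom, the first matching rule wins, and traffic that
matches nothing hits the default action. The zone names ("WAN", "LAN1",
"ZyWALL" for traffic terminating on the appliance), the addresses and the
rule table are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str       # "WAN", "LAN1", ... or ANY
    to_zone: str         # "ZyWALL" = traffic addressed to the appliance itself
    src: str             # CIDR or ANY
    service: tuple       # (proto, dport) or (ANY, ANY)
    action: str          # "allow" | "deny" | "reject"


@dataclass(frozen=True)
class Packet:
    from_zone: str
    to_zone: str
    src_ip: str
    proto: str
    dport: int


def matches(p: Policy, pkt: Packet) -> bool:
    """True when every field of the policy either is ANY or equals the packet's."""
    if p.from_zone != ANY and p.from_zone != pkt.from_zone:
        return False
    if p.to_zone != ANY and p.to_zone != pkt.to_zone:
        return False
    if p.src != ANY and ip_address(pkt.src_ip) not in ip_network(p.src):
        return False
    proto, port = p.service
    if proto != ANY and proto != pkt.proto:
        return False
    if port != ANY and port != pkt.dport:
        return False
    return True


def first_match(policies, pkt, default="deny"):
    """(index, rule name, action) of the first rule that matches, else the default."""
    for i, p in enumerate(policies):
        if matches(p, pkt):
            return i, p.name, p.action
    return None, "default", default


def shadowed_by(policies, pkt):
    """Name of the earlier non-allow rule that hides a later allow for pkt, or None."""
    idx, name, action = first_match(policies, pkt)
    if idx is None or action == "allow":
        return None
    for p in policies[idx + 1:]:
        if p.action == "allow" and matches(p, pkt):
            return name
    return None


# Constructed table: a catch-all deny was pushed above the management rules,
# so HTTPS management and IKE from the WAN are dropped before the allows.
POLICIES = [
    Policy("Block_WAN_to_Device", "WAN", "ZyWALL", ANY, (ANY, ANY), "deny"),
    Policy("WAN_to_Device_HTTPS", "WAN", "ZyWALL", ANY, ("tcp", 443), "allow"),
    Policy("WAN_to_Device_IKE", "WAN", "ZyWALL", ANY, ("udp", 500), "allow"),
    Policy("WAN_to_Device_NATT", "WAN", "ZyWALL", ANY, ("udp", 4500), "allow"),
    Policy("LAN_to_WAN", "LAN1", "WAN", ANY, (ANY, ANY), "allow"),
]

# Constructed probe packets (documentation addresses).
HTTPS_MGMT = Packet("WAN", "ZyWALL", "203.0.113.10", "tcp", 443)
IKE = Packet("WAN", "ZyWALL", "203.0.113.10", "udp", 500)
LAN_OUT = Packet("LAN1", "WAN", "192.168.1.20", "tcp", 443)


def audit(policies, packets):
    """One row per probe: proto, port, matched rule, action, shadowing rule."""
    rows = []
    for pkt in packets:
        _, name, action = first_match(policies, pkt)
        rows.append((pkt.proto, pkt.dport, name, action, shadowed_by(policies, pkt)))
    return rows


if __name__ == "__main__":
    for row in audit(POLICIES, [HTTPS_MGMT, IKE, LAN_OUT]):
        print(row)
    # Remedy: move the catch-all below the specific allows (or delete it).
    fixed = POLICIES[1:] + POLICIES[:1]
    print(first_match(fixed, HTTPS_MGMT))
```

Run it as-is to see the three probe rows; the management and IKE probes both report `Block_WAN_to_Device` as the shadowing rule, while LAN-to-WAN traffic is unaffected, which matches the symptom pattern in the thread (everything from WAN fails, internal traffic still works). Moving the catch-all to the bottom makes the specific allows win.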
Hello RAV_ZYXEL, I suggest you gather the IKE and debugging logs for the period in question and attach them for forum members and Zyxel techs to assist.
Should the VPN connection be received and processed by the appliance, you will definitely start to see what the error is.
Make sure you sed (edit out/substitute with xxxxx) the unique particulars for your appliance (id) and relevant local details (IPv4s etc.).
Use both the Zyxel web UI (Configuration / Logging / System / VPN / debug) and the UI Monitor / Logging etc. to set the debugging for VPN and to view the logs, or simply log into the router and retrieve them as follows:
Router# show logging entries category ike begin 1 end ????
A good basic start to VPN troubleshooting is to check the appliance logs:
- for IKE (and IPSec & L2TP if you're using that): check for Phase 1 (Gateway) failures, then Phase 2 failures (VPN Connection). The detail is 99% in the Zyxel logs...
- should the tunnel be built, then subsequently look in the 'Security' category for any denies on the policies that permit the IPSEC-LANx rules....
As forum members will tell you, it's likely a configuration error.... check the logs and it can be rectified.
HTH
Warwick
Hong Kong
0 -
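A script to do the two things Warwick asks for before an excerpt is posted: bucket the export into IKE Phase 1 failures, Phase 2 failures and security-policy denies (with denies addressed to the appliance itself flagged separately, since those are the ones that would also explain the dead HTTPS management page), and redact addresses and IKE identities. This is an added example, not from the thread or from Zyxel. The line layout it parses (timestamp, category in brackets, free-text message) and the sample lines are constructed for illustration and are not a documented Zyxel log format; adjust `LINE_RE` to the real export before relying on the counts.

```python
"""Triage and redact a Zyxel-style log export (added example, not Zyxel code).

Assumption: each line is "<date> <time> [<category>] <message>". That layout
and every sample line below are constructed for illustration and are not the
appliance's real output format.
"""
import re
from collections import Counter

# Constructed sample export (assumed layout; documentation addresses).
SAMPLE_LOG = """\
2024-05-02 08:14:01 [ike] Recv Main Mode request from [203.0.113.10]
2024-05-02 08:14:01 [ike] ISAKMP SA [WAN_GW] Phase 1 failed: no matching proposal
2024-05-02 08:15:30 [ike] Phase 1 established with [203.0.113.10], ID=user@example.net
2024-05-02 08:15:31 [ike] Phase 2 failed: mismatched local/remote policy 10.10.0.0/24
2024-05-02 08:16:02 [secure policy] priority:1, from WAN to ZyWALL, TCP, 203.0.113.10:51234 -> 198.51.100.5:443, Match default rule, DROP
2024-05-02 08:16:05 [secure policy] priority:1, from WAN to ZyWALL, UDP, 203.0.113.10:500 -> 198.51.100.5:500, Match rule 1, DROP
2024-05-02 08:16:09 [secure policy] priority:3, from LAN1 to WAN, TCP, 192.168.1.20:40000 -> 93.184.216.34:443, Match rule 3, ACCEPT
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<cat>[^\]]+)\] (?P<msg>.*)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
ID_RE = re.compile(r"\bID=\S+")


def parse(text):
    """Return (timestamp, lowercase category, message) for every well-formed line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m["ts"], m["cat"].lower(), m["msg"]))
    return out


def classify(cat, msg):
    """Map an entry to a triage bucket, or None when it is not a failure/deny."""
    low = msg.lower()
    if cat == "ike":
        if "phase 1" in low and "fail" in low:
            return "ike_phase1_failure"
        if "phase 2" in low and "fail" in low:
            return "ike_phase2_failure"
        return None
    if cat == "secure policy" and ("drop" in low or "reject" in low):
        # Denies addressed to the appliance itself also explain dead HTTPS management.
        return "policy_deny_to_device" if "to zywall" in low else "policy_deny"
    return None


def redact(msg):
    """Mask IPv4 addresses and IKE identities before the excerpt is shared."""
    return ID_RE.sub("ID=xxxxx", IPV4_RE.sub("x.x.x.x", msg))


def triage(text):
    """Return (Counter of buckets, redacted lines of interest in log order)."""
    counts = Counter()
    lines = []
    for ts, cat, msg in parse(text):
        bucket = classify(cat, msg)
        if bucket:
            counts[bucket] += 1
            lines.append(f"{ts} {bucket}: {redact(msg)}")
    return counts, lines


if __name__ == "__main__":
    counts, lines = triage(SAMPLE_LOG)
    print(dict(counts))
    print("\n".join(lines))
```

On the constructed sample the output has one Phase 1 failure, one Phase 2 failure and two drops addressed to the ZyWALL zone (TCP/443 and UDP/500 from the WAN), with every address replaced by `x.x.x.x`; that is the shape of excerpt the thread asks the poster to attach. Sort the lines by timestamp around the "last known good" date from the accepted solution to narrow the window further.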