Unable to Remote Access Zyxel USG20 VPN Firewall from External IP

RAV_ZYXEL
RAV_ZYXEL Posts: 15  Freshman Member
Hi, I have a Zyxel USG20 VPN Firewall with a static WAN IP, which I use from time to time to manage remotely from the internet. I also have several NAT & SSL VPN configured. Recently my NAT & SSL VPN weren't working. When I checked, the remote access of the firewall (https://wan-ip) also didn't work.
Note: The Remote Management (Configuration --> System --> WWW --> Https) is enabled for port 443. I have the latest firmware version V5.10(ABAQ.0) updated. 
I'm not sure what could be wrong. Please provide your valuable solutions.

Accepted Solution

  • anno_t34
    anno_t34 Posts: 12  Freshman Member
    edited November 2021 Answer ✓
    @RAV_ZYXEL:

    Do you have access to the zywall USG20 right now? I understand that the VPN/SSL remote access is not working, but if the physical location is not too far from you, you could check the zywall on-site. If that's not possible, you should ask someone on location to assist you.

    My hints to narrow down the issue, before you roll out the in-depth troubleshooting process, are:

    1. Try to remember when the last time was that you successfully accessed the gateway using VPN/SSL.

    2. Have you tried to access the zywall with different devices, or only one?
    Just in case, to exclude that something has been changed on your local device used to remotely access the zywall.

    3. Check the date of the Start-Up zywall configuration. If it is newer than the date you remember at point 1 above, install a backup of the zywall configuration, IF you have one.

    4. Do you store the zywall logs remotely on a syslog server? If yes, check the logs after the date specified at point 1 above.

    5. Initiate a test VPN/SSL session. Sniff the traffic on the USG20 on the Internet interface. You could record the trace results in a pcap file for further analysis. Check the zywall logs.

    6. You also could ask the ISP for support. For example, if they eventually changed something on the infrastructure, after the date at point 1 above.

    Regards,
    A.




All Replies

  • mMontana
    mMontana Posts: 1,389  Guru Member
    Please, provide more info about the way your USG20-VPN connects to internet. Maybe a CPE is "in front" of it and without a Port-Mapping rule you cannot really access...
  • RAV_ZYXEL
    RAV_ZYXEL Posts: 15  Freshman Member
    The USG is connected to the internet directly through the WAN port & there is no CPE in front of it. This was working fine and just stopped working all of a sudden. 
  • mMontana
    mMontana Posts: 1,389  Guru Member
    Sorry to read that. Anyway...
    After this "bad thing" some settings became a bit more restrictive when accessing the device from the WAN.
    IDK if you're using any of the tools (GeoIP, Static IP, firewall rules, whatever) but... IMVHO you might take a slow debug session using the appropriate tool.
    You can also add some rules on top of yours to generate log alerts and find... when the packet hits the detour (back and forth), moving the "alert rule" from top to bottom of the security policies.


  • WJS
    WJS Posts: 156  Master Member
    The symptoms (all access from WAN didn't work)
    look like you have a WAN->Zywall deny (drop) rule at higher priority.

    I think you can check the rule first
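An added example (not from the thread, not Zyxel's code) that models what WJS and RAV_ZYXEL are discussing: ZyWALL-style security policies are evaluated top-down, first match wins, so a broad WAN->ZyWALL deny placed above the management-allow rule drops HTTPS admin access even though the allow "exists". The zone names, rule names and the 203.0.113.0/24 admin range are constructed for the demonstration.

```python
# Added example: first-match evaluation of an ordered security-policy list.
# Not Zyxel's implementation; zone/rule names and addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    from_zone: str        # "WAN", "LAN1", ... or "any"
    to_zone: str          # "ZyWALL" = traffic addressed to the device itself
    src: str              # source CIDR or "any"
    dport: Optional[int]  # destination port, None = any service
    action: str           # "allow" or "deny"

def _matches(rule: Rule, from_zone: str, to_zone: str, src: str, dport: int) -> bool:
    if rule.from_zone not in ("any", from_zone) or rule.to_zone not in ("any", to_zone):
        return False
    if rule.src != "any" and ip_address(src) not in ip_network(rule.src):
        return False
    return rule.dport is None or rule.dport == dport

def evaluate(policies, from_zone, to_zone, src, dport):
    """Return (action, rule name) of the FIRST matching rule; implicit deny if none."""
    for rule in policies:
        if _matches(rule, from_zone, to_zone, src, dport):
            return rule.action, rule.name
    return "deny", "implicit-default-deny"

# Constructed policy list: the admin allow exists but sits BELOW the blanket deny,
# which produces the symptom in the thread (every WAN access to the device dropped).
ADMIN_NET = "203.0.113.0/24"   # constructed management source range
BROKEN = [
    Rule("Block-WAN-to-Device", "WAN", "ZyWALL", "any", None, "deny"),
    Rule("Allow-Admin-HTTPS", "WAN", "ZyWALL", ADMIN_NET, 443, "allow"),
]
# Same two rules, with the specific allow moved above the broad deny.
FIXED = [BROKEN[1], BROKEN[0]]

def admin_https_result(policies):
    """Simulate the admin's browser hitting https://wan-ip from the management range."""
    return evaluate(policies, "WAN", "ZyWALL", "203.0.113.10", 443)

if __name__ == "__main__":
    print("broken order:", admin_https_result(BROKEN))  # ('deny', 'Block-WAN-to-Device')
    print("fixed order: ", admin_https_result(FIXED))   # ('allow', 'Allow-Admin-HTTPS')
    print("other source:", evaluate(FIXED, "WAN", "ZyWALL", "198.51.100.7", 443))
```

Walking a temporary log-only rule down the list, as mMontana suggests, is the same idea in reverse: the first position at which the alert stops firing tells you which rule above it is consuming the packet.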
  • warwickt
    warwickt Posts: 111  Ally Member
    Hello RAV_ZYXEL, I suggest you gather the IKE and debugging logs for the period in question and attach them for forum members and Zyxel techs to assist.

    Should the VPN connection be received and processed by the appliance, you will definitely start to see what the error is.

    Make sure you sed (edit out/substitute with xxxxx) the unique particulars for your appliance (id) and relevant local details (IPv4 addresses etc.)

    Use both the Zyxel web UI Configuration / Logging / System / VPN / debug and UI Monitor / Logging etc. to set the debugging for VPN and to view, or simply log into the router and retrieve them as follows:

    Router# show logging entries category ike begin 1 end ????


    A good basic start to VPN troubleshooting is to check appliance logs for:

    1.  For IKE (and IPSec & L2TP if you're using that) - check for Phase 1 (Gateway) failures and then Phase 2 failures (VPN Connection) .. the detail is 99% in the Zyxel logs... 
    2.  Should the tunnel be built, then subsequently look for the 'Security' category for any denies on the policies that permit IPSEC-LANx rules .... 

    As forum members will tell you it's likely a configuration error.... check the logs and it can be rectified.

    HTH

    Warwick

    Hong Kong
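An added example (not from the thread, not Zyxel's code) for the two things warwickt asks for: tagging exported log lines as IKE Phase 1 failure, Phase 2 failure or security-policy deny, and redacting IPv4 addresses and the local IKE ID before the export is posted. The sample lines are constructed in a generic "time category message" shape; the real USG20 export format may differ, so the patterns are assumptions to adapt.

```python
# Added example: triage + redaction of constructed ZyWALL-style log lines.
# Not Zyxel's code; the log shape and the patterns below are assumptions.
import re
from collections import Counter

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
LOCAL_ID = re.compile(r"(local id[:=]\s*)(\S+)", re.IGNORECASE)

# A line gets the label of the FIRST pattern that matches, so order them
# from most specific (phase 1) to least specific.
PATTERNS = [
    ("ike_phase1_failure", re.compile(r"IKE.*phase ?1.*(fail|no proposal|timeout)", re.I)),
    ("ike_phase2_failure", re.compile(r"IKE.*phase ?2.*(fail|no proposal|mismatch)", re.I)),
    ("policy_deny", re.compile(r"Security Policy.*(deny|drop)", re.I)),
]

def classify(line: str) -> str:
    for label, pat in PATTERNS:
        if pat.search(line):
            return label
    return "other"

def redact(line: str) -> str:
    """Replace every IPv4 address with xxx.xxx.xxx.xxx and the local IKE ID with xxxxx."""
    line = LOCAL_ID.sub(r"\1xxxxx", line)
    return IPV4.sub("xxx.xxx.xxx.xxx", line)

def triage(lines):
    """Return (count per label, redacted lines) for a log export."""
    counts = Counter(classify(l) for l in lines)
    return counts, [redact(l) for l in lines]

# Constructed sample export (addresses from documentation ranges, not real hosts).
SAMPLE = [
    "2021-11-02 08:14:01 IKE Phase 1 failed: no proposal chosen, peer 198.51.100.7 local id: vpn-hq.example",
    "2021-11-02 08:14:05 IKE Phase 2 failed: traffic selector mismatch with 198.51.100.7",
    "2021-11-02 08:15:10 Security Policy Control: Match default rule, DENY 203.0.113.10:52314 -> 192.0.2.1:443",
    "2021-11-02 08:15:11 System: admin login from 192.168.1.20",
]

if __name__ == "__main__":
    counts, safe = triage(SAMPLE)
    print(dict(counts))       # phase1, phase2, policy_deny and other counted once each
    print("\n".join(safe))    # lines safe to paste into a forum post
```

A policy_deny hit whose destination is the device's own WAN address on port 443 is the log-side confirmation of the rule-ordering problem WJS describes, whereas Phase 1 hits point at the IKE gateway configuration or the path to it.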




  • RAV_ZYXEL
    RAV_ZYXEL Posts: 15  Freshman Member
    mMontana said:
    Sorry to read that. Anyway...
    After this "bad thing" some settings became a bit more restrictive when accessing the device from the WAN.
    IDK if you're using any of the tools (GeoIP, Static IP, firewall rules, whatever) but... IMVHO you might take a slow debug session using the appropriate tool.
    You can also add some rules on top of yours to generate log alerts and find... when the packet hits the detour (back and forth), moving the "alert rule" from top to bottom of the security policies.


    Yeah, I'm troubleshooting the rules & checking the logs. Will comment if something comes up.
  • RAV_ZYXEL
    RAV_ZYXEL Posts: 15  Freshman Member
    WJS said:
    The symptoms (all access from WAN didn't work)
    look like you have a WAN->Zywall deny (drop) rule at higher priority.

    I think you can check the rule first
    We do have the default rule to block any source to the device, but then we also have other rules that override the deny rule to allow access to the device. I'm still looking at other rules as of now.
  • RAV_ZYXEL
    RAV_ZYXEL Posts: 15  Freshman Member
    anno_t34 said:
    @RAV_ZYXEL:

    Do you have access to the zywall USG20 right now? I understand that the VPN/SSL remote access is not working, but if the physical location is not too far from you, you could check the zywall on-site. If that's not possible, you should ask someone on location to assist you.

    My hints to narrow down the issue, before you roll out the in-depth troubleshooting process, are:

    1. Try to remember when the last time was that you successfully accessed the gateway using VPN/SSL.

    2. Have you tried to access the zywall with different devices, or only one?
    Just in case, to exclude that something has been changed on your local device used to remotely access the zywall.

    3. Check the date of the Start-Up zywall configuration. If it is newer than the date you remember at point 1 above, install a backup of the zywall configuration, IF you have one.

    4. Do you store the zywall logs remotely on a syslog server? If yes, check the logs after the date specified at point 1 above.

    5. Initiate a test VPN/SSL session. Sniff the traffic on the USG20 on the Internet interface. You could record the trace results in a pcap file for further analysis. Check the zywall logs.

    6. You also could ask the ISP for support. For example, if they eventually changed something on the infrastructure, after the date at point 1 above.

    Regards,
    A.



    Hi, I tried to recollect the last successful connection and attempted to restore an earlier config to see if that works, but it didn't. I tried accessing from several devices, but it all gets dropped. Yes, I am checking the logs as of now and using debugging tools to trace the packet loss. And also, like you mentioned in #6, I am working with the ISP to find out if there is anything going on at their end. Thanks for the tips, will get back to comments when I have more information.
