Unable to Remote Access Zyxel USG20 VPN Firwall from External IP

2»

All Replies

  • warwickt said:
    Hello RAV_ZYXEL , suggest you gather the IKE and debugging logs for the period in question and attach them for forum members and Zyxel techs to assist.

    Should the VPN connection be received and processed by the appliance, you will definately start to see what the error is.

    Make sure you sed  (edit out/substitute with xxxxx) the unique particulars for your appliance (id) and relevant local details (IPV4's etc) 

    Use the both the Zyxel web UI Configuration/ Logging/System/ VPN / debug  and UI Monitor/ Logging etc.. to set the debugging for VPN and to view or simply log into the router and retrieve them as follows:

    show logging entries category ike begin 1 end ???? Router# 


    A good basic start to VPN troubleshooting is to check appliance logs for:

    1.  for IKE (and IPSec & L2TP if you're using that)  - check for Phase 1 (Gateway) failures or then Phase 2 failures (VPN Connection) .. the detail is 99% in the zyxel logs... 
    2.  Should the tunnel be built, then subsequently  look for  'Security" category for any deny's on the policies that permit IPSEC-LANx rules .... 

    As forum members will tell you it's likely a configration error.... check the logs and it can be rectified.

    HTH

    Warwick

    Hong Kong



    Thanks, i will collect the logs and post them for debugging. Not using any IPSec or L2TP for now. SSL VPN is configured, but it gets dropped everytime when tried to connect.
  • warwickt said:
    Hello RAV_ZYXEL , suggest you gather the IKE and debugging logs for the period in question and attach them for forum members and Zyxel techs to assist.

    Should the VPN connection be received and processed by the appliance, you will definately start to see what the error is.

    Make sure you sed  (edit out/substitute with xxxxx) the unique particulars for your appliance (id) and relevant local details (IPV4's etc) 

    Use the both the Zyxel web UI Configuration/ Logging/System/ VPN / debug  and UI Monitor/ Logging etc.. to set the debugging for VPN and to view or simply log into the router and retrieve them as follows:

    show logging entries category ike begin 1 end ???? Router# 


    A good basic start to VPN troubleshooting is to check appliance logs for:

    1.  for IKE (and IPSec & L2TP if you're using that)  - check for Phase 1 (Gateway) failures or then Phase 2 failures (VPN Connection) .. the detail is 99% in the zyxel logs... 
    2.  Should the tunnel be built, then subsequently  look for  'Security" category for any deny's on the policies that permit IPSEC-LANx rules .... 

    As forum members will tell you it's likely a configration error.... check the logs and it can be rectified.

    HTH

    Warwick

    Hong Kong



    Thanks, i will collect the logs and post them for debugging. Not using any IPSec or L2TP for now. SSL VPN is configured, but it gets dropped everytime when tried to connect.
    anno_t34 said:
    @RAV_ZYXEL:

    Do you have access to the zywall USG20 right now? I understand that the VPN/SSL remote access is not working, but if the physical location is not to far from you, you could check the zywall on-site. If that's not possible, you should ask someone on location, to assist you.

    My hints to narrow down the issue, before you roll out the in-deep troubleshooting process, are:

    1. Try to remember, when was the last time you successfully accessed the gateway using VPN/SSL.

    2. Have you tried to access the zywall with different devices, or only one?
    Just in case, to exclude that something has been changed on your local device used to remotely access the zywall.

    3. Check the date of the Start-Up zywall configuration. If it is newer that the date you remember at point 1 above, install a backup of zywall configuration, IF you have one.

    4. Do you store the zywall logs remotely on a syslog server? If yes, check the logs after the date specified at point 1 above.

    5. Initiate a test VPN/SSL test session. Sniff the traffic on USG20 on Internet interface. You could record the trace results in a pcap file for further analysis. Check the zywall logs.

    6. You also could ask the ISP for support. For example, if they eventually changed something on the infrastructure, after the date at point 1 above.

    Regards,
    A.




    Hello again, i tried everything and the last resort was checking with the ISP. After so many followups and tiresome calls, it seems they have made some drastic changes in the Static IP Assigned and messed up. Didn't update us on the changes. Your point #6 is what happened. Thanks again for the response.

Security Highlight