SSL VPN Disconnect due to invalid packet size

itxnc Posts: 98  Ally Member
We ran into a weird issue with a user today - not sure how to get around it.

User is on Windows 11. SSL VPN v4.0.4. They connect no problem. Get their 2FA prompt, then when they tap authorize, they get disconnected. The USG40 (recently upgraded to v4.70) logs show this:



It's 100% reproducible. And yet... here's where it gets weird.

If I logged into my own Zyxel router from her computer (we have an ATP200 v5.10) - it worked fine. Same setup - 2FA Auth, etc. No problem. So sort of rules out some weird Win11 MTU issue. If I logged into her router from my computer (Windows 10, SSL VPN v4.0.4, 2FA), it worked fine. Didn't expect that...

I didn't get a chance to try another USG40 that wasn't on 4.70. She needed to get work done, so I just ate an IPSec license fee and switched her over to IPSec, which worked like a champ.

Anyone else seeing this kind of behavior? Ideas?

Side note - anyone have trouble getting 2FA to work with IPSec tunnels? The bulk of our users use SSL w/2FA and it works great. But even though IPSec is checked under the Two Factor config screen and the user's 2FA tab, they always connect and never get a 2FA prompt. Is there some other config needed for X-Auth to trigger 2FA?

All Replies

  • Zyxel_Emily Posts: 1,396  Zyxel Employee
    Hi @itxnc,
    We use USG40W with firmware 4.70 and configure SSL VPN with 2FA authentication. 
    Windows 11 is able to establish SSL VPN with 2FA successfully.
    Here is the system information of Windows 11 and test result for your reference. 
    Is it possible to send the web GUI access of your USG40 to me in private message to check the symptom remotely?


  • Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Hi @itxnc,
    Can you send me the following items via private message for analysis?
    C:\SecuExtenderHelper.log
    C:\Users\[windows account]\SecuExtender.log
  • lalaland Posts: 90  Ally Member
    Did you enable phase2 mode config in IPSec VPN tunnel?
  • itxnc Posts: 98  Ally Member
    > Hi @itxnc,
    > Can you send me the following items via private message for analysis.
    > C:\SecuExtenderHelper.log
    > C:\Users\[windows account]\SecuExtender.log
    Sent - if you need anything else, just let me know!
