SSL VPN Disconnect due to invalid packet size

itxnc
itxnc Posts: 98  Ally Member
First Anniversary 10 Comments Friend Collector
We ran into a weird issue with a user today - not sure how to get around it.

User is on Windows 11. SSL VPN v4.0.4. They connect no problem. Get their 2FA prompt, then when they tap authorize, they get disconnected. The USG40 (recently upgraded to v4.70) logs show this:



it's 100% reproducible. And yet... here's where it gets weird.

If I logged into my own Zyxel router from her computer (we have an ATP200 v5.10) - it worked fine. Same setup - 2FA Auth, etc. No problem. So sort of rules out some weird WIn11 MTU issue. If I logged into her router from my computer (Windows 10, SSL VPN v4.0.4, 2FA), it worked fine. Didn't expect that...

I didn't get a chance to try another USG40 that wasn't on 4.70. She needed to get work done, so I just ate an IPSec license fee and switched her over to IPSec, which worked like a champ.

Anyone else seeing this kind of behavior? Ideas?

Side note - anyone have trouble getting 2FA to work with IPSec tunnels? The bulk of our users use SSL w/2FA and it works great. But even though IPSec is checked under the Two Factor config screen and the user's 2FA tab, they always connect and never get a 2FA prompt. Is there some other config needed for X-Auth to trigger 2FA?

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @itxnc,
    We use USG40W with firmware 4.70 and configure SSL VPN with 2FA authentication. 
    Window 11 is able to establish SSL VPN with 2FA successfully.
    Here is the system information of Windows 11 and test result for your reference. 
    Is it possible to send the web GUI access of your USG40 to me in private message to check the symptom remotely?


  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,444  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @itxnc,
    Can you send me the following items via private message for analysis.
    C:\SecuExtenderHelper.log
    C:\Users\[windows account]\SecuExtender.log
  • lalaland
    lalaland Posts: 90  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    Did you enable phase2 mode config in IPSec VPN tunnel?
  • itxnc
    itxnc Posts: 98  Ally Member
    First Anniversary 10 Comments Friend Collector
    Hi @itxnc,
    Can you send me the following items via private message for analysis.
    C:\SecuExtenderHelper.log
    C:\Users\[windows account]\SecuExtender.log
    Sent - if you need anything else, just let me know!

Security Highlight