SSL VPN Disconnect due to invalid packet size

itxnc
itxnc Posts: 98  Ally Member
First Comment Friend Collector Sixth Anniversary
We ran into a weird issue with a user today - not sure how to get around it.

User is on Windows 11. SSL VPN v4.0.4. They connect no problem. Get their 2FA prompt, then when they tap authorize, they get disconnected. The USG40 (recently upgraded to v4.70) logs show this:



it's 100% reproducible. And yet... here's where it gets weird.

If I logged into my own Zyxel router from her computer (we have an ATP200 v5.10) - it worked fine. Same setup - 2FA Auth, etc. No problem. So sort of rules out some weird WIn11 MTU issue. If I logged into her router from my computer (Windows 10, SSL VPN v4.0.4, 2FA), it worked fine. Didn't expect that...

I didn't get a chance to try another USG40 that wasn't on 4.70. She needed to get work done, so I just ate an IPSec license fee and switched her over to IPSec, which worked like a champ.

Anyone else seeing this kind of behavior? Ideas?

Side note - anyone have trouble getting 2FA to work with IPSec tunnels? The bulk of our users use SSL w/2FA and it works great. But even though IPSec is checked under the Two Factor config screen and the user's 2FA tab, they always connect and never get a 2FA prompt. Is there some other config needed for X-Auth to trigger 2FA?

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    Hi @itxnc,
    We use USG40W with firmware 4.70 and configure SSL VPN with 2FA authentication. 
    Window 11 is able to establish SSL VPN with 2FA successfully.
    Here is the system information of Windows 11 and test result for your reference. 
    Is it possible to send the web GUI access of your USG40 to me in private message to check the symptom remotely?


    See how you've made an impact in Zyxel Community this year!
    https://bit.ly/Your2024Moments_Community

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    Hi @itxnc,
    Can you send me the following items via private message for analysis.
    C:\SecuExtenderHelper.log
    C:\Users\[windows account]\SecuExtender.log
  • lalaland
    lalaland Posts: 91  Ally Member
    First Answer First Comment Friend Collector Sixth Anniversary
    Did you enable phase2 mode config in IPSec VPN tunnel?
  • itxnc
    itxnc Posts: 98  Ally Member
    First Comment Friend Collector Sixth Anniversary
    Hi @itxnc,
    Can you send me the following items via private message for analysis.
    C:\SecuExtenderHelper.log
    C:\Users\[windows account]\SecuExtender.log
    Sent - if you need anything else, just let me know!

Security Highlight