Connection instability behind firewall and with SSL VPN (remote access)

Remo Posts: 9
edited February 2022 in Security

We have been experiencing some instabilities with SSL VPN and the internet connection in general for some time now. We are trying to narrow down the source of the problem and are wondering if anybody else is experiencing the same thing. Our internet provider did some tests on-site and could not find any abnormalities. We need to prove that the problem is not related to the USG firewalls. Are there any easy analytics tools to test the “stability” of the internet (preferably built into the Zyxel devices)? Or do we need to put a device in front of the firewall and do some manual tests?

We do have two locations connected with a site-to-site VPN. This connection seems very stable. However, if we are logging in through SSL VPN (with SecuExtender) we would get disconnected after a short time (sometimes after a few seconds) - the log message is not really helping:

This has not happened in the past and we have been trying to fix this for weeks now, without success. Besides some geo-blocking, we did not change any settings.

All the USG Zyxel devices do have the latest firmware and we are using the latest version of SecuExtender as well (4.0.4.0).

Here's the log when Client (SecuExtender) gets disconnected:

[ 2022/02/05 21:41:13 ][SecuExtender Helper] Request(92): REMOVE 1006807232/44579661 7 33663168 29927616
[ 2022/02/05 21:41:13 ][SecuExtender Helper] Remove Routing
[ 2022/02/05 21:41:13 ][SecuExtender Helper] Remove prioritize routing
[ 2022/02/05 21:41:13 ][SecuExtender Helper] Succeed to delete prioritize route to ***.***.***.***
[ 2022/02/05 21:41:13 ][SecuExtender Helper] Get netsh path = powershell
[ 2022/02/05 21:41:13 ][SecuExtender Helper] Set-NetIPInterface -InterfaceAlias "Ethernet" -InterfaceMetric 30
[ 2022/02/05 21:41:13 ][SecuExtender Helper] ZyShellExecute start.
[ 2022/02/05 21:41:14 ][SecuExtender Helper] ZyShellExecute WaitForSingleObject() result = 0
[ 2022/02/05 21:41:14 ][SecuExtender Helper] GetExitCodeProcess
[ 2022/02/05 21:41:14 ][SecuExtender Helper] lpszFile = powershell, lpszParam = Set-NetIPInterface -InterfaceAlias "Ethernet" -InterfaceMetric 30, dwExitCode = 0, dwError = 0
[ 2022/02/05 21:41:14 ][SecuExtender Helper] Failed to read from client(2): 109, 0
[ 2022/02/05 21:41:14 ][SecuExtender Helper] Start to Disconnect pipe...
[ 2022/02/05 21:41:14 ][SecuExtender Helper] Shutting down a pipe connection instance...
[ 2022/02/05 21:41:14 ][SecuExtender Helper] ==============================

All Replies

  • USG_User
    USG_User Posts: 369  Master Member
    edited February 2022
    Hi Remo,
    With our USG110 we use a S2S IPSec VPN and different SSL Client VPNs. All works stable as soon as the internet connection is stable. That's why in general it's not a problem with USG.

    But in the past we also experienced different instabilities when users had to work from home due to the Covid-19 pandemic. But every time we experienced problems it was because of the client networks at home. Most of our users are connecting by WLAN from home. But their WLANs are often expanded by WLAN extenders or WLAN repeaters. And this kind of equipment is responsible for such instabilities. In case you are using such devices on the SSL VPN client side, remove them and try a "clean" connection to the main WLAN access point, or connect to your router by wire.
  • Remo
    Remo Posts: 9
    edited February 2022

    Thanks @USG_User, for your reply. 

    The problem remains if the clients use SSL VPN and are connected to the internet through wires. If we use the native Windows Client and L2TP/IPsec, the connection is very stable. 

    As mentioned previously, the S2S connection between our two main offices is stable as well. As if this type of VPN is more forgiving. We are trying to prove that the internet at one location is not stable but don't know how. Our provider claims that there is no problem with the internet.

    Long story short:

    A, accessing from outside) SSL VPN connections can't be used at the moment because they are not stable. 

    B, working from within the network) We are experiencing unstable internet behind USG20 and USG Flex 200 from that particular location. 


  • USG_User
    USG_User Posts: 369  Master Member
    edited February 2022
    If you are simultaneously experiencing unstable internet from inside your LAN behind USG20 and Flex200, I would take for granted that the internet connection from the ISP is responsible for the problems but not the SSL VPN software.
    In case the internet gets lost for very short times, without exceeding the max packet TTLs, current TCP connections may be resumed. But VPN connections are less error resistant due to security reasons. But surprisingly your S2S tunnel keeps working.

    I know it's difficult to prove an unstable internet provision to the ISP. We got a second redundant line to another ISP and the USG immediately sends an alert log as soon as it switches over to the second internet line due to failure of the first line. But of course, switching over to a redundant internet line makes any established VPN tunnels collapse as well.

    From my point of view the USGs don't have any suitable tools for a detailed internet line surveillance. They only observe the port connection for physical death, e.g. between USG WAN port and fiber modem but not the transmission of packets into the internet.

    Maybe another guy has an idea how to implement an ISP internet connection surveillance.
  • Remo
    Remo Posts: 9
    Thanks again @USG_User. I think we have no choice but to put a client in front of the firewall(s) and check if the instabilities occur 🙃
  • Remo
    Remo Posts: 9
    Not really a solution but an update: The SSL VPN seems stable as long as there is no traffic from Site-to-Site. However, as soon as we are starting to access servers or services on the other site through S2S VPN, we are getting disconnected.
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,066  Zyxel Employee

    Can you provide the startup-config of the device to us via private message? We’d like to check if there could be a configuration-related reason.
  • Remo
    Remo Posts: 9
    We are quite sure now that it must be a problem of the USG firewalls. We connected a client directly to the internet and the problems do not occur. 
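
The comparison discussed in this thread (a client in front of the firewall versus clients behind it) can be turned into evidence by probing from both vantage points and correlating the outage windows. The following is an added example, not part of the original thread and not Zyxel tooling; the probe target, the 5-second interval, the two-failure threshold, the verdict labels and the sample data in `demo()` are assumptions constructed for illustration.

```python
import socket
import time
from datetime import datetime, timedelta

def probe(host, port=443, timeout=2.0):
    """One TCP connect attempt to a host you choose; returns (timestamp, reachable)."""
    ts = datetime.now()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return ts, True
    except OSError:
        return ts, False

def collect(host, count, interval=5.0):
    """Run on each vantage point (clocks synchronised) and keep the samples."""
    samples = []
    for _ in range(count):
        samples.append(probe(host))
        time.sleep(interval)
    return samples

def outages(samples, min_failures=2):
    """Collapse runs of consecutive failed probes into (start, end) windows."""
    windows, run = [], []
    for ts, ok in list(samples) + [(None, True)]:  # sentinel closes a trailing run
        if not ok:
            run.append(ts)
            continue
        if len(run) >= min_failures:
            windows.append((run[0], run[-1]))
        run = []
    return windows

def attribute(behind_fw, in_front, slack=timedelta(seconds=5)):
    """Label each outage seen behind the firewall by whether the outside probe saw it too."""
    labelled = []
    for start, end in behind_fw:
        shared = any(s - slack <= end and start <= e + slack for s, e in in_front)
        labelled.append((start, end, "upstream/ISP" if shared else "firewall or LAN"))
    return labelled

def demo():
    """Constructed samples: one probe every 5 s from both vantage points."""
    t0 = datetime(2022, 1, 1, 12, 0, 0)
    def series(failed):
        return [(t0 + timedelta(seconds=5 * i), i not in failed) for i in range(24)]
    behind = outages(series({3, 4, 5, 14, 15}))  # client behind the firewall
    front = outages(series({14, 15}))            # client in front of the firewall
    return attribute(behind, front)
```

Calling `demo()` returns the labelled windows for the constructed data; with real measurements, feed the output of `collect()` from each vantage point into `outages()` and then `attribute()`.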
