ZyWALL 110 2FA stops working, web interface hangs

I set up 2FA using SMS via ClickSend on a ZyWALL 110. Firmware 4.70(AAAA.0) (latest).
It appeared to work well initially but as we rolled it out to more users it has failed twice in the last two weeks.
Symptoms are a failure to send the 2FA email, users being unable to authorize their connections, and a non-functioning web interface. Normal routing functions continue. Existing VPN tunnels are not affected.
First failure was as described. Second failure, the web interface was functional when the problem was initially reported. The Authentication Log showed entries that emails were being sent but the emails were, in fact, not sent (I was able to verify that the router was making no actual attempt to connect to the given mail server). After a short period of time the web interface froze, as in the first incident.
Function was restored by power cycling the device.
Normal usage pattern is 10 simultaneous SSL VPN users and 50 2FA authorizations a day.
When the web interface is frozen it is possible to connect to the device via SSH but it responds very slowly and connection attempts often time out. When successfully connected the session reports unable to connect to the zysh daemon. Consistent with this report.

All Replies

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 741  Zyxel Employee
    Hi @Shady,

    Could you kindly provide the configuration in Private Messages?

    Kevin
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 741  Zyxel Employee
    edited March 2022
    Hi @Shady,
    Thanks for your information. Please kindly check and test the following:
    1) The UserGroup used for SMS belongs to AD users. Please check that there is a correct mobile number in the field.

    2) Please set the following from "ra.vmal.com" to "wan1":
    two-factor-auth server user-defined xxx.com

    3) Does the mail server use TLS? If not, please inactivate:
     smtp-tls activate
     smtp-auth activate
     smtp-address XX.xx.xx.xx
     smtp-port 25
     mail-from XX@xxx.xxx

    Last, could you capture the packets when connecting to the VPN (if SMTP is not encrypted)?

    Kevin

  • Shady
    Shady Posts: 2
    Thank you for helping out with this.
    Unfortunately I think the reply missed the point of my problem. The 2FA system works and is used 50-80 times a day.
    Occasionally the router loses its mind, stops sending emails, and stops responding on the web GUI interface.
    Recovery is by rebooting the router, which is disruptive to business operations (since the router is still functioning as a basic router).
    Directly responding to your questions:
    1) Mobile phone numbers, in AD, are set up and working. On a normal day there are 50-80 successful 2FA authentications, which involve the router sending an email to ClickSend, ClickSend sending an SMS to the user, and the user following the link in the SMS back to the router to authorize the connection.
    2) Changing the Authorize Link URL Address from User-Defined:<host-name> to From Interface:WAN1 will change the URL in the SMS from a host name to an IP address. We need it to be a host name to match the SSL certificate on the interface. And again, this works up until the router loses its mind and has to be reset.
    3) I can't disable TLS in the email configuration. The connection to the email server has to be an authenticated connection, which requires TLS. And again, this works up until the router loses its mind and has to be reset.
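As an added illustration (not code from this thread, from Zyxel, or from ClickSend), the failure mode Shady describes, where the Authentication Log claims a mail was sent but the router opens no SMTP connection, can be caught by correlating the log against observed outbound connections. The log and flow formats, the mail server address, and the 30-second window are assumptions; the sample lines are constructed.

```python
# Added example: flag "log says sent, nothing on the wire" by correlating
# constructed authentication-log lines with constructed outbound-connection
# records. Formats and addresses are assumptions, not the ZyWALL's real ones.
from datetime import datetime, timedelta

MAIL_SERVER = "203.0.113.25"   # placeholder documentation address
WINDOW = timedelta(seconds=30)  # assumed: a real send connects within 30 s

# Constructed authentication-log lines: "<timestamp> <message>"
AUTH_LOG = """\
2022-03-01 09:00:01 2FA: SMS authorization mail sent for user alice
2022-03-01 09:05:12 2FA: SMS authorization mail sent for user bob
2022-03-01 09:40:00 2FA: SMS authorization mail sent for user carol
2022-03-01 09:41:30 2FA: SMS authorization mail sent for user dave
"""

# Constructed connection records seen upstream of the router:
# "<timestamp> <src> -> <dst>:<port>"
SMTP_FLOWS = """\
2022-03-01 09:00:02 192.0.2.1 -> 203.0.113.25:587
2022-03-01 09:05:13 192.0.2.1 -> 203.0.113.25:587
"""

def parse_ts(line):
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")

def send_events(auth_log):
    """Timestamps of log entries claiming a 2FA mail was handed off."""
    return [parse_ts(l) for l in auth_log.splitlines() if "mail sent" in l]

def smtp_attempts(flows, server):
    """Timestamps of observed connection attempts to the mail server."""
    return [parse_ts(l) for l in flows.splitlines() if f"-> {server}:" in l]

def phantom_sends(auth_log, flows, server=MAIL_SERVER, window=WINDOW):
    """Send timestamps with no SMTP attempt within `window` after them."""
    attempts = smtp_attempts(flows, server)
    return [t for t in send_events(auth_log)
            if not any(t <= a <= t + window for a in attempts)]

def is_hung(auth_log, flows, threshold=2, **kw):
    """Alert once `threshold` sends have no matching SMTP attempt."""
    return len(phantom_sends(auth_log, flows, **kw)) >= threshold
```

Run against a live log feed, an alert from `is_hung` gives warning of the stuck state before users report failed authorizations and before the web interface freezes.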
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 741  Zyxel Employee
    Hi @Shady,
    Thanks for your reply. Please kindly find the weekly firmware in your PM.
    Also, if the issue occurs again, please do the steps mentioned in the PM.
    Kevin
