ZyWALL SecuExtender and NAT issue

PeterUK
PeterUK Posts: 2,705  Guru Member
edited April 2022 in Security

The problem seems to happen randomly, but normally within 10-30 minutes and when the VPN is idle the SSLVPN disconnects. I have logs and Wireshark captures of the problem if needed.

Edit: the SSLVPN was 5130.

USG40 V4.71(AALA.0) as SSLVPN port 5130

Zywall 110 V4.71(AAAA.0) as NAT port 5130 to 5130 to USG40

Cut-down network layout:


Looking at the Wireshark capture before packets get to the Zywall 110, I can see the remote end (on 4G) sending the last packet to the USG40 (PSH, ACK). The USG40 then replies with an ACK, but that ACK is never sent out of the Zywall 110. The remote end then sends lots of PSH, ACK packets that the Zywall 110 never forwards to the USG40. Then the remote end sends a SYN, ECN, CWR, traffic flows, and then the SecuExtender client disconnects.

Edit: hmm, looking more closely, something odd is happening. The PSH, ACK is sent to the USG40, then in the Wireshark capture after the Zywall 110 I see an ACK to the client that the USG40 did not send! Then an ACK from the USG40 is sent and goes out of the Zywall 110, then the client sends lots of PSH, ACK packets that the Zywall 110 never forwards to the USG40.

Seems like a NAT stateful issue.

Edit: think I might know what's happening... nope, not that... unless the USG40 capture missed it... nope...

So it looks like, for some reason, the Zywall 110 is sending this extra packet, causing this to happen? In fact the Zywall 110 is sending lots of these 60-byte packets along with the USG40's 66-byte packets. Why is that?

OK, think I got it now... the USG40 is getting double packets by way of my real DMZ setup, but I feel it should not be happening. Put simply, the SYN is not doubled, which is good, but the ACK and everything else is sent to the USG40 doubled: OPT to VLAN433 NAT, but also WAN to DMZ bridge. Not sure if this can be fixed, or fixing it may break my setup more...
Real DMZ with NAT ZyWALL USG — Zyxel Community

So what I have done is an ACL drop on port 5130 before it gets to the WAN on the Zywall 110, so that port 5130 only comes down to OPT of the Zywall 110 and is then NATed to the USG40 without double packets.

All Replies

  • PeterUK
    PeterUK Posts: 2,705  Guru Member
    edited April 2022

    So this shows the problem, but if you fix it you may break traffic that needs to go from WAN to VLAN443, such as when you send traffic from VLAN443 to OPT but the incoming is via WAN and then sent down VLAN443, and even from OPT to OPT but received from WAN to go to OPT. But in the meantime I have put an ACL rule on the switch to block port 5130 getting to the WAN on the Zywall 110.

    https://us.v-cdn.net/6029482/uploads/editor/9h/t6w1ttdeooi6.png
