ZyWALL SecuExtender and NAT issue
The problem seems to happen randomly, but normally within 10-30 minutes, and when the VPN is idle the SSLVPN disconnects. I have logs and Wireshark captures of the problem if needed.
Edit: the SSLVPN port was 5130.
USG40 V4.71(AALA.0) as SSLVPN, port 5130
ZyWALL 110 V4.71(AAAA.0) as NAT, port 5130 to 5130 to the USG40
Cut-down network layout
Looking at the Wireshark capture before packets get to the ZyWALL 110, I can see the remote end (by 4G) sending the last packet to the USG40, PSH, ACK. Then the USG40 replies with an ACK, but the ACK is never sent out of the ZyWALL 110. Then the remote end sends lots of PSH, ACK that the ZyWALL 110 never forwards to the USG40, then the remote end sends a SYN, ECN, CWR and traffic flows, then the SecuExtender client disconnects.
Edit: hmm, looking more closely, something odd is happening. The PSH, ACK is sent to the USG40, then I see in the Wireshark capture after the ZyWALL 110 an ACK to the client that the USG40 did not send! Then an ACK from the USG40 is sent and goes out of the ZyWALL 110, then the client sends lots of PSH, ACK that the ZyWALL 110 never forwards to the USG40.
Seems like a NAT stateful issue
Edit: think I might know what's happening... nope, not that... unless the USG40 capture missed it... nope...
So it looks like, for some reason, the ZyWALL 110 is sending this extra packet, causing this to happen? In fact the ZyWALL 110 is sending lots of these 60-byte packets along with the USG40's 66-byte packets. Why is that?
OK, think I got it now... the USG40 is getting double packets by way of my real DMZ setup, but I feel it should not be happening. Put simply, the SYN is not doubled, which is good, but the ACK and everything else is sent to the USG40 doubled: OPT to VLAN433 NAT, but also WAN to DMZ bridge. Not sure if this can be fixed, or fixing it may break my setup more... Real DMZ with NAT ZyWALL USG — Zyxel Community
So what I have done is an ACL to drop port 5130 before it gets to the WAN on the ZyWALL 110, so that port 5130 only comes down to OPT of the ZyWALL 110 to then NAT to the USG40 without double packets.
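As an added example (not from the post or from Zyxel), here is a small Python check for the symptom described above: the same TCP segment reaching the USG40 side twice via two forwarding paths, while the SYN arrives only once. The frame records are constructed to mimic the capture; the hosts, ports and sizes (60 vs 66 bytes for the ACK copies) are assumptions taken from the description, not real capture data.

```python
"""Find TCP segments delivered twice (two forwarding paths) in capture records.

Constructed sample, not real capture data: client -> SSLVPN on 5130 as seen on
the USG40 side, where the SYN arrives once but ACK and PSH,ACK arrive twice.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Frame(NamedTuple):
    ts: float      # capture time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: str     # S, SA, A, PA ...
    seq: int
    ack: int
    length: int    # frame length on the wire in bytes


# Constructed sample records (addresses are documentation ranges).
SAMPLE = [
    Frame(0.000, "203.0.113.7", "192.0.2.40", 51000, 5130, "S", 100, 0, 74),
    Frame(0.020, "192.0.2.40", "203.0.113.7", 5130, 51000, "SA", 500, 101, 74),
    Frame(0.040, "203.0.113.7", "192.0.2.40", 51000, 5130, "A", 101, 501, 66),
    Frame(0.041, "203.0.113.7", "192.0.2.40", 51000, 5130, "A", 101, 501, 60),
    Frame(0.060, "203.0.113.7", "192.0.2.40", 51000, 5130, "PA", 101, 501, 200),
    Frame(0.061, "203.0.113.7", "192.0.2.40", 51000, 5130, "PA", 101, 501, 194),
    Frame(0.080, "192.0.2.40", "203.0.113.7", 5130, 51000, "A", 501, 247, 66),
]

Key = Tuple[str, str, int, int, str, int, int]


def find_duplicates(frames: List[Frame]) -> Dict[Key, List[Frame]]:
    """Group frames by 5-tuple + flags + seq + ack and keep groups seen more than once.
    Frame lengths stay attached so copies of different size (one per path) can be
    told apart from identical TCP retransmissions when reading the result."""
    groups: Dict[Key, List[Frame]] = defaultdict(list)
    for f in frames:
        groups[(f.src, f.dst, f.sport, f.dport, f.flags, f.seq, f.ack)].append(f)
    return {k: v for k, v in groups.items() if len(v) > 1}


def summarize(frames: List[Frame]) -> Dict[str, int]:
    """Count duplicated groups per flag combination, e.g. {'A': 1, 'PA': 1}."""
    counts: Dict[str, int] = defaultdict(int)
    for key in find_duplicates(frames):
        counts[key[4]] += 1
    return dict(counts)
```

Run `summarize(SAMPLE)` on records exported from a capture; a result that contains ACK/PSH,ACK groups but no "S" group matches the "SYN not doubled, everything else doubled" pattern.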
All Replies
So here shows the problem, but if you fix it you may break traffic that needs to go from WAN to VLAN443, such as if you send traffic from VLAN443 to OPT but the incoming is by WAN to then send down VLAN443, and even from OPT to OPT but receive from WAN to go to OPT. But I have in the meantime put an ACL rule on the switch to block port 5130 getting to WAN on the ZyWALL 110.
https://us.v-cdn.net/6029482/uploads/editor/9h/t6w1ttdeooi6.png