SSL VPN problem

StefanoP
StefanoP Posts: 2  Freshman Member
First Comment Fifth Anniversary
edited April 2021 in Security
Hi, I have the SSL VPN that does not work well. It works 1 time out of 10.
The firewall is the latest version (4.31) as well as the client secuextender (4.0.2). Access is via an AD account. I tried however also with local accounts with the same result, so I would exclude a problem of access to active directory. This is the LOG:
[ 2018/06/30 09:59:38 ][SecuExtender Agent][DETAIL]  Checking service (first) ...
[ 2018/06/30 09:59:38 ][SecuExtender Agent][DETAIL]  SecuExtender Helper is running
[ 2018/06/30 09:59:38 ][SecuExtender Agent][DETAIL]  Try to connect to SecuExtender Helper
[ 2018/06/30 09:59:38 ][SecuExtender Agent][DETAIL]  SecuExtender Helper is connected
[ 2018/06/30 09:59:38 ][SecuExtender Agent][INFO]    [ascii] try to login ssl.polgroup.it:443
[ 2018/06/30 09:59:38 ][SecuExtender Agent][INFO]    Connect to 3167836914:443
[ 2018/06/30 09:59:38 ][SecuExtender Agent][INFO]    Local address is 3231842421
[ 2018/06/30 09:59:38 ][SecuExtender Agent][DEBUG]   Connect success.
[ 2018/06/30 09:59:38 ][SecuExtender Agent][DETAIL]  Handshake LoopCounter: 0
[ 2018/06/30 09:59:39 ][SecuExtender Agent][DETAIL]  1791 bytes of handshake data received
[ 2018/06/30 09:59:39 ][SecuExtender Agent][DETAIL]  InitializeSecurityContext returns 0x90312
[ 2018/06/30 09:59:39 ][SecuExtender Agent][DETAIL]  Send 126 bytes of handshake data
[ 2018/06/30 09:59:39 ][SecuExtender Agent][DETAIL]  Handshake LoopCounter: 1
[ 2018/06/30 09:59:39 ][SecuExtender Agent][DETAIL]  274 bytes of handshake data received
[ 2018/06/30 09:59:39 ][SecuExtender Agent][DETAIL]  InitializeSecurityContext returns 0x0
[ 2018/06/30 09:59:39 ][SecuExtender Agent][DETAIL]  SSL Handshake is successful
[ 2018/06/30 09:59:39 ][SecuExtender Agent][DETAIL]  STREAM_SIZE: Header: 13	Trailer: 16, MaxMessage: 16384
[ 2018/06/30 09:59:39 ][SecuExtender Agent][DETAIL]  Protocol: TLS1.2
[ 2018/06/30 09:59:39 ][SecuExtender Agent][DETAIL]  Cipher: AES256
[ 2018/06/30 09:59:39 ][SecuExtender Agent][DETAIL]  Cipher strength: 256
[ 2018/06/30 09:59:39 ][SecuExtender Agent][DETAIL]  Hash: SHA384
[ 2018/06/30 09:59:39 ][SecuExtender Agent][DETAIL]  Hash strength: 0
[ 2018/06/30 09:59:39 ][SecuExtender Agent][DETAIL]  Key exchange: 0xae06
[ 2018/06/30 09:59:39 ][SecuExtender Agent][DETAIL]  Key exchange strength: 256
[ 2018/06/30 09:59:39 ][SecuExtender Agent][INFO]    Server subject: OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.polgroup.it
[ 2018/06/30 09:59:39 ][SecuExtender Agent][INFO]    Server issuer: C=GB, S=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
[ 2018/06/30 09:59:39 ][SecuExtender Agent][DETAIL]  SSL session is created
[ 2018/06/30 10:00:40 ][SecuExtender Agent][WARN]    The device is going to close the connection.
[ 2018/06/30 10:00:40 ][SecuExtender Agent][DETAIL]  Can't get authentication token(1)
[ 2018/06/30 10:00:40 ][SecuExtender Agent][DEBUG]   SSL Connection is going to be closed
[ 2018/06/30 10:00:40 ][SecuExtender Agent][ERROR]   user login device failed (0x0)
[ 2018/06/30 10:00:40 ][SecuExtender Agent][DEBUG]   SSL Connection is going to be closed
[ 2018/06/30 10:00:40 ][SecuExtender Agent][DETAIL]  Connection ends.

the account Ascii log successful but at 10:00:40 I received the errore "Can't get authentication token" ! What's is authentication token ?
the strange thing is that maybe after one day everything works regularly, tested even for 10 consecutive hours of open and working tunnel. Then just close the ssl vpn and retentive, I constantly receive this error.
«13

Comments

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    Hi @StefanoP,
    We fixed this issue at latest firmware.  What is your device model?
    I will send you the firmware via private message.
  • StefanoP
    StefanoP Posts: 2  Freshman Member
    First Comment Fifth Anniversary
    Hi, three model in the same situation : USG 310, USG 210 and USG 110
    Thank !!!
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    Hi @StefanoP,
    I sent you firmware via private message, please have a check.


  • Enrico
    Enrico Posts: 2  Freshman Member
    First Comment
    Hi,

      I'm experiencing the same issue on a ZyWall USG 20 firmware 3.30 BDQ8.
    Will the upgrade to 3.30(BDQ9)C0 solve this problem?

     Thanks in advance.

    Enrico

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,378  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @Enrico

    Can you describe more detail about what issue had you met? Also SSL VPN establish problem?


  • Enrico
    Enrico Posts: 2  Freshman Member
    First Comment
    The behavior is the same as the one mentioned above by StefanoP; I'll attach a log for you to check, just in case.
    The newest firmware available didn't solve the issue.

    ################################################################################################<br>[ 2018/08/28 09:02:51 ][SecuExtender Agent][DETAIL]  Build Datetime: Dec 22 2016/15:25:36<br>[ 2018/08/28 09:02:51 ][SecuExtender Agent][DEBUG]   SecuExtender.log: C:\Users\enric\SecuExtender.log<br>[ 2018/08/28 09:02:51 ][SecuExtender Agent][DEBUG]   osvi.dwPlatformId = 2, osvi.dwMajorVersion = 6, osvi.dwMinorVersion = 2<br>[ 2018/08/28 09:02:51 ][SecuExtender Agent][DEBUG]   interface guid: {38E0BB58-BF16-4717-B151-B75FE0818F7B}, idx: 19<br>[ 2018/08/28 09:02:51 ][SecuExtender Agent][DEBUG]   tBuf : (\DEVICE\TCPIP_{38E0BB58-BF16-4717-B151-B75FE0818F7B})<br>[ 2018/08/28 09:02:51 ][SecuExtender Agent][DEBUG]   network name got, idx: 4<br>[ 2018/08/28 09:04:02 ][SecuExtender Agent][DETAIL]  Checking service (first) ...<br>[ 2018/08/28 09:04:02 ][SecuExtender Agent][DETAIL]  SecuExtender Helper is running<br>[ 2018/08/28 09:04:02 ][SecuExtender Agent][DETAIL]  Try to connect to SecuExtender Helper<br>[ 2018/08/28 09:04:02 ][SecuExtender Agent][DETAIL]  SecuExtender Helper is connected<br>[ 2018/08/28 09:04:02 ][SecuExtender Agent][INFO]    [***********] try to login ************<br>[ 2018/08/28 09:04:03 ][SecuExtender Agent][INFO]    Connect to *****************<br>[ 2018/08/28 09:04:03 ][SecuExtender Agent][INFO]    Local address is 2886755499<br>[ 2018/08/28 09:04:03 ][SecuExtender Agent][DEBUG]   Connect success.<br>[ 2018/08/28 09:04:03 ][SecuExtender Agent][DETAIL]  Handshake LoopCounter: 0<br>[ 2018/08/28 09:04:04 ][SecuExtender Agent][DETAIL]  994 bytes of handshake data received<br>[ 2018/08/28 09:04:04 ][SecuExtender Agent][DETAIL]  InitializeSecurityContext returns 0x90312<br>[ 2018/08/28 09:04:04 ][SecuExtender Agent][DETAIL]  Send 190 bytes of handshake data<br>[ 2018/08/28 09:04:04 ][SecuExtender Agent][DETAIL]  Handshake LoopCounter: 1<br>[ 2018/08/28 09:04:04 ][SecuExtender Agent][DETAIL]  258 bytes of handshake data received<br>[ 2018/08/28 09:04:04 ][SecuExtender Agent][DETAIL]  InitializeSecurityContext returns 0x0<br>[ 2018/08/28 09:04:04 ][SecuExtender Agent][DETAIL]  SSL Handshake is successful<br>[ 2018/08/28 09:04:04 ][SecuExtender Agent][DETAIL]  STREAM_SIZE: Header: 13	Trailer: 16, MaxMessage: 16384<br>[ 2018/08/28 09:04:04 ][SecuExtender Agent][DETAIL]  Protocol: TLS1.2<br>[ 2018/08/28 09:04:05 ][SecuExtender Agent][DETAIL]  Cipher: AES256<br>[ 2018/08/28 09:04:05 ][SecuExtender Agent][DETAIL]  Cipher strength: 256<br>[ 2018/08/28 09:04:05 ][SecuExtender Agent][DETAIL]  Hash: SHA384<br>[ 2018/08/28 09:04:05 ][SecuExtender Agent][DETAIL]  Hash strength: 0<br>[ 2018/08/28 09:04:05 ][SecuExtender Agent][DETAIL]  Key exchange: DH Ephemeral<br>[ 2018/08/28 09:04:05 ][SecuExtender Agent][DETAIL]  Key exchange strength: 1024<br>[ 2018/08/28 09:04:05 ][SecuExtender Agent][INFO]    Server subject: CN=usg20_107BEF32BCF1<br>[ 2018/08/28 09:04:05 ][SecuExtender Agent][INFO]    Server issuer: CN=usg20_107BEF32BCF1<br>[ 2018/08/28 09:04:05 ][SecuExtender Agent][ERROR]   **** Error 0x800b0109 authenticating server credentials! (0x0)<br>[ 2018/08/28 09:04:07 ][SecuExtender Agent][DETAIL]  SSL session is created<br>[ 2018/08/28 09:04:07 ][SecuExtender Agent][DETAIL]  Can't get authentication token(1)<br>[ 2018/08/28 09:04:07 ][SecuExtender Agent][DEBUG]   SSL Connection is going to be closed<br>[ 2018/08/28 09:04:07 ][SecuExtender Agent][ERROR]   user login device failed (0x0)<br>[ 2018/08/28 09:04:07 ][SecuExtender Agent][DEBUG]   SSL Connection is going to be closed<br>[ 2018/08/28 09:04:07 ][SecuExtender Agent][DETAIL]  Connection ends.


  • bcorning
    bcorning Posts: 3  Freshman Member
    First Comment
    I am having a very similar problem. I can connect when I'm on the same network, but not from an external network. Zyxel USG20W-VPN Firmware V4.32(ABAR.0)

  • bcorning
    bcorning Posts: 3  Freshman Member
    First Comment
    2018-10-23 18:08:20: Viscosity Mac 1.1.7 (1291)
    2018-10-23 18:08:20: Viscosity ZyXEL SSL Engine Started
    2018-10-23 18:08:20: Running on Mac OS X 10.11.6
    2018-10-23 18:08:20: ---------
    2018-10-23 18:08:20: State changed to Connecting
    2018-10-23 18:08:20: Checking reachability status of connection...
    2018-10-23 18:08:20: Connection is reachable. Starting connection attempt.
    2018-10-23 18:08:21: Attempting to resolve server address XX.XXX.XX.XXX
    2018-10-23 18:08:21: Server address resolved to IPv4 address XX.XXX.XX.XXX
    2018-10-23 18:08:21: Requesting authentication token from client
    2018-10-23 18:08:21: No authentication token present, requesting authentication details
    2018-10-23 18:08:21: Requesting authentication token from server
    2018-10-23 18:08:21: Requesting token from XX.XXX.XX.XXX
    2018-10-23 18:08:21: Attempting to establish a connection to the remote server XX.XXX.XX.XXX:443
    2018-10-23 18:08:51: Connection timed out. Remote server did not respond.
    2018-10-23 18:08:51: Authentication attempt aborted
    2018-10-23 18:08:51: State changed to Disconnected
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,376  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Since you create a new post, let's follow up the issue in the new thread. 
  • CDS
    CDS Posts: 16  Freshman Member
    First Comment Fourth Anniversary
    Well, the new Thread seems to cover a different issue.
    I have the "Can't get authentication token" problem an my USG210 running on 4.32(AAPI.0)ITS-WK48-r86397 .
    It there anything newer which fixes this?

Security Highlight