SSL VPN Not Working Post ATP200/800 Firmware Upgrade

NEP
NEP Posts: 19
First Comment Friend Collector
 Freshman Member
edited August 14 in Security
This morning I was logged into our ATP800 via SSL VPN and then RDPed into my PC to run server updates. They were mostly completed, so I moved on to updating the firmware on our routers.

I started with a remote site (ATP200) and the upgrade went fine. All devices there were accessible afterwards. Moved on to the local site (ATP800, VPNed into this router all morning). It took a little while to restart, but I finally was able to hit the login page. That page is always visible but login is blocked if your public IP isn't added to the router. Anyway, I tried to VPN in but it wouldn't work. It just quickly disconnected. Checked the logs and it shows the following.

[ 2022/08/13 22:11:31 ][SecuExtender Agent][DETAIL]  SSL session is created
...
[ 2022/08/13 22:11:31 ][SecuExtender Agent][DETAIL]  Can't get authentication token(1)
[ 2022/08/13 22:11:31 ][SecuExtender Agent][DEBUG]   SSL Connection is going to be closed
[ 2022/08/13 22:11:31 ][SecuExtender Agent][ERROR]   user login device failed (0x0)
[ 2022/08/13 22:11:31 ][SecuExtender Agent][DEBUG]   SSL Connection is going to be closed
[ 2022/08/13 22:11:31 ][SecuExtender Agent][DETAIL]  Connection ends.

I don't know what could have happened, so I'm looking for a little guidance. It was working, then 10 minutes later, it wasn't. No config changes, aside from the upgrade. Anyway, I haven't attempted to roll back to the old firmware, but it's seeming like that is what I'll have to do. I read the release notes beforehand (didn't notice any gotchas) and then made a config backup before the upgrade. Thankfully we have a third site which I hadn't upgraded yet. I can VPN there and then get to my computer.

As a little more info, the ATP800 upgrade was from "5.30(ABIQ.0)" to "5.31(ABIQ.0)" and the ATP200 was from "5.30(ABFW.0)" to "5.31(ABFW.0)". Neither being a major upgrade, at least in my mind :-)

This isn't my first Zyxel router upgrade, but it certainly is the first time I've had "major" trouble. Hopefully there is a simple fix. Let me know if you need any other info and thank you for your time!
«1

All Replies

  • I faced a similar issue. Looking forward to getting help.  :/
  • NEP
    NEP Posts: 19
    First Comment Friend Collector
     Freshman Member
    I hadn't tried restarting the router before the initial post, but did so now to be thorough. It didn't help!
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 338
    25 Answers First Comment Friend Collector First Anniversary
     Master Member

    Hi @NEP,

    What SSL VPN SecuExtender software version and PC OS you are using?

    Could you check if the MTU size is 1370(as the below)?

     


    While this symptom occurring, are there any logs on the Monitor log page(Web GUI path: Monitor > Log > View Log) that could be observed?

    Could you provide the current device config file of ATP800 and ATP200 to us via private message? 

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 338
    25 Answers First Comment Friend Collector First Anniversary
     Master Member
    Hi @NEP

    Moreover, could you update V5.31 WK31 firmware to your ATP800 and ATP200 then to see if it is working? We fixed some SSL VPN issues in the firmware. Thanks.

  • NEP
    NEP Posts: 19
    First Comment Friend Collector
     Freshman Member
    Hi @Zyxel_Jeff. I'll try the new firmware on those devices after hours (~7PM ET).

    I must say that your first post was rather stock. The only change made was the updated firmware (5.30 to 5.31). No config change or SSL VPN software updates. Can't imagine that there would have been a breaking change between minor builds that would not have been documented in the Release Notes.

    At any rate, I have tested multiple computers. A mix of 4.0.4.0 and 4.0.3.0, but all are showing MTU 1370.

    I'll let you know how the update goes this evening. Thanks!
  • NEP
    NEP Posts: 19
    First Comment Friend Collector
     Freshman Member
    edited August 17
    The updated firmware did not work on the ATP200. Same issue. Immediate cancellation of the connection. Same errors in the SecuExtender logs as well. Rolled back to 5.30 and the VPN immediately connected.

    I looked at the Web GUI logs and didn't see anything there either. Did not try the ATP800 as it didn't seem necessary.
  • PeterUK
    PeterUK Posts: 1,444
    50 Answers 1000 Comments Friend Collector Fifth Anniversary
     Guru Member
    Can make another user with simple password for testing and set for the SSL VPN with just that user and see if that works. 
  • NEP
    NEP Posts: 19
    First Comment Friend Collector
     Freshman Member
    I just created a brand new user and added it to the SSL VPN group, but still no change.
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 338
    25 Answers First Comment Friend Collector First Anniversary
     Master Member
    edited August 19
    Hi @NEP

    I applied your ATP200 config file and could establish SSL VPN connection on our lab site with 5.31 firmware version, as below:

    I found that Selected User/Group Objects are null, so I created a brand new user "zyxel_test" to verify it. 







    Could you provide your SSL VPN information(URL/account/password) and let Zyxel HQ try to establish SSL VPN connection to your ATP200 and ATP800 sites to see if it is working?

  • NEP
    NEP Posts: 19
    First Comment Friend Collector
     Freshman Member
    edited August 17
    I redacted a bunch of information in the ATP200 config, which was seemingly irrelevant to the issue at hand. This included our users and hashed passwords. I'll send you the details for the test user that you asked me to create earlier via DM. Let's just start with the ATP200 for now.

Security Highlight