SSL VPN Not Working Post ATP200/800 Firmware Upgrade

NEP
NEP Posts: 74  Ally Member
edited August 2022 in Security
This morning I was logged into our ATP800 via SSL VPN and then RDPed into my PC to run server updates. They were mostly completed, so I moved on to updating the firmware on our routers.

I started with a remote site (ATP200) and the upgrade went fine. All devices there were accessible afterwards. Moved on to the local site (ATP800, VPNed into this router all morning). It took a little while to restart, but I finally was able to hit the login page. That page is always visible but login is blocked if your public IP isn't added to the router. Anyway, I tried to VPN in but it wouldn't work. It just quickly disconnected. Checked the logs and it shows the following.

[ 2022/08/13 22:11:31 ][SecuExtender Agent][DETAIL]  SSL session is created
...
[ 2022/08/13 22:11:31 ][SecuExtender Agent][DETAIL]  Can't get authentication token(1)
[ 2022/08/13 22:11:31 ][SecuExtender Agent][DEBUG]   SSL Connection is going to be closed
[ 2022/08/13 22:11:31 ][SecuExtender Agent][ERROR]   user login device failed (0x0)
[ 2022/08/13 22:11:31 ][SecuExtender Agent][DEBUG]   SSL Connection is going to be closed
[ 2022/08/13 22:11:31 ][SecuExtender Agent][DETAIL]  Connection ends.

I don't know what could have happened, so I'm looking for a little guidance. It was working, then 10 minutes later, it wasn't. No config changes, aside from the upgrade. Anyway, I haven't attempted to roll back to the old firmware, but it's seeming like that is what I'll have to do. I read the release notes beforehand (didn't notice any gotchas) and then made a config backup before the upgrade. Thankfully we have a third site which I hadn't upgraded yet. I can VPN there and then get to my computer.

As a little more info, the ATP800 upgrade was from "5.30(ABIQ.0)" to "5.31(ABIQ.0)" and the ATP200 was from "5.30(ABFW.0)" to "5.31(ABFW.0)". Neither being a major upgrade, at least in my mind :-)

This isn't my first Zyxel router upgrade, but it certainly is the first time I've had "major" trouble. Hopefully there is a simple fix. Let me know if you need any other info and thank you for your time!

Best Answers

  • NEP
    NEP Posts: 74  Ally Member
    Answer ✓
    Using a limited-admin user is definitely not the solution. If you look under User/Group you'll notice that we have two admins and the rest are simply users. The limited-admin was created special for you guys to access the portal. Also, we don't use the admin users to connect with the VPN. That was disabled when you guys rolled out v5.00 I believe.

    That said, based on your screenshot, I was able to get connected. The issue being that I was using 9999 instead of 9998. However, this is not a solution either because prior to the upgrade to v5.31 and v5.32, port 9999 connected as expected. Why is it now broken with these updates? Is it not standard practice to use the same port? This is how the outside networking firm originally hooked it up.

    Again, this would seem related to "[Bug Fix] eITS#220701020 - SSL VPN client for macOS is not connected if HTTPS port and SSL VPN server port are not identical."
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,249  Zyxel Employee
    Answer ✓
    Hi @NEP

    It is the same symptom as eITS#220701020. On v.5.30 firmware you can establish an SSL VPN connection via the device Web-GUI port as well as the SSL VPN server port. Once you update to v.5.32 firmware, you can only use the SSL VPN server port to establish SSL VPN, such as the specific port 9998 below.


    The default port is still 443 in v.5.32 firmware.


    Thanks.


    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community
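Added example (not from the thread or from Zyxel): a small Python triage of the SecuExtender client log format quoted in the first post. It flags sessions where TLS came up but the authentication-token fetch failed, the signature seen in this thread when the client pointed at port 9999 rather than the SSL VPN server port 9998; the second session in the sample and the verdict labels are constructed.

```python
import re
from datetime import datetime

# First session: lines quoted in the thread. Second session: constructed.
SAMPLE_LOG = """\
[ 2022/08/13 22:11:31 ][SecuExtender Agent][DETAIL]  SSL session is created
...
[ 2022/08/13 22:11:31 ][SecuExtender Agent][DETAIL]  Can't get authentication token(1)
[ 2022/08/13 22:11:31 ][SecuExtender Agent][DEBUG]   SSL Connection is going to be closed
[ 2022/08/13 22:11:31 ][SecuExtender Agent][ERROR]   user login device failed (0x0)
[ 2022/08/13 22:11:31 ][SecuExtender Agent][DETAIL]  Connection ends.
[ 2022/08/13 22:15:02 ][SecuExtender Agent][DETAIL]  SSL session is created
[ 2022/08/13 22:19:40 ][SecuExtender Agent][DETAIL]  Connection ends.
"""

LINE_RE = re.compile(
    r"^\[\s*(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\s*\]\[([^\]]+)\]\[(\w+)\]\s+(.*)$")

def parse(text):
    """Yield (timestamp, level, message); skip elisions and blank lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            yield ts, m.group(3), m.group(4).strip()

def triage(text):
    """Group lines into sessions and classify each one."""
    results, current = [], None
    for ts, level, msg in parse(text):
        if msg == "SSL session is created":
            current = {"start": ts, "seconds": 0, "verdict": "ok"}
            results.append(current)
        if current is None:
            continue  # line outside any session
        current["seconds"] = int((ts - current["start"]).total_seconds())
        if msg.startswith("Can't get authentication token"):
            # TLS handshake succeeded but the VPN login endpoint did not
            # answer: verify the client targets the SSL VPN server port.
            current["verdict"] = "tls_ok_token_failed"
        elif level == "ERROR" and current["verdict"] == "ok":
            current["verdict"] = "error"
        if msg == "Connection ends.":
            current = None
    return results

if __name__ == "__main__":
    for s in triage(SAMPLE_LOG):
        print(s["start"], f'{s["seconds"]}s', s["verdict"])
```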

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,249  Zyxel Employee
    Answer ✓
    NEP said:
    @Zyxel_Jeff Or is that what "[Bug Fix] eITS#220500690 a. Fix: SSLVPN service port keeps using the original port after manually customized it" indicates?
    Yes, you are correct. We fixed it in V.5.31 firmware; the purpose is to differentiate the SSL VPN port and the HTTPS web-GUI port. Besides, we encourage our customers to differentiate those two ports for better security protection. Please refer to this guide - Best Practices to Secure a Distributed Network Infrastructure.


    Thanks B) .




All Replies

  • I faced a similar issue. Looking forward to getting help.  :/
  • NEP
    NEP Posts: 74  Ally Member
    I hadn't tried restarting the router before the initial post, but did so now to be thorough. It didn't help!
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,249  Zyxel Employee

    Hi @NEP,

    What SSL VPN SecuExtender software version and PC OS are you using?

    Could you check if the MTU size is 1370 (as shown below)?

     


    While this symptom is occurring, are there any logs on the Monitor log page (Web GUI path: Monitor > Log > View Log) that could be observed?

    Could you provide the current device config file of ATP800 and ATP200 to us via private message? 



  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,249  Zyxel Employee
    Hi @NEP

    Moreover, could you update your ATP800 and ATP200 to V5.31 WK31 firmware and then see if it is working? We fixed some SSL VPN issues in the firmware. Thanks.



  • NEP
    NEP Posts: 74  Ally Member
    Hi @Zyxel_Jeff. I'll try the new firmware on those devices after hours (~7PM ET).

    I must say that your first post was rather stock. The only change made was the updated firmware (5.30 to 5.31). No config change or SSL VPN software updates. Can't imagine that there would have been a breaking change between minor builds that would not have been documented in the Release Notes.

    At any rate, I have tested multiple computers. A mix of 4.0.4.0 and 4.0.3.0, but all are showing MTU 1370.

    I'll let you know how the update goes this evening. Thanks!
  • NEP
    NEP Posts: 74  Ally Member
    edited August 2022
    The updated firmware did not work on the ATP200. Same issue. Immediate cancellation of the connection. Same errors in the SecuExtender logs as well. Rolled back to 5.30 and the VPN immediately connected.

    I looked at the Web GUI logs and didn't see anything there either. Did not try the ATP800 as it didn't seem necessary.
  • PeterUK
    PeterUK Posts: 3,460  Guru Member
    Can you make another user with a simple password for testing, set the SSL VPN to use just that user, and see if that works?
  • NEP
    NEP Posts: 74  Ally Member
    I just created a brand new user and added it to the SSL VPN group, but still no change.
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,249  Zyxel Employee
    edited August 2022
    Hi @NEP

    I applied your ATP200 config file and could establish SSL VPN connection on our lab site with 5.31 firmware version, as below:

    I found that Selected User/Group Objects are null, so I created a brand new user "zyxel_test" to verify it. 







    Could you provide your SSL VPN information (URL/account/password) and let Zyxel HQ try to establish an SSL VPN connection to your ATP200 and ATP800 sites to see if it is working?



  • NEP
    NEP Posts: 74  Ally Member
    edited August 2022
    I redacted a bunch of information in the ATP200 config, which was seemingly irrelevant to the issue at hand. This included our users and hashed passwords. I'll send you the details for the test user that you asked me to create earlier via DM. Let's just start with the ATP200 for now.
