SSL VPN Not Working Post ATP200/800 Firmware Upgrade
Ally Member
This morning I was logged into our ATP800 via SSL VPN and then RDPed into my PC to run server updates. They were mostly completed, so I moved on to updating the firmware on our routers.
I started with a remote site (ATP200) and the upgrade went fine. All devices there were accessible afterwards. Moved on to the local site (ATP800, VPNed into this router all morning). It took a little while to restart, but I finally was able to hit the login page. That page is always visible but login is blocked if your public IP isn't added to the router. Anyway, I tried to VPN in but it wouldn't work. It just quickly disconnected. Checked the logs and it shows the following.
I don't know what could have happened, so I'm looking for a little guidance. It was working, then 10 minutes later, it wasn't. No config changes, aside from the upgrade. Anyway, I haven't attempted to roll back to the old firmware, but it's seeming like that is what I'll have to do. I read the release notes beforehand (didn't notice any gotchas) and then made a config backup before the upgrade. Thankfully we have a third site which I hadn't upgraded yet. I can VPN there and then get to my computer.
As a little more info, the ATP800 upgrade was from "5.30(ABIQ.0)" to "5.31(ABIQ.0)" and the ATP200 was from "5.30(ABFW.0)" to "5.31(ABFW.0)". Neither being a major upgrade, at least in my mind :-)
This isn't my first Zyxel router upgrade, but it certainly is the first time I've had "major" trouble. Hopefully there is a simple fix. Let me know if you need any other info and thank you for your time!
I started with a remote site (ATP200) and the upgrade went fine. All devices there were accessible afterwards. Moved on to the local site (ATP800, VPNed into this router all morning). It took a little while to restart, but I finally was able to hit the login page. That page is always visible but login is blocked if your public IP isn't added to the router. Anyway, I tried to VPN in but it wouldn't work. It just quickly disconnected. Checked the logs and it shows the following.
[ 2022/08/13 22:11:31 ][SecuExtender Agent][DETAIL] SSL session is created
...
...
[ 2022/08/13 22:11:31 ][SecuExtender Agent][DETAIL] Can't get authentication token(1)
[ 2022/08/13 22:11:31 ][SecuExtender Agent][DEBUG] SSL Connection is going to be closed
[ 2022/08/13 22:11:31 ][SecuExtender Agent][ERROR] user login device failed (0x0)
[ 2022/08/13 22:11:31 ][SecuExtender Agent][DEBUG] SSL Connection is going to be closed
[ 2022/08/13 22:11:31 ][SecuExtender Agent][DETAIL] Connection ends.
I don't know what could have happened, so I'm looking for a little guidance. It was working, then 10 minutes later, it wasn't. No config changes, aside from the upgrade. Anyway, I haven't attempted to roll back to the old firmware, but it's seeming like that is what I'll have to do. I read the release notes beforehand (didn't notice any gotchas) and then made a config backup before the upgrade. Thankfully we have a third site which I hadn't upgraded yet. I can VPN there and then get to my computer.
As a little more info, the ATP800 upgrade was from "5.30(ABIQ.0)" to "5.31(ABIQ.0)" and the ATP200 was from "5.30(ABFW.0)" to "5.31(ABFW.0)". Neither being a major upgrade, at least in my mind :-)
This isn't my first Zyxel router upgrade, but it certainly is the first time I've had "major" trouble. Hopefully there is a simple fix. Let me know if you need any other info and thank you for your time!
0
Best Answers
-
Using a limited-admin user is definitely not the solution. If you look under User/Group you'll notice that we have two admins and the rest are simply users. The limited-admin was created special for you guys to access the portal. Also, we don't use the admin users to connect with the VPN. That was disabled when you guys rolled out v5.00 I believe.
That said, based on your screenshot, I was able to get connected. The issue being that I was using 9999 instead of 9998. However, this is not a solution either because prior to the upgrade to v5.31 and v5.32, port 9999 connected as expected. Why is it now broken with these updates? Is it not standard practice to use the same port? This is how the outside networking firm originally hooked it up.
Again, this would seem related to "[Bug Fix] eITS#220701020 - SSL VPN client for macOS is not connected if HTTPS port and SSL VPN server port are not identical."0 -
Hi @NEP
It is the same symptom on eITS#220701020, on v.5.30 firmware you can establish an SSL VPN connection via the device Web-GUI port and SSL VPN server port as well. Once you update to v.5.32 firmware, only can use the SSL VPN server port to establish SSL VPN, such as the below specific port 9998.
The default port is still 443 in v.5.32 firmware.
Thanks.
Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP! https://bit.ly/2024_Survey_Community
0 -
Yes, you are correct. We fixed it on V.5.31 firmware, the purpose is to differentiate SSL VPN and HPPTs web-GUI port. Besides, we encourage our customers to differentiate those two ports for better security protection. Please refer to this guide - Best Practices to Secure a Distributed Network Infrastructure.NEP said:@Zyxel_Jeff Or is that what "[Bug Fix] eITS#220500690 a. Fix: SSLVPN service port keeps using the original port after manually customized it" indicates?
Thanks
.
Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP! https://bit.ly/2024_Survey_Community
0
Zyxel Employee
All Replies
-
I faced a similar issue. Looking forward to getting help.
0 -
I hadn't tried restarting the router before the initial post, but did so now to be thorough. It didn't help!0
-
Hi @NEP,
What SSL VPN SecuExtender software version and PC OS you are using?
Could you check if the MTU size is 1370(as the below)?
While this symptom occurring, are there any logs on the Monitor log page(Web GUI path: Monitor > Log > View Log) that could be observed?
Could you provide the current device config file of ATP800 and ATP200 to us via private message?
Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP! https://bit.ly/2024_Survey_Community
0 -
Hi @NEP
Moreover, could you update V5.31 WK31 firmware to your ATP800 and ATP200 then to see if it is working? We fixed some SSL VPN issues in the firmware. Thanks.
Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP! https://bit.ly/2024_Survey_Community
0 -
Hi @Zyxel_Jeff. I'll try the new firmware on those devices after hours (~7PM ET).
I must say that your first post was rather stock. The only change made was the updated firmware (5.30 to 5.31). No config change or SSL VPN software updates. Can't imagine that there would have been a breaking change between minor builds that would not have been documented in the Release Notes.
At any rate, I have tested multiple computers. A mix of 4.0.4.0 and 4.0.3.0, but all are showing MTU 1370.
I'll let you know how the update goes this evening. Thanks!0 -
The updated firmware did not work on the ATP200. Same issue. Immediate cancellation of the connection. Same errors in the SecuExtender logs as well. Rolled back to 5.30 and the VPN immediately connected.
I looked at the Web GUI logs and didn't see anything there either. Did not try the ATP800 as it didn't seem necessary.
0 -
Can make another user with simple password for testing and set for the SSL VPN with just that user and see if that works.0
-
I just created a brand new user and added it to the SSL VPN group, but still no change.0
-
Hi @NEP
I applied your ATP200 config file and could establish SSL VPN connection on our lab site with 5.31 firmware version, as below:
I found that Selected User/Group Objects are null, so I created a brand new user "zyxel_test" to verify it.
Could you provide your SSL VPN information(URL/account/password) and let Zyxel HQ try to establish SSL VPN connection to your ATP200 and ATP800 sites to see if it is working?
Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP! https://bit.ly/2024_Survey_Community
1 -
I redacted a bunch of information in the ATP200 config, which was seemingly irrelevant to the issue at hand. This included our users and hashed passwords. I'll send you the details for the test user that you asked me to create earlier via DM. Let's just start with the ATP200 for now.0
Guru Member
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 144 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 237 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 246 Service & License
- 383 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight
