Does the USG FLEX Series have Port Forwarding problems?


All Replies

  • PaoloFracas
    PaoloFracas Posts: 54  Ally Member
    First Comment Friend Collector First Anniversary
    edited November 2022 Answer ✓
    LATEST TESTS

    Today I tried to reboot starting from the partition with the Beta Firmware (I backed up the active configuration with the consolidated firmware first).
    Like the last attempt, booting from the "Beta" Partition returned the configuration to the factory condition.

    As an example I report the screenshot of the Policy Firewall.

    At this point I loaded the consolidated firmware active configuration and successfully applied it.


    I then modified the Firewall Rule to allow communication with only TCP port 6281 between Remote NAS (Source) and local NAS (Destination) and successfully performed 3 consecutive backups (Hyper Backup Synology).



    Once the backups were tested, I rebooted using the Partition with the consolidated Firmware.
    I then checked if the change to the Firewall Rule related to Backup had been retained.
    This was not the case, the "Service" field had the value "Any" while with the Beta Firmware it was set to "TCP_6281".
    The impression is that the two Firewall Partitions work with different Configuration Cards which generates the problem of loading the factory configuration for the Beta Firmware.
    To be safe, I successfully restored the last Configuration Backup and performed a NAS Backup.
    I still have to verify (I didn't have more time) if after restoring and modifying the configuration of the consolidated firmware with the Beta Partition, restarting with the latter, the definitive configuration is maintained or the factory one is restored.

    To conclude...
    The new firmware seems to work but there are some critical issues in terms of configurations.

    I'm out of the office tomorrow so it will be impossible for me to run new tests.

    Best Regards

    Paolo Fracas
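The post above describes a rule whose "Service" field read "TCP_6281" under one firmware partition and "Any" under the other. The following is an added example, not part of the original post and not Zyxel code: it compares two configuration snapshots taken before and after a partition switch and reports rules that changed or widened. The snapshot format, the rule names and the function names are constructed for illustration and are not the device's real export syntax.

```python
import re

# Constructed, simplified snapshots (NOT real Zyxel export syntax): one
# "policy <name>" header followed by indented "key value" lines.
BEFORE = """\
policy NAS_Backup
  source Remote_NAS
  destination Local_NAS
  service TCP_6281
  action allow
policy LAN_Outgoing
  source LAN1
  destination any
  service any
  action allow
"""
# Snapshot after the partition switch: the backup rule's service reverted to "any".
AFTER = BEFORE.replace("service TCP_6281", "service any")

def parse_policies(text):
    """Return {policy_name: {key: value}} from the simplified format above."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        header = re.match(r"policy\s+(\S+)$", line)
        if header:
            current = policies.setdefault(header.group(1), {})
        elif current is not None and raw[:1].isspace():
            key, _, value = line.strip().partition(" ")
            current[key] = value.strip()
    return policies

def policy_drift(before, after, fields=("source", "destination", "service", "action")):
    """List (policy, field, old, new) for every difference, missing rules included."""
    old, new = parse_policies(before), parse_policies(after)
    drift = []
    for name in sorted(set(old) | set(new)):
        for field in fields:
            a = old.get(name, {}).get(field, "<absent>")
            b = new.get(name, {}).get(field, "<absent>")
            if a != b:
                drift.append((name, field, a, b))
    return drift

def widened(drift):
    """Changes where a restricted value became 'any' (the case in this thread)."""
    return [d for d in drift if d[3].lower() == "any" and d[2].lower() != "any"]
```

An empty "after" snapshot, as with a fallback to factory defaults, shows every rule as `<absent>` in `policy_drift`, which separates a full reset from a single widened rule.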


  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,250  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary
    (2). Did the boot status appear "Fallback to system default configuration" when fallback to V5.32 firmware?



    A question... Is it normal that the "MAINTENANCE - File Manager - Configuration File - Configuration" tab is completely different depending on the firmware partition from which you boot?
    Best Regards

    Paolo Fracas

    Hi @PaoloFracas

    It's abnormal behavior, we consider it might be related to config conflict. Once this symptom occurs again, please collect the diag-info log and then provide it to us. Thanks.


    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,250  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary





    To conclude...
    The new firmware seems to work but there are some critical issues in terms of configurations.

    I'm out of the office tomorrow so it will be impossible for me to run new tests.

    It looks like the data transfer rate is more stable than before and we think that there might be a potential config conflict on the device, you can monitor it for a few days. Once this symptom occurs again, please collect the diag-info log and then provide it to us. Thanks for your verifications so far :) .







  • PaoloFracas
    PaoloFracas Posts: 54  Ally Member
    First Comment Friend Collector First Anniversary
    Hi Jeff,
    the data transfer rate is absolutely stable.
    What do you mean when you say "Once this symptom occurs again"?
    I think that the only way to check the symptom is to upload a firmware more updated than the beta one.
    That at the moment is not available.
    I think.
    It seems that the "stable firmware" works with a configurations folder and the "beta firmware" with another configurations folder.
    Is it possible?
    I need to check the restart with the "beta firmware" to be sure.
    Could you please explain to me how to collect the "diag-info log"?
    On Monday I will do all the tests including verifying the customer backup with the beta firmware.
    Best Regards

    Paolo Fracas
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,250  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary

    Hi Jeff,
    the data transfer rate is absolutely stable.
    What do you mean when you say "Once this symptom occurs again"?
    I mean when the device shows the status below:


    It seems that the "stable firmware" works with a configurations folder and the "beta firmware" with another configurations folder.
    Is it possible?
    It might be a possible cause but needs to do more checks.

    Could you please explain to me how to collect the "diag-info log"?
    You can go to MAINTENANCE > Diagnostics > Diagnostics > Controller > Press "Collect Now" button


    Wait for a while (it will take 2~3 mins)...


    Go to "Files" tab to download the diag-info log.





  • PaoloFracas
    PaoloFracas Posts: 54  Ally Member
    First Comment Friend Collector First Anniversary

    I had this state only during the first application of the Beta Firmware.
    After I was able to load it into the Standby Partition the problem no longer occurred except with the application of the two configurations which are not loaded with either the consolidated firmware or the beta version.
    Do you need that I collect the "diag-info log" between the switching from consolidate and beta firmware Partition?
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,250  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary
    Hi @PaoloFracas

    Do you need that I collect the "diag-info log" between the switching from consolidate and beta firmware Partition?
    Currently, we don't need it. We prefer when the next time it occurs "Fall back to lastgood configuration" symptom then to collect the diag-info log for us.  So, we suggest you could monitor the USG Flex 100 for a few days. Thanks.



  • PaoloFracas
    PaoloFracas Posts: 54  Ally Member
    First Comment Friend Collector First Anniversary
    I confirm that the beta firmware works with a different configuration folder than the consolidated firmware.
    Verification with Customer Backup was successful so the Firewall problem with TCP port 6281 would seem to be solved.

    So, we suggest you could monitor the USG Flex 100 for a few days. Thanks.
    I honestly don't understand why problems should arise in the next few days.
    In my opinion the problem should occur during the next firmware update and in this sense I have taken steps to disable the "Auto Update" option to avoid surprises.
    Remember that we are talking about a Firewall in a real environment where surprises are unwelcome and above all expensive.

    Best Regards

    Paolo Fracas

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,250  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary
    Dear @PaoloFracas  

    I confirm that the beta firmware works with a different configuration folder than the consolidated firmware.
    Verification with Customer Backup was successful so the Firewall problem with TCP port 6281 would seem to be solved.
    Many thanks for your feedback for us.

    So, we suggest you could monitor the USG Flex 100 for a few days. Thanks.
    I honestly don't understand why problems should arise in the next few days.
    In my opinion the problem should occur during the next firmware update and in this sense I have taken steps to disable the "Auto Update" option to avoid surprises.
    Remember that we are talking about a Firewall in a real environment where surprises are unwelcome and above all expensive.
    It seems a config conflict occurred on your USG Flex 100 previously. We are not sure whether you would apply the config again in the next few days, so we suggest you monitor it during that time. You could pay attention, the next time you apply the config, to whether this symptom appears or not. Besides, the other purpose is to watch the stability of NAT Port Forwarding performance as well. Thanks for your understanding.



  • PaoloFracas
    PaoloFracas Posts: 54  Ally Member
    First Comment Friend Collector First Anniversary
    Between yesterday and today I ran a simulation for an IKEv2 VPN with Client StrongSwan.
    Once the simulation was completed, I restored the backup of the Configuration performed before carrying out the checks.
    The restore was successful.
