Slow (unusable) web intreface with one WAN down

Martin_Kuchar
Martin_Kuchar Posts: 38  Freshman Member
First Comment Friend Collector Second Anniversary
edited April 2021 in Security
Hello,

With USG 110 we had a particular problem with admin www interface. One of our wan (WAN2) have had unavailable internet (the error between the gateway and the rest of the world) - no chane to ping anything on the internet, but gateway OK.

As a result, the administrative www interface, accessible through the second wan (WAN1), became unusable. The interface was so slow that it was hardly possible to load the entire www interface page, or it took more than 15 minutes.

Likewise, the USG was unable to serve SSL VPN logging, which (IMHO) uses the same www interface internally.

NAT worked normally. Thanks to one NAT, we could get into the internal network. Interestingly, prom internal LAN, the www administration interface worked normally. Restart USG helped for only a few minutes, then the situation was the same.

The only solutions were manually disabling WAN2 in the www interface. Then, the WAN1 administration interface speed returned to normal speed.

Can anyone explain this USG behavior?  I am afraid we will not be able to simulate again the situation, but we would like to avoid such a disaster in the future.

thank you, Martin Kuchař

Accepted Solution

All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,377  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @Martin_Kuchar

    It looks the traffic trying pass by WAN2 interface, so leads this situation.

    You can add a custom trunk interface which may improve this situation.

    Configuration > Network > Interface > Trunk > Add User Configuration.


    And apply to Default trunk


  • Martin_Kuchar
    Martin_Kuchar Posts: 38  Freshman Member
    First Comment Friend Collector Second Anniversary
    Thank you very much. I will try it at Saturday when people will not working.
    Martin
  • Martin_Kuchar
    Martin_Kuchar Posts: 38  Freshman Member
    First Comment Friend Collector Second Anniversary
    OK.. So.. Results :(
    We tried it tonight. We cannot use "Wan1 active 1", "Wan2 passive 0", because we use both interfaces at once and in users manual in section 10.12 is about the "passive" is only for running as backup interface (not used unless other WANs are dead).
    Because of this, we used now "Wan1 active 1", "Wan2 active 2" (because Wan2 is fastest).

    The problem is the same. As simulation, our provider turned off interface on Wan2's Gateway.
    In USG we see "Wan2 dead" - OK, connect from remote to Wan1 interface was OK for the first 35 minutes after USG reboot. After 35 minutes, the USG login page, requested remotely, loaded 5 minutes, part by part (texts, css, pictures), like with very old 300baud modem.

    I have some more info for you this time:
    1. It is before midnight here, so no traffic on USG - only me and about 50 packets blocked by firewall
    2. CPU almost 0%
    3. RAM around 50%
    4. Nothing interested in logs (and we have all set to debug)
    5. Wan2 is correctly marked as "down"
    6. Access from NATted user to USG interface is still OK !? Especialy this is what i cannot understand. Why the slowdown is only from WAN and not from LAN ? (in case there is only one web server running inside USG)

    Thank you,
    Martin




Categories

Security Highlight


Read more

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)