Zyxel USG 110

Options
Raitis
Raitis Posts: 1
edited April 2021 in Security
Hi, 

I have USG 110. We use Zyxel SSL VPN with SecuExtender version 4.0.2 for some users and few versions 4.0.3. Yesterday service was working. Today we have problem that it don't work. 

I have checked configuration, nothing has been changed. 

We have version  V4.32(AAPH.0).

Under service group Default_Allow_WAN_To_ZyWALL there is service HTTPS. 

In SecuExtender log file I see this information: 

[ 2018/10/23 11:56:42 ][SecuExtender Agent][DETAIL]  Checking service (first) ...[ 2018/10/23 11:56:42 ][SecuExtender Agent][DETAIL]  SecuExtender Helper is running[ 2018/10/23 11:56:42 ][SecuExtender Agent][DETAIL]  Try to connect to SecuExtender Helper[ 2018/10/23 11:56:42 ][SecuExtender Agent][DETAIL]  SecuExtender Helper is connected[ 2018/10/23 11:56:42 ][SecuExtender Agent][INFO]    [raitism] try to login ssl.domain.org:442[ 2018/10/23 11:56:42 ][SecuExtender Agent][INFO]    Connect to 1111111111:442[ 2018/10/23 11:56:42 ][SecuExtender Agent][INFO]    Local address is 1111111111[ 2018/10/23 11:56:42 ][SecuExtender Agent][DEBUG]   Connect success.[ 2018/10/23 11:56:42 ][SecuExtender Agent][DETAIL]  Handshake LoopCounter: 0[ 2018/10/23 11:56:42 ][SecuExtender Agent][DETAIL]  2140 bytes of handshake data received[ 2018/10/23 11:56:42 ][SecuExtender Agent][DETAIL]  InitializeSecurityContext returns 0x90312[ 2018/10/23 11:56:42 ][SecuExtender Agent][DETAIL]  Send 126 bytes of handshake data[ 2018/10/23 11:56:42 ][SecuExtender Agent][DETAIL]  Handshake LoopCounter: 1[ 2018/10/23 11:56:42 ][SecuExtender Agent][DETAIL]  274 bytes of handshake data received[ 2018/10/23 11:56:42 ][SecuExtender Agent][DETAIL]  InitializeSecurityContext returns 0x0[ 2018/10/23 11:56:42 ][SecuExtender Agent][DETAIL]  SSL Handshake is successful[ 2018/10/23 11:56:42 ][SecuExtender Agent][DETAIL]  STREAM_SIZE: Header: 13 Trailer: 16, MaxMessage: 16384[ 2018/10/23 11:56:42 ][SecuExtender Agent][DETAIL]  Protocol: TLS1.2[ 2018/10/23 11:56:42 ][SecuExtender Agent][DETAIL]  Cipher: AES256[ 2018/10/23 11:56:42 ][SecuExtender Agent][DETAIL]  Cipher strength: 256[ 2018/10/23 11:56:42 ][SecuExtender Agent][DETAIL]  Hash: SHA384[ 2018/10/23 11:56:42 ][SecuExtender Agent][DETAIL]  Hash strength: 0[ 2018/10/23 11:56:42 ][SecuExtender Agent][DETAIL]  Key exchange: 0xae06[ 2018/10/23 11:56:42 ][SecuExtender Agent][DETAIL]  Key exchange strength: 256[ 2018/10/23 11:56:42 ][SecuExtender Agent][INFO]    Server subject: OU=Domain Control Validated, CN=*.domain.org[ 2018/10/23 11:56:42 ][SecuExtender Agent][INFO]    Server issuer: C=US, [ 2018/10/23 11:56:42 ][SecuExtender Agent][DETAIL]  SSL session is created[ 2018/10/23 11:56:43 ][SecuExtender Agent][DEBUG]   SSL Connection is going to be closed[ 2018/10/23 11:56:43 ][SecuExtender Agent][INFO]    user login device success[ 2018/10/23 11:56:43 ][SecuExtender Agent][INFO]    Creating secure tunnel to ssl.domain.org:442[ 2018/10/23 11:56:43 ][SecuExtender Agent][INFO]    Connect to 1111111111:442[ 2018/10/23 11:56:43 ][SecuExtender Agent][INFO]    Local address is 1111111111[ 2018/10/23 11:56:43 ][SecuExtender Agent][DEBUG]   Connect success.[ 2018/10/23 11:56:43 ][SecuExtender Agent][DETAIL]  Handshake LoopCounter: 0[ 2018/10/23 11:56:44 ][SecuExtender Agent][DETAIL]  2140 bytes of handshake data received[ 2018/10/23 11:56:44 ][SecuExtender Agent][DETAIL]  InitializeSecurityContext returns 0x90312[ 2018/10/23 11:56:44 ][SecuExtender Agent][DETAIL]  Send 126 bytes of handshake data[ 2018/10/23 11:56:44 ][SecuExtender Agent][DETAIL]  Handshake LoopCounter: 1[ 2018/10/23 11:56:44 ][SecuExtender Agent][DETAIL]  274 bytes of handshake data received[ 2018/10/23 11:56:44 ][SecuExtender Agent][DETAIL]  InitializeSecurityContext returns 0x0[ 2018/10/23 11:56:44 ][SecuExtender Agent][DETAIL]  SSL Handshake is successful[ 2018/10/23 11:56:44 ][SecuExtender Agent][DETAIL]  STREAM_SIZE: Header: 13 Trailer: 16, MaxMessage: 16384[ 2018/10/23 11:56:44 ][SecuExtender Agent][DETAIL]  Secure session is created[ 2018/10/23 11:56:44 ][SecuExtender Agent][DETAIL]  Secure session negotiation begin[ 2018/10/23 11:56:44 ][SecuExtender Agent][DETAIL]  stage 1...done[ 2018/10/23 11:56:44 ][SecuExtender Agent][DETAIL]  stage 2...done[ 2018/10/23 11:56:54 ][SecuExtender Agent][ERROR]   timeout (0x0)[ 2018/10/23 11:56:54 ][SecuExtender Agent][ERROR]   Failed to create security tunnel (0x0)[ 2018/10/23 11:56:54 ][SecuExtender Agent][DEBUG]   SSL Connection is going to be closed[ 2018/10/23 11:56:54 ][SecuExtender Agent][INFO]    Connect to 1111111111:442[ 2018/10/23 11:56:54 ][SecuExtender Agent][INFO]    Local address is 1111111111[ 2018/10/23 11:56:54 ][SecuExtender Agent][DEBUG]   Connect success.[ 2018/10/23 11:56:54 ][SecuExtender Agent][DETAIL]  Handshake LoopCounter: 0[ 2018/10/23 11:56:54 ][SecuExtender Agent][DETAIL]  2140 bytes of handshake data received[ 2018/10/23 11:56:54 ][SecuExtender Agent][DETAIL]  InitializeSecurityContext returns 0x90312[ 2018/10/23 11:56:54 ][SecuExtender Agent][DETAIL]  Send 126 bytes of handshake data[ 2018/10/23 11:56:54 ][SecuExtender Agent][DETAIL]  Handshake LoopCounter: 1[ 2018/10/23 11:56:54 ][SecuExtender Agent][DETAIL]  274 bytes of handshake data received[ 2018/10/23 11:56:54 ][SecuExtender Agent][DETAIL]  InitializeSecurityContext returns 0x0[ 2018/10/23 11:56:54 ][SecuExtender Agent][DETAIL]  SSL Handshake is successful[ 2018/10/23 11:56:54 ][SecuExtender Agent][DETAIL]  STREAM_SIZE: Header: 13 Trailer: 16, MaxMessage: 16384[ 2018/10/23 11:56:54 ][SecuExtender Agent][INFO]    logout message has sent[ 2018/10/23 11:56:54 ][SecuExtender Agent][DEBUG]   SSL Connection is going to be closed[ 2018/10/23 11:56:54 ][SecuExtender Agent][DETAIL]  Connection ends.

Could somebody help me, because this service is very crucial for companies users. 

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    If it is related to SecuExtender software, here is FAQ for your reference.


    Some users on the forum also reported the issue as follows. After ZyWALL is upgraded to the latest firmware, the issue is resolved. I will send you the firmware in the private message later.


    If the issue at your site is none of above symptoms, we need more information for troubleshooting.
    The required information will be sent in the private message along with the latest firmware. 
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @Raitis,

     

    Goal:

    Allow SecuExtender clients to access servers in the remote site/company through VPN tunnel.

     

    Here is the topology and example for your reference.

    (lan: 192.168.1.0/24)USG60------IPSec VPN------USG210(lan: 192.168.11.0/24)----PC(192.168.11.33)

     

    SSL VPN client is connected to USG60. SSL VPN pool is 192.168.99.0/24.

    Site to site VPN tunnel is established between USG60 and USG210.

     

    On USG60, create a policy route.

    Source: SSL VPN pool. In this example, SSL VPN pool is 192.168.99.0/24.

    Destination: Remote Subnet. In this example, Remote Subnet is 192.168.11.0/24.

    Next-Hop: site to site VPN tunnel.


    Add 192.168.11.0/24 into Network List.

    On USG210, create a policy route.

    Source: LAN subnet. In this example, USG210's LAN subnet is 192.168.11.0/24.

    Destination: USG60's SSL VPN pool. In this example, USG60's SSL VPN pool is 192.168.99.0/24.

    Next-Hop: site to site VPN tunnel. 


    Test result

    SSL VPN client is connected to USG60 and gets IP 192.168.99.1.

    Ping USG60's LAN successfully.

    Ping 8.8.8.8 successfully.

    Ping USG210's LAN PC 192.168.11.33 successfully.

Security Highlight