[ATP/FLEX]How to fix WAN1 for NCAS auth when WAN2 is UP but no internet connection?

Zyxel_Jeff
Zyxel_Jeff Posts: 1,083  Zyxel Employee
edited September 2023 in VPN

Scenario :

In a specific scenario, the USG FLEX/ATP has two WAN interfaces: WAN1 for internet access and WAN2 used only for a special intranet policy and static routes. When WAN1 is used as the IPsec/L2TP remote VPN server and users are authenticated by NCAS (Nebula Cloud Authentication Server), NCAS authentication sometimes fails and the remote VPN cannot be established. In that case you may see the error message "RADIUS: rejecting the user 'e-mail account'".

Answer :

The likely cause is that the Nebula-managed firewall sends some NCAS authentication requests out of the WAN2 interface, because the WAN trunk load-balances across both interfaces using weighted round robin (WRR). WAN2 has no internet connection, so those requests never reach NCAS and the authentication fails.

How to resolve it?

To resolve this problem, follow these steps:

STEP1. Please navigate to Site-wide > Configure > Firewall > Routing > WAN Load Balancing

STEP2. Set the backup interface to WAN2, so that WAN1 is the active interface for outbound traffic (including NCAS authentication) while it is up.
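The following toy model is an added illustration and not Zyxel's own code; the interface names, the 1:1 WRR weights and the "has_internet" flags are constructed assumptions. It shows why a WRR trunk over WAN1 and WAN2 lets a share of NCAS authentications egress the intranet-only WAN2 and fail, while an active/backup trunk keeps them on WAN1 for as long as WAN1 is up.

```python
"""Toy model of WRR vs active/backup WAN trunks for NCAS authentication.
Added illustration (not Zyxel code); interface names, weights and
connectivity flags are constructed assumptions."""
from dataclasses import dataclass, replace
from itertools import cycle


@dataclass(frozen=True)
class Wan:
    name: str
    has_internet: bool   # WAN2 in the scenario is intranet-only
    is_up: bool = True


WAN1 = Wan("wan1", has_internet=True)
WAN2 = Wan("wan2", has_internet=False)   # link is up, but no route to the cloud


def wrr_trunk(wans, weights):
    """Weighted round robin: pick an egress interface per new session."""
    schedule = [w for w, n in zip(wans, weights) for _ in range(n)]
    return cycle(schedule)


def active_backup_trunk(primary, backup):
    """Active/backup: always the primary while it is up, else the backup."""
    while True:
        yield primary if primary.is_up else backup


def ncas_auth_succeeds(egress):
    # NCAS lives in the Nebula cloud, so the request must leave through
    # an interface that is up and has internet connectivity.
    return egress.is_up and egress.has_internet


def run_auths(trunk, attempts):
    """Return (successes, failures) for a number of authentication attempts."""
    ok = sum(ncas_auth_succeeds(next(trunk)) for _ in range(attempts))
    return ok, attempts - ok


def wrr_result(attempts=10):
    # Equal weights: every second request egresses WAN2 and fails.
    return run_auths(wrr_trunk([WAN1, WAN2], [1, 1]), attempts)


def active_backup_result(attempts=10, primary_up=True):
    # WAN1 primary, WAN2 backup; when WAN1 goes down the backup takes over
    # but, having no internet, still cannot reach NCAS.
    primary = replace(WAN1, is_up=primary_up)
    return run_auths(active_backup_trunk(primary, WAN2), attempts)


if __name__ == "__main__":
    print("WRR trunk          (ok, failed):", wrr_result())
    print("active/backup      (ok, failed):", active_backup_result())
    print("active/backup, WAN1 down       :", active_backup_result(primary_up=False))
```

The third case is the caveat a practitioner should keep in mind: active/backup fixes the intermittent failures, but if WAN1 itself goes down the authentication traffic falls over to WAN2 and still cannot reach NCAS, so a WAN1 outage will also take down NCAS-authenticated remote VPN logins.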