SSL VPN user problems

Options

Hello everyone,

I work at a company that does all kinds of IT stuff for dental clinics.
Here we use VPN 100, 110, USG Flex 200 firewalls for our customers with SSL VPN. We have had a problem for over a year now and it doesn't seem to go away no matter what we try, let me explain.

We have 2 scenario's playing, but they both seem to have the same underlying problem.

In the first scenario we set up a vpn account for the user and make sure he/she can use the vpn on his/her computer. After we confirmed that everything is working correctly we log off. Sometimes trouble start the next day, and sometimes in weeks or months there is really no telling when it will happen.
When the connection is not working properly we view the costumer's computer and notice that when you click "Connect" it doesn't prompt with a security message and the taskbar icon instantly turns red, sometimes it takes a long time to load and then turns red.

The second scenario is basically the same as scenario 1 but when you click connect it does come with a prompt. Sometimes it has to load a long time before denying the connection and sometimes it instantly fails.

In both cases when you login to the zywall and go to logs you see that the used SSL VPN accounts have a unknown username or invalid password which is impossible.
We also have one VPN account for ourselves may we ever need to test anything which is using the same password as the admin account does for accessing the firewall. This VPN accounts gets accepted and works just fine, but any other account with a different password gets locked out.

For now the only fix we know of is restarting the device, but doing that everyday is very annoying and the customers really don't like it.
Assigning a different password to one of the accounts does not fix the problem, the firewall log still shows you unknown username or incorrect password however changing the password to the same password as the admin account lets it connect like there is no problem.

All help would be much appreciated,
Thanks in advance!

All Replies

  • PeterUK
    PeterUK Posts: 2,865  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited December 2023
    Options

    My guess would the the user did not disconnect from the VPN and the USG thinks they are still connected?

    See what happens when you “Enable user idle detection” to 1 minute in user/group settings

  • KoenV
    KoenV Posts: 5
    Friend Collector First Comment
    Options

    Right now we have it set to 3 minutes, I tested it again just now but still the same result.
    The user was not in use before I used it to connect

  • PeterUK
    PeterUK Posts: 2,865  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited December 2023
    Options

    I wonder if some ISP block the TCP RST, ACK that might cause this problem....

  • PeterUK
    PeterUK Posts: 2,865  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited December 2023
    Options

    .

  • KoenV
    KoenV Posts: 5
    Friend Collector First Comment
    Options

    Since all our customers are in different locations throughout the country I highly doubt that, also we have tested this by opening everything (not safe ofcourse) but the problem still remains, I am pretty sure it has something to do with the Zyxel firewalls and not something else.

    Probably somewhere today or tomorrow I will have another customer with the same problem, good time to test your vpn, I will keep you posted on that

  • PeterUK
    PeterUK Posts: 2,865  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    are they using the newest SSL_VPN_Client 4.0.5.0 ?

  • KoenV
    KoenV Posts: 5
    Friend Collector First Comment
    Options

    Yes they are using the latest client version. Zywall is also updated to the latest firmware.

  • Zyxel_James
    Zyxel_James Posts: 626  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    I would like to simply clarify the symptoms.

    1. Does it always happen to a specific account? Could you clarify if it's related to the SSL account or the computer?
    2. Do the affected accounts use special characters in the password?
    3. Check if the SSL VPN IP pool is full when the issue occurs. When the IP pool for SSL VPN is full, another account won't be allowed to connect.

    Moreover, we can check the SecuExtender log for further clues.
    C:\SecuExtenderHelper.log
    C:\Users[windows account]\SecuExtender.log

    BTW, I think it's better to directly check on the device when the issue occurs. Is it possible to provide remote access? Please check your inbox for further discussion.

  • KoenV
    KoenV Posts: 5
    Friend Collector First Comment
    Options

    Right now I cannot find a customer having the problems but I doubt it will take longer than a week for some to start experiencing problems again.
    When those come I will check the logs.

  • Zyxel_James
    Zyxel_James Posts: 626  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Got it. Please inform me via private message if the issue occurs again, and remains the symptom. (Don't reboot)

Security Highlight