NXC2500 not accessible after failed upgrade

FrankLauer Posts: 49  Freshman Member

Hello,

I tried to upgrade one of our NXC2500 controllers from 5.x up to 6.10 from here: https://support.zyxel.eu/hc/de/articles/5741937172370

Unfortunately this link may not have been a firmware upgrade but rather a kind of fix. The firmware upgrade failed and the SYS LED was blinking red.

After that the controller was no longer accessible by LAN. I did a factory reset by pressing the reset button, but no luck.

The controller is booting normally but I can't access it on 192.168.1.1 neither by SSH nor by Web GUI and no Ping.

However I have access to the console with serial cable. I can log in with default password 1234 and can't see any special errors. The config file is set back to factory default.

Fun fact: From the console I can ping outside to other devices in 192.168.1.x and if I set a gateway I can ping into the internet, e.g. 8.8.8.8.

What do I need to do?

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 1,667  Zyxel Employee

    Hi @FrankLauer,

    The SYS LED blinking red means the NXC2500 is upgrading firmware. I used the firmware from your link to upgrade, and the upgrade succeeded. I can also access the NXC2500.

    Since you have reset the NXC2500, I would like to clarify some details with you:

    1. What IP address did your PC have when you tried to log in to the NXC2500?
    2. The NXC2500 doesn't enable the DHCP server by default. So, after resetting the NXC2500, your PC might not have an IP address or get the IP address from another DHCP server, and the IP range might be different from 192.168.1.0/24 subnet. Please use the ZON utility to find the NXC2500 and its IP address to log in. The download link is below:
    3. Or you can set a static IP address, 192.168.1.100, for your PC and try to log in.

    Zyxel Melen

  • FrankLauer
    FrankLauer Posts: 49  Freshman Member

    I'm in a 192.168.1.0/24 network of its own, used only for setting up Zyxel devices. My PC is 192.168.1.10 and the gateway 192.168.1.2.

    When I ping from the NXC2500 CLI (connected by serial cable) I can ping the PC and gateway successfully. Looking with Wireshark I can see the ICMP traffic from 192.168.1.1 to 192.168.1.10.

    But if I ping from 192.168.1.10 to 192.168.1.1, the NXC isn't responding to the ICMP requests nor to other requests, e.g. HTTP or HTTPS.

  • Zyxel_Melen
    Zyxel_Melen Posts: 1,667  Zyxel Employee

    Hi @FrankLauer,

    Thanks for your feedback. Since you can access the NXC2500 via serial cable, could you help to dump some information? Please enter these commands to dump:

    1. show version
    2. show interface all
    3. show running-config

    Thanks in advance.

    Zyxel Melen

  • FrankLauer
    FrankLauer Posts: 49  Freshman Member

    Here it is:

  • Zyxel_Melen
    Zyxel_Melen Posts: 1,667  Zyxel Employee

    Hi @FrankLauer,

    Thanks for the configuration file. After checking, I found there's no policy that blocks access to the device or ping. Since you mentioned you reset the NXC2500, could you help to isolate the NXC2500, connect only a PC to the NXC2500, and access it again? I would like to clarify if there was an IP conflict.

    Zyxel Melen

  • FrankLauer
    FrankLauer Posts: 49  Freshman Member

    That's normally what I do as a first step, connecting the laptop with 192.168.1.10 to a Zyxel device for setup.

    With this setting I attach 3 files:

    CLI messages while booting

    Network capture while booting

    Network capture while sending a ping from NXC to laptop (192.168.1.1 to 192.168.1.10) with ICMP response, and a ping from laptop to NXC (192.168.1.10 to 192.168.1.1) without response.

    Hint: You need to remove the .txt extension from the capture file names because I couldn't upload .pcapng files.

    Thank you for your help.

  • Zyxel_Melen
    Zyxel_Melen Posts: 1,667  Zyxel Employee

    Hi @FrankLauer,

    Thanks for these packets and the boot log.

    I found the NXC was trying to use the vulnerability firmware to boot up, but somehow the device uses the older firmware. I'm checking more details from the boot log and might need a remote PC to access your NXC. Once I finish checking, I will send a private message to request the remote.

    Zyxel Melen