Routing rules not failing correctly if interface ping is enabled
VPN300 V5.37(ABFC.2)
So this is the setup, only with more rules.
Without the VPN300 interface ping check on VLAN443, when I block from VLAN443 to VLAN443 on the Zywall 110, the rules disable correctly; then when I remove the block, the rules come back online.
But if I have the VPN300 ping check on interface VLAN443 to no-ip.org and bounceme.net (with "any one responds"), and I then block on the Zywall 110 from VLAN443 to OPT to fail the check, then after some time unblock it, then block VLAN443 to VLAN443, the three rules do not fail: all three stay up and do not disable. The rules then have to be disabled/enabled to fail the check, after disabling the interface VLAN443 ping check.
All Replies
VPN300 V5.37(ABFC.2)
I've never seen that firmware version; currently USG Flex are on 5.38, so maybe a "version definition" is now splitting? IDK.
Yes, it might be the last firmware for the VPN models, which are being EOL'd, but the problem should also happen on current models.
Can you see probe traffic sent from the VPN300 or received on the Zywall 110?
And what are your check period, timeout and tolerance?
Yes, I see the traffic allowed, then I block it for testing. With both the routing ping check and the interface ping check, the problem is that they can't both be enabled, or it causes the VPN300 routing ping check not to fail: after you fail the interface ping check, then re-enable it, then fail the routing ping, which should fail, the routing ping check does not fail correctly while the interface ping check is enabled, once you have failed it once.
I have the ping check set as:
ping 5 seconds
timeout 1 second
tolerance 2
Looking at the traffic, when I block on the Zywall 110 from VLAN443 to OPT to fail the check and then after some time unblock it, the routing ping check stops sending pings altogether.
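The settings above (a 5 second probe period, 1 second timeout and a tolerance of 2) are the whole of what the thread says about how the connectivity check is configured. The following is an added example, not code from the thread or from Zyxel firmware, showing the behaviour a practitioner would expect from those settings and a simple way to spot the symptom being reported (the check going silent). It assumes that "tolerance" means the number of consecutive failed probes before the policy route is marked inactive and that one successful probe reactivates it; the thread does not state the firmware's exact semantics, so both are labelled assumptions. The probe timestamps and RTTs are constructed sample data.

```python
"""Connectivity-check state machine and probe-silence detector.

Added example, not part of the forum thread or any Zyxel firmware.
ASSUMPTION: "tolerance" = number of consecutive failed probes before the
policy route is marked inactive; a single successful probe reactivates it.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ConnCheck:
    """Models one policy-route connectivity check with the poster's settings."""
    period: float = 5.0      # seconds between probes
    timeout: float = 1.0     # a reply slower than this counts as a miss
    tolerance: int = 2       # consecutive misses before the route goes inactive
    failures: int = 0
    active: bool = True

    def observe(self, rtt: Optional[float]) -> bool:
        """Feed one probe result (rtt in seconds, None = no reply); return route state."""
        ok = rtt is not None and rtt <= self.timeout
        if ok:
            self.failures = 0
            self.active = True           # assumption: one success reactivates
        else:
            self.failures += 1
            if self.failures >= self.tolerance:
                self.active = False
        return self.active


def run_check(results: List[Optional[float]], **settings) -> List[bool]:
    """Replay a sequence of probe results and return the route state after each."""
    chk = ConnCheck(**settings)
    return [chk.observe(r) for r in results]


def detect_silence(probe_times: List[float], period: float, now: float,
                   grace: int = 2) -> List[Tuple[float, float]]:
    """Find gaps where no probe was seen for longer than grace * period.

    probe_times are timestamps (seconds) at which probes were observed on the
    far side (e.g. on the upper firewall). A healthy check sends one probe per
    period; a gap much longer than that is the "stopped sending pings" symptom.
    """
    gaps = []
    limit = grace * period
    times = sorted(probe_times)
    for prev, cur in zip(times, times[1:]):
        if cur - prev > limit:
            gaps.append((prev, cur))
    if times and now - times[-1] > limit:
        gaps.append((times[-1], now))     # check still silent right now
    return gaps


if __name__ == "__main__":
    # Constructed sample: two misses in a row take the route down, one reply restores it.
    print(run_check([0.2, None, 0.3, None, None, 0.1], tolerance=2))
    # Constructed sample: probes seen at 0,5,10,15 then nothing until 40.
    print(detect_silence([0, 5, 10, 15, 40, 45], period=5.0, now=50.0))
```

`run_check` gives the expected reference behaviour for the thread's settings; `detect_silence` is the check a defender can run against captured probe timestamps on the upstream device to confirm whether the route check is still probing at all, which is the question raised in the thread.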
Video of the problem: you first see me fail the routing ping check via the Zywall110, then re-allow it, then enable the interface ping check, then fail that via the Zywall110 and re-allow the interface, then try to fail the routing ping check via the Zywall110 again, and it will not fail.
Hi PeterUK,
It seems I can't replicate it on FLEX with 5.38. Here are my steps:
1) Set ping check on the policy route and on the interface with a probe domain name.
2) Block any traffic on the upper device; the policy route goes inactive on conn-check failure.
Check my video.
You have to fail the interface ping check first, but not the routing ping check, then allow the interface ping check, then fail the routing ping check.
It took some attempts to do it.
Yes, I did it, but can't see the issue.
1) Without interface ping check, block ICMP.
2) Allow ping; status comes back.
3) With interface ping check, block "Any"; policy route set INACTIVE as expected.
4) Allow again; status comes back.
5) Then block ping again; policy route inactivates as expected.
The interface is the external VLAN443, on which you have the interface ping to no-ip.org and bounceme.net, which you fail and then allow on the other firewall.
The way the routing ping check is not blocked is when you fail the interface ping check to the interface of the other firewall (albeit that's not how my setup works, as I NAT ICMP, so it is not from VLAN443 to the Zywall), but routing ping to the Zywall on the other firewall should work.
So you have the interface ping check to internet IPs, which you block from VLAN443 to WAN; you first block it to fail it, then allow it again.
You have the routing ping check to VLAN443 on the Zywall on the other firewall, which you allow while doing the above, then you block it, which should fail the routing ping check, but it doesn't; and when this happens the routing ping check is not sending pings.
So when it stops working you have to disable the interface ping check, then disable/enable the routing ping check for it to start working again.
I could let you remote in to the VPN300 when this happens, for you to check why the routing ping is not sending out pings any more after a failed interface ping check and re-allow; then you can disable the interface ping check and disable/enable the routing ping check to see it sending pings.