Help with USG310, timeout access via GUI and CLI, IPSec stops working.
Good afternoon. We have a client (HOSPITAL) that has a USG310 firewall and is on the latest FW version available (4.73(AAPJ.2)).
We are having a problem where the equipment loses the IPSEC VPN connection and after that it becomes inaccessible both via console and via http, requiring a physical reboot of the equipment. Internet access keeps working on clients.
This case has already occurred about 4 times, and even collecting the logs and checking the outputs via the console, I was unable to discover what is causing the crashes.
It's hard to know what can cause this. At times, one possibility is that some packet(s) can cause problems.
If you can, it's best to allow incoming traffic by source IP or FQDN in policy control.
I have seen problems like this myself but still can't pinpoint the cause.
Is the USG310 connected to another Zyxel? Or is this Remote Access (Server Role)?
Thanks for the answer. The IPsec connection is established with an Oracle Cloud server; however, the fact that the VPN drops is not the worst problem. When the problem happens, I can't access the equipment via GUI or CLI, so I have to physically go to the location, and this is annoying the customer. I saw here on the forum situations where equipment with previous firmware was suffering flood attacks on UDP port 500, and this caused crashes. However, this issue appears to have been resolved in the latest update. IPsec incoming traffic is being filtered by GeoIP. I connected a console cable and will monitor the logs at debug level; if you have any other ideas I would appreciate it. I've already looked for local support with Zyxel in my country too.
It would be best to limit access by FQDN with a DDNS setup.
The USG310 is EOL and may not get any more updates.
Try with Anomaly Detection and Prevention disabled.
I cannot restrict access by FQDN, as we also use L2TP over IPsec. Just for information, straight from the console I'm getting the following messages:
[17454.045127] xt_TCPMSS: bad length (302 bytes)
[17486.432469] xt_TCPMSS: bad length (589 bytes)
[17486.460217] xt_TCPMSS: bad length (589 bytes)
[18167.350757] xt_TCPMSS: bad length (302 bytes)
We are also aware of the EOL, but we had the misfortune of selling the equipment right in this transition to the FLEX line, so it will be a little stressful to convince the customer to upgrade.