VPN SSL - Slow unstable connection

Zywak

Hi, having the same issues... Using the latest version of SecurExtender 4.0.3

SSL VPN setup with AD LDAP configured for authentication.. everything worked fine until u upgraded the router to version 4.33 and our SSL VPN has been unstable ever since..

Slow connection, random disconnects, connected sessions won't last 10 minutes at times... Really frustrating..

Both Mac and windows users impacted

Thanks

Richard

Zyxel_Stanley

Hi @Zywak

We have fixed SSL VPN issue in firmware. You can download USG40W firmware by this link:

ftp://ftp.zyxel.com/USG40W/firmware/433AALB0ITS-WK19-r88384.zip

Zywak

Thanks, but I'm using zywall 310.. I have also applied the latest WK19 patch without resolving...

https://webstore.zyxel.eu/index.php/s/GHffbycDKXJXT4c

Thanks,

Richard

CHS

Hi @Zywak

Is any error log during SSL VPN disconnect?

Can you share it?

Zyxel_Cooldia

Hi @Zywak

Can you send me the SecuExtenderHelper.log via private message. The file is located at C:\.

Zywak

@Zyxel_Cooldia

I just sent you my log file..

Thanks,

Richard

Zyxel_Cooldia

Hi @Zywak

From the log we can see that the IP you get from the USG is 192.168.200.20, it is overlap with SSL VPN Network Extension Local IP 192.168.200.1. 

It may have problem when SecuExtender add routing to windows routing table. Please change the SSL VPN to other subnet and try it again.

p.s. Don’t overlap with other USG interface subnet.

 

~~~~ SecuExtenderHelper.log~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[ 2019/05/15 14:48:59 ][SecuExtender Helper] Adding an IP/netmask ip = 192.168.200.20/255.255.255.255 to interface 21 using the Win32 IP Helper API, uNTEContext = 348694720, status = 0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Martin_Kuchar

Same problem here for months. USG110, fw 4.33(AAPH.0), latest SecuExtender. No IP range overlaping. Problem: VPN connected, but internal routing lost after some time (from minutes after connection to hours) - no ping to internal ip, no RDP. Disconnect and reconnect with SecuExtender sometimes help, sometimes not. We have the same problem all the time, we own USG (13 months). Every time the same support reply - try the new firmware.. What to do? Anybody cares? Is anybody on Zyxel side able to solve this issue? If not, release the firmware as open source, we will solve it.

Zywak

@Zyxel_Cooldia

You can rule that out... I change the VPN pool to 192.168.100.20 - 50 with network extension local IP stays at 192.168.200.1

After just 10 mins, VPN disconnected... Retry connection again, it stays up for a minute and dropped...

This is really frustrating..

Log:

==============================

[ 2019/07/02 10:12:18 ][SecuExtender Helper] Request(110): INITIAL 21 342141120 4294967295 353675456 370452672 0 0

[ 2019/07/02 10:12:18 ][SecuExtender Helper] Get netsh path = C:\WINDOWS\system32\netsh.exe

[ 2019/07/02 10:12:18 ][SecuExtender Helper] Get ipconfig path = C:\WINDOWS\system32\ipconfig.exe

[ 2019/07/02 10:12:18 ][SecuExtender Helper] FlushIpNetTable on interface = 21, error code = 0

[ 2019/07/02 10:12:18 ][SecuExtender Helper] Adding an IP/netmask ip = 192.168.100.20/255.255.255.255 to interface 21 using the Win32 IP Helper API, uNTEContext = 10110332, status = 5010

[ 2019/07/02 10:12:18 ][SecuExtender Helper] Trying to flush previous address

[ 2019/07/02 10:12:18 ][SecuExtender Helper] delete_temp_addresses context = 342141120

[ 2019/07/02 10:12:18 ][SecuExtender Helper] delete_temp_addresses status = 0

[ 2019/07/02 10:12:18 ][SecuExtender Helper] Adding an IP/netmask ip = 192.168.100.20/255.255.255.255 to interface 21 using the Win32 IP Helper API, uNTEContext = 342141120, status = 0

[ 2019/07/02 10:12:18 ][SecuExtender Helper] WriteFile hPipe success agentState.aState = 2, agentState.aError = 0, dwWrite = 8

[ 2019/07/02 10:12:18 ][SecuExtender Helper] Request(130): CREATE 3403446282/2857277247 21 342141120 4294967295 29927616 0 0

[ 2019/07/02 10:12:18 ][SecuExtender Helper] ACTION_CREATE pNetCfg->myip = 3403446282, pNetCfg->gwip = 2857277247, pNetCfg->dwIfIndex = 21, pNetCfg->nodeip = 342141120, pNetCfg->localip = 29927616

[ 2019/07/02 10:12:18 ][SecuExtender Helper] argc = 8

[ 2019/07/02 10:12:18 ][SecuExtender Helper] areacounter = 1

[ 2019/07/02 10:12:18 ][SecuExtender Helper] Remove prioritize routing

[ 2019/07/02 10:12:18 ][SecuExtender Helper] Fail to prioritize route to 63.161.54.150, 255.255.255.255, error = 5010

[ 2019/07/02 10:12:18 ][SecuExtender Helper] Fail to prioritize route to 63.161.54.150, 255.255.255.255, error = 160

[ 2019/07/02 10:12:18 ][SecuExtender Helper] Success to change default route

[ 2019/07/02 10:12:18 ][SecuExtender Helper] Failed to add route 0.0.0.0/0.0.0.0 (160) metric=50

[ 2019/07/02 10:12:18 ][SecuExtender Helper] Succeed to add route 0.0.0.0/0.0.0.0 (0) metirc=500

[ 2019/07/02 10:12:18 ][SecuExtender Helper] Succeed to add route 192.168.200.1/255.255.255.255 (0) metirc=500

[ 2019/07/02 10:12:18 ][SecuExtender Helper] Get netsh path = C:\WINDOWS\system32\netsh.exe

Zyxel_Cooldia

Hi @Martin_Kuchar

Sorry to hear that, Can you send me your configuration file via private message .

Let me test it at my lab.