Trunk and remote access VPN issue

PeterUK
PeterUK Posts: 3,152  Guru Member
edited August 25 in USG FLEX H Series

USG FLEX 200H V1.21(ABWV.0)ITS-24WK35-0813-240800592

So, a bit of a problem: for my setup to work, WAN2 must not be in the User-Defined Trunk, but when it's not in the trunk, then remote access VPN does not work.

In other words, not having WAN in the trunk works better, but for VPN to work, WAN must be in the trunk.

So, can you get VPN to work without the WAN in the trunk?

Edit: testing how trunk compares on a USG40, I can set Trunk to VLAN443 and VPN to OPT fine, so it must be possible.

Thanks

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,091  Zyxel Employee

    Hi @PeterUK,

    I would like to clarify with you:

    1. Your user-defined trunk setting excludes the WAN2 interface only?
    2. "but when its not in the trunk then remote access VPN does not work" Do you mean you can configure it but the VPN cannot build up, is that correct?

    Zyxel Melen

  • PeterUK
    PeterUK Posts: 3,152  Guru Member
    edited August 26

    1. Yes, I have other WAN interfaces in the trunk but not WAN2.

    2. Yes, the client cannot connect to the VPN on WAN2 unless WAN2 is in the trunk.

  • PeterUK
    PeterUK Posts: 3,152  Guru Member

    Just to let you know, Melen, this is under case #453841, Zyxel Support Campus EMEA.

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,091  Zyxel Employee

    Hi @PeterUK,

    Thanks for your update.

    I did a simple test with a user-defined trunk profile excluding WAN2, but there's no issue in my lab. This could be due to a configuration difference. Our engineer will check your configuration and find a solution for you.

    Zyxel Melen

  • PeterUK
    PeterUK Posts: 3,152  Guru Member

    Odd… I did find a workaround: a routing rule to tell the Zywall next hop WAN2 for the VPN source ports.

  • PeterUK
    PeterUK Posts: 3,152  Guru Member

    This is what I have found out so far.

    So I have a trunk with P3 WAN3 and P4 VLAN443.
    If I remove ge1 P1 from the bridge, same problem: the VPN doesn't work.
    But if I do a trunk with just ge1 P1 WAN1, then the VPN connects on WAN2 P2.

    The problem looks to be some order logic: if ge1 P1 is not in the trunk first via a User-Defined Trunk, it skips incoming traffic on other interfaces.

    So I moved WAN3 on ge3 P3 to WAN1 ge1 P1 with trunk ge1, thinking that now WAN2 on P2 for the VPN would work... it did not.

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,091  Zyxel Employee

    Hi @PeterUK,

    Update: this is a spec limitation and we have raised a feature request for this scenario.

    Currently, we have a workaround for this scenario: Change the WAN2 to passive mode in the trunk profile.

    Zyxel Melen

  • PeterUK
    PeterUK Posts: 3,152  Guru Member
    edited September 2

    Hi Melen,

    As said in the case, this workaround is no good to me; it causes problems with the setup I'm doing. But the other workaround, a routing rule (incoming: Zywall, source IP: WAN2, source ports: VPN, next hop: WAN2), works fine, and I'm happy with how it currently works.

  • PeterUK
    PeterUK Posts: 3,152  Guru Member
    edited September 8

    Hmmm… so the VPN connects, but even with other routing rules I can get DNS and ping to work but not TCP. Odd how it's tied to the trunk for VPN. So this is not working, so for the time being I have to wait for the firmware to fix this, as I can't add that interface to the trunk.

    Thinking this option might fix it too