USG Flex 50AX - SSL VPN Won't Connect

blujedis

Tried both on Mac and Windows with latest client. New router. No port forwarding to speak of, very vanilla. Has static public IP.

Followed the guide here at bottom, seemed quite straightforward but the router doesn't seem to allow the connection.

Here's what the log is showing on the client. It behaves like it's blocked somehow, router never picks up, but again this is a new device with very little config. I have tried messing with the port, showing 443 here but I think the default was 10443. I noticed that there's a service the device uses for its wizard that updates whatever you set the Global SSL port to.

Pretty frustrated, seems like it should be rather simple… appreciate the help!!

https://www.google.com/search?q=zyxel+ssn+vpn+setup&rlz=1C5CHFA_enUS874US874&oq=zyxel+ssn+vpn+setup&gs_lcrp=EgZjaHJvbWUyBggAEEUYOTIICAEQABgWGB4yCAgCEAAYFhgeMggIAxAAGBYYHjINCAQQABiGAxiABBiKBTINCAUQABiGAxiABBiKBTIKCAYQABiABBiiBDIKCAcQABiABBiiBDIKCAgQABiABBiiBNIBCDU0NDNqMWo3qAIIsAIB&sourceid=chrome&ie=UTF-8#fpstate=ive&vld=cid:8b088fe8,vid:r01NWVEnE6E,st:0

Accepted Solution

  • blujedis
    Answer ✓

    So it appears I have solved the issue. No more warning is displayed. I'm not sure why, but when the wizard warns you to update settings, and you then set it to restrict SSL VPN to the WAN and create GEO IP restrictions, it was failing.

    So I removed the wizard-created security policies, then created a GEO IP Group with the desired regions (note: be sure to update the GEO IP database in services), then updated "Source" below to reflect the fencing.

    No more warning and the underlying SSL Policy requires authentication and it works!

    My thoughts? A ton of granularity here, bit of a learning curve. Very flexible and powerful. I would encourage Zyxel to create an updated tutorial on this as I doubt I'm the only one who's experienced this. My .02.

All Replies

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,483  Zyxel Employee

    Hi @blujedis ,

    It appears from the client’s log that the SSL VPN client is unable to connect to the firewall. One of the reasons is that the SSL VPN service port is not enabled. Could you please provide the firewall's monitor log during the SSL VPN connection attempt?

    Also, is your firewall located behind a NAT? If so, you will need to configure NAT port forwarding on the upstream router for the SSL VPN service port.

    Additionally, could you confirm the current firmware version of your firewall?


  • blujedis

    This turned out to be a combination of things.

    Stripped out user, group, policy etc. and started over and voilà!

    So this was essentially user error.

  • blujedis

    Check that while it is connecting, any constraint I put on the policy, the VPN doesn't connect. For example, if I set a GEO IP group in "Source", I then can't connect even though I'm in that Geo IP. If I set the user to a known user, it fails.

    If I don't set some sort of constraint, the Router complains about insecurity (see below).

    The VPN's policy does authenticate; if I enter a bad user or password it fails.
