[USG20W-VPN] VPN error while assigning a profile to local AP

Chris10

Hello,

I'm getting the below error when I'm assigning a profile to the local-ap with:

ap-group-member [ap_group_profile] member local-ap

Knowing that I have also the following configuration:

wlan-ssid-profile [ssid_profile]

>{…}

>outgoing-interface lan1

***

sslvpn policy Main_SSL_VPN

>{…}

>network-extension network LAN1_SUBNET

>network-extension network DMZ_SUBNET

If I remove "network-extension network LAN1_SUBNET", the error is not popping out anymore.

I don't see an immediate link between an AP profile and a VPN network extension that could explain such an error. Also, I had previously this configuration working on a USG40W.

Could you help me figure it out ?

Happy to give you more details if needed.

Thanks,

Chris

Zyxel_Melen

Hi @Chris10,

Thanks for the information. Since USG20W-VPN doesn't support the AP controller function, you won't see the controller option, and cannot apply this configuration.Below table is from USG20W-VPN user's guide:

For manage your Zyxel APs, please consider upgrade the firewall models to which support AP controller functions, like USG FLEX 100 or above. Or, you can use Nebula control center for centrolized management.

Zyxel_Melen

Hi @Chris10,

Apologize for the delayed reply. Let me answer the second question first.

Please enter the command show capwap ap all to find the default SSID profile. Then use the commands below to disable the default SSID. P.S. You might need to disable more than one slot.

#Configure terminal

(config)#Capwap ap local-ap

(AP local-ap)#no <slot x> ssid-profile 1

You can also edit the default SSID to have 2 different SSID that each using different outgoing interfaces.

Please check the CLI reference guide USG20-VPN_V5.37.pdf Chapter 9 Wireless LAN profiles > SSID profile commands(page 89) for more details.

By the way, you may also use web GUI to edit. The path is Wireless > Built-in AP > General >Add/Edit SSID.

Hope it helps.

Zyxel_Melen

Hi @Chris10,

May I know how did you change the settings? By command line or by web GUI?

Chris10

Hello @Zyxel_Melen ,

By command line.

The GUI changed, and I'm not able to set AP profiles/AP groups anymore through the GUI (I only have "Built-in AP" menu).

Zyxel_Melen

Hi @Chris10,

Thanks for the information. Since USG20W-VPN doesn't support the AP controller function, you won't see the controller option, and cannot apply this configuration.Below table is from USG20W-VPN user's guide:

For manage your Zyxel APs, please consider upgrade the firewall models to which support AP controller functions, like USG FLEX 100 or above. Or, you can use Nebula control center for centrolized management.

Chris10

Hi @Zyxel_Melen ,

Thanks for the information.

What would be an equivalent basic configuration with 2 SSID (and 2 different outgoing-interface for those) for this model ?

Is it possible to completely disable built-in AP by command line ?

• Somehting like this :

ap-group-profile Disabled-WLAN

slot1 ap-profile default

slot1 output-power 0dBm

ap-group-profile Enabled-WLAN

slot1 ap-profile default

slot1 output-power 30dBm

Zyxel_Melen

Hi @Chris10,

Apologize for the delayed reply. Let me answer the second question first.

Please enter the command show capwap ap all to find the default SSID profile. Then use the commands below to disable the default SSID. P.S. You might need to disable more than one slot.

#Configure terminal

(config)#Capwap ap local-ap

(AP local-ap)#no <slot x> ssid-profile 1

You can also edit the default SSID to have 2 different SSID that each using different outgoing interfaces.

Please check the CLI reference guide USG20-VPN_V5.37.pdf Chapter 9 Wireless LAN profiles > SSID profile commands(page 89) for more details.

By the way, you may also use web GUI to edit. The path is Wireless > Built-in AP > General >Add/Edit SSID.

Hope it helps.