WFH VPN impacted after updating 100H to 1.30(ABXF.1)

chrisfits7

Two days ago updated my 100H to the latest 1.30(ABXF.1) from 1.21 firmware version to resolve the issue of the device locking up/freezing every 3-5 days at random times (hopefully I will find my answer by next week). My new issue is that my business computer VPN connection is now so slow that it takes 20 seconds to open a 7k text file from a remote system.

I know this is the issue since I can swap all cables back to my USG 40 and everything works without issue.

This issue started after upgrading the firmware on 100H with no policy changes to outbound LAN > WAN configuration. Also, I am not seeing any logs that show a problem, unless I am not looking in the correct place.

Is there a special configuration for Global Protect to connect without impact?

Zyxel_Melen

Hi @chrisfits7,

I would like to clarify:

1. Does the "business computer VPN connection" mean remote access VPN? What kind of remote access VPN is it?
2. Does the 100H enable any UTM services during the VPN connection?
3. Does the USG40 enable any UTM services during the VPN connection?
4. Is the VPN configuration between USG40 and FLEX 100H the same? Like the phase 1 and phase 2 settings.

Thanks!

chrisfits7

Hello Zyxel_Melen,

1. Does the "business computer VPN connection" mean remote access VPN? What kind of remote access VPN is it?
   1. This is a laptop with a Palo Alto (PA) VPN client installed (Global Protect) that resides on the internal LAN and connects outbound via the WAN connection to PA VPN server.
2. Does the 100H enable any UTM services during the VPN connection?
   1. No
3. Does the USG40 enable any UTM services during the VPN connection?
   1. No
4. Is the VPN configuration between USG40 and FLEX 100H the same? Like the phase 1 and phase 2 settings.
   1. This is a Palo Alto Windows client configuration on the laptop and not from the Zyxel device.

This was not an issue until I upgraded the firmware to 1.30(ABXF.1). Nothing else changed when this issue started.

Here's what my degraded experience with 100H 1.30(ABXF.1) scenario looks like:

When I just plug in my previous USG 40, I have no issues with the comparable policy:

Besides this issue, my connectivity is severely degraded since updating the firmware on 12/3:

Edit: The speed test above shows download (column 3) and upload (column 4) speeds.

Thanks!

PeterUK

To double check do the following

How to display the standby firmware partition on GUI? — Zyxel Community

Then you can reboot to the old firmware

chrisfits7

@PeterUK - I will try that - actually saw that post a few days ago and I see the old FW in the GUI. I hope my firewall won't start locking up every 3-5 days if I revert.

I also talked to a colleague and he mention that sometimes on a new firmware update he's had to factory reset and then manually set up the config.

Does anyone know how to selectively download a specific FW version? in my old MyZyxel page there was a FW listing but 100H is not in the list.

chrisfits7

I guess I must not have done my due diligence. I don't even see my 1.21 version in the GUI. I see a version that goes back to 10/2023

It would be great if I could go back to a more recent firmware version.

If I go to the Download Library and try to select a firmware version, I get redirected to my portal.myZyxel.com page where there is no firmware to download.

chrisfits7

I've been trying to troubleshoot constantly as the issue has become unbearable. What I found is that if I disable IPS then my issue with the local outbound Global Protect VPN goes away. I have tested for the past 30 minutes by toggling the option on and off while copying files.

Is there a way I can see what IPS is doing so the issue with IPS can be isolated?

PeterUK

I don't see how that happened the firmware update is meant to install on standby then boot it

was your updates done by the FLEX UI or Nebula?

IPS? DoS Prevention?

chrisfits7

@PeterUK I performed the firmware update using Nebula.

Also, disabling IPS resolved my VPN issue.

PeterUK

So you was using UTM services? do you have a License when that option is on?

chrisfits7

Yes. Initially, I was thinking that the use of the IPS UTM services was activated on the security policy but I missed that the 100H was a global setting.

As far as I can see, I am licensed for IPS.