SSL VPN Network list bug for same subnet as server

PeterUK
PeterUK Posts: 3,326  Guru Member
100 Answers 2500 Comments Friend Collector Seventh Anniversary
edited April 2021 in Security

This bug happens for when “Force all client traffic to enter SSL VPN tunnel” is disabled and using network list the bug disconnects the client in under 2mins.

If SSL VPN server is 192.168.255.202 and client at 192.168.255.193 and you add network list LAN1_subnet 192.168.255.192/26 the client disconnects within 2mins of connecting.

If you remove LAN1_subnet and add LAN2_subnet 192.168.138.0/28 the client stays connected.

If you add in the network list a host address 192.168.255.202 the client disconnects within 2mins of connecting.

This is with SecuExtender 4.0.3.0 with Zywall 110 firmware V4.33(AAAA.0)ITS-WK19-r88384

Comments

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @PeterUK

    Do you mean when your connect the ssl VPN,

    In status tab, the client ip is 192.168.255.193, the Sever IP is 192.168.255.202, and the LAN1_subnet is 192.168.255.192/26.

    LAN1 subnet is same as client ip, and server IP?


  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    The SSL VPN range is 192.168.139.1-192.168.139.14.

    The client IP before connecting to the SSL VPN is 192.168.255.193 in subnet 192.168.255.192/26 with the SSL VPN at 192.168.255.202 if network list has LAN1_subnet 192.168.255.192/26 the SSL VPN disconnects within 2mins and also with host address 192.168.255.202


  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @PeterUK

    I did the same scenario as you mentioned. The tunnel uptime is more than 9 minutes.

    Can you send me your configuration via private message. 

    Let me test the scenario with your configuration.

    Screenshot on the right is my lab test result, the connected time is more than 9 minutes.


  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    Was the client IP before connecting to the SSL VPN 192.168.255.193? the client was XP so that might have something to do with it?

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited July 2019

    Found the problem its because the client is running XP the issue does not happen with win 7 as XP is EOL its not that important to fix this bug really. The problem can be worked around by single host addresses within same subnet as server.

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @PeterUK

    Thanks for sharing your test result.😄

Security Highlight