IKEv2 causes USG to crash

Nikriaz (Posts: 5, Freshman Member)

We’ve been running several USG devices (110 and 210) without issues for years. However, our USG110 recently started hanging every three days. By "hang," I mean it completely stops responding and becomes inaccessible by any means.

To rule out hardware or configuration issues, we replaced it with a brand-new USG210 from our stock (including a new power adapter) and manually configured it from scratch—no imports, no old configs. Unfortunately, the issue persisted with the same 3-day freeze cycle.

Findings from Investigation:
We identified that the freezes always happen during IKEv2 rekeying. The issue started when a new remote user (Windows 10 native IKEv2 VPN client) joined. While this user is legitimate, probably their poor network conditions or MTU issues cause a lot of repeated warnings:
- "Replay detected"
- "Network congestion"
- IKEv2 rekeying every 2-3 minutes instead of the configured 8 hours.
[Why this is happening is a separate question.]

This strongly resembles CVE-2023-33009 and CVE-2023-33010, which were patched in firmware 4.73. I suspect that the fix introduced a new bug even for legitimate users.

I understand that USG110/210 are EOL, but these firmware issues are severe enough that they shouldn't be ignored. 

This is the IKE debug-level log of the crash moment. System resources within 1 second before the crash were generous (CPU < 5%, memory < 40%, etc.).
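The symptom the post describes (one peer rekeying every 2-3 minutes against a configured 8-hour lifetime, accompanied by "Replay detected" and "Network congestion" warnings) is something you can pull out of a log export mechanically before deciding which client to isolate. The script below is an added example, not part of the original post and not Zyxel code. The log line layout it parses (`<date> <time> <level> <message> peer=<ip> ...`) and the sample lines themselves are constructed assumptions for illustration; real USG IKE debug output uses different fields, so `parse_line()` is the one function to adapt.

```python
"""Flag IKEv2 peers that rekey far more often than the configured SA lifetime.

Added example for the post above; not Zyxel's code. The log format below is an
assumption for illustration and the sample lines are constructed, not captured.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (assumed format: "<date> <time> <level> <message> peer=<ip> ...").
# Peer 203.0.113.5 mimics the misbehaving client; 198.51.100.7 is a healthy one.
SAMPLE_LOG = """\
2024-05-01 10:00:00 info IKEv2 SA established peer=203.0.113.5 spi=0x1a
2024-05-01 10:02:30 info IKEv2 rekey child SA peer=203.0.113.5
2024-05-01 10:02:31 warn Replay detected peer=203.0.113.5
2024-05-01 10:05:10 info IKEv2 rekey child SA peer=203.0.113.5
2024-05-01 10:05:12 warn Network congestion peer=203.0.113.5
2024-05-01 10:07:45 info IKEv2 rekey child SA peer=203.0.113.5
2024-05-01 10:00:00 info IKEv2 SA established peer=198.51.100.7 spi=0x2b
2024-05-01 18:00:05 info IKEv2 rekey child SA peer=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+) (?P<msg>.*?)"
    r" peer=(?P<peer>[\d.]+)"
)


def parse_line(line):
    """Split one (assumed-format) log line into timestamp, level, message, peer."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "level": m.group("level"),
        "msg": m.group("msg"),
        "peer": m.group("peer"),
    }


def rekey_intervals(lines):
    """Seconds between consecutive SA establish/rekey events, keyed by peer IP."""
    last_event = {}
    gaps = defaultdict(list)
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        msg = ev["msg"].lower()
        if "rekey" in msg or "established" in msg:
            if ev["peer"] in last_event:
                gaps[ev["peer"]].append((ev["ts"] - last_event[ev["peer"]]).total_seconds())
            last_event[ev["peer"]] = ev["ts"]
    return dict(gaps)


def warning_counts(lines):
    """Count warn-level messages per peer (e.g. 'Replay detected')."""
    counts = defaultdict(lambda: defaultdict(int))
    for raw in lines:
        ev = parse_line(raw)
        if ev is not None and ev["level"] == "warn":
            counts[ev["peer"]][ev["msg"]] += 1
    return {peer: dict(c) for peer, c in counts.items()}


def flag_fast_rekeyers(lines, configured_lifetime_s=8 * 3600, ratio=0.05):
    """Return {peer: median_gap_s} for peers whose median rekey gap is below
    ratio * configured lifetime (default: under 5% of 8 hours, i.e. < 24 min)."""
    flagged = {}
    for peer, gaps in rekey_intervals(lines).items():
        ordered = sorted(gaps)
        median = ordered[len(ordered) // 2]
        if median < ratio * configured_lifetime_s:
            flagged[peer] = median
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for peer, median in flag_fast_rekeyers(lines).items():
        print(f"{peer}: median rekey gap {median:.0f}s, warnings {warning_counts(lines).get(peer, {})}")
```

Run it against a real export by replacing `SAMPLE_LOG` with the file contents; a peer that lands in `flag_fast_rekeyers()` with a pile of replay/congestion warnings is the client to disconnect first while the freeze is being chased.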