New Feature Spotlight: VPN Connectivity Check Tool for Easier Tunnel Testing
Ally Member
With the release of firmware version 1.35, Zyxel firewalls now include a VPN Connectivity Check tool—an essential enhancement that streamlines VPN troubleshooting for administrators. Here’s everything you need to know about this powerful new feature.
What Is VPN Connectivity Check?
Traditionally, validating VPN tunnel connectivity between two sites involved manual testing. You had to physically connect a client device behind each firewall, then attempt to ping from one client to the other across the tunnel. This method was time-consuming and not ideal for quick diagnostics.
The VPN Connectivity Check tool eliminates this need.
Now, you can run ping tests directly from the firewall across the VPN tunnel to a remote device—without requiring local clients on either side.
How It Works
- The tool is available under Site-to-Site VPN in the Zyxel firewall interface.
- It allows the firewall to initiate a ping to a client across the peer VPN gateway.
- This feature is designed for troubleshooting VPN tunnels and verifying if traffic can cross the tunnel as expected.
Understanding the Ping Test Behavior
When using the Connectivity Check:
- The source IP address used for the ping is always the first IP address defined in your local policy.
- For example, if your local policy subnet is
192.168.10.0/24, the firewall will use192.168.10.1as the source IP. - This mirrors the behavior of Zyxel’s ZLD firewalls.
VPN Policy Scope Matters
- The ping target must be within the defined remote policy subnet.
- If a device lies outside of the remote policy, the connectivity check will fail and indicate that the destination is outside the allowed range.
Key Limitations
1. Not a Persistent Setting
VPN Connectivity Check is a one-time diagnostic tool—not a persistent or toggleable setting. Each time you want to run a test, you need to manually initiate it.
2. Does Not Work with NAT VPN Rules
If you are using VPN SNAT (Static NAT) rules within your VPN profile:
- Ping tests will not work.
- The source IP will not undergo NAT translation, meaning the ping may be dropped or blocked by the remote firewall expecting a translated IP.
UI Considerations
In some cases, the Connectivity Check option may not appear:
- Ensure you have a fully configured and active VPN profile.
- The feature is dependent on having proper local and remote policy settings.
Summary
The VPN Connectivity Check tool is a valuable addition for administrators seeking faster and easier VPN tunnel diagnostics. By eliminating the need for physical test clients and offering direct firewall-initiated pings, it simplifies the troubleshooting process considerably.
As always, ensure your local and remote policies are correctly configured and be mindful of SNAT rules when using this tool.
Categories
- All Categories
- 439 Beta Program
- 2.8K Nebula
- 193 Nebula Ideas
- 121 Nebula Status and Incidents
- 6.2K Security
- 473 USG FLEX H Series
- 311 Security Ideas
- 1.6K Switch
- 82 Switch Ideas
- 1.3K Wireless
- 44 Wireless Ideas
- 6.8K Consumer Product
- 282 Service & License
- 445 News and Release
- 88 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 4.3K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 93 Security Highlight