New Feature Spotlight: VPN Connectivity Check Tool for Easier Tunnel Testing

Zyxel_Lynn (Zyxel Employee)
edited August 26 in Other Topics

With the release of firmware version 1.35, Zyxel firewalls now include a VPN Connectivity Check tool—an essential enhancement that streamlines VPN troubleshooting for administrators. Here’s everything you need to know about this powerful new feature.

What Is VPN Connectivity Check?

Traditionally, validating VPN tunnel connectivity between two sites involved manual testing. You had to physically connect a client device behind each firewall, then attempt to ping from one client to the other across the tunnel. This method was time-consuming and not ideal for quick diagnostics.

The VPN Connectivity Check tool eliminates this need.

Now, you can run ping tests directly from the firewall across the VPN tunnel to a remote device—without requiring local clients on either side.

How It Works

  • The tool is available under Site-to-Site VPN in the Zyxel firewall interface.
  • It allows the firewall to initiate a ping, through the tunnel, to a host behind the peer VPN gateway.
  • This feature is designed for troubleshooting VPN tunnels and verifying if traffic can cross the tunnel as expected.

Understanding the Ping Test Behavior

When using the Connectivity Check:

  • The source IP address used for the ping is always the first IP address defined in your local policy.
  • For example, if your local policy subnet is 192.168.10.0/24, the firewall will use 192.168.10.1 as the source IP.
  • This mirrors the behavior of Zyxel’s ZLD firewalls.

VPN Policy Scope Matters

  • The ping target must be within the defined remote policy subnet.
  • If a device lies outside of the remote policy, the connectivity check will fail and indicate that the destination is outside the allowed range.

Key Limitations

1. Not a Persistent Setting

VPN Connectivity Check is a one-time diagnostic tool—not a persistent or toggleable setting. Each time you want to run a test, you need to manually initiate it.

2. Does Not Work with NAT VPN Rules

If you are using VPN SNAT (Static NAT) rules within your VPN profile:

  • Ping tests will not work.
  • The source IP will not undergo NAT translation, meaning the ping may be dropped or blocked by the remote firewall expecting a translated IP.
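Added example, not part of Zyxel's post or firmware: a small Python pre-flight check that applies the three rules described above (the source IP is the first address of the local policy, the target must lie inside the remote policy, and VPN SNAT rules make the ping unusable) before you run the tool, so that a failed check caused by the test parameters can be told apart from a genuinely broken tunnel. The function names, the result structure and the subnets are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Preflight:
    """Outcome of the pre-flight check (structure is this example's own)."""
    source_ip: str
    target_ip: str
    blockers: list = field(default_factory=list)  # conditions the post says make the test fail
    notes: list = field(default_factory=list)     # what the remote side has to allow

    @property
    def ok(self) -> bool:
        return not self.blockers


def expected_source_ip(local_policy: str) -> str:
    """First address of the local policy subnet, e.g. 192.168.10.0/24 -> 192.168.10.1.
    A /31 or /32 has no separate network address, so that address itself is used."""
    net = ipaddress.ip_network(local_policy, strict=False)
    if net.prefixlen >= net.max_prefixlen - 1:
        return str(net.network_address)
    return str(net.network_address + 1)


def preflight(local_policy: str, remote_policy: str, target: str,
              snat_rules: bool = False) -> Preflight:
    """Predict whether a Connectivity Check against `target` can succeed at all."""
    remote = ipaddress.ip_network(remote_policy, strict=False)
    tgt = ipaddress.ip_address(target)
    result = Preflight(source_ip=expected_source_ip(local_policy), target_ip=str(tgt))
    if tgt not in remote:  # rule: target must be inside the remote policy
        result.blockers.append(
            f"{tgt} is outside the remote policy {remote}; the tool reports the "
            "destination as outside the allowed range")
    if snat_rules:  # rule: VPN SNAT rules break the test
        result.blockers.append(
            "VPN SNAT rule in the profile: the ping source is not translated, so the "
            "remote firewall, expecting the translated address, may drop it")
    result.notes.append(
        f"remote side must permit ICMP echo from {result.source_ip} to {tgt} over the tunnel")
    return result


if __name__ == "__main__":
    # Constructed inputs: local policy 192.168.10.0/24, remote policy 10.0.20.0/24
    for tgt, snat in (("10.0.20.50", False), ("10.0.30.5", False), ("10.0.20.50", True)):
        r = preflight("192.168.10.0/24", "10.0.20.0/24", tgt, snat_rules=snat)
        print(f"{tgt:<12} snat={snat!s:<5} ok={r.ok}", *r.blockers, sep="\n  ")
```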

UI Considerations

In some cases, the Connectivity Check option may not appear:

  • Ensure you have a fully configured and active VPN profile.
  • The feature is dependent on having proper local and remote policy settings.

Summary

The VPN Connectivity Check tool is a valuable addition for administrators seeking faster and easier VPN tunnel diagnostics. By eliminating the need for physical test clients and offering direct firewall-initiated pings, it simplifies the troubleshooting process considerably.

As always, ensure your local and remote policies are correctly configured and be mindful of SNAT rules when using this tool.