Problem l2tp connect

integratedsolutions (Posts: 16, Freshman Member)

Good evening,
We have a Zyxel VPN 100 with the L2TP protocol enabled, which several users with Macs use with their configurations. Everything worked for a week, but now it no longer works, without any changes having been made. Can you tell us what the problem is, based on the logs I've attached, and how to fix it?

warn sessions-limit ACCESS BLOCKMaximum sessions per host (1000) was exceeded. [count=67]
619 2025-09-29 11:59:13 82.52.139.253:51381 192.168.100.2:500info ike IKE_LOGThe cookie pair is : 0x548ac67f509aff13 / 0x0000000000000000
620 2025-09-29 11:59:13 82.52.139.253:51381 192.168.100.2:500info ike IKE_LOGRecv Main Mode request from [82.52.139.253]
621 2025-09-29 11:59:13 82.52.139.253:51381 192.168.100.2:500info ike IKE_LOGThe cookie pair is : 0x0fd6ecf1b3cd7690 / 0x548ac67f509aff13
622 2025-09-29 11:59:13 82.52.139.253:51381 192.168.100.2:500info ike IKE_LOGRecv:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID]
623 2025-09-29 11:59:13 82.52.139.253:51381 192.168.100.2:500info ike IKE_LOGRecv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256 PRF, HMAC-SHA256-128, 2048 bit MODP, HMAC-SHA1 PRF, HMAC-SHA1-96, HMAC-MD5 PRF, HMAC-MD5-96, HMAC-SHA512 PRF, HMAC-SHA512-256, 1536 bit MODP, 1024 bit MODP, AES CBC key len = 128,
624 2025-09-29 11:59:13 192.168.100.2:500 82.52.139.253:51381info ike IKE_LOGThe cookie pair is : 0x548ac67f509aff13 / 0x0fd6ecf1b3cd7690 [count=3]
625 2025-09-29 11:59:13 192.168.100.2:500 82.52.139.253:51381info ike IKE_LOG[ID] : Tunnel [RemoteAccess_L2TP_Wiz] Local IP mismatch
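A small triage script over log lines in the same shape as the ones above (an added example, not from the thread or from Zyxel; the peer address 203.0.113.7 is a constructed placeholder, 192.168.100.2 is the gateway address from the logs). It totals the session-limit blocks, groups IKE tunnel failures by reason, and flags an IKE endpoint (port 500) sitting on a private address, which is how a firewall behind NAT shows up in these lines.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the shape of the Zyxel session-limit and IKE_LOG
# entries quoted above. 203.0.113.7 is a placeholder remote peer address.
SAMPLE_LOG = """\
warn sessions-limit ACCESS BLOCKMaximum sessions per host (1000) was exceeded. [count=67]
619 2025-09-29 11:59:13 203.0.113.7:51381 192.168.100.2:500info ike IKE_LOGRecv Main Mode request from [203.0.113.7]
624 2025-09-29 11:59:13 192.168.100.2:500 203.0.113.7:51381info ike IKE_LOGThe cookie pair is : 0x548ac67f509aff13 / 0x0fd6ecf1b3cd7690 [count=3]
625 2025-09-29 11:59:13 192.168.100.2:500 203.0.113.7:51381info ike IKE_LOG[ID] : Tunnel [RemoteAccess_L2TP_Wiz] Local IP mismatch
"""

# The severity ("info") is glued to the destination port in this export, so the
# port is captured as digits and the severity as the letters that follow it.
IKE_RE = re.compile(
    r"^(?P<seq>\d+) (?P<ts>\S+ \S+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?P<sev>[a-z]+) ike IKE_LOG(?P<msg>.*)$"
)
TUNNEL_RE = re.compile(r"Tunnel \[(?P<tunnel>[^\]]+)\] (?P<reason>.+)$")
LIMIT_RE = re.compile(
    r"Maximum sessions per host \((?P<limit>\d+)\) was exceeded\. \[count=(?P<count>\d+)\]"
)


def parse_ike_line(line):
    """Split one IKE_LOG line into its fields, or return None for other lines."""
    m = IKE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Summarise session-limit blocks, tunnel failures and NAT indicators."""
    report = {"session_limit_blocks": 0, "tunnel_failures": Counter(),
              "nat_suspect_local_ips": set()}
    for line in log_text.splitlines():
        lim = LIMIT_RE.search(line)
        if lim:
            report["session_limit_blocks"] += int(lim.group("count"))
            continue
        rec = parse_ike_line(line)
        if rec is None:
            continue
        t = TUNNEL_RE.search(rec["msg"])
        if t:
            report["tunnel_failures"][(t.group("tunnel"), t.group("reason"))] += 1
        # The gateway is the side listening on UDP/500; an RFC 1918 address there
        # means the firewall's WAN is itself behind NAT.
        for addr, port in ((rec["src"], rec["sport"]), (rec["dst"], rec["dport"])):
            if port == "500" and ipaddress.ip_address(addr).is_private:
                report["nat_suspect_local_ips"].add(addr)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```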


All Replies

  • PeterUK (Posts: 4,169, Guru Member), edited October 2

    Disable the session limit, and set the local policy in the VPN connection to IP 0.0.0.0.

    Do you have internet access out the WAN port?

  • integratedsolutions (Posts: 16, Freshman Member)

    The problem only occurs when using a VPN in L2TP mode. I have regular access to the network both when we're on-site at the company and when we connect remotely using SSL. Can you give me some guidance or schedule a Teams call to disable this limitation?

  • PeterUK (Posts: 4,169, Guru Member), edited October 3

    To disable the session limit, go to config > policy control > session control and set the default sessions per host to 0.

    To set the local policy to IP 0.0.0.0, go to config > VPN > IPSec VPN > VPN connection, look for the VPN and set it like the following:

    Screenshot 2025-10-03 101152.png

    The USG looks to have a WAN interface with a 192.168.100.2 IP. Has this always been the case?

  • integratedsolutions (Posts: 16, Freshman Member)

    It's already set to 0, as in the photo. That 100.2 address has always been like this; in fact, as I reported, it had worked until last Friday, and then suddenly it no longer allowed the connection to be made in L2TP.

  • PeterUK (Posts: 4,169, Guru Member), edited October 3

    Have you added any more VPN connections?

    Is the L2TP VPN gateway set to Pre-Shared Key or Certificate? If Certificate, is it IP or domain name, and valid or self-signed?

    Have you tried a reboot?

  • integratedsolutions (Posts: 16, Freshman Member)

    I have other connections in SSL mode, and they work fine with Windows clients.
    The L2TP VPN gateway is set to pre-shared keys and properly configured on the PCs that need to connect, but it still fails. The domain issues internal certificates, but I don't think that's the problem; otherwise it would have caused the problem with SSL mode as well. However, I haven't tried rebooting the device, since the last time I did, two-factor authentication didn't work. Isn't there a way to restart just the required part (L2TP) via SSH?

  • PeterUK (Posts: 4,169, Guru Member)

    You can disable two-factor and reboot if you think it's a problem.

  • integratedsolutions (Posts: 16, Freshman Member)

    Could restarting the device solve the problem that L2TP suddenly stopped working?

  • PeterUK (Posts: 4,169, Guru Member)

    It just seems odd that, if you have not added or changed anything, it stopped working. Of course it's not ideal that you might need to reboot, and that would need looking into if it happens again, but if a reboot doesn't fix it, that would seem to mean something was changed.

  • Zyxel_Melen (Posts: 4,035, Guru Member)

    Hi @integratedsolutions

    Was your firewall behind NAT when it was working before?

    Please share your configuration so I can help you better on this.

    Zyxel Melen