VPN Ike2 + 2fa auth page unreachable
Ally Member
Hi all, I'm trying to troubleshoot a VPN remote access issue with 2FA. (Google Auth.)
My scenario: 2 Flex500Hs in HA Pro (Fw 1.35) and 30 remote users.
The VPN is an IKE2 remote access + 2FA, and the authentication web page is 192.168.168.1:20443.
The native Windows client is configured on each device.
Issue: Randomly, when remote users try to connect, after entering their credentials, the authentication page turns out to be unreachable (ping to 192.168.168.1 fails). So far any other company
On USG VPN Monitor, I see the user connected with its public IP and the local IP provided by the USG.
After 3 minutes, the VPN connection drops due to the authentication timeout.
Anyone experienced?
Thanks in advance
Lorenzo
All Replies
Hi @Fred_77,
I understand you're experiencing an issue with your IKEv2 remote access VPN with 2FA (Google Authenticator) on your USG FLEX 500H devices in HA Pro. Specifically, remote users are randomly unable to reach the authentication web page (192.168.168.1:20443) after entering their credentials, leading to connection drops due to authentication timeouts.
This sounds like a connectivity issue to the authentication page, even though the VPN tunnel appears to be established initially.
Here are some steps to troubleshoot this:
Verify 2FA Configuration and Authentication Process:
- Ensure that Google Authenticator is correctly set up for the users and that the "Valid Time" for entering the 2FA code is sufficient (default is 3 minutes).
- Confirm that the authentication link URL address and port (default is 8008) are correctly configured in the global 2FA settings on your USG FLEX H Series.
- Since you are using the native Windows client, users will need to manually open a web browser and navigate to the authentication URL (e.g., http://yourdeviceip:8008 or, in your case, https://192.168.168.1:20443) after establishing the VPN connection to enter the 2FA code. The Zyxel VPN Client (SecuExtender) is designed to automatically open this page, but native clients do not have this built-in functionality.
Check Network Connectivity to the Authentication Page:
- Even though users are connected to the VPN, the ability to reach the internal authentication page (192.168.168.1:20443) needs to be stable. The fact that a ping to this IP fails randomly suggests a potential routing or firewall rule issue within the VPN tunnel or on the USG FLEX H itself.
- Review your firewall rules to ensure traffic from the VPN client's assigned IP subnet to the USG FLEX H's internal IP (192.168.168.1) on port 20443 is consistently allowed.
- If using policy routes, ensure they are correctly configured to direct traffic from the VPN tunnel to the internal network where the authentication page resides.
Examine HA Pro Synchronization and Potential Conflicts:
- With HA Pro, ensure that the configurations, especially those related to VPN and 2FA, are correctly synchronized between both USG FLEX 500H devices. Although firmware 1.35 introduces enhancements for HA communication and session synchronization, issues can still arise.
- Check HA logs for any synchronization errors or conflicts that might randomly affect the active device's ability to serve the authentication page.
Review USG FLEX H Logs and VPN Monitor:
- On the USG FLEX H, navigate to Monitor > IPsec VPN > Remote Access VPN to verify user sessions and connection details.
- Check Log & Report > Event Logs for any authentication failures, firewall blocks, or other related error messages around the time the issue occurs.
- Consider enabling IPSec VPN debug logging if the issue persists to gather more detailed information about the VPN tunnel and authentication process. You can use the cmd debug ipsec trace log command via SSH.
To further assist you, please provide the following information:
- Network Topology Map: A diagram illustrating your network setup, including the placement of the USG FLEX 500H devices, the internal network segment hosting the 192.168.168.1 IP, and how remote users connect.
- Screenshots of VPN and 2FA Configuration:
- Remote Access VPN configuration (Phase 1 and Phase 2 settings).
- 2FA global settings and user-specific 2FA settings.
- Firewall rules related to VPN traffic and access to 192.168.168.1:20443.
- Firmware Version: While you mentioned Fw 1.35, please confirm the exact firmware version running on both USG FLEX 500H devices.
- Error Message Screenshots: If users are seeing specific error messages in their native Windows VPN client or browser when the authentication page is unreachable.
- Zyxel Support Access: If you are managing your devices through Nebula, please enable Zyxel Support Access via Help > Support Request in the Nebula console and provide your Organization and Site name. This will allow our support team to view your cloud environment configuration directly, which can significantly shorten troubleshooting time.
This AI response aims to provide initial troubleshooting steps and identify information needed for further diagnosis. Feel free to share additional details based on the suggestions above — this will help community members offer more targeted assistance.
If you have feedback or ideas about this AI assistant, share them in Community Feedback.
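An added example, not part of the thread or any Zyxel tool, for the "check network connectivity to the authentication page" step above: a PowerShell probe run on a Windows client with the native IKEv2 connection up, which timestamps ICMP and TCP reachability of the 2FA page so the intermittent failures can be matched against the USG event logs and HA state. The VPN connection name "Office-IKEv2" and the log path are assumed placeholders; the host and port are the ones from the post.

```powershell
# Added example (not from the thread): poll the 2FA authentication page
# from a Windows client while the native IKEv2 VPN is connected and log
# each result with a timestamp for correlation with USG / HA Pro logs.
# Assumptions: VPN connection named "Office-IKEv2" (placeholder), auth
# page 192.168.168.1:20443 as in the post, log path is arbitrary.
param(
    [string]$VpnName  = 'Office-IKEv2',
    [string]$AuthHost = '192.168.168.1',
    [int]   $AuthPort = 20443,
    [int]   $Seconds  = 170,      # stay inside the 3-minute 2FA window
    [int]   $Interval = 10,
    [string]$LogPath  = "$env:TEMP\zyxel-2fa-probe.csv"
)

$deadline = (Get-Date).AddSeconds($Seconds)
while ((Get-Date) -lt $deadline) {
    # State of the native Windows VPN profile (Connected / Disconnected).
    $vpn = Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue
    $status = if ($vpn) { $vpn.ConnectionStatus } else { 'ProfileNotFound' }

    # Tunnel address handed out by the USG; compare with VPN Monitor.
    $tunnelIp = (Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                 Where-Object { $_.InterfaceAlias -eq $VpnName }).IPAddress -join ','

    # ICMP plus a TCP handshake to the auth port. The post reports ping
    # failing; the TCP result tells "host unreachable" apart from "port
    # blocked", and SourceAddress shows whether Windows routed the probe
    # through the tunnel at all (a routing problem if it did not).
    $tnc = Test-NetConnection -ComputerName $AuthHost -Port $AuthPort `
                              -WarningAction SilentlyContinue

    $row = [pscustomobject]@{
        Time       = (Get-Date).ToString('s')
        VpnStatus  = $status
        TunnelIp   = $tunnelIp
        SourceAddr = $tnc.SourceAddress.IPAddress
        Ping       = $tnc.PingSucceeded
        TcpOk      = $tnc.TcpTestSucceeded
    }
    $row | Export-Csv -Path $LogPath -Append -NoTypeInformation
    Write-Host ("{0} vpn={1} src={2} ping={3} tcp={4}" -f `
        $row.Time, $row.VpnStatus, $row.SourceAddr, $row.Ping, $row.TcpOk)

    Start-Sleep -Seconds $Interval
}
```

A run where Ping and TcpOk flip between True and False while VpnStatus stays Connected points at the firewall/route or HA side described above; a SourceAddr that is not the tunnel address points at client-side routing instead.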
Zyxel Community Virtual Assistant