USG Flex H freezing issues

Options
Lucas_Wilson
Lucas_Wilson Posts: 14 image  Freshman Member
Zyxel Certified Network Engineer Level 1 - Nebula First Comment Friend Collector
in USG FLEX H Series

Hi,

Over the past three weeks, we’ve had three different sites experience downtime because the USG Flex H firewall randomly blocks all outbound traffic. So far, this issue has only occurred on the USG Flex 50H and 100H models.

The only workaround I’ve found is to connect to the firewall through Nebula and perform a reboot. After restarting, the device comes back online and functions normally again.

Has anyone else run into this issue? Is there a known fix, or any insight into why this might be happening?

I can share log screenshots via DM if needed, although there’s nothing unusual in them—the firewall simply appears to “freeze,” with no logs, system errors, or warning messages.

The firmware version of all 3 devices is uOS 1.37

All Replies

  • Zyxel_Ivan
    Zyxel_Ivan Posts: 407 image  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - WLAN Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security

    Hi @Lucas_Wilson,

    I'm sorry to hear you're experiencing a device freeze.

    To verify this issue, we need your help to help us with the following items:

    1. Please share the Org name and enable support access with us
    2. Please have more description about the free. Do you remember whether any symptoms occur when the device freezes? Or have you tried to access an end device or website, and then the device froze? Any information could help the team verify the issue.

    Thanks.

    Ivan

  • Lucas_Wilson
    Lucas_Wilson Posts: 14 image  Freshman Member
    Zyxel Certified Network Engineer Level 1 - Nebula First Comment Friend Collector

    Hi @Zyxel_Ivan,

    The only consistent symptom we’ve observed is a sudden burst of 5–6 port up/down event email alerts on the WAN port (ge1) immediately prior to the issue occurring. We’ve seen the same behavior on the USG Flex 200H, though it appears to handle it more gracefully.

    On the 50H and 100H models, even though the WAN port comes back up, these alerts are often followed by the device freezing for outgoing traffic, while still remaining externally accessible.

    As we’re an MSP, we’re not on site when this occurs and typically just recieve an urgent support ticket from the client. We haven’t identified any clear common factors beyond the port up/down events. In one instance, the issue occurred outside business hours around 8pm, so it’s unlikely to be related to any user activity or a specific website, unless it relates to the firewall calling home to Nebula, which seems unlikely.

    I’ve shared the organization with Zyxel and sent you a DM with the organization name.

    Any assistance you can provide would be greatly appreciated.

  • Zyxel_Tina
    Zyxel_Tina Posts: 642 image  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Switch 100 Answers 500 Comments

    Hi @Lucas_Wilson,

    Thank you for your feedback and org/site name!

    Since our engineers are currently on holiday, as a temporary workaround, we kindly suggest setting up a schedule reboot in local GUI to prevent the issue for now. Once they're back, we'll disable it and continue monitoring the issue.

    image.png

    Apologies for any inconvenience.

    Zyxel Tina

  • Lucas_Wilson
    Lucas_Wilson Posts: 14 image  Freshman Member
    Zyxel Certified Network Engineer Level 1 - Nebula First Comment Friend Collector

    Hi @Zyxel_Tina,

    Since the issue seems to be only related to when the WAN port experiences port up/down events in quick succession, I think the issue would still occur even after implementing the scheduled reboot.

    I will give it a go, but please do keep me updated on the status of this

  • GiuseppeR
    GiuseppeR Posts: 644 image  Master Member
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Engineer Level 1 - Nebula First Comment Friend Collector

    Hi @Lucas_Wilson

    have you got any sort of custom setup for ge1?

  • Lucas_Wilson
    Lucas_Wilson Posts: 14 image  Freshman Member
    Zyxel Certified Network Engineer Level 1 - Nebula First Comment Friend Collector

    Hi @GiuseppeR ,

    We haven’t identified anything consistent configuration wise across the three sites where this issue has occurred.

    One of the three sites uses a custom WAN failover trunk with an active ge1 and passive ge2 interface. The other two sites are using the default WAN trunk configuration, with only ge1 actually in use.

    It’s likely that the WAN port up/down alerts are legitimate and related to intermittent power issues. However, this still should not cause the firewall itself to freeze. The firewalls are UPS protected and are not losing power, even if connected downstream devices are experiencing power interruptions.

    Rapid interface status fluctuations just appears to be causing the affected interface to freeze.

  • GiuseppeR
    GiuseppeR Posts: 644 image  Master Member
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Engineer Level 1 - Nebula First Comment Friend Collector
    edited February 18

    Hi @Lucas_Wilson

    I see your setup, it seems standard.

    In your 3x sites do you have all H series and maybe VPN Orchestrator for VPN Site-to-site?

    If so, please could you confirm if you have issues in abnormal "Clients by manufacturers" counters?

    I have this issues since 1.36 uOS:

    https://community.zyxel.com/en/discussion/31837/multiple-unknown-clients-via-vpn-listed-inside-another-fw-clients-list

    I still have this problem… Showing thousands of clients inside my 3x sites with 50Hs linked in VPN

Categories

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)