USG FLEX H - LAG Interface edit Transmit Hash Policy issue

fedebros

Hi, editing "Transmit Hash Policy", changing from src-dst-ip-mac to src-dst-mac and viceversa, made the firewall unresponsive.

I had another interface for configuring USG FLEX 200 H via Ethernet, so it wasn't the same LAG interface I was editing.

HTTP access works, but I cannot use any command since it logs me out everytime. Via SSH it was the same, I didn't get the prompt, just some timeout messages.

The only one way to restore it, was unplug e plug again the power cable. After reboot it was working correctly with the setting I've made before it hanged.

Could you check please if there is some issue related to this setting?

Firmware 1.38.

Thank you.

Federico

Zyxel_Tina

Hi @fedebros,

To better understand the issue, could you please help confirm the following:

As you mentioned changing from "src-dst-ip-mac" to "src-dst-mac" and vice versa,

• Which interface was your PC connected to?
• Which firewall interface IP were you using for management access?

We would like to learn whether the management traffic was passing through the affected LAG interface or through a separate interface.

fedebros

Hi Tina, it was a separate interface: I was in the following situation (just covered name ad IP address of my customer):

My PC was attached to ge3 interface, and I was editing "lan" interface, but the same happened this morining editing "wan" interface..

At the first time this moring after some minute the firewall come back responsive, i was editing "wan" interface from remote site. The second time I was locally connected, editing "wan" interface, and I needed to unplug the power connector.

The firewall continue to answer to ping requests and the passive Device HA remain passive since the active device is still responding.

I don't know if it's related to this question

https://community.zyxel.com/en/discussion/33077/usg-flex-200h-lag-lacp-interface-issue

but I don't think that it's specifically related since via ssh I was still connected via ge3 interface, but the firewall gone in timeout executiing commands like get-configuration (sorry I didn't take a note about the command)…

Thank you

Kind regards

Zyxel_Tina

Hi @fedebros,

Thank you for the additional information.

To ensure we correctly understand the sequence of events, could you please confirm the following:

1. First case
   • Your PC was locally connected to ge3.
   • You edited the "lan" LAG interface Transmit Hash Policy.
   • After applying the change, the firewall became unresponsive and only recovered after a power cycle.
2. Second case
   • You were remotely connected (via remote configurator) while editing the "wan" LAG interface.
   • After applying the change, the firewall became temporarily unresponsive, but recovered automatically after a few minutes.
3. Third case
   • You were locally connected again while editing the "wan" LAG interface.
   • After applying the change, the firewall remained unresponsive until the power cable was unplugged.

Additionally, please help clarify at which stage the firewall was still replying to ping requests and the passive HA device remained passive. Was this observed during all three cases above, or only during one specific occurrence?

We have also performed a quick test on another USG FLEX 200H with firmware 1.38. During our test, changing the Transmit Hash Policy temporarily interrupted connectivity for a few seconds before recovering automatically. For example:

• WAN LAG test: around 5 ping packets lost
• LAN LAG test: around 3 ping packets lost

After that, the device became responsive again normally.