SSL VPN / L2TP / AD Authentication: connection fail when VTI active

Alexander_Morozov
edited April 2021 in Security

Briefly:

When we add a VTI to the configuration of our Zywall 310, SSL VPN (SecuExtender) and L2TP clients cannot connect using AD authentication, while local authentication (on the Zywall itself) works fine.

We supposed that our new VTI does not let the Zywall reach the DC.

We used "Configuration validation" in Object/AAA Server/Active Directory section to check this idea.

Everything is "ok" there.

We also captured the LDAP exchange between the Zywall and the DC and found that the bind is successful, and the Zywall authenticates the user in AD with a password as well (for SSL VPN).

And the bind is successful / authentication fails (for L2TP/PAP).

Simple things like disabling the firewall, updating the firmware, etc., etc. have already been done.

So, we caught a complicated bug.

When we disable the VTI, the SSL VPN client and the L2TP client connect fine.

We need remote assistance from an expert; we are ready to share the configuration and debug logs.
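The LDAP exchange the post describes (a bind that succeeds, then a per-user password check that succeeds for SSL VPN and fails for L2TP/PAP) can be read precisely from the BindResponse resultCode in the capture rather than eyeballed. The following is an added example, not part of the original thread and not Zyxel firmware code: a stdlib-only Python encoder/decoder for LDAPv3 simple BindRequest/BindResponse PDUs (RFC 4511, BER). The DN, password, message IDs, the hand-assembled success PDU and the AD-style diagnostic text are constructed sample values, not bytes from the poster's capture.

```python
"""Encode and decode LDAPv3 simple bind PDUs (RFC 4511) with a minimal BER codec.

Added example for reading a captured BindResponse; nothing here is from the
original post or from Zyxel. All sample values below are constructed.
"""

# LDAP result codes a bind can return (RFC 4511 Appendix A, subset).
RESULT_CODES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    32: "noSuchObject",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61  # [APPLICATION 1], constructed
TAG_SIMPLE_AUTH = 0x80    # [0] context-specific: simple (cleartext) password


def _encode_length(n):
    """BER length: short form below 0x80, otherwise long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _encode_length(len(value)) + value


def _encode_int(tag, n):
    """Two's-complement encoding for non-negative ints (extra 0x00 if high bit set)."""
    return _tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def encode_simple_bind(message_id, dn, password):
    """LDAPMessage carrying a version-3 simple BindRequest, as a client sends it."""
    bind = (_encode_int(TAG_INTEGER, 3)
            + _tlv(TAG_OCTET_STRING, dn.encode())
            + _tlv(TAG_SIMPLE_AUTH, password.encode()))
    return _tlv(TAG_SEQUENCE, _encode_int(TAG_INTEGER, message_id) + _tlv(TAG_BIND_REQUEST, bind))


def encode_bind_response(message_id, result_code, diagnostic=""):
    """LDAPMessage carrying a BindResponse (empty matchedDN), as a DC answers."""
    resp = (_encode_int(TAG_ENUMERATED, result_code)
            + _tlv(TAG_OCTET_STRING, b"")
            + _tlv(TAG_OCTET_STRING, diagnostic.encode()))
    return _tlv(TAG_SEQUENCE, _encode_int(TAG_INTEGER, message_id) + _tlv(TAG_BIND_RESPONSE, resp))


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV at buf[pos]; rejects truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad or indefinite BER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated PDU")
    return tag, buf[pos:end], end


def _expect(buf, pos, tag):
    t, v, nxt = _read_tlv(buf, pos)
    if t != tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (tag, t))
    return v, nxt


def decode_ldap_message(pdu):
    """Parse one LDAPMessage; understands BindRequest and BindResponse only."""
    body, end = _expect(pdu, 0, TAG_SEQUENCE)
    if end != len(pdu):
        raise ValueError("trailing bytes after LDAPMessage")
    mid, pos = _expect(body, 0, TAG_INTEGER)
    msg = {"messageID": int.from_bytes(mid, "big")}
    op_tag, op, _ = _read_tlv(body, pos)
    if op_tag == TAG_BIND_REQUEST:
        ver, p = _expect(op, 0, TAG_INTEGER)
        name, p = _expect(op, p, TAG_OCTET_STRING)
        auth_tag, cred, _ = _read_tlv(op, p)
        msg.update(op="bindRequest", version=int.from_bytes(ver, "big"), name=name.decode(),
                   simple=(auth_tag == TAG_SIMPLE_AUTH), password_len=len(cred))
    elif op_tag == TAG_BIND_RESPONSE:
        rc, p = _expect(op, 0, TAG_ENUMERATED)
        matched, p = _expect(op, p, TAG_OCTET_STRING)
        diag, _ = _expect(op, p, TAG_OCTET_STRING)
        code = int.from_bytes(rc, "big")
        msg.update(op="bindResponse", resultCode=code, result=RESULT_CODES.get(code, "unknown(%d)" % code),
                   matchedDN=matched.decode(), diagnosticMessage=diag.decode(errors="replace"))
    else:
        msg.update(op="unsupported(0x%02x)" % op_tag)
    return msg


def bind_outcome(pdu):
    """One-line verdict for a captured BindResponse: 'OK' or the failure and its diagnostic."""
    m = decode_ldap_message(pdu)
    if m["op"] != "bindResponse":
        return "not a BindResponse (%s)" % m["op"]
    return "OK" if m["resultCode"] == 0 else "%s: %s" % (m["result"], m["diagnosticMessage"])


# Constructed sample: hand-assembled successful BindResponse (messageID 1, resultCode 0).
CAPTURED_BIND_OK = bytes.fromhex("300c020101" "6107" "0a0100" "0400" "0400")

if __name__ == "__main__":
    # Constructed DN/password; the diagnostic mimics AD's wording for a wrong password.
    req = encode_simple_bind(2, "CN=vpnuser,OU=Users,DC=example,DC=local", "secret")
    print(decode_ldap_message(req))
    print(bind_outcome(CAPTURED_BIND_OK))
    print(bind_outcome(encode_bind_response(2, 49, "AcceptSecurityContext error, data 52e")))
```

Feed each BindResponse from the capture (for example exported from Wireshark as raw bytes) to bind_outcome(). The post's distinction is visible per message: the gateway's service-account bind answers resultCode 0, and the later bind with the dialling user's credentials answers 0 for the SSL VPN case and 49 for the L2TP/PAP case. In AD responses the "data NNN" token in diagnosticMessage narrows a code-49 failure further (52e bad password, 525 no such user, 775 account locked out).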

All Replies

  • Zyxel_Emily

    Hi @Alexander_Morozov,

    Here is the test result in our lab.

    Model: ZyWALL 310, USG110

    FW: 4.35

    VTI interfaces and VTI trunk are created on both devices.

    VPN tunnels are established.

    L2TP VPN and SSL VPN can be connected to ZyWALL 310 using the AD user account.


    Since the issue cannot be reproduced in our lab, could you share your startup-config.conf with us so we can check the symptom?

    I will contact you in private message for more information.

    Best regards,
    Emily


  • Alexander_Morozov

    Hello, Emily!

    I sent you the conf in a private message.
