VPN IPsec site-to-site and L2TP stop working when a few SSL VPN sessions are up

CMruk
CMruk Posts: 14  Freshman Member
First Anniversary Friend Collector First Comment
edited April 2021 in Security

Hello, can SSL VPN only work exclusively? Because VPN IPsec N2N and L2TP stop working when a few (around 10) SSL VPN sessions are up. In the Zywall 310 log I see "L2TP tunnel build successful" but the connection is not finished, and the IPsec N2N tunnel with the USG50 from the branch crashed and does not come up; in the log I see phase 1 done and nothing more from the remote-site peers. Is it some restriction of using SSL VPN, or is it my not-well-done setup on the Zywall 310 device?


All Replies

  • CMruk
    CMruk Posts: 14  Freshman Member
    First Anniversary Friend Collector First Comment

    And when there are no more SSL VPN sessions, everything works again.

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,026  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @CMruk

    Can you provide a screenshot of the log displayed on the monitor?

    Can you share your topology with IP address?

    Could you private message your configuration for further checking?

  • CMruk
    CMruk Posts: 14  Freshman Member
    First Anniversary Friend Collector First Comment
    edited April 2020

    Hi, this is my topology

    SSL VPN use 10.100.200.0/24 network

    L2TP/IPSec use 10.10.1.0/24 network

    N2N USG-20 LAN 10.20.30.0/24

    here is the log when the L2TP client is trying to establish a tunnel, and the N2N IPsec


    and config sent out via pm

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,026  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @CMruk

    I’ve tested your configuration.

    Below is the lab topology

    I changed the WAN IP address on ZyWALL 310

    And I use USG210 to replace USG50


    After building up the scenario, SSL VPN, IPSec VPN and L2TP work fine on your config.

    Below is the test result

    IPSec VPN

    SSL VPN

    L2TP 


    Login User


    Do the symptoms still exist on your site?

    If they still exist, please collect packets from both the ZyWALL 310 and the USG50 on the LAN & WAN interfaces and send them to us via private message.

  • CMruk
    CMruk Posts: 14  Freshman Member
    First Anniversary Friend Collector First Comment
    Thank you for responding; unfortunately the problem still exists. When more than 2 SSL VPN sessions are up, a new L2TP client can't connect.
    Can you please provide any guide on how to collect "device's packets on LAN & WAN interface"?
  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,026  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @CMruk

    Here is an example of how to collect packets.

    Go to Maintenance > Diagnostics > Packet Capture > Capture, select the Capture Interfaces and click Capture.


    After doing the test, click Stop and go to Maintenance > Diagnostics > Packet Capture > Files, select the files and click Download to check the packets on WAN & LAN.


    Can you describe in more detail “when is more then 2 SSL VPN secession up new L2TP client can't connect.”?

    I would like to know, when the 2 SSL sessions are up, how many L2TP users are logged in on the device.

    Are the SSL sessions using the same user to log in or different users? How do the SSL users log in; is it using SecuExtender?

    Is IPSec Site to Site VPN still connected ?

    Can you provide a screenshot of Monitor > System Status > Login Users > Login Users?




  • CMruk
    CMruk Posts: 14  Freshman Member
    First Anniversary Friend Collector First Comment
    edited April 2020
    Hi @Zyxel_Jerry,

    answering your question, "Can you describe more details about “when is more then 2 SSL VPN secession up new L2TP client can't connect.”":
    it means that 2 or more SSL VPN users have established a connection to the device (site) using SecuExtender (v4.0.3); usually there are around 10-15 clients up.



    answering your question "I would like to know when the 2 SSL session is up, how many L2TP user is login on the device":
    there is 1 L2TP/IPsec user/client always connected to the device; it's a Linux server connected from another local government office, used for pgsql database replication, and a Linux command-line script builds up the L2TP/IPsec tunnel.



    answering your question "Is SSL session using the same user to login or different user?How does SSL user login, is it using SecuExtender ?":
    All users have a different account for each VPN type, and group membership corresponds to the specific type of VPN client used by the users; all SSL users use SecuExtender (v4.0.3) from the Zyxel site.

    answering your question "Is IPSec Site to Site VPN still connected ?":
    Occasionally the IPSec site-to-site VPN tunnel is not up, but it's maybe internet overload during the "Covid 19 realm".

    answering your question, "Can you have a screenshot on the Monitor > System Status > Login Users > Login Users ?": below is the screenshot



    For now I only have the chance to collect the device's packets from the Zywall 310 (HQ device); I sent them via PM.
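Before sending captures, it helps to check whether the failed L2TP and IPsec attempts actually line up with the number of SSL VPN sessions that were active at that moment. The script below is an added example, not from this thread or from Zyxel: it walks an event log in order, tracks active SSL VPN users, and for every L2TP or IKE attempt records how many SSL sessions were up when it started and whether it ever completed. The log line format (the `sslvpn:`, `l2tp:` and `ike:` prefixes, the `user=`/`client=`/`peer=` fields and the sample timestamps and addresses) is constructed for the example; only the message "L2TP tunnel build successful" is quoted from the original post, so the regexes would have to be adapted to the real ZyWALL syslog format.

```python
"""Correlate SSL VPN session count with L2TP / IPsec tunnel outcomes.

Added example for the thread above; the log format is constructed and the
only message text taken from the original post is
"L2TP tunnel build successful".
"""
import re
from dataclasses import dataclass

# Constructed log grammar: "<date> <time> <source>: <message>"
LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<src>\w+): (?P<msg>.*)$")
SSL_UP = re.compile(r"session up user=(?P<user>\S+)")
SSL_DOWN = re.compile(r"session down user=(?P<user>\S+)")
L2TP_BUILD = re.compile(r"L2TP tunnel build successful client=(?P<peer>\S+)")
L2TP_DONE = re.compile(r"session established client=(?P<peer>\S+)")
IKE_P1 = re.compile(r"phase 1 done peer=(?P<peer>\S+)")
IKE_P2 = re.compile(r"phase 2 done peer=(?P<peer>\S+)")

# Constructed sample: one L2TP client and one site-to-site peer, with
# attempts made while 1, 3 and 0 SSL VPN sessions are active.
SAMPLE_LOG = [
    "2020-04-10 08:00:01 sslvpn: session up user=alice",
    "2020-04-10 08:00:05 l2tp: L2TP tunnel build successful client=203.0.113.10",
    "2020-04-10 08:00:06 l2tp: session established client=203.0.113.10",
    "2020-04-10 08:01:00 sslvpn: session up user=bob",
    "2020-04-10 08:01:10 sslvpn: session up user=carol",
    "2020-04-10 08:02:00 l2tp: L2TP tunnel build successful client=203.0.113.20",
    "2020-04-10 08:02:05 ike: phase 1 done peer=198.51.100.5",
    "2020-04-10 08:02:30 sslvpn: session down user=alice",
    "2020-04-10 08:02:40 sslvpn: session down user=bob",
    "2020-04-10 08:02:50 sslvpn: session down user=carol",
    "2020-04-10 08:03:00 l2tp: L2TP tunnel build successful client=203.0.113.20",
    "2020-04-10 08:03:01 l2tp: session established client=203.0.113.20",
    "2020-04-10 08:03:10 ike: phase 1 done peer=198.51.100.5",
    "2020-04-10 08:03:12 ike: phase 2 done peer=198.51.100.5",
]


@dataclass
class Attempt:
    kind: str          # "l2tp" or "ipsec"
    peer: str          # client or remote gateway address
    started: str       # timestamp of the first-stage success message
    ssl_sessions: int  # SSL VPN sessions active when the attempt started
    completed: bool = False


def correlate(lines):
    """Return one Attempt per tunnel setup seen in the log, in the order they resolved."""
    active_ssl = set()
    pending = {}  # (kind, peer) -> Attempt whose second stage has not been seen yet
    results = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, src, msg = m.group("ts", "src", "msg")
        if src == "sslvpn":
            up, down = SSL_UP.search(msg), SSL_DOWN.search(msg)
            if up:
                active_ssl.add(up["user"])
            elif down:
                active_ssl.discard(down["user"])
            continue
        kind = {"l2tp": "l2tp", "ike": "ipsec"}.get(src)
        if kind is None:
            continue
        start = L2TP_BUILD.search(msg) or IKE_P1.search(msg)
        done = L2TP_DONE.search(msg) or IKE_P2.search(msg)
        if start:
            key = (kind, start["peer"])
            if key in pending:  # a retry: the earlier attempt never finished
                results.append(pending.pop(key))
            pending[key] = Attempt(kind, start["peer"], ts, len(active_ssl))
        elif done:
            att = pending.pop((kind, done["peer"]), None)
            if att:
                att.completed = True
                results.append(att)
    results.extend(pending.values())  # still unfinished at end of log
    return results


def summarize(attempts):
    """(highest SSL count on a completed attempt, lowest SSL count on a failed one)."""
    ok = [a.ssl_sessions for a in attempts if a.completed]
    failed = [a.ssl_sessions for a in attempts if not a.completed]
    return (max(ok) if ok else None, min(failed) if failed else None)


if __name__ == "__main__":
    attempts = correlate(SAMPLE_LOG)
    for a in attempts:
        state = "ok" if a.completed else "INCOMPLETE"
        print(f"{a.started} {a.kind:5} {a.peer:15} ssl_sessions={a.ssl_sessions} {state}")
    print("max SSL sessions on success / min on failure:", summarize(attempts))
```

On the constructed sample the output shows both the L2TP client and the site-to-site peer completing only while 0 or 1 SSL sessions were active and stalling after the first stage while 3 were up, which is the pattern the thread describes; on a real log the same gap between the two numbers from `summarize` (or the absence of one) is what tells you whether session count is the variable worth capturing around.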
  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,026  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @CMruk

    What firmware are both devices currently using?

    Can you also provide the configuration file of the device USG20-VPN via private message?


  • CMruk
    CMruk Posts: 14  Freshman Member
    First Anniversary Friend Collector First Comment
    edited April 2020
    Hello @Zyxel_Jerry

    The firmware information currently running on the devices, the config files from the USG20 and Zywall 310, and the packet capture files were sent via PM.

    Zywall 310
    Nazwa systemu:zw310
    Nazwa modelu:ZyWALL 310
    Numer seryjny:S172L34100353
    Zakres adresów MAC xx:xx:xx:xx:xx:xx ~ xx:xx:xx:xx:xx:xx
    Wersja oprogramowania:V4.38(AAAB.0) / 2020-04-07 00:58:03

    USG20-VPN
    Nazwa modelu:USG20-VPN
    Numer seryjny:S172L01100513
    Zakres adresów MAC xx:xx:xx:xx:xx:xx ~ xx:xx:xx:xx:xx:xx
    Wersja oprogramowania:V4.35(ABAQ.3) / 2020-02-26 17:02:38



  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,026  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @CMruk

    Can you change the key group to a different type and test to see if the client can build up the L2TP VPN tunnel?
    Below is an example of the settings:

    Go to Configuration > VPN > IPSec VPN > VPN Gateway, select the L2TP_VPN rule and click Edit.


    Go to the bottom of the settings, change the key group to a different type of key group (for example from DH14 to DH2) and use the client to build up the L2TP tunnel to check if it can connect to the device.

