VPN IPsec site-to-site and L2TP stop working when a few SSL VPN sessions are up
Hello, can SSL VPN only work exclusively? Because the IPsec N2N VPN and L2TP stop working when a few (around 10) SSL VPN sessions are up. In the Zywall 310 log I see "L2TP tunnel build successful", but the connection is not finished, and the IPsec N2N tunnel with the USG50 from the branch crashed and does not come up; in the log I see phase 1 done and nothing more from the remote peer. Is this some restriction of using SSL VPN, or is it my incorrect setup on the Zywall 310 device?
And when there are no more SSL VPN sessions, everything works again.
Hi @CMruk
Can you post a screenshot of the log displayed on the monitor?
Can you share your topology with IP addresses?
Could you private message your configuration for further checking?
Engage in the Community, become an MVP, and win exclusive prizes!
Hi, this is my topology
SSL VPN uses the 10.100.200.0/24 network
L2TP/IPSec uses the 10.10.1.0/24 network
N2N USG-20 LAN 10.20.30.0/24
Here is the log when the L2TP client is trying to establish the tunnel and the N2N IPsec
The config was sent out via PM
Hi @CMruk
I've tested your configuration.
Below is the lab topology
I changed the WAN IP address on the ZyWALL 310
and I used a USG210 to replace the USG50.
After building up the scenario, SSL VPN, IPSec VPN and L2TP work fine on your config.
Below are the test results
IPSec VPN
SSL VPN
L2TP
Login User
Do the symptoms still exist on your site?
If they still exist, please collect packet captures on both the ZyWALL 310's and the USG50's LAN & WAN interfaces and send them to us via private message.
Thank you for responding; unfortunately the problem still exists. When more than 2 SSL VPN sessions are up, a new L2TP client can't connect.
Can you please provide any guide on how to collect the "device's packets on the LAN & WAN interface"?
Hi @CMruk
Here is an example of how to collect packets.
Go to Maintenance > Diagnostics > Packet Capture > Capture, select the Capture Interfaces and click Capture.
After doing the test, click Stop, then go to Maintenance > Diagnostics > Packet Capture > Files, select the files and click Download to check the packets on WAN & LAN.
Can you describe in more detail "when more than 2 SSL VPN sessions are up, a new L2TP client can't connect"?
I would like to know, when the 2 SSL sessions are up, how many L2TP users are logged in on the device.
Are the SSL sessions using the same user to log in or different users? How do the SSL users log in; are they using SecuExtender?
Is the IPSec site-to-site VPN still connected?
Can you post a screenshot of Monitor > System Status > Login Users > Login Users?
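Once the WAN-side capture has been downloaded, the first thing to check for the symptom described in the opening post ("phase 1 done and nothing more from the remote peer") is whether each remote peer ever moved from IKEv1 main/aggressive mode into quick mode. The script below is an added example, not part of this thread or of any Zyxel tool: it decodes the fixed ISAKMP header of UDP/500 datagrams (RFC 2408) and gives a per-peer verdict; the peer addresses and datagrams are constructed sample data, and feeding it real packets would require extracting the UDP payloads from the pcap yourself.

```python
import struct
from collections import defaultdict

# IKEv1 exchange type codes carried in the ISAKMP header (RFC 2408 / RFC 2409).
MAIN_MODE, AGGRESSIVE, INFORMATIONAL, QUICK_MODE = 2, 4, 5, 32

def parse_isakmp_header(datagram: bytes) -> dict:
    """Decode the fixed 28-byte ISAKMP header of one UDP/500 payload."""
    if len(datagram) < 28:
        raise ValueError("datagram shorter than an ISAKMP header")
    i_spi, r_spi, _next, _ver, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", datagram[:28])
    return {"i_spi": i_spi.hex(), "r_spi": r_spi.hex(), "exchange": exch,
            "encrypted": bool(flags & 0x01), "msg_id": msg_id, "length": length}

def diagnose_peers(packets) -> dict:
    """packets: iterable of (remote_ip, udp_payload). Returns a verdict per peer."""
    seen = defaultdict(set)
    for remote_ip, payload in packets:
        seen[remote_ip].add(parse_isakmp_header(payload)["exchange"])
    verdicts = {}
    for ip, exchanges in seen.items():
        if QUICK_MODE in exchanges:
            verdicts[ip] = "phase 2 reached"
        elif exchanges & {MAIN_MODE, AGGRESSIVE}:
            verdicts[ip] = "phase 1 only"   # the pattern reported in the opening post
        else:
            verdicts[ip] = "no IKE negotiation seen"
    return verdicts

def make_isakmp(i_spi: bytes, r_spi: bytes, exch: int, flags: int, msg_id: int) -> bytes:
    """Build a header-only ISAKMP datagram (constructed test data, version 1.0, no payloads)."""
    return struct.pack("!8s8sBBBBII", i_spi, r_spi, 0, 0x10, exch, flags, msg_id, 28)

# Constructed sample (documentation addresses): a branch peer that completes main mode and
# then goes silent, and a second peer that continues into an encrypted quick mode exchange.
BRANCH, OTHER = "203.0.113.5", "198.51.100.9"
SAMPLE = (
    [(BRANCH, make_isakmp(b"\x01" * 8, b"\x02" * 8, MAIN_MODE, 0, 0))] * 6
    + [(OTHER, make_isakmp(b"\x03" * 8, b"\x04" * 8, MAIN_MODE, 0, 0))] * 6
    + [(OTHER, make_isakmp(b"\x03" * 8, b"\x04" * 8, QUICK_MODE, 0x01, 0x1A2B))] * 3
)

if __name__ == "__main__":
    for ip, verdict in diagnose_peers(SAMPLE).items():
        print(ip, "->", verdict)
```

A peer stuck at "phase 1 only" on the HQ side while the branch log shows phase 1 complete narrows the problem to the phase 2 proposal or the traffic selectors rather than to authentication.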
Hi @Zyxel_Jerry,
Answering your question, "Can you describe in more detail 'when more than 2 SSL VPN sessions are up, a new L2TP client can't connect'":
it means that 2 or more SSL VPN users have established a connection to the device (site) using SecuExtender (v4.0.3); usually there are around 10-15 clients up.
Answering your question, "I would like to know, when the 2 SSL sessions are up, how many L2TP users are logged in on the device":
there is 1 L2TP/IPsec user/client always connected to the device; it's a Linux server connected from another local government office, used for pgsql database replication, and it's a Linux command line script that builds up the L2TP/IPsec tunnel.
Answering your question, "Are the SSL sessions using the same user to log in or different users? How do the SSL users log in; are they using SecuExtender?":
All users have a different account for each type of VPN, and group membership corresponds to the specific type of VPN client used by the users; all SSL users use SecuExtender (v4.0.3) from the Zyxel site.
Answering your question, "Is the IPSec site-to-site VPN still connected?":
Occasionally the IPSec site-to-site VPN tunnel is not up, but that is maybe internet overload during the "Covid-19 realm".
Answering your question, "Can you post a screenshot of Monitor > System Status > Login Users > Login Users?", below is the screenshot.
For now I only have a chance to collect the device's packets from the Zywall 310 (HQ device); I sent them via PM.
Hi @CMruk
What firmware are both devices currently using?
Can you also provide the configuration file of the USG20-VPN device via private message?
Hello @Zyxel_Jerry
Firmware information currently running on the devices is below; the config file from the USG20 and the Zywall 310 packet capture files were sent via PM.
Zywall 310
System name: zw310
Model name: ZyWALL 310
Serial number: S172L34100353
MAC address range: xx:xx:xx:xx:xx:xx ~ xx:xx:xx:xx:xx:xx
Firmware version: V4.38(AAAB.0) / 2020-04-07 00:58:03
USG20-VPN
Model name: USG20-VPN
Serial number: S172L01100513
MAC address range: xx:xx:xx:xx:xx:xx ~ xx:xx:xx:xx:xx:xx
Firmware version: V4.35(ABAQ.3) / 2020-02-26 17:02:38
Hi @CMruk
Can you change the key group to a different type and test whether the client can build the L2TP VPN tunnel?
Below is an example of the settings: Go to Configuration > VPN > IPSec VPN > VPN Gateway > select the L2TP_VPN rule > click Edit.
Go to the bottom of the settings, change the key group to a different type of key group (for example from DH14 to DH2), and use the client to build the L2TP tunnel to check whether it can connect to the device.