SSL VPN sometimes disconnects after few second

spallared
spallared Posts: 18  Freshman Member
First Comment Friend Collector Fourth Anniversary
edited April 2021 in Security
Hello, on my USG310, randomly, some user is able to connect only after a couple of retries (sometimes 2, sometimes 50).
Internet connection is fine and no action is necessary to make the vpn works except trying again. In the client log this is what i have when the connection fails:

[ 2020/04/22 11:17:56 ][SecuExtender Helper] Request(100): REMOVE 117549248/123410257 6 4294967295 4294967295
[ 2020/04/22 11:17:56 ][SecuExtender Helper] Remove Routing
[ 2020/04/22 11:17:56 ][SecuExtender Helper] Remove prioritize routing
[ 2020/04/22 11:17:56 ][SecuExtender Helper] Get netsh path = powershell
[ 2020/04/22 11:17:56 ][SecuExtender Helper] ia is null
[ 2020/04/22 11:17:56 ][SecuExtender Helper] Failed to read from client(2): 109, 0
[ 2020/04/22 11:17:56 ][SecuExtender Helper] Start to Disconnect pipe...
[ 2020/04/22 11:17:56 ][SecuExtender Helper] Shutting down a pipe connection instance...
[ 2020/04/22 11:17:56 ][SecuExtender Helper] ==============================

and this is what i see when the connections works:
[ 2020/04/22 11:18:02 ][SecuExtender Helper] Request(114): INITIAL 6 1082099722 4294967295 2608695306 2625472522 0 0
[ 2020/04/22 11:18:02 ][SecuExtender Helper] Get netsh path = C:\Windows\system32\netsh.exe
[ 2020/04/22 11:18:02 ][SecuExtender Helper] Get ipconfig path = C:\Windows\system32\ipconfig.exe
[ 2020/04/22 11:18:02 ][SecuExtender Helper] FlushIpNetTable on interface = 6, error code = 0
[ 2020/04/22 11:18:02 ][SecuExtender Helper] Adding an IP/netmask ip = 10.136.127.64/255.255.255.255 to interface 6 using the Win32 IP Helper API, uNTEContext = 1082099722, status = 0
[ 2020/04/22 11:18:02 ][SecuExtender Helper] WriteFile hPipe success agentState.aState = 2, agentState.aError = 0, dwWrite = 8
[ 2020/04/22 11:18:02 ][SecuExtender Helper] Request(186): CREATE 117549248/123410257 6 1082099722 4294967295 29927616 8161290 16580607 7833610 16777215
[ 2020/04/22 11:18:02 ][SecuExtender Helper] ACTION_CREATE pNetCfg->myip = 117549248, pNetCfg->gwip = 123410257, pNetCfg->dwIfIndex = 6, pNetCfg->nodeip = 1082099722, pNetCfg->localip = 29927616
[ 2020/04/22 11:18:02 ][SecuExtender Helper] argc = 10
[ 2020/04/22 11:18:02 ][SecuExtender Helper] areacounter = 2
[ 2020/04/22 11:18:02 ][SecuExtender Helper] Remove prioritize routing
[ 2020/04/22 11:18:02 ][SecuExtender Helper] Succeed to delete Route: (224.0.0.0)
[ 2020/04/22 11:18:02 ][SecuExtender Helper] Succeed to delete Route: (255.255.255.255)

What can cause the issue? Any suggestion on how to solve the problem?

Thank you in advance
Luca

All Replies

  • USG_User
    USG_User Posts: 374  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    In Corona times also we have a lot of HomeOffice worker connected via SSL VPN to our USG110. And experiences have shown instable VPN tunnels in case of:
    - Internet connection / ping times are too bad at home (some users own only an internet access
      connection with <5Mbit down, <1Mbit up, Ping times >40 ms)
    - WLAN repeater in place at home
    - PowerLine adapter in place at home
  • itxnc
    itxnc Posts: 98  Ally Member
    First Comment Friend Collector Sixth Anniversary
    Same - some users have no trouble at all with SSL VPN. Others get dropped constantly. Seems to be related to Internet Connection but hard to tell. Others get stuck at 0 bytes in or out even with successful 2FA.
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    50 Answers 500 Comments Friend Collector Fourth Anniversary
    @spallared
    Before you establish SSL VPN, can I know what is IP address of issued PCs? and Can I know what is IP subent/range on Network list.


    USG_User
    Can I know the PCs(SSL VPN client) establish Tunnel via wifi? Could let PC connect with wire cable without connected wifi, then check it again. Also, regarding this issue, did the tunnel disconnect immediately?
  • USG_User
    USG_User Posts: 374  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary

    @USG_User
    Can I know the PCs(SSL VPN client) establish Tunnel via wifi? Could let PC connect with wire cable without connected wifi, then check it again. Also, regarding this issue, did the tunnel disconnect immediately?
    I have round about 10 SSL VPN user per day, where mostly of them have no problems with establishing and holding the tunnel. Problems occur on WLAN connected machines, only if they connect via WLAN extender (WLAN repeater) or PowerLine adapter. Wired clients have no problems, except if their internet connection speed is too bad. All in all no problems.

    No, in case of problems the tunnel doesn't disconnect immediately but only after a time.

  • spallared
    spallared Posts: 18  Freshman Member
    First Comment Friend Collector Fourth Anniversary
    @spallared
    Before you establish SSL VPN, can I know what is IP address of issued PCs? and Can I know what is IP subent/range on Network list.


    Hello @Zyxel_Charlie, do you mean the local ip address of the client computer? Usually they are connected from home so it's a local ip like 192.168.1.x behind a nat. Server side, under the selected address objects there are two lans (10.136.124.0/22 and 10.136.119.0/24)

    As said before the strange thing is that if the user retries multiple times in sequence the vpn connects succesfully.

    Thank you
    Luca

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    50 Answers 500 Comments Friend Collector Fourth Anniversary
    @spallared
    Regarding to this case,
    Can you reproduce the issue occur again, and then collect the complete information as below.
    1. Please Go to My PC>Local Disk C
    Collect "SecuExtenderHelper.log"
    2. and then Go to My PC>Local Disk C>Users>select the file of account which you login
    Collect "SecuExtender.log" 
    Please private message the information for check further.

    @ USG_User
    The symptom you described looks like the issue is related with Wifi. 

    Can you draw related location of these device? Where are these device, is it far or near USG?

    When the issue appear, does user ping to internet smoothly?

    Please also private message the secuextender log I mentioned above for check further

    You can try to use application “inSSIDer” to check the details about your Wifi access points.

  • USG_User
    USG_User Posts: 374  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    Hi Charlie,
    Of course, the problem is always related with WiFi and only reported from some of our Home Workers where I have no access to their home network. But as already said, VPN tunnel instabilities occur only when they try to extend their WiFi by using WLAN extender (repeater) or PowerLine adapter. As soon as they disconnect them and use normal AP Wifi or Wifi provided by the router itself, it works great. No need for further investigation. My remark was only intended for @spallared to check his WLAN environment.

Security Highlight