Loss of connection after 15 days on the Wan Access

Berry
Berry Posts: 3
edited April 2021 in Security

Hi everybody, I have a problem with a USG20-VPN at a customer's site.

Indeed, after 15-20 days I lose the connection to the USG for WAN management: no ping answer on the public address, no SSH access, and my client can no longer connect via SSL VPN from outside.

On the other hand, in the LAN there is no problem with internet access; everything works.

I must reboot the USG from the LAN regularly to get my admin access on the WAN back.

The firewall is at version 4.35.

Do you have any idea?

Thank you in advance.

Comments

  • PeterUK
    PeterUK Posts: 2,704  Guru Member
    edited April 2020

    Does the USG have a public WAN IP, and not one from another NAT router?

    Set up a No-IP hostname for the client connecting from the WAN, and change the rule from wan1 to ZyWALL so that its source IP is the FQDN of the No-IP domain name. That way only you, coming from the remote IP the No-IP client registers, can ping or access the USG; everything else is blocked. See if that works.

    https://www.noip.com/

  • Jeremylin
    Jeremylin Posts: 166  Master Member

    Does USG20-VPN wan IP change every 15-20 days?

  • Berry
    Berry Posts: 3

    Thank you for your answers.

    So if I understand correctly, I create a new Address/Geo IP in Object, with Type FQDN and IPv4 "XXXXXX.ddns.net".

    Then I create a new rule in Policy Control with my "NoipDomain", from WAN to ZyWALL and with the No-IP domain as the IPv4 Source.

    Do I just do this, or is there another parameter?

    Thank you in advance. (Yes, my client has a fixed IP address.)

  • warwickt
    warwickt Posts: 111  Ally Member

    Hi Berry, as Jeremylin asked whether the WAN IP changes... for the point of my suggestion, let's say you may have a DYNAMIC IP ADDRESS (service) with your ISP (true?).

    It's as you state: you use a DYN DNS of sorts to get access from the WAN over the interwebs.

    If so... else don't read any further.

    Assuming your service with your ISP is a DYNAMIC IP address (it changes, as alluded to by Jeremylin):

    Possible Problem:

    It's likely the dynamic DHCP lease for your ISP WAN is not being renewed correctly from your USG20 to your ISP.

    This probably accounts for the regular outage. You can ask your ISP what the DHCP LEASE time on the WAN is... for our office ISP (HKT/PCCW) it looks like 10 days.

    I'd be curious if there's a way to find out upstream, or something stored locally in the lease on the router? PeterUK?

    You can check the logs next time it happens and see if the WAN(x) port is Status=DOWN.
    

    The fix (usually)

    is to do any of these:

    1) Renew the WAN port manually

    a) through the CLI:

    Router> release dhcp wan1
    Router> renew dhcp wan1

    b) Web UI - Dashboard, Interface Status Summary widget / wan1 RENEW

    2) or, more elegantly, use a zysh script to renew the WAN DHCP LEASE (regularly)
    • i.e. weekly, every Sunday morning etc. (or whatever feels least disruptive)
    • this is very, very easy to do - plenty of Zyxel docs on this.
      • a 2-line .zysh script.
    3) or, what works automatically, use a local LAN host with a script
    • that interrogates the upstream, detects the WAN port(s) DOWN and auto-renews them through the router - code and scripts.
    • we deployed this at some of our clients.
    4) or use BRUTE FORCE and power-cycle the ISP's fibre modem
    • or equivalent NEP
    • that always fixes it!

    Background:

    Here in Hong Kong, this WAN ISP DHCP lease renewal failure occurs regularly with Zyxel USG and other brands' appliances on ISP HKT/PCCW's BizNetvigator 1GB fibre broadband service, at several of our clients, including ourselves at our lab. An industry guru colleague told us ages ago: "old news... change your ISP".

    We've had to deal with this for over 4 years.

    We're told that the ISP WAN DHCP renewal negotiation for the DHCP lease may fail depending on the state of the planets and stars (meaning they don't know). It only occurs with fibre, VDSL etc. (PPPoE etc. OK).

    We have heard of similar experiences with other ISPs in their countries. Looks like a bit of hit and miss.

    The DSLReports forums also have some older posts about issues with US-based ISPs.


    HTH

    Warwick

    Hong Kong
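
Option 3 above (a LAN host that detects the WAN down and renews the lease through the router), as an added example that is not code from the thread or from Zyxel: a POSIX shell watchdog for a host behind the USG. It pings an upstream address, keeps a counter of consecutive fully-failed rounds in a state file, and once the threshold is reached sends the two release/renew CLI commands quoted in the post to the USG over SSH. The LAN address 192.168.1.1, the admin account, the probe host, the state-file path, Linux `ping` flags, and the assumption that the USG's SSH CLI accepts those commands on stdin are all placeholders or assumptions; with the default DRY_RUN=1 it only prints what it would send.

```shell
#!/bin/sh
# Added example (not from the thread): LAN-side WAN watchdog for a Zyxel USG.
# Probes upstream from a host behind the USG; after ROUNDS_BEFORE_KICK consecutive
# fully-failed rounds it sends the DHCP release/renew commands to the USG over SSH.
# Every address, account and path below is an assumption; adjust for your site.

USG_LAN_IP="${USG_LAN_IP:-192.168.1.1}"        # assumed LAN-side address of the USG
USG_USER="${USG_USER:-admin}"                  # assumed admin account with key-based SSH
WAN_IF="${WAN_IF:-wan1}"                       # interface whose lease is renewed
PROBE_HOST="${PROBE_HOST:-1.1.1.1}"            # assumed upstream host reachable only via WAN
PROBES_PER_ROUND="${PROBES_PER_ROUND:-3}"      # pings per round
ROUNDS_BEFORE_KICK="${ROUNDS_BEFORE_KICK:-3}"  # hysteresis: rounds that must all fail
STATE_FILE="${STATE_FILE:-/tmp/usg-wan-watchdog.state}"  # consecutive-failure counter
DRY_RUN="${DRY_RUN:-1}"                        # 1 = only print the commands, 0 = really ssh

# Run the probe command N times and echo how many runs exited non-zero.
probe_failures() {
    cmd="$1"; n="$2"; failed=0; i=0
    while [ "$i" -lt "$n" ]; do
        if ! sh -c "$cmd" >/dev/null 2>&1; then
            failed=$((failed + 1))
        fi
        i=$((i + 1))
    done
    echo "$failed"
}

# Persisted counter of consecutive rounds in which every probe failed.
read_state() { if [ -f "$STATE_FILE" ]; then cat "$STATE_FILE"; else echo 0; fi; }
write_state() { printf '%s\n' "$1" > "$STATE_FILE"; }

# Fold one round's result into the counter: all probes failed -> count+1,
# any success -> reset to 0. Echoes the new counter; returns 0 (true)
# only when the counter has reached ROUNDS_BEFORE_KICK, i.e. time to kick.
record_round() {
    failed="$1"; total="$2"
    count="$(read_state)"
    if [ "$failed" -ge "$total" ]; then
        count=$((count + 1))
    else
        count=0
    fi
    write_state "$count"
    echo "$count"
    [ "$count" -ge "$ROUNDS_BEFORE_KICK" ]
}

# The two CLI lines from the post, one per line, for the configured interface.
renew_commands() {
    printf 'release dhcp %s\nrenew dhcp %s\n' "$WAN_IF" "$WAN_IF"
}

# Send the commands to the USG. Assumption: the USG's SSH CLI accepts the
# commands on stdin; BatchMode fails fast instead of prompting for a password.
renew_wan_lease() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY RUN: would send to %s@%s:\n' "$USG_USER" "$USG_LAN_IP"
        renew_commands
        return 0
    fi
    renew_commands | ssh -o BatchMode=yes -o ConnectTimeout=10 "$USG_USER@$USG_LAN_IP"
}

# One watchdog pass: probe (Linux ping flags assumed), update the counter,
# kick the lease if the threshold has been reached.
run_round() {
    failed="$(probe_failures "ping -c 1 -W 2 $PROBE_HOST" "$PROBES_PER_ROUND")"
    if count=$(record_round "$failed" "$PROBES_PER_ROUND"); then
        logger -t usg-wan-watchdog "WAN down for $count rounds, renewing $WAN_IF" 2>/dev/null || true
        renew_wan_lease && write_state 0   # start over after a kick
    fi
}

# Only touch the network when explicitly asked (e.g. from cron every 5 minutes):
#   WATCHDOG_RUN=1 DRY_RUN=0 sh usg-wan-watchdog.sh
if [ "${WATCHDOG_RUN:-0}" = "1" ]; then
    run_round
fi
```

Run it from cron on a LAN host with WATCHDOG_RUN=1 and DRY_RUN=0 once the dry run shows the expected commands. The counter gives hysteresis so a single dropped ping does not bounce the lease, and the SSH key used should be restricted to this host and that admin account, since it grants CLI access to the firewall.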

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee

    @Berry

    For the DDNS setting, you have to register an account with a DDNS service provider (e.g. No-IP or DynDNS) and create a DNS hostname for the dynamic IP, then configure DDNS on the USG for IP updating.

    USG DDNS configuration is as below,


  • Berry
    Berry Posts: 3

    Thank you everybody for your input :-)

    My client and I are based in France with a local fibre ISP (FAI).

    And I confirm that the IP address provided does not change; it is very strange.

    For now everything works: I disabled a user configuration in the PPP settings and enabled the system default profile.

    I also set the "IP Address Assignment" section to "Use Fixed IP Address".

    Watch this space ...

  • warwickt
    warwickt Posts: 111  Ally Member
    edited April 2020

    Hi Berry, I just noticed this; I would suggest you gather the logs for the WAN outage and post them here.

    (You may need to set up a syslog host somewhere on your LAN... it's simple enough to do.)

    You point out above that your WAN_PPP responds when (I assume) you deactivate and then reactivate the WAN_PPP connection (true | false?).

    Although our issues (posted earlier) were plainly with DHCP lease and VDSL renewal on the fibre service, it was clearly an issue with the ISP that we can't resolve.

    Instead we worked around it with hosts that automatically kick the WAN connection when it appears down... until one day it gets resolved.

    Further, you might check with your ISP ("FAI") and see if this is a known issue.

    I'm interested in your resolution.

    Regards,

    Warwick

    Hong Kong
