Lost SSL Connection - after firmware upgrade from 4.38 on ZyWall 110 to 4.60

IPCETRIX Posts: 4  Freshman Member
edited April 2021 in Security
After we upgraded the above USG with new firmware 4.60, we can't establish a connection to our SSL VPN.
Rolling back to original firmware 4.38 doesn't help.
Are there any specific new configurations required?

All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee

    Hi @IPCETRIX  

    Please double-check that your SSL VPN IP pool and Network Extension local IP have no IP subnet conflict with your interfaces.


    Then make sure SecuExtender has been installed successfully on your PC (TAP-Windows Adapter V9 for Zyxel Extender has been installed successfully).

  • USG_User
    USG_User Posts: 369  Master Member
    edited December 2020
    But may the SSL IP Pool and the Local Network Extension IP Address be of the same subnet (of course without conflict)?
    For example, our USG Local Network Extension IP reads 192.168.200.1 while the SSL IP Pool is from 192.168.200.10 to 192.168.200.50.

    Unfortunately, the term Local Network Extension IP is not really well explained in the user manual.

    edit:
    At least both our SSL VPN and IPSec VPN are still running after firmware update from 4.39 to 4.60(AAPH.1)

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee

    Hi @USG_User

    The Local Network Extension IP address is a virtual interface on the device.

    After the SSL VPN is established, SSL VPN client traffic will be sent to the virtual interface.

    You can check the routing table; you will find the extension IP as a gateway in the list.

    And that is the reason the IPs shouldn't conflict.
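
An offline check for the conflict described above, as an added example that is not part of the thread or Zyxel's own tooling: it tests an SSL VPN pool range and Network Extension local IP against the interface subnets. The first call uses the pool and extension IP quoted in the thread; the interface list, the function name and the rule that the extension IP must not sit inside the pool range are assumptions.

```python
import ipaddress

def find_conflicts(pool_start, pool_end, extension_ip, interfaces):
    """Return a list of human-readable conflicts (empty list = no conflict).

    interfaces: dict of name -> "address/prefix" for each firewall interface.
    """
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if start > end:
        raise ValueError("pool start is above pool end")
    ext = ipaddress.ip_address(extension_ip)
    # Express the start-end range as the minimal set of CIDR blocks.
    pool_blocks = list(ipaddress.summarize_address_range(start, end))

    conflicts = []
    # Assumption: the virtual gateway address must not be handed out to a client.
    if start <= ext <= end:
        conflicts.append(f"extension IP {ext} is inside the SSL VPN pool")
    for name, cidr in interfaces.items():
        # strict=False accepts an interface address such as 192.168.1.1/24.
        subnet = ipaddress.ip_network(cidr, strict=False)
        if ext in subnet:
            conflicts.append(f"extension IP {ext} is inside {name} ({subnet})")
        if any(block.overlaps(subnet) for block in pool_blocks):
            conflicts.append(f"SSL VPN pool overlaps {name} ({subnet})")
    return conflicts

# Constructed interface list; substitute the subnets configured on the device.
INTERFACES = {
    "lan1": "192.168.1.1/24",
    "lan2": "192.168.2.1/24",
    "dmz": "192.168.3.1/24",
}

if __name__ == "__main__":
    # Values quoted in the thread: extension IP .1, pool .10 to .50.
    print(find_conflicts("192.168.200.10", "192.168.200.50",
                         "192.168.200.1", INTERFACES))
    # Constructed bad case: pool carved out of the lan1 subnet.
    print(find_conflicts("192.168.1.100", "192.168.1.150",
                         "192.168.200.1", INTERFACES))
```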


  • IPCETRIX
    IPCETRIX Posts: 4  Freshman Member
    edited December 2020
    Hi!
    Thank you all for your professional advice.
    Apparently, from firmware 4.39 and above, ZyXel restricts all users in the Admin group from using SSL.
    Don't ask me why as I have no explanation. Moving the user from the Admin group to the User group resolved the problem.
    The second issue was that we shifted the HTTPS listening port from 443 to XX443 for remote access to the web interface from specific IPs; however, SSL VPN continued to listen on port 443. From firmware 4.39, Zyxel binds both services. You need to set the same port in SecuExtender as in the WWW setting.

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee

    Hi @IPCETRIX  

    It’s good to know you can establish the SSL VPN tunnel.

    We have restricted admin-type users from establishing an SSL VPN tunnel.


    In the future, we have planned to change the SSL VPN port to another one.

    Then the WebGUI and SSL VPN will listen on different ports.

  • USG_User
    USG_User Posts: 369  Master Member
    We've changed the SSL VPN Access Port from 443 to XX443 in SYSTEM > WWW. Further, we've denied access to the Admin GUI from any zones other than internal LAN1. It has worked fine for many months.
