IPSec or L2TP/IPsec successfully established, but the USG admin GUI is unusable
sirivanhoe
Posts: 18 Freshman Member
Hi,
I'm facing a very weird problem for the first time using several vendors' firewall appliances. I've just deployed a USG60 behind a NAT modem/router, opened port forwarding as required and configured IPSec VPN (Remote Access) to securely access the firewall from the internet using my MacBook and IPSecuritas client.
Testing the connection with my Mac connected to my mobile phone via tethering, I can see the tunnel correctly established (on the NAT modem/router I see proper logs, on the USG I see proper logs) and I can successfully reach the USG GUI login page pretty smoothly. But once I submit my credentials and I've been successfully authenticated, the navigation in the admin GUI gets incredibly slow, so much so that it's actually useless.
If, conversely, I access a machine behind the USG (on its LAN) via OpenVPN and from there I access the USG GUI, then everything works flawlessly as expected (at the same moment, with the same machine, the same mobile phone, position and connection). Switching back and forth between IPSec on the USG and OpenVPN on another server behind it produces consistent results: IPSec unusable, OpenVPN ok.
I can't figure out what the problem might be. I've been modifying and relaxing the VPN configuration (e.g. weaker encryption) and even switched the config to L2TP/IPsec using the native Mac OS client, getting the very same result nonetheless.
It should be noted that in the past weeks I've been using the same setup (MacBook and IPSecuritas with the same IPSec phase1/phase2 configs) on a much smaller WatchGuard XTM and an older SonicWALL TZ series, and I had no problems (tunnel up, firewall GUI administration usable as expected).
I should say that I'm using Firmware Version: V4.30(AAKY.0) / 2017-11-23 21:17:51
Any hint would be greatly appreciated.
Comments
For this case, can you help to add a static route for L2TP traffic and check it again?
Add the static route.
Example:
Destination    Next Hop
192.168.100.0 (L2TP pool)    lan1 (USG LAN site that the client is trying to access)    255.255.255.0
Charlie
Thanks for paying attention to this Charlie.
No, unfortunately it didn't help. Indeed, it looks like the problem is not merely one of routing, since at first I can easily (quickly indeed) reach the login page of the USG GUI. It's once I'm authenticated (and I am, I can see it in the logs, apart from seeing the login page disappear in the transition to the initial Status page once logged in) that it slows down, becoming unusable (i.e. it takes forever to get to the above-mentioned initial Status page of the appliance).
In case it might turn out to be helpful, I've just performed a further test. For a few moments I've published on the Internet (via NAT port forwarding on the modem/router) the HTTPS management port of the ZyWALL, and I got the expected proper result: I can reach and "use" the admin GUI of the USG normally, as I can via the OpenVPN. Yet, the problem of course persists if accessing via IPSec established on the USG.
That was it, Mark!
Thanks a lot not only for your attention, but since you got it right and solved my problem, the admin GUI is now fully usable via IPSec as well.
Thanks again.
Peppe