Repeatedly used wrong user name leads to lockout - how to release the IP?

USG_User Posts: 369  Master Member
We have arranged different SSLVPN users which are connecting via SecuExtender. All works fine.
Yesterday we created a new SSLVPN user account. But our new colleague repeatedly typed a wrong user name (e.g. "USER10" instead of "USER_10") again and again.
After trying the predefined number of login attempts the USG110 locked the IP address (we guess) because the wrong user doesn't exist and cannot be locked.

After searching for unlocking opportunities within the GUI we learnt that this is possible via CLI command only. OK, no problem. Now we've tried the CLI command

unlock lockout-users <IP>

But without success. We think that, because a wrong, unregistered user name was used, the regular SSLVPN user account cannot be locked, only the IP address.
That's why we don't know whether the command "unlock lockout-users" is the right one for that case.
Is there another CLI command in place to release a locked IP address?
Finally, the locked IP address was released by the USG on its own after 10 minutes. But this lock time span is also defined for "user account login attempts", not for IP addresses and wrong user accounts.

Does anybody have an idea how to release a locked IP immediately?


Accepted Solution

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    Answer ✓

    You can use the command to unlock the IP address. Then you can use the correct username to log in again.
    Router(config)# unlock lockout-users <IP address>

    In the example, use the user "test" to log in, but "test" doesn't exist in the local database. Enter the command to unlock the user from the IP address.




All Replies


  • USG_User
    USG_User Posts: 369  Master Member
    edited November 2021
    Thanks Emily,
    We've tried exactly that, but the remote user was still not able to log in.
    But since there is no other alternative command available, we will give it a re-try next time.
