SSL VPN not working

Patrick
Patrick Posts: 1  Freshman Member
edited April 2021 in Security
Hello everyone,

we recently switched to the Zywall 110. Everything is working fine (great product!) but the SSL VPN. Whenever I try to connect using the SecuExtender, it asks me if I want to trust the Zywall certificate, then thinks for some seconds and tells me I got disconnected.

I've upgraded to the latest Firmware and latest version of SecuExtender. The TAPI device is to be found in the device manager and is running.

The SecuExtender Helper reads like this:

[ 2018/06/08 17:55:15 ][SecuExtender Helper] Request(106): REMOVE 1119660224/3291670110 20 4294967295 4294967295
[ 2018/06/08 17:55:15 ][SecuExtender Helper] Remove Routing
[ 2018/06/08 17:55:15 ][SecuExtender Helper] Remove prioritize routing
[ 2018/06/08 17:55:15 ][SecuExtender Helper] Get netsh path = powershell
[ 2018/06/08 17:55:15 ][SecuExtender Helper] ia is null
[ 2018/06/08 17:55:15 ][SecuExtender Helper] Failed to read from client(2): 109, 0
[ 2018/06/08 17:55:15 ][SecuExtender Helper] Start to Disconnect pipe...
[ 2018/06/08 17:55:15 ][SecuExtender Helper] Shutting down a pipe connection instance...

The SecuExtender log shows this:
################################################################################################
[ 2018/06/08 18:16:12 ][SecuExtender Agent][DETAIL]  Build Datetime: Dec 22 2016/15:25:36
[ 2018/06/08 18:16:12 ][SecuExtender Agent][DEBUG]   SecuExtender.log: C:\Users\patri\SecuExtender.log
[ 2018/06/08 18:16:12 ][SecuExtender Agent][DEBUG]   osvi.dwPlatformId = 2, osvi.dwMajorVersion = 6, osvi.dwMinorVersion = 2
[ 2018/06/08 18:16:12 ][SecuExtender Agent][DEBUG]   interface guid: {6F34EA99-F57D-4BCD-8039-B93A14779161}, idx: 2
[ 2018/06/08 18:16:12 ][SecuExtender Agent][DEBUG]   tBuf : (\DEVICE\TCPIP_{6F34EA99-F57D-4BCD-8039-B93A14779161})
[ 2018/06/08 18:16:12 ][SecuExtender Agent][DEBUG]   network name got, idx: 8
[ 2018/06/08 18:16:56 ][SecuExtender Agent][DETAIL]  Checking service (first) ...
[ 2018/06/08 18:16:56 ][SecuExtender Agent][DETAIL]  SecuExtender Helper is running
[ 2018/06/08 18:16:56 ][SecuExtender Agent][DETAIL]  Try to connect to SecuExtender Helper
[ 2018/06/08 18:16:56 ][SecuExtender Agent][DETAIL]  SecuExtender Helper is connected
[ 2018/06/08 18:16:56 ][SecuExtender Agent][INFO]    [MYUSERNAME] try to login THISISOURSSLHOST:443
[ 2018/06/08 18:16:56 ][SecuExtender Agent][INFO]    Connect to 1592144580:443
[ 2018/06/08 18:16:56 ][SecuExtender Agent][INFO]    Local address is 3232283714
[ 2018/06/08 18:16:56 ][SecuExtender Agent][DEBUG]   Connect success.
[ 2018/06/08 18:16:56 ][SecuExtender Agent][DETAIL]  Handshake LoopCounter: 0
[ 2018/06/08 18:16:56 ][SecuExtender Agent][DETAIL]  1291 bytes of handshake data received
[ 2018/06/08 18:16:56 ][SecuExtender Agent][DETAIL]  InitializeSecurityContext returns 0x90312
[ 2018/06/08 18:16:56 ][SecuExtender Agent][DETAIL]  Send 126 bytes of handshake data
[ 2018/06/08 18:16:56 ][SecuExtender Agent][DETAIL]  Handshake LoopCounter: 1
[ 2018/06/08 18:16:56 ][SecuExtender Agent][DETAIL]  274 bytes of handshake data received
[ 2018/06/08 18:16:56 ][SecuExtender Agent][DETAIL]  InitializeSecurityContext returns 0x0
[ 2018/06/08 18:16:56 ][SecuExtender Agent][DETAIL]  SSL Handshake is successful
[ 2018/06/08 18:16:56 ][SecuExtender Agent][DETAIL]  STREAM_SIZE: Header: 13 Trailer: 16, MaxMessage: 16384
[ 2018/06/08 18:16:56 ][SecuExtender Agent][DETAIL]  Protocol: TLS1.2
[ 2018/06/08 18:16:56 ][SecuExtender Agent][DETAIL]  Cipher: AES256
[ 2018/06/08 18:16:56 ][SecuExtender Agent][DETAIL]  Cipher strength: 256
[ 2018/06/08 18:16:56 ][SecuExtender Agent][DETAIL]  Hash: SHA384
[ 2018/06/08 18:16:56 ][SecuExtender Agent][DETAIL]  Hash strength: 0
[ 2018/06/08 18:16:56 ][SecuExtender Agent][DETAIL]  Key exchange: 0xae06
[ 2018/06/08 18:16:56 ][SecuExtender Agent][DETAIL]  Key exchange strength: 256
[ 2018/06/08 18:16:56 ][SecuExtender Agent][INFO]    Server subject: CN=zywall_110_5CE28C5E7F9C
[ 2018/06/08 18:16:56 ][SecuExtender Agent][INFO]    Server issuer: CN=zywall_110_5CE28C5E7F9C
[ 2018/06/08 18:16:56 ][SecuExtender Agent][ERROR]   **** Error 0x800b0109 authenticating server credentials! (0x0)
[ 2018/06/08 18:16:58 ][SecuExtender Agent][DETAIL]  SSL session is created
[ 2018/06/08 18:16:59 ][SecuExtender Agent][DEBUG]   SSL Connection is going to be closed
[ 2018/06/08 18:16:59 ][SecuExtender Agent][INFO]    user login device success
[ 2018/06/08 18:16:59 ][SecuExtender Agent][INFO]    Creating secure tunnel to OURVPNADDRESS:443
[ 2018/06/08 18:16:59 ][SecuExtender Agent][INFO]    Connect to 1592144580:443
[ 2018/06/08 18:16:59 ][SecuExtender Agent][INFO]    Local address is 3232283714
[ 2018/06/08 18:16:59 ][SecuExtender Agent][DEBUG]   Connect success.
[ 2018/06/08 18:16:59 ][SecuExtender Agent][DETAIL]  Handshake LoopCounter: 0
[ 2018/06/08 18:16:59 ][SecuExtender Agent][DETAIL]  1291 bytes of handshake data received
[ 2018/06/08 18:16:59 ][SecuExtender Agent][DETAIL]  InitializeSecurityContext returns 0x90312
[ 2018/06/08 18:16:59 ][SecuExtender Agent][DETAIL]  Send 126 bytes of handshake data
[ 2018/06/08 18:16:59 ][SecuExtender Agent][DETAIL]  Handshake LoopCounter: 1
[ 2018/06/08 18:16:59 ][SecuExtender Agent][DETAIL]  274 bytes of handshake data received
[ 2018/06/08 18:16:59 ][SecuExtender Agent][DETAIL]  InitializeSecurityContext returns 0x0
[ 2018/06/08 18:16:59 ][SecuExtender Agent][DETAIL]  SSL Handshake is successful
[ 2018/06/08 18:16:59 ][SecuExtender Agent][DETAIL]  STREAM_SIZE: Header: 13 Trailer: 16, MaxMessage: 16384
[ 2018/06/08 18:16:59 ][SecuExtender Agent][DETAIL]  Secure session is created
[ 2018/06/08 18:16:59 ][SecuExtender Agent][DETAIL]  Secure session negotiation begin
[ 2018/06/08 18:16:59 ][SecuExtender Agent][DETAIL]  stage 1...done
[ 2018/06/08 18:16:59 ][SecuExtender Agent][DETAIL]  stage 2...done
[ 2018/06/08 18:17:09 ][SecuExtender Agent][ERROR]   timeout (0x0)
[ 2018/06/08 18:17:09 ][SecuExtender Agent][ERROR]   Failed to create security tunnel (0x0)
[ 2018/06/08 18:17:09 ][SecuExtender Agent][DEBUG]   SSL Connection is going to be closed
[ 2018/06/08 18:17:09 ][SecuExtender Agent][INFO]    Connect to 1592144580:443
[ 2018/06/08 18:17:09 ][SecuExtender Agent][INFO]    Local address is 3232283714
[ 2018/06/08 18:17:09 ][SecuExtender Agent][DEBUG]   Connect success.
[ 2018/06/08 18:17:09 ][SecuExtender Agent][DETAIL]  Handshake LoopCounter: 0
[ 2018/06/08 18:17:09 ][SecuExtender Agent][DETAIL]  1291 bytes of handshake data received
[ 2018/06/08 18:17:09 ][SecuExtender Agent][DETAIL]  InitializeSecurityContext returns 0x90312
[ 2018/06/08 18:17:09 ][SecuExtender Agent][DETAIL]  Send 126 bytes of handshake data
[ 2018/06/08 18:17:09 ][SecuExtender Agent][DETAIL]  Handshake LoopCounter: 1
[ 2018/06/08 18:17:09 ][SecuExtender Agent][DETAIL]  274 bytes of handshake data received
[ 2018/06/08 18:17:09 ][SecuExtender Agent][DETAIL]  InitializeSecurityContext returns 0x0
[ 2018/06/08 18:17:09 ][SecuExtender Agent][DETAIL]  SSL Handshake is successful
[ 2018/06/08 18:17:09 ][SecuExtender Agent][DETAIL]  STREAM_SIZE: Header: 13 Trailer: 16, MaxMessage: 16384
[ 2018/06/08 18:17:09 ][SecuExtender Agent][INFO]    logout message has sent
[ 2018/06/08 18:17:09 ][SecuExtender Agent][DEBUG]   SSL Connection is going to be closed
[ 2018/06/08 18:17:09 ][SecuExtender Agent][DETAIL]  Connection ends.

I of course replaced the username and password; the log shows proper values for these.

Any help is appreciated!

Thanks,

  Patrick

Comments

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 940  Zyxel Employee
    Hi @Patrick,
    From the SecuExtender Helper log, it indicates a timeout on stage 3; this stage is getting the configuration from the USG. Not sure why it is unable to get the configuration from the USG and then times out.
    Can you send me your configuration file via private message for checking?
  • Daniel_LU
    Daniel_LU Posts: 16  Freshman Member
    edited June 2018
    Look in: Object > Services > Service Group > Default_Allow_WAN_To_ZyWALL.

    If HTTPS isn't a member, SSL VPN doesn't work.

    Have you changed the default port?

    Bye


  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 940  Zyxel Employee
    Hi @Daniel_LU,

    That’s right, you must allow the HTTPS port for the SSL VPN connection.






  • Daniel_LU
    Daniel_LU Posts: 16  Freshman Member
    edited June 2018
    If the default port has been changed, you need to create and add the service.

    If you need help, I'll write it up for you step by step.

    Bye





  • ArnaudW
    ArnaudW Posts: 1
    edited January 5
    Hello,

    *** I am posting this message here because it was the first result in Google for this problem (there are others like this one without a solution) and I think I have one :) ***

    Just had the same problem with an ATP-500 and AD authentication.
    Firmware is V5.10(ABFU.0)


    I think I found something interesting (a bug?):

    If you add an AD authentication method (Object>Auth method) and select it in System>Authentication server in place of "default", it blocks the connection with this error: [SecuExtender Agent][ERROR]   **** Error 0x800b0109 authenticating server credentials! (0x0)

    Workaround: Edit "default" and add your AD directly in (Object>Authentication method) instead of using a secondary method.
    Notes: Not tested with more than one SSL VPN

    Hope it helps.


    Best regards,
    Arnaud W.
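
As an added example (not part of any post in this thread and not Zyxel code), a small Python triage of an Agent log in the format Patrick posted: it maps the trust-error HRESULT to its winerror.h name, checks whether the server certificate is self-issued (subject equals issuer), and reports the last negotiation stage completed before the tunnel failed. The sample lines are constructed in that format with a placeholder CN, and the function name `triage` is an assumption.

```python
import re

# Constructed sample in the format of the SecuExtender Agent log quoted in the
# thread (certificate CN replaced by a placeholder).
SAMPLE_LOG = """\
[ 2018/06/08 18:16:56 ][SecuExtender Agent][INFO]    Server subject: CN=zywall_110_EXAMPLE
[ 2018/06/08 18:16:56 ][SecuExtender Agent][INFO]    Server issuer: CN=zywall_110_EXAMPLE
[ 2018/06/08 18:16:56 ][SecuExtender Agent][ERROR]   **** Error 0x800b0109 authenticating server credentials! (0x0)
[ 2018/06/08 18:16:59 ][SecuExtender Agent][INFO]    user login device success
[ 2018/06/08 18:16:59 ][SecuExtender Agent][DETAIL]  stage 1...done
[ 2018/06/08 18:16:59 ][SecuExtender Agent][DETAIL]  stage 2...done
[ 2018/06/08 18:17:09 ][SecuExtender Agent][ERROR]   timeout (0x0)
[ 2018/06/08 18:17:09 ][SecuExtender Agent][ERROR]   Failed to create security tunnel (0x0)
"""

LINE = re.compile(r"^\[ [\d/]+ [\d:]+ \]\[([^\]]+)\]\[(\w+)\]\s+(.*)$")
# Certificate-trust HRESULTs from winerror.h.
HRESULTS = {0x800B0101: "CERT_E_EXPIRED", 0x800B0109: "CERT_E_UNTRUSTEDROOT",
            0x800B010F: "CERT_E_CN_NO_MATCH"}

def triage(text):
    """Summarise certificate trust and tunnel negotiation events in an Agent log."""
    r = {"subject": None, "issuer": None, "trust_error": None, "login_ok": False,
         "last_stage": 0, "tunnel_failed": False}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # separator rows, blank lines, Helper lines without a level
        msg = m.group(3)
        if msg.startswith("Server subject: "):
            r["subject"] = msg.split(": ", 1)[1]
        elif msg.startswith("Server issuer: "):
            r["issuer"] = msg.split(": ", 1)[1]
        elif (e := re.search(r"Error (0x[0-9a-fA-F]+) authenticating server", msg)):
            code = int(e.group(1), 16)
            r["trust_error"] = HRESULTS.get(code, hex(code))
        elif msg == "user login device success":
            r["login_ok"] = True
        elif (s := re.fullmatch(r"stage (\d+)\.\.\.done", msg)):
            r["last_stage"] = max(r["last_stage"], int(s.group(1)))
        elif msg.startswith("Failed to create security tunnel"):
            r["tunnel_failed"] = True
    # Subject equal to issuer means the certificate is self-issued.
    r["self_signed"] = r["subject"] is not None and r["subject"] == r["issuer"]
    return r

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample it reports CERT_E_UNTRUSTEDROOT for a self-issued certificate, a login that still succeeds, and a tunnel failure after stage 2.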
