L2TP VPN doesn't work with a USG Flex 200

I'm having a strange issue with an L2TP/IPSEC VPN connection on a USG Flex 200 that has me stumped.

The connection has been working fine for over a year with the Windows native VPN client. Then out of the blue a few weeks ago it stopped working. Times out on "Connecting" and says "The network connection between your computer and the VPN server could not be established because the remote server is not responding".

Log entries show up like with a normal VPN connection but it doesn't complete.

I've tested this on four different systems (all originating from different networks).

I rolled back the firmware from 5.10 to 5.02 thinking it could have been a firmware bug since I updated recently. This did not fix the issue.

I uninstalled my AV (Bitdefender) completely to verify that wasn't causing the issue. No effect.

I should also note that I can successfully VPN into OTHER Flex 200s from my system so I'm fairly certain it's not an issue with my system. There seems to be an issue with the appliance but I need some help tracking it down.

All Replies

  • Zyxel_Vic
    Zyxel_Vic Posts: 281  Zyxel Employee
    Hi @jbender
    1. Is there a firewall in front of your PC before it reaches the internet? What had been changed (fw upgrade? OS upgrade? ISP network change?) before this connection problem happened?
    2. What were the Windows and Windows patch versions when you met this symptom?
    3. Can you share the IKE log from the VPN connection failure, from the device GUI "Monitor" --> "Log" page?
    4. Did all four systems you tried fail to build the VPN tunnel to this FLEX200, or is it just specific ones that can't work? Can you help to collect packets from the FLEX 200 so that we can see whether the IKE flow is working correctly?

  • Thanks for the response @Zyxel_Vic. Below are the answers to your questions. For the log and packet capture, I sent them in a PM.

    • No, there is no firewall. The connection goes directly from our ISP fiber connection to the WAN port on the Zyxel.
    • There have been no ISP changes.
    • As for firmware, I had updated to 5.10 around the same time this happened, so my first thought is that it was a firmware issue. But I rolled back to 5.02 and the problem persists.
    • All four systems are running Windows 10. Three are on 21H1 and one is on 20H2. The VPN connection is failing on ALL of them (and they are all in completely different locations).

  • Zyxel_Vic
    Zyxel_Vic Posts: 281  Zyxel Employee
    Hi @jbender
    Thank you for answering. Not sure what happened to your device. Can we have a temp account for VPN access? I'd like to see whether I get the same result as you; please send me the connection information via private message. Also, can you share your configuration file with us, or just let me check your settings remotely if that's okay with you?

    Thank you.
  • Did you solve this problem? I have the same problem with our Flex 100. It's really strange. We cannot connect from Windows 10. It seems to be an intermittent problem, because I have set up the connection for several users this week and it works for a while, then suddenly when you disconnect and try to connect I get the same problem as the thread starter here. And yesterday morning I was able to connect working from home, but my colleague couldn't connect. I tried to disconnect my connection to try again and then I could not connect, with no changes made at all. And yesterday evening I found out there was a firmware upgrade and upgraded to v5.20, hoping it would be better. After the reboot and upgrade it worked fine for me to connect, and a colleague I held could also connect... then this morning we cannot connect again... What's causing this problem??
  • Zyxel_Tobias
    Zyxel_Tobias Posts: 200  Zyxel Employee
    Hi Tobias!

    Currently, there is an ongoing issue with Windows Update!

    Please try the following Hotfix:

    https://support.zyxel.eu/hc/en-us/articles/4415084375954

  • TobiasK
    TobiasK Posts: 5
    edited January 2022
    Hi Tobias!

    Currently, there is an ongoing issue with Windows Update!

    Please try the following Hotfix:

    https://support.zyxel.eu/hc/en-us/articles/4415084375954

    Ok, thanks. Strange thing: I just now turned the VPN off and on in Nebula and then I could connect from my laptop to the VPN... it must be something with the firewall? Yesterday after a reboot of the firewall I could connect, but not this morning... and now when turning the firewall off and on I could connect... I also checked the link for the hotfix, but I did not have that hotfix installed yet on my Windows 10.

    Also I need to add that when it's not working to connect from my laptop, I can't connect from my Android phone either. But after turning the VPN off and on in Nebula, I can now also connect from my Android phone. So this must be Zyxel related. Not Windows? I will see if it still works tomorrow or if it suddenly stops working again and I need to restart the VPN on the firewall.
  • Hi Tobias!

    Currently, there is an ongoing issue with Windows Update!

    Please try the following Hotfix:

    https://support.zyxel.eu/hc/en-us/articles/4415084375954

    Ok, thanks. The strange thing is that I just now turned off the VPN in Nebula and then turned it on, and then I could connect again.
  • Ok, same thing this morning. After turning the L2TP over IPSec VPN server off and on in Nebula yesterday, it worked to connect from both Android and Windows 10... now this morning when I tried to connect, and also my colleague, it doesn't work? I just clicked off in Nebula for the L2TP over IPSec VPN server and then saved, and then turned it on again and clicked save... and now it's working again???? What is going on? This must be a bug, and I cannot be the only one who has the issue?
  • Can someone from Zyxel please give an update here? There must be more than just me that have the same problem?
  • Zyxel_Tobias
    Zyxel_Tobias Posts: 200  Zyxel Employee
    Hi Tobias,

    We can't do intensive debugging for a dedicated network through the forum.

    Can you please send us a ticket from here, and I'll make sure one of our agents will look into it through a TeamViewer session or remote access to fix it.

    Also, enable Nebula Admin for us to proceed quickly:

    Adding a Nebula admin for support purposes

    Open Support Ticket

    Thanks!

    Tobias