usg60 to usg60 site-to-site ipsec vpn fail after firmware update 4.60 --> 4.70

cjh
cjh Posts: 5
IPsec VPN with firmware 4.60 on both USG60s worked for years. Updated both USG60s to the latest firmware 4.70; now the VPN connects but does not pass data. Why? How do I fix it?

All Replies

  • cjh
    cjh Posts: 5
    Tried down-rev firmware 4.65 p0 and p1, no luck.
    Tried 4.70 on one and 4.65 on the other, no luck.
    4.60 is no longer available on the Zyxel web site that I can find, so I cannot go back to what worked.
    Looking into another firewall brand as this is ridiculous.
    However, I would be happy to stay with Zyxel if they could tell me how to make this work again.
  • PeterUK
    PeterUK Posts: 2,654  Guru Member
    edited January 2022

    I have a local site-to-site setup that works with 4.70.

    When you upgrade to 4.70 there are two firmware slots so it should be possible to go back to the other one?

    There can be some reasons why it stopped working, like an IP change for the site-to-site, a routing problem, or the ISP blocking VPN traffic. Can you allow ping on one USG, then ping it from the other?


  • cjh
    cjh Posts: 5
    I was able to find old firmware which I will try tomorrow.

    No IP changes, the vpn was working fine for years, then after the firmware update, we get connection but no data flow.

    I'll be happy if we can get this to work again with old firmware. I understand that 4.60 has a serious issue with a hard coded username where the password cannot be changed.
    This is bad news but if that is what I have to live with to get this VPN back for now, I will.


  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee
    Hi @cjh,

    Suppose 192.168.1.33 pings 192.168.10.33 and the ping fails. Use the command on each site to capture packets and check which site doesn't respond.

    On Site A
    lan1 is the subnet of the client 192.168.10.33.


    On Site B
    lan1 is the subnet of the client 192.168.1.33.

  • cjh
    cjh Posts: 5
    Unbelievable, it must be documented somewhere but I have not seen it; the fastforward feature causes the IPsec VPN to fail. That's all it was: just uncheck that box and the VPN started working again.
    I had forgotten I made that change as well as the firmware update. Rookie mistake; more than one change at a time. Oh well, it's back and up to the latest 4.70 firmware rev. Thank you for your responses.

  • PeterUK
    PeterUK Posts: 2,654  Guru Member
    cjh said:
    Unbelievable, it must be documented somewhere but I have not seen it; the fastforward feature causes the ipsec vpn to fail...
    Good to know
  • DeanH
    DeanH Posts: 45  Freshman Member
    Where is this fastforward feature located?
  • cjh
    cjh Posts: 5
    Configuration > System > Advanced
