ATP500: update from 5.21 patch1 to 5.30 and SSL VPN problem
Hi,
after the update of the firmware of my ATP 500 from 5.21 Patch 1 to 5.30 we are facing some problems with SSL VPN access.
Some users who before update were able to connect to the VPN and stay connected for long time, now, after a short while (usually a few minutes) are disconnected without any reason (see picture below of the FW log).
I compared the "startup-config.conf" file just before the update and just after the update and i have, strangely, noted some differences:
1)a few months ago i removed the object "Wiz_2FA" from the "Deafult_Allow_From_WAN_TO_ZyWall" group as i added a rule to allow WAN to ZyWall connection only from special regions (left part of the image, file before_startup_config.conf), but after the update the
object "Wiz_2FA" appeared again in the "Deafult_Allow_From_WAN_TO_ZyWall" group
(right part of the image, file after_startup_config.conf):
2)two new lines appears in "startup-config.conf" concerning the"utm-manager":
3)two other differences are i think less important cause it is just a matter of shift of position in the file for "ip http server":
and a new line concerning "language_update":
As, after the update, the object "Wiz_2FA" appeared again in the "Deafult_Allow_From_WAN_TO_ZyWall" (as i said in 1)), i have disabled the rule i created few months:
but still the problem concerning the VPN persists.
Any idea about the reason for this strange behaviour, or suggestion about how i can investigate or what kind of log i should enable in order to investigate the problem?
Thanks in advance for any help and cooperation.
Regards
Filippo
3)two other differences are i think less important cause it is just a matter of shift of position in the file for "ip http server":
and a new line concerning "language_update":
As, after the update, the object "Wiz_2FA" appeared again in the "Deafult_Allow_From_WAN_TO_ZyWall" (as i said in 1)), i have disabled the rule i created few months:
but still the problem concerning the VPN persists.
Any idea about the reason for this strange behaviour, or suggestion about how i can investigate or what kind of log i should enable in order to investigate the problem?
Thanks in advance for any help and cooperation.
Regards
Filippo
0
All Replies
-
AFAIKDoH should mean DNS over HTTPS, Port 443 is the default port.DoT should mean DNS over TLS, Port 843 is the default port for the protocol.Both protocols are... "pards" of DNS with a lick of TLS, so content filtering now is aware of both services.0
-
Hi @xkp68,
Welcome to forum. Please kindly check there are not conflict/Overlap ip between VPN Pool and Network Extension Local IP.
The default Network Extension IP is 192.168.200.1. It looks you use 192.168.200.12 for pool.
Could you kindly check that ?
If the issue still. Please share your configuration to me (in Private Messages)
Have a nice day.
Kevin0 -
Hello,
I'm also having an issue with my VPN access after upgrading to 5.30 (on two separate devices/networks: ATP500 and ATP200).
My issue is a little different; I'm unable to connect at all since the device is not sending the authentication emails (have 2FA enabled). I also have it enabled for Admin UI access and the device isn't sending the confirmation code there either.
Another symptom I noticed after the upgrade is the System Log stopped saving any information to my USB device except except for device-HA logs. I was trying to retrieve the logs to see if any email issues were being recorded and don't have any entries to review.
Can someone please provide support?
This is an urgent matter, my users are unable to connect to VPN and it is affecting productivity.
Regards,0 -
FYI, I was able to get on a call with support and they simply removed the SSL VPN settings on my box (I'm not using SSL VPN) and that seemed to do the trick.0
-
Hi @juanclau,
Please kindly try the following command to remove SSLVPN.
1)Find your SSLVPN Policy nameRouter# show sslvpn policy
2)Then enter "configure terminal",Router(config)# no sslvpn policy "SSLVPN policy name"
If the issue persist, we can have remote session . I will send the private message to you.
Kevin0 -
Hi @xkp68,We have found the cause. We will release weekly firmware next week to fix the issueThank for your patience.Kevin0
-
@Zyxel_Kevin
We have a Flex200. After update to 5.30 today, no users cant connect to VPN anymore.
Logs says Unknown username or password.
We are using radius setting.
Will this also be fixet in the next week update?0 -
syraarpe said:0
-
Hi @syraarpe,
What's your Radius Server OS ? If you use Windows Server. Could you remove the Windows patch to test (KB5014018).
Looks like auth issue is related the patch.Please kindly check .
https://www.bleepingcomputer.com/news/microsoft/microsoft-may-windows-updates-cause-ad-authentication-failures/
Thanks
0 -
@Zyxel_Kevin
I found out by checking settings, after firmware.
USG Flex 200 - L2TP over IPsec, not working after firmware 5.30 — Zyxel Community
Solutions is in the link.
it just smelled a bit of the same bug in this forum0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 149 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 263 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight