ATP500: update from 5.21 patch1 to 5.30 and SSL VPN problem

xkp68 Posts: 26  Freshman Member
Hi,
After updating the firmware of my ATP 500 from 5.21 Patch 1 to 5.30, we are facing some problems with SSL VPN access.
Some users who, before the update, were able to connect to the VPN and stay connected for a long time are now disconnected after a short while (usually a few minutes) without any apparent reason (see the picture of the FW log below).


I compared the "startup-config.conf" file just before the update and just after the update and, strangely, I noted some differences:
1) A few months ago I removed the object "Wiz_2FA" from the "Deafult_Allow_From_WAN_TO_ZyWall" group, as I had added a rule to allow WAN-to-ZyWall connections only from specific regions (left part of the image, file before_startup_config.conf), but after the update the object "Wiz_2FA" appeared again in the "Deafult_Allow_From_WAN_TO_ZyWall" group (right part of the image, file after_startup_config.conf):

2) Two new lines appear in "startup-config.conf" concerning the "utm-manager":

3) Two other differences are, I think, less important because they are just a matter of a shift of position in the file for "ip http server":


and a new line concerning "language_update":


As, after the update, the object "Wiz_2FA" appeared again in "Deafult_Allow_From_WAN_TO_ZyWall" (as I said in 1)), I have disabled the rule I created a few months ago:


but still the problem concerning the VPN persists.
Any idea about the reason for this strange behaviour, or a suggestion about how I can investigate, or what kind of log I should enable in order to investigate the problem?
Thanks in advance for any help and cooperation.
Regards
Filippo
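The post above compares two startup-config.conf dumps by eye. As an added example (not code from the thread or from Zyxel), here is a small Python script that compares two such dumps by content rather than by line position, so that group-membership changes like the reappearing "Wiz_2FA" object and genuinely new lines are reported, while a setting that merely moved in the file (like "ip http server") is not. It assumes an object-group block is a header line at column 0 followed by indented member lines; the two sample configs are constructed, and the "utm-manager" and "language_update" values in them are placeholders.

```python
"""Diff two Zyxel-style startup-config.conf dumps by content, not position.
Added example, not from the thread. Assumes an object-group block is a header at
column 0 followed by indented member lines; samples below are constructed."""
import re

GROUP_RE = re.compile(r"^object-group\s+(\S+)\s+(\S+)\s*$")


def parse_groups(text):
    """Map 'type/name' -> set of member lines for each object-group block."""
    groups, current = {}, None
    for raw in filter(str.strip, text.splitlines()):
        m = GROUP_RE.match(raw)
        if m:
            current = f"{m.group(1)}/{m.group(2)}"
            groups.setdefault(current, set())
        elif raw[0].isspace() and current:
            groups[current].add(raw.strip())
        else:
            current = None  # any other unindented line closes the block
    return groups


def top_level_lines(text):
    """Unindented lines as a set: a line that merely moves is not drift."""
    return {l.strip() for l in text.splitlines() if l.strip() and not l[0].isspace()}


def config_drift(before, after):
    gb, ga = parse_groups(before), parse_groups(after)
    changes = {}
    for key in sorted(set(gb) | set(ga)):
        added = ga.get(key, set()) - gb.get(key, set())
        removed = gb.get(key, set()) - ga.get(key, set())
        if added or removed:
            changes[key] = {"added": added, "removed": removed}
    tb, ta = top_level_lines(before), top_level_lines(after)
    return {"group_changes": changes, "added": ta - tb, "removed": tb - ta}

# Constructed samples; the utm-manager and language_update values are placeholders.
BEFORE = """ip http server
object-group service Deafult_Allow_From_WAN_TO_ZyWall
 service-object HTTPS
"""
AFTER = """object-group service Deafult_Allow_From_WAN_TO_ZyWall
 service-object HTTPS
 service-object Wiz_2FA
utm-manager placeholder-1
ip http server
language_update placeholder
"""
```

Run `config_drift(BEFORE, AFTER)` on the two real files (read with `open(...).read()`) to get the same report for a real upgrade.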

All Replies

  • mMontana
    mMontana Posts: 1,389  Guru Member
    AFAIK
    DoH should mean DNS over HTTPS; port 443 is the default port.
    DoT should mean DNS over TLS; port 843 is the default port for the protocol.

    Both protocols are... "pards" of DNS with a lick of TLS, so content filtering is now aware of both services.
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 892  Zyxel Employee
    edited May 2022
    Hi @xkp68,
    Welcome to the forum. Please kindly check that there is no conflict/overlap of IPs between the VPN Pool and the Network Extension Local IP.
    The default Network Extension IP is 192.168.200.1. It looks like you use 192.168.200.12 for the pool.
    Could you kindly check that?
    If the issue still persists, please share your configuration with me (in Private Messages).
    Have a nice day.
    Kevin
  • juanclau
    juanclau Posts: 2  Freshman Member
    Hello,

    I'm also having an issue with my VPN access after upgrading to 5.30 (on two separate devices/networks: ATP500 and ATP200).

    My issue is a little different; I'm unable to connect at all since the device is not sending the authentication emails (have 2FA enabled). I also have it enabled for Admin UI access and the device isn't sending the confirmation code there either.

    Another symptom I noticed after the upgrade is that the System Log stopped saving any information to my USB device except for device-HA logs. I was trying to retrieve the logs to see if any email issues were being recorded and don't have any entries to review.

    Can someone please provide support?
    This is an urgent matter, my users are unable to connect to VPN and it is affecting productivity.


    Regards,
  • juanclau
    juanclau Posts: 2  Freshman Member
    FYI, I was able to get on a call with support and they simply removed the SSL VPN settings on my box (I'm not using SSL VPN) and that seemed to do the trick.
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 892  Zyxel Employee
    edited May 2022
    Hi @juanclau,
    Please kindly try the following commands to remove SSLVPN.
    1) Find your SSLVPN policy name:
    Router# show sslvpn policy
    2) Then enter "configure terminal" and remove it:
    Router(config)# no sslvpn policy "SSLVPN policy name"

    If the issue persists, we can have a remote session. I will send a private message to you.
    Kevin


  • Zyxel_Kevin
    Zyxel_Kevin Posts: 892  Zyxel Employee
    Hi @xkp68,
    We have found the cause. We will release a weekly firmware next week to fix the issue.
    Thanks for your patience.
    Kevin
  • syraarpe
    syraarpe Posts: 7
    @Zyxel_Kevin
    We have a Flex200. After the update to 5.30 today, no users can connect to the VPN anymore.
    The logs say "Unknown username or password".
    We are using the RADIUS setting.

    Will this also be fixed in next week's update?
  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    syraarpe said:
    @Zyxel_Kevin
    We have a Flex200. After the update to 5.30 today, no users can connect to the VPN anymore.
    I have seen that problem too; a somewhat-fix is to use another port for SSL VPN, different from the login port 443.
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 892  Zyxel Employee
    edited May 2022
    Hi @syraarpe,
    What's your RADIUS server OS? If you use Windows Server, could you remove the Windows patch (KB5014018) to test?
    It looks like the auth issue is related to the patch. Please kindly check.
    https://www.bleepingcomputer.com/news/microsoft/microsoft-may-windows-updates-cause-ad-authentication-failures/
    Thanks

  • syraarpe
    syraarpe Posts: 7
    @Zyxel_Kevin
    I found out by checking the settings after the firmware update.
    USG Flex 200 - L2TP over IPsec, not working after firmware 5.30 — Zyxel Community

    The solution is in the link.
    It just smelled a bit like the same bug in this forum :)