IPSec Mobile VPN, Authentication errors, user seemingly locked

phphil
phphil Posts: 39  Freshman Member
First Comment Friend Collector Fifth Anniversary
It' s a couple of weeks since we have updated the firmware from V5.21(ABFU.1) to
V5.30(ABFU.0).

Since then, our client-to-site VPN users (IPsec VPN, ikev2) started to experience a strange issue that never happened before. 
They get authentication errors but correct credentials are entered, almost like the user is temporarily locked.

This happen on both the vpn clients(software) we use:

 1) Zyxel SecuExtender IPsec VPN Client
 2) windows native vpn client

The 1) software return the following error: 


And the 2) just return "Internal authentication error"

and similar content on the atp500 firewall logs with lines like: 

May 20 10:30:06 atp500 CEF: 0|ZyXEL|ATP500|5.30(ABFU.0)|0|IKE|4|devID=bccf4fc520d6 src=<SOURCE_IP> dst=<DEST_IP> spt=4500 dpt=4500 dvchost=atp500 msg=AUTH fail! cat=IKE ZYlevel=info ZYnote=IKE_LOG


I'm currently "solving" by creating a new vpn user for the affected employee in order to allowing him to connect, but I really don't understand what's happening, if it's a new security layer or a firmware bug.


Thank you for any help and hint.

Best regards

All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,230  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary

    Can you provide the below information to us for further investigation?
    1.The complete Monitor screenshots for (1). Zyxel IPsec client and Windows built-in client during establishing IKev2 VPN connection to us?
    2.The device config of ATP500
    3. What is the meaning of “temporarily locked”? It means once authentication failed and the account would not work for a while? Or, cannot work anymore unless reboot the ATP500? 
    During the “temporarily locked”, is the account able to login ATP500’s Web-GUI? Maybe you can describe it more in detail for us.
    4. Is it this issue related to the old account or the new-create account? Why does the new-create account work but the old account can't?
    Thank you.


    Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP! https://bit.ly/2024_Survey_Community

  • phphil
    phphil Posts: 39  Freshman Member
    First Comment Friend Collector Fifth Anniversary
    edited August 2022
    I collected the required informations: 
    1.


    2. I cannot provide the firewall configuration due to internal security policy.
    3. Temporarily locked meaning: After a certain time the accounts will start to work again. I've just tested, some accounts were locked before reboot, and are still locked now after a reboot performed couple of days ago, meaning that the reboot doesn't unlock them seemingly.
    Those accounts are not administrator account, they never login into the web GUI, the only purpose of there users is to IPSEC VPN login. 
    4. Users only have one account, I've created second, and even a third account for the users that was experiencing this issue, meaning that the issue is related to the old account, and I created a new one for allowing user to successfully login again until their original account get automagically unlocked. 

    Thank you 
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,230  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary

    May I know if those temporarily locked accounts belong to AD user accounts? While those accounts cannot establish VPN, are there any auth failed related logs that can be observed on the Monitor Log of the ATP500 device?


    Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP! https://bit.ly/2024_Survey_Community

  • phphil
    phphil Posts: 39  Freshman Member
    First Comment Friend Collector Fifth Anniversary
    They don't belong to AD, they are simple users like: 


    They doesn't have two-factor Authentication enabled.


    Second question has an answer on the original post:  
    May 20 10:30:06 atp500 CEF: 0|ZyXEL|ATP500|5.30(ABFU.0)|0|IKE|4|devID=bccf4fc520d6 src=<SOURCE_IP> dst=<DEST_IP> spt=4500 dpt=4500 dvchost=atp500 msg=AUTH fail! cat=IKE ZYlevel=info ZYnote=IKE_LOG
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,230  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary
    Hi @phphil

    For a more clear purpose of troubleshooting, I sent a private message to you. Please check your message inbox. Perhaps we can arrange a remote session to check this symptom. 


    Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP! https://bit.ly/2024_Survey_Community

Security Highlight