IPSec Mobile VPN, Authentication errors, user seemingly locked
It's been a couple of weeks since we updated the firmware from V5.21(ABFU.1) to V5.30(ABFU.0).
Since then, our client-to-site VPN users (IPsec VPN, IKEv2) started to experience a strange issue that never happened before.
They get authentication errors even though correct credentials are entered, almost like the user is temporarily locked.
This happens on both the VPN clients (software) we use:
1) Zyxel SecuExtender IPsec VPN Client
2) Windows native VPN client
The 1) software returns the following error:
And the 2) just returns "Internal authentication error"
and there is similar content in the atp500 firewall logs, with lines like:
May 20 10:30:06 atp500 CEF: 0|ZyXEL|ATP500|5.30(ABFU.0)|0|IKE|4|devID=bccf4fc520d6 src=<SOURCE_IP> dst=<DEST_IP> spt=4500 dpt=4500 dvchost=atp500 msg=AUTH fail! cat=IKE ZYlevel=info ZYnote=IKE_LOG
I'm currently "solving" this by creating a new VPN user for the affected employee in order to allow him to connect, but I really don't understand what's happening, whether it's a new security layer or a firmware bug.
Thank you for any help and hint.
Best regards
All Replies
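The ATP500 CEF line quoted above carries the source and destination address of the IKE exchange but no username, so the only correlation possible from that log alone is per source address. The following is an added example (not code from this thread or from Zyxel) that parses syslog-wrapped CEF lines of that shape and flags sources with repeated `AUTH fail!` events inside a time window, which is what a lockout or a misbehaving client looks like from the firewall's side. The sample lines, the 192.0.2.x/198.51.100.x addresses standing in for the redacted `<SOURCE_IP>`/`<DEST_IP>`, the placeholder `Tunnel established` message text and the threshold are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the ATP500 CEF line quoted in the thread.
# 192.0.2.x / 198.51.100.x are documentation addresses standing in for the
# redacted <SOURCE_IP>/<DEST_IP>; "msg=Tunnel established" is a placeholder
# message text used only to show that non-failure events are ignored.
SAMPLE_LOG = """\
May 20 10:30:06 atp500 CEF: 0|ZyXEL|ATP500|5.30(ABFU.0)|0|IKE|4|devID=bccf4fc520d6 src=192.0.2.10 dst=198.51.100.1 spt=4500 dpt=4500 dvchost=atp500 msg=AUTH fail! cat=IKE ZYlevel=info ZYnote=IKE_LOG
May 20 10:30:21 atp500 CEF: 0|ZyXEL|ATP500|5.30(ABFU.0)|0|IKE|4|devID=bccf4fc520d6 src=192.0.2.10 dst=198.51.100.1 spt=4500 dpt=4500 dvchost=atp500 msg=AUTH fail! cat=IKE ZYlevel=info ZYnote=IKE_LOG
May 20 10:30:40 atp500 CEF: 0|ZyXEL|ATP500|5.30(ABFU.0)|0|IKE|4|devID=bccf4fc520d6 src=192.0.2.10 dst=198.51.100.1 spt=4500 dpt=4500 dvchost=atp500 msg=AUTH fail! cat=IKE ZYlevel=info ZYnote=IKE_LOG
May 20 10:31:02 atp500 CEF: 0|ZyXEL|ATP500|5.30(ABFU.0)|0|IKE|4|devID=bccf4fc520d6 src=192.0.2.77 dst=198.51.100.1 spt=4500 dpt=4500 dvchost=atp500 msg=AUTH fail! cat=IKE ZYlevel=info ZYnote=IKE_LOG
May 20 10:31:15 atp500 CEF: 0|ZyXEL|ATP500|5.30(ABFU.0)|0|IKE|4|devID=bccf4fc520d6 src=192.0.2.77 dst=198.51.100.1 spt=4500 dpt=4500 dvchost=atp500 msg=Tunnel established cat=IKE ZYlevel=info ZYnote=IKE_LOG
"""

# Syslog prefix ("May 20 10:30:06 atp500 CEF:") followed by the CEF record.
SYSLOG_CEF = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) CEF:(?P<cef>.*)$"
)
# CEF extension key=value pairs; values may contain spaces ("AUTH fail!"),
# so a value runs until the next " key=" or the end of the line.
EXTENSION_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")


def parse_cef(line):
    """Parse one syslog-wrapped CEF line into a dict, or return None if malformed."""
    m = SYSLOG_CEF.match(line.rstrip())
    if not m:
        return None
    # Seven pipe-separated header fields, then the free-form extension.
    # Header pipes may be escaped as "\|", so split only on unescaped ones.
    parts = re.split(r"(?<!\\)\|", m.group("cef"), maxsplit=7)
    if len(parts) != 8:
        return None
    event = dict(zip(HEADER_FIELDS, (p.strip() for p in parts[:7])))
    event.update(EXTENSION_KV.findall(parts[7]))
    # Syslog timestamps carry no year; the default year is enough for
    # ordering events within one capture.
    event["time"] = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    event["syslog_host"] = m.group("host")
    return event


def is_ike_auth_failure(event):
    """True for the IKE 'AUTH fail!' events shown in the thread."""
    return event.get("cat") == "IKE" and event.get("msg", "").startswith("AUTH fail")


def find_auth_failure_bursts(lines, threshold=3, window_seconds=300):
    """Return {src: peak failures inside any window_seconds window} for every
    source address that reached `threshold` failures in one window."""
    failures = defaultdict(list)
    for line in lines:
        event = parse_cef(line)
        if event is not None and is_ike_auth_failure(event) and "src" in event:
            failures[event["src"]].append(event["time"])

    bursts = {}
    for src, times in failures.items():
        times.sort()
        start, peak = 0, 0
        # Sliding window: advance `start` until the window fits, then measure it.
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[src] = peak
    return bursts


if __name__ == "__main__":
    for src, count in find_auth_failure_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {count} IKE AUTH failures within 5 minutes")
```

Run against a syslog export from the firewall, a burst from one address at a time when the user reports being "locked" separates a client that keeps retrying bad credentials from an account the gateway is rejecting on a single attempt; pairing the source address with the VPN client's own connection log is what ties the failure back to a user, since the CEF event itself never names one.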
Hi @phphil
Can you provide the below information to us for further investigation?
1. The complete Monitor screenshots for (1) Zyxel IPsec client and Windows built-in client during establishing IKEv2 VPN connection to us?
2. The device config of ATP500
3. What is the meaning of “temporarily locked”? It means once authentication failed and the account would not work for a while? Or, cannot work anymore unless reboot the ATP500? During the “temporarily locked”, is the account able to login ATP500’s Web-GUI? Maybe you can describe it more in detail for us.
4. Is this issue related to the old account or the new-created account? Why does the new-created account work but the old account can't?
Thank you.
Don't miss this great chance to upgrade your Nebula org. for free! https://bit.ly/4g2pS9L
I collected the required information:
1.
2. I cannot provide the firewall configuration due to internal security policy.
3. Temporarily locked meaning: After a certain time the accounts will start to work again. I've just tested: some accounts were locked before reboot, and are still locked now after a reboot performed a couple of days ago, meaning that the reboot seemingly doesn't unlock them.
Those accounts are not administrator accounts; they never log in to the web GUI. The only purpose of these users is IPsec VPN login.
4. Users only have one account. I've created a second, and even a third, account for the users that were experiencing this issue, meaning that the issue is related to the old account, and I created a new one to allow the user to successfully log in again until their original account gets automagically unlocked.
Thank you
Hi @phphil
May I know if those temporarily locked accounts belong to AD user accounts? While those accounts cannot establish VPN, are there any auth failed related logs that can be observed on the Monitor Log of the ATP500 device?
They don't belong to AD, they are simple users like:
They don't have two-factor authentication enabled.
Second question has an answer on the original post:
May 20 10:30:06 atp500 CEF: 0|ZyXEL|ATP500|5.30(ABFU.0)|0|IKE|4|devID=bccf4fc520d6 src=<SOURCE_IP> dst=<DEST_IP> spt=4500 dpt=4500 dvchost=atp500 msg=AUTH fail! cat=IKE ZYlevel=info ZYnote=IKE_LOG
Hi @phphil
For a more clear purpose of troubleshooting, I sent a private message to you. Please check your message inbox. Perhaps we can arrange a remote session to check this symptom.