Routeing rules not failing correctly if interface ping is enabled

Options
PeterUK
PeterUK Posts: 2,848  Guru Member
First Anniversary 10 Comments Friend Collector First Answer
in Security

VPN300 V5.37(ABFC.2)

so this is the setup only with more rules

Untitled Image
Screenshot 2024-05-03 133318.png

When without VPN300 interface ping check on VLAN443 on Zywall 110 I block from VLAN443 to VLAN443 the rules disable correctly then when I remove the block the rules come back on line.

Screenshot 2024-05-03 134108.png

But if I have VPN300 ping check on interface VLAN443 to no-ip.org and bounceme.net with any one responds I then block on Zywall 110 from VLAN443 to OPT to fail the check then after some time unblock it then block VLAN443 to VLAN443 the three rules do not fail all three are up and do not disable requiring the rules to be disabled/enabled to fail check after disabling interface VLAN443 ping check

All Replies

  • mMontana
    mMontana Posts: 1,337  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    VPN300 V5.37(ABFC.2)

    Never see that firmware version; currently USG Flex are on 5.38, so maybe a "version definition" is now splitting? IDK.

  • PeterUK
    PeterUK Posts: 2,848  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Yes it might be the last firmware for VPN models being EOL but the problem should happen in current models

  • WJS
    WJS Posts: 142  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Can you see prob traffic sent from VPN300 or receive on zywall110 ?

    And what's your check period timeout tolerance?

  • PeterUK
    PeterUK Posts: 2,848  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited May 7
    Options

    Yes I see traffic allowed then I block for testing with routing ping check and interface ping check the problem is they both can't be enabled or it causes problems for VPN300 routing ping check to not fail after you fail interface ping check then enable then you fail routing ping which should fail but the routing ping check does not fail correctly with interface ping check is enabled after you fail it once

    I have ping check as

    ping 5 seconds

    timeout 1 second

    tolerance 2

    looking at a traffic when I block Zywall 110 from VLAN443 to OPT to fail the check then after some time unblock it causes the routing ping check to fail sending ping any more

  • PeterUK
    PeterUK Posts: 2,848  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited May 7
    Options
    2024-05-07 16-54-41.zip

    Video of the problem you first see my fail the routing ping check by Zywall110 the reallow then enable  interface ping check then fail that by Zywall110 and reallow interface then try to fail routing ping check by Zywall110 again and will not fail

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 795  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi PeterUK,

    It seems can't replicate on FLEX with 5.38. here is my steps:

    1)Set ping check on Policy route and interface with probe domain name.

    2)block any traffic on upper device, the policy route inactive by conn-check fail.

    image.png

  • PeterUK
    PeterUK Posts: 2,848  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited May 9
    Options

    Check my Video 

    You have to fail the interface ping check first but not the routing ping check then allow interface ping check then fail routing ping check.

    It took some attempts to do it

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 795  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Yes I did it, but can't see the issue.

    1)Without interface ping check, then block icmp

    image.png

    2)Allow ping , status back.

    image.png

    3)With interface ping check, Blcok "Any", Policy route set INACTIVE as expected

    image.png

    4)Allow again, status back

    image.png

    5)then block ping again. policy route inactivate as expected.

    image.png
    image.png
    image.png

  • PeterUK
    PeterUK Posts: 2,848  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited May 10
    Options

    The interface is external VLAN443 to which you have the interface ping to no-ip.org and bounceme.net which you will fail then allow by other firewall

    The way in which the routing ping check is not blocked when you fail interface ping check to interface of other firewall (all be it thats not how my setup works as I NAT ICMP so not from VLAN443 to Zywall) but routing ping to Zywall to other firewall should work.

    So you have interface ping check to internet IP's which you block VLAN443 to WAN which you first block to fail the allow again

    You have routing ping check to VLAN443 Zywall on other firewall which you allow when you do the above then you block which should fail the routing ping check but it don't and when this happen the routing ping check is not sending ping.

    So when it stop working you have to disable interface ping check then disable/enable routing ping check for it to start working again.

    I could let you remote in to VPN300 when this happen for you to check why routing ping is not sending out pings any more after a fail interface ping check and allow then you can disable interface ping check disable/enable routing ping to see it sending ping.

Categories

Security Highlight


Read more

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)