Help with USG310, timeout access via GUI and CLI, IPSec stops working.

Good afternoon. We have a client (HOSPITAL) that has a USG310 firewall and is on the latest FW version available (4.73(AAPJ.2)).
We are having a problem where the equipment loses the IPSEC VPN connection and after that it becomes inaccessible both via console and via http, requiring a physical reboot of the equipment. Internet access keeps working on clients.
This case has already occurred about 4 times, and even collecting the logs and checking the outputs via the console, I was unable to discover what is causing the crashes.

All Replies

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    edited May 31

    It's hard to know what can cause this at times; one possibility is any attempt that packet(s) can cause problems.

    If you can, it's best to allow incoming traffic by source IP or FQDN in policy control.

    I have seen problems like this myself but still can't pinpoint the cause.

    Is the USG310 to another Zyxel? Or is this Remote Access (Server Role)?

  • TiagoPereira
    TiagoPereira Posts: 3

    Thanks for the answer. The IPsec connection is closed with an Oracle Cloud server; however, the fact that the VPN drops is not the worst problem. When the problem happens, I can't access the equipment via GUI or CLI, so I have to physically go to the location, and this is annoying the customer. I saw here on the forum situations where equipment with previous firmware was suffering flood attacks on UDP port 500, and this caused crashes. However, this issue appears to have been resolved in the latest update. IPsec incoming traffic is being filtered by GeoIP. I connected a console cable and will monitor the logs at debug level; if you have any other ideas, I would appreciate it. I've already looked for local support with Zyxel in my country too.

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    edited May 31

    It would be best to limit access by FQDN with DDNS setup.

    The USG310 is EOL and may not get any more updates.

    Try with Anomaly Detection and Prevention disabled.

  • TiagoPereira
    TiagoPereira Posts: 3

    I cannot restrict access by FQDN, as we also use L2TP over IPsec. Just for information, straight from the console I'm getting the following messages:

    [17454.045127] xt_TCPMSS: bad length (302 bytes)
    [17486.432469] xt_TCPMSS: bad length (589 bytes)
    [17486.460217] xt_TCPMSS: bad length (589 bytes)
    [18167.350757] xt_TCPMSS: bad length (302 bytes)
    We are also aware of the EOL, but we had the misfortune of selling the equipment right in this transition to the FLEX line, so it will be a little stressful to convince the customer to upgrade.
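
As an added example, not code from the thread or from Zyxel, here is a small Python script for someone monitoring the console at debug level as described above: it parses lines of the `[uptime] xt_TCPMSS: bad length (N bytes)` form quoted in the post, flags bursts of those warnings within a short window, and detects an uptime counter going backwards (which in a console capture marks a reboot, so a burst just before a reset is worth correlating with the hang). The sample lines are constructed, modelled on the ones in the post; the window and threshold values are assumptions to tune.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the xt_TCPMSS lines quoted in the post (not a real capture).
# The last line has a much smaller uptime, simulating the console after a reboot.
SAMPLE_CONSOLE = """\
[17454.045127] xt_TCPMSS: bad length (302 bytes)
[17486.432469] xt_TCPMSS: bad length (589 bytes)
[17486.460217] xt_TCPMSS: bad length (589 bytes)
[17490.000000] some other kernel message
[18167.350757] xt_TCPMSS: bad length (302 bytes)
[18167.400000] xt_TCPMSS: bad length (302 bytes)
[18167.450000] xt_TCPMSS: bad length (302 bytes)
[    12.001000] xt_TCPMSS: bad length (302 bytes)
"""

# Kernel printk prefix: seconds since boot in brackets, then the xt_TCPMSS warning.
LINE_RE = re.compile(r"^\[\s*(?P<uptime>\d+\.\d+)\]\s+xt_TCPMSS: bad length \((?P<length>\d+) bytes\)")

@dataclass
class TcpmssEvent:
    uptime: float   # seconds since boot, as printed by the kernel
    length: int     # packet length the module complained about

def parse_tcpmss_lines(text):
    """Return the xt_TCPMSS warnings in console order; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(TcpmssEvent(float(m["uptime"]), int(m["length"])))
    return events

def find_bursts(events, window=1.0, threshold=3):
    """Return (start_uptime, count) for each run of >= threshold warnings within `window` seconds."""
    bursts, i, n = [], 0, len(events)
    while i < n:
        j = i
        # Extend the run while the next event is within the window and uptime is not going backwards.
        while j + 1 < n and 0 <= events[j + 1].uptime - events[i].uptime <= window:
            j += 1
        count = j - i + 1
        if count >= threshold:
            bursts.append((events[i].uptime, count))
            i = j + 1          # do not report overlapping sub-runs of the same burst
        else:
            i += 1
    return bursts

def find_uptime_resets(events):
    """Indices at which the uptime counter decreased, i.e. the box rebooted between two lines."""
    return [i for i in range(1, len(events)) if events[i].uptime < events[i - 1].uptime]
```

Pasting a longer console capture into SAMPLE_CONSOLE (or reading it from a file) lets you see whether the warnings cluster right before the reset, or are just steady background noise unrelated to the hang.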
