USG FLEX 100 - 5.39: Loss of Internet Access after update

MikeForshock Posts: 40  Freshman Member
edited September 2 in Security

Had a unit auto-update this morning and since restart has not allowed internet access. No internal devices (LAN or VPN) show any logs for WAN access, even with the security policy set to log for approved and deny. Was working perfectly fine until the update.

No errors found, no config was changed, only the firmware update.

Prevents WAN from VPN, only shows a DNS request to the Zyxel and then it stops (the DNS return works, resolves on client requesting info).

All Replies

  • PeterUK
    PeterUK Posts: 3,459  Guru Member

    Must be a feature you're using to cause this; my Flex 200 is up and running on 5.39, VPN site to site up.

    You can try a reset then apply config with "Ignore errors and finish applying the configuration file"

  • MikeForshock

    It appears it may be related to VLAN WAN connections.

    Our primary connection is sent via VLAN from a head router at this location.
    The USG can ping, trace, lookup, speed test, etc.

    Anything "behind" the USG will not access any external/WAN connections.
    Making this much odder is that the log shows no entries for forward/block (all in/out is logged, confirmed.)


  • PeterUK

    Try adding a routing rule: incoming LAN, next hop VLAN WAN.

  • MikeForshock

    Create a policy entry and it does work, but it has to use the specific interface.

    This unfortunately will remove our redundant connection (cellular modem, WAN2/opt).

    So there is certainly an issue with the update, hopefully gets fixed quickly. Will possibly revert back to 5.38 and disable auto update. The consequences of security sometimes

  • PeterUK

    So are you using Default system Trunk?

    What if you make a User Configured Trunk with cellular modem, WAN2/opt with the routing rule with next hop that trunk?

  • MikeForshock

    Negative, custom trunk. Each connection has connection checking, primary (VLAN) as active, secondary (WAN2/opt) as passive. As specified in guides.

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,630  Zyxel Employee

    Hi @MikeForshock ,

    To better assist with the issue of losing Internet after updating to the 5.39 firmware, please download the diagnostic file and send it to me privately by clicking on my account and selecting "Message."

    Judy

  • p4_greg
    p4_greg Posts: 16  Freshman Member

    Just curious if there are any updates on this issue?

    I am interested in the outcome here since we use a similar setup at some of our clients: a VLAN interface for cellular backup connection, in a custom WAN-trunk with wan1=active, vlan1001=passive

    Just noticed this thread, I have not had a chance to upgrade/test our setup yet…

  • MikeForshock
    edited September 9

    How can I send this over with the credentials stripped?
    Literally has every password, two-step, psk, certificate, etc.

    I would be okay with a remote session so you can see the config via my system, only with a tool we can limit file & clipboard sharing. Contact and we can work that out.

  • MikeForshock

    As of yet, no solution.
    All the other non-VLAN routers updated without issue. Luckily!
