VPN to Flex100H is driving me crazy

amateur_netops
amateur_netops Posts: 12  Freshman Member
First Comment

I used to use Zywall 110s (primarily) to connect my homes. 6 Locations. As Zywall 110s are no longer updated - it was time to move on. This summer I replaced a Zywall 110 with a Flex 100H. I did not do any further changes when I found out that the 100H Flex does not support forcing a specific VPN tunnel as next hop. Allegedly that will change with a firmware update this October.

But now to my problem: So none of the devices/settings have changed other than the one Flex100H - let's call it Site2 - the tunnels come up - and everything seems fine. I can ping everything from Site1 at Site2 (including the 100H) and vice versa - I can remote desktop into the file server on Site2 - but for some reason http and https connections (on the regular ports) to devices in the LAN on Site2 as well as the device itself don't work. There are "some" packets on port 80 going back and forth - but for all practical purposes it doesn't work.

I can access the web server of my camera system on port 8090. But I can't access any of the cameras directly (can ping them), I can not access the Flex100H and I can't access the Hubitat controller directly.

Zyxel Support claims the issue must be on the (now of course unsupported) Zywall at Site1 (I have the same issue from Site3, Site4, Site5 and Site 6) - which like all other Zywalls have NOT been touched in the Site2 Upgrade.

I find that rather unlikely but nonetheless went through all relevant settings I could think of. I think the issue has to be something on the 100H Flex at Site2 - any thoughts what I could look at?

Best Answers

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,204  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - WLAN Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security
    Answer ✓

    Hi @amateur_netops

    Please try adjusting the LAN interface MTU size to 1300 on both firewalls to see if it helps with your issue.

    If the issue persists, could you capture packets on the server end for both the USG FLEX 100H and the USG FLEX 200H traffic?

    Kay

    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

  • amateur_netops
    amateur_netops Posts: 12  Freshman Member
    First Comment
    Answer ✓

    I ended up rebuilding the 100H after a factory reset - made all VPNS IKE2 now - still didn't work. Set MTU to 1300 - now works.

    Thank you!

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,204  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - WLAN Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security
    Answer ✓

    Hi @amateur_netops

    I'm glad to hear it's working! The root cause may be related to packet fragmentation. VPNs encapsulate data into larger packets, which increases their size. When the MTU is set too high, packets might exceed the size supported by network devices or along the internet path, causing fragmentation or packet drops.

    By adjusting the MTU, you've helped the packets fit within network limits, reducing fragmentation and allowing VPN traffic to flow more smoothly.

    Kay



All Replies

  • PeterUK
    PeterUK Posts: 3,460  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited October 8

    I have a local VPN site-to-site policy-based setup with a USG40 to a FLEX200H and that's fine (mostly other issues), so likely a config problem.

    For routing rules it's true you can't set incoming to a VPN tunnel, but what I have found is that by setting it to any you can change what the traffic does, but I suggest you set the rule to be strict or at the bottom of the list so as not to affect other rules.

    Do you have a NAT rule with external IP set to any?

  • amateur_netops
    amateur_netops Posts: 12  Freshman Member
    First Comment
    edited October 8

    First of all - thank you for responding.

    I do not have a NAT rule with external IP set to any(thing) - and my apologies if this is something obvious I should understand - but what would that do?

    I assume we are talking about the 100H - it has no configured NAT rules.

  • PeterUK
    PeterUK Posts: 3,460  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    As you don't have any NAT rules, not a problem; it's just that the any on external IP may cause tunnel traffic to follow that rule when you don't want it to.

    Do you have any routing rules? What are they?

  • amateur_netops
    amateur_netops Posts: 12  Freshman Member
    First Comment

    I have no static routes nor active policy routes on the 100H - I do have a whole bunch of policy routes on all of the old 110s. But since I didn't touch those (and they all make sense to me) I don't expect the issue there.

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,204  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - WLAN Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security

    Hi @amateur_netops

    From our experience, when TCP traffic fails over the VPN tunnel while other protocols, such as ping and RDP, work fine, it may be related to the "Don't Fragment" setting in TCP packets. This issue can occur if the packet size exceeds the VPN packet frame, potentially causing traffic disruptions.

    We recommend enabling the "Ignore Don't Fragment" option in the VPN settings on each site, which allows packets to be fragmented and fit within the VPN frame.

    Please apply this setting on all of your firewalls and see if it resolves the issue.

    However, keep in mind that the USG FLEX H series does not currently support this function. We suggest enabling it on the other sites' firewalls first and then testing the connectivity again.

    Let us know how it goes, and feel free to reach out if you need further assistance!

    Kay

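The two explanations in this thread (Kay's note on MTU and fragmentation, and the later note on the "Don't Fragment" bit) describe one mechanism. The following model is an added illustration, not code from the thread or from Zyxel: it computes the size of an ESP tunnel-mode packet with NAT-T and then decides what a tunnel endpoint can do with an inner packet that no longer fits the path MTU. The header sizes for AES-CBC (16-byte IV) and a 128-bit ICV, the 1500-byte path MTU, and the sample packet sizes are assumptions chosen for the example.

```python
# Added illustration (not from the thread or from Zyxel): a toy model of IPsec
# ESP tunnel-mode overhead, used to show why small packets (ping, RDP) cross a
# VPN that silently drops full-size TCP segments carrying the Don't Fragment bit.
from dataclasses import dataclass

IP_HDR = 20      # outer/inner IPv4 header without options
TCP_HDR = 20
UDP_HDR = 8      # present only with NAT-T (UDP/4500) encapsulation
ESP_HDR = 8      # SPI + sequence number (RFC 4303)
ESP_IV = 16      # assumption: AES-CBC with a 16-byte IV
ESP_ICV = 16     # assumption: HMAC-SHA-256 truncated to a 128-bit ICV
CIPHER_BLOCK = 16


def esp_encapsulated_size(inner_len: int, nat_t: bool = True) -> int:
    """Size of the outer packet after ESP tunnel-mode encapsulation."""
    # ESP trailer: pad length (1) + next header (1), then padded to the block size
    plaintext = inner_len + 2
    padded = -(-plaintext // CIPHER_BLOCK) * CIPHER_BLOCK  # ceil to block multiple
    outer = IP_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV
    if nat_t:
        outer += UDP_HDR
    return outer


@dataclass
class Outcome:
    outer_len: int
    action: str  # "sent", "fragmented" or "dropped"


def forward_over_tunnel(inner_len: int, df: bool, path_mtu: int = 1500,
                        ignore_df: bool = False, nat_t: bool = True) -> Outcome:
    """Decide what a tunnel endpoint does with one inner packet.

    Without an "ignore Don't Fragment" behaviour, an oversized inner packet that
    carries DF cannot be fragmented and is discarded; the sender only recovers if
    an ICMP "Fragmentation Needed" message reaches it, which often it does not.
    """
    outer = esp_encapsulated_size(inner_len, nat_t)
    if outer <= path_mtu:
        return Outcome(outer, "sent")
    if df and not ignore_df:
        return Outcome(outer, "dropped")
    return Outcome(outer, "fragmented")


def tcp_mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits an IPv4 packet of the given MTU."""
    return mtu - IP_HDR - TCP_HDR


def simulate(lan_mtu: int = 1500, ignore_df: bool = False) -> dict:
    """Constructed sample traffic, sized as seen on the LAN before encryption.

    Assumption: hosts size full segments to lan_mtu, i.e. a lowered interface MTU
    only helps once the hosts learn it (MSS clamping or ICMP feedback).
    """
    samples = {
        "icmp echo":      (84, False),       # typical ping, DF clear
        "rdp keystrokes": (200, True),       # small interactive segment
        "http response":  (lan_mtu, True),   # full-size segment, DF set by PMTUD
    }
    return {name: forward_over_tunnel(size, df, ignore_df=ignore_df).action
            for name, (size, df) in samples.items()}


if __name__ == "__main__":
    print("MTU 1500:", simulate())
    print("MTU 1500, ignore DF:", simulate(ignore_df=True))
    print("MTU 1300:", simulate(lan_mtu=1300))
    print("TCP MSS at MTU 1300:", tcp_mss_for_mtu(1300))
```

With these assumptions a 1500-byte inner packet becomes a 1572-byte outer packet, so ping and small RDP segments pass while every full-size HTTP response segment with DF set is dropped; either fragmenting regardless of DF or keeping the inner packet at 1300 bytes (1380 bytes after encapsulation) brings the outer packet back under 1500. Real overhead differs by cipher suite and by whether NAT-T is in use, so the numbers are illustrative, but the shape of the failure (small traffic works, bulk TCP stalls after the first bytes) is the one reported in this thread.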

  • amateur_netops
    amateur_netops Posts: 12  Freshman Member
    First Comment
    edited October 15

    Hi Kay,

    I only tried it on the site I am at - but it did not make a difference from here. I still think it has to do with some security setting or service.

    I am currently in 192.168.100.X - the network behind the FlexH is 192.168.111.X - with the device being 111.1

    Ping from 100.x to any device in 111.x works

    RDP to 111.8 works (only machine that is turned on there)

    Windows Fileshare on 111.8 works

    http on port 8090 to 111.8 works

    http to device (port 80) successfully redirects to https - then dies

    http to 111.37 (port 80) results in browser loading the page header (Network Camera) - then dies

    http to 111.34 (port 80) - no response (home control system)

    http to 111.54 (port 80) which is a password protected web cam results in password (browser) verification coming up - but nothing after authentication

    In reverse - accessing a device from 111.x in 100.x works just fine - for example I can access the Zywall at 100.1 from 111.x - same holds true for the hubitat controller in 100.x - can access it from 111.x

  • PeterUK
    PeterUK Posts: 3,460  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    Maybe the problem has to do with the FLEX200H on port 80, which should not be a problem, but maybe it is, so change the FLEX200 HTTP port to 8080.

  • PeterUK
    PeterUK Posts: 3,460  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    Testing here I did the following setup

    VLAN48 > Zywall 110 >tunnel > FLEX200H > LAN138

    PC from 192.168.255.66 to 192.168.138.2 port 80> gateway 192.168.255.65 to Zywall 110
    tunnel on Zywall 110
    local policy 192.168.255.64/28
    remote policy 192.168.138.0/28
    tunnel on FLEX200H
    local policy 192.168.138.0/28
    remote policy 192.168.255.64/28
    Test PC 192.168.138.2 to test server HTTP

    All fine here

  • amateur_netops
    amateur_netops Posts: 12  Freshman Member
    First Comment
    edited October 21

    I bought a 200HP for the house I am currently at - to replace a 110. Allows me more opportunity to experiment too. It arrives tomorrow.

  • amateur_netops
    amateur_netops Posts: 12  Freshman Member
    First Comment

    UPDATE - So I upgraded usdagtw (the way I name my gateways) to a Flex 200HP - the issue must be on the 100H at atkdgtw - I can access things behind the 200HP just fine from other Zywall 110 or USG 40 locations. I cannot access stuff on port 80 or 443 behind the 100H from the network with the 200HP either.

    So here is a test with a subset of homes:

    ATSNGTW = Zywall 110 192.168.110.1

    ATKDGTW = Flex 100 192.168.111.1

    USHOGTW = USG 40 192.168.102.1

    USPOGTW = Zywall 110 192.168.210.1

    USDAGTW = Flex 200HP 192.168.100.1

    Any VPN location can open https://192.168.100.1

    Any VPN location can open http://192.168.100.37 (Hubitat)

    No VPN location can open https://192.168.111.1

    No VPN location can open http://192.168.111.37 (Hubitat controller)
