USG20W-VPN Session Monitor Traffic from Server "Wiz_SSL_VPN" No VPN Defined after RESET

SierraTech
SierraTech Posts: 39  Freshman Member
First Comment Friend Collector Sixth Anniversary
in Security

After upgrading to 5.39, and performing Factory RESET on Router, I had to rebuild Client's configuration per Zyxel Support recommendation

New configuration (after factory RESET) has no VPN defined, After rebuilding Client's Router manually, I'm seeing a lot of Traffic when I view "Session Monitor" from the Server IP, reference "Wiz_SSL_VPN" service.

How can there be VPN traffic to these Public IPs, when no VPN has been defined

See Attached Graphic.

ZyxelUSG20W-VPN Wiz_ssl_VPN Traffic from Server.jpg

Router was previously Attacked before updating 5.39 with unauthorized Userers Defined.

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,409  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @SierraTech,

    Please help us clarify:

    1. Are the admin's password still the same as before? If yes, the hacker might use the same credentials to access the firewall and create the VPN configuration. In addition, since the VPN name is Wiz_SSL_VPN, the hacker might be able to access the firewall's Web GUI because only Web GUI supports wizard.
    2. If the answer above is yes, please remove the configuration or factory default again and rebuild the firewall configuration with the new admin's password/credentials.

    Zyxel Melen

    Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP!


  • SierraTech
    SierraTech Posts: 39  Freshman Member
    First Comment Friend Collector Sixth Anniversary

    @Zyxel_Melen

    Thanks for the question. I took the router completely offline and updated offsite in my home office with no Internet. I uploaded 5.39 and performed factory reset (reset button about 15 seconds or longer took a while). While keeping WAN unconnected I changed my password, and started rebuilding configuration again.

    I deployed it yesterday and still seeing suspicious traffic even though WAN access to configure router is disabled and I added geo blocks on both WAN and LAN.

    The internet stops working about 3 hours after reconnecting, due to traffic overloading from what I can tell, and I have to reboot the router again.

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,409  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @SierraTech,

    Thanks for your update. I will send you a message requesting a remote PC to check this issue.

    Zyxel Melen

    Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP!


  • SierraTech
    SierraTech Posts: 39  Freshman Member
    First Comment Friend Collector Sixth Anniversary

    @Zyxel_Melen


    Thank you, I will look for it. Once I connect with RDp after reboot, I can stay connected but the traffic is so overwhelming, I have to run over the office and reboot both the router and modem, to return Internet access (last between 1.5 and 3 hours).

    I appreciate the assistance! It’s like factory reset didn’t complete.

Categories

Security Highlight


Read more

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)