IKEv2 causes USG to crash
We’ve been running several USG devices (110 and 210) without issues for years. However, our USG110 recently started hanging every three days. By "hang," I mean it completely stops responding and becomes inaccessible by any means.
To rule out hardware or configuration issues, we replaced it with a brand-new USG210 from our stock (including a new power adapter) and manually configured it from scratch—no imports, no old configs. Unfortunately, the issue persisted with the same 3-day freeze cycle.
Findings from Investigation:
We identified that the freezes always happen during IKEv2 rekeying. The issue started when a new remote user (Windows 10 native IKEv2 VPN client) joined. While this user is legitimate, their probably poor network conditions or MTU issues cause a lot of repeated warnings:
- "Replay detected"
- "Network congestion"
- IKEv2 rekeying every 2-3 minutes instead of the configured 8 hours.
[a reason why it's happening is a separate question]
This strongly resembles CVE-2023-33009 and CVE-2023-33010, which were patched in firmware 4.73. I suspect that the fix introduced a new bug even for legitimate users.
I understand that USG110/210 are EOL, but these firmware issues are severe enough that they shouldn't be ignored.
This is the IKE debug-level log of the crash moment. System resources within 1 second before the crash were generous (CPU < 5%, memory < 40%, etc.).
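A way to spot the symptom the post describes (a peer rekeying every few minutes against an 8-hour lifetime, alongside repeated replay/congestion warnings) in a log feed. This is an added example, not code from the original post or from Zyxel; the log line layout and the peer addresses are constructed for it, since the real IKE debug log is not reproduced on the page.

```python
"""Flag IKEv2 peers whose rekeys arrive far more often than the configured
SA lifetime. Log layout below is constructed, not the USG's real format."""
import re
from datetime import datetime
from statistics import median

CONFIGURED_LIFETIME_S = 8 * 3600   # 8-hour IKE SA lifetime named in the post
MIN_RATIO = 0.10                   # flag if median rekey gap < 10% of lifetime

# Constructed sample: one healthy peer, one peer rekeying every ~2-3 minutes.
SAMPLE_LOG = """\
2024-05-01 08:00:00 ike peer=203.0.113.10 event=REKEY
2024-05-01 08:00:05 ike peer=203.0.113.10 event=WARN msg="Replay detected"
2024-05-01 08:02:30 ike peer=203.0.113.10 event=REKEY
2024-05-01 08:02:40 ike peer=203.0.113.10 event=WARN msg="Network congestion"
2024-05-01 08:05:10 ike peer=203.0.113.10 event=REKEY
2024-05-01 08:00:00 ike peer=198.51.100.7 event=REKEY
2024-05-01 16:00:00 ike peer=198.51.100.7 event=REKEY
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) ike peer=(?P<peer>\S+) event=(?P<event>\w+)'
    r'(?: msg="(?P<msg>[^"]*)")?$')

def analyze(log_text, lifetime_s=CONFIGURED_LIFETIME_S, min_ratio=MIN_RATIO):
    """Return {peer: {"median_gap": seconds, "warnings": n, "suspicious": bool}}."""
    rekeys, warnings = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed layout
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        peer = m["peer"]
        if m["event"] == "REKEY":
            rekeys.setdefault(peer, []).append(ts)
        elif m["event"] == "WARN":
            warnings[peer] = warnings.get(peer, 0) + 1
    report = {}
    for peer, times in rekeys.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps) if gaps else None
        report[peer] = {
            "median_gap": med,
            "warnings": warnings.get(peer, 0),
            # a peer well below 10% of the lifetime is rekeying abnormally often
            "suspicious": med is not None and med < lifetime_s * min_ratio,
        }
    return report
```

Running `analyze(SAMPLE_LOG)` marks 203.0.113.10 as suspicious (median gap 155 s, 2 warnings) and leaves 198.51.100.7 alone (one 8-hour gap).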
All Replies
Hi @Nikriaz,
Please be aware that the USG 110 and 210 have reached their End of Life (EOL) status, which means our support for this model will be limited. However, I checked with our team, and the USG FLEX H series doesn't have this issue. We recommend migrating to the USG FLEX H series.
Zyxel Melen
The latest firmware for the USG ZLD 4.x line is V4.73(AAKY.2)ITS-23WK23-r109633 (this one is for the USG60, but it is also available as Lab Firmware for the whole range).
I don't know if it will help to ease the issue, but I'd give it a shot while deciding your next step.
I solved all my troubles with USG (IKE crashes, RADIUS bugs, routing inconsistencies and many more) by replacing the entire infrastructure with Fortigate. The difference is simply unbelievable in terms of features, stability and speed. It's truly hard to believe, but IKE speed improved by at least 300%. RADIUS works flawlessly. Logs are rich, clean and easy to understand. Routing is transparent. 10 years with USG… never again.
Plump clickbait and attention seeking. Before any further discussion here, go and check the total number of CVEs per brand1 and then per brand2. Duh.