SSLVPN Issue HA

Fred_77 (Ally Member)

Hi all,

I am trying to set up remote SSLVPN access with an OpenVPN client, but I always get a timeout error.

My scenario: 2 Flex 500H in HA mode. A simple IPsec IKE2 remote access (with a self-signed certificate) works as well.

Now I would like to set up SSLVPN access. The related WAN-to-device security policy is correct. The USG is running the latest firmware. The public IP is on the WAN interface.

From the logs I see incoming traffic forwarded correctly, but no other reports.

[screenshot]

-FYI, nothing changes with standard port 10443-

Did the same test with the Zyxel IPsec/SSL client: connection provisioning seems OK.

[screenshot]

Same results: ipsec ike2 OK; SSL KO

[screenshot]

No issue on other H-Series devices… but this is the first test in an HA scenario. (I don't want to believe it depends on this.)

Thanks in advance for any suggestion.

Lorenzo

All Replies

  • Zyxel_Judy (Zyxel Employee)

    Hi @Fred_77 ,

    It seems the issue is not related to Device HA. We can confirm that the SSL VPN connection has been established with the OpenVPN Connect client on our end.

    We recommend referring to this article to see how to configure SSL VPN connection with OpenVPN Connect client on the H firewall.

    If the issue persists, please share your 500H's WAN access with us, and we'll check directly.

    How to allow HTTPS Web GUI Access from WAN? (USG FLEX H) — Zyxel Community

    Zyxel_Judy

  • Fred_77 (Ally Member)

    Hi @Zyxel_Judy

    Thanks for the reply.

    The issue does not seem to be related to the OpenVPN client configuration. The Zyxel client is also affected.

    In PM info to web access…

    Lorenzo

  • Fred_77 (Ally Member)

    …Update

    Hi @Zyxel_Judy, applied FW WK23 as requested.

    Nothing changes. Issue still present.

    Regards

    Lorenzo

  • Zyxel_Judy (Zyxel Employee)
    edited June 25

    Hi @Fred_77 ,

    Root Cause Analysis
    The primary issue occurs after the VPN client completes the TCP handshake. While the firewall sends PSH, ACK packets, the client fails to receive them.
    We have sent the relevant packet captures via private message. The firewall's pcap shows TCP retransmissions, but the client never receives these packets.

    Recommended Testing Approach
    To determine whether this is a firewall or ISP-related issue, please conduct testing using the topology provided below.

    [screenshot: test topology]


    Test Results and Next Steps

    • If VPN connection succeeds: The issue is ISP-related. Please contact your ISP to investigate network connectivity problems.
    • If VPN connection fails: The issue is firewall-related. Please provide TeamViewer or AnyDesk remote access so we can perform detailed troubleshooting.

    Zyxel_Judy
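The symptom described in the reply above (handshake completes, the firewall's PSH,ACK segments are retransmitted, the client never acknowledges them) is easy to confirm from a capture summary rather than by eye. The following is an added example, not Zyxel's tooling or anything posted in this thread: it takes a list of per-packet summaries (the fields you would export from Wireshark or tshark) and classifies each TCP flow. The packets, addresses and ports below are constructed for illustration; the firewall WAN address 198.51.100.1 and the client addresses are placeholders.

```python
"""Classify TCP flows to spot "handshake ok, server data never acked".

Added example for the thread above; not Zyxel code. Input is a constructed
list of packet summaries, not a real capture from the thread.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Packet:
    ts: float
    src: str            # "ip:port"
    dst: str            # "ip:port"
    flags: Set[str]     # subset of {"S", "A", "P", "F", "R"}
    seq: int
    ack: int
    length: int         # TCP payload bytes


@dataclass
class Flow:
    client: str
    server: str
    handshake: List[str] = field(default_factory=list)          # "S", "SA", "A"
    server_data: Dict[int, int] = field(default_factory=lambda: defaultdict(int))  # seq -> times seen
    client_max_ack: int = 0                                     # highest ack the client ever sent


def analyze(packets: List[Packet]) -> Dict[str, str]:
    """Group packets into flows (keyed by the two endpoints) and diagnose each."""
    flows: Dict[tuple, Flow] = {}
    for p in sorted(packets, key=lambda x: x.ts):
        key = tuple(sorted((p.src, p.dst)))
        if key not in flows:
            if p.flags != {"S"}:
                continue                      # mid-stream flow, no handshake to judge
            flows[key] = Flow(client=p.src, server=p.dst)
        f = flows[key]
        # Three-way handshake; retransmitted SYN / SYN-ACK are not counted twice.
        if p.flags == {"S"} and p.src == f.client and not f.handshake:
            f.handshake.append("S")
        elif p.flags == {"S", "A"} and p.src == f.server and f.handshake == ["S"]:
            f.handshake.append("SA")
        elif p.flags == {"A"} and p.src == f.client and p.length == 0 and f.handshake == ["S", "SA"]:
            f.handshake.append("A")
        # Every payload-carrying segment from the server, counted per seq so repeats show up.
        if p.src == f.server and p.length > 0:
            f.server_data[p.seq] += 1
        if p.src == f.client and "A" in p.flags:
            f.client_max_ack = max(f.client_max_ack, p.ack)
    return {f"{f.client}->{f.server}": diagnose(f) for f in flows.values()}


def diagnose(f: Flow) -> str:
    if f.handshake != ["S", "SA", "A"]:
        return "handshake incomplete"
    if not f.server_data:
        return "handshake ok, no server data seen"
    first_seq = min(f.server_data)
    retrans = sum(n - 1 for n in f.server_data.values() if n > 1)
    # The client's ACK of the SYN-ACK equals the server's first data seq, so an ack
    # that never exceeds it means no server payload ever reached the client.
    if f.client_max_ack <= first_seq:
        return f"handshake ok, server data never acked by client ({retrans} retransmissions)"
    return "ok"


# Constructed sample: one flow showing the symptom, one healthy flow for contrast.
FW = "198.51.100.1:443"        # firewall WAN address (placeholder)
BAD = "203.0.113.10:51515"     # client behind a path that drops the return traffic
GOOD = "203.0.113.77:40202"    # client on a healthy path
SAMPLE = [
    Packet(0.000, BAD, FW, {"S"}, 1000, 0, 0),
    Packet(0.010, FW, BAD, {"S", "A"}, 5000, 1001, 0),
    Packet(0.020, BAD, FW, {"A"}, 1001, 5001, 0),
    Packet(0.021, BAD, FW, {"P", "A"}, 1001, 5001, 14),   # client's first message
    Packet(0.030, FW, BAD, {"A"}, 5001, 1015, 0),
    Packet(0.031, FW, BAD, {"P", "A"}, 5001, 1015, 26),   # firewall's reply
    Packet(0.240, FW, BAD, {"P", "A"}, 5001, 1015, 26),   # retransmission
    Packet(0.660, FW, BAD, {"P", "A"}, 5001, 1015, 26),   # retransmission
    Packet(1.500, FW, BAD, {"P", "A"}, 5001, 1015, 26),   # retransmission
    Packet(2.000, GOOD, FW, {"S"}, 7000, 0, 0),
    Packet(2.010, FW, GOOD, {"S", "A"}, 9000, 7001, 0),
    Packet(2.020, GOOD, FW, {"A"}, 7001, 9001, 0),
    Packet(2.021, GOOD, FW, {"P", "A"}, 7001, 9001, 14),
    Packet(2.030, FW, GOOD, {"P", "A"}, 9001, 7015, 26),
    Packet(2.040, GOOD, FW, {"A"}, 7015, 9027, 0),        # client acks the reply
]

if __name__ == "__main__":
    for flow, verdict in analyze(SAMPLE).items():
        print(flow, "=>", verdict)
```

Reading the verdicts: the small handshake segments arrive in both directions, so the WAN policy and the listening port are fine; only the firewall's payload-carrying segments fail to reach the first client. Whether that is an upstream drop on the return path or an MTU/MSS problem is exactly what the two-topology test in the reply above separates, because a client plugged in next to the firewall takes the ISP out of the path.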

  • Fred_77 (Ally Member)

    … Update 2… from bad to worse

    Hi @Zyxel_Judy

    I did the requested tests:

    Scenario 1 as you advised

    Scenario 2 laptop connected to ge3 (lan1)

    In both cases the connection is constantly going up and down.

    In PM video and captured traffic.

    Best Regards

    Lorenzo

  • Zyxel_Melen (Zyxel Employee)

    Hi @Fred_77,

    After checking, we noticed that you enabled 2FA authentication > VPN access, but the VPN user didn't enable 2FA. Therefore, the VPN user can't connect to the SSL VPN if you don't pass 2FA.

    [screenshot]

    After disabling 2FA authentication > VPN access, the VPN user can access now.

    [screenshot]

    Please feel free to let me know if you have further questions.

    Zyxel Melen


  • Fred_77 (Ally Member)

    Hi @Zyxel_Melen

    Thanks for the prompt reply; but...

    I'm pretty sure I never activated 2FA in my initial configuration, and I still have the same problem.

    I'm trying now from multiple devices and different source IPs (to be safe I downloaded the configuration file again).

    From the USG I see that the Zyxel staff is connected as admin in the console, but I don't see any active VPN sessions.

    Maybe I missed something?

    Best Regards

    Lorenzo

  • Zyxel_Melen (Zyxel Employee)

    Hi @Fred_77,

    We have disconnected the SSLVPN from our side, so you won't see the SSL VPN connection now.

    Please feel free to let me know if there is still an issue.

    Zyxel Melen


  • Fred_77 (Ally Member)

    Hi @Zyxel_Melen

    Something doesn't add up.

    This is what I see at this moment, Jul. 04 3.15PM:

    [screenshots]

    Why so many attempts from the Zyxel IP and no VPN connection?

    Other than that the problem persists.

    [screenshot]

    This is the log from Android.

    [screenshot]

    Regards

    Lorenzo