SSLVPN Issue HA

Fred_77 · June 12

Hi all,

I am trying to setup a remote SSLVPN access with an OpenVPN client, but I always get a timeout error.

My scenario: 2 Flex 500H in HA mode. A simple IPsec IKE2 remote access (with a self-signed certificate) works as well.

Now I would setup a SSLVPN access. Related WAN-to-device security policy is correct. USG is running the latest firmware. Public IP is on the WAN interface.

From the logs i see incoming traffic fowarded correctly, but no other reports.

-FYI, nothing changes with standard port 10443-

Did the same test with ipsec/ssl zyxel client: connection provisioning seems ok

Same results: ipsec ike2 OK; SSL KO

No issue on other H-Series devices… but this is the first test in an HA scenario. (I don't want to beleave it depends on this).

Thanks in advance for any suggestion.

Lorenzo

Zyxel_Judy · June 16

Hi @Fred_77 ,

It seems the issue is not related to Device HA. We can confirm that the SSL VPN connection has been established with the OpenVPN Connect client on our end.

We recommend referring to this article to see how to configure SSL VPN connection with OpenVPN Connect client on the H firewall.

https://community.zyxel.com/en/discussion/20526/how-to-configure-ssl-vpn-connection-with-openvpn-connect-client

If the issue persists, please share your 500H's WAN access with us, and we'll check directly.

How to allow HTTPS Web GUI Access from WAN? (USG FLEX H) — Zyxel Community

Fred_77 · June 16

Hi @Zyxel_Judy

Thanks for the reply.

The issue does not seem to be related to the OpenVPN client configuration. The Zyxel client is also affected.

In PM info to web access…

Lorenzo

Fred_77 · June 18

…Update

Hi @Zyxel_Judy, applied FW WK23 as requested.

Nothing changes. Issue still present.

Regards

Lorenzo

Zyxel_Judy · June 20

Hi @Fred_77 ,

Root Cause Analysis
The primary issue occurs after the VPN client completes the TCP handshake. While the firewall sends PSH, ACK packets, the client fails to receive them.
We have sent the relevant packet captures via private message. The firewall's pcap shows TCP retransmissions, but the client never receives these packets.

Recommended Testing Approach
To determine whether this is a firewall or ISP-related issue, please conduct testing using the topology provided below.

Test Results and Next Steps

If VPN connection succeeds: The issue is ISP-related. Please contact your ISP to investigate network connectivity problems.
If VPN connection fails: The issue is firewall-related. Please provide TeamViewer or AnyDesk remote access so we can perform detailed troubleshooting.

Fred_77 · June 26

… Update 2… from bad to worse

Hi @Zyxel_Judy

i did the requested tests:

Scenario 1 as you advised

Scenario 2 laptop connected to ge3 (lan1)

In both cases the connection is costantly going up and down.

In PM video and captured traffic.

Best Regards

Lorenzo

Zyxel_Melen · July 2

Hi @Fred_77,

After checking, we noticed that you enable 2FA authentication > VPN access, but the VPN user didn't enable 2FA. Thereofre, the VPN user can't connect the SSL VPN if you don't pass 2FA.