SSLVPN Issue HA






Hi all,
I am trying to set up remote SSLVPN access with an OpenVPN client, but I always get a timeout error.
My scenario: 2 Flex 500H in HA mode. A simple IPsec IKE2 remote access (with a self-signed certificate) works as well.
Now I would like to set up SSLVPN access. The related WAN-to-device security policy is correct. The USG is running the latest firmware. The public IP is on the WAN interface.
From the logs I see incoming traffic forwarded correctly, but no other reports.
-FYI, nothing changes with standard port 10443-
Did the same test with ipsec/ssl zyxel client: connection provisioning seems ok
Same results: ipsec ike2 OK; SSL KO
No issue on other H-Series devices… but this is the first test in an HA scenario. (I don't want to believe it depends on this).
Thanks in advance for any suggestion.
Lorenzo
All Replies
-
Hi @Fred_77 ,
It seems the issue is not related to Device HA. We can confirm that the SSL VPN connection has been established with the OpenVPN Connect client on our end.
We recommend referring to this article to see how to configure SSL VPN connection with OpenVPN Connect client on the H firewall.
If the issue persists, please share your 500H's WAN access with us, and we'll check directly.
How to allow HTTPS Web GUI Access from WAN? (USG FLEX H) — Zyxel Community
Zyxel_Judy
0 -
Hi @Zyxel_Judy
Thanks for the reply.
The issue does not seem to be related to the OpenVPN client configuration. The Zyxel client is also affected.
In PM info to web access…
Lorenzo
0 -
…Update
Hi @Zyxel_Judy, applied FW WK23 as requested.
Nothing changes. Issue still present.
Regards
Lorenzo
0 -
Hi @Fred_77 ,
Root Cause Analysis
The primary issue occurs after the VPN client completes the TCP handshake. While the firewall sends PSH, ACK packets, the client fails to receive them.
We have sent the relevant packet captures via private message. The firewall's pcap shows TCP retransmissions, but the client never receives these packets.
Recommended Testing Approach
To determine whether this is a firewall or ISP-related issue, please conduct testing using the topology provided below.
Test Results and Next Steps
- If VPN connection succeeds: The issue is ISP-related. Please contact your ISP to investigate network connectivity problems.
- If VPN connection fails: The issue is firewall-related. Please provide TeamViewer or AnyDesk remote access so we can perform detailed troubleshooting.
Zyxel_Judy
0 -
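The two-sided capture comparison described in the root cause analysis above, as an added example that is not part of the original thread or Zyxel's tooling: it reads `tcpdump -n -S` text output from the firewall and the client and reports server data segments that were retransmitted at the firewall and never appear on the client. The addresses, ports and capture lines are constructed, and it assumes no middlebox rewrites TCP sequence numbers.

```python
import re
from collections import Counter

# Parses `tcpdump -n -S` text lines (absolute sequence numbers) for TCP segments.
LINE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\], "
    r"seq (?P<seq>\d+)(?::\d+)?,.* length (?P<len>\d+)"
)

def data_segments(capture, server):
    """Count payload-carrying PSH segments sent by `server`, keyed by (seq, length).

    Keying on sequence number rather than address tolerates client-side NAT;
    it assumes no middlebox rewrites TCP sequence numbers.
    """
    seen = Counter()
    for line in capture.splitlines():
        m = LINE.search(line)
        if m and m["src"] == server and "P" in m["flags"] and int(m["len"]) > 0:
            seen[(int(m["seq"]), int(m["len"]))] += 1
    return seen

def compare(firewall_cap, client_cap, server):
    """Return ({segment: retransmit count at firewall}, [segments the client never saw])."""
    sent = data_segments(firewall_cap, server)
    received = data_segments(client_cap, server)
    retransmitted = {seg: n - 1 for seg, n in sent.items() if n > 1}
    lost = sorted(seg for seg in sent if seg not in received)
    return retransmitted, lost

SRV = "203.0.113.10.10443"   # constructed: firewall WAN address, SSL VPN port
CLI = "198.51.100.20.51000"  # constructed: VPN client address and source port

# Constructed handshake, identical in both captures.
HANDSHAKE = (
    f"10.000000 IP {CLI} > {SRV}: Flags [S], seq 1000, win 64240, length 0\n"
    f"10.020000 IP {SRV} > {CLI}: Flags [S.], seq 5000, ack 1001, win 65535, length 0\n"
    f"10.040000 IP {CLI} > {SRV}: Flags [.], ack 5001, win 502, length 0\n"
)
PUSH = f"IP {SRV} > {CLI}: Flags [P.], seq 5001:5101, ack 1001, win 502, length 100\n"
# Constructed firewall capture: the same PSH,ACK leaves three times (two retransmissions).
FIREWALL_CAP = HANDSHAKE + "10.060000 " + PUSH + "10.260000 " + PUSH + "10.660000 " + PUSH
# Constructed client capture: the handshake arrives, the data segment never does.
CLIENT_CAP = HANDSHAKE

if __name__ == "__main__":
    retransmitted, lost = compare(FIREWALL_CAP, CLIENT_CAP, SRV)
    print("retransmitted at firewall:", retransmitted)
    print("never seen by client:", lost)
```

A segment that shows up in both lists left the firewall repeatedly and was dropped somewhere on the path, which matches the symptom the captures in this thread showed.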
… Update 2… from bad to worse
Hi @Zyxel_Judy
I did the requested tests:
Scenario 1 as you advised
Scenario 2 laptop connected to ge3 (lan1)
In both cases the connection is constantly going up and down.
In PM video and captured traffic.
Best Regards
Lorenzo
0 -
Hi @Fred_77,
After checking, we noticed that you enabled 2FA authentication > VPN access, but the VPN user didn't enable 2FA. Therefore, the VPN user can't connect to the SSL VPN if you don't pass 2FA.
After disabling 2FA authentication > VPN access, the VPN user can access now.
Please feel free to let us know if you have further questions.
Zyxel Melen
0 -
Hi @Zyxel_Melen
Thanks for the prompt reply; but...
I'm pretty sure I never activated 2FA in my initial configuration and I still have the same problem.
I'm trying now from multiple devices and different source IPs (to be safe I downloaded the configuration file again).
From the USG I see that the Zyxel staff is connected as admin in the console but I don't see any active VPN sessions.
Maybe I missed something?
Best Regards
Lorenzo
0 -
Hi @Fred_77,
We have disconnected the SSLVPN from our side, so you won't see the SSL VPN connection now.
Please feel free to let me know if there is still an issue.
Zyxel Melen
0 -
Hi @Zyxel_Melen
Something doesn't add up.
This is what I see at this moment, Jul. 04 3.15PM
Why so many attempts from Zyxel IP and no VPN connection?
Other than that the problem persists.
This is the log from Android.
Regards
Lorenzo
0