1.37 uOS - Impossible to connect SSL VPN

GiuseppeR Posts: 644  Master Member
edited February 18 in USG FLEX H Series

Hello everyone,

I set up an SSL VPN via Nebula, and I see some issues. I'm using the standard port 10443.

-1- I went here:

immagine.png

By clicking the Download button I downloaded a zip file whose tgb file is NOT accepted by the SecuExtender app:

immagine.png

The error shown is this one:

immagine.png

So I had to download that zip file via the On-Premise interface:

immagine.png

The tgb file is accepted only from here, and I see my tunnel available:

immagine.png

-2- Then I checked if that port was open:

immagine.png

Anyway I see this error:

immagine.png

It seems that the gateway does not respond properly.

SSL VPN is also inside the Service Group rule Default_Allow_WAN_To_ZyWall:

immagine.png

So I cannot see why, with SSL VPN enabled and the port open, the gateway does not respond to open the VPN tunnel.

-3- When you use the panel to log in, it has an infinite spinning wheel:

immagine.png

And it does not give feedback regarding the 2FA access that the specific Nebula User is using.

All Replies

  • Zyxel_Tina
    Zyxel_Tina Posts: 642  Zyxel Employee

    Hi @GiuseppeR,

    To better assist you, could you please confirm if the issues you're experiencing are as follows?

    • The configuration downloaded from Nebula cannot be applied in the SecuExtender app.
    • The configuration downloaded from the local GUI can be applied successfully in SecuExtender, but the VPN connection still fails to establish.
      • Regarding this, is your FLEX 50H behind NAT, and is port 10443 allowed on the uplink gateway?
    • For the VPN failure screenshot in your post—does this mean the login credentials are correct but authentication fails, or is there another symptom? If possible, please record a short video of the process and send it via private message.

    Additionally, please enable Zyxel Support Access and provide your organization and site names.

    Zyxel Tina

  • GiuseppeR
    GiuseppeR Posts: 644  Master Member

    Hi @Zyxel_Tina

    Please refer to Case 260201058.

    Here are the answers:

    1. I confirm
    2. I confirm (uplink gateway has the Flex 50H in its DMZ, so nothing should interfere with the Zyxel FW)
    3. The login gets no response, not even "wrong password"
  • Alex_91
    Alex_91 Posts: 47  Freshman Member
    edited February 19

    I have a similar problem: with SSL VPN, for some domain users the connection is sometimes refused due to a non-existent user or wrong password (locally, obviously, the user on the server logs in).

    image.png
  • GiuseppeR
    GiuseppeR Posts: 644  Master Member

    Hi @Alex_91

    I have some H series in production.

    I see that you also had issues with local users… Are you using the latest 1.37 firmware? Which sort of hardware?

  • Alex_91
    Alex_91 Posts: 47  Freshman Member

    Hi @GiuseppeR

    100H. With local users, no problem; with domain users, some give that problem (authentication correct but not in allowed user list).