New USG20W-VPN SSL VPN dropping sessions randomly and cannot determine reason?

Paluszak
Paluszak Posts: 8  Freshman Member
First Comment
edited April 2021 in Security

I have 5 accounts (of the 5 user limit established), of which only 2 or 3 really ever connect, and hardly ever more than 2 simultaneously (quite literally)? Can someone please shed some light on this? It is usually after about 5-10 minutes and the user(s) can typically reconnect right away without issue. I cannot find ANY time-outs or the like anywhere? What might I be missing?

All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,377  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @Paluszak

    It’s recommended to upgrade your firmware to the 4.33wk19 first.

    And you can go to Monitor > Log to check SSL VPN log during client establishing fail to get more information regarding to your symptom.

  • warwickt
    warwickt Posts: 111  Ally Member
    5 Answers First Comment Friend Collector Third Anniversary

    Hi @Paluszak

    The logs are very helpful.... just to add...

    L2TP clients disconnecting as well?.... I might add as well assuming the connection are L2TP VPN clients??.

    Try (and or these) in the L2TP VPN Gateway for the (Phase 1 Settings) through CLI or WEB UI

    • disabling DPD (Dead Peer Connection) and or
    no dpd
    • changing the DPD period.
    dpd-interval nn seconds

    In this actual example, the L2TP VPN Gateway at has its DPD disabled.

    Router> show isakmp policy yeun_long_site3_L2TP_gateway
ISAKMP policy: yeun_long_site3_L2TP_gateway
  IKD_ID: 5
  negotiation mode: main
  proposal: 1
  encryption: 3des
  authentication: sha
  SA lifetime: 3600
  key group: group2
  NAT traversal: yes
  dead peer detection: no
................
..... snip
..... snip
................
 
  allowed auth method: mschapv2
  username:
  auth method: mschapv2
  password:
  VPN connection:yeun_long_site3_L2TP_connection
  vcp reference count: 0
  IKE_version: IKEv1
  active: yes
Router>

    Worth a look,

    HTH

    Warwickt

    Hong Kong

  • Paluszak
    Paluszak Posts: 8  Freshman Member
    First Comment

    Thank you so much. I have looked at the logs but I cannot trace it back to anything definite, plus they are are difficult to understand frankly.

    I currently have them setup using ONLY the SSL VPN.

    I will review your suggestions and thank you kindly again!

    Jason

  • Paluszak
    Paluszak Posts: 8  Freshman Member
    First Comment

    ZyXel_Stanley

    I assume that Release V4.33wk19 is newer than V4.33(ABAR.0)C0. I currently have release V4.33wk19.

    Still working on reviewing logs with customer. Has been hard to coordinate but I will be doing soon!

    Thank you!

    Jason

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,377  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @Paluszak

    Yes, 4.33WK19 is newer than 4.33C0 firmware.

  • Paluszak
    Paluszak Posts: 8  Freshman Member
    First Comment

    This is the ONLY log entries that are shown when someone gets disco'd...


    40

    2019-06-25 08:25:10

    info

    SSL VPN

    Account: Darcy

    network extention has been accessed. sent=256659 rcvd=205365


    41

    2019-06-25 08:25:10

    info

    SSL VPN

    64.53.192.11

    192.168.200.100

    Account: Darcy

    SSL tunnel has been disconnected

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,377  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @Paluszak

    Can you take screenshot in Monitor > Log during SSL VPN client connecting fail?(do not filter category)

    Maybe it will have disconnect reason.

Categories

Security Highlight


Read more

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)