VPN SSL - Slow unstable connection

2

All Replies

  • Zywak
    Zywak Posts: 8  Freshman Member
    First Comment Friend Collector

    Hi, having the same issues... Using the latest version of SecurExtender 4.0.3


    SSL VPN setup with AD LDAP configured for authentication.. everything worked fine until u upgraded the router to version 4.33 and our SSL VPN has been unstable ever since..


    Slow connection, random disconnects, connected sessions won't last 10 minutes at times... Really frustrating..

    Both Mac and windows users impacted

    Thanks

    Richard

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,379  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @Zywak

    We have fixed SSL VPN issue in firmware. You can download USG40W firmware by this link:

    ftp://ftp.zyxel.com/USG40W/firmware/433AALB0ITS-WK19-r88384.zip

  • Zywak
    Zywak Posts: 8  Freshman Member
    First Comment Friend Collector

    Thanks, but I'm using zywall 310.. I have also applied the latest WK19 patch without resolving...


    Thanks,

    Richard

  • CHS
    CHS Posts: 181  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary

    Hi @Zywak

    Is any error log during SSL VPN disconnect?

    Can you share it?

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    edited July 2019

    Hi @Zywak

    Can you send me the SecuExtenderHelper.log via private message. The file is located at C:\.

  • Zywak
    Zywak Posts: 8  Freshman Member
    First Comment Friend Collector

    @Zyxel_Cooldia

    I just sent you my log file..

    Thanks,

    Richard

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @Zywak

    From the log we can see that the IP you get from the USG is 192.168.200.20, it is overlap with SSL VPN Network Extension Local IP 192.168.200.1. 

    It may have problem when SecuExtender add routing to windows routing table. Please change the SSL VPN to other subnet and try it again.

    p.s. Don’t overlap with other USG interface subnet.

     

    ~~~~ SecuExtenderHelper.log~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    [ 2019/05/15 14:48:59 ][SecuExtender Helper] Adding an IP/netmask ip = 192.168.200.20/255.255.255.255 to interface 21 using the Win32 IP Helper API, uNTEContext = 348694720, status = 0

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Martin_Kuchar
    Martin_Kuchar Posts: 38  Freshman Member
    First Comment Friend Collector Second Anniversary

    Same problem here for months. USG110, fw 4.33(AAPH.0), latest SecuExtender. No IP range overlaping. Problem: VPN connected, but internal routing lost after some time (from minutes after connection to hours) - no ping to internal ip, no RDP. Disconnect and reconnect with SecuExtender sometimes help, sometimes not. We have the same problem all the time, we own USG (13 months). Every time the same support reply - try the new firmware.. What to do? Anybody cares? Is anybody on Zyxel side able to solve this issue? If not, release the firmware as open source, we will solve it.

  • Zywak
    Zywak Posts: 8  Freshman Member
    First Comment Friend Collector

    @Zyxel_Cooldia

    You can rule that out... I change the VPN pool to 192.168.100.20 - 50 with network extension local IP stays at 192.168.200.1

    After just 10 mins, VPN disconnected... Retry connection again, it stays up for a minute and dropped...


    This is really frustrating..


    Log:


    ==============================

    [ 2019/07/02 10:12:18 ][SecuExtender Helper] Request(110): INITIAL 21 342141120 4294967295 353675456 370452672 0 0

    [ 2019/07/02 10:12:18 ][SecuExtender Helper] Get netsh path = C:\WINDOWS\system32\netsh.exe

    [ 2019/07/02 10:12:18 ][SecuExtender Helper] Get ipconfig path = C:\WINDOWS\system32\ipconfig.exe

    [ 2019/07/02 10:12:18 ][SecuExtender Helper] FlushIpNetTable on interface = 21, error code = 0

    [ 2019/07/02 10:12:18 ][SecuExtender Helper] Adding an IP/netmask ip = 192.168.100.20/255.255.255.255 to interface 21 using the Win32 IP Helper API, uNTEContext = 10110332, status = 5010

    [ 2019/07/02 10:12:18 ][SecuExtender Helper] Trying to flush previous address

    [ 2019/07/02 10:12:18 ][SecuExtender Helper] delete_temp_addresses context = 342141120

    [ 2019/07/02 10:12:18 ][SecuExtender Helper] delete_temp_addresses status = 0

    [ 2019/07/02 10:12:18 ][SecuExtender Helper] Adding an IP/netmask ip = 192.168.100.20/255.255.255.255 to interface 21 using the Win32 IP Helper API, uNTEContext = 342141120, status = 0

    [ 2019/07/02 10:12:18 ][SecuExtender Helper] WriteFile hPipe success agentState.aState = 2, agentState.aError = 0, dwWrite = 8

    [ 2019/07/02 10:12:18 ][SecuExtender Helper] Request(130): CREATE 3403446282/2857277247 21 342141120 4294967295 29927616 0 0

    [ 2019/07/02 10:12:18 ][SecuExtender Helper] ACTION_CREATE pNetCfg->myip = 3403446282, pNetCfg->gwip = 2857277247, pNetCfg->dwIfIndex = 21, pNetCfg->nodeip = 342141120, pNetCfg->localip = 29927616

    [ 2019/07/02 10:12:18 ][SecuExtender Helper] argc = 8

    [ 2019/07/02 10:12:18 ][SecuExtender Helper] areacounter = 1

    [ 2019/07/02 10:12:18 ][SecuExtender Helper] Remove prioritize routing

    [ 2019/07/02 10:12:18 ][SecuExtender Helper] Fail to prioritize route to 63.161.54.150, 255.255.255.255, error = 5010

    [ 2019/07/02 10:12:18 ][SecuExtender Helper] Fail to prioritize route to 63.161.54.150, 255.255.255.255, error = 160

    [ 2019/07/02 10:12:18 ][SecuExtender Helper] Success to change default route

    [ 2019/07/02 10:12:18 ][SecuExtender Helper] Failed to add route 0.0.0.0/0.0.0.0 (160) metric=50

    [ 2019/07/02 10:12:18 ][SecuExtender Helper] Succeed to add route 0.0.0.0/0.0.0.0 (0) metirc=500

    [ 2019/07/02 10:12:18 ][SecuExtender Helper] Succeed to add route 192.168.200.1/255.255.255.255 (0) metirc=500

    [ 2019/07/02 10:12:18 ][SecuExtender Helper] Get netsh path = C:\WINDOWS\system32\netsh.exe

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    edited July 2019

    Hi @Martin_Kuchar

    Sorry to hear that, Can you send me your configuration file via private message .

    Let me test it at my lab.

Security Highlight