1/147

www.zyxel.com

ZyWALL/USG Series

ZyWALL 110 / 310 / 1100

USG40 / USG40W / USG60 / USG60W / USG110 / USG210 / USG310 / USG1100 / USG1900

Security Firewalls

Firmware Version 4.13 ~ 4.15 Edition 1, 8/2016

Troubleshooting Guide

Copyright © 2016 ZyXEL Communications Corporation

Default Login Details

LAN Port IP Address https://192.168.1.1

User Name admin

Password 1234


Table of Content

1. HOW TO ACCESS TO THE ZYWALL/USG ........................................................... 8

1.1. ACCESS THE ZYWALL/USG BY HTTPS ................................................................ 8

1.2. ACCESS THE ZYWALL/USG BY SSH ................................................................... 8

1.3. ACCESS THE ZYWALL/USG BY TELNET ............................................................ 10

1.4. ACCESS THE ZYWALL/USG BY CONSOLE......................................................... 11

2. BASIC INFORMATION COLLECTION .............................................................. 12

2.1. COLLECT DIAGNOSTIC INFORMATION FILE ........................................................ 12

2.1.1. By GUI ...................................................................................................... 12

2.1.2. By CLI ....................................................................................................... 13

2.1.3. Packet Capture ..................................................................................... 13

2.1.4. USB storage ............................................................................................. 14

3. HARDWARE TROUBLESHOOTING ................................................................... 17

3.1 TOOLS AND SYSTEMS NEEDED .............................................................................. 17

3.2. PREPARE DEVICE FOR INITIAL TEST ..................................................................... 18

3.3. FIRMWARE RECOVERY ..................................................................................... 22

4. DEVICE REBOOT RANDOMLY ......................................................................... 28

4.1. COLLECTING MORE DEBUG MESSAGE ............................................................... 28

4.1.1. Collecting console log .......................................................................... 28

4.1.2. Collecting diag-info .............................................................................. 29

5 CANNOT ACCESS TO THE DEVICE ................................................................. 31

5.1. FIREWALL RULE ................................................................................................ 31

5.1.1. If you are not able to access the ZyWALL/USG by HTTPS ................ 31

5.1.2. If you are not able to access the ZyWALL/USG by SSH .................... 33

5.1.3. If you are not able to access the ZyWALL/USG by TELNET ............... 35

5.2. DHCP (IP/MAC BINDING) ............................................................................ 37


5.2.1. Check DHCP Setting ............................................................................. 38

6. CANNOT ACCESS TO THE DEVICE WWW ...................................................... 40

6.1. PORT ISSUE ..................................................................................................... 40

6.1.1. Issue description ..................................................................................... 40

6.1.2. Solution .................................................................................................... 41

6.2. ADMIN SERVICE CONTROL ISSUE ...................................................................... 43

6.2.1. Issue description ..................................................................................... 43

6.2.2. Solution .................................................................................................... 44

6.3. OSPF ROUTING ISSUE ...................................................................................... 46

6.3.1. Unable to distribute routes to the connected device ..................... 46

6.3.2. Unable to get routes from the connected device ........................... 47

6.4. CANNOT ACCESS INTERNET (SESSION FULL/FIREWALL BLOCK) .............................. 49

6.4.1. Session full ............................................................................................... 49

6.4.2. Firewall block .......................................................................................... 52

6.5. CANNOT ACCESS INTERNET (ANTI-SPAM) ........................................................... 54

6.5.1. If you are not able to receive/send emails via ZyWALL/USG .......... 54

6.5.2. Must be collected information ............................................................ 55

7. CANNOT SET UP THE IPSEC VPN FUNCTION SUCCESSFULLY ......................... 56

7.1. VPN CONNECTION CANNOT BE ESTABLISHED .................................................... 56

7.1.1. If facing the VPN connection problem, here are the possible root cause: .......... 56

7.1.2. Once the VPN tunnel cannot established then: ............................... 56

7.1.3. Once have the connection problem please just check the log “IKE” category for more information. .......... 57

7.2. CANNOT ESTABLISH VPN TUNNEL VIA 3GLTE INTERFACE .................................... 60

7.2.1. Is the Dongle Included in ZyWALL/USG Support List? ....................... 60

7.2.2. Change to Supported Dongle ............................................................ 61

7.2.3. Is the Cellular Status Ready? ................................................................ 61

7.2.4. Activate Cellular Status and Check ISP Account Settings .............. 61


7.2.5. Is the Connectivity Set to Nailed-Up? ................................................. 62

7.2.6. Modify Connectivity Setting ................................................................. 62

7.2.7. Is the Cellular Interface Included in the WAN Trunk? ....................... 63

7.2.8. Modify Trunk ........................................................................................... 63

7.2.9. Is there Any Routing Policy Related to WAN Interface? .................. 64

7.2.10. Check Routing Policy ........................................................................ 65

7.2.11. Collect Information to CSO Support ............................................... 65

7.3. VPN FALLBACK IS NOT WORKING ..................................................................... 67

7.3.1. The VPN tunnel has establish VPN tunnel successfully, but tunnel can’t fallback to primary peer gateway .......... 67

7.3.2. Verify configuration ............................................................................... 67

7.4. CANNOT SET UP THE IPSEC VPN FUNCTION BY VPN PROVISION SUCCESSFULLY .... 70

7.4.1. Configuration is successful but the field “Remote Gateway Address” is empty .......... 70

7.4.2. Authentication Failed ........................................................................... 71

7.4.3. Server Not Found ................................................................................... 73

7.5. IPSEC VPN CLIENT ON WIN10 OPERATION SYSTEM ........................................... 74

7.5.1. Can’t use IPSec VPN client on win10 system ..................................... 74

7.5.2. The vital of configuration of IPSec Client on Win10 .......................... 74

7.5.3. Wireless possible issue symptoms ......................................................... 74

7.6. CANNOT SET UP THE IKEV2 VPN TUNNEL SUCCESSFULLY ..................................... 80

7.6.1. If IKEv2 traffic does not work completely from your PC ................... 80

7.6.2. If IKEv2 tunnel is not up .......................................................................... 81

7.6.3. VPN tunnel is up, but there is no traffic pass through USG to internet .......... 84

7.6.4. Must be collected information ............................................................ 85

7.7. VPN CONCENTRATOR WITH THE PROBLEM ......................................................... 86

7.7.1. Site-to Site VPN tunnel is up: ................................................................. 87

7.7.2. VPN Concentrator on Central side ..................................................... 91

7.7.3. Policy route on both branch sides ...................................................... 92


7.7.4. Must be collected information ............................................................ 92

7.8. IPSEC VPN TUNNEL WAS ESTABLISHED SUCCESSFULLY, BUT THE TRAFFIC CAN'T PASS THROUGH THE TUNNEL .......... 93

7.8.1 Is the PC Firewall Disabled? .................................................................... 93

7.8.2 Is the PC Firewall Allowed VPN/ICMP Traffic? ...................................... 94

7.8.3 Modify PC Firewall Setting ....................................................................... 94

7.8.4 Is the USG NetBIOS Enabled?................................................................ 104

7.8.5 Modify NetBIOS Setting ......................................................................... 104

7.8.6 Perform Ping Check Command from PC ........................................... 105

7.8.7 Is there Any Response from the Remote Site? ................................... 105

7.8.8 Perform Ping Check from PC to Local/Remote Gateway ............... 106

7.8.9 Is there Any Response from the Local /Remote Gateway? ............ 106

7.8.10 Modify Local/Remote Gateway Setting ........................................... 107

7.8.11 Disable Security Policy on Device ...................................................... 108

7.8.12 Is there Any Response from the Remote Site? ................................. 108

7.8.13 Modify Security Policy Setting ............................................................. 109

7.8.14 Perform Ping Check Command from Router ................................... 111

7.8.15 Is there Any Response from the Remote Subnet? ........................... 111

7.8.16 Modify Routing ...................................................................................... 113

7.8.17 Does the VPN Routing Priority Higher than 1:1 NAT or Other Routing? .......... 113

7.8.18 Modify Packet Flow Priority ................................................................. 114

7.8.19 Collect Information to CSO Support .................................................. 115

8. CANNOT SET UP THE L2TP VPN FUNCTION SUCCESSFULLY ......................... 118

8.1. CANNOT CONNECT TO THE ZYWALL VIA L2TP CLIENT ..................................... 118

8.1.1. Incorrect L2TP Address Pool ............................................................... 118

8.1.2. Incorrect Local Policy ......................................................................... 118

8.1.3. Incorrect Phase 1 or Phase 2 Settings ............................................... 119

8.2. USER CANNOT BE AUTHENTICATED .................................................................. 121

8.2.1. Authentication Method ...................................................................... 121


8.2.2. Allowed user ......................................................................................... 122

8.3. WINDOWS SERVICE NOT ACTIVATED (IKE SERVICE) .......................................... 123

8.3.1. If you are not enabled modules you will saw: ................................. 123

8.3.2. How to enable IKE and AuthIP IPSec Keying Modules ................... 124

8.4. AFTER L2TP VPN TUNNEL IS ESTABLISHED, THE CLIENT CAN’T ACCESS TO THE INTERNET .......... 125

8.4.1. After establish L2TP VPN tunnel all of Internet traffic can’t pass at all .......... 125

8.4.2. After you established L2TP VPN tunnel you will saw: .................... 125

8.4.3. How to add additional routing rule for L2TP clients to access internet? .......... 126

9. IF YOU’RE NOT BE ABLE TO CONFIGURE UTM POLICIES OR IT’S NOT WORKING .......... 127

9.1. CHECK SERVICE EXPIRATION ........................................................................... 127

9.1.1 Have you subscribed for the UTM service? ......................................... 127

9.1.2 Registration on myZyXEL.com 2.0 ......................................................... 127

9.1.3 Have your UTM service expired? .......................................................... 132

9.1.4 Extend UTM license ................................................................................. 133

9.2. SIGNATURE UPDATE ....................................................................................... 134

9.2.1 Have your UTM service updated? ....................................................... 135

9.2.2 Update UTM service ............................................................................... 135

9.3. SECURITY POLICY DIRECTION ......................................................................... 136

9.3.1 Is your UTM policy applied to correct direction? ............................... 136

9.3.2 Modify Security Policy direction ........................................................... 136

10. DEVICE-HA DOESN'T WORK ........................................................................... 137

10.1. AFTER FAIL-OVER, SWITCH ARP LEARNING MODE .......................................... 138

10.1.1 Have you configured the same Cluster ID for the different Device HA groups? .......... 138

10.1.2 Cluster ID ................................................................................................ 138


10.2. SYNCHRONIZE ISSUE ....................................................................................... 139

10.2.1 Have you configured the same FTP port for both master and backup devices? .......... 139

10.2.2 Have you enabled FTP service? ......................................................... 141

10.2.3 Does Security Policy block FTP/VRRP services? ................................ 141

10.2.4 Does Security Policy block other port when synchronize? ............. 143

10.2.5 Have you configured the same synchronization password for both master and backup devices? .......... 144

10.2.6 Have you experienced synchronization hang issue? ..................... 144

10.2.7 Subnet conflict ...................................................................................... 146

10.3. COLLECT INFORMATION TO CSO SUPPORT ..................................................... 147


1. How to Access to the ZyWALL/USG

1.1. Access the ZyWALL/USG by HTTPS

1. Connect a PC to lan1 and open a web browser. Type https://192.168.1.1 and the login screen appears. Type the user name (default: admin) and password (default: 1234).

1.2. Access the ZyWALL/USG by SSH

1. Connect a PC to lan1 and open PuTTY Configuration. Type 192.168.1.1 into the Host Name field and change the Port number to match your ZyWALL/USG setting (go to CONFIGURATION > System > SSH). Select SSH as the connection type and click Open.


2. The SSH session page appears:


1.3. Access the ZyWALL/USG by TELNET

1. Connect a PC to lan1 and open PuTTY Configuration. Type 192.168.1.1 into the Host Name field and change the Port number to match your ZyWALL/USG setting (go to CONFIGURATION > System > Telnet). Select Telnet as the connection type and click Open.

2. The Telnet session page appears:


1.4. Access the ZyWALL/USG by Console

1. Connect your PC to the console port using a console cable. Open PuTTY Configuration. Type the Serial line number (on a Windows PC you can find it in Device Manager > Ports) and change the Speed to match your ZyWALL/USG setting (go to CONFIGURATION > System > Console Speed; the default speed is 115200). Select Serial as the connection type and click Open.


2. The Console session page appears:

2. Basic Information Collection

2.1. Collect Diagnostic Information File

2.1.1. By GUI

1. Go to MAINTENANCE > Diagnostics > Diagnostics and click Collect Now.

2. After the collection finishes, click Download.


2.1.2. By CLI

1. Log in to the console as admin and enter the CLI command below (use TeraTerm or PuTTY).

Router> diag-info collect

2. After the collection finishes, use the CLI to show the diag-info file name, then go to the GUI to download the file.

Router> show diag-info

2.1.3. Packet Capture

1. Go to MAINTENANCE > Diagnostics > Packet Capture > Capture. Select the interface and click Capture. (A filter condition can be applied if needed.)


2. Go to MAINTENANCE > Diagnostics > Packet Capture > Files and download the packets.

2.1.4. USB storage

1. Ensure the file system format of the USB drive is FAT32.

2. Go to CONFIGURATION > System > USB Storage. Select Activate USB Storage service, then click Apply.


3. Go to MONITOR > System Status > USB Storage > Storage Information and check the USB status.

4. What kind of information can be saved on USB storage?

Diagnostic info


Packet capture

System log


3. Hardware Troubleshooting

3.1 Tools and Systems Needed

1. Laptop x 2: one connects via console and Ethernet cable for device management, one connects via Ethernet cable for basic traffic testing.

2. Console setting:

Baud rate: 115200

Data: 8 bit

Parity: none

Stop: 1bit

Flow control: none

3. Windows 7 Operating System (firewall turned off)

4. USB to RS232 console cable

5. Power cord

6. RJ-45 Ethernet cable


3.2. Prepare Device for Initial Test

1. Prerequisite: reset the device by holding the RESET button for 5 seconds while the device is powered on. RESET button location:

USG40:

USG40W:

USG60:

USG60W:


ZyWALL110/USG110/USG210

ZyWALL310/ZyWALL1100/USG310/USG1100/USG1900

Test 1: Power on the DEVICE and check the PWR LED status.

a. PWR LED stays green: Normal

b. PWR LED does not turn on: PWR001 – No Power

Test 2: Check the SYS LED status.

a. Wait until the SYS LED turns steady on; the SYS LED keeps blinking for less than 4 minutes.

b. If the SYS LED keeps blinking for more than 5 minutes: SYS006 – Boot failure

c. Recovery: check Appendix 1.

d. If the device cannot be recovered by the procedure: SYS006 – Boot failure

e. SYS LED stays green: Normal

Test 3: Check the Port LED status.

a. Laptop1 connects to the DEVICE ports with an Ethernet cable

b. Port upper-right LED is steady on (amber): Normal

c. Port LED cannot turn on: ETH001 – Ethernet port dead

d. Port upper-left LED blinks aperiodically (green): Normal

Test 4: Check the packet forwarding

USG40/40W, USG60/60W

a. Laptop1 connects to a LAN port with an Ethernet cable

b. Change the laptop IP address to 192.168.1.10, mask 255.255.255.0

c. Laptop2 connects to another LAN port with an Ethernet cable


d. Change the laptop IP address to 192.168.1.20, mask 255.255.255.0

e. Laptop1 pings Laptop2 for 30 seconds.

f. If there is no packet loss: Normal

g. If there is ping loss: ETH004 – Ethernet port ping packet loss

ZyWALL110/USG110/USG210

a. Laptop1 connects to a LAN port (P4) with an Ethernet cable

b. Change the laptop IP address to 192.168.1.10, mask 255.255.255.0

c. Laptop2 connects to another LAN port (P5) with an Ethernet cable

d. Change the laptop IP address to 192.168.1.20, mask 255.255.255.0

e. Laptop1 pings Laptop2 for 30 seconds.

f. If there is no packet loss: Normal

g. If there is ping loss: ETH004 – Ethernet port ping packet loss

Test 5: Check WiFi

Model: USG40W/USG60W

a. Laptop1 and Laptop2 try to connect to the SSID “ZyXEL” via WiFi; the laptop WiFi interface settings should be as below:


b. If WiFi connects successfully: Normal

c. If WiFi can’t scan or connect to the “ZyXEL” SSID: WLN004 – WLAN Connect failed

d. Laptop1 pings the Laptop2 IP address

e. Ping succeeds: Normal

f. Ping fails: WLN005 – WLAN Ping error (Ping loss)

Test 6: Check the USB port

USG40/40W

a. Connect the flash drive to the USB port. Check the USB LED

b. Steady on green: Normal

c. LED does not turn on: USB001 – USB port dead

USG60/60W/110/210/310/1100/1900 ZyWALL110/310/1100

a. Connect the flash drive to the USB port. Log in to the device GUI, check the device virtual diagram and see whether the flash drive is detected

b. USB drive is detected: Normal

c. USB drive can’t be detected: USB001 – USB port dead
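Tests 4 and 5 above end with a verdict that depends on the ping result: any loss on the Ethernet test maps to ETH004, a failed ping on the WiFi test maps to WLN005. The following Python script is an added example (not part of the ZyXEL guide) that parses the summary line printed by Windows ping ("Packets: Sent = ..., Received = ..., Lost = ...") and by Linux/macOS ping ("N packets transmitted, M received") and returns the loss percentage together with the code the procedure assigns. The sample transcripts are constructed, not captured from a device; the code strings are taken from the tests above.

```python
import re

# Diagnostic codes used by the hardware test procedure above.
NORMAL = "Normal"
ETH004 = "ETH004 - Ethernet port ping packet loss"
WLN005 = "WLN005 - WLAN Ping error (Ping loss)"

# Summary line formats: Windows ping prints
#   "Packets: Sent = 30, Received = 28, Lost = 2 (6% loss),"
# while Linux/macOS ping prints
#   "30 packets transmitted, 28 received, 6% packet loss, time 29041ms"
WINDOWS_SUMMARY = re.compile(r"Sent = (\d+), Received = (\d+), Lost = (\d+)")
UNIX_SUMMARY = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")


def parse_ping_summary(output):
    """Return (sent, received) from a ping transcript, or None if no summary line is present."""
    m = WINDOWS_SUMMARY.search(output)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = UNIX_SUMMARY.search(output)
    if m:
        return int(m.group(1)), int(m.group(2))
    return None


def loss_percent(sent, received):
    """Packet loss in percent; an empty run counts as total loss."""
    if sent <= 0:
        return 100.0
    return 100.0 * (sent - received) / sent


def classify_ping(output, medium="ethernet"):
    """Map a ping transcript to the test verdict.

    medium="ethernet" follows Test 4 (any loss -> ETH004);
    medium="wifi" follows Test 5 step f (ping failed -> WLN005).
    Returns (loss_percent, verdict).
    """
    parsed = parse_ping_summary(output)
    if parsed is None:
        raise ValueError("no ping summary line found; run ping to completion first")
    sent, received = parsed
    loss = loss_percent(sent, received)
    failure_code = ETH004 if medium == "ethernet" else WLN005
    return loss, (NORMAL if loss == 0 else failure_code)


# Constructed sample transcripts (not captured from a real device).
SAMPLE_WINDOWS_CLEAN = """
Ping statistics for 192.168.1.20:
    Packets: Sent = 30, Received = 30, Lost = 0 (0% loss),
"""
SAMPLE_WINDOWS_LOSS = """
Ping statistics for 192.168.1.20:
    Packets: Sent = 30, Received = 27, Lost = 3 (10% loss),
"""
SAMPLE_LINUX_LOSS = """
--- 192.168.1.20 ping statistics ---
30 packets transmitted, 24 received, 20% packet loss, time 29045ms
"""

if __name__ == "__main__":
    for name, text in [("windows clean", SAMPLE_WINDOWS_CLEAN),
                       ("windows loss", SAMPLE_WINDOWS_LOSS),
                       ("linux loss", SAMPLE_LINUX_LOSS)]:
        loss, verdict = classify_ping(text)
        print(f"{name}: {loss:.1f}% loss -> {verdict}")
```

Run a 30-second ping from Laptop1 as the procedure says, paste the complete output into `classify_ping`, and pass `medium="wifi"` for Test 5 so the WLAN code is reported instead of the Ethernet one.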


3.3. Firmware Recovery

In some rare situations (symptoms as follows), the ZyWALL/USG might not boot up successfully after a firmware upgrade. The following procedure recovers the firmware to a normal condition. Connect a console cable to the ZyWALL/USG first.

1. Symptoms:

The boot starts but the device shows the error message “can’t get kernel image” while booting.

The device reboots infinitely.


Nothing is displayed after “Press any key to enter debug mode within 3 seconds.” for more than 1 minute.

The startup message displays “Invalid Recovery Image”.


The message here could also be “Invalid Firmware”; it is equivalent to “Invalid Recovery Image”.

2. Recovery steps

Press any key to enter debug mode.

Enter atkz -f -l 192.168.1.1 to configure the FTP server IP address.

Enter atgof to bring up the FTP server on port 1.

The following information shows that the FTP service is up and ready to receive the firmware:


You will use FTP to upload the firmware package. Keep the console session open in

order to see when the firmware update finishes.

Set your computer to use a static IP address from 192.168.1.2 ~ 192.168.1.254. No

matter how you have configured the ZyWALL/USG’s IP addresses, your computer must

use a static IP address in this range to recover the firmware.

Connect your computer to the ZyWALL/USG’s port 1 (the only port that you can

use for recovering the firmware).

Use an FTP client on your computer to connect to the ZyWALL/USG. This example

uses the ftp command in the Windows command prompt. The ZyWALL/USG’s FTP

server IP address for firmware recovery is 192.168.1.1

Log in without user name (just press enter).

Set the transfer mode to binary. Use “bin” (or just “bi” in the Windows command

prompt).

Transfer the firmware file from your computer to the ZyWALL/USG (the command is

“put <firmware filename>” in the Windows command prompt).

Wait for the file transfer to complete.


The console session displays “Firmware received” after the FTP file transfer is

complete. Then you need to wait while the ZyWALL/USG recovers the firmware (this

may take up to 4 minutes).

The message here might be “ZLD-current received”. Actually, it is equivalent to

“Firmware received”.

The console session displays “done” when the firmware recovery is complete. Then

the ZyWALL/USG automatically restarts.

The username prompt displays after the ZyWALL/USG starts up successfully. The

firmware recovery process is now complete and the ZyWALL/USG is ready to use.


If one of the following cases occurs, you need to perform the firmware recovery process again. Note that if the process has been done several times but the problem remains, please collect all the console logs and send them to ZyXEL for further analysis.

If one of the following messages appears on the console, the process must be performed again:

/bin/sh: /etc/zyxel/conf/ZLDconfig: No such file

Error: no system default configuration file, system configuration stop!!
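The recovery procedure above is driven entirely by what the console prints: the symptom strings that call for recovery, “Firmware received” (or its equivalent “ZLD-current received”), “done”, the username prompt, and the two messages that mean the whole process must be repeated. The Python below is an added example (not ZyXEL's code) that checks the PC is inside the 192.168.1.2 ~ 192.168.1.254 range the procedure requires and walks a saved console log to decide what the next step is. The console transcripts are constructed; the exact text of the username prompt is not given by the guide, so matching "Username:" is an assumption.

```python
import ipaddress

# Static address range a recovery PC must use, from the procedure above.
RECOVERY_RANGE = (ipaddress.ip_address("192.168.1.2"),
                  ipaddress.ip_address("192.168.1.254"))
DEVICE_FTP_IP = "192.168.1.1"   # FTP server address configured with atkz -f -l


def is_valid_recovery_host_ip(ip):
    """True if the PC address lies inside 192.168.1.2 ~ 192.168.1.254."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if addr.version != 4:
        return False
    return RECOVERY_RANGE[0] <= addr <= RECOVERY_RANGE[1]


# Console strings quoted from the symptom list and the recovery walkthrough above.
SYMPTOM_MARKERS = {
    "can't get kernel image": "kernel image not found",
    "Invalid Recovery Image": "recovery image invalid",
    "Invalid Firmware": "recovery image invalid",      # equivalent per the guide
}
RECEIVED_MARKERS = ("Firmware received", "ZLD-current received")   # equivalent per the guide
RETRY_MARKERS = (
    "/bin/sh: /etc/zyxel/conf/ZLDconfig: No such file",
    "Error: no system default configuration file",
)
# Assumption: the guide only says "the username prompt displays".
LOGIN_PROMPT = "username:"


def assess_console(lines):
    """Walk console output in order and summarise where the recovery stands."""
    state = {"symptoms": [], "received": False, "done": False,
             "retry_needed": False, "booted": False}
    for raw in lines:
        line = raw.strip()
        for marker, description in SYMPTOM_MARKERS.items():
            if marker in line and description not in state["symptoms"]:
                state["symptoms"].append(description)
        if any(m in line for m in RECEIVED_MARKERS):
            state["received"] = True
        # "done" only means recovery finished once the firmware was received.
        if state["received"] and line == "done":
            state["done"] = True
        if any(m in line for m in RETRY_MARKERS):
            state["retry_needed"] = True
        if line.lower().startswith(LOGIN_PROMPT):
            state["booted"] = True
    return state


def next_action(state):
    """Next step for the operator; the priorities follow the guide's ordering."""
    if state["retry_needed"]:
        return "REPEAT_RECOVERY"   # still failing after several runs: send console logs to ZyXEL
    if state["booted"]:
        return "COMPLETE"
    if state["done"]:
        return "WAIT_RESTART"      # device restarts automatically
    if state["received"]:
        return "WAIT_WRITE"        # may take up to 4 minutes
    if state["symptoms"]:
        return "START_RECOVERY"    # debug mode, atkz -f -l 192.168.1.1, atgof, binary FTP put
    return "NO_SYMPTOM"


# Constructed console transcripts (not captured from a real device).
FAILED_BOOT = [
    "Press any key to enter debug mode within 3 seconds.",
    "can't get kernel image",
    "Rebooting...",
]
SUCCESSFUL_RECOVERY = [
    "Invalid Recovery Image",
    "Firmware received",
    "done",
    "Username:",
]
RECOVERY_TO_REPEAT = [
    "ZLD-current received",
    "done",
    "/bin/sh: /etc/zyxel/conf/ZLDconfig: No such file",
]

if __name__ == "__main__":
    print("PC at 192.168.1.10 usable:", is_valid_recovery_host_ip("192.168.1.10"))
    for name, log in [("failed boot", FAILED_BOOT),
                      ("successful recovery", SUCCESSFUL_RECOVERY),
                      ("recovery to repeat", RECOVERY_TO_REPEAT)]:
        print(f"{name}: {next_action(assess_console(log))}")
```

Feed it the TeraTerm or PuTTY log file line by line; because the two failure messages take priority over everything else, a log that reaches “done” and then shows the ZLDconfig error still yields REPEAT_RECOVERY, which is what the guide requires.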


4. Device Reboot Randomly

4.1. Collecting more debug message

If your device reboots randomly and upgrading to the latest firmware does not help, you can follow this document to collect more debug information, then provide it to the ZyXEL support team.

4.1.1. Collecting console log

1. Connect the serial cable between your PC and the device serial port.

2. Install TeraTerm on your PC.

(https://en.osdn.jp/projects/ttssh2/downloads/64798/teraterm-4.90.exe/)

3. Run TeraTerm, select the correct port and baud rate, and click OK to start the session. (The USG default baud rate is 115200.)

4. Click File > Log... to save all of the output displayed in the window.

5. Enter the debug kernel console-level 8 command to collect more debug messages.


6. Enter the show app-watch-dog monitor-list command to show which daemons are monitored.

7. After these steps the device prints almost all debug logs to your PC, and TeraTerm saves this information directly. Please do not close the session until the device reboots itself again.

4.1.2. Collecting diag-info

1. After the device has rebooted itself again, log in to the device Web GUI and go to MAINTENANCE > Diagnostics > Diagnostics tab > Collect. Click the Collect Now button to collect the diag-info. (It will take around 3~5 minutes.)


2. After the process is done, the file name (including the collection time) is shown on the GUI. Then click the Download button to download it.


3. Provide the console logs and diag-info files to ZyXEL support.

5 Cannot Access to the Device

5.1. Firewall Rule

Security Policies are grouped based on the direction of travel of the packets to which they apply. Below is the ZyWALL/USG's default Security Policy behavior for traffic going through the ZyWALL/USG in various directions.

Policies with Device as the To Zone apply to traffic going to the ZyWALL/USG itself. By default:

The Security Policy allows only LAN or WAN computers to access or manage the ZyWALL/USG.

The ZyWALL/USG allows DHCP traffic from any interface to the ZyWALL/USG.

The ZyWALL/USG drops most packets from the WAN zone to the ZyWALL/USG itself and generates a log, except for Default_Allow_WAN_To_ZyWALL (AH, ESP, GRE, HTTPS, IKE, NATT).

5.1.1. If you are not able to access the ZyWALL/USG by HTTPS

1. Connect a console cable to the ZyWALL/USG. Type the following command to disable the firewall rule in order to log in to the device via HTTPS and check what can go wrong in the configuration:

2. If you were not able to access the ZyWALL/USG via its public IP:

You can check whether the policy allows WAN access to the ZyWALL/USG. Please also make sure the Service allows HTTPS: move the mouse pointer over the service object and check whether HTTPS is included in the service group.


CONFIGURATION > Security Policy > Policy Control

3. If you want to add a new service object to the Service Group, go to CONFIGURATION > Object > Service > Service Group and double-click the group you want to edit. Move the services you want to make available to the ZyWALL/USG to Member. Click OK.

CONFIGURATION > Object > Service > Service Group


4. If you are not able to access the ZyWALL/USG via its LAN IP:

Check whether the policy allows LAN access to the ZyWALL/USG.

CONFIGURATION > Security Policy > Policy Control

5.1.2. If you are not able to access the ZyWALL/USG by SSH

1. Go to CONFIGURATION > Security Policy > Policy Control and check whether you have added a To ZyWALL rule that allows the SSH service.

CONFIGURATION > Security Policy > Policy Control

2. If it has not been created yet, click Add and create a To ZyWALL rule that allows the SSH service:


CONFIGURATION > Security Policy > Policy Control > Add corresponding

3. If the Security Policy is created but you still cannot access the ZyWALL, go to CONFIGURATION > System > SSH and check that General Settings is enabled; make sure the Service Port is correct and matches the port in your terminal program. Then check that the Service Control Action is Accept.

CONFIGURATION > System > SSH


5.1.3. If you are not able to access the ZyWALL/USG by TELNET

Telnet carries the login credentials in cleartext. Enable it only when it is really needed, restrict it to the management zone, and prefer SSH or the console where possible.

1. Go to CONFIGURATION > Security Policy > Policy Control and check whether you have added a To ZyWALL rule that allows the TELNET service.

CONFIGURATION > Security Policy > Policy Control

2. If it has not been created yet, click Add and create a To ZyWALL rule that allows the TELNET service:

CONFIGURATION > Security Policy > Policy Control > Add corresponding


3. If the Security Policy is created but you still cannot access the ZyWALL, go to CONFIGURATION > System > TELNET and check that General Settings is enabled; make sure the Service Port is correct and matches the port in your terminal program. Then check that the Service Control > Action is Accept.

CONFIGURATION > System > TELNET


5.2. DHCP (IP/MAC Binding)

Administrators use IP/MAC binding for LAN users because it makes the users easier to manage. However, if a client cannot reach the device using its static IP and the log shows the error “Drop packet lan1-10.10.1.201-00:1E:33:29:BB:FC”, there may be an issue in the DHCP setting.


5.2.1. Check DHCP Setting

1. Go to CONFIGURATION > Interface > Ethernet > Lan1 > IP/MAC Binding. Look at the Static DHCP Table and ensure the computer’s IP and MAC address are in the list.

2. If this IP/MAC pair is not in the IP/MAC Binding list, DHCP (IP/MAC Binding) rejects the traffic from 10.10.1.201. The same drop occurs when the IP is bound to a different MAC address, which is exactly what IP/MAC binding is meant to catch: a host using an address that is not its own.

3. To add the IP/MAC pair to the binding list, go to CONFIGURATION > Interface > Ethernet > Lan1 > IP/MAC Binding > Add or Edit.

4. Alternatively, add this IP/MAC address to the Exempt List: go to CONFIGURATION > Network > IP/MAC Binding > Exempt List.

Note:

If IP/MAC binding is enabled, traffic from the following source IP addresses is also allowed to pass through the ZyWALL/USG:


a. DHCP offered Dynamic IP

b. User manually configured IP which matches static DHCP table
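The decision described in 5.2 and the note above, as an added example (not ZyXEL code and not part of the original guide): it parses the drop log line in the format quoted on the page, checks the (interface, IP, MAC) triple against a DHCP lease table, the Static DHCP table and the Exempt List, and separates a missing entry from an IP/MAC conflict, the case a security engineer cares about because it can mean a spoofed address rather than a forgotten binding. The table layouts (dictionaries keyed by interface and IP) and the sample log lines are constructed for the example, not device output.

```python
"""IP/MAC binding check as described in 5.2.  Added example, not ZyXEL
code.  The log line format is the one quoted on the page; the tables
below are a constructed stand-in for the GUI screens."""
import ipaddress
import re

# "Drop packet lan1-10.10.1.201-00:1E:33:29:BB:FC"
DROP_RE = re.compile(
    r"Drop packet (?P<iface>[a-z0-9]+)-(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")


def parse_drop(line):
    """Return (interface, ip, MAC) from an IP/MAC binding drop log, or None."""
    m = DROP_RE.search(line)
    return (m["iface"], m["ip"], m["mac"].upper()) if m else None


def norm_mac(mac):
    return mac.replace("-", ":").upper()


def binding_allows(iface, ip, mac, static_dhcp, leases, exempt):
    """static_dhcp and leases: {iface: {ip: mac}} (the interface's Static
    DHCP table, and addresses the DHCP server actually leased); exempt: list
    of IPs/CIDRs from CONFIGURATION > Network > IP/MAC Binding > Exempt List.
    The three accept paths are the ones listed in the note of 5.2.1."""
    mac = norm_mac(mac)
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(e, strict=False) for e in exempt):
        return True, "exempt list"
    if leases.get(iface, {}).get(ip) == mac:
        return True, "DHCP-offered dynamic IP"
    if static_dhcp.get(iface, {}).get(ip) == mac:
        return True, "static DHCP table"
    return False, "not bound"


def explain_drops(log_lines, static_dhcp, leases, exempt):
    """For every drop line, say whether it is a missing entry or an IP/MAC
    conflict (an address used with a MAC other than the one it is bound to)."""
    findings = []
    for line in log_lines:
        parsed = parse_drop(line)
        if parsed is None:
            continue
        iface, ip, mac = parsed
        ok, why = binding_allows(iface, ip, mac, static_dhcp, leases, exempt)
        bound = static_dhcp.get(iface, {}).get(ip)
        if ok:
            kind = "already allowed via " + why
        elif bound and bound != mac:
            kind = f"conflict: {ip} is bound to {bound}, seen from {mac}"
        else:
            kind = f"missing: add {ip}/{mac} to the {iface} Static DHCP table or the Exempt List"
        findings.append((iface, ip, mac, kind))
    return findings


# Constructed sample: the page's log line plus one that reuses a bound IP
# from a different NIC.
SAMPLE_LOG = [
    "Drop packet lan1-10.10.1.201-00:1E:33:29:BB:FC",
    "Drop packet lan1-10.10.1.200-00:1E:33:29:BB:FC",
]
SAMPLE_STATIC = {"lan1": {"10.10.1.200": "00:1E:33:29:BB:FD"}}

if __name__ == "__main__":
    for finding in explain_drops(SAMPLE_LOG, SAMPLE_STATIC, {}, []):
        print(*finding)
```

Run it against the lines from MONITOR > Log: a "missing" finding is the step 3/4 fix above, while a "conflict" finding should be investigated on the switch port before any table is changed.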


6. Cannot Access the Device WWW

To allow the ZyWALL/USG to be accessed from a specified computer using a service, make sure you do not have a service control rule or a To-ZyWALL/USG security policy rule that blocks that traffic. If a customer cannot log in to the USG, there may be a configuration issue on the USG.

6.1. Port Issue

6.1.1. Issue description

The user cannot access the ZyWALL/USG at https://192.168.2.1 or http://192.168.2.1.


6.1.2. Solution

1. HTTP example:

Check the HTTP and HTTPS port numbers, since a non-default port must be given in the URL. To check them via the console, type configure terminal and then show ip http server status. The output shows the port information for HTTP.

HTTP example


As we can see, the “Server Port” number is 1111, so the login URL should be http://192.168.2.1:1111

2. HTTPS example:

Type configure terminal and then show ip http server secure status. The output shows the port information for HTTPS.

HTTPS example


As we can see, the “Server Port” number is 2000, so the login URL should be https://192.168.2.1:2000.

6.2. Admin Service Control Issue

6.2.1. Issue description

The user cannot log in to the USG: after filling in the login information and pressing Login, the system displays “Login denied”.


6.2.2. Solution

1. Make sure that the User Name and Password are correct.

2. Make sure that access to https://192.168.2.1 is not blocked by the Admin service control.

3. You can check this via the console. Type configure terminal and then show ip http server secure status.

4. As we can see, Lan2 (https://192.168.2.1) is already denied by the admin service control, so the user cannot log in via Lan2.

5. Switch the network cable to another LAN interface and modify the configuration as needed. Go to CONFIGURATION > System > WWW > Service Control and remove the Lan2 deny entry.


6. After the modification, the user can access the USG via Lan2.
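A management connection to the device itself has to pass two checks, the zone-based To-ZyWALL Security Policy of 5.1 and the WWW Service Control list of 6.2, and the two produce different symptoms (a silent drop with a log entry versus “Login denied”). The following is an added example, not ZyXEL code and not part of the original guide: it models both checks so you can answer "would this client, from this zone, reach this service?" before touching the box. The service/group contents are those listed on the page; the rule order, the first-match semantics, the zone names and the default-accept of Service Control when no entry matches are assumptions of the model, not a description of the device's internal data structures.

```python
"""Model of the two checks a management connection to the ZyWALL/USG itself
must pass (5.1 Security Policy, 6.2 WWW Service Control).  Added example,
not ZyXEL code; rule order and structures are simplified assumptions."""
import ipaddress
from dataclasses import dataclass

# CONFIGURATION > Object > Service: name -> (protocol, port).
SERVICES = {
    "HTTPS": ("tcp", 443), "HTTP": ("tcp", 80), "SSH": ("tcp", 22),
    "TELNET": ("tcp", 23), "IKE": ("udp", 500), "NATT": ("udp", 4500),
    "AH": ("ah", None), "ESP": ("esp", None), "GRE": ("gre", None),
    "DHCP": ("udp", 67),
}
# CONFIGURATION > Object > Service > Service Group; members may be groups.
GROUPS = {
    "Default_Allow_WAN_To_ZyWALL": ["AH", "ESP", "GRE", "HTTPS", "IKE", "NATT"],
}


def resolve(name):
    """Flatten a service or group name into a set of (protocol, port);
    None means 'any'.  This is the check behind 'hover over the service
    object and see whether HTTPS is included in the group' (5.1.1 step 2)."""
    if name == "any":
        return None
    if name in GROUPS:
        return set().union(*(resolve(m) for m in GROUPS[name]))
    return {SERVICES[name]}


def group_includes(group, service):
    return SERVICES[service] in resolve(group)


@dataclass
class PolicyRule:
    name: str
    from_zones: tuple      # ("WAN",), ("LAN1", "LAN2"), or the string "any"
    service: str           # service/group name or "any"
    action: str            # "allow" | "deny"
    log: bool = True


# Default To-ZyWALL rules as described in 5.1 (order assumed).
DEFAULT_TO_DEVICE = [
    PolicyRule("Device_DHCP", "any", "DHCP", "allow", log=False),
    PolicyRule("LAN_to_Device", ("LAN1", "LAN2"), "any", "allow", log=False),
    PolicyRule("WAN_to_Device", ("WAN",), "Default_Allow_WAN_To_ZyWALL", "allow", log=False),
]


def security_policy(rules, from_zone, proto, port):
    """First matching rule decides; no match -> drop and log ('drops most
    packets from the WAN zone ... and generates a log')."""
    for r in rules:
        if r.from_zones != "any" and from_zone not in r.from_zones:
            continue
        allowed = resolve(r.service)
        if allowed is not None and (proto, port) not in allowed:
            continue
        return r.action, r.name, r.log
    return "deny", "<implicit default>", True


@dataclass
class ServiceControlEntry:
    zone: str       # "ALL" or a zone name
    address: str    # "ALL", an IP, or a CIDR
    action: str     # "accept" | "deny"


def service_control(entries, zone, src_ip):
    """CONFIGURATION > System > WWW > Service Control: first match wins;
    no match -> accept (assumption: the page only shows an explicit deny)."""
    ip = ipaddress.ip_address(src_ip)
    for e in entries:
        if e.zone not in ("ALL", zone):
            continue
        if e.address != "ALL" and ip not in ipaddress.ip_network(e.address, strict=False):
            continue
        return e.action
    return "accept"


def can_manage(rules, sc_entries, zone, src_ip, service):
    """Return (ok, reason) for a management attempt using `service`."""
    proto, port = SERVICES[service]
    action, rule, log = security_policy(rules, zone, proto, port)
    if action != "allow":
        return False, f"security policy: dropped by {rule}" + (" (logged)" if log else "")
    if service_control(sc_entries, zone, src_ip) != "accept":
        return False, "service control: Login denied"
    return True, f"security policy {rule}, service control accept"
```

With the defaults, HTTPS from the WAN is accepted while SSH from the WAN falls through to the implicit drop, which is why 5.1.2 has you add a To ZyWALL rule; an entry `ServiceControlEntry("LAN2", "192.168.2.0/24", "deny")` reproduces the 6.2 “Login denied” for 192.168.2.33 even though the Security Policy let the packet in. The same model shows the safer direction: a Service Control entry limited to your management subnet keeps WAN-side HTTPS closed without editing the default policy.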


6.3. OSPF Routing Issue

6.3.1. Unable to distribute routes to the connected device

1. Area Setting

Check if the Area ID, Type and Authentication Key are correctly configured.

Ensure these same settings are also correctly configured on the connected device

which would like to get routes from the ZyWALL.

CONFIGURATION > Network > Routing > OSPF > Area

2. OSPF setting in the interface

Select the correct Area ID and Authentication in the appropriate interfaces.

CONFIGURATION > Network > Interface > Ethernet > Advanced Settings > OSPF Setting


6.3.2. Unable to get routes from the connected device

1. Area Setting

Check if the Area ID, Type and Authentication Key are correctly configured.

These settings must be the same as that on the connected device from which the

ZyWALL would like to get routes.

CONFIGURATION > Network > Routing > OSPF > Area

2. OSPF setting in the interface

Select the correct Area ID and Authentication in the appropriate interfaces.

CONFIGURATION > Network > Interface > Ethernet > Advanced Settings > OSPF Setting


3. OSPF service in the policy control

Ensure the OSPF service is allowed in the policy control.

From: any; To: ZyWALL; Service: OSPF; access: allow

A narrower From zone (the zone where the OSPF neighbor is connected) is preferable to any, so that OSPF is not accepted from the WAN; together with the area Authentication Key this keeps outside hosts from injecting routes.

CONFIGURATION > Security Policy > Policy Control > Add


6.4. Cannot access internet (session full/firewall block)

6.4.1. Session full

1. Once a client has reached the maximum number of sessions, it is no longer allowed to connect to the interface or the GUI, so you may need to use the serial port to enter the command line as below.

2. In the CLI you can use show logging entries category sessions-limit to check whether it is blocked by the session limit, or show logging entries keyword <client IP> to see the logs for this computer.


3. You can disable the session limit temporarily once you see the “maximum session per host” message. Before raising the limit permanently, check what the host is doing: a client that opens hundreds of sessions to many different destinations may be infected or scanning rather than a legitimate heavy user.

4. Go to the device GUI MONITOR > Log, and in the log display select “Sessions Limit” to check whether the client is blocked because of the session limit. The GUI log shows that the client has reached the maximum session threshold.


5. Go to CONFIGURATION > Security Policy > Session Control to change the setting or set a threshold for the specific client.
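The triage that should precede step 5, as an added example (not ZyXEL code and not part of the original guide): given a session table, it finds the hosts at or above their per-host limit, honouring per-client thresholds like the ones set under Session Control, and profiles each one so you can tell a port scan or worm (many destinations, one port) from a busy user before deciding whether to raise the limit or isolate the host. The session records are constructed; the real device lists sessions in its own layout, and the scan heuristic and its thresholds are assumptions to tune for your network.

```python
"""Session-limit triage for 6.4.1.  Added example, not ZyXEL code; the
session table is constructed and the scan heuristic is an assumption."""
from collections import Counter


def sessions_per_host(sessions):
    """sessions: iterable of (src_ip, dst_ip, dst_port) tuples.
    Returns {src_ip: number of sessions}."""
    return Counter(src for src, _dst, _port in sessions)


def over_limit(sessions, default_limit, per_host_limits=None):
    """Hosts at or above their limit.  per_host_limits mirrors the per-client
    thresholds of CONFIGURATION > Security Policy > Session Control and
    overrides default_limit for the listed addresses (assumed semantics)."""
    per_host_limits = per_host_limits or {}
    return {host: n for host, n in sessions_per_host(sessions).items()
            if n >= per_host_limits.get(host, default_limit)}


def profile(sessions, host):
    """What one host is doing: session count, distinct destinations, top ports."""
    mine = [(dst, port) for src, dst, port in sessions if src == host]
    ports = Counter(port for _dst, port in mine)
    return {"sessions": len(mine),
            "distinct_dst": len({dst for dst, _port in mine}),
            "top_ports": ports.most_common(3)}


def looks_like_scan(sessions, host, min_dst=50, top_share=0.9):
    """Heuristic, not a rule from the guide: many distinct destinations with
    nearly every session on the same port is typical of a worm or a port
    scan, not of a busy but legitimate user."""
    p = profile(sessions, host)
    if p["sessions"] == 0:
        return False
    share = p["top_ports"][0][1] / p["sessions"]
    return p["distinct_dst"] >= min_dst and share >= top_share


def triage(sessions, default_limit, per_host_limits=None):
    """For each host over its limit: its profile plus a verdict to act on
    before touching the limit."""
    report = {}
    for host in over_limit(sessions, default_limit, per_host_limits):
        p = profile(sessions, host)
        p["verdict"] = ("investigate host" if looks_like_scan(sessions, host)
                        else "consider raising limit")
        report[host] = p
    return report


def make_sample():
    """Constructed session table (not device output): 192.168.2.33 opens one
    session to port 445 on 200 hosts in 10.0.0.0/24, 192.168.2.10 is an
    ordinary web user."""
    sessions = [("192.168.2.33", f"10.0.0.{i}", 445) for i in range(1, 201)]
    sessions += [("192.168.2.10", "203.0.113.10", 443)] * 30
    sessions += [("192.168.2.10", "203.0.113.11", 80)] * 10
    return sessions


if __name__ == "__main__":
    for host, info in triage(make_sample(), 150).items():
        print(host, info)
```

In the sample, only 192.168.2.33 exceeds a limit of 150 and it is flagged "investigate host"; adding a per-client threshold of 40 for 192.168.2.10 puts that host over its own limit too, but its profile (two destinations, mixed ports) points to raising the limit rather than blocking.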


6.4.2. Firewall block

1. A service is blocked by the firewall if the security policy is not set appropriately.

2. The security policy depends on the ZONE setting.

3. Go to MONITOR > Log. In this example, Category > Security Policy Control shows the FTP service from the LAN2 client as ACCESS BLOCKED by the firewall.

4. Also check the Zone configuration at CONFIGURATION > Object > Zone. Use Object Reference to see where these objects are used and their priority in the security policy.

5. In this case the client PC (192.168.2.33) is included in the Zone LAN2.


6. The LAN2 zone object is referenced by the security policy. Most of the time, a client that cannot reach an external service is blocked by a misconfigured firewall rule, or because the wrong subnet has been placed in the wrong zone.


6.5. Cannot access internet (anti-spam)

The Anti-Spam feature can mark or discard spam (unsolicited commercial or junk e-mail). Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL/USG can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers.

If you cannot receive or send e-mail through the ZyWALL/USG, follow the steps below to troubleshoot.

6.5.1. If you are not able to receive/send emails via ZyWALL/USG

1. Connect to the web GUI of the ZyWALL/USG. Go to CONFIGURATION > Security Policy > Policy Control.

2. Check the Security Policy setting to ensure it allows the mail protocols (SMTP/POP3/SMTPS/IMAP4).


3. Ensure the receiver/sender IP address is allowed.

4. Connect to the web GUI of the ZyWALL/USG. Go to MONITOR > UTM Statistics > Anti-Spam > Status.

5. Check whether Concurrent Mail Session Scanning is full.

6.5.2. Information that must be collected

1. Configuration

2. Diaginfo

3. Remote access

4. Mail server protocol


7. Cannot Set Up the IPSec VPN Function Successfully

There are many different scenarios when establishing a VPN tunnel. You can follow these maps to find your scenario. Each scenario lists some of the issues that may match what you encountered, and you can follow this guide to find the symptom in your environment.

7.1. VPN connection cannot be established

7.1.1. If you face a VPN connection problem, these are the possible root causes:

1. Pre-shared key mismatch.

2. SA proposal mismatch.

3. Local/remote policy mismatch.

4. Firewall rule block.

7.1.2. When the VPN tunnel cannot be established:

1. Navigate to MONITOR > Log

2. Select the IKE category

3. Check the authentication method, local/peer policy and SA proposal in phase 1 and phase 2


4. Make sure the firewall rule does not block the IKE service from LAN or WAN to Device

7.1.3. If you have a connection problem, check the “IKE” log category for more information.

1. Pre-shared key mismatch

2. Proposal mismatch in phase 1


3. Proposal mismatch in phase 2

4. Local policy mismatch on phase 2


5. If you are using a Local/Peer ID, check that it is correct.

Local site:

Remote site


6. Make sure the LAN-to-Device and WAN-to-Device security policies allow the IKE service.

7.2. Cannot establish VPN tunnel via 3G/LTE interface

Troubleshooting Flowchart:

7.2.1. Is the Dongle Included in the ZyWALL/USG Support List?

If it is not supported, go to 7.2.2

If it is supported, go to 7.2.3


If the dongle is not included in the support list, there may be a compatibility issue. Therefore, change to a supported dongle.

7.2.2. Change to Supported Dongle

Go to http://www.zyxel.com/support/download_landing.shtml, Search by Model Number > Firmware > 3G Dongle Document to see the latest supported 3G cards.

7.2.3. Is the Cellular Status Ready?

If it is not ready, go to 7.2.4

If it is ready, go to 7.2.5

When you plug the 3G dongle into the device, it automatically creates a cellular interface, but the default status is inactive. Make sure the cellular interface is activated and the status is ready.

7.2.4. Activate Cellular Status and Check ISP Account Settings

Activate Cellular Status

1. Go to CONFIGURATION > Interface > Cellular; the connected device is automatically displayed in the Cellular Interface Summary. Click Activate and then the Apply button at the bottom of the page.

2. Go to MONITOR > System Status > Cellular Status and make sure the Status is Device ready and the Signal Quality is good.


Check ISP Account

If the dongle cannot connect to the ISP, check the following possible causes:

1. Misconfiguration of the dongle (if you bought a 3G card overseas, it may still hold the default configuration of the original ISP)

2. No SIM or incorrect SIM

3. PIN lock

4. Parameter issue

5. Weak signal strength

7.2.5. Is the Connectivity Set to Nailed-Up?

The default Connectivity method is Nailed-Up, so the connection should always be up after you activate the cellular interface. If you disable Nailed-Up and set the Idle timeout to zero or only a few seconds, the VPN tunnel disconnects if you do not dial up the cellular interface or when there is no traffic for a few seconds.

7.2.6. Modify Connectivity Setting

1. If you want the connection to always be up, go to CONFIGURATION > Interface > Cellular > Connectivity and check Nailed-Up.

2. If you want the connection up only when there is traffic, go to CONFIGURATION > Network > Interface > Cellular > Connectivity, uncheck Nailed-Up and set the Idle timeout.


7.2.7. Is the Cellular Interface Included in the WAN Trunk?

If you do not include the cellular interface in the WAN Trunk, the ZyWALL/USG does not send traffic through that interface as part of the trunk.

7.2.8. Modify Trunk

1. If you are using SYSTEM_DEFAULT_WAN_TRUNK, go to CONFIGURATION > Network > Trunk > System Default. Make sure the cellular interface is included as a member of the System Default trunk.


2. If you are using a User Configured Trunk, go to CONFIGURATION > Network > Trunk > User Configuration. Make sure the cellular interface is included as a member of the user-configured trunk.

7.2.9. Is there Any Routing Policy Related to the WAN Interface?

Once a packet matches the criteria of a routing rule, the ZyWALL/USG takes the corresponding action and does not perform any further flow checking. Since the default priority of Policy Route and 1-1 NAT is higher than VPN and the Default WAN Trunk, internal network access to the Internet might go through another WAN interface instead of the cellular interface.


7.2.10. Check Routing Policy

Policy Route

1. Go to CONFIGURATION > Network > Policy Route and make sure the Next-Hop for the VPN tunnel you want to establish over the cellular interface is not another WAN interface. You can configure the Next-Hop to be the Trunk or the cellular interface.

NAT

1. Go to CONFIGURATION > Network > NAT and make sure the mapping rules do not conflict with the cellular interface and the VPN tunnel.

7.2.11. Collect Information for CSO Support

Topology

1. Access the ZyWALL/USG's CLI and issue the commands below:

Router> configure terminal

Router(config)# _cellular debug enable


2. Insert the 3G card into the ZyWALL/USG and wait for 2 minutes.

3. Access the ZyWALL/USG's CLI again and issue the commands below:

Router (config)# _cellular dump daemon-data

Router(config)# _cellular cat daemon-log

Router(config)# exit

Router> show interface cellular status

Router> show interface cellular device-status

Router> debug interface ifconfig cellular1

Router# diag-info collect

Please wait, collecting information (it may take 7-10 minuts)

Router# show diag-info (check whether the collection is done)

Filename : diaginfo-20160407.tar.bz2

File size : 3260 KB

Date : 2016-04-07 01:51:38

4. Save all of the output after you enter these commands, and get the diag-info file via FTP or the web GUI.

5. Send the above information to the support team.


7.3. VPN fallback is not working

7.3.1. The VPN tunnel has been established successfully, but it cannot fall back to the primary peer gateway

If your scenario looks like this topology: one USG has two WAN interfaces, and the other USG has one.

On USG#A, the primary interface is WAN1 and the secondary interface is WAN2. When USG#A's WAN1 interface goes down, USG#B re-establishes the VPN tunnel to the WAN2 interface. After USG#B has established the VPN tunnel to USG#A's WAN2 interface, the tunnel works fine, but it does not fall back to WAN1 when the WAN1 connection comes back.

7.3.2. Verify configuration

1. VPN Gateway setting on USG#A:

In the VPN Gateway setting, My Address must be 0.0.0.0. This means My Address is the IP address of whichever interface is alive.


2. On USG#A, make sure the WAN1 interface is primary and the WAN2 interface is secondary.

Go to CONFIGURATION > Network > Interface > Trunk > User Configuration and click the Add button to add a customized trunk. The WAN1 interface is Active and the WAN2 interface is Passive.


3. Then apply this object as the default WAN trunk.

4. VPN Gateway setting on USG#B:

In the VPN Gateway setting, enter USG#A's WAN1 and WAN2 interface addresses as the primary and secondary peer gateway.

“Fall back to Primary Peer Gateway when possible” must be enabled. (In this example, USG#B checks the status of the primary gateway IP address every 300 seconds.)

5. Enter the fallback command on USG#B:

On USG#B you must enter the “client-side-vpn-failover-fallback activate” command via the CLI.


7.4. Cannot set up the IPSec VPN function by VPN provisioning successfully

7.4.1. Configuration is successful but the field “Remote Gateway Address” is empty

1. Check My Address of the VPN gateway:

If you select “Express” when using the VPN Setup Wizard to configure VPN Settings for Configuration Provisioning, wan1 is “My Address” by default. If wan1 is not the interface used for VPN provisioning, select the correct interface for provisioning.


CONFIGURATION > VPN > IPSec VPN > VPN Gateway

7.4.2. Authentication Failed


1. Check whether the login account and password are correctly configured on the ZyWALL IPSec VPN Client.

MONITOR > Log > View Log > User

2. The account must be configured as an Allowed User.

CONFIGURATION > VPN > IPSec VPN > Configuration Provisioning


7.4.3. Server Not Found

1. Check the Gateway Address configured on the ZyWALL IPSec VPN Client.

The address must be the same as My Address in CONFIGURATION > VPN > IPSec VPN > VPN Gateway > WIZ_VPN_PROVISIONING.

CONFIGURATION > VPN > IPSec VPN > VPN Gateway


7.5. IPSec VPN Client on the Windows 10 Operating System

Enterprises need remote access to the company's applications and servers that is quick, easy and secure. The VPN Client enables employees to work from home or on the road, and IT managers to connect via remote desktop sharing to the enterprise infrastructure. The VPN Client offers a range of features, from simple login authentication to full PKI integration.

7.5.1. Cannot use the IPSec VPN client on a Windows 10 system

Customers who want to access the company's servers or applications remotely often choose the IPSec VPN Client software. However, if a customer cannot use the IPSec VPN Client on Windows 10, there may be an issue in the configuration. Follow the steps below to troubleshoot the problem.

7.5.2. The vital configuration of the IPSec Client on Windows 10

1. On the VPN Gateway, make sure the pre-shared key is the same as on the IPSec VPN client.

2. On the VPN Connection, select the Server Role and make sure the Local Policy and Phase 2 settings are the same as the IPSec VPN client's.

7.5.3. Possible issue symptoms

The issue on the pre-shared key

1. After configuration, the IPSec VPN client session still cannot be established. The client can recognize what kind of issue it is from the log message.


MONITOR > Log > Select IKE in the Display field

2. From the log message the client can see that the issue is the “pre-shared key”. Double-check the pre-shared key on the ZyWALL/USG side and on the ZyWALL IPSec VPN Client side. Go to CONFIGURATION > VPN Gateway > Edit > Pre-Shared Key; in this example the pre-shared key is “123456789”. (A short numeric key like this is only suitable for a lab; use a long random pre-shared key on a gateway that is reachable from the Internet.)

3. On the ZyWALL IPSec VPN Client, go to IKEv1 Gateway > Authentication > Preshared Key and change the key to “123456789”.


4. After the change, the IPSec VPN client connection is established.


The issue on the Phase 1 setting

1. When the log message displays “No proposal chosen”, double-check the Phase 1 settings on the ZyWALL/USG and on the IPSec VPN client. Go to MONITOR > Log > Select IKE in the Display field.

2. The log also tells you which setting is mismatched; here you can see P1 Algorithm mismatch.


3. Double-check the settings on both sides.

The issue on the Phase 2 setting

1. When the log message displays “Phase 2 Proposal mismatch” and “No proposal chosen”, double-check the Phase 2 settings on the ZyWALL/USG and on the IPSec VPN client. Go to MONITOR > Log > Select IKE in the Display field.

2. The log also tells you which setting is mismatched; here you can see P2 Algorithm mismatch.


3. Make sure the Phase 2 settings and the ESP proposal match on both sides.
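The mismatches that 7.1.1 lists as root causes and that the 7.5 walkthrough reads out of the IKE log one at a time (pre-shared key, Phase 1 proposal, Phase 2 proposal, local/remote policy, Local/Peer ID) can be checked side by side before the first IKE exchange. The following is an added example, not ZyXEL code and not part of the original guide: both ends are described as small dictionaries that are a constructed, simplified picture of the VPN Gateway (Phase 1) and VPN Connection (Phase 2) screens rather than any export format of the device or the client, and the finding strings mirror the log wording quoted on the page. It also gives a key fingerprint, so two administrators can confirm they typed the same pre-shared key without reading it out, and a strength check that the lab key “123456789” deliberately fails.

```python
"""Pre-flight comparison of the two ends of an IPSec tunnel (7.1.1 root
causes, 7.5 IKE log messages).  Added example, not ZyXEL code; the config
dictionaries are a constructed simplification of the GUI screens."""
import hashlib
import hmac
import ipaddress


def psk_fingerprint(psk):
    """Short SHA-256 fingerprint of the pre-shared key.  Compare fingerprints
    over the phone instead of the key itself."""
    return hashlib.sha256(psk.encode("utf-8")).hexdigest()[:12]


def psk_is_strong(psk, min_len=20):
    """Assumed policy: at least min_len characters and three character
    classes.  '123456789' from the 7.5 walkthrough fails on purpose."""
    classes = [str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum()]
    return len(psk) >= min_len and sum(any(f(c) for c in psk) for f in classes) >= 3


def _common_proposals(mine, theirs):
    """Each side lists (encryption, authentication, dh_group) tuples in
    preference order; IKE needs at least one in common."""
    return [p for p in mine if p in theirs]


def compare_vpn(local, peer):
    """Return a list of mismatch findings; empty when the tunnel should
    negotiate.  `local` is this ZyWALL/USG, `peer` the remote gateway or
    the IPSec VPN Client."""
    findings = []
    if not hmac.compare_digest(local["psk"].encode(), peer["psk"].encode()):
        findings.append("Pre-shared key mismatch")
    if not _common_proposals(local["phase1"], peer["phase1"]):
        findings.append("Proposal mismatch in phase 1 (No proposal chosen)")
    if not _common_proposals(local["phase2"], peer["phase2"]):
        findings.append("Phase 2 Proposal mismatch (No proposal chosen)")
    # Phase 2 traffic selectors are mirrored: my local policy is the
    # peer's remote policy, and vice versa.
    if ipaddress.ip_network(local["local_policy"]) != ipaddress.ip_network(peer["remote_policy"]):
        findings.append("Local policy mismatch on phase 2")
    if ipaddress.ip_network(local["remote_policy"]) != ipaddress.ip_network(peer["local_policy"]):
        findings.append("Remote policy mismatch on phase 2")
    # Optional IDs are mirrored too: my Local ID is the peer's Peer ID.
    if (local.get("local_id"), local.get("peer_id")) != (peer.get("peer_id"), peer.get("local_id")):
        findings.append("Local/Peer ID mismatch")
    return findings


# Constructed site configs (not a device export).
SITE_A = {
    "psk": "123456789",
    "phase1": [("aes256", "sha256", 14)],
    "phase2": [("aes256", "sha256", 0)],   # third field 0 = no PFS group
    "local_policy": "192.168.1.0/24",
    "remote_policy": "192.168.2.0/24",
    "local_id": "usg-a", "peer_id": "usg-b",
}
SITE_B = {
    "psk": "123456789",
    "phase1": [("aes128", "sha1", 2), ("aes256", "sha256", 14)],
    "phase2": [("aes256", "sha256", 0)],
    "local_policy": "192.168.2.0/24",
    "remote_policy": "192.168.1.0/24",
    "local_id": "usg-b", "peer_id": "usg-a",
}

if __name__ == "__main__":
    print("findings:", compare_vpn(SITE_A, SITE_B) or "none")
    print("psk fingerprint:", psk_fingerprint(SITE_A["psk"]),
          "strong" if psk_is_strong(SITE_A["psk"]) else "weak")
```

The proposal comparison is deliberately an intersection rather than an equality test: a peer that offers an extra, weaker Phase 1 proposal (as SITE_B does) still negotiates, which is also why you should trim such entries on the ZyWALL/USG side rather than rely on the peer's ordering.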


7.6. Cannot set up the IKEv2 VPN tunnel successfully

IKEv2

A PC with the IPSec VPN Client establishes an IKEv2 VPN tunnel with the USG. The PC sends all traffic into the tunnel, and the USG forwards the traffic to the Internet or to the LAN server. If this scenario does not work in your environment, follow the steps below:

7.6.1. If IKEv2 traffic does not work at all from your PC

Connect to the web GUI of the ZyWALL/USG. Go to MONITOR > VPN Monitor > IPSec and check whether the IKEv2 tunnel is alive.


7.6.2. If the IKEv2 tunnel is not up

1. Connect to the USG and compare its settings with the VPN client to ensure the configurations are all correct.

2. Since the PC sends all traffic into the tunnel, the local policy of the USG should be any (0.0.0.0).


3. Configure the IPSec VPN Client IP address as 1.1.1.1. (The administrator can assign a specific IP address to the client; this IP address is used in the policy route to separate the traffic. An address from a private range that is not routed elsewhere in your network is a safer choice than a public address such as 1.1.1.1.)


4. Make sure to check “Disable Split Tunneling”.

7.6.3. The VPN tunnel is up, but no traffic passes through the USG to the Internet

Connect to the USG and go to CONFIGURATION > Network > Routing > Policy Route. Ensure there are policy routes that separate the traffic from the IKEv2 tunnel to the Internet and to the LAN server:

1. First policy route rule: from the IKEv2 IP address to the LAN server, Next-Hop: LAN1

2. Second policy route rule: from the IKEv2 IP address to the Internet, Next-Hop: WAN1, SNAT: outgoing-interface


7.6.4. Information that must be collected

1. Configuration of ZyWALL/USG and IPSec VPN Client

2. The version of IPSec VPN Client

3. The diaginfo of VPN Client

4. The console log of VPN Client


7.7. Problems with the VPN concentrator

A VPN concentrator combines several IPSec VPN connections into one secure network.

A VPN concentrator reduces the number of VPN connections that you have to set up and maintain in the network. You might also be able to consolidate the policy routes in each spoke router, depending on the IP addresses and subnets of each spoke.

Consider the following when using the VPN concentrator.

1 The local IP addresses configured in the VPN rules should not overlap.

2 The concentrator must have at least one separate VPN rule for each spoke. In the local policy, specify the IP addresses of the networks with which the spoke is to be able to have a VPN tunnel. This may require you to use more than one VPN rule for each spoke.

3 To have all Internet access from the spoke routers go through the VPN tunnel, set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address.

4 The VPN must be a Site-to-Site VPN.
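The first two considerations above (no overlapping local networks, and a hub-side local policy per spoke that lists every network the spoke may reach) can be checked from the address plan before any VPN rule is touched. The following is an added example written for this guide, not ZyXEL code; the hub and branch subnets in it are constructed sample values:

```python
"""Address-plan checks for a hub-and-spoke (VPN concentrator) design.

Added example, not ZyXEL code. The hub LAN and branch LANs below are
constructed sample values, not taken from the guide.
"""
from ipaddress import ip_network
from itertools import combinations

# Constructed sample: the concentrator's own LAN and the LAN behind each spoke.
HUB_LAN = "10.0.0.0/24"
SPOKE_LANS = {
    "branch1": "10.1.0.0/24",
    "branch2": "10.2.0.0/24",
}


def find_overlaps(networks):
    """Return (name, name) pairs whose networks overlap.

    Consideration 1 in 7.7: the local networks in the concentrator's VPN rules
    must not overlap, otherwise one destination matches more than one tunnel.
    """
    parsed = {name: ip_network(net) for name, net in networks.items()}
    return [
        (a, b)
        for (a, net_a), (b, net_b) in combinations(parsed.items(), 2)
        if net_a.overlaps(net_b)
    ]


def hub_local_policy(hub_lan, spoke_lans):
    """For each spoke, list the networks the concentrator must expose to it.

    Consideration 2 in 7.7: the hub-side rule(s) for a spoke carry, as local
    policy, the hub LAN plus every *other* spoke's LAN. If a local policy can
    hold only one network, each entry here is one VPN rule on the hub.
    """
    plan = {}
    for name in spoke_lans:
        plan[name] = [hub_lan] + [
            lan for other, lan in spoke_lans.items() if other != name
        ]
    return plan


if __name__ == "__main__":
    clashes = find_overlaps({"hub": HUB_LAN, **SPOKE_LANS})
    print("overlapping local networks:", clashes or "none")
    for spoke, nets in hub_local_policy(HUB_LAN, SPOKE_LANS).items():
        print(f"hub local policy towards {spoke}: {nets}")
```

The per-spoke list that hub_local_policy returns is also the set of destinations each branch's policy route (7.7.3) has to send into its tunnel to the central site, since branch-to-branch traffic only reaches the other branch through the concentrator.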

If the scenario does not work in your environment, follow the steps below:

7.7.1. Site-to-Site VPN tunnel is up

Connect to the USG and make sure the VPN tunnel configuration is correct.

1 VPN tunnel between Central side and Branch side 1

2 Branch side 1 to Central side VPN setting (Enable Nailed-Up)

Central side to Branch side 1 VPN setting

VPN tunnel between Central side and Branch side 2

Branch side 2 to Central side VPN setting (Enable Nailed-Up)

Central side to Branch side 2 VPN setting

7.7.2. VPN Concentrator on Central side

Go to CONFIGURATION > VPN > IPSec VPN > Concentrator and check that both tunnels are selected.

7.7.3. Policy route on both branch sides

Check that there are policy routes that send the traffic for the other branch into the tunnel to the central site.

1 On Branch side 1

2 On Branch side 2

7.7.4. Information that must be collected

1. Configurations

2. Diaginfo

3. Topology

7.8. IPSec VPN tunnel was established successfully, but the traffic can't pass through the tunnel

Troubleshooting Flowchart:

7.8.1 Is the PC Firewall Disabled?

In some operating systems the firewall may, by default, block protocols required for the VPN connection and for the ping check (ICMP Echo Request). Therefore, make sure your PC firewall allows the VPN and ping-check traffic.

7.8.2 Does the PC Firewall Allow VPN/ICMP Traffic?

IP forwarding must be enabled at the firewall for the following IP protocols and UDP ports:

1. IP Protocol Type=50 <- Used by data path (ESP)

2. IP Protocol Type=51 <- Used by data path (AH)

3. IP Protocol Type=UDP, UDP Port Number=500 <- Used by IKEv1 (IPSec control path)

4. IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv1 (IPSec control path)

5. IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv2 (IPSec control path)

7.8.3 Modify PC Firewall Setting

1. To configure the network to accept access, open Control Panel > Network and Sharing Center. Click “Change adapter settings”.

2. Press Alt + F and click “New Incoming Connection”.

3. A wizard opens. In the first step, mark the users you want to allow to use your connection.

4. Put a mark on “Through the Internet” and click Next.

5. Select the protocols you want to connect with, and double-click “Internet Protocol Version 4 (TCP/IPv4)”.

6. In the screen that appears, make sure the Properties are set as shown in the image below. Click OK.

7. Click Allow access.

8. The last step of the wizard appears. Click Close to finish it, but remember to note down the computer’s name, as it will be used when you connect.

Configure Firewall to accept Ping check (ICMP Echo Request)

Windows OS

1. Go to Control Panel > Windows Firewall > Windows Firewall with Advanced Security.

2. Click “Inbound Rules”. Then select Echo Request - ICMP IN.

3. Right-click the Echo Request - ICMP IN rule and click Enable Rule.

4. The Echo Request - ICMP IN rule is now enabled.

Mac OS X

1. Go to Security & Privacy > Firewall > Advanced and uncheck the Enable stealth mode checkbox so that the machine responds to pings.

Configure Firewall to accept connections

IPSec does not disturb the original IP header, so IPSec packets can be routed as normal IP traffic. Routers and switches in the data path between the communicating hosts simply forward the packets to their destination. However, when there is a firewall or gateway in the data path, IP forwarding must be enabled at the firewall for the following IP protocols and UDP ports.

1. IP Protocol Type=50 <- Used by data path (ESP)

2. IP Protocol Type=51 <- Used by data path (AH)

3. IP Protocol Type=UDP, UDP Port Number=500 <- Used by IKEv1 (IPSec control path)

4. IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv1 (IPSec control path)

5. IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv2 (IPSec control path)

Windows OS

1. Go to Control Panel > Windows Firewall > Windows Firewall with Advanced Security. Click “Inbound Rules”. Next, open the “Actions” menu and click “New Rule…”.

2. A wizard opens. In the first step, select the “Port” option and click Next.

3. Select “TCP or UDP”. In the Specific remote ports field, enter the port number and click Next.

4. Select Allow the connection and click Next.

5. Apply the rule to all and click Next.

6. In the Name and Description (optional) fields, enter anything you want and click Finish.

7.8.4 Is NetBIOS Enabled on the USG?

Enable NetBIOS if you want the ZyWALL/USG to send NetBIOS (Network Basic Input/Output System) packets through the IPSec SA.

NetBIOS packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. It may sometimes be necessary to allow NetBIOS packets to pass through IPSec SAs in order to allow local computers to find computers on the remote network and vice versa.

7.8.5 Modify NetBIOS Setting

Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection > Edit > Show Advanced Settings > General Settings and select Enable NetBIOS broadcast over IPSec.

7.8.6 Perform Ping Check Command from PC

A ping check lets you confirm that you have connectivity between VPN nodes. Open the command prompt in Windows.

7.8.7 Is there Any Response from the Remote Site?

If there is no response, go to 7.2.8

If there is a response, go to 7.2.11

Topology Example

One PC at Local Network A, IP address: 10.90.90.9

One PC at Local Network B, IP address: 10.254.0.33

At the PC in Local Network A, type the command: ping 10.254.0.33. The response should be:

At the PC in Local Network B, type the command: ping 10.90.90.9. The response should be:

7.8.8 Perform Ping Check from PC to Local/Remote Gateway

A ping check lets you confirm that you have connectivity between VPN participants. Open the command prompt in Windows.

7.8.9 Is there Any Response from the Local/Remote Gateway?

If there is no response, go to 7.2.10

If there is a response, go to 7.2.11

Topology Example

One PC at Local Network A, IP address: 10.90.90.9; Gateway IP address: 10.90.90.1

One PC at Local Network B, IP address: 10.254.0.33; Gateway IP address: 10.254.0.1

At the PC in Local Network A, type the command: ping 10.254.0.1. The response should be:

At the PC in Local Network B, type the command: ping 10.90.90.1. The response should be:

7.8.10 Modify Local/Remote Gateway Setting

1. Check the WAN interface on both VPN sites and make sure you have configured the gateway IP address correctly. First, check whether the gateway IP address is within the correct host address range, using the subnet calculator tool below.

http://www.subnet-calculator.com/

2. Second, if the gateway IP is given by the ISP, contact your service provider to confirm the correct address.

3. Third, if the gateway IP is assigned by a DHCP server, make sure your DHCP server assigned the correct gateway IP to your WAN interface.
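Step 1 above sends you to an online subnet calculator to confirm that the gateway lies inside the WAN interface's host range. The same check can be done offline with Python's standard ipaddress module. This is an added example, not ZyXEL code; the WAN addresses in the demo run follow the topology example in 7.8.15, but the /27 mask is an assumption, since the guide gives no subnet masks:

```python
"""Check that a WAN default gateway is a usable host on the WAN interface's subnet.

Added example, not ZyXEL code; it performs in code the check that step 1 of
7.8.10 does with an online subnet calculator. The demo addresses are
constructed (the /27 mask is assumed, the guide gives none).
"""
from ipaddress import ip_address, ip_interface


def check_gateway(wan_interface, gateway):
    """Return (ok, reason) for a default gateway as seen from the WAN interface.

    wan_interface is "address/prefix" as configured on the WAN port,
    e.g. "10.251.31.22/27"; gateway is the address the ISP or DHCP supplied.
    """
    iface = ip_interface(wan_interface)
    gw = ip_address(gateway)
    net = iface.network

    if gw.version != iface.ip.version:
        return False, "gateway and interface are different IP versions"
    if gw not in net:
        return False, f"{gw} is not inside {net}: check the mask or the gateway"
    if gw == iface.ip:
        return False, "gateway is the interface's own address"
    # The network and broadcast addresses are not hosts, except on point-to-point
    # /31 (IPv4) and /127 (IPv6) links where both addresses are usable.
    if net.prefixlen <= net.max_prefixlen - 2 and gw in (
        net.network_address, net.broadcast_address
    ):
        return False, f"{gw} is the network or broadcast address of {net}"
    return True, f"{gw} is a valid host on {net}"


if __name__ == "__main__":
    # Constructed demo values: WAN addresses as in 7.8.15, mask assumed.
    for wan, gw in [("10.251.31.22/27", "10.251.31.1"),
                    ("10.251.31.22/27", "10.251.31.65"),
                    ("10.251.31.22/27", "10.251.31.31")]:
        ok, reason = check_gateway(wan, gw)
        print("OK  " if ok else "BAD ", reason)
```

A gateway that fails the "not inside" test with an ISP-supplied address usually means the mask on the WAN interface is wrong rather than the gateway itself, which is why steps 2 and 3 above ask you to confirm the values with the ISP or the DHCP server.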

7.8.11 Disable Security Policy on Device

A customized Security Policy may block protocols required for the VPN connection and for the ping check (ICMP Echo Request). Therefore, make sure your Security Policy allows the VPN and ping-check traffic.

7.8.12 Is there Any Response from the Remote Site?

If there is no response, go to 7.2.14

If there is a response, go to 7.2.13

1. Try turning off the Security Policy and see if it works. If so, activate the Security Policy rules one by one until you find the one that breaks it, or check the access block information in the Log.

7.8.13 Modify Security Policy Setting

Security Policy Example

1. Go to MONITOR > Log and check whether any Security Policy blocks the VPN protocols and UDP ports. In this example, the Security Policy blocks UDP port 500 traffic.

2. Go to CONFIGURATION > Security Policy > Policy Control and check the allowed services: the customized Allow_WAN_To_ZyWALL service group does not allow the AH, ESP and IKE protocols.

3. Go to CONFIGURATION > Object > Service > Service Group to edit the service group. Move AH, ESP and IKE into the Allow_WAN_To_ZyWALL members. Click OK.

4. Go to MONITOR > Log; the VPN tunnel is now built successfully.

7.8.14 Perform Ping Check Command from Router

When traffic is initiated from the ZyWALL/USG to a remote site, the source IP address is that of an “external” interface instead of one of the “VPN subnet” interfaces. This means the source IP address does not belong to the local subnet that the VPN tunnel allows access to. Therefore, if you ping from the router with its own IP address, you should not get a response from the remote router.

7.8.15 Is there Any Response from the Remote Subnet?

If there is no response, go to 7.2.15

If there is a response, go to 7.2.16

Topology Example

ZyWALL USG A WAN IP address: 10.251.31.22; LAN subnet IP address: 10.90.90.1

ZyWALL USG B WAN IP address: 10.251.31.65; LAN subnet IP address: 10.254.0.1

Wrong response example:

Log in to device A and type the commands: ping 10.254.0.1 and ping 10.254.0.1 source 10.90.90.1. The response is:

Correct response example:

Log in to device B and type the commands: ping 10.90.90.1 and ping 10.90.90.1 source 10.254.0.1. The response should be:

7.8.16 Modify Routing

1. To avoid the routing problem, add the Policy Route in ZyWALL USG B:

2. Log in to device A and type the commands: ping 10.254.0.1 and ping 10.254.0.1 source 10.90.90.1. The response will now be:

7.8.17 Is the VPN Routing Priority Higher than 1:1 NAT or Other Routing?

In the default routing flow, Policy Route and 1-1 NAT have a higher priority than Site-to-Site VPN. Therefore, enabling a Policy Route or 1-1 NAT may stop the traffic from passing through the VPN tunnel, because all the traffic is sent out through another interface.

7.8.18 Modify Packet Flow Priority

1. To solve the Policy Route issue, check that the routing configuration does not interfere with the VPN connection.

2. To solve the 1-1 NAT problem, reorganize the order of the routing priority.

For legacy models on the ZLD 3.30 platform, use the following CLI command:

ip route control-virtual-server-rules activate

For next-generation USG/ZyWALL series on the ZLD 4.13 platform, go to CONFIGURATION > Network > NAT, enable Use Static-Dynamic Route to Control 1-1 NAT Route and click Apply.

Go to MAINTENANCE > Packet Flow Explore > Routing Status; the priority of Site-to-Site VPN is now higher than the 1-1 NAT route.

7.8.19 Collect Information for CSO Support

Topology

Please provide us with the network topology and a detailed description of the failure symptoms.

Packet capture

1. Go to MAINTENANCE > Diagnostics > Packet Capture > Capture, select the interfaces for the VPN tunnels (WAN/LAN) and click the right arrow button to move them to the Capture Interfaces list. Click Capture.

2. Connect the VPN tunnel and wait until the dial times out.

3. Go to MAINTENANCE > Diagnostics > Packet Capture > Capture. Click Stop.

4. Go to MAINTENANCE > Diagnostics > Packet Capture > Files. Select the WAN/LAN capture files and click Download. Provide the files to us.

Log

1. Go to MONITOR > Log and take a screenshot of the error log when initiating the VPN tunnel fails.

Configuration file

1. Go to MAINTENANCE > File Manager > Configuration File. Select the files (.conf) and click Download. Provide the files to us.

8. Cannot set up the L2TP VPN function successfully

8.1. Cannot connect to the ZyWALL via L2TP client

8.1.1. Incorrect L2TP Address Pool

Check the IP Address Pool configured in the L2TP VPN settings.

Ensure that the L2TP Address Pool does not conflict with any existing LAN1, LAN2, DMZ or WLAN zones, even if they are not in use.

8.1.2. Incorrect Local Policy

Phase 2 local policy mismatch

Check the Local Policy in the VPN connection.

If you use the VPN Setup Wizard to configure the VPN settings for L2TP VPN, the local policy of the VPN connection is automatically and correctly configured as the interface IP of My Address. However, if you configure the L2TP VPN settings manually without the wizard, ensure the local policy is the same IP address as the My Address used for the L2TP VPN connection.

CONFIGURATION > VPN > IPSec VPN > VPN Connection

8.1.3. Incorrect Phase 1 or Phase 2 Settings

1. Phase 1 proposal mismatch

Check the phase 1 settings in the VPN gateway.

If you use the VPN Setup Wizard to configure the VPN settings for L2TP VPN, the phase 1 settings are automatically and correctly configured. However, if you configure the L2TP VPN settings manually without the wizard, ensure the phase 1 settings are configured as follows.

2. Phase 1 IKE SA process done but phase 2 proposal mismatch

Check the phase 2 settings in the VPN connection.

If you use the VPN Setup Wizard to configure the VPN settings for L2TP VPN, the phase 2 settings are automatically and correctly configured. However, if you configure the L2TP VPN settings manually without the wizard, ensure the phase 2 settings are configured as follows.

8.2. User cannot be authenticated

The log contains an alert that the user is denied from the L2TP service because of an incorrect username or password. In addition to checking that the username and password are correct, check whether the Authentication Method and Allowed User are correctly configured.

MONITOR > Log > View Log > Display > L2TP Over IPSec

8.2.1. Authentication Method

The ZyWALL authenticates a remote user before allowing access to the L2TP VPN tunnel, according to the authentication method.

Ensure the L2TP VPN user belongs to one of the authentication servers or to the local database in the configured method list. The default Authentication Method is “default”, whose method list only contains the local database. If the L2TP VPN user belongs to an external authentication server, remember to create a new Authentication Method with the corresponding method list.

CONFIGURATION > Object > Auth. Method > Add

CONFIGURATION > VPN > L2TP VPN

8.2.2. Allowed user

A user or group configured as Allowed User is able to log into the ZyWALL to use the L2TP VPN tunnel.

Ensure the user, or the group it belongs to, is configured as Allowed User. The default Allowed User is "any", which allows any user with a valid username and password to establish an L2TP VPN tunnel. If only a specific group of users has the privilege to establish an L2TP VPN tunnel, remember to create a new group with the specific users and groups.

CONFIGURATION > Object > Users/Group > Group > Add

CONFIGURATION > VPN > L2TP VPN

8.3. Windows service not activated (IKE service)

When establishing an L2TP tunnel, Windows uses the IKE and AuthIP IPSec Keying Modules service to set up the encryption of the packets, so this service must be enabled on your computer.

8.3.1. If the modules are not enabled you will see:

1. The tunnel cannot be established and shows error code 789. The log gives the reason as "security layer encountered a processing error".

2. If you capture the packets on your PC NIC and filter for “isakmp” packets, no such packets are transmitted to the L2TP server.
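The port list in 7.8.2 and the capture check in item 2 above combine into a quick classification of what a capture between the client and the VPN peer actually contains: no IKE leaving the client at all (this section), IKE sent but never answered (7.8.2, 7.8.13), or IKE completed but no ESP/AH following it (7.8.14 onwards). The following is an added example, not ZyXEL code or a real capture: the packet records are constructed, and in practice you would export (src, dst, IP protocol number, UDP destination port) rows from your capture tool:

```python
"""Classify the IPsec traffic between a VPN client and its peer from a capture.

Added example, not ZyXEL code. The packet records are constructed, not a real
capture; feed it (src, dst, ip_protocol, udp_dst_port) rows exported from your
capture tool.
"""
from collections import Counter

# Protocol numbers and UDP ports from the list in 7.8.2.
UDP_PROTO = 17
IKE_PORT = 500      # IKE control path
NAT_T_PORT = 4500   # IKE behind NAT; the same port also carries ESP-in-UDP
ESP_PROTO = 50      # data path
AH_PROTO = 51       # data path

# Constructed sample records: (src, dst, ip_protocol, udp_dst_port or None).
CLIENT, PEER = "192.0.2.10", "198.51.100.1"
NO_IKE = [
    (CLIENT, PEER, UDP_PROTO, 1701),          # bare L2TP, IKE never started
    (CLIENT, "203.0.113.5", 6, None),         # unrelated TCP
]
NO_REPLY = [(CLIENT, PEER, UDP_PROTO, IKE_PORT)] * 3
IKE_ONLY = [
    (CLIENT, PEER, UDP_PROTO, IKE_PORT),
    (PEER, CLIENT, UDP_PROTO, IKE_PORT),
]
TUNNEL_OK = IKE_ONLY + [
    (CLIENT, PEER, ESP_PROTO, None),
    (PEER, CLIENT, ESP_PROTO, None),
]


def count_ipsec(packets, client, peer):
    """Count control / nat_t / data packets per direction between client and peer.

    Returns a Counter keyed by (kind, "out" | "in"), "out" meaning client -> peer.
    """
    seen = Counter()
    for src, dst, proto, dport in packets:
        if {src, dst} != {client, peer}:
            continue                         # traffic with other hosts is ignored
        direction = "out" if src == client else "in"
        if proto == UDP_PROTO and dport == IKE_PORT:
            seen[("control", direction)] += 1
        elif proto == UDP_PROTO and dport == NAT_T_PORT:
            seen[("nat_t", direction)] += 1
        elif proto in (ESP_PROTO, AH_PROTO):
            seen[("data", direction)] += 1
    return seen


def diagnose(packets, client, peer):
    """Map what the capture contains to the symptom sections of this guide."""
    seen = count_ipsec(packets, client, peer)

    def sent(kind):
        return seen[(kind, "out")] > 0

    def received(kind):
        return seen[(kind, "in")] > 0

    if not (sent("control") or sent("nat_t")):
        return "no-ike-sent"    # 8.3.1: the client never starts IKE (keying service, PC firewall)
    if not (received("control") or received("nat_t")):
        return "no-ike-reply"   # UDP 500/4500 dropped on the path or by the peer (7.8.2, 7.8.13)
    if not (sent("data") or sent("nat_t")):
        return "no-data-path"   # IKE finished but no ESP/AH: routing or policy issue (7.8.14 onwards)
    return "ok"


if __name__ == "__main__":
    for label, sample in [("no IKE", NO_IKE), ("no reply", NO_REPLY),
                          ("IKE only", IKE_ONLY), ("tunnel up", TUNNEL_OK)]:
        print(f"{label:10s} -> {diagnose(sample, CLIENT, PEER)}")
```

UDP 4500 is counted as both control and data because, behind NAT, IKE and the ESP payload share that port; a capture that shows only UDP 4500 in both directions is therefore reported as "ok" and needs the per-packet view in the capture tool to tell the two apart.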

8.3.2. How to enable IKE and AuthIP IPSec Keying Modules

1. Go to Control Panel > System and Security > Administrative Tools > Services and find “IKE and AuthIP IPSec Keying Modules”. Right-click it and select Properties to configure its status.

Enable IKE and AuthIP IPSec Keying Modules

8.4. After the L2TP VPN tunnel is established, the client can’t access the Internet

8.4.1. After establishing the L2TP VPN tunnel, no Internet traffic passes at all

After you have established the L2TP VPN tunnel successfully, the device assigns an IP address to your PC. You can then access all the network resources behind the USG without additional configuration. Because Windows has no split-tunnel mechanism here, your Internet traffic is also sent into the L2TP VPN tunnel. If you do not add an additional policy route, your Internet traffic will time out because no response comes back from the Internet server.

8.4.2. After you have established the L2TP VPN tunnel you will see:

1. If your L2TP VPN tunnel configuration has no problems, your L2TP VPN network connection icon looks like the following image.

2. You can also use the CLI command route print to show your routing table. An additional routing rule has been added to the routing table automatically. (It means all the traffic is sent into the L2TP tunnel via 20.20.20.1, the address you received after establishing the L2TP tunnel.)

8.4.3. How to add an additional routing rule for L2TP clients to access the Internet

1. Go to CONFIGURATION > Network > Routing > Policy Route and click the Add button.

2. Source Network Address Translation must be set to outgoing-interface. The L2TP clients’ Internet traffic then uses the interface IP address to access the Internet.

9. If you are not able to configure UTM policies, or they are not working

Troubleshooting Flowchart:

9.1. Check service expiration

9.1.1 Have you subscribed to the UTM service?

If you have not subscribed, go to 10.1.2

If you have subscribed, go to 10.1.3

1. ZyWALL models need a license for UTM (Unified Threat Management) functionality.

2. You need to create a myZyXEL.com account before you can register your device and activate the services at myZyXEL.com.

3. You need your ZyWALL/USG’s serial number and LAN MAC address to register it. Refer to the web site’s on-line help for details.

9.1.2 Registration on myZyXEL.com 2.0

Account Creation

1 Click the link from the Registration screen of your ZyXEL device’s Web Configurator, or click the myZyXEL.com 2.0 icon on the portal page (https://portal.myzyxel.com/); the Sign In screen displays.

Note: After you apply the UTM service, sessions that are already running continue until they finish.

2 Click Not a Member Yet to open the Sign Up screen, where you can create an account.

myZyXEL.com > Not a Member Yet

3 Select the Registration Type to create an Individual account or a Business account. An Individual account is for non-commercial end users of ZyXEL products. A Business account is for commercial users; a VAT # is required (the requirement varies between countries).

4 After you click Submit, myZyXEL.com 2.0 sends you an account activation notification e-mail. Click the URL link in the e-mail to activate your account and log into myZyXEL.com 2.0.

5 After activating by e-mail, sign in to myZyXEL.com 2.0 to register or manage your devices and services. If you have a business account, go to the account page and press the Reseller Request button.

Note: A business account can be changed into a channel partner account by an administrator. With a channel partner account, you can register multiple devices and/or services at a time and check service status reports. Contact your sales representative to obtain a channel partner account.

Device Registration

6 Click Device Registration in the navigation panel to open the screen. Use this screen to register your device with myZyXEL.com.

Enter the device’s (first) MAC Address and Serial Number, which can be found on the sticker on the back of the device. Click Submit.

If you access myZyXEL.com from the Registration screen of your ZyXEL device’s Web Configurator, the device MAC Address and Serial Number are displayed automatically.

Service Registration (In the Case of a Standard License)

7 Click Service Registration in the navigation panel to open the screen. Fill in the License Key as shown on the E-iCard License.

8 Go to the Service Management page and click the Link button. Select the device, then click the Activate button to initiate the service license. You will get a Service Activation Notice e-mail when you activate a new service.

Device Management (In the Case of Registering Bundled Licenses)

9 Go to Device Management and click the MAC Address hyperlink of your device. In the Linked Services page, click the Activate button to initiate the service license. You will get a Service Activation Notice e-mail when you activate a new service.

Refresh Service

10 After the service is activated, go to the ZyWALL/USG CONFIGURATION > Licensing > Registration > Service screen and click the Service License Refresh button to update the Status.

9.1.3 Has your UTM service expired?

If your UTM service has expired, go to 10.1.4

If your UTM service has not expired, go to 10.2.1

9.1.4 Extend UTM license

11 Go to ZyWALL/USG CONFIGURATION > Licensing > Registration > Service to check the Service Status.

12 Click the link from the Registration screen of your ZyXEL device’s Web Configurator, or click the myZyXEL.com 2.0 icon on the portal page (https://portal.myzyxel.com/); the Sign In screen displays.

13 To renew your license, simply click the Buy button on the Service Management page at myZyXEL.com.

You can also contact your reseller or ZyXEL’s local agent for license renewals. If you cannot locate an agent near you, please contact ZyXEL’s local support.

Local ZyXEL contact information:

http://www.zyxel.com/tw/zh/where_to_buy/where_to_buy.shtml

14 After the service is extended, go to the ZyWALL/USG CONFIGURATION > Licensing > Registration > Service screen and click the Service License Refresh button to update the Status.

9.2. Signature Update

The UTM service provides updates to Anti-Virus and IDP / App Patrol. The UTM service involves a number of servers across the world that provide updates to your ZyWALL/USG device. Problems can occur with the connection to the UTM servers.

9.2.1 Has your UTM service been updated?

If your UTM service has not been updated, go to 10.2.2

If your UTM service has been updated, go to 10.3.1

9.2.2 Update UTM service

1 The ZyWALL/USG comes with signatures for the Anti-Virus, IDP and Application Patrol features. These signatures are continually updated as new attack types evolve. New signatures can be downloaded to the ZyWALL/USG periodically if you have subscribed to the Anti-Virus, IDP and Application Patrol signature service.

2 Click the Update Now button to have the ZyWALL/USG check for new signatures immediately. If there are new ones, the ZyWALL/USG downloads them.

9.3. Security Policy Direction

For through-ZyWALL/USG policies, select the correct direction of travel of the packets to which the UTM policy applies. For example, if you would like to scan all LAN to WAN and WAN to LAN traffic for viruses, you should create security policies that select an Anti-Virus profile for both LAN to WAN and WAN to LAN traffic, or for Any to Any.

9.3.1 Is your UTM policy applied in the correct direction?

If your UTM policy is applied in the wrong direction, go to 10.3.2

If your UTM policy is applied in the correct direction, go to 10.4

9.3.2 Modify Security Policy direction

3 Go to CONFIGURATION > Security Policy > Policy Control and make sure your UTM policy is applied in the correct direction.

10. Device-HA doesn't work

Troubleshooting Flowchart:

10.1. After Fail-Over, Switch ARP Learning Mode

When enabling Device HA, ZyWALL/USG will generate a virtual MAC address for the IP

address base on the "Cluster ID". If these two Device HA groups are using the same

"Cluster ID", ZyWALL/USG will generate the same MAC address to two Device HA

groups. As a result, it will lead to switch confusion and causing packet lost. So if there

are more than one Device HA group behind the same switch, please use different

cluster IDs.

10.1.1 Have you configured the same Cluster ID for different Device HA groups?

If you have configured the same Cluster ID, go to 10.1.2

If you haven't configured the same Cluster ID, go to 10.2

10.1.2 Cluster ID

Go to CONFIGURATION > Device-HA > Active-Passive Mode > Cluster Setting >

Cluster ID. Use a different cluster ID to identify each virtual router. In the following

example, ZyWALL/USG A and B form a virtual router that uses cluster ID 1, and

ZyWALL/USG C and D form a virtual router that uses cluster ID 2.


10.2. Synchronize issue

The Device-HA devices use FTP to synchronize configuration, VRRP to monitor interface

status, and a shared password to authenticate synchronization. Problems occur when

the devices cannot reach each other on these services or when their settings differ.

10.2.1 Have you configured the same FTP port for both master and backup devices?

If you haven't configured the same FTP port, continue reading section 10.2.1

If you have configured the same FTP port, go to 10.2.2

1. Go to CONFIGURATION > Device-HA > Active-Passive Mode > Synchronization >

Server Port. If this ZyWALL/USG is set to the Master role, Server Port displays the

ZyWALL/USG's Secure FTP port number. If this ZyWALL/USG is set to the Backup role,

enter the port number to use for Secure FTP when synchronizing with the specified

master ZyWALL/USG.


2. Go to CONFIGURATION > System > FTP on the master device if you need to change the

FTP port number. Every ZyWALL/USG in the virtual router must use the same port

number. If the master ZyWALL/USG's port changes, you have to change this port

number manually on the backups.


10.2.2 Have you enabled the FTP service?

If you haven't enabled the FTP service, continue reading section 10.2.2

If you have enabled the FTP service, go to 10.2.3

1. Select Enable, and make sure the Service Control table contains the IP address of the

other Device-HA member, so that it can reach the ZyWALL/USG's FTP service for

Device-HA synchronization. Restrict the Service Control entry to the peer's

synchronization address rather than allowing any source; FTP is only needed between

the cluster members.

10.2.3 Does the Security Policy block the FTP/VRRP services?

If your Security Policy doesn't allow the FTP or VRRP service, continue reading

section 10.2.3

If your Security Policy allows the FTP and VRRP services, go to 10.2.4

FTP Service

1. Device-HA devices use FTP to synchronize configuration. Go to CONFIGURATION >

System > FTP on both master and backup devices and make sure Service Control

allows the peer to access the ZyWALL/USG's FTP service for Device-HA synchronization.


2. Go to CONFIGURATION > Security Policy > Policy Control and make sure the

corresponding rule (the rule for traffic to the ZyWALL on the synchronization interface)

allows the FTP service for Device-HA synchronization.


VRRP Service

1. The master's monitored VRRP interfaces send a VRRP advertisement every second,

and the backup's monitored VRRP interfaces expect to see one every second. If the

backup sees no advertisement for three seconds, it takes over. The VRRP service must

therefore be allowed on the monitored interfaces: if a policy drops the advertisements,

the backup concludes the master is down while the master is still running, and both

devices claim the virtual IP address and virtual MAC address at the same time.

2. Go to CONFIGURATION > Security Policy > Policy Control and make sure the

corresponding rule allows the VRRP service to the ZyWALL/USG for Device-HA

monitoring.
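The two failure modes above, the shared cluster ID of 10.1 and the three-second advertisement dead timer of 10.2.3, worked through in an added Python example. This is not code from the guide or from ZyXEL's firmware. It assumes the ZyWALL/USG sends standard VRRPv2 advertisements (RFC 3768) with the cluster ID in the VRID field and derives the cluster's virtual MAC from the IANA convention 00-00-5E-00-01-{VRID}; the advertisements, source addresses and timestamps below are constructed test data, and the checksum is left at zero because only the header fields matter here.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# VRRPv2 (RFC 3768) advertisement header, network byte order:
# version/type (1 byte), VRID (1), priority (1), count of IPv4 addrs (1),
# auth type (1), advertisement interval in seconds (1), checksum (2),
# followed by the virtual IPv4 addresses and 8 bytes of auth data.
VRRP_HDR = struct.Struct("!BBBBBBH")
VRRP_VERSION, VRRP_ADVERT = 2, 1


@dataclass
class Advert:
    src: str                 # address the advert came from (a master's physical interface)
    vrid: int                # VRID; assumed to carry the Device-HA cluster ID
    priority: int
    interval: int            # advertisement interval, seconds
    vips: List[str] = field(default_factory=list)


def build_advert(vrid: int, priority: int, interval: int, vips: List[str]) -> bytes:
    """Construct a VRRPv2 advertisement payload as test input (checksum left 0)."""
    hdr = VRRP_HDR.pack((VRRP_VERSION << 4) | VRRP_ADVERT, vrid, priority,
                        len(vips), 0, interval, 0)
    body = b"".join(bytes(int(o) for o in ip.split(".")) for ip in vips)
    return hdr + body + b"\x00" * 8


def parse_vrrp(payload: bytes, src: str) -> Advert:
    """Decode the fields that matter for Device-HA troubleshooting."""
    ver_type, vrid, prio, count, _auth, interval, _csum = VRRP_HDR.unpack_from(payload)
    if ver_type >> 4 != VRRP_VERSION or ver_type & 0x0F != VRRP_ADVERT:
        raise ValueError("not a VRRPv2 advertisement")
    off = VRRP_HDR.size
    if len(payload) < off + 4 * count + 8:
        raise ValueError("truncated advertisement")
    vips = [".".join(str(b) for b in payload[off + 4 * i: off + 4 * i + 4])
            for i in range(count)]
    return Advert(src, vrid, prio, interval, vips)


def virtual_mac(vrid: int) -> str:
    """IANA-reserved VRRP virtual MAC 00-00-5E-00-01-{VRID}. Assumption: the
    ZyWALL/USG derives its cluster virtual MAC the same way."""
    return f"00:00:5e:00:01:{vrid:02x}"


def vrid_collisions(adverts: List[Advert]) -> Dict[int, Set[str]]:
    """VRIDs advertised by more than one distinct master: two Device-HA groups
    on one switch sharing a cluster ID, and therefore a virtual MAC."""
    seen: Dict[int, Set[str]] = {}
    for a in adverts:
        seen.setdefault(a.vrid, set()).add(a.src)
    return {v: s for v, s in seen.items() if len(s) > 1}


def master_down_at(times: List[float], now: float,
                   interval: float = 1.0, missed: int = 3) -> Optional[float]:
    """Replay the backup's dead timer over the times (seconds) at which it saw
    master adverts. The backup takes over once `missed` intervals pass with no
    advert (3 s at the default 1 s interval). Returns the takeover time, or
    None if the stream never gaps that long up to `now`."""
    dead = missed * interval
    for prev, nxt in zip(times, times[1:]):
        if nxt - prev > dead:
            return prev + dead
    if times and now - times[-1] > dead:
        return times[-1] + dead
    return None


if __name__ == "__main__":
    # Constructed capture: groups A/B and C/D both use cluster ID 1.
    seen = [
        parse_vrrp(build_advert(1, 100, 1, ["192.168.1.1"]), src="192.168.1.2"),
        parse_vrrp(build_advert(1, 100, 1, ["192.168.2.1"]), src="192.168.2.2"),
    ]
    for vrid, masters in vrid_collisions(seen).items():
        print(f"cluster ID {vrid} -> virtual MAC {virtual_mac(vrid)} "
              f"claimed by {sorted(masters)}")
    # Adverts seen at t=0..3 s, then nothing until t=9 s: takeover at t=6 s.
    print("backup takes over at", master_down_at([0, 1, 2, 3, 9], now=9))
```

Feed parse_vrrp the UDP-less IP payload of captured VRRP packets (protocol 112, multicast 224.0.0.18) and the source address of each; a VRID reported by two different sources on one segment is the condition 10.1 warns about, and a gap longer than three seconds in the timeline of one master is exactly when a policy that drops VRRP would trigger a false fail-over.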

10.2.4 Does the Security Policy block another port during synchronization?

If you see in the log that a port is still blocked after the FTP and VRRP services are

allowed, continue reading section 10.2.4

If you see in the log that no port is blocked, go to 10.2.5

1. If MONITOR > Log shows that a port is blocked even after the FTP and VRRP

services are allowed, go to CONFIGURATION > Security Policy > Policy Control and

add a rule that allows the blocked port between the Device-HA members.


10.2.5 Have you configured the same synchronization password for both master and

backup devices?

If you haven't configured the same synchronization password, continue reading

section 10.2.5

If you have configured the same synchronization password, go to 10.2.6

1. Go to MONITOR > Log. If the log shows the alert "User Failed login attempt to

ZyWALL from ftp (incorrect password or inexistent username)", the Device-HA

synchronization passwords don't match. Go to CONFIGURATION > Device-HA >

Active-Passive Mode > Synchronization > Password and enter the password used for

verification during synchronization. Every ZyWALL/USG in the virtual router must use the

same password.
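A small triage of MONITOR > Log entries for the two symptoms in 10.2.4 and 10.2.5, as an added Python example that is not part of this guide or of ZyXEL's firmware. The only text taken from the guide is the FTP failed-login message; the column layout (time, source, destination, protocol, priority, category, message) and the sample lines, including the drop messages and the successful login, are constructed for this example and will not match a real export byte for byte.

```python
import csv
import io
from typing import Dict, List, Set, Tuple

# Exact alert text quoted by the guide for a synchronization password mismatch.
FTP_AUTH_FAIL = ("User Failed login attempt to ZyWALL from ftp "
                 "(incorrect password or inexistent username)")

COLUMNS = ["time", "src", "dst", "proto", "priority", "category", "message"]

# Constructed sample log (assumed column layout). 224.0.0.18 is the VRRP
# multicast group; a drop there means the backup cannot see advertisements.
SAMPLE_LOG = """\
2016-08-01 10:00:01,192.168.1.3,192.168.1.2,TCP,alert,user,User Failed login attempt to ZyWALL from ftp (incorrect password or inexistent username)
2016-08-01 10:00:02,192.168.1.3,192.168.1.2:21,TCP,notice,secure-policy,Match default rule DROP
2016-08-01 10:00:03,192.168.1.3,224.0.0.18,VRRP,notice,secure-policy,Match default rule DROP
2016-08-01 10:00:04,192.168.1.3,192.168.1.2:21,TCP,info,user,User devha has logged in from ftp
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn the CSV-style export into a list of field dictionaries."""
    return [dict(zip(COLUMNS, row)) for row in csv.reader(io.StringIO(text)) if row]


def triage(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Map each entry to the check in the guide it points at:
    10.2.5 for an FTP authentication failure (password mismatch),
    10.2.4 for a security policy drop on any port used by synchronization."""
    findings = []
    for e in entries:
        if e["message"] == FTP_AUTH_FAIL:
            findings.append({"check": "10.2.5", "src": e["src"],
                             "issue": "synchronization password mismatch"})
        elif e["category"] == "secure-policy" and "DROP" in e["message"]:
            host, _, port = e["dst"].rpartition(":")
            findings.append({"check": "10.2.4", "src": e["src"],
                             "proto": e["proto"], "port": port if host else "-",
                             "issue": f"policy drops {e['proto']} to {e['dst']}"})
    return findings


def still_blocked(findings: List[Dict[str, str]]) -> Set[Tuple[str, str]]:
    """(protocol, port) pairs a policy rule still needs to allow."""
    return {(f["proto"], f["port"]) for f in findings if f["check"] == "10.2.4"}


if __name__ == "__main__":
    found = triage(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f['check']}: {f['issue']} (from {f['src']})")
    print("add policy rules for:", sorted(still_blocked(found)))
```

Run it against an exported log from the synchronization interface's time window; an empty still_blocked set together with no 10.2.5 finding means the remaining suspects are the hang and subnet cases in 10.2.6 and 10.2.7.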

10.2.6 Have you experienced a synchronization hang?

1. In some situations the device takes a long time to synchronize: Device-HA sync first

succeeds but then hangs for more than 10 minutes. As an example, with over 3800

content filtering rules and a 456 KB configuration file, the Device-HA backup device

takes around 20 minutes to synchronize.

2. To avoid this, use the Auto Synchronize feature in Device HA. Use the master's

management IP address as the server address instead of a virtual IP address, since a

virtual IP address follows whichever device is currently master. An interval of 60

minutes is a reasonable setting.


10.2.7 Subnet conflict

If a VLAN interface subnet overlaps with the Device-HA interface subnet, the

ZyWALL/USG cannot tell which interface to send the synchronization traffic out of.

Make sure there is no subnet conflict.

If you have configured overlapping subnets, continue reading section 10.2.7

If you haven't configured overlapping subnets, go to 10.3

Go to CONFIGURATION > Network > Interface and make sure your Ethernet and VLAN

interface subnets do not overlap with each other.
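The overlap check above, as an added Python example that is not part of this guide or of ZyXEL's firmware. The interface table is constructed for illustration: lan1 is taken to be the Device-HA synchronization interface and vlan10 is deliberately placed inside lan1's subnet so that a peer address matches two interfaces, which is the ambiguity the section describes; the corrected table moves vlan10 to its own subnet.

```python
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed interface table (name -> address/prefix as shown under
# CONFIGURATION > Network > Interface); not taken from a real device.
INTERFACES: Dict[str, str] = {
    "lan1": "192.168.1.1/24",      # assumed Device-HA synchronization interface
    "lan2": "192.168.2.1/24",
    "vlan10": "192.168.1.129/25",  # sits inside lan1's subnet: the conflict
    "vlan20": "10.10.20.1/24",
}

# The same table with vlan10 moved to a subnet of its own.
FIXED: Dict[str, str] = dict(INTERFACES, vlan10="192.168.10.1/24")


def networks(interfaces: Dict[str, str]) -> Dict[str, ipaddress.IPv4Network]:
    """Interface name -> the subnet its address/prefix belongs to."""
    return {name: ipaddress.ip_interface(cidr).network
            for name, cidr in interfaces.items()}


def overlapping_subnets(interfaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Every pair of interfaces whose subnets overlap, in name order."""
    nets = networks(interfaces)
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def egress_candidates(interfaces: Dict[str, str], dst: str) -> List[str]:
    """Interfaces whose subnet contains `dst`. More than one result is the
    situation in which the device cannot pick an interface for sync traffic."""
    addr = ipaddress.ip_address(dst)
    return sorted(name for name, net in networks(interfaces).items() if addr in net)


def sync_conflicts(interfaces: Dict[str, str], sync_iface: str) -> List[str]:
    """Interfaces that overlap the Device-HA synchronization interface."""
    return [b if a == sync_iface else a
            for a, b in overlapping_subnets(interfaces) if sync_iface in (a, b)]


if __name__ == "__main__":
    peer = "192.168.1.200"   # constructed address of the other cluster member
    for label, table in (("before", INTERFACES), ("after", FIXED)):
        print(label, "overlaps:", overlapping_subnets(table),
              "| sync peer reachable via:", egress_candidates(table, peer))
```

The check goes beyond the VLAN-versus-Device-HA case in the text: it reports any overlapping pair among the Ethernet and VLAN interfaces, which is what the last paragraph of 10.2.7 asks you to verify.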


10.3. Collect information for CSO support

1. A detailed network diagram with the complete IP address scheme.

2. The configuration file, firmware version, and model name of both the master and

backup devices.

3. Log files from the time the Device-HA synchronization failed.