ZyWALL/USG Series. Troubleshooting Guide. Security Firewalls. ZyWALL 110 / 310 / 1100
- Marvin Stone
- 5 years ago
ZyWALL/USG Series
ZyWALL 110 / 310 / 1100
USG40 / USG40W / USG60 / USG60W / USG110 / USG210 / USG310 / USG1100 / USG1900
Security Firewalls
Firmware Version 4.13 ~ 4.15
Edition 1, 8/2016
Troubleshooting Guide

Default Login Details
LAN Port IP Address
User Name: admin
Password: 1234

Copyright 2016 ZyXEL Communications Corporation
Table of Contents

1. HOW TO ACCESS TO THE ZYWALL/USG
ACCESS THE ZYWALL/USG BY HTTPS
ACCESS THE ZYWALL/USG BY SSH
ACCESS THE ZYWALL/USG BY TELNET
ACCESS THE ZYWALL/USG BY CONSOLE
BASIC INFORMATION COLLECTION
COLLECT DIAGNOSTIC INFORMATION FILE
    By GUI
    By CLI
    Packet Capture
    USB storage
HARDWARE TROUBLESHOOTING
TOOLS AND SYSTEMS NEEDED
PREPARE DEVICE FOR INITIAL TEST
FIRMWARE RECOVERY
DEVICE REBOOT RANDOMLY
COLLECTING MORE DEBUG MESSAGE
    Collecting console log
    Collecting diag-info
CANNOT ACCESS TO THE DEVICE
FIREWALL RULE
    If you are not able to access the ZyWALL/USG by HTTPS
    If you are not able to access the ZyWALL/USG by SSH
    If you are not able to access the ZyWALL/USG by TELNET
DHCP (IP/MAC BINDING)
    Check DHCP Setting
CANNOT ACCESS TO THE DEVICE
PORT ISSUE
    Issue description
    Solution
ADMIN SERVICE CONTROL ISSUE
    Issue description
    Solution
OSPF ROUTING ISSUE
    Unable to distribute routes to the connected device
    Unable to get routes from the connected device
CANNOT ACCESS INTERNET (SESSION FULL/FIREWALL BLOCK)
    Session full
    Firewall block
CANNOT ACCESS INTERNET (ANTI-SPAM)
    If you are not able to receive/send e-mails via ZyWALL/USG
    Must be collected information
CANNOT SET UP THE IPSEC VPN FUNCTION SUCCESSFULLY
VPN CONNECTION CANNOT BE ESTABLISHED
    If facing the VPN connection problem, here are the possible root cause:
    Once the VPN tunnel cannot established then:
    Once have the connection problem please just check the log IKE category for more information
CANNOT ESTABLISH VPN TUNNEL VIA 3GLTE INTERFACE
    Is the Dongle Included in ZyWALL/USG Support List?
    Change to Supported Dongle
    Is the Cellular Status Ready?
    Activate Cellular Status and Check ISP Account Settings
    Is the Connectivity Set to Nailed-Up?
    Modify Connectivity Setting
    Is the Cellular Interface Included in the WAN Trunk?
    Modify Trunk
    Is there Any Routing Policy Related to WAN Interface?
    Check Routing Policy
    Collect Information to CSO Support
VPN FALLBACK IS NOT WORKING
    The VPN tunnel has establish VPN tunnel successfully, but tunnel can't fallback to primary peer gateway
    Verify configuration
CANNOT SET UP THE IPSEC VPN FUNCTION BY VPN PROVISION SUCCESSFULLY
    Configuration is successful but the field Remote Gateway Address is empty
    Authentication Failed
    Server Not Found
IPSEC VPN CLIENT ON WIN10 OPERATION SYSTEM
    Can't use IPSec VPN client on win10 system
    The vital of configuration of IPSec Client on Win10
    Wireless possible issue symptoms
CANNOT SET UP THE IKEV2 VPN TUNNEL SUCCESSFULLY
    If IKEv2 traffic does not work completely from your PC
    If IKEv2 tunnel is not up
    VPN tunnel is up, but there is no traffic pass through USG to internet
    Must be collected information
VPN CONCENTRATOR WITH THE PROBLEM
    Site-to Site VPN tunnel is up:
    VPN Concentrator on Central side
    Policy route on both branch sides
    Must be collected information
IPSEC VPN TUNNEL WAS ESTABLISHED SUCCESSFULLY, BUT THE TRAFFIC CAN'T PASS THROUGH THE TUNNEL
    Is the PC Firewall Disabled?
    Is the PC Firewall Allowed VPN/ICMP Traffic?
    Modify PC Firewall Setting
    Is the USG NetBIOS Enabled?
    Modify NetBIOS Setting
    Perform Ping Check Command from PC
    Is there Any Response from the Remote Site?
    Perform Ping Check from PC to Local/Remote Gateway
    Is there Any Response from the Local /Remote Gateway?
    Modify Local/Remote Gateway Setting
    Disable Security Policy on Device
    Is there Any Response from the Remote Site?
    Modify Security Policy Setting
    Perform Ping Check Command from Router
    Is there Any Response from the Remote Subnet?
    Modify Routing
    Does the VPN Routing Priority Higher than 1:1 NAT or Other Routing?
    Modify Packet Flow Priority
    Collect Information to CSO Support
CANNOT SET UP THE L2TP VPN FUNCTION SUCCESSFULLY
CANNOT CONNECT TO THE ZYWALL VIA L2TP CLIENT
    Incorrect L2TP Address Pool
    Incorrect Local Policy
    Incorrect Phase 1 or Phase 2 Settings
USER CANNOT BE AUTHENTICATED
    Authentication Method
    Allowed user
WINDOWS SERVICE NOT ACTIVATED (IKE SERVICE)
    If you are not enabled modules you will saw:
    How to enable IKE and AuthIP IPSec Keying Modules
AFTER L2TP VPN TUNNEL IS ESTABLISHED, THE CLIENT CAN'T ACCESS TO THE INTERNET
    After establish L2TP VPN tunnel all of Internet traffic can't pass at all
    After you established L2TP VPN tunnel you will saw:
    How to add additional routing rule for L2TP clients to access internet?
IF YOU'RE NOT BE ABLE TO CONFIGURE UTM POLICIES OR IT'S NOT WORKING
CHECK SERVICE EXPIRATION
    Have you subscribed for the UTM service?
    Registration on myzyxel.com
    Have your UTM service expired?
    Extend UTM license
SIGNATURE UPDATE
    Have your UTM service updated?
    Update UTM service
SECURITY POLICY DIRECTION
    Is your UTM policy applied to correct direction?
    Modify Security Policy direction
DEVICE-HA DOESN'T WORK
AFTER FAIL-OVER, SWITCH ARP LEARNING MODE
    Have you configured the same Cluster ID for the different Device HA groups?
    Cluster ID
10.2. SYNCHRONIZE ISSUE
    Have you configured the same FTP port for both master and backup devices?
    Have you enabled FTP service?
    Does Security Policy block FTP/VRRP services?
    Does Security Policy block other port when synchronize?
    Have you configured the same synchronization password for both master and backup devices?
    Have you experienced synchronization hang issue?
    Subnet conflict
COLLECT INFORMATION TO CSO SUPPORT

1. How to Access the ZyWALL/USG

1.1. Access the ZyWALL/USG by HTTPS
1. Connect a PC to lan1 and open a web browser. Type the login screen appears. Type the user name (default: admin) and password (default: 1234).

Access the ZyWALL/USG by SSH
1. Connect a PC to lan1 and open PuTTY Configuration. Type into the Host Name and modify Port number to be the same as your ZyWALL/USG setting (go to CONFIGURATION > System > SSH). Select Configuration Type to be SSH and click Open.
2. The SSH session page appears:

1.3. Access the ZyWALL/USG by TELNET
1. Connect a PC to lan1 and open PuTTY Configuration. Type into the Host Name and modify Port number to be the same as your ZyWALL/USG setting (go to CONFIGURATION > System > Telnet). Select Configuration Type to be Telnet and click Open.
2. The Telnet session page appears:

1.4. Access the ZyWALL/USG by Console
1. Connect your PC to the console port using a console cable. Open PuTTY Configuration. Type the Serial line number (if you're using a Windows PC, you can find it in Device Manager > Ports) and modify Speed number to be the same as your ZyWALL/USG setting (go to CONFIGURATION > System > Console Speed, default speed is ). Select Configuration Type to be Serial and click Open.
3. The Console session page appears:

2. Basic Information Collection

2.1. Collect Diagnostic Information File

By GUI
1. Go to MAINTENANCE > Diagnostics > Diagnostics, and click Collect Now.
2. After the collection finishes, click Download.

By CLI
1. Log in to the console as admin and enter the CLI command below (use TeraTerm or PuTTY).
    Router> diag-info collect
2. After the collection finishes, use the CLI to show the diag-info file name, then go to the GUI to download the file.
    Router> show diag-info

Packet Capture
1. Go to MAINTENANCE > Diagnostics > Packet Capture > Capture. Select the interface and click Capture. (A filter condition can be applied if needed.)
2. Go to MAINTENANCE > Diagnostics > Packet Capture > Files, and download the packets.

USB storage
1. Ensure the file system format of the USB storage is FAT32.
2. Go to CONFIGURATION > System > USB Storage. Select Active USB Storage service, then click Apply.
3. Go to MONITOR > System Status > USB Storage > Storage Information, and check the USB status.
4. What kind of information can be saved on USB storage?
   - Diagnostic info
   - Packet capture
   - System log

3. Hardware Troubleshooting

3.1 Tools and Systems Needed
1. Laptop x 2; one connects via console and Ethernet cable for device management, one connects via Ethernet cable for basic traffic testing.
2. Console setting:
   Baud rate:
   Data: 8 bit
   Parity: none
   Stop: 1 bit
   Flow control: none
3. Windows 7 Operating System (firewall turned off)
4. USB to RS232 console cable
5. Power cord
6. RJ-45 Ethernet cable

3.2. Prepare Device for Initial Test
1. Prerequisite: Reset the device by pressing the RESET button for 5 seconds while the device is powered on.

RESET button location: USG40, USG40W, USG60, USG60W,
ZyWALL110/USG110/USG210, ZyWALL310/ZyWALL1100/USG310/USG1100/USG1900

Test 1: Power on the DEVICE and check the PWR LED status.
a. PWR LED stays green: Normal
b. PWR LED doesn't turn on: PWR001 No Power

Test 2: Check the SYS LED status.
a. Wait until the SYS LED is steady on. The device SYS LED keeps blinking for less than 4 minutes.
b. If the SYS LED keeps blinking for more than 5 minutes: SYS006 Boot failure
c. Recovery: Check the Appendix1.
d. If the device cannot be recovered by the procedure: SYS006 Boot failure
e. SYS LED stays green: Normal

Test 3: Check the Port LED status.
a. Laptop1 connects to the DEVICE ports with an Ethernet cable.
b. Port upper right LED is steady on (color is Amber): Normal
c. Port LED cannot turn on: ETH001 Ethernet port dead
d. Port upper left LED blinks aperiodically (color is Green): Normal

Test 4: Check the packet forwarding.
USG40/40W, USG60/60W
a. Laptop1 connects to a LAN port with an Ethernet cable.
b. Modify the laptop IP address to , mask
c. Laptop2 connects to another LAN port with an Ethernet cable.
d. Modify the IP address to , mask
e. Laptop1 pings Laptop2 for 30 seconds.
f. If there is no packet loss: Normal
g. If there is ping loss: ETH004 Ethernet port ping packet loss

ZyWALL110/USG110/USG210
a. Laptop1 connects to a LAN port (P4) with an Ethernet cable.
b. Modify the laptop IP address to , mask
c. Laptop2 connects to another LAN port (P5) with an Ethernet cable.
d. Modify the IP address to , mask
e. Laptop1 pings Laptop2 for 30 seconds.
f. If there is no packet loss: Normal
g. If there is ping loss: ETH004 Ethernet port ping packet loss

Test 5: Check WiFi.
Model: USG40W/USG60W
a. Laptop1 and Laptop2 try to connect to the SSID ZyXEL via WiFi. The laptop WiFi interface settings should be as below:
b. If WiFi connects successfully: Normal
c. If WiFi can't scan or connect to the ZyXEL SSID: WLN004 WLAN Connect failed
d. Laptop1 pings the Laptop2 IP address.
e. Ping success: Normal
f. Ping failed: WLN005 WLAN Ping error (Ping loss)

Test 6: Check the USB port.
USG40/40W
a. Connect the flash drive to the USB port. Check the USB LED.
b. Steady on Green: Normal
c. LED does not turn on: USB001 USB port dead

USG60/60W/110/210/310/1100/1900, ZyWALL110/310/1100
a. Connect the flash drive to the USB port. Log in to the device GUI, check the device virtual diagram and see if the flash drive is detected.
b. USB drive is detected: Normal
c. USB drive can't be detected: USB001 USB port dead

3.3. Firmware Recovery
In some rare situations (symptoms as follows), the ZyWALL/USG might not boot up successfully after a firmware upgrade. The following procedure recovers the firmware to a normal condition. Please connect a console cable to the ZyWALL/USG.

1. Symptoms:
- Booting succeeds but the device shows the error message "can't get kernel image" while booting.
- The device reboots infinitely.
- Nothing displays after "Press any key to enter debug mode within 3 seconds." for more than 1 minute.
- The startup message displays "Invalid Recovery Image".
  The message here could be "Invalid Firmware". However, it is equivalent to "Invalid Recovery Image".

2. Recovery steps:
- Press any key to enter debug mode.
- Enter atkz f l to configure the FTP server IP address.
- Enter atgof to bring up the FTP server on port 1.
- The following information shows that the FTP service is up and ready to receive the firmware.
- You will use FTP to upload the firmware package. Keep the console session open in order to see when the firmware update finishes.
- Set your computer to use a static IP address from ~ No matter how you have configured the ZyWALL/USG's IP addresses, your computer must use a static IP address in this range to recover the firmware.
- Connect your computer to the ZyWALL/USG's port 1 (the only port that you can use for recovering the firmware).
- Use an FTP client on your computer to connect to the ZyWALL/USG. This example uses the ftp command in the Windows command prompt. The ZyWALL/USG's FTP server IP address for firmware recovery is
- Log in without a user name (just press Enter).
- Set the transfer mode to binary. Use bin (or just bi in the Windows command prompt).
- Transfer the firmware file from your computer to the ZyWALL/USG (the command is put <firmware filename> in the Windows command prompt).
- Wait for the file transfer to complete.
- The console session displays "Firmware received" after the FTP file transfer is complete. Then you need to wait while the ZyWALL/USG recovers the firmware (this may take up to 4 minutes). The message here might be "ZLD-current received". It is equivalent to "Firmware received".
- The console session displays "done" when the firmware recovery is complete. Then the ZyWALL/USG automatically restarts.
- The username prompt displays after the ZyWALL/USG starts up successfully. The firmware recovery process is now complete and the ZyWALL/USG is ready to use.

If one of the following cases occurs, you need to do the firmware recovery process again. Note that if the process has been done several times but the problem remains, please collect all the console logs and send them to ZyXEL/USG for further analysis.

If one of the following messages appears on the console, the process must be performed again:
    /bin/sh: /etc/zyxel/conf/zldconfig: No such file
    Error: no system default configuration file, system configuration stop!!
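
The console messages quoted in this section can be checked mechanically in a saved TeraTerm or PuTTY log. The following is an added example, not ZyXEL code; the function name, verdict labels, reboot-loop threshold and sample logs are constructed for illustration.

```python
import re

# Console strings quoted in the firmware recovery section of the guide.
BOOT_PROMPT = "Press any key to enter debug mode within 3 seconds."
SYMPTOMS = {
    "kernel_image_missing": re.compile(r"can.?t get kernel image", re.I),
    "invalid_image": re.compile(r"Invalid (Recovery Image|Firmware)"),
}
RECEIVED = re.compile(r"(Firmware|ZLD-current) received")
# Assumption: "done" is printed on a line of its own.
DONE = re.compile(r"^\s*done\s*$")
REPEAT = re.compile(
    r"/etc/zyxel/conf/zldconfig: No such file"
    r"|no system default configuration file"
)
# Assumption (not from the guide): this many boot prompts in one capture
# is treated as the "device reboots infinitely" symptom.
REBOOT_LOOP_THRESHOLD = 3


def analyse_console_log(text):
    """Classify a saved console log against the recovery procedure."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    symptoms = set()
    boots = 0
    received_at = done_at = repeat_at = None
    for i, line in enumerate(lines):
        if BOOT_PROMPT in line:
            boots += 1
        for name, rx in SYMPTOMS.items():
            if rx.search(line):
                symptoms.add(name)
        if RECEIVED.search(line):
            # A new recovery attempt starts; forget the previous "done".
            received_at, done_at = i, None
        elif DONE.match(line) and received_at is not None:
            done_at = i
        elif REPEAT.search(line):
            repeat_at = i
    if boots >= REBOOT_LOOP_THRESHOLD:
        symptoms.add("reboot_loop")
    if lines and BOOT_PROMPT in lines[-1]:
        # Capture ends at the prompt: nothing was displayed after it.
        symptoms.add("stalled_at_boot_prompt")

    # Only a failure message seen after the latest upload counts.
    if repeat_at is not None and (received_at is None or repeat_at > received_at):
        verdict = "repeat_recovery"
    elif done_at is not None:
        verdict = "recovery_complete"
    elif received_at is not None:
        verdict = "recovery_in_progress"
    elif symptoms:
        verdict = "recovery_needed"
    else:
        verdict = "no_recovery_symptom"
    return {"verdict": verdict, "symptoms": sorted(symptoms), "boots": boots}


# Constructed sample captures (not real device output).
LOG_BROKEN = """\
Press any key to enter debug mode within 3 seconds.
Invalid Recovery Image
Press any key to enter debug mode within 3 seconds.
Invalid Recovery Image
Press any key to enter debug mode within 3 seconds.
"""
LOG_REPEAT = """\
Invalid Firmware
Firmware received
done
Press any key to enter debug mode within 3 seconds.
/bin/sh: /etc/zyxel/conf/zldconfig: No such file
Error: no system default configuration file, system configuration stop!!
"""
LOG_SECOND_ATTEMPT = """\
ZLD-current received
done
Press any key to enter debug mode within 3 seconds.
(constructed line standing in for the username prompt)
"""

if __name__ == "__main__":
    for label, log in [("broken", LOG_BROKEN), ("repeat", LOG_REPEAT),
                       ("second attempt", LOG_REPEAT + LOG_SECOND_ATTEMPT)]:
        print(label, analyse_console_log(log))
```
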

4. Device Reboot Randomly

4.1. Collecting more debug message
If your device reboots randomly and upgrading to the latest firmware does not help, you can follow this document to collect more debug information. Then provide this information to the ZyXEL support team.

Collecting console log
1. Connect the serial cable between your PC and the device serial port.
2. Install TeraTerm on your PC.
3. Run TeraTerm, select the correct port and baud rate, and click OK to start the session. (USG default baud rate is: )
4. Click File > Log to save all of the logs displayed in the window.
5. Enter the debug kernel console-level 8 command to collect more debug messages.
6. Enter the show app-watch-dog monitor-list command to show which daemons are monitored.
7. After these steps, the device prints almost all debug logs to your PC and TeraTerm saves this information directly. Please do not close the session until the device reboots itself again.

Collecting diag-info
1. Once the device has rebooted itself again, log in to the device Web GUI and go to MAINTENANCE > Diagnostics > Diagnostics tab > Collect. Click the Collect Now button to collect the diag-info. (It takes around 3~5 minutes.)
2. After the process is done, the file name is shown on the GUI (with the collection time). Click the Download button to download it.
3. Provide the console logs and diag-info files to ZyXEL support.

5. Cannot Access to the Device

5.1. Firewall Rule
Security Policies are grouped based on the direction of travel of the packets to which they apply. The ZyWALL/USG has default Security Policy behavior for traffic going through the ZyWALL/USG in various directions. Policies with Device as the To Zone apply to traffic going to the ZyWALL/USG itself. By default:
- The Security Policy allows only LAN, or WAN computers to access or manage the ZyWALL/USG.
- The ZyWALL/USG allows DHCP traffic from any interface to the ZyWALL/USG.
- The ZyWALL/USG drops most packets from the WAN zone to the ZyWALL/USG itself and generates a log, except for Default_Allow_WAN_To_ZyWALL (AH, ESP, GRE, HTTPS, IKE, NATT).

If you are not able to access the ZyWALL/USG by HTTPS
1. Connect a console cable to the ZyWALL/USG. Type the following command to disable the firewall rule so that you can log in to the device via HTTPS and check what is wrong in the configuration:
2. If you are not able to access the ZyWALL/USG via its public IP: check whether the policy allows WAN access to the ZyWALL/USG. Also make sure the Service allows HTTPS; move the mouse pointer over the service object and check whether HTTPS is included in the service group.
   CONFIGURATION > Security Policy > Policy Control
3. If you want to add a new service object to the Service Group, go to CONFIGURATION > Object > Service > Service Group and double-click the group you want to edit. Move the services you want available to the ZyWALL/USG to Member. Click OK.
   CONFIGURATION > Object > Service > Service Group
4. If you are not able to access the ZyWALL/USG via its LAN IP: check whether the policy allows LAN access to the ZyWALL/USG.
   CONFIGURATION > Security Policy > Policy Control

If you are not able to access the ZyWALL/USG by SSH
1. Go to CONFIGURATION > Security Policy > Policy Control and check whether you have added a To ZyWALL rule that allows the SSH service.
   CONFIGURATION > Security Policy > Policy Control
2. If it is not yet created, click Add and create a To ZyWALL rule that allows the SSH service:
   CONFIGURATION > Security Policy > Policy Control > Add corresponding
3. If the Security Policy is created but you still cannot access the ZyWALL, go to CONFIGURATION > System > SSH, check that Enable is selected in General Settings, and make sure the Service Port is correct and the same as in your terminal program. Then check that the Service Control Action is Accept.
   CONFIGURATION > System > SSH

If you are not able to access the ZyWALL/USG by TELNET
1. Go to CONFIGURATION > Security Policy > Policy Control and check whether you have added a To ZyWALL rule that allows the TELNET service.
   CONFIGURATION > Security Policy > Policy Control
2. If it is not yet created, click Add and create a To ZyWALL rule that allows the TELNET service:
   CONFIGURATION > Security Policy > Policy Control > Add corresponding
3. If the Security Policy is created but you still cannot access the ZyWALL, go to CONFIGURATION > System > TELNET, check that Enable is selected in General Settings, and make sure the Service Port is correct and the same as in your terminal program. Then check that the Service Control > Action is Accept.
   CONFIGURATION > System > TELNET

5.2. DHCP (IP/MAC Binding)
People want to use IP/MAC binding for the LAN users because it makes the users easier to manage. However, if a client cannot access the device with a static IP and the log shows the error Drop packet lan :1e:33:29:bb:fc, there may be an issue in the DHCP setting.

Check DHCP Setting
1. Go to CONFIGURATION > Interface > Ethernet > Lan1 > IP/MAC Binding. Look at the Static DHCP Table and ensure the computer's IP and MAC address are in the list.
2. If this IP/MAC is not in the IP/MAC Binding list, DHCP (IP/MAC Binding) will reject the traffic which from
3. To add the IP/MAC to the Binding list, go to CONFIGURATION > Interface > Ethernet > Lan > IP/MAC Binding > Add or Edit.
4. Another way is to add this IP/MAC address to the Exempt List: go to CONFIGURATION > Network > IP/MAC binding > Exempt List.

Note: If IP/MAC binding is enabled, traffic with the following IP address sources will also be allowed to pass through the ZyWALL/USG:
a. DHCP offered Dynamic IP
b. User manually configured IP which matches the static DHCP table

6. Cannot Access to the Device

WWW
To allow the ZyWALL/USG to be accessed from a specified computer using a service, make sure you do not have a service control rule or to-ZyWALL/USG security policy rule that blocks that traffic. If a customer cannot log in to the USG, there might be a configuration issue on the USG.

Port Issue

Issue description
User cannot access ZyWALL/USG by http or or

Solution
1. HTTP example: Check the HTTP or HTTPS port numbers via the console. Type configure terminal, then show ip http server status. The port information for HTTP is displayed.
   HTTP example
   As we can see, the Server Port number is 1111, so the login IP address should be
2. HTTPS example: Type configure terminal, then show ip http server secure status. The port information for HTTPS is displayed.
   HTTPS example
   As we can see, the Server Port number is 2000, so the login IP address should be

Admin Service Control Issue

Issue description
The user cannot log in to the USG. After the user fills in the login information and presses Login, the system displays Login denied.

Solution
1. Make sure that the User Name and Password are correct.
2. User needs to make sure that the did not block by Admin service control
3. The client can check this via the console. Type configure terminal, then show ip http server secure status.
4. As we can see the Lan2 ( already denied by admin service control, so the user cannot log in via Lan2.
5. Users can switch the network cable to another LAN and modify the configuration as needed. Go to CONFIGURATION > System > WWW > Service Control and remove the Lan2 deny rule.
6. After the modification, the user can access the USG via Lan2.

6.3. OSPF Routing Issue

Unable to distribute routes to the connected device
1. Area Setting
   Check if the Area ID, Type and Authentication Key are correctly configured. Ensure these same settings are also correctly configured on the connected device which would like to get routes from the ZyWALL.
   CONFIGURATION > Network > Routing > OSPF > Area
2. OSPF setting in the interface
   Select the correct Area ID and Authentication in the appropriate interfaces.
   CONFIGURATION > Network > Interface > Ethernet > Advanced Settings > OSPF Setting

Unable to get routes from the connected device
1. Area Setting
   Check if the Area ID, Type and Authentication Key are correctly configured. These settings must be the same as those on the connected device from which the ZyWALL would like to get routes.
   CONFIGURATION > Network > Routing > OSPF > Area
2. OSPF setting in the interface
   Select the correct Area ID and Authentication in the appropriate interfaces.
   CONFIGURATION > Network > Interface > Ethernet > Advanced Settings > OSPF Setting
3. OSPF service in the policy control
   Ensure the OSPF service is allowed in the policy control.
   From: any; To: ZyWALL; Service: OSPF; access: allow
   CONFIGURATION > Security Policy > Policy Control > Add

6.4. Cannot access internet (session full/firewall block)

Session full
1. Once a client has reached the maximum number of sessions, it is not allowed to connect to the interface or GUI. You may need to use the serial port to enter the commands below.
2. In the CLI, use show logging entries category sessions-limit to check whether the client is blocked by the session limit, or use show logging entries keyword <client IP> to see whether there are logs regarding this computer.
3. You can disable session-limit temporarily once you see the maximum session per host message.
4. In the device GUI, go to Monitor > Log > log display, select Sessions Limit, and check whether the client is blocked because of the session limit. The GUI monitor shows that the client reached the maximum session threshold.
5. Go to Configuration > Security Policy > Session Control to change the setting or set the threshold for the specific client.

Firewall block
1. A service is blocked by the firewall if the security policy is not set appropriately.
2. The security policy depends on the ZONE setting.
3. Go to MONITOR > Log. In this example, Category > Security Policy Control shows the FTP service from a LAN2 client as ACCESS BLOCKED by the firewall.
4. Also check the Zone configuration at CONFIGURATION > Object > Zone. Use Object Reference to see where those objects are used and their priority in the security policy.
5. In this case the client PC ( ) is included in the Zone LAN2.
6. The LAN2 zone object is referenced by the security policy.

Most of the time, an external service cannot be reached because of a misconfigured firewall rule that restricts the wrong subnet in the wrong zone.

6.5. Cannot access internet (anti-spam)
The Anti-Spam feature can mark or discard spam (unsolicited commercial or junk e-mail). Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL/USG can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers. If you cannot receive/send e-mail through the ZyWALL/USG, follow the steps below to troubleshoot.

If you are not able to receive/send e-mails via ZyWALL/USG
1. Connect to the web GUI of the ZyWALL/USG. Go to CONFIGURATION > Security Policy > Policy Control.
2. Check the Security Policy setting to ensure that it allows the mail protocols (SMTP/POP3/SMTPs/IMAP4).
3. Ensure the receiver/sender IP address is allowed.
4. Connect to the web GUI of the ZyWALL/USG. Go to MONITOR > UTM Statistics > Anti-Spam > Status.
5. Check if Concurrent Mail Session Scanning is full or not.

Must be collected information
1. Configuration
2. Diaginfo
3. Remote access
4. Mail server protocol

7. Cannot Set Up the IPSec VPN Function Successfully
There are many different scenarios when establishing a VPN tunnel. You can follow these maps to find your scenario. Each scenario lists issues that may match the one you have met, and you can follow this guide to find the symptom in your environment.

VPN connection cannot be established

If facing the VPN connection problem, here are the possible root causes:
1. Pre-shared key mismatch.
2. SA proposal mismatch.
3. Local/remote policy mismatch.
4. Firewall rule block.

If the VPN tunnel cannot be established:
1. Navigate to MONITOR > Log.
2. Select the IKE category.
3. Check the authentication method, local/peer policy, and SA proposal in phase 1 and phase 2.
4. Make sure that no firewall rule blocks the IKE service from LAN or WAN to Device.

If you have a connection problem, check the IKE category in the log for more information.
1. Pre-shared key mismatch
2. Proposal mismatch in phase 1
3. Proposal mismatch in phase 2
4. Local policy mismatch on phase 2
5. If you are using Local/Peer ID, check that it is correct.
   Local site:
   Remote site:
6. Make sure that the LAN and WAN to Device services allow the IKE service.

Cannot establish VPN tunnel via 3GLTE interface
Troubleshooting Flowchart:

Is the Dongle Included in ZyWALL/USG Support List?
If it's not supported, go to
If it's supported, go to
If the dongle is not included in the support list, it may have a compatibility issue. Therefore, please change to a supported dongle.

Change to Supported Dongle
Please go to Search by Model Number > Firmware > 3G Dongle Document to see the latest supported 3G cards.

Is the Cellular Status Ready?
If it's not ready, go to
If it's ready, go to
When you plug the 3G dongle into the device, it automatically creates a cellular interface, but the default status is inactive. Please make sure the cellular interface is activated and the status is ready.

Activate Cellular Status and Check ISP Account Settings

Activate Cellular Status
1. Go to CONFIGURATION > Interface > Cellular. The connected device is automatically displayed in the Cellular Interface Summary. Click Activate and then the Apply button at the bottom of this page.
2. Go to MONITOR > System Status > Cellular Status and make sure the Status is Device ready and the Signal Quality is good.

Check ISP Account
If the dongle cannot successfully connect to the ISP, check the following reasons:
1. Misconfiguration of the dongle (if you buy a 3G card from overseas, it might store some default configuration of the original ISP)
2. No SIM or incorrect SIM
3. PIN lock
4. Parameter issue
5. Signal strength is weak

Is the Connectivity Set to Nailed-Up?
The default Connectivity method is Nailed-Up. The connection should always be up after you activate the cellular interface. If you disable Nailed-Up and set the Idle timeout value to zero or only a few seconds, the VPN tunnel will disconnect if you do not dial up the cellular connection or when there is no traffic for a few seconds.

Modify Connectivity Setting
1. If you want the connection to always be up, go to CONFIGURATION > Interface > Cellular > Connectivity and check Nail-Up.
2. If you want the connection up only when there is traffic, go to CONFIGURATION > Network > Interface > Cellular > Connectivity, uncheck Nail-Up and set Idle timeout to be.

Is the Cellular Interface Included in the WAN Trunk?
If you do not include the cellular interface in the WAN Trunk, the ZyWALL/USG does not send traffic through the interface as part of the trunk.

Modify Trunk
1. If you're using SYSTEM_DEFAULT_WAN_TRUNK, go to CONFIGURATION > Network > Trunk > System Default. Please make sure the cellular interface is included as a member of System Default.
2. If you're using a User Configured Trunk, go to CONFIGURATION > Network > Trunk > User Configuration. Please make sure the cellular interface is included as a member of User Configuration.

Is there Any Routing Policy Related to WAN Interface?
Once a packet matches the criteria of a routing rule, the ZyWALL/USG takes the corresponding action and does not perform any further flow checking. Since the default priority of Policy Route and 1-1 NAT is higher than that of VPN and the Default WAN Trunk, internal network access to the internet might pass through another WAN interface instead of the cellular interface.

Check Routing Policy

Policy Route
1. Go to CONFIGURATION > Network > Policy Route and make sure the Next-Hop for the VPN tunnel you want to establish over the cellular interface is not another WAN interface. You can configure the Next-Hop to be Trunk or the cellular interface.

NAT
1. Go to CONFIGURATION > Network > NAT and make sure the mapping rules do not conflict with the cellular interface and the VPN tunnel.

Collect Information to CSO Support
Topology
1. Access the ZyWALL/USG's CLI and issue the commands below:
    Router> configure terminal
    Router(config)# _cellular debug enable
2. Insert the 3G card into the ZyWALL/USG and wait for 2 minutes.
3. Access the ZyWALL/USG's CLI and issue the commands below:
    Router(config)# _cellular dump daemon-data
    Router(config)# _cellular cat daemon-log
    Router(config)# exit
    Router> show interface cellular status
    Router> show interface cellular device-status
    Router> debug interface ifconfig cellular1
    Router# diag-info collect
    Please wait, collecting information (it may take 7-10 minuts)
    Router# show diag-info (check whether the collection is done)
    Filename : diaginfo tar.bz2
    File size : 3260 KB
    Date : :51:38
4. Save all of the output after you enter these commands and get the diag-info file via FTP or the web GUI.
5. Send the above information to the support team.

7.3. VPN fallback is not working

The VPN tunnel has been established successfully, but the tunnel can't fall back to the primary peer gateway
Suppose your scenario is like this topology: one USG has 2 interfaces and the other USG has one interface. On USG#A, the primary interface is WAN1 and the secondary interface is WAN2. When the USG#A WAN1 interface is dead, USG#B triggers the VPN tunnel to the WAN2 interface. After USG#B has established the VPN tunnel to USG#A's WAN2 interface, the VPN tunnel works fine without problems. But the VPN tunnel can't fall back to WAN1 when the WAN1 connection is back.

Verify configuration
1. VPN Gateway setting on USG#A: In the VPN Gateway setting, My Address must be It means the My Address would be one of the interface IP addresses which is alive.
2. On USG#A, make sure the WAN1 interface is primary and the WAN2 interface is secondary. Go to CONFIGURATION > Network > Interface > Trunk > User Configuration and click the Add button to add a customized trunk. The WAN1 interface is Active, the WAN2 interface is Passive.
3. Then apply this object as the default WAN trunk.
4. VPN Gateway setting on USG#B: In the VPN Gateway setting, set USG#A's WAN1 and WAN2 interfaces. Fall back to Primary Peer Gateway when possible must be enabled. (In this example, USG#B checks the primary gateway IP address status every 300 seconds.)
5. Enter the fallback command on USG#B: on USG#B you must enter the client-side-vpn-failover-fallback activate command from the CLI.
7.4. Cannot set up the IPSec VPN function by VPN provision successfully

Configuration is successful but the field Remote Gateway Address is empty
1. Check My Address of the VPN gateway: If you select Express when using the VPN Setup Wizard to configure VPN Settings for Configuration Provisioning, wan1 will be My Address by default. If wan1 is not used for VPN provisioning, select the correct interface for provisioning.
CONFIGURATION > VPN > IPSec VPN > VPN Gateway

Authentication Failed
1. Check that the login account and password are correctly configured on the ZyWALL IPSec VPN Client.
MONITOR > Log > View Log > User
2. The account must be configured as the Allowed User.
CONFIGURATION > VPN > IPSec VPN > Configuration Provisioning
Server Not Found
3. Check the Gateway Address configured on the ZyWALL IPSec VPN Client. The address must be the same as My Address in CONFIGURATION > VPN > IPSec VPN > VPN Gateway > WIZ_VPN_PROVISIONING.
CONFIGURATION > VPN > IPSec VPN > VPN Gateway
7.5. IPSec VPN Client on Win10 Operating System

Enterprises need to have remote access to the company's applications and servers quickly, easily and securely. The VPN Client enables employees to work from home or on the road, and IT managers to connect in remote desktop sharing to the enterprise infrastructure. The VPN Client offers a range of features from simple authentication via simple login to advanced full PKI integration capabilities.

Can't use IPSec VPN client on Win10 system
Customers want to access the company's servers or applications remotely, so the IPSec VPN Client software is one of their best choices. However, if a customer cannot use the IPSec VPN Client on Win10, there may be an issue in the configuration. Please follow the steps below to troubleshoot the problem.

Key configuration points for the IPSec Client on Win10
1. On the VPN Gateway, make sure the pre-shared key is the same as on the IPSec VPN client.
2. On the VPN connection, select Server Role and make sure the Local policy and Phase 2 settings are the same as the IPSec VPN client's.

Wireless possible issue symptoms

The issue on Pre-shared key
1. After configuration, the IPSec VPN client session still cannot be established. The log message shows what kind of issue it is.
MONITOR > Log > Select IKE on Display field
2. The log message shows that the issue is with the pre-shared key. Double check the pre-shared key on the ZyWALL/USG side and on the ZyWALL IPSec VPN Client side. Go to Configuration > VPN Gateway > Edit > Pre-Shared Key, the pre-shared key is
3. Move to the ZyWALL IPSec VPN Client and go to IKEv1 Gateway > Authentication > Preshared Key. Change the key to
4. After the change, the IPSec VPN client connection is established.
The issue on Phase 1 setting
1. When the log message displays No proposal chosen, double check the settings on both the ZyWALL/USG and the IPSec VPN client. Go to MONITOR > Log > Select IKE on Display field.
2. The log also shows which misconfiguration caused the issue. Here the user can see P1 Algorithm mismatch.
3. Double check the settings on both sides.

The issue on Phase 2 setting
1. When the log message displays Phase 2 Proposal mismatch and No proposal chosen, double check the settings on both the ZyWALL/USG and the IPSec VPN client. Go to MONITOR > Log > Select IKE on Display field.
2. The log also shows which misconfiguration caused the issue. Here the user can see P2 Algorithm mismatch.
3. Make sure the Phase 2 setting and ESP are matching on both sides.
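The following added example (not part of the ZyXEL guide) models why a responder answers "No proposal chosen" and which setting to compare on both sides. The algorithm names, the `Proposal` fields and the sample configurations are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    encryption: str
    authentication: str
    key_group: str  # Phase 1 DH group, or Phase 2 PFS group ("none" if PFS is off)


FIELDS = ("encryption", "authentication", "key_group")


def negotiate(offered, accepted):
    """Return the first offered proposal the gateway also accepts, else None.

    A proposal only matches when every attribute matches at once; the
    responder never mixes attributes taken from different proposals.
    """
    accepted_set = set(accepted)
    for proposal in offered:
        if proposal in accepted_set:
            return proposal
    return None


def explain_mismatch(offered, accepted):
    """For a failed negotiation, name the attributes with no common value."""
    if negotiate(offered, accepted) is not None:
        return []
    findings = []
    for name in FIELDS:
        client_values = {getattr(p, name) for p in offered}
        gateway_values = {getattr(p, name) for p in accepted}
        if not client_values & gateway_values:
            findings.append(name)
    # Every attribute overlaps somewhere, but never inside one proposal.
    return findings or ["combination"]


def diagnose(client, gateway):
    """Check Phase 1, then Phase 2; Phase 2 needs a Phase 1 SA first."""
    report = {}
    for phase in ("phase1", "phase2"):
        chosen = negotiate(client[phase], gateway[phase])
        report[phase] = {
            "chosen": chosen,
            "check": explain_mismatch(client[phase], gateway[phase]),
        }
        if chosen is None:
            break
    return report


# Constructed sample settings (not taken from the guide's screenshots).
GATEWAY = {
    "phase1": [Proposal("aes128", "sha1", "dh2")],
    "phase2": [Proposal("aes128", "sha1", "none")],
}
CLIENT_P1_BAD = {
    "phase1": [Proposal("aes256", "sha256", "dh14"),
               Proposal("aes128", "sha256", "dh2")],
    "phase2": [Proposal("aes128", "sha1", "none")],
}
CLIENT_P2_BAD = {
    "phase1": [Proposal("aes128", "sha1", "dh2")],
    "phase2": [Proposal("3des", "sha1", "none")],
}

if __name__ == "__main__":
    for label, client in (("P1 bad", CLIENT_P1_BAD), ("P2 bad", CLIENT_P2_BAD)):
        print(label, diagnose(client, GATEWAY))
```

When the report lists "combination", each algorithm exists on both sides but not together in one proposal, which is easy to miss when comparing the two screens field by field.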
7.6. Cannot set up the IKEv2 VPN tunnel successfully

IKEv2
A PC with the IPSec VPN Client establishes an IKEv2 VPN tunnel with the USG. The PC passes all traffic into the tunnel, and the USG forwards the traffic to the Internet or to the LAN server. If the scenario does not work in your environment, please follow the steps below:

If IKEv2 traffic does not work at all from your PC
Connect to the web GUI of the ZyWALL/USG. Go to MONITOR -> VPN Monitor -> IPSec. Check if the IKEv2 tunnel is alive.
If IKEv2 tunnel is not up
1. Connect to the USG and compare with the VPN client to ensure the configurations are all correct.
2. Since the PC will send all traffic into the tunnel, the local policy of the USG should be any( ).
3. Configure the IPSec VPN Client IP address as (Owner can assign a specific IP address for the client. This IP address will be used in policy route to separate the traffic.)
4. Make sure Disable Split Tunneling is checked.

VPN tunnel is up, but no traffic passes through the USG to the Internet
Connect to the USG and go to CONFIGURATION > Network > Routing > Policy route. Ensure there are routes to separate the traffic from the IKEv2 tunnel to the Internet and to the LAN server.
1. Policy route rule 1st: From IKEv2 IP address to LAN server, Next-Hop: LAN1
2. Policy route rule 2nd: From IKEv2 IP address to internet, Next-Hop: WAN1, SNAT: outgoing-interface
Information that must be collected
1. Configuration of ZyWALL/USG and IPSec VPN Client
2. The version of IPSec VPN Client
3. The diaginfo of VPN Client
4. The console log of VPN Client
7.7. VPN concentrator with the problem

A VPN concentrator combines several IPSec VPN connections into one secure network. A VPN concentrator reduces the number of VPN connections that you have to set up and maintain in the network. You might also be able to consolidate the policy routes in each spoke router, depending on the IP addresses and subnets of each spoke.

Consider the following when using the VPN concentrator.
1 The local IP addresses configured in the VPN rules should not overlap.
2 The concentrator must have at least one separate VPN rule for each spoke. In the local policy, specify the IP addresses of the networks with which the spoke is to be able to have a VPN tunnel. This may require you to use more than one VPN rule for each spoke.
3 To have all Internet access from the spoke routers go through the VPN tunnel, set the VPN rules in the spoke routers to use (any) as the remote IP address.
4 The VPN must be Site-to-Site VPN.

If the scenario does not work in your environment, please follow the steps below:
Site-to-Site VPN tunnel is up:
Connect to USG, and ensure the VPN tunnel configuration is correct.
1 VPN tunnel between Central side and Branch side 1 2 Branch side 1 to Central side VPN setting (enable Nailed-Up)
Central side to Branch side 1 VPN setting
VPN tunnel between Central side and Branch side 2
Branch side 2 to Central side VPN setting (enable Nailed-Up)
Central side to Branch side 2 VPN setting

VPN Concentrator on Central side
Go to CONFIGURATION > VPN > IPSec VPN > Concentrator, and check if both tunnels are selected.
Policy route on both branch sides
Check that there are policy routes that route the traffic for the other branch into the tunnel to the central side.
1 On Branch side 1
2 On Branch side

Information that must be collected
1. Configurations
2. Diaginfo
3. Topology
7.8. IPSec VPN tunnel was established successfully, but the traffic can't pass through the tunnel

Troubleshooting Flowchart:

Is the PC Firewall Disabled?
On some operating systems, the PC firewall may by default block protocols required for the VPN connection and the ping check (ICMP Echo Request). Therefore, you have to make sure your PC firewall allows the VPN and ping check traffic.
7.8.2 Does the PC Firewall Allow VPN/ICMP Traffic?
IP forwarding must be enabled at the firewall for the following IP protocols and UDP ports:
1. IP Protocol Type=50 <- Used by data path (ESP)
2. IP Protocol Type=51 <- Used by data path (AH)
3. IP Protocol Type=UDP, UDP Port Number=500 <- Used by IKEv1 (IPSec control path)
4. IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv1 (IPSec control path)
5. IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv2 (IPSec control path)

Modify PC Firewall Setting
1. To configure the network to accept access, open Control Panel > Network and Sharing Center. Click on Change adapter settings.
2. Press Alt + F and click on New Incoming Connection.
3. Now a wizard will open. In the first step, mark the users you want to allow to use your connection.
4. Put a mark on Through the internet and click Next.
5. Now select the protocols you want to connect, and double click on Internet Protocol Version 4 (TCP/IPv4).
6. In the screen which appears, ensure that the Properties are set the same as shown in the image below. Click OK.
7. Click Allow access.
8. Now you will see the last step of the wizard. Click on Close to finish it, but remember to note down the computer's name as it will be used when you connect.

Configure Firewall to accept Ping check (ICMP Echo Request)

Windows OS
1. Go to Control Panel > Windows Firewall > Windows Firewall with Advanced Security.
2. Now click on Inbound Rules. Then select Echo Request - ICMP IN.
3. Right click on the Echo Request - ICMP IN rules and click Enable Rule.
4. Now you will see the Echo Request - ICMP IN rules are enabled.

MAC OS X
1. Go to Security & Privacy > Firewall > Advanced, uncheck the Enable stealth mode checkbox in order to allow pings to be answered.

Configure Firewall to accept connections
IPSec does not disturb the original IP header and can be routed as normal IP traffic. Routers and switches in the data path between the communicating hosts simply forward the packets to their destination. However, when there is a firewall or gateway in the data path, IP forwarding must be enabled at the firewall for the following IP protocols and UDP ports.
1. IP Protocol Type=50 <- Used by data path (ESP)
2. IP Protocol Type=51 <- Used by data path (AH)
3. IP Protocol Type=UDP, UDP Port Number=500 <- Used by IKEv1 (IPSec control path)
4. IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv1 (IPSec control path)
5. IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv2 (IPSec control path)

Windows OS
1. Go to Control Panel > Windows Firewall > Windows Firewall with Advanced Security. Click on Inbound Rules. Next click on the Actions menu and then click on New Rule.
2. A wizard will open. In the first step, select the Port option and click on Next.
3. Select TCP or UDP. In the Specific remote ports field, enter the port number and click on Next.
4. Now select Allow the connection and click Next.
5. Apply the rule to all and click Next.
6. In the Name and Description (optional) fields, enter anything you want and click on Finish.

Is the USG NetBIOS Enabled?
Enable NetBIOS if you want the ZyWALL/USG to send NetBIOS (Network Basic Input/Output System) packets through the IPSec SA. NetBIOS packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. It may sometimes be necessary to allow NetBIOS packets to pass through IPSec SAs in order to allow local computers to find computers on the remote network and vice versa.

Modify NetBIOS Setting
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection > Edit > Show Advanced Settings > General Settings, select Enable NetBIOS broadcast over IPSec.
7.8.6 Perform Ping Check Command from PC
Ping check allows you to confirm if you have connectivity between VPN nodes. Open up the command prompt in Windows.

Is there Any Response from the Remote Site?
If there is no response, go to
If there is response, go to

Topology Example
One PC at Local Network A IP address:
One PC at Local Network B IP address:
At PC in the Local Network A, type command line: ping
The response should be:
At PC in the Local Network B, type command line: ping
The response should be:

Perform Ping Check from PC to Local/Remote Gateway
Ping check allows you to confirm if you have connectivity between VPN participants. Open up the command prompt in Windows.

Is there Any Response from the Local/Remote Gateway?
If there is no response, go to
If there is response, go to

Topology Example
One PC at Local Network A IP address: ; Gateway IP address:
One PC at Local Network B IP address: ; Gateway IP address:
At PC in the Local Network A, type command line: ping
The response should be:
At PC in the Local Network B, type command line: ping
The response should be:

Modify Local/Remote Gateway Setting
1. Check the WAN interface on both VPN sites; please make sure you have configured the gateway IP address correctly. Firstly, check whether the gateway IP address is within the correct host address range by the subnet calculator tool below
2. Secondly, if the gateway IP is given by the ISP, please contact your service provider to confirm the correct address.
3. Thirdly, if the gateway IP is assigned by the DHCP server, please make sure your DHCP server assigned the correct gateway IP to your WAN interface.

Disable Security Policy on Device
A customized Security Policy may block protocols required for the VPN connection and the ping check (ICMP Echo Request). Therefore, you have to make sure your Security Policy allows the VPN and ping check traffic.

Is there Any Response from the Remote Site?
If there is no response, go to
If there is response, go to

Try turning off the Security Policy and see if it works. If so, activate the Security Policy rules one by one until you find the one that breaks it, or check the access block information in the Log.
Modify Security Policy Setting

Security Policy Example
1. Go to MONITOR > Log and check whether any Security Policy blocks the VPN protocols and UDP ports. In this example, the Security Policy blocks UDP Port 500 traffic.
2. Go to CONFIGURATION > Security Policy > Policy Control and check the allowed services. In this example, the customized Allow_WAN_To_ZyWALL doesn't allow the AH, ESP and IKE protocols.
3. Go to CONFIGURATION > Object > Service > Service Group to edit the service group. Move AH, ESP and IKE to be Allow_WAN_To_ZyWALL members. Click OK.
4. Go to MONITOR > Log; the VPN tunnel is now built successfully.
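The check in steps 1 to 3 can be reproduced offline. The following added example (not ZyXEL code) evaluates an ordered rule list against the IPSec protocols and UDP ports listed earlier in this section. The first-match model with a final deny rule, the rule names WAN_to_Device and Default_Deny, and the sample group contents are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Service:
    name: str
    protocol: int                   # IP protocol number (6 = TCP, 17 = UDP)
    ports: Optional[range] = None   # destination ports; None for port-less protocols


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    services: Optional[List[Service]]  # None means "any service"
    action: str                        # "allow" or "deny"


# The flows the guide lists as required for IPSec.
REQUIRED_FLOWS = [
    ("ESP", 50, None),
    ("AH", 51, None),
    ("IKE UDP/500", 17, 500),
    ("IKE UDP/4500", 17, 4500),
]


def service_matches(service, protocol, port):
    if service.protocol != protocol:
        return False
    if service.ports is None:
        return True
    return port is not None and port in service.ports


def evaluate(rules, src_zone, dst_zone, protocol, port):
    """First matching rule wins (assumed model); returns (action, rule name)."""
    for rule in rules:
        if rule.src_zone not in ("any", src_zone):
            continue
        if rule.dst_zone not in ("any", dst_zone):
            continue
        if rule.services is None or any(
            service_matches(s, protocol, port) for s in rule.services
        ):
            return rule.action, rule.name
    return "deny", "implicit"


def blocked_ipsec_flows(rules, src_zone="WAN", dst_zone="ZyWALL"):
    """List the required IPSec flows that are not allowed, with the deciding rule."""
    blocked = []
    for label, protocol, port in REQUIRED_FLOWS:
        action, rule_name = evaluate(rules, src_zone, dst_zone, protocol, port)
        if action != "allow":
            blocked.append((label, rule_name))
    return blocked


# Constructed service objects and policy (hypothetical contents).
HTTPS = Service("HTTPS", 6, range(443, 444))
AH = Service("AH", 51)
ESP = Service("ESP", 50)
IKE = Service("IKE", 17, range(500, 501))


def sample_policy(allow_wan_to_zywall_members):
    return [
        Rule("WAN_to_Device", "WAN", "ZyWALL", allow_wan_to_zywall_members, "allow"),
        Rule("Default_Deny", "any", "any", None, "deny"),
    ]


BEFORE = sample_policy([HTTPS])                # group lacks AH, ESP and IKE
AFTER = sample_policy([HTTPS, AH, ESP, IKE])   # group after step 3

if __name__ == "__main__":
    print("before:", blocked_ipsec_flows(BEFORE))
    print("after: ", blocked_ipsec_flows(AFTER))
```

In this model UDP 4500 is still denied after step 3, because the constructed group covers only the three services the step names; a group that should pass every flow on the guide's list needs a member for that port as well.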
Perform Ping Check Command from Router
When traffic is initiated from the ZyWALL/USG to a remote site, the source IP address will be considered an external interface's IP address instead of a VPN subnet interface's IP address. This means the source IP address doesn't belong to the local subnet which the VPN tunnel allows access to. Therefore, if you ping from the router with its IP address, you should not get a response from the remote router.

Is there Any Response from the Remote Subnet?
If there is no response, go to
If there is response, go to

Topology Example
ZyWALL USG A WAN IP address: ; LAN subnet IP address:
ZyWALL USG B WAN IP address: ; LAN subnet IP address:

Wrong response example: Log in to device A, type command line: ping and ping source , the response is:
Correct response example: Log in to device B, type command line: ping and ping source , the response should be:
Modify Routing
1. To avoid the routing problem, add the Policy Route in ZyWALL USG B:
2. Log in to device A, type command line: ping and ping source , the response now will be:

Is the VPN Routing Priority Higher than 1:1 NAT or Other Routing?
In the default Routing Flow, the priority of Policy Route and 1-1 NAT is higher than that of Site To Site VPN. Therefore, enabling Policy Route and 1-1 NAT may prevent traffic from passing through the VPN tunnel, because all traffic passes through another interface.
Modify Packet Flow Priority
1. To solve the Policy Route issue, please check that the routing configuration does not interrupt the VPN connection.
2. To solve the 1-1 NAT problem, please reorganize the order of the routing priority.
For legacy models with the ZLD 3.30 platform, use the following CLI command:
ip route control-virtual-server-rules activate
For next generation USG/ZyWALL series with the ZLD 4.13 platform, go to CONFIGURATION > Network > NAT, enable Use Static-Dynamic Route to Control 1-1 NAT Route and click Apply.
Go to MAINTENANCE > Packet Flow Explore > Routing Status; the priority of Site To Site VPN is now higher than the 1-1 NAT route.
Collect Information to CSO Support

Topology
Please provide us with the network topology and a detailed description of the failure symptoms.

Packet capture
1. Go to MAINTENANCE > Diagnostics > Packet Capture > Capture, select the interfaces for the VPN tunnels (WAN/LAN) and click the right arrow button to move them to the Capture Interfaces list. Click Capture.
2. Connect the VPN tunnel and wait until the dial times out.
3. Go to MAINTENANCE > Diagnostics > Packet Capture > Capture. Click Stop.
4. Go to MAINTENANCE > Diagnostics > Packet Capture > Files. Select the WAN/LAN captured files and click Download. Provide the files to us.

Log
1. Go to MONITOR > Log and take a screenshot of the error log when initiating the VPN tunnel fails.
Configuration file
1. Go to MAINTENANCE > File Manager > Configuration File. Select the files (.conf) and click Download. Provide the files to us.
8. Cannot set up the L2TP VPN function successfully

8.1. Cannot connect to the ZyWALL via L2TP client

Incorrect L2TP Address Pool
Check the IP Address Pool configured in the L2TP VPN settings. Ensure that the L2TP Address Pool does not conflict with any existing LAN1, LAN2, DMZ, or WLAN zones, even if they are not in use.

Incorrect Local Policy
Phase 2 local policy mismatch
Check Local Policy in the VPN connection. If you use the VPN Setup Wizard to configure VPN settings for L2TP VPN Settings, the local policy of the VPN connection is automatically and correctly configured as the interface IP of My Address. However, if you configure L2TP VPN settings manually without the wizard, ensure the local policy is the same IP address as My Address used for the L2TP VPN connection.
CONFIGURATION > VPN > IPSec VPN > VPN Connection

Incorrect Phase 1 or Phase 2 Settings
1. Phase 1 proposal mismatch
Check the phase 1 settings in the VPN gateway. If you use the VPN Setup Wizard to configure VPN settings for L2TP VPN Settings, phase 1 settings are automatically and correctly configured. However, if you configure L2TP VPN settings manually without the wizard, ensure the phase 1 settings are configured as follows.
2. Phase 1 IKE SA process done but phase 2 proposal mismatch.
Check the phase 2 settings in the VPN connection. If you use the VPN Setup Wizard to configure VPN settings for L2TP VPN Settings, phase 2 settings are automatically and correctly configured. However, if you configure L2TP VPN settings manually without the wizard, ensure the phase 2 settings are configured as follows.
8.2. User cannot be authenticated

In the log, there is an alert log that the user is denied from the L2TP service because of an incorrect username or password. In addition to checking the correctness of the username and password, it is necessary to check if Authentication Method and Allowed User are correctly configured.
MONITOR > Log > View Log > Display > L2TP Over IPSec

Authentication Method
ZyWALL authenticates a remote user before allowing access to the L2TP VPN tunnel according to the authentication method. Ensure the L2TP VPN user belongs to one of the authentication servers or the local database of the configured method list. The default Authentication Method is default, which only contains the local database on the method list. If the L2TP VPN user belongs to an external authentication server, remember to create a new Authentication Method with the corresponding method list.
CONFIGURATION > Object > Auth. Method > Add
CONFIGURATION > VPN > L2TP VPN

Allowed user
A user or group configured as Allowed User is able to log into the ZyWALL to use the L2TP VPN tunnel. Ensure the user or the group to which it belongs is configured as Allowed User. The default Allowed User is "any", which allows any user with a valid username and password to establish an L2TP VPN tunnel. If only a specific group of users has the privilege to establish an L2TP VPN tunnel, remember to create a new group with the specific users and groups.
CONFIGURATION > Object > Users/Group > Group > Add
CONFIGURATION > VPN > L2TP VPN

8.3. Windows service not activated (IKE service)

When establishing an L2TP tunnel, Windows uses the IKE and AuthIP IPSec Keying Modules to encrypt the packets, so these service modules must be enabled on your computer.

If the modules are not enabled, you will see:
1. The tunnel can't be established, and error code 789 is shown. The log shows the reason as: security layer encountered a processing error.
2. If you capture the packets on your PC's NIC and filter for isakmp packets, no packets are transmitted to the L2TP server.

How to enable IKE and AuthIP IPSec Keying Modules
1. Go to Control Panel > System and Security > Administrative Tools > Services and find IKE and AuthIP IPSec Keying Modules. Right click and select Properties to configure the status. Enable IKE and AuthIP IPSec Keying Modules.
8.4. After L2TP VPN tunnel is established, the client can't access the Internet

After establishing the L2TP VPN tunnel, no Internet traffic can pass at all
After you have established the L2TP VPN tunnel successfully, the device assigns an IP address to your PC. Then you can access all of the network resources on the USG without additional configuration. Because Windows has no split tunnel mechanism, your Internet traffic will pass into the L2TP VPN tunnel too. If you do not add an additional policy route, your Internet traffic will time out because there is no response from the Internet server.

After you have established the L2TP VPN tunnel you will see:
1. If there is no problem with your L2TP VPN tunnel configuration, your L2TP VPN network connection icon is shown like the following image.
2. You can also use a CLI command to show your routing table (CLI: route print). An additional routing rule has been added to the routing table automatically. (It means all of the traffic will pass into the L2TP tunnel through the address you received after establishing the L2TP tunnel.)
How to add an additional routing rule for L2TP clients to access the Internet?
1. Go to Configuration > Network > Routing > Policy route and click the Add button.
2. Source Network Address Translation must be set to outgoing-interface. The L2TP client's Internet traffic will then use the interface IP address to access the Internet.
9. If you're not able to configure UTM policies or they are not working

Troubleshooting Flowchart:

Note: After you apply the UTM service, a running session will continue until it's finished.

Check service expiration

Have you subscribed for the UTM service?
If you have not subscribed, go to
If you have subscribed, go to

1. ZyWALL models need a license for UTM (Unified Threat Management) functionality.
2. You need to create a myzyxel.com account before you can register your device and activate the services at myzyxel.com.
3. You need your ZyWALL/USG's serial number and LAN MAC address to register it. Refer to the web site's on-line help for details.

Registration on myzyxel.com 2.0

Account Creation
1 Click the link from the Registration screen of your ZyXEL device's Web Configurator or click the myzyxel.com 2.0 icon from the portal page ( the Sign In screen displays.
2 Click Not a Member Yet to open the Sign Up screen where you can create an account.
myzyxel.com > Not a Member Yet
3 Select Registration Type to create an Individual account or a Business account. An Individual account is for non-commercial end users of ZyXEL products. A Business account is for commercial users; VAT # is required (the requirement varies by country).
Note: The business account can be changed into a channel partner account by an administrator. With a channel partner account, you can register multiple devices and/or services at a time and check service status reports. Contact your sales representative to have a channel partner account.
4 After you click Submit, myzyxel.com 2.0 will send you an account activation notification e-mail. Click the URL link from the e-mail to activate your account and log into myzyxel.com.
5 After activation, sign in to myzyxel.com 2.0 to register or manage your devices and services. If you have a business account, please go to the account page and press the Reseller Request button.
Device Registration
6 Click Device Registration in the navigation panel to open the screen. Use this screen to register your device with myzyxel.com. Enter the device's (first) MAC Address and Serial Number, which can be found on the sticker on the back of the device. Click Submit. If you access myzyxel.com from the Registration screen of your ZyXEL device's Web Configurator, the device MAC Address and Serial Number are displayed automatically.

Service Registration (In the Case of Standard License)
7 Click Service Registration in the navigation panel to open the screen. Fill in the License Key as shown on the E-iCard License.
8 Go to the Service Management page and click the Link button. Select the device, then click the Activate button to initiate the services license. You will get a Service Activation Notice when you activate a new service.

Device Management (In the Case of Registering Bundled Licenses)
9 Go to Device Management and click on the MAC Address hyperlink of your device. In the Linked Services page, click the Activate button to initiate the services license. You will get a Service Activation Notice when you activate a new service.
Refresh Service
10 After the service is activated, please go to the ZyWALL/USG CONFIGURATION > Licensing > Registration > Service and click the Service License Refresh button to update the Status.

Has your UTM service expired?
If your UTM service has expired, go to
If your UTM service hasn't expired, go to
9.1.4 Extend UTM license
11 Go to ZyWALL/USG CONFIGURATION > Licensing > Registration > Service to check the Service Status.
12 Click the link from the Registration screen of your ZyXEL device's Web Configurator or click the myzyxel.com 2.0 icon from the portal page ( the Sign In screen displays.
13 To renew your license, simply click the Buy button in the Service Management page at myzyxel.com. You can also contact your reseller or ZyXEL's local agent for license renewals. If you cannot locate an agent near you, please contact ZyXEL's local support. Local ZyXEL contact information:
14 After the service is extended, please go to the ZyWALL/USG CONFIGURATION > Licensing > Registration > Service and click the Service License Refresh button to update the Status.

Signature Update
The UTM service provides updates to Anti-Virus and IDP / App Patrol. The UTM service involves a number of servers across the world that provide updates to your ZyWALL/USG device. Problems can occur with the connection to the UTM server.
9.2.1 Has your UTM service been updated?
If your UTM service hasn't been updated, go to
If your UTM service has been updated, go to

Update UTM service
1 The ZyWALL/USG comes with signatures for the Anti-Virus, IDP and Application Patrol features. These signatures are continually updated as new attack types evolve. New signatures can be downloaded to the ZyWALL/USG periodically if you have subscribed for the Anti-Virus, IDP and Application Patrol signatures service.
2 Click the Update Now button to have the ZyWALL/USG check for new signatures immediately. If there are new ones, the ZyWALL/USG will then download them.
9.3. Security Policy Direction

For through-ZyWALL/USG policies, select the correct direction of travel of the packets to which the UTM policy applies. For example, if you would like to scan all LAN to WAN and WAN to LAN traffic for viruses, you should create a security policy and select an Anti-Virus profile for scanning traffic from both LAN to WAN and WAN to LAN, or Any to Any.

Is your UTM policy applied to the correct direction?
If your UTM policy is applied to the wrong direction, go to
If your UTM policy is applied to the correct direction, go to

Modify Security Policy direction
3 Go to CONFIGURATION > Security Policy > Policy Control and make sure your UTM policy is applied to the correct direction.
10. Device-HA doesn't work

Troubleshooting Flowchart:
10.1. After Fail-Over, Switch ARP Learning Mode

When Device HA is enabled, the ZyWALL/USG generates a virtual MAC address for the IP address based on the "Cluster ID". If two Device HA groups use the same "Cluster ID", the ZyWALL/USG generates the same MAC address for both Device HA groups. This confuses the switch and causes packet loss. So if there is more than one Device HA group behind the same switch, please use different cluster IDs.

Have you configured the same Cluster ID for the different Device HA groups?
If you have configured the same Cluster ID, go to
If you haven't configured the same Cluster ID, go to

Cluster ID
Go to CONFIGURATION > Device-HA > Activate-Passive Mode > Cluster Setting > Cluster ID. Use a different cluster ID to identify each virtual router. In the following example, ZyWALL/USG A and B form a virtual router that uses cluster ID 1. ZyWALL/USG C and D form a virtual router that uses cluster ID
10.2. Synchronize issue

The Device-HA devices use FTP to synchronize information, VRRP to monitor interface status and a password for authentication. Problems can occur with the connection between the Device-HA devices and with their configuration.

Have you configured the same FTP port for both master and backup devices?
If you haven't configured the same FTP port, continue reading section
If you have configured the same FTP port, go to

1. Go to CONFIGURATION > Device-HA > Activate-Passive Mode > Synchronization > Server Port. If this ZyWALL/USG is set to the Master role, Server Port displays the ZyWALL/USG's Secure FTP port number. If this ZyWALL/USG is set to the Backup role, enter the port number to use for Secure FTP when synchronizing with the specified master ZyWALL/USG.
2. Go to CONFIGURATION > System > FTP in the master device if you need to change the FTP port number. Every ZyWALL/USG in the virtual router must use the same port number. If the master ZyWALL/USG changes, you have to manually change this port number in the backups.
Have you enabled FTP service?
If you haven't enabled the FTP port, continue reading section
If you have configured the FTP port, go to

Select Enable to allow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL/USG using FTP service for Device-HA synchronization.

Does Security Policy block FTP/VRRP services?
If your Security Policy doesn't allow the FTP or VRRP service, continue reading section
If your Security Policy allows the FTP or VRRP service, go to

FTP Service
1. Device-HA devices use FTP to synchronize information. Go to CONFIGURATION > System > FTP on both master and backup devices. Please make sure Service Control allows access to the ZyWALL/USG using FTP service for Device-HA synchronization.
2. Go to CONFIGURATION > Security Policy > Policy Control and make sure the corresponding rule allows access to the ZyWALL/USG using FTP service for Device-HA synchronization.
VRRP Service
1. The Master's monitored VRRP interfaces send the VRRP packet every second. The Backup's monitored VRRP interfaces should detect this kind of packet every second. Once the Backup's VRRP interfaces cannot detect the VRRP packet for three seconds, the Backup will take over. Therefore, you have to make sure VRRP service is allowed for interface monitoring.
2. Go to CONFIGURATION > Security Policy > Policy Control and make sure the corresponding rule allows access to the ZyWALL/USG using VRRP service for Device-HA monitoring.

Does Security Policy block other ports when synchronizing?
If you see from the log that any port is blocked even after FTP service is allowed, continue reading section
If you see from the log that none of the ports is blocked, go to

If you see from MONITOR > Log that any port is blocked even after FTP and VRRP services are allowed, please go to CONFIGURATION > Security Policy > Policy Control and add a corresponding security policy to allow the blocked port.
Have you configured the same synchronization password for both master and backup devices?
If you haven't configured the same synchronization password, continue reading section
If you have configured the same synchronization password, go to
Go to MONITOR > Log. If the log shows alert/ User Failed login attempt to ZyWALL from ftp (incorrect password or inexistent username), it means the Device-HA synchronization password doesn't match. Go to CONFIGURATION > Device-HA > Active-Passive Mode > Synchronization > Password and enter the password used for verification during synchronization. Every ZyWALL/USG in the virtual router must use the same password.

Have you experienced a synchronization hang issue?
1. In some situations the device takes a while to synchronize: Device-HA sync succeeds at first but then hangs for more than 10 minutes. In the following example case, there are over 3800 content filtering rules and the configuration file is 456 KB.
The Device-HA backup device takes around 20 minutes to synchronize.
2. To avoid a similar situation, it is suggested to use the "Auto Synchronize" feature in Device HA. Use the device's management IP address as the server address instead of a virtual IP address. The interval time can be set to 60 minutes.
Subnet conflict
If a VLAN interface subnet overlaps with a Device-HA interface subnet, the ZyWALL/USG will not know which interface it should send the sync information to. Please make sure there is no subnet conflict.
If you have configured a conflicting subnet, continue reading section
If you haven't configured a conflicting subnet, go to 12.3
Go to CONFIGURATION > Network > Interface and make sure your Ethernet and VLAN interface subnets do not overlap with each other.
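The overlap check described under Subnet conflict can be run offline against an export of the interface table before enabling Device-HA. This is an added example, not part of the ZyXEL guide: the interface names, addresses and the "monitored by Device-HA" flag are constructed sample data.

```python
import ipaddress
from itertools import combinations

# Constructed interface table; names and addresses are examples only.
# Fields: name, IP address, subnet mask, monitored by Device-HA?
INTERFACES = [
    ("lan1",   "192.168.1.1",    "255.255.255.0",   True),
    ("vlan10", "192.168.1.129",  "255.255.255.128", False),  # inside lan1
    ("wan1",   "10.0.0.2",       "255.255.255.252", True),
    ("vlan20", "192.168.20.1",   "255.255.255.0",   False),
    ("dmz",    "192.168.20.254", "255.255.254.0",   False),  # /23 covers vlan20
    ("vlan30", "172.16.5.1",     "255.255.0.255",   False),  # invalid mask
]


def load_networks(interfaces):
    """Turn address/mask pairs into networks; collect entries that do not parse."""
    networks, rejected = [], []
    for name, addr, mask, ha_monitored in interfaces:
        try:
            # ip_interface accepts "address/netmask" and derives the network,
            # so a host address such as .129 still maps to its subnet.
            net = ipaddress.ip_interface(f"{addr}/{mask}").network
        except ValueError as exc:
            rejected.append((name, str(exc)))
            continue
        networks.append((name, net, ha_monitored))
    return networks, rejected


def find_conflicts(interfaces):
    """Return (conflicts, rejected).

    Each conflict is (name_a, name_b, net_a, net_b, affects_ha), where
    affects_ha is True when either side is a Device-HA monitored interface,
    the case the guide says breaks synchronization.
    """
    networks, rejected = load_networks(interfaces)
    conflicts = []
    for (name_a, net_a, ha_a), (name_b, net_b, ha_b) in combinations(networks, 2):
        if net_a.overlaps(net_b):
            conflicts.append(
                (name_a, name_b, str(net_a), str(net_b), ha_a or ha_b)
            )
    return conflicts, rejected


if __name__ == "__main__":
    conflicts, rejected = find_conflicts(INTERFACES)
    for name_a, name_b, net_a, net_b, affects_ha in conflicts:
        note = "affects Device-HA sync" if affects_ha else "no HA interface involved"
        print(f"{name_a} {net_a} overlaps {name_b} {net_b} ({note})")
    for name, reason in rejected:
        print(f"{name}: cannot evaluate ({reason})")
```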