ZyWALL/USG Series. Troubleshooting Guide. Security Firewalls. ZyWALL 110 / 310 / 1100


ZyWALL/USG Series
ZyWALL 110 / 310 / 1100
USG40 / USG40W / USG60 / USG60W / USG110 / USG210 / USG310 / USG1100 / USG1900
Security Firewalls
Firmware Version 4.13 ~ 4.15
Edition 1, 8/2016
Troubleshooting Guide

Default Login Details
LAN Port IP Address
User Name: admin
Password: 1234

Copyright 2016 ZyXEL Communications Corporation


1. How to Access the ZyWALL/USG

1.1. Access the ZyWALL/USG by HTTPS

1. Connect a PC to lan1 and open a web browser. Type the login screen appears. Type the user name (default: admin) and password (default: 1234).

1.2. Access the ZyWALL/USG by SSH

1. Connect a PC to lan1 and open PuTTY Configuration. Type into the Host Name and modify the Port number to be the same as your ZyWALL/USG setting (go to CONFIGURATION > System > SSH). Select Configuration Type to be SSH and click Open.

2. The SSH session page appears:

1.3. Access the ZyWALL/USG by TELNET

1. Connect a PC to lan1 and open PuTTY Configuration. Type into the Host Name and modify the Port number to be the same as your ZyWALL/USG setting (go to CONFIGURATION > System > Telnet). Select Configuration Type to be Telnet and click Open.

2. The Telnet session page appears:

1.4. Access the ZyWALL/USG by Console

1. Connect your PC to the console port using a console cable. Open PuTTY Configuration. Type the Serial line number (if you're using a Windows PC, you can find it in Device Manager > Ports) and modify the Speed number to be the same as your ZyWALL/USG setting (go to CONFIGURATION > System > Console Speed, default speed is ). Select Configuration Type to be Serial and click Open.

3. The Console session page appears:

2. Basic Information Collection

2.1. Collect Diagnostic Information File

By GUI

1. Go to MAINTENANCE > Diagnostics > Diagnostics, and click Collect Now.
2. After the collection finishes, click Download.

By CLI

1. Log in to the console as admin, and enter the CLI command below. (Use TeraTerm or PuTTY.)

    Router> diag-info collect

2. After the collection finishes, use the CLI to show the diag-info file name and go to the GUI to download the file.

    Router> show diag-info

Packet Capture

1. Go to MAINTENANCE > Diagnostics > Packet Capture > Capture. Select the interface and click Capture. (A filter condition can be applied if needed.)
2. Go to MAINTENANCE > Diagnostics > Packet Capture > Files, and download the packets.

USB storage

1. Ensure the file system format of the USB device is FAT32.
2. Go to CONFIGURATION > System > USB Storage. Select Active USB Storage service then click Apply.
3. Go to MONITOR > System Status > USB Storage > Storage Information, and check the USB status.
4. What kind of information can be saved on USB storage?

Diagnostic info

Packet capture

System log

3. Hardware Troubleshooting

3.1 Tools and Systems Needed

1. Laptop x 2; 1 connects via console and Ethernet cable for device management, 1 connects via Ethernet cable for basic traffic testing.
2. Console setting:
   Baud rate:
   Data: 8 bit
   Parity: none
   Stop: 1 bit
   Flow control: none
3. Windows 7 Operating System (firewall turned off)
4. USB to RS232 console cable
5. Power cord
6. RJ-45 Ethernet cable

3.2. Prepare Device for Initial Test

1. Prerequisite: Reset the device by pressing the RESET button for 5 seconds while the device is powered on.

RESET button location:
USG40:
USG40W:
USG60:
USG60W:
ZyWALL110/USG110/USG210
ZyWALL310/ZyWALL1100/USG310/USG1100/USG1900

Test 1: Power on the DEVICE, check the PWR LED status.
a. PWR LED stays green: Normal
b. PWR LED doesn't turn on: PWR001 No Power

Test 2: Check the SYS LED status.
a. Wait until the SYS LED turns steady on. The device SYS LED will keep blinking for less than 4 minutes.
b. If the SYS LED keeps blinking for more than 5 minutes: SYS006 Boot failure
c. Recovery: Check the Appendix1.
d. If the device cannot be recovered by the procedure: SYS006 Boot failure
e. SYS LED stays green: Normal

Test 3: Check Port LED status.
a. Laptop1 connects to the DEVICE ports with an Ethernet cable.
b. Port upper right LED is steady on (color is Amber): Normal
c. Port LED cannot turn on: ETH001 Ethernet port dead
d. Port upper left LED blinks aperiodically (color is Green): Normal

Test 4: Check the packet forwarding

USG40/40W, USG60/60W
a. Laptop1 connects to a LAN port with an Ethernet cable.
b. Modify the laptop IP address to , mask
c. Laptop2 connects to another LAN port with an Ethernet cable.
d. Modify the IP address to , mask
e. Laptop1 pings Laptop2 for 30 seconds.
f. If there is no packet loss: Normal
g. If there is ping loss: ETH004 Ethernet port ping packet loss

ZyWALL110/USG110/USG210
a. Laptop1 connects to a LAN port (P4) with an Ethernet cable.
b. Modify the laptop IP address to , mask
c. Laptop2 connects to another LAN port (P5) with an Ethernet cable.
d. Modify the IP address to , mask
e. Laptop1 pings Laptop2 for 30 seconds.
f. If there is no packet loss: Normal
g. If there is ping loss: ETH004 Ethernet port ping packet loss

Test 5: Check WiFi

Model: USG40W/USG60W
a. Laptop1 and Laptop2 try to connect to SSID ZyXEL via WiFi. The laptop WiFi interface settings should be as below:
b. If WiFi connected successfully: Normal
c. If WiFi can't scan or connect to the ZyXEL SSID: WLN004 WLAN Connect failed
d. Laptop1 pings the Laptop2 IP address.
e. Ping success: Normal
f. Ping failed: WLN005 WLAN Ping error (Ping loss)

Test 6: Check USB port

USG40/40W
a. Connect the flash drive to the USB port. Check the USB LED.
b. Steady on Green: Normal
c. LED does not turn on: USB001 USB port dead

USG60/60W/110/210/310/1100/1900, ZyWALL110/310/1100
a. Connect the flash drive to the USB port. Log in to the device GUI, check the device virtual diagram and see if the flash drive can be detected.
b. USB drive can be detected: Normal
c. USB drive can't be detected: USB001 USB port dead

3.3. Firmware Recovery

In some rare situations (symptoms as follows), the ZyWALL/USG might not boot up successfully after a firmware upgrade. The following procedure recovers the firmware to normal condition. Please connect a console cable to the ZyWALL/USG.

1. Symptom:
a. Booting succeeds but the device shows the error message "can't get kernel image" while booting. The device reboots infinitely.
b. Nothing displays after "Press any key to enter debug mode within 3 seconds." for more than 1 minute.
c. The startup message displays "Invalid Recovery Image". The message here could be "Invalid Firmware". However, it is equivalent to "Invalid Recovery Image".

2. Recover steps
a. Press any key to enter debug mode.
b. Enter atkz f l to configure the FTP server IP address.
c. Enter atgof to bring up the FTP server on port 1.
d. The following information shows the FTP service is up and ready to receive the firmware.
e. You will use FTP to upload the firmware package. Keep the console session open in order to see when the firmware update finishes.
f. Set your computer to use a static IP address from ~ No matter how you have configured the ZyWALL/USG's IP addresses, your computer must use a static IP address in this range to recover the firmware.
g. Connect your computer to the ZyWALL/USG's port 1 (the only port that you can use for recovering the firmware).
h. Use an FTP client on your computer to connect to the ZyWALL/USG. This example uses the ftp command in the Windows command prompt. The ZyWALL/USG's FTP server IP address for firmware recovery is
i. Log in without user name (just press enter).
j. Set the transfer mode to binary. Use bin (or just bi in the Windows command prompt).
k. Transfer the firmware file from your computer to the ZyWALL/USG (the command is put <firmware filename> in the Windows command prompt).
l. Wait for the file transfer to complete.
m. The console session displays "Firmware received" after the FTP file transfer is complete. Then you need to wait while the ZyWALL/USG recovers the firmware (this may take up to 4 minutes). The message here might be "ZLD-current received". It is equivalent to "Firmware received".
n. The console session displays "done" when the firmware recovery is complete. Then the ZyWALL/USG automatically restarts.
o. The username prompt displays after the ZyWALL/USG starts up successfully. The firmware recovery process is now complete and the ZyWALL/USG is ready to use.

If one of the following cases occurs, you need to do the firmware recovery process again. Note that if the process has been done several times but the problem remains, please collect all the console logs and send them to ZyXEL/USG for further analysis.

If one of the following messages appears on the console, the process must be performed again.

    /bin/sh: /etc/zyxel/conf/zldconfig: No such file
    Error: no system default configuration file, system configuration stop!!

4. Device Reboot Randomly

4.1. Collecting more debug message

If your device reboots randomly and upgrading to the latest firmware does not help, follow this section to collect more debug information, then provide this information to the ZyXEL support team.

Collecting console log

1. Connect the serial cable between your PC and the device serial port.
2. Install TeraTerm on your PC. (
3. Run TeraTerm, select the correct port and baud rate, and click OK to start the session. (USG default baud rate is: )
4. Click File > log to save all of the logs displayed in the window.
5. Enter the debug kernel console-level 8 command to collect more debug messages.
6. Enter the show app-watch-dog monitor-list command to show which daemons are monitored.
7. After these steps the device prints most debug logs to your PC, and TeraTerm saves this information directly. Please do not close the session until the device reboots itself again.

Collecting diag-info

1. Once the device has rebooted itself again, log in to the device Web GUI and go to MAINTENANCE > Diagnostics > Diagnostics tab > Collect. Click the Collect now button to collect the diag-info. (It will take around 3~5 minutes.)
2. After the process is done, the file name is shown on the GUI (with the collecting time). Then click the Download button to download it.

3. Provide the console logs and diag-info files to ZyXEL support.

5. Cannot Access to the Device

5.1. Firewall Rule

Security Policies are grouped based on the direction of travel of the packets to which they apply. The ZyWALL/USG has the following default Security Policy behavior for traffic going through the ZyWALL/USG in various directions. Policies with Device as the To Zone apply to traffic going to the ZyWALL/USG itself. By default:

a. The Security Policy allows only LAN, or WAN computers to access or manage the ZyWALL/USG.
b. The ZyWALL/USG allows DHCP traffic from any interface to the ZyWALL/USG.
c. The ZyWALL/USG drops most packets from the WAN zone to the ZyWALL/USG itself and generates a log, except for Default_Allow_WAN_To_ZyWALL (AH, ESP, GRE, HTTPS, IKE, NATT).

If you are not able to access the ZyWALL/USG by HTTPS

1. Connect a console cable to the ZyWALL/USG. Type the following command to disable the firewall rule in order to log in to the device via https and check what is wrong in the configuration:

2. If you are not able to access the ZyWALL/USG via the public IP: check whether the policy allows WAN access to the ZyWALL/USG. Please also make sure the Service allows HTTPS; you can move the mouse pointer over the service object and check whether HTTPS is included in the service group.

CONFIGURATION > Security Policy > Policy Control

3. If you want to add a new service object to the Service Group, go to CONFIGURATION > Object > Service > Service Group and double click on the group you want to edit. Move the services you want available to the ZyWALL/USG to Member. Click OK.

CONFIGURATION > Object > Service > Service Group

4. If you are not able to access the ZyWALL/USG via the LAN IP: check whether the policy allows LAN access to the ZyWALL/USG.

CONFIGURATION > Security Policy > Policy Control

If you are not able to access the ZyWALL/USG by SSH

1. Go to CONFIGURATION > Security Policy > Policy Control and check whether you have added a To ZyWALL rule that allows the SSH service.

CONFIGURATION > Security Policy > Policy Control

2. If it is not yet created, click Add and create a To ZyWALL rule that allows the SSH service:

CONFIGURATION > Security Policy > Policy Control > Add corresponding

3. If the Security Policy is created but you still cannot access the ZyWALL, go to CONFIGURATION > System > SSH to check that Enable is selected in the General Settings, and make sure the Service Port is correct and the same as in your terminal program. Then check that the Service Control Action is Accept.

CONFIGURATION > System > SSH

If you are not able to access the ZyWALL/USG by TELNET

1. Go to CONFIGURATION > Security Policy > Policy Control and check whether you have added a To ZyWALL rule that allows the TELNET service.

CONFIGURATION > Security Policy > Policy Control

2. If it is not yet created, click Add and create a To ZyWALL rule that allows the TELNET service:

CONFIGURATION > Security Policy > Policy Control > Add corresponding

3. If the Security Policy is created but you still cannot access the ZyWALL, go to CONFIGURATION > System > TELNET to check that Enable is selected in the General Settings, and make sure the Service Port is correct and the same as in your terminal program. Then check that the Service Control > Action is Accept.

CONFIGURATION > System > TELNET

5.2. DHCP (IP/MAC Binding)

People want to use IP/MAC binding for the LAN users because it makes the users easier to manage. However, if a client cannot access the device with a static IP and the device gives the error Drop packet lan :1e:33:29:bb:fc, there may be an issue in the DHCP setting.

Check DHCP Setting

1. Go to CONFIGURATION > Interface > Ethernet > Lan1 > IP/MAC Binding. Look at the Static DHCP Table and ensure the computer's IP and MAC address are in the list.
2. If this IP/MAC is not in the IP/MAC Binding list, DHCP (IP/MAC Binding) will reject the traffic which from
3. To add the IP/MAC to the Binding list, go to CONFIGURATION > Interface > Ethernet > Lan > IP/MAC Binding > Add or Edit.
4. Another way is to add this IP/MAC address to the Exempt List: go to CONFIGURATION > Network > IP/MAC binding > Exempt List.

Note: If IP/MAC binding is enabled, traffic with the following IP address sources will also be allowed to pass through the ZyWALL/USG:

a. DHCP offered Dynamic IP
b. User manually configured IP which matches static DHCP table
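
The allow/drop decision described in section 5.2, modelled in Python so that a list of LAN clients can be checked against the binding data before it is enabled. This is an added example, not ZyXEL code: the class and function names, the 192.0.2.x addresses and the MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address


def norm_mac(mac):
    """Normalise a MAC to lower-case colon form so 02-00-.. and 02:00:.. compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Binding:
    """The three data sets section 5.2 refers to, for one interface."""
    static_dhcp: dict = field(default_factory=dict)     # ip -> mac, Static DHCP Table
    dynamic_leases: dict = field(default_factory=dict)  # ip -> mac, DHCP-offered addresses
    exempt_ranges: list = field(default_factory=list)   # (first_ip, last_ip), Exempt List

    def bind(self, ip, mac):
        self.static_dhcp[ip_address(ip)] = norm_mac(mac)

    def lease(self, ip, mac):
        self.dynamic_leases[ip_address(ip)] = norm_mac(mac)

    def exempt(self, first, last):
        self.exempt_ranges.append((ip_address(first), ip_address(last)))

    def check(self, ip, mac):
        """Return (allowed, reason) for traffic from this source IP and MAC."""
        ip, mac = ip_address(ip), norm_mac(mac)
        if any(lo <= ip <= hi for lo, hi in self.exempt_ranges):
            return True, "exempt-list"
        if self.dynamic_leases.get(ip) == mac:
            return True, "dhcp-dynamic"
        if self.static_dhcp.get(ip) == mac:
            return True, "static-dhcp"
        # Everything else is dropped; the reason tells the admin which entry to fix.
        if ip in self.static_dhcp:
            return False, "static entry for this IP has a different MAC"
        if mac in self.static_dhcp.values():
            return False, "MAC is bound to a different IP"
        return False, "not in Static DHCP Table or Exempt List"


def audit(binding, observed):
    """Return (ip, mac, reason) for every observed client that would be dropped."""
    dropped = []
    for ip, mac in observed:
        allowed, reason = binding.check(ip, mac)
        if not allowed:
            dropped.append((ip, mac, reason))
    return dropped


def sample_binding():
    """Constructed sample data, not taken from a real device."""
    b = Binding()
    b.bind("192.0.2.10", "02:00:00:00:00:0a")        # workstation with static DHCP entry
    b.lease("192.0.2.50", "02:00:00:00:00:32")       # address handed out by DHCP
    b.exempt("192.0.2.200", "192.0.2.210")           # e.g. printers left out of binding
    return b


# Constructed client list: (source IP, source MAC) as seen on the LAN.
OBSERVED = [
    ("192.0.2.10", "02-00-00-00-00-0A"),   # static entry, other MAC notation
    ("192.0.2.10", "02:00:00:00:00:0b"),   # right IP, wrong MAC
    ("192.0.2.11", "02:00:00:00:00:0a"),   # bound MAC using a different manual IP
    ("192.0.2.50", "02:00:00:00:00:32"),   # dynamic lease
    ("192.0.2.77", "02:00:00:00:00:4d"),   # manual IP, never registered
    ("192.0.2.205", "02:00:00:00:00:cd"),  # inside the exempt range
]

if __name__ == "__main__":
    for row in audit(sample_binding(), OBSERVED):
        print("would be dropped:", *row)
```
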

6. Cannot Access to the Device

WWW

To allow the ZyWALL/USG to be accessed from a specified computer using a service, make sure you do not have a service control rule or to-ZyWALL/USG security policy rule that blocks that traffic. If a customer cannot log in to the USG, there might be a configuration issue on the USG.

6.1. Port Issue

Issue description

User cannot access ZyWALL/USG by http or or

Solution

1. HTTP example: Make sure of the https or http port numbers. Check the port numbers via console. Type configure terminal, then show ip http server status. The port information for http is displayed.

HTTP example

As we can see the Server Port number is 1111, so the login IP address should be

2. HTTPS example: Type configure terminal, then show ip http server secure status. The port information for https is displayed.

HTTPs example

As we can see the Server Port number is 2000, so the login IP address should be

6.2. Admin Service Control Issue

Issue description

The user cannot log in to the USG: after filling in the login information and pressing Login, the system displays Login denied.

Solution

1. User needs to make sure that the User Name and Password are correct.
2. User needs to make sure that the did not block by Admin service control
3. Client can check it via console. Type the command: configure terminal, then show ip http server secure status
4. As we can see the Lan2 ( already denied by admin service control, so user cannot log in via Lan2.
5. Users can switch the network cable to another LAN and modify the configuration as needed. Go to CONFIGURATION > System > WWW > Service Control, remove Lan2 deny.
6. After the modification, the user can access the USG via Lan2.
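
Sections 5.1 and 6.2 check three layers in turn: the To-ZyWALL security policy, the service's general settings (enabled, port), and its service control action. The following added example, which is not ZyXEL code, models those layers so that a planned configuration can be checked for which layer would stop a management login. Assumptions: the rule and zone names other than Default_Allow_WAN_To_ZyWALL, the sample settings, and first-match evaluation in list order.

```python
from dataclasses import dataclass, field

# Services the page lists for the default rule Default_Allow_WAN_To_ZyWALL.
DEFAULT_ALLOW_WAN_TO_ZYWALL = frozenset({"AH", "ESP", "GRE", "HTTPS", "IKE", "NATT"})


@dataclass
class PolicyRule:
    """One security policy whose To zone is the device itself."""
    name: str
    from_zone: str        # zone name, or "any"
    services: frozenset   # service names, or {"any"}
    action: str           # "allow" or "deny"

    def matches(self, zone, service):
        zone_ok = self.from_zone in ("any", zone)
        service_ok = "any" in self.services or service in self.services
        return zone_ok and service_ok


@dataclass
class ServiceSettings:
    """CONFIGURATION > System > <service>: general settings plus Service Control."""
    enabled: bool
    port: int
    control: list = field(default_factory=list)  # ordered (zone, action) entries


def diagnose(rules, settings, service, zone, client_port):
    """Return (layer, finding) for each layer that stops the login; [] means reachable."""
    findings = []

    # Layer 1: security policy. Assumption: the first matching rule in list order
    # decides, and traffic that matches no rule is not allowed.
    rule = next((r for r in rules if r.matches(zone, service)), None)
    if rule is None:
        findings.append(("security-policy", f"no To-ZyWALL rule allows {service} from {zone}"))
    elif rule.action != "allow":
        findings.append(("security-policy", f"rule {rule.name} denies {service} from {zone}"))

    # Layer 2: the service must be enabled and listen on the port the client uses.
    if not settings.enabled:
        findings.append(("service", f"{service} is not enabled in General Settings"))
    elif settings.port != client_port:
        findings.append(("service", f"{service} listens on {settings.port}, client used {client_port}"))

    # Layer 3: service control. Only an explicit non-accept entry is reported; what
    # the device does when no entry matches is not stated on the page.
    for ctl_zone, action in settings.control:
        if ctl_zone in ("ALL", zone):
            if action != "accept":
                findings.append(("service-control", f"{zone} is denied by service control"))
            break
    return findings


def layers(findings):
    """Just the layer names, in the order they were checked."""
    return [layer for layer, _ in findings]


def sample_rules():
    """Constructed To-ZyWALL policy list; only the WAN rule name comes from the page."""
    return [
        PolicyRule("LAN1_to_Device", "LAN1", frozenset({"any"}), "allow"),
        PolicyRule("LAN2_to_Device", "LAN2", frozenset({"any"}), "allow"),
        PolicyRule("Default_Allow_WAN_To_ZyWALL", "WAN", DEFAULT_ALLOW_WAN_TO_ZYWALL, "allow"),
    ]


# Constructed settings. Port 2000 and the Lan2 deny mirror the example in section 6.2.
SSH = ServiceSettings(enabled=True, port=22, control=[("ALL", "accept")])
HTTPS = ServiceSettings(enabled=True, port=2000, control=[("LAN2", "deny"), ("ALL", "accept")])

if __name__ == "__main__":
    cases = [(SSH, "SSH", "WAN", 22), (HTTPS, "HTTPS", "LAN2", 443), (HTTPS, "HTTPS", "WAN", 2000)]
    for case in cases:
        print(case[1:], diagnose(sample_rules(), *case) or "reachable")
```
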

6.3. OSPF Routing Issue

Unable to distribute routes to the connected device

1. Area Setting
Check if the Area ID, Type and Authentication Key are correctly configured. Ensure these same settings are also correctly configured on the connected device which would like to get routes from the ZyWALL.

CONFIGURATION > Network > Routing > OSPF > Area

2. OSPF setting in the interface
Select the correct Area ID and Authentication in the appropriate interfaces.

CONFIGURATION > Network > Interface > Ethernet > Advanced Settings > OSPF Setting

Unable to get routes from the connected device

1. Area Setting
Check if the Area ID, Type and Authentication Key are correctly configured. These settings must be the same as those on the connected device from which the ZyWALL would like to get routes.

CONFIGURATION > Network > Routing > OSPF > Area

2. OSPF setting in the interface
Select the correct Area ID and Authentication in the appropriate interfaces.

CONFIGURATION > Network > Interface > Ethernet > Advanced Settings > OSPF Setting

3. OSPF service in the policy control
Ensure the OSPF service is allowed in the policy control. From: any; To: ZyWALL; Service: OSPF; access: allow

CONFIGURATION > Security Policy > Policy Control > Add

6.4. Cannot access internet (session full/firewall block)

Session full

1. Once a client has reached the maximum number of sessions, it is not allowed to connect to the interface or GUI. You may need to use the serial port to enter the command line as below.
2. In the CLI you can use show logging entries category sessions-limit to check whether the client is blocked by the session limit, or show logging entries keyword <client IP> to see whether there are logs regarding this computer.
3. You can disable session-limit temporarily once you see the maximum session per host message.
4. In the device GUI, go to Monitor > Log > log display, select Sessions Limit, and check whether the client is blocked because of the session limit. The GUI monitor shows that the client has reached the maximum session threshold.
5. You can go to Configuration > Security Policy > Session Control to change the setting or set the threshold for the specific client.

Firewall block

1. The service will be blocked by the firewall if the security policy is not set appropriately.
2. The security policy depends on the Zone setting.
3. Go to MONITOR > Log. In this example, Category > Security Policy Control shows the FTP service of a LAN2 client as ACCESS BLOCKED by the firewall.
4. Please also check the Zone configuration at CONFIGURATION > Object > Zone. Use Object Reference to see where those objects are used and their priority in the security policy.
5. In this case the client PC ( ) is included in the Zone LAN2.
6. The Zone LAN2 object is referenced by the security policy. Most of the time, failing to reach an external service is caused by a misconfigured firewall rule that restricts the wrong subnet in the wrong zone.

6.5. Cannot access internet (anti-spam)

The Anti-Spam feature can mark or discard spam (unsolicited commercial or junk e-mail). Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL/USG can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers. If you cannot receive/send e-mail through the ZyWALL/USG, follow the steps below to troubleshoot.

If you are not able to receive/send e-mails via ZyWALL/USG

1. Connect to the web GUI of the ZyWALL/USG. Go to CONFIGURATION > Security Policy > Policy Control.
2. Check the Security Policy setting to ensure the mail protocols (SMTP/POP3/SMTPs/IMAP4) are allowed.
3. Ensure the receiver/sender IP address is allowed.
4. Connect to the web GUI of the ZyWALL/USG. Go to MONITOR > UTM Statistics > Anti-Spam > Status.
5. Check whether Concurrent Mail Session Scanning is full or not.

Must be collected information

1. Configuration
2. Diaginfo
3. Remote access
4. Mail server protocol

7. Cannot Set Up the IPSec VPN Function Successfully

There are many different scenarios when establishing a VPN tunnel. You can follow these maps to find your scenario. Each scenario lists issues that may match what you have met, and you can follow this guide to find the symptom in your environment.

7.1. VPN connection cannot be established

If facing the VPN connection problem, here are the possible root causes:

1. Pre-shared key mismatch.
2. SA proposal mismatch.
3. Local/remote policy mismatch.
4. Firewall rule block.

If the VPN tunnel cannot be established:

1. Navigate to MONITOR > Log.
2. Select the IKE category.
3. Check the authentication method, local/peer policy, and SA proposal in phase 1 and phase 2.
4. Make sure that the firewall rule does not block the IKE service from LAN or WAN to Device.

If you have a connection problem, check the log IKE category for more information.

1. Pre-shared key mismatch
2. Proposal mismatch in phase 1
3. Proposal mismatch in phase 2
4. Local policy mismatch on phase 2
5. If you are using Local/Peer ID, please check that it is correct.

Local site:

Remote site

6. Make sure that the LAN and WAN to Device policies allow the IKE service.

7.2. Cannot establish VPN tunnel via 3GLTE interface

Troubleshooting Flowchart:

Is the Dongle Included in ZyWALL/USG Support List?

If it's not supported, go to
If it's supported, go to

If the dongle is not included in the support list, it may have a compatibility issue. Therefore, please change to a supported dongle.

Change to Supported Dongle

Please go to Search by Model Number > Firmware > 3G Dongle Document to see the latest supported 3G cards.

Is the Cellular Status Ready?

If it's not ready, go to
If it's ready, go to

When you plug the 3G dongle into the device, it automatically creates a cellular interface, but the default status is inactive. Please make sure the cellular interface is activated and the status is ready.

Activate Cellular Status and Check ISP Account Settings

Activate Cellular Status

1. Go to CONFIGURATION > Interface > Cellular. The connected device is automatically displayed in the Cellular Interface Summary. Click Activate and then the Apply button at the bottom of this page.
2. Go to MONITOR > System Status > Cellular Status, and make sure the Status is Device ready and the Signal Quality is good.

Check ISP Account

If the dongle cannot successfully connect to the ISP, check the following reasons:

1. Misconfiguration of the dongle (if you buy a 3G card from overseas, it might store some default configuration of the original ISP)
2. No SIM or incorrect SIM
3. PIN lock
4. Parameter issue
5. Signal strength is weak

Is the Connectivity Set to Nailed-Up?

The default Connectivity method is Nailed-Up. The connection should always be up after you activate the cellular interface. If you disable Nailed-Up and set the Idle timeout value to zero or only a few seconds, the VPN tunnel will disconnect if you do not dial up the cellular connection or when there is no traffic for a few seconds.

Modify Connectivity Setting

1. If you want the connection to always be up, go to CONFIGURATION > Interface > Cellular > Connectivity, check Nail-Up.
2. If you want the connection up only when there is traffic, go to CONFIGURATION > Network > Interface > Cellular > Connectivity, uncheck Nail-Up and set Idle timeout to be.

Is the Cellular Interface Included in the WAN Trunk?

If you do not include the cellular interface in the WAN Trunk, the ZyWALL/USG does not send traffic through the interface as part of the trunk.

Modify Trunk

1. If you're using SYSTEM_DEFAULT_WAN_TRUNK, go to CONFIGURATION > Network > Trunk > System Default. Please make sure the cellular interface is included as a member of System Default.
2. If you're using a User Configured Trunk, go to CONFIGURATION > Network Trunk > User Configuration. Please make sure the cellular interface is included as a member of User Configuration.

Is there Any Routing Policy Related to WAN Interface?

Once a packet matches the criteria of a routing rule, the ZyWALL/USG takes the corresponding action and does not perform any further flow checking. Since the default priorities of Policy Route and 1-1 NAT are higher than those of VPN and the Default WAN Trunk, internet access from the internal network might go out through another WAN interface rather than the cellular interface.

Check Routing Policy

Policy Route

1. Go to CONFIGURATION > Network > Policy Route, and make sure the Next-Hop for the VPN tunnel you want to establish over the cellular interface is not another WAN interface. You can configure the Next-Hop to be Trunk or the cellular interface.

NAT

1. Go to CONFIGURATION > Network > NAT, and make sure the mapping rules do not conflict with the cellular interface and VPN tunnel.

Collect Information to CSO Support

Topology

1. Access the ZyWALL/USG's CLI and issue the commands below:

    Router> configure terminal
    Router(config)# _cellular debug enable

2. Insert the 3G card into the ZyWALL/USG and wait for 2 minutes.
3. Access the ZyWALL/USG's CLI and issue the commands below:

    Router(config)# _cellular dump daemon-data
    Router(config)# _cellular cat daemon-log
    Router(config)# exit
    Router> show interface cellular status
    Router> show interface cellular device-status
    Router> debug interface ifconfig cellular1
    Router# diag-info collect
    Please wait, collecting information (it may take 7-10 minuts)
    Router# show diag-info (check whether the collection is done)
    Filename : diaginfo tar.bz2
    File size : 3260 KB
    Date : :51:38

4. Save all of the information after you enter these commands and get the diag-info file via ftp or web GUI.
5. Send the above information to the support team.

67 7.3. VPN fallback is not working The VPN tunnel has establish VPN tunnel successfully, but tunnel can t fallback to primary peer gateway If your scenario is like this topology: One of USG are with 2 interface, and one USG is one interface. On USG#A, the primary interface is WAN1 and secondary interface is WAN2. When USG#A WAN1 interface is dead, then USG#B will triggering the VPN tunnel to WAN2 interface. After USG#B established VPN tunnelto USG#A s WAN2 interface, the VPN tunnel still works fine and without problem. But VPN tunnel can t fallback to WAN1 when WAN1 connection is back Verify configuration 1. VPN Gateway setting on USG#A: In VPN Gateway setting, My Address must be It means the My address would be one of the interface IP address which is alive. 67/147

2. On USG#A, make sure the WAN1 interface is primary and the WAN2 interface is secondary. Go to CONFIGURATION > Network > Interface > Trunk > User Configuration and click the Add button to add a customized trunk. The WAN1 interface is Active and the WAN2 interface is Passive.

3. Then apply this object as the default WAN trunk.
4. VPN Gateway setting on USG#B: In the VPN Gateway setting, enter USG#A's WAN1 and WAN2 interfaces. Fall back to Primary Peer Gateway when possible must be enabled. (In this example, USG#B checks the status of the primary gateway IP address every 300 seconds.)
5. Enter the fallback command on USG#B: On USG#B you must enter the client-side-vpn-failover-fallback activate command in the CLI.

7.4. Cannot set up the IPSec VPN function by VPN provision successfully

Configuration is successful but the field Remote Gateway Address is empty
1. Check My Address of the VPN gateway: If you select Express when using the VPN Setup Wizard to configure VPN Settings for Configuration Provisioning, wan1 will be My Address by default. If wan1 is not used for VPN provisioning, select the correct interface for provisioning.

CONFIGURATION > VPN > IPSec VPN > VPN Gateway

Authentication Failed

1. Check that the login account and password are correctly configured on the ZyWALL IPSec VPN Client.
MONITOR > Log > View Log > User
2. The account must be configured as the Allowed User.
CONFIGURATION > VPN > IPSec VPN > Configuration Provisioning

Server Not Found
3. Check the Gateway Address configured on the ZyWALL IPSec VPN Client. The address must be the same as My Address in CONFIGURATION > VPN > IPSec VPN > VPN Gateway > WIZ_VPN_PROVISIONING.
CONFIGURATION > VPN > IPSec VPN > VPN Gateway

7.5. IPSec VPN Client on Win10 Operating System

Enterprises need to have remote access to the company's applications and servers quickly, easily and securely. The VPN Client enables employees to work from home or on the road, and IT managers to connect in remote desktop sharing to the enterprise infrastructure. The VPN Client offers a range of features from simple authentication via simple login to advanced full PKI integration capabilities.

Can't use IPSec VPN client on Win10 system

Customers want to access the company's servers or applications remotely, so the IPSec VPN Client software is one of their best choices. However, if a customer cannot use the IPSec VPN Client on Win10, there may be an issue in the configuration. Please follow the steps below to troubleshoot the problem.

The vital configuration of the IPSec Client on Win10
1. On the VPN Gateway, make sure the pre-shared key is the same as on the IPSec VPN client.
2. On the VPN connection, select Server Role and make sure the Local policy and Phase 2 settings are the same as the IPSec VPN client's.

Wireless possible issue symptoms

The issue on Pre-shared key
1. After configuration, the IPSec VPN client session still cannot be established. The client can recognize what kind of issue it is from the log message.

MONITOR > Log > Select IKE on Display field
2. The client can see the log message and know that the issue is with the pre-shared keys. Double check the pre-shared key on the ZyWALL/USG side and on the ZyWALL IPSec VPN Client side. Go to Configuration > VPN Gateway > Edit > Pre-Shared Key, the pre-shared key is
Move to the ZyWALL IPSec VPN Client and go to Ikev 1 Gateway > Authentication > Preshared Key. Change the Key to

4. After the change, the IPSec VPN client connection is established.

The issue on Phase 1 setting
1. When the log message displays No proposal chosen, the client needs to double check the settings on the ZyWALL/USG and on the IPSec VPN client. Go to MONITOR > Log > Select IKE on Display field.
2. Otherwise, the client can also tell which misconfiguration caused the issue: the user can see P1 Algorithm mismatch.

3. The client needs to double check both sides.

The issue on Phase 2 setting
1. When the log message displays Phase 2 Proposal mismatch and No proposal chosen, the client needs to double check the settings on the ZyWALL/USG and on the IPSec VPN client. Go to MONITOR > Log > Select IKE on Display field.
2. Otherwise, the client can also tell which misconfiguration caused the issue: the user can see P2 Algorithm mismatch.

3. The client needs to make sure the Phase 2 setting and ESP match on both sides.
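The Phase 1 and Phase 2 mismatches above both mean that the two peers have no proposal in common. The following Python sketch is an added example, not ZyXEL code: it compares proposals typed in from the gateway and the client and names the field that differs. The algorithm names and sample settings are constructed for illustration.

```python
from dataclasses import dataclass, fields
from itertools import product
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    """One IKE proposal as read off either side's configuration screen."""
    encryption: str
    authentication: str
    key_group: str  # Phase 1 key group, or Phase 2 PFS group ("none" if PFS is off)

    def canonical(self) -> "Proposal":
        # Ignore case, spaces and hyphens so "aes-128" and "AES128" compare equal.
        return Proposal(*(
            getattr(self, f.name).replace("-", "").replace(" ", "").upper()
            for f in fields(self)
        ))


def negotiate(offered: List[Proposal], accepted: List[Proposal]) -> Optional[Proposal]:
    """Return the first offered proposal the responder also has, else None."""
    acceptable = {p.canonical() for p in accepted}
    for p in offered:
        if p.canonical() in acceptable:
            return p.canonical()
    return None


def closest_mismatch(offered: List[Proposal], accepted: List[Proposal]) -> List[str]:
    """For the offered/accepted pair that differs in the fewest fields, list those fields."""
    best: Optional[List[str]] = None
    for o, a in product(offered, accepted):
        oc, ac = o.canonical(), a.canonical()
        diff = [
            f"{f.name}: client={getattr(oc, f.name)} gateway={getattr(ac, f.name)}"
            for f in fields(Proposal)
            if getattr(oc, f.name) != getattr(ac, f.name)
        ]
        if best is None or len(diff) < len(best):
            best = diff
    return best or []


def diagnose(phase: str, offered: List[Proposal], accepted: List[Proposal]) -> str:
    """One-line explanation for a phase: the match, or what to fix."""
    if not offered or not accepted:
        return f"{phase}: one side has no proposal configured"
    chosen = negotiate(offered, accepted)
    if chosen:
        return f"{phase}: match on {chosen.encryption}/{chosen.authentication}/{chosen.key_group}"
    return f"{phase}: no proposal chosen; nearest pair differs in " + "; ".join(
        closest_mismatch(offered, accepted))


# Constructed sample settings (not from the guide).
CLIENT_P1 = [Proposal("AES128", "SHA256", "DH2")]
GATEWAY_P1 = [Proposal("3DES", "SHA1", "DH2"), Proposal("aes-128", "sha1", "DH2")]
CLIENT_P2 = [Proposal("AES128", "SHA1", "DH2")]      # PFS enabled on the client
GATEWAY_P2 = [Proposal("AES128", "SHA1", "none")]    # PFS disabled on the gateway

if __name__ == "__main__":
    print(diagnose("Phase 1", CLIENT_P1, GATEWAY_P1))
    print(diagnose("Phase 2", CLIENT_P2, GATEWAY_P2))
```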

7.6. Cannot set up the IKEv2 VPN tunnel successfully

IKEv2

A PC with the IPSec VPN Client establishes an IKEv2 VPN tunnel with the USG. The PC passes all traffic into the tunnel, and the USG forwards the traffic to the internet or to the LAN server. If the scenario does not work in your environment, please follow the steps below:

If IKEv2 traffic does not work at all from your PC

Connect to the web GUI of the ZyWALL/USG. Go to MONITOR -> VPN Monitor -> IPSec. Check if the IKEv2 tunnel is alive.

If the IKEv2 tunnel is not up
1. Connect to the USG and compare its settings with the VPN client to ensure the configurations are all correct.
2. Since the PC will send all traffic into the tunnel, the local policy of the USG should be any( ).

3. Configure the IPSec VPN Client IP address as (Owner can assign a specific IP address for the client. This IP address will be used in policy route to separate the traffic.)


4. Make sure Disable Split Tunneling is checked.

VPN tunnel is up, but no traffic passes through the USG to the internet

Connect to the USG and go to CONFIGURATION > Network > Routing > Policy route. Ensure there are routes that separate the traffic from the IKEv2 tunnel to the internet and to the LAN server.
1. First policy route rule: From the IKEv2 IP address to the LAN server, Next-Hop: LAN1
2. Second policy route rule: From the IKEv2 IP address to the internet, Next-Hop: WAN1, SNAT: outgoing-interface

Must be collected information
1. Configuration of ZyWALL/USG and IPSec VPN Client
2. The version of IPSec VPN Client
3. The diaginfo of VPN Client
4. The console log of VPN Client

7.7. VPN concentrator with the problem

A VPN concentrator combines several IPSec VPN connections into one secure network. A VPN concentrator reduces the number of VPN connections that you have to set up and maintain in the network. You might also be able to consolidate the policy routes in each spoke router, depending on the IP addresses and subnets of each spoke.

Consider the following when using the VPN concentrator.
1 The local IP addresses configured in the VPN rules should not overlap.
2 The concentrator must have at least one separate VPN rule for each spoke. In the local policy, specify the IP addresses of the networks with which the spoke is to be able to have a VPN tunnel. This may require you to use more than one VPN rule for each spoke.
3 To have all Internet access from the spoke routers go through the VPN tunnel, set the VPN rules in the spoke routers to use (any) as the remote IP address.
4 The VPN must be Site-to-Site VPN.

If the scenario does not work in your environment, please follow the steps below:

Site-to-Site VPN tunnel is up: Connect to USG, and ensure the VPN tunnel configuration is correct.
1 VPN tunnel between Central side and Branch side 1
2 Branch side 1 to Central side VPN setting (enable Nailed-Up)


Central side to Branch side 1 VPN setting

VPN tunnel between Central side and Branch side 2
Branch side 2 to Central side VPN setting (enable Nailed-Up)

Central side to Branch side 2 VPN setting

VPN Concentrator on Central side
Go to CONFIGURATION > VPN > IPSec VPN > Concentrator, and check if both tunnels are selected.

Policy route on both branch sides
Check that there are policy routes to route the traffic for the other branch into the tunnel to the central side.
1 On Branch side 1
2 On Branch side

Must be collected information
1. Configurations
2. Diaginfo
3. Topology

7.8. IPSec VPN tunnel was established successfully, but the traffic can't pass through the tunnel

Troubleshooting Flowchart:

Is the PC Firewall Disabled?

In some operating systems, the firewall may by default block protocols required for the VPN connection and ping check (ICMP Echo Request). Therefore, you have to make sure your PC firewall allows the VPN and ping check traffic.

7.8.2 Does the PC Firewall Allow VPN/ICMP Traffic?

IP forwarding must be enabled at the firewall for the following IP protocols and UDP ports:
1. IP Protocol Type=50 <- Used by data path (ESP)
2. IP Protocol Type=51 <- Used by data path (AH)
3. IP Protocol Type=UDP, UDP Port Number=500 <- Used by IKEv1 (IPSec control path)
4. IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv1 (IPSec control path)
5. IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv2 (IPSec control path)

Modify PC Firewall Setting
1. To configure the network to accept access, open Control Panel > Network and Sharing Center. Click on Change adapter settings.

2. Press Alt + F and click on New Incoming Connection.
3. A wizard will open. In the first step, mark the users whom you want to allow to use your connection.

4. Put a mark on Through the internet and click Next.
5. Select the protocols you want to connect with, and double click on Internet Protocol Version 4 (TCP/IPv4).

6. In the screen that appears, ensure that the Properties are set the same as shown in the image below. Click OK.
7. Click Allow access.

8. Now you will see the last step of the wizard. Click on Close to finish it, but remember to note down the computer's name as it will be used when you connect.

Configure Firewall to accept Ping check (ICMP Echo Request)

Windows OS
1. Go to Control Panel > Windows Firewall > Windows Firewall with Advanced Security.
2. Click on Inbound Rules. Then select Echo Request - ICMP IN.

3. Right click on the Echo Request - ICMP IN rules and click Enable Rule.

4. Now you will see that the Echo Request - ICMP IN rules are enabled.

MAC OS X
1. Go to Security & Privacy > Firewall > Advanced and uncheck the Enable stealth mode checkbox so that the Mac responds to pings.

Configure Firewall to accept connections

IPSec does not disturb the original IP header and can be routed as normal IP traffic. Routers and switches in the data path between the communicating hosts simply forward the packets to their destination. However, when there is a firewall or gateway in the data path, IP forwarding must be enabled at the firewall for the following IP protocols and UDP ports.

1. IP Protocol Type=50 <- Used by data path (ESP)
2. IP Protocol Type=51 <- Used by data path (AH)
3. IP Protocol Type=UDP, UDP Port Number=500 <- Used by IKEv1 (IPSec control path)
4. IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv1 (IPSec control path)
5. IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv2 (IPSec control path)

Windows OS
1. Go to Control Panel > Windows Firewall > Windows Firewall with Advanced Security. Click on Inbound Rules. Next click on the Actions menu and then click on New Rule.

2. A wizard will open. In the first step, select the Port option and click on Next.
3. Select TCP or UDP. In the Specific remote ports space, enter the port number and click on Next.

4. Now select Allow the connection and click Next.
5. Apply the rule to all and click Next.

6. In the Name and Description (optional) fields, enter anything you want and click on Finish.

Is the USG NetBIOS Enabled?

Enable NetBIOS if you want the ZyWALL/USG to send NetBIOS (Network Basic Input/Output System) packets through the IPSec SA. NetBIOS packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. It may sometimes be necessary to allow NetBIOS packets to pass through IPSec SAs in order to allow local computers to find computers on the remote network and vice versa.

Modify NetBIOS Setting

Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection > Edit > Show Advanced Settings > General Settings, select Enable NetBIOS broadcast over IPSec.

7.8.6 Perform Ping Check Command from PC

Ping check allows you to confirm if you have connectivity between VPN Nodes. Open up the command prompt in Windows.

Is there Any Response from the Remote Site?
If there is no response, go to
If there is response, go to

Topology Example
One PC at Local Network A IP address:
One PC at Local Network B IP address:

At PC in the Local Network A, type command line: ping
The response should be:

At PC in the Local Network B, type command line: ping
The response should be:

Perform Ping Check from PC to Local/Remote Gateway

Ping check allows you to confirm if you have connectivity between VPN Participants. Open up the command prompt in Windows.

Is there Any Response from the Local/Remote Gateway?
If there is no response, go to
If there is response, go to

Topology Example

One PC at Local Network A IP address: ; Gateway IP address:
One PC at Local Network B IP address: ; Gateway IP address:

At PC in the Local Network A, type command line: ping
The response should be:

At PC in the Local Network B, type command line: ping
The response should be:

Modify Local/Remote Gateway Setting
1. Check the WAN interface on both VPN sites and make sure you have configured the gateway IP address correctly. Firstly, check whether the gateway IP address is within the correct host address range by using the subnet calculator tool below.

2. Secondly, if the gateway IP is given by the ISP, please contact your service provider to confirm the correct address.
3. Thirdly, if the gateway IP is assigned by the DHCP server, please make sure your DHCP server assigned the correct gateway IP to your WAN interface.

Disable Security Policy on Device

A customized Security Policy may block protocols required for the VPN connection and ping check (ICMP Echo Request). Therefore, you have to make sure your Security Policy allows the VPN and ping check traffic.

Is there Any Response from the Remote Site?
If there is no response, go to
If there is response, go to

Try turning off the Security Policy and see if it works. If so, activate the Security Policy rules one by one until you find the one that breaks it, or check the access block information in the Log.

Modify Security Policy Setting

Security Policy Example
1. Go to MONITOR > Log and check whether any Security Policy blocks the VPN protocols and UDP ports. In this example, the Security Policy blocks UDP Port 500 traffic.
2. Go to CONFIGURATION > Security Policy > Policy Control and check the allowed services. Here the customized Allow_WAN_To_ZyWALL does not allow the AH, ESP and IKE protocols.

3. Go to CONFIGURATION > Object > Service > Service Group to edit the service group. Move AH, ESP and IKE to be Allow_WAN_To_ZyWALL members. Click OK.
4. Go to MONITOR > Log. The VPN tunnel is now built successfully.
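To make the Security Policy example concrete, here is an added Python sketch (not ZyXEL code) that evaluates an ordered rule list first-match and reports which of the IPSec flows listed earlier in this section would still be blocked. The rule name, the zone names, the management services and the default-deny behaviour are assumptions made for the example.

```python
from typing import List, NamedTuple, Optional

UDP, TCP = 17, 6  # IP protocol numbers


class Service(NamedTuple):
    ip_proto: int                    # IP protocol number
    dst_port: Optional[int] = None   # destination port, None when not applicable


# The flows the guide lists as required for IPSec.
REQUIRED_IPSEC = {
    "ESP": Service(50),
    "AH": Service(51),
    "IKE (UDP 500)": Service(UDP, 500),
    "NAT-T (UDP 4500)": Service(UDP, 4500),
}


class Rule(NamedTuple):
    name: str
    src_zone: str
    dst_zone: str
    services: Optional[List[Service]]  # None means "any service"
    action: str                        # "allow" or "deny"


def service_matches(rule_services: Optional[List[Service]], flow: Service) -> bool:
    """A flow matches when protocol and port (if the object sets one) agree."""
    if rule_services is None:
        return True
    return any(
        s.ip_proto == flow.ip_proto and (s.dst_port is None or s.dst_port == flow.dst_port)
        for s in rule_services
    )


def verdict(rules: List[Rule], src_zone: str, dst_zone: str, flow: Service) -> str:
    """First matching rule wins; anything unmatched is denied (assumed default)."""
    for r in rules:
        if (r.src_zone in (src_zone, "any") and r.dst_zone in (dst_zone, "any")
                and service_matches(r.services, flow)):
            return r.action
    return "deny"


def blocked_ipsec(rules: List[Rule], src_zone: str = "WAN", dst_zone: str = "ZyWALL") -> List[str]:
    """Names of the required IPSec flows that the rule list does not allow."""
    return [name for name, flow in REQUIRED_IPSEC.items()
            if verdict(rules, src_zone, dst_zone, flow) != "allow"]


# Constructed sample: a customized service group with management services only,
# then the same group after AH, ESP and IKE were added as in step 3.
MGMT_ONLY = [Service(TCP, 443), Service(TCP, 22)]
BEFORE = [Rule("WAN_to_Device", "WAN", "ZyWALL", MGMT_ONLY, "allow")]
AFTER = [Rule("WAN_to_Device", "WAN", "ZyWALL",
              MGMT_ONLY + [Service(51), Service(50), Service(UDP, 500)], "allow")]

if __name__ == "__main__":
    print("blocked before:", blocked_ipsec(BEFORE))
    print("blocked after: ", blocked_ipsec(AFTER))
```

In the constructed "after" state UDP 4500 is still not covered, which only matters when the peers negotiate NAT traversal.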

Perform Ping Check Command from Router

When traffic is initiated from the ZyWALL/USG to a remote site, the source IP address will be considered as an external interface's IP address instead of one of a VPN subnet interface's IP addresses. This means the source IP address doesn't belong to the local subnet that the VPN tunnel allows access from. Therefore, if you ping from the router with its IP address, you should not get a response from the remote router.

Is there Any Response from the Remote Subnet?
If there is no response, go to
If there is response, go to

Topology Example
ZyWALL USG A WAN IP address: ; LAN subnet IP address:
ZyWALL USG B WAN IP address: ; LAN subnet IP address:

Wrong response example: Login device A, type command line: ping and ping source , the response is:

Correct response example: Login device B, type command line: ping and ping source , the response should be:

Modify Routing
1. To avoid the routing problem, add the Policy Route in ZyWALL USG B:
2. Login device A, type command line: ping and ping source , the response now will be:

Is the VPN Routing Priority Higher than 1:1 NAT or Other Routing?

In the default Routing Flow, the priority of Policy Route and 1-1 NAT is higher than Site To Site VPN. Therefore, enabling Policy Route and 1-1 NAT may prevent traffic from passing through the VPN tunnel, because all traffic passes through another interface.

Modify Packet Flow Priority
1. To solve the Policy Route issue, check that the routing configuration does not interrupt the VPN connection.
2. To solve the 1-1 NAT problem, reorganize the order of the routing priority.

For legacy models with the ZLD 3.30 platform, use the following CLI command:

ip route control-virtual-server-rules activate

For the next generation USG/ZyWALL series with the ZLD 4.13 platform, go to CONFIGURATION > Network > NAT, enable Use Static-Dynamic Route to Control 1-1 NAT Route and click Apply.

Go to MAINTENANCE > Packet Flow Explore > Routing Status. The priority of Site To Site VPN is now higher than the 1-1 NAT route.

Collect Information to CSO Support

Topology
Please provide us with the network topology and a detailed description of the failure symptoms.

Packet capture
1. Go to MAINTENANCE > Diagnostics > Packet Capture > Capture, select the interfaces for the VPN tunnels (WAN/LAN) and click the right arrow button to move them to the Capture Interfaces list. Click Capture.
2. Connect the VPN tunnel and wait until the dial times out.
3. Go to MAINTENANCE > Diagnostics > Packet Capture > Capture. Click Stop.

4. Go to MAINTENANCE > Diagnostics > Packet Capture > Files. Select the WAN/LAN captured files and click Download. Provide the files to us.

Log
1. Go to MONITOR > Log and take a screenshot of the error log when initiating the VPN tunnel fails.

Configuration file
1. Go to MAINTENANCE > File Manager > Configuration File. Select the files (.conf) and click Download. Provide the files to us.

8. Cannot set up the L2TP VPN function successfully

8.1. Cannot connect to the ZyWALL via L2TP client

Incorrect L2TP Address Pool

Check the IP Address Pool configured in the L2TP VPN settings. Ensure that the L2TP Address Pool does not conflict with any existing LAN1, LAN2, DMZ, or WLAN zones, even if they are not in use.

Incorrect Local Policy

Phase 2 local policy mismatch

Check the Local Policy in the VPN connection. If you use the VPN setup Wizard to configure the L2TP VPN settings, the local policy of the VPN connection is automatically and correctly configured as the interface IP of My Address. However, if you configure the L2TP VPN settings manually without the wizard, ensure the local policy is the same IP address as My Address used for the L2TP VPN connection.

CONFIGURATION > VPN > IPSec VPN > VPN Connection

Incorrect Phase 1 or Phase 2 Settings
1. Phase 1 proposal mismatch
Check the phase 1 settings in the VPN gateway. If you use the VPN setup Wizard to configure the L2TP VPN settings, the phase 1 settings are automatically and correctly configured. However, if you configure the L2TP VPN settings manually without the wizard, ensure the phase 1 settings are configured as follows.

2. Phase 1 IKE SA process done but phase 2 proposal mismatch.
Check the phase 2 settings in the VPN connection. If you use the VPN setup Wizard to configure the L2TP VPN settings, the phase 2 settings are automatically and correctly configured. However, if you configure the L2TP VPN settings manually without the wizard, ensure the phase 2 settings are configured as follows.

8.2. User cannot be authenticated

The log contains an alert that the user is denied from the L2TP service because of an incorrect username or password. In addition to checking that the username and password are correct, it is necessary to check that Authentication Method and Allowed User are correctly configured.

MONITOR > Log > View Log > Display > L2TP Over IPSec

Authentication Method

The ZyWALL authenticates a remote user according to the authentication method before allowing access to the L2TP VPN tunnel. Ensure the L2TP VPN user belongs to one of the authentication servers or the local database on the configured method list. The default Authentication Method is default, which only contains the local database on the method list. If the L2TP VPN user belongs to an external authentication server, remember to create a new Authentication Method with the corresponding method list.

CONFIGURATION > Object > Auth. Method > Add

CONFIGURATION > VPN > L2TP VPN

Allowed user

A user or group configured as Allowed User is able to log into the ZyWALL to use the L2TP VPN tunnel. Ensure the user, or the group it belongs to, is configured as Allowed User. The default Allowed User is "any", which allows any user with a valid username and password to establish an L2TP VPN tunnel. If only a specific group of users has the privilege to establish an L2TP VPN tunnel, remember to create a new group with the specific users and groups.

CONFIGURATION > Object > Users/Group > Group > Add

CONFIGURATION > VPN > L2TP VPN

8.3. Windows service not activated (IKE service)

When establishing an L2TP tunnel, Windows uses the IKE and AuthIP IPSec Keying Modules to encrypt the packets, so these service modules must be enabled on your computer.

If the modules are not enabled, you will see:
1. The tunnel can't be established and Windows shows error code: 789. The log shows the reason as security layer encountered a processing error.

2. If you capture packets on your PC NIC and filter for isakmp packets, no packets are transmitted to the L2TP server.

How to enable IKE and AuthIP IPSec Keying Modules
1. Go to Control Panel > System and Security > Administrative Tools > Services and find IKE and AuthIP IPSec Keying Modules. Right click it and select Properties to configure its status. Enable IKE and AuthIP IPSec Keying Modules.

8.4. After L2TP VPN tunnel is established, the client can't access the Internet

After the L2TP VPN tunnel is established, no Internet traffic can pass at all

After you establish the L2TP VPN tunnel successfully, the device assigns an IP address to your PC. You can then access all of the network resources on the USG without additional configuration. Because Windows has no split tunnel mechanism, your Internet traffic is passed into the L2TP VPN tunnel too. If you do not add an additional policy route, your Internet traffic will time out because there is no response from the Internet server.

After you establish the L2TP VPN tunnel you will see:
1. If your L2TP VPN tunnel configuration has no problems, your L2TP VPN network connection icon shows like the following image.
2. You can also use a CLI command to show your routing table (CLI: route print). An additional routing rule has been added to the routing table automatically. (It means all of the traffic will pass into the L2TP tunnel, through the route you received after the L2TP tunnel was established.)

How to add additional routing rule for L2TP clients to access internet?
1. Go to Configuration > Network > Routing > Policy route and click the Add button.
2. Source Network Address Translation must be set to outgoing-interface. The L2TP client's Internet traffic will then use the interface IP address to access the internet.

9. If you're not able to configure UTM policies or they are not working

Troubleshooting Flowchart:

Note: After you apply the UTM service, a running session will continue until it is finished.

Check service expiration

Have you subscribed for the UTM service?
If you have not subscribed, go to
If you have subscribed, go to

1. ZyWALL models need a license for UTM (Unified Threat Management) functionality.
2. You need to create a myzyxel.com account before you can register your device and activate the services at myzyxel.com.
3. You need your ZyWALL/USG's serial number and LAN MAC address to register it. Refer to the web site's on-line help for details.

Registration on myzyxel.com 2.0

Account Creation
1 Click the link from the Registration screen of your ZyXEL device's Web Configurator or click the myzyxel.com 2.0 icon from the portal page ( the Sign In screen displays.

2 Click Not a Member Yet to open the Sign Up screen where you can create an account.
myzyxel.com > Not a Member Yet
3 Select the Registration Type to create an Individual account or a Business account. An Individual account is for non-commercial end users of ZyXEL products. A Business account is for commercial users; a VAT # is required (the requirement varies with the country selected).

Note: The business account can be changed into a channel partner account by an administrator. With a channel partner account, you can register multiple devices and/or services at a time and check service status reports. Contact your sales representative to have a channel partner account.
4 After you click Submit, myzyxel.com 2.0 will send you an account activation notification e-mail. Click the URL link in the e-mail to activate your account and log into myzyxel.com. After activation, sign in to myzyxel.com 2.0 to register or manage your devices and services. If you have a business account, please go to the account page and press the Reseller Request button.

Device Registration
6 Click Device Registration in the navigation panel to open the screen. Use this screen to register your device with myzyxel.com. Enter the device's (first) MAC Address and Serial Number, which can be found on the sticker on the back of the device. Click Submit. If you access myzyxel.com from the Registration screen of your ZyXEL device's Web Configurator, the device MAC Address and Serial Number are displayed automatically.

Service Registration (In the Case of Standard License)
7 Click Service Registration in the navigation panel to open the screen. Fill in the License Key as shown on the E-iCard License.

8 Go to the Service Management page and click the Link button. Select the device, then click the Activate button to initiate the service license. You will get a Service Activation Notice when you activate a new service.

Device Management (In the Case of Registering Bundled Licenses)
9 Go to Device Management and click on the MAC Address hyperlink of your device. In the Linked Services page, click the Activate button to initiate the service license. You will get a Service Activation Notice when you activate a new service.

Refresh Service
10 After the service is activated, go to the ZyWALL/USG CONFIGURATION > Licensing > Registration > Service and click the Service License Refresh button to update the Status.

Has your UTM service expired?
If your UTM service has expired, go to
If your UTM service hasn't expired, go to

9.1.4 Extend UTM license
11 Go to ZyWALL/USG CONFIGURATION > Licensing > Registration > Service to check the Service Status.
12 Click the link from the Registration screen of your ZyXEL device's Web Configurator or click the myzyxel.com 2.0 icon from the portal page ( the Sign In screen displays.

13 To renew your license, simply click the Buy button in the Service Management page at myzyxel.com. You can also contact your reseller or ZyXEL's local agent for license renewals. If you cannot locate an agent near you, please contact ZyXEL's local support. Local ZyXEL contact information:
14 After the service is extended, go to the ZyWALL/USG CONFIGURATION > Licensing > Registration > Service and click the Service License Refresh button to update the Status.

Signature Update

The UTM service provides updates to Anti-Virus and IDP / App Patrol. The UTM service involves a number of servers across the world that provide updates to your ZyWALL/USG device. Problems can occur with the connection to the UTM server.

9.2.1 Has your UTM service been updated?
If your UTM service hasn't been updated, go to
If your UTM service has been updated, go to

Update UTM service
1 The ZyWALL/USG comes with signatures for the Anti-Virus, IDP and Application Patrol features. These signatures are continually updated as new attack types evolve. New signatures can be downloaded to the ZyWALL/USG periodically if you have subscribed for the Anti-Virus, IDP and Application Patrol signatures service.
2 Click the Update Now button to have the ZyWALL/USG check for new signatures immediately. If there are new ones, the ZyWALL/USG will then download them.

9.3. Security Policy Direction

For through-ZyWALL/USG policies, select the correct direction of travel of the packets to which the UTM policy applies. For example, if you would like to scan all LAN to WAN and WAN to LAN traffic for viruses, you should create a security policy and select the Anti-Virus profile for scanning traffic from both LAN to WAN and WAN to LAN, or Any to Any.

Is your UTM policy applied to the correct direction?
If your UTM policy is applied to the wrong direction, go to
If your UTM policy is applied to the correct direction, go to

Modify Security Policy direction
3 Go to CONFIGURATION > Security Policy > Policy Control and make sure your UTM policy is applied to the correct direction.

10. Device-HA doesn't work

Troubleshooting Flowchart:

10.1. After Fail-Over, Switch ARP Learning Mode

When Device HA is enabled, the ZyWALL/USG generates a virtual MAC address for the IP address based on the "Cluster ID". If two Device HA groups use the same "Cluster ID", the ZyWALL/USG will generate the same MAC address for both Device HA groups. As a result, the switch will be confused and packets will be lost. So if there is more than one Device HA group behind the same switch, please use different cluster IDs.

Have you configured the same Cluster ID for the different Device HA groups?
If you have configured the same Cluster ID, go to
If you haven't configured the same Cluster ID, go to

Cluster ID

Go to CONFIGURATION > Device-HA > Activate-Passive Mode > Cluster Setting > Cluster ID. Use a different cluster ID to identify each virtual router. In the following example, ZyWALL/USG A and B form a virtual router that uses cluster ID 1. ZyWALL/USG C and D form a virtual router that uses cluster ID

10.2. Synchronize issue

The Device-HA devices use FTP to synchronize information, VRRP to monitor interface status and a password for authentication. Problems can occur in the connection between the Device-HA devices and in their configuration.

Have you configured the same FTP port for both master and backup devices?
If you haven't configured the same FTP port, continue reading section
If you have configured the same FTP port, go to

Go to CONFIGURATION > Device-HA > Activate-Passive Mode > Synchronization > Server Port. If this ZyWALL/USG is set to the Master role, Server Port displays the ZyWALL/USG's Secure FTP port number. If this ZyWALL/USG is set to the Backup role, enter the port number to use for Secure FTP when synchronizing with the specified master ZyWALL/USG.

2. Go to CONFIGURATION > System > FTP on the master device if you need to change the FTP port number. Every ZyWALL/USG in the virtual router must use the same port number. If the port number changes on the master ZyWALL/USG, you have to change it manually on the backups.

Have you enabled FTP service?
If you haven't enabled the FTP port, continue reading section
If you have configured the FTP port, go to

Select Enable to allow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL/USG using the FTP service for Device-HA synchronization.

Does Security Policy block FTP/VRRP services?
If your Security Policy doesn't allow the FTP or VRRP service, continue reading section
If your Security Policy allows the FTP or VRRP service, go to

FTP Service
1. Device-HA devices use FTP to synchronize information. Go to CONFIGURATION > System > FTP on both the master and backup devices and make sure Service Control allows access to the ZyWALL/USG using the FTP service for Device-HA synchronization.

2. Go to CONFIGURATION > Security Policy > Policy Control and make sure the corresponding rule allows access to the ZyWALL/USG using the FTP service for Device-HA synchronization.

VRRP Service
1. The monitored VRRP interfaces of the Master send a VRRP packet every second. The monitored VRRP interfaces of the Backup should detect this packet every second. Once the Backup VRRP interfaces cannot detect the VRRP packet for three seconds, the Backup takes over. Therefore, you have to make sure the VRRP service is allowed for interface monitoring.
2. Go to CONFIGURATION > Security Policy > Policy Control and make sure the corresponding rule allows access to the ZyWALL/USG using the VRRP service for Device-HA monitoring.

Does Security Policy block other ports when synchronizing?
If you see from the log that any port is blocked even after the FTP service is allowed, continue reading section
If you see from the log that none of the ports is blocked, go to

If you see in MONITOR > Log that any port is blocked even after the FTP and VRRP services are allowed, go to CONFIGURATION > Security Policy > Policy Control and add a corresponding security policy to allow the blocked port.

Have you configured the same synchronization password for both master and backup devices?

If you haven't configured the same synchronization password, continue reading section
If you have configured the same synchronization password, go to

Go to MONITOR > Log. If the log shows alert/ User Failed login attempt to ZyWALL from ftp (incorrect password or inexistent username), the Device-HA synchronization password doesn't match. Go to CONFIGURATION > Device-HA > Active-Passive Mode > Synchronization > Password and enter the password used for verification during synchronization. Every ZyWALL/USG in the virtual router must use the same password.

Have you experienced synchronization hang issue?

1. In some situations the device takes a while to synchronize: Device-HA sync at first succeeds but then hangs for more than 10 minutes. In the following example case, there are over 3800 content filtering rules and the configuration file is 456KB.

The Device-HA backup device takes around 20 minutes to synchronize.

2. To avoid a similar situation, it is suggested to use the "Auto Synchronize" feature in Device HA. Use the device's management IP address as the server address instead of a virtual IP address. The interval time can be set to 60 minutes.

Subnet conflict

If a VLAN interface subnet overlaps with the Device-HA interface subnet, the ZyWALL/USG will not know which interface it should send the sync information to. Please make sure there is no subnet conflict.

If you have configured a conflicting subnet, continue reading section
If you haven't configured a conflicting subnet, go to 12.3

Go to CONFIGURATION > Network > Interface and make sure your Ethernet and VLAN interface subnets do not overlap with each other.
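The overlap check described above can be done offline once the interface addresses are copied out of the Interface screen. This is an added example, not part of the ZyXEL guide: the interface names, addresses and the "monitored by Device-HA" flags are constructed sample values, and it assumes you have entered them by hand as address/prefix or address/netmask.

```python
"""Find overlapping interface subnets before troubleshooting Device-HA sync."""
import ipaddress
from collections import namedtuple
from itertools import combinations

Conflict = namedtuple("Conflict", "iface_a iface_b net_a net_b affects_ha")

# Constructed sample: name -> (address with prefix or netmask, Device-HA monitored?)
INTERFACES = {
    "lan1":   ("192.168.1.1/24", True),
    "lan2":   ("192.168.2.1/255.255.255.0", False),
    "dmz":    ("192.168.3.1/24", False),
    "vlan10": ("192.168.1.129/25", False),             # falls inside lan1's /24
    "vlan20": ("10.10.20.1/24", False),
    "vlan30": ("10.10.20.129/255.255.255.128", False),  # falls inside vlan20's /24
}


def parse_interfaces(interfaces):
    """Turn each configured address into the network it belongs to."""
    parsed = {}
    for name, (addr, monitored) in interfaces.items():
        try:
            # ip_interface accepts both /24 and /255.255.255.0 notation.
            net = ipaddress.ip_interface(addr).network
        except ValueError as exc:
            raise ValueError(f"{name}: cannot parse {addr!r}: {exc}") from None
        parsed[name] = (net, monitored)
    return parsed


def find_overlaps(interfaces):
    """Return every pair of interfaces whose subnets overlap.

    Pairs that involve a Device-HA monitored interface are listed first,
    because those are the ones that can misdirect synchronization traffic.
    """
    parsed = parse_interfaces(interfaces)
    conflicts = []
    for a, b in combinations(sorted(parsed), 2):
        net_a, ha_a = parsed[a]
        net_b, ha_b = parsed[b]
        if net_a.version != net_b.version:
            continue  # an IPv4 subnet cannot overlap an IPv6 subnet
        if net_a.overlaps(net_b):
            conflicts.append(
                Conflict(a, b, str(net_a), str(net_b), ha_a or ha_b)
            )
    conflicts.sort(key=lambda c: not c.affects_ha)  # stable: HA pairs first
    return conflicts


if __name__ == "__main__":
    found = find_overlaps(INTERFACES)
    if not found:
        print("No overlapping subnets.")
    for c in found:
        tag = "DEVICE-HA" if c.affects_ha else "other"
        print(f"[{tag}] {c.iface_a} {c.net_a} overlaps {c.iface_b} {c.net_b}")
```

Note that a smaller subnet nested inside a larger one (the /25 inside the /24 here) counts as a conflict even though the two network addresses differ.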


A Division of Cisco Systems, Inc. Broadband Router. with 2 Phone Ports. User Guide WIRED RT41P2-AT. Model No. A Division of Cisco Systems, Inc. WIRED Broadband Router with 2 Phone Ports User Guide Model No. RT41P2-AT Copyright and Trademarks Specifications are subject to change without notice. Linksys is a registered

More information

Prestige 660HW Series. Prestige 660H Series. Quick Start Guide

Prestige 660HW Series. Prestige 660H Series. Quick Start Guide Prestige 660HW Series ADSL 2+ 4-Port Gateway with 802.11g Wireless Prestige 660H Series ADSL 2+ 4-Port Gateway Quick Start Guide Version 3.40 01/2005 Table of Contents Introducing the Prestige... 3 1 Hardware

More information

4-Port Router. Share your broadband Internet connection. E Wired. Ethernet. Ethernet. User Manual. F5D5231-4_uk

4-Port Router. Share your broadband Internet connection. E Wired. Ethernet. Ethernet. User Manual. F5D5231-4_uk 4-Port Router Share your broadband Internet connection User Manual E Wired Ethernet Ethernet 10/100 Mbps F5D5231-4_uk Table of Contents 1 Introduction............................................. 1 Benefits

More information

Gigaset Router / en / A31008-E105-B / cover_front_router.fm / s Be inspired

Gigaset Router / en / A31008-E105-B / cover_front_router.fm / s Be inspired s Be inspired Table of Contents Table of Contents Safety precautions........................... 3 The Gigaset Router........................... 3 Features and Benefits..................................................

More information

Introduction... 3 Features... 3 Minimum Requirements... 3 Package Content... 3 Note... 3 Get to know the Broadband Router... 4 Back Panel...

Introduction... 3 Features... 3 Minimum Requirements... 3 Package Content... 3 Note... 3 Get to know the Broadband Router... 4 Back Panel... Introduction... 3 Features... 3 Minimum Requirements... 3 Package Content... 3 Note... 3 Get to know the Broadband Router... 4 Back Panel... 4 Front Panel... 5 Setup Diagram... 6 Getting started... 7 Chapter

More information

Spreedbox Getting Started Guide

Spreedbox Getting Started Guide Spreedbox Getting Started Guide Last Updated: September 2017 CONTENTS 1. Introduction... 3 2. Prerequisites... 4 3. Opening the box... 5 4. USB Manual, Quick Start Guide & MAC Sticker... 6 5. International

More information