ZyWALL (ZLD) VPN Troubleshooting

Contents
- L2TP VPN will not connect
- No traffic flow through L2TP VPN tunnel
- Client-to-Site (RoadWarrior) VPN will not connect
- No traffic flow through client-to-site IPSec VPN tunnel (RoadWarrior)
- Site-to-Site VPN will not establish
- No traffic flow through site-to-site IPSec VPN tunnel
- SSL VPN connection will not establish
- Connection issues with SSL VPN

L2TP VPN will not connect

Please verify your VPN rule setup against the example provided in the ZyWALL_L2TP_VPN_Setup.pdf walkthrough. If your setup matches the example, check the following:

- Is the ZyWALL behind a NAT (another router)? The L2TP function will not work if the ZyWALL is behind another router. This is a limitation of the device's L2TP capability; the ZyWALL needs direct communication with the public network (internet).
- If the L2TP client is behind a router, make sure that VPN pass-through is enabled or create port forwarding rules so the router does not block the L2TP communication to the ZyWALL.

- Does the client have any other VPN clients installed? Only one application can use the IKE/IPSec services at a time. If another VPN client (Cisco IPSec client, TheGreenBow, ShrewSoft, etc.) is installed and running on the computer, close that application completely and restart the IKE/IPSec services so that the L2TP client can use them.
  [Windows] To restart the services, open a RUN dialog box (press the Windows + R keys), type services.msc and click OK or press the Enter/Return key.

  Scroll down the list to find the IKE and AuthIP IPsec Keying Modules and IPsec Policy Agent services and restart them.
- Check your L2TP client's settings against our setup example(s) [link to Windows, macOS, iOS, etc., setup guides].
- Disable your computer's firewall to make sure it is not blocking the VPN connection attempt.
  Windows: To disable the Windows firewall, open a RUN dialog box (press the Windows + R keys).

  Type firewall.cpl and click OK or press the Enter/Return key. Select Turn Windows Firewall on or off on the left, then select Turn off Windows Firewall and click OK to save the settings.
  Note: If you're using a third-party software firewall (Trend Micro, Norton, McAfee, etc.), open the software's control panel and disable the firewall feature.
  macOS: Open System Preferences > Security & Privacy, click the Firewall tab and press the Turn Off Firewall button.

- Update your computer's NIC drivers. Note: For NIC driver updates, visit the computer manufacturer or the NIC chipset manufacturer.
- Bypass your router (if possible) to make sure it is not blocking the attempt to establish the L2TP VPN.
- Check the ZyWALL's IKE logs to make sure it is receiving a request to establish the VPN. By default the ZyWALL is programmed to allow VPN traffic; if the IKE logs on the ZyWALL do not show any IKE connection attempts, try disabling the ZyWALL's Firewall/Policy Control. If that does not help, check with your ISP to make sure they are not blocking ports on the service end. To disable the ZyWALL's firewall/policy control, go to: Configuration > Firewall OR Configuration > Security Policy > Policy Control

- Verify the firmware is up to date and contact tech support for further assistance. To check the current version of firmware on the ZyWALL, go to Maintenance > File Manager > Firmware Package.

No traffic flow through L2TP VPN tunnel

Follow the instructions below if you have successfully established an L2TP VPN connection but cannot pass traffic through the tunnel.

- By default L2TP clients are programmed to send all traffic through the L2TP connection once established. If you have disabled this option you will need to manually create routes in your device's operating system to route traffic through the tunnel accordingly.
- Make sure there are no IP conflicts. The ZyWALL's internal (LAN) IP scheme and the L2TP IP pool should be on different subnets; using the same IP scheme can cause routing issues.
- Create a policy route on the ZyWALL to specify that any traffic destined for the L2TP IP pool needs to take its hop (Next-Hop) at the L2TP VPN tunnel: Configuration > Network > Routing > Policy Route
- Disable the ZyWALL's Firewall/Policy Control. To disable the ZyWALL's firewall/policy control, go to:

  Configuration > Firewall OR Configuration > Security Policy > Policy Control
- Make sure the L2TP connection has a higher priority than any other route on your computer. On macOS you need to change the service order to give the VPN connection a higher priority than the Ethernet or Wi-Fi connections.
  Windows: All routes for the L2TP interface should have a higher metric than the standard routes. Open Command Prompt or PowerShell and type route print to view the routing table.
  macOS: Open System Preferences > Network, click the configuration icon at the bottom of the network interface list and choose Set Service Order.

- Verify that the device you are trying to contact across the VPN is pointing to the ZyWALL as its default gateway. If the device is pointing to a different default gateway, the traffic will not get sent back through the L2TP VPN tunnel.
- Verify the firmware is up to date and contact tech support for further assistance. To check the current version of firmware on the ZyWALL, go to Maintenance > File Manager > Firmware Package.
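The route-priority check above is easier to reason about when you can see which routing-table entry actually wins for a given destination. The following is an added example (not code from the ZyWALL guide or from Zyxel) that parses the IPv4 section of a constructed Windows `route print` listing and applies Windows' selection rule: longest prefix match first, and among equal prefixes the lowest metric is preferred. The PPP address 10.10.10.5, the LAN 192.168.0.0/24, the ZyWALL LAN 192.168.1.0/24 and the metric values are all constructed sample values. It shows three situations from the text: the default full-tunnel client (the VPN's 0.0.0.0/0 route with the lowest metric wins), the same client with the all-traffic option disabled (remote LAN traffic falls back to the Ethernet default route), and the fix the guide asks for, a manually added route for the remote network via the L2TP interface.

```python
import ipaddress

# Constructed sample of `route print` (IPv4 section only) from a Windows client
# whose L2TP connection is up with "use default gateway on remote network" on.
HEADER = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
"""
# The PPP adapter (10.10.10.5, constructed) adds a second default route with metric 1.
VPN_DEFAULT = "          0.0.0.0          0.0.0.0         On-link       10.10.10.5      1\n"
BASE_ROWS = """\
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.10     25
       10.10.10.5  255.255.255.255         On-link       10.10.10.5    256
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    331
      192.168.0.0    255.255.255.0         On-link     192.168.0.10    281
"""
FOOTER = "===========================================================================\n"

FULL_TUNNEL = HEADER + VPN_DEFAULT + BASE_ROWS + FOOTER   # client default
SPLIT_TUNNEL = HEADER + BASE_ROWS + FOOTER                # all-traffic option disabled

# A manually added route for the ZyWALL LAN (192.168.1.0/24, constructed) via the
# PPP interface, the kind of route the guide says you must create yourself.
MANUAL_ROUTE = "      192.168.1.0    255.255.255.0         On-link       10.10.10.5     26\n"


def parse_route_print(text):
    """Return the Active Routes rows as dicts with a parsed network and metric."""
    routes, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            in_table = True
            continue
        if in_table and line.startswith("="):   # end of the IPv4 active-route table
            break
        parts = line.split()
        if not in_table or len(parts) != 5:     # skips the column header (6 tokens)
            continue
        try:
            network = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            metric = int(parts[4])
        except ValueError:
            continue
        routes.append({"network": network, "gateway": parts[2],
                       "interface": parts[3], "metric": metric})
    return routes


def best_route(dest, routes):
    """Windows selection: longest prefix wins; ties go to the lowest metric."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r["network"]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r["network"].prefixlen, r["metric"]))


def egress_interface(dest, route_print_text):
    """Interface address that traffic to `dest` would leave from, or None."""
    route = best_route(dest, parse_route_print(route_print_text))
    return route["interface"] if route else None


def with_extra_route(text, row):
    """Insert a constructed route row after the column header (simulates `route add`)."""
    marker = "Metric\n"
    return text.replace(marker, marker + row, 1)


if __name__ == "__main__":
    for label, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL),
                         ("split tunnel + manual route", with_extra_route(SPLIT_TUNNEL, MANUAL_ROUTE))):
        print(f"{label}: 192.168.1.50 leaves via {egress_interface('192.168.1.50', table)}")
```

In the full-tunnel table the two 0.0.0.0/0 entries tie on prefix length and the metric decides, so traffic for the ZyWALL LAN leaves via the PPP interface; once the VPN default route is gone only a more specific route (the /24 via 10.10.10.5) steers that traffic back into the tunnel.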

Client-to-Site (RoadWarrior) VPN will not connect

Use the walkthrough Dynamic_VPN_Setup_CR.pdf as an example to verify the setup on your ZyWALL and make sure all necessary settings and rules have been created on the router.

- If the ZyWALL is behind a NAT (another router), make sure the first NAT is forwarding the VPN ports to the ZyWALL: IKE UDP:500 and NAT-T UDP:4500.
- Make sure your network router is allowing the IPSec ports through (UDP:500 and UDP:4500) or enable VPN pass-through if the router supports this option. Bypass the router if possible to make sure it is not causing the problem.
- Make sure your ISP is not blocking VPN ports; some providers block the VPN ports on their end.
- Verify that your computer's firewall is allowing communications from the VPN client.
- Update your NIC drivers (Ethernet and/or Wi-Fi). Note: For NIC driver updates, visit the computer manufacturer or the NIC chipset manufacturer.

- Check the VPN settings on the ZyWALL and make sure they match the software client configuration.
- Check the ZyWALL's IKE logs to make sure it is receiving a request to establish the VPN. By default the ZyWALL is programmed to allow VPN traffic; if the IKE logs on the ZyWALL do not show any IKE connection attempts, try disabling the ZyWALL's Firewall/Policy Control. If that does not help, check with your ISP to make sure they are not blocking ports on the service end. To disable the ZyWALL's firewall/policy control, go to: Configuration > Firewall OR Configuration > Security Policy > Policy Control
- Verify the firmware is up to date and contact tech support for further assistance. To check the current version of firmware on the ZyWALL, go to Maintenance > File Manager > Firmware Package.

No traffic flow through client-to-site IPSec VPN tunnel (RoadWarrior)

If you have successfully established a VPN connection to the ZyWALL but cannot get traffic across, try the following:

- Log in to the ZyWALL's WebGUI and disable Use Policy Route to control dynamic IPSec rules in the VPN menu: Configuration > VPN > IPSec VPN > VPN Connection
- Disable the ZyWALL router's firewall: Configuration > Firewall OR Configuration > Security Policy > Policy Control
- Disable the firewall on the remote host (computer/device) to make sure it is not blocking the request.
  Windows: To disable the Windows firewall, open a RUN dialog box (press the Windows + R keys).

  Type firewall.cpl and click OK or press the Enter/Return key. Select Turn Windows Firewall on or off on the left, then select Turn off Windows Firewall and click OK to save the settings.
  Note: If you're using a third-party software firewall (Trend Micro, Norton, McAfee, etc.), open the software's control panel and disable the firewall feature.
  macOS: Open System Preferences > Security & Privacy, click the Firewall tab and press the Turn Off Firewall button.

- If you are attempting to access resources by computer hostname, try using the IP address assigned to the computer/device instead. Using a computer hostname requires the NetBIOS broadcast protocol to resolve the computer's IP address, and broadcasts are not supported by the IPSec standard. Because of this we cannot guarantee that using hostnames instead of IPs will work. A workaround for this limitation of the IPSec standard is to use a WINS server.
- Make sure there are no IP conflicts. If the ZyWALL network is configured to use the 192.168.1.0/24 network and the remote user is also using the same IP scheme, traffic will not route through the VPN tunnel properly.
- Make sure your network router is allowing the IPSec ports through (UDP:500 and UDP:4500) or enable VPN pass-through if the router supports this option. Bypass the router if possible to make sure it is not causing the problem.

- Verify that the device you are trying to contact is pointing to the ZyWALL as its default gateway. If the device is pointing to a different default gateway, the traffic will not get sent back through the VPN tunnel.
- Verify the firmware is up to date and contact tech support for further assistance. To check the current version of firmware on the ZyWALL, go to Maintenance > File Manager > Firmware Package.

Site-to-Site VPN will not establish

If you have configured an IPSec VPN rule for a site-to-site (router-to-router) connection and the tunnel is not being established, try the following:

- Reboot/restart the ZyWALL appliance to reload the VPN daemon.
- Check the ZyWALL logs to verify that IKE connection attempts are being sent and received. If the logs show one-way IKE traffic (send only, for example), check the internet connection to make sure traffic is not being blocked/stopped on the service end.
- Double-check the VPN rules on both ends to make sure all settings match.
- If using a DDNS hostname or domain name to dial the connection instead of the public IP address, make sure there are DNS servers programmed on the ZyWALL and that they can resolve the DDNS hostname/domain name. To check if the ZyWALL can resolve the name, open a terminal session using SSH/Telnet/Console and run a ping command to the DDNS hostname/domain name:
  Router> ping hostname/domain (ex: Router> ping www.google.com)
  If the ping test fails, double-check the ZyWALL's DNS settings and try again. If your internet service is DHCP, the ZyWALL will have automatically obtained the DNS server settings from your ISP. To check this, go to Configuration > System > DNS.

  If your WAN IP was statically assigned, the DNS settings will show N/A for the Default entry (the Default entry is for the WAN port's DHCP client capability only); click the Add button to manually enter your ISP-provided or public (OpenDNS, Google DNS, etc.) DNS servers.
- Verify the firmware is up to date and contact tech support for further assistance. To check the current version of firmware on the ZyWALL, go to Maintenance > File Manager > Firmware Package.

No traffic flow through site-to-site IPSec VPN tunnel

Tunnel established but can't get traffic across:

- Make sure there are no IP conflicts between the two sites.
- Disable the ZyWALL router's firewall. To disable the ZyWALL's firewall/policy control, go to: Configuration > Firewall OR Configuration > Security Policy > Policy Control
- Verify that the host you are attempting to reach is pointing to the ZyWALL as its default gateway.
- Check for conflicting policy/static routes. A misconfigured or out-of-order route can cause problems. To verify the policy/static route rules, go to Configuration > Network > Routing.
- Verify that the host you are attempting to reach is listening for the traffic you are sending to it. Example: if you're sending a ping request to a device, make sure it is set to respond to ping/ICMP requests.
  Windows: Open Command Prompt or PowerShell and type netstat -an for a list of listening ports.

  macOS: Open Terminal and type sudo lsof -i -n -P for a printout of the listening ports.
- Manually create a route (Configuration > Routing) to stipulate that traffic destined for the remote network should take its Next-Hop on the appropriate VPN tunnel.

- Verify the firmware is up to date and contact tech support for further assistance. To check the current version of firmware on the ZyWALL, go to Maintenance > File Manager > Firmware Package.
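The "out-of-order route" problem mentioned above, and the policy route for the L2TP IP pool asked for in the L2TP section, both come down to the order in which an ordered policy-route table is evaluated. The following is an added example (not code from the ZyWALL guide or from Zyxel) that models a policy-route table as a top-down, first-match list, which is an assumption about how the table is evaluated rather than something the guide states. The rule names, the next-hop labels (WAN_TRUNK, VPN_SiteB, L2TP_VPN) and the subnets are constructed. It finds the rule a given flow hits, reports rules that can never match because an earlier, broader rule fully covers them, and shows a most-specific-destination-first ordering that lets the VPN rules match before the catch-all LAN-to-WAN rule.

```python
import ipaddress

# Constructed sample policy-route table, in evaluation order (top entry first).
# "0.0.0.0/0" stands for "any". The broad LAN-to-WAN rule sits above the VPN rules,
# which is the misordering this example detects.
POLICY_ROUTES = [
    {"name": "LAN-to-WAN",   "src": "192.168.1.0/24", "dst": "0.0.0.0/0",      "next_hop": "WAN_TRUNK"},
    {"name": "LAN-to-SiteB", "src": "192.168.1.0/24", "dst": "192.168.2.0/24", "next_hop": "VPN_SiteB"},
    {"name": "L2TP-pool",    "src": "0.0.0.0/0",      "dst": "10.10.10.0/24",  "next_hop": "L2TP_VPN"},
]


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def first_match(src_ip, dst_ip, rules):
    """Assumed first-match semantics: the first rule whose src and dst contain the flow wins."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in _net(rule["src"]) and dst in _net(rule["dst"]):
            return rule
    return None


def shadowed(rules):
    """Names of rules that can never match: an earlier rule covers both their src and dst."""
    names = []
    for i, later in enumerate(rules):
        covered = any(
            _net(later["src"]).subnet_of(_net(earlier["src"]))
            and _net(later["dst"]).subnet_of(_net(earlier["dst"]))
            for earlier in rules[:i]
        )
        if covered:
            names.append(later["name"])
    return names


def most_specific_first(rules):
    """Reorder so narrower destinations (then narrower sources) are evaluated first.

    A heuristic for the common case; the final order is still the admin's decision.
    """
    return sorted(rules, key=lambda r: (-_net(r["dst"]).prefixlen, -_net(r["src"]).prefixlen))


if __name__ == "__main__":
    print("shadowed as configured:", shadowed(POLICY_ROUTES))
    for rules, label in ((POLICY_ROUTES, "as configured"), (most_specific_first(POLICY_ROUTES), "reordered")):
        hit = first_match("192.168.1.10", "192.168.2.10", rules)
        print(f"{label}: LAN -> Site B goes to {hit['next_hop']}")
```

Note that `shadowed()` only reports rules that are completely unreachable; the L2TP-pool rule in the sample is only partially shadowed (LAN sources never reach it, other sources do), which is why a flow-level check with `first_match()` is worth running for the exact source and destination that fail.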

SSL VPN connection will not establish

If the SSL VPN connection will not connect or you are being redirected to a different screen, try the following steps to troubleshoot the issue.

- Make sure you are using a USER account to establish the SSL VPN connection. Users with ADMIN privileges cannot be part of the SSL VPN rule/policy; administrative users will automatically get redirected to the configuration GUI. To verify the user account type, log in to the ZyWALL's WebGUI and go to Configuration > Object > User/Group.
- Make sure the network connection is not Disabled on Windows. To check this, press the Windows logo key + R to open the RUN dialog box, type ncpa.cpl and click OK or press the Enter/Return key. On the Network Connections screen, look for the connection using the TAP-Windows adapter for ZyXEL SecuExtender.
- Verify the server IP address the SecuExtender is dialing and the user credentials (Windows and macOS).

- Verify the firmware is up to date and contact tech support for further assistance. To check the current version of firmware on the ZyWALL, go to Maintenance > File Manager > Firmware Package.

Connection issues with SSL VPN

If you have successfully established an SSL VPN connection to the ZyWALL and are experiencing issues, try the following.

Can't access local network resources when the VPN connection is established?

- Make sure there are no IP conflicts between the remote and local network. If both sites are using the same IP scheme, 192.168.1.0/24 for example, routing will not work properly. Once the VPN tunnel is established, all traffic destined for a 192.168.1.0/24 address will flow through the VPN tunnel, because the route the computer's operating system created to send traffic through the VPN tunnel has a higher priority/metric than the regular route.
- Disable the ZyWALL's firewall if you are having problems getting traffic through the tunnel. To disable the ZyWALL's firewall/policy control, go to: Configuration > Firewall OR Configuration > Security Policy > Policy Control
- Disable the computer's firewall if you are having problems getting traffic through the tunnel, to make sure it is not blocking.
  Windows: To disable the Windows firewall, open a RUN dialog box (press the Windows + R keys).

  Type firewall.cpl and click OK or press the Enter/Return key. Select Turn Windows Firewall on or off on the left, then select Turn off Windows Firewall and click OK to save the settings.
  Note: If you're using a third-party software firewall (Trend Micro, Norton, McAfee, etc.), open the software's control panel and disable the firewall feature.
  macOS: Open System Preferences > Security & Privacy, click the Firewall tab and press the Turn Off Firewall button.

- Verify that the workstation is listening for the traffic you are using to access it remotely.
  Windows: Open Command Prompt or PowerShell and type netstat -an for a list of listening ports.
  macOS: Open Terminal and type sudo lsof -i -n -P for a printout of the listening ports.

- Verify the firmware is up to date and contact tech support for further assistance. To check the current version of firmware on the ZyWALL, go to Maintenance > File Manager > Firmware Package.
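The "is the host actually listening" check appears in both the site-to-site section and the SSL VPN section above, with `netstat -an` on Windows and `sudo lsof -i -n -P` on macOS. The following is an added example (not code from the ZyWALL guide or from Zyxel) that parses both output formats into a set of bound sockets and answers the question a remote user really has: is there a listener on this port that a peer across the tunnel can reach? A socket bound only to 127.0.0.1 shows up as LISTENING in both tools yet is unreachable from the VPN, which is a common reason "it works locally" fails remotely. Both listings below are constructed samples; the host addresses 192.168.1.50 and 192.168.1.60, the process names and the 203.0.113.5 peer are made up for the example.

```python
# Constructed sample of Windows `netstat -an` output (IPv4 rows only).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING
  TCP    192.168.1.50:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.50:49712     203.0.113.5:443        ESTABLISHED
  UDP    0.0.0.0:500            *:*
  UDP    127.0.0.1:1900         *:*
"""

# Constructed sample of macOS `sudo lsof -i -n -P` output.
LSOF_SAMPLE = """\
COMMAND     PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
launchd       1   root   10u  IPv6 0x1a2b3c4d5e6f7a8b      0t0  TCP *:22 (LISTEN)
launchd       1   root   11u  IPv4 0x1a2b3c4d5e6f7a8c      0t0  TCP *:22 (LISTEN)
screenshar  455   root    6u  IPv4 0x1a2b3c4d5e6f7a8e      0t0  TCP 192.168.1.60:5900 (LISTEN)
python3     720  alice    3u  IPv4 0x1a2b3c4d5e6f7a8f      0t0  TCP 127.0.0.1:8000 (LISTEN)
Safari      801  alice   21u  IPv4 0x1a2b3c4d5e6f7a90      0t0  TCP 192.168.1.60:52001->203.0.113.5:443 (ESTABLISHED)
mDNSRespo   120   _mdnsresponder 8u IPv4 0x1a2b3c4d5e6f7a91 0t0 UDP *:5353
"""

LISTEN_STATES = {"LISTENING", "(LISTEN)"}           # netstat vs lsof spelling
WILDCARD_BINDS = {"*", "0.0.0.0", "::", "[::]"}      # bound on every address


def parse_listeners(text):
    """Return a set of (proto, bind_addr, port) for bound TCP listeners and UDP sockets.

    Works on both formats because each data row carries a TCP/UDP token followed by
    the local endpoint; connected sockets are skipped (ESTABLISHED state in netstat,
    a "local->remote" endpoint in lsof).
    """
    listeners = set()
    for line in text.splitlines():
        tokens = line.split()
        proto_idx = next((i for i, t in enumerate(tokens) if t in ("TCP", "UDP")), None)
        if proto_idx is None or proto_idx + 1 >= len(tokens):
            continue
        proto, local = tokens[proto_idx], tokens[proto_idx + 1]
        if "->" in local:
            continue
        if proto == "TCP" and tokens[-1] not in LISTEN_STATES:
            continue
        bind_addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        listeners.add((proto, bind_addr, int(port)))
    return listeners


def reachable(listeners, proto, port, host_ip):
    """True if a socket for proto/port is bound to all addresses or to host_ip itself.

    host_ip is the address of the host on the network the VPN peer will use to
    reach it; a loopback-only binding does not count.
    """
    return any(
        p == proto and pt == port and (addr in WILDCARD_BINDS or addr == host_ip)
        for p, addr, pt in listeners
    )


if __name__ == "__main__":
    win = parse_listeners(NETSTAT_SAMPLE)
    for port in (3389, 8080):
        print(f"Windows host TCP/{port} reachable over the tunnel: {reachable(win, 'TCP', port, '192.168.1.50')}")
    mac = parse_listeners(LSOF_SAMPLE)
    for port in (5900, 8000):
        print(f"macOS host TCP/{port} reachable over the tunnel: {reachable(mac, 'TCP', port, '192.168.1.60')}")
```

For UDP neither tool reports a state, so a bound UDP socket is treated as a listener; the loopback test still applies to it. Run the real command on the target host, paste its output in place of the constructed sample, and pass the host's LAN address as `host_ip`.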
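Every section of this guide repeats the same address-plan check: the ZyWALL LAN, the L2TP or IPSec client pool, the remote site's LAN and the road-warrior's own LAN must not share address space, otherwise the operating system routes the shared range locally or through the tunnel indiscriminately. The following is an added example (not code from the ZyWALL guide or from Zyxel) that takes a labelled address plan and reports every overlapping pair using the standard library's ipaddress module, including the case where one range is a subset of another. The plan labels and subnets are constructed sample values, chosen to reproduce the 192.168.1.0/24 collision the guide warns about.

```python
import ipaddress
from itertools import combinations

# Constructed sample address plan for an L2TP road-warrior setup. Labels are
# illustrative; the values reproduce the collision the guide describes.
SAMPLE_PLAN = {
    "zywall_lan": "192.168.1.0/24",    # ZyWALL internal (LAN) network
    "l2tp_pool": "192.168.1.128/25",   # client pool carved out of the LAN (bad idea)
    "remote_lan": "192.168.1.0/24",    # the remote user's own home/office LAN
}

# The same plan after moving the pool and assuming the remote LAN is renumbered
# (also constructed).
FIXED_PLAN = {
    "zywall_lan": "192.168.1.0/24",
    "l2tp_pool": "10.10.10.0/24",
    "remote_lan": "192.168.50.0/24",
}


def find_overlaps(plan):
    """Return sorted (label_a, label_b) pairs whose address ranges overlap.

    ipaddress's overlaps() is symmetric and also catches full containment,
    so a /25 pool inside a /24 LAN is reported as well as an identical prefix.
    """
    nets = {label: ipaddress.ip_network(cidr, strict=False) for label, cidr in plan.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b]))


def check_plan(plan):
    """Human-readable problem list; an empty list means the plan is conflict-free."""
    problems = []
    for a, b in find_overlaps(plan):
        problems.append(
            f"{a} ({plan[a]}) overlaps {b} ({plan[b]}): hosts in the shared range "
            f"cannot be reached unambiguously through the tunnel"
        )
    return problems


if __name__ == "__main__":
    for label, plan in (("sample plan", SAMPLE_PLAN), ("fixed plan", FIXED_PLAN)):
        issues = check_plan(plan)
        print(f"{label}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

The check is purely offline; the useful habit is to run it before changing the pool or asking a remote user to renumber, since the guide's symptom (tunnel up, no traffic) gives no hint which of the three networks is at fault.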