www.zyxel.com

ZyWALL/USG Series
ZyWALL 110 / 310 / 1100
USG40 / USG40W / USG60 / USG60W / USG110 / USG210 / USG310 / USG1100 / USG1900
Security Firewalls

Firmware Version 4.13 ~ 4.15
Edition 1, 8/2016

Troubleshooting Guide

Default Login Details
LAN Port IP Address: https://192.168.1.1
User Name: admin
Password: 1234

Copyright © 2016 ZyXEL Communications Corporation

Table of Contents

1. How to Access to the ZyWALL/USG ... 8
1.1. Access the ZyWALL/USG by HTTPS ... 8
1.2. Access the ZyWALL/USG by SSH ... 8
1.3. Access the ZyWALL/USG by TELNET ... 10
1.4. Access the ZyWALL/USG by Console ... 11
2. Basic Information Collection ... 12
2.1. Collect Diagnostic Information File ... 12
2.1.1. By GUI ... 12
2.1.2. By CLI ... 13
2.1.3. Packet Capture ... 13
2.1.4. USB storage ... 14
3. Hardware Troubleshooting ... 17
3.1. Tools and Systems Needed ... 17
3.2. Prepare Device for Initial Test ... 18
3.3. Firmware Recovery ... 22
4. Device Reboot Randomly ... 28
4.1. Collecting More Debug Messages ... 28
4.1.1. Collecting console log ... 28
4.1.2. Collecting diag-info ... 29
5. Cannot Access to the Device ... 31
5.1. Firewall Rule ... 31
5.1.1. If you are not able to access the ZyWALL/USG by HTTPS ... 31
5.1.2. If you are not able to access the ZyWALL/USG by SSH ... 33
5.1.3. If you are not able to access the ZyWALL/USG by TELNET ... 35
5.2. DHCP (IP/MAC Binding) ... 37
5.2.1. Check DHCP Setting ... 38
6. Cannot Access to the Device WWW ... 40
6.1. Port Issue ... 40
6.1.1. Issue description ... 40
6.1.2. Solution ... 41
6.2. Admin Service Control Issue ... 43
6.2.1. Issue description ... 43
6.2.2. Solution ... 44
6.3. OSPF Routing Issue ... 46
6.3.1. Unable to distribute routes to the connected device ... 46
6.3.2. Unable to get routes from the connected device ... 47
6.4. Cannot Access Internet (Session Full/Firewall Block) ... 49
6.4.1. Session full ... 49
6.4.2. Firewall block ... 52
6.5. Cannot Access Internet (Anti-Spam) ... 54
6.5.1. If you are not able to receive/send emails via ZyWALL/USG ... 54
6.5.2. Information that must be collected ... 55
7. Cannot Set Up the IPSec VPN Function Successfully ... 56
7.1. VPN Connection Cannot Be Established ... 56
7.1.1. If facing the VPN connection problem, here are the possible root causes ... 56
7.1.2. Once the VPN tunnel cannot be established ... 56
7.1.3. Once you have the connection problem, check the log "IKE" category for more information ... 57
7.2. Cannot Establish VPN Tunnel via 3G/LTE Interface ... 60
7.2.1. Is the Dongle Included in the ZyWALL/USG Support List? ... 60
7.2.2. Change to Supported Dongle ... 61
7.2.3. Is the Cellular Status Ready? ... 61
7.2.4. Activate Cellular Status and Check ISP Account Settings ... 61
7.2.5. Is the Connectivity Set to Nailed-Up? ... 62
7.2.6. Modify Connectivity Setting ... 62
7.2.7. Is the Cellular Interface Included in the WAN Trunk? ... 63
7.2.8. Modify Trunk ... 63
7.2.9. Is there Any Routing Policy Related to the WAN Interface? ... 64
7.2.10. Check Routing Policy ... 65
7.2.11. Collect Information to CSO Support ... 65
7.3. VPN Fallback Is Not Working ... 67
7.3.1. The VPN tunnel has been established successfully, but cannot fall back to the primary peer gateway ... 67
7.3.2. Verify configuration ... 67
7.4. Cannot Set Up the IPSec VPN Function by VPN Provision Successfully ... 70
7.4.1. Configuration is successful but the field "Remote Gateway Address" is empty ... 70
7.4.2. Authentication Failed ... 71
7.4.3. Server Not Found ... 73
7.5. IPSec VPN Client on Win10 Operating System ... 74
7.5.1. Can't use IPSec VPN client on Win10 system ... 74
7.5.2. The vital configuration of IPSec Client on Win10 ... 74
7.5.3. Wireless possible issue symptoms ... 74
7.6. Cannot Set Up the IKEv2 VPN Tunnel Successfully ... 80
7.6.1. If IKEv2 traffic does not work completely from your PC ... 80
7.6.2. If IKEv2 tunnel is not up ... 81
7.6.3. VPN tunnel is up, but no traffic passes through the USG to the Internet ... 84
7.6.4. Information that must be collected ... 85
7.7. VPN Concentrator with the Problem ... 86
7.7.1. Site-to-Site VPN tunnel is up ... 87
7.7.2. VPN Concentrator on Central side ... 91
7.7.3. Policy route on both branch sides ... 92
7.7.4. Information that must be collected ... 92
7.8. IPSec VPN Tunnel Was Established Successfully, but the Traffic Can't Pass Through the Tunnel ... 93
7.8.1. Is the PC Firewall Disabled? ... 93
7.8.2. Does the PC Firewall Allow VPN/ICMP Traffic? ... 94
7.8.3. Modify PC Firewall Setting ... 94
7.8.4. Is the USG NetBIOS Enabled? ... 104
7.8.5. Modify NetBIOS Setting ... 104
7.8.6. Perform Ping Check Command from PC ... 105
7.8.7. Is there Any Response from the Remote Site? ... 105
7.8.8. Perform Ping Check from PC to Local/Remote Gateway ... 106
7.8.9. Is there Any Response from the Local/Remote Gateway? ... 106
7.8.10. Modify Local/Remote Gateway Setting ... 107
7.8.11. Disable Security Policy on Device ... 108
7.8.12. Is there Any Response from the Remote Site? ... 108
7.8.13. Modify Security Policy Setting ... 109
7.8.14. Perform Ping Check Command from Router ... 111
7.8.15. Is there Any Response from the Remote Subnet? ... 111
7.8.16. Modify Routing ... 113
7.8.17. Is the VPN Routing Priority Higher than 1:1 NAT or Other Routing? ... 113
7.8.18. Modify Packet Flow Priority ... 114
7.8.19. Collect Information to CSO Support ... 115
8. Cannot Set Up the L2TP VPN Function Successfully ... 118
8.1. Cannot Connect to the ZyWALL via L2TP Client ... 118
8.1.1. Incorrect L2TP Address Pool ... 118
8.1.2. Incorrect Local Policy ... 118
8.1.3. Incorrect Phase 1 or Phase 2 Settings ... 119
8.2. User Cannot Be Authenticated ... 121
8.2.1. Authentication Method ... 121
8.2.2. Allowed user ... 122
8.3. Windows Service Not Activated (IKE Service) ... 123
8.3.1. If you have not enabled the modules you will see ... 123
8.3.2. How to enable IKE and AuthIP IPSec Keying Modules ... 124
8.4. After the L2TP VPN Tunnel Is Established, the Client Can't Access the Internet ... 125
8.4.1. After establishing the L2TP VPN tunnel, no Internet traffic can pass at all ... 125
8.4.2. After you established the L2TP VPN tunnel you will see ... 125
8.4.3. How to add an additional routing rule for L2TP clients to access the Internet ... 126
9. If You Are Not Able to Configure UTM Policies or They Are Not Working ... 127
9.1. Check Service Expiration ... 127
9.1.1. Have you subscribed to the UTM service? ... 127
9.1.2. Registration on myZyXEL.com 2.0 ... 127
9.1.3. Has your UTM service expired? ... 132
9.1.4. Extend UTM license ... 133
9.2. Signature Update ... 134
9.2.1. Has your UTM service been updated? ... 135
9.2.2. Update UTM service ... 135
9.3. Security Policy Direction ... 136
9.3.1. Is your UTM policy applied to the correct direction? ... 136
9.3.2. Modify Security Policy direction ... 136
10. Device-HA Doesn't Work ... 137
10.1. After Fail-Over, Switch ARP Learning Mode ... 138
10.1.1. Have you configured the same Cluster ID for the different Device HA groups? ... 138
10.1.2. Cluster ID ... 138
10.2. Synchronize Issue ... 139
10.2.1. Have you configured the same FTP port for both master and backup devices? ... 139
10.2.2. Have you enabled the FTP service? ... 141
10.2.3. Does the Security Policy block FTP/VRRP services? ... 141
10.2.4. Does the Security Policy block other ports when synchronizing? ... 143
10.2.5. Have you configured the same synchronization password for both master and backup devices? ... 144
10.2.6. Have you experienced a synchronization hang issue? ... 144
10.2.7. Subnet conflict ... 146
10.3. Collect Information to CSO Support ... 147

1. How to Access to the ZyWALL/USG

1.1. Access the ZyWALL/USG by HTTPS

1. Connect a PC to lan1 and open a web browser. Type https://192.168.1.1; the login screen appears. Type the user name (default: admin) and password (default: 1234).

1.2. Access the ZyWALL/USG by SSH

1.
Connect a PC to lan1 and open PuTTY Configuration. Type 192.168.1.1 into Host Name and change the Port number to match your ZyWALL/USG setting (go to CONFIGURATION > System > SSH). Select SSH as the Connection Type and click Open.
2. The SSH session page appears.

1.3. Access the ZyWALL/USG by TELNET

1. Connect a PC to lan1 and open PuTTY Configuration. Type 192.168.1.1 into Host Name and change the Port number to match your ZyWALL/USG setting (go to CONFIGURATION > System > Telnet). Select Telnet as the Connection Type and click Open.
2. The Telnet session page appears.

1.4. Access the ZyWALL/USG by Console

1. Connect your PC to the console port using a console cable. Open PuTTY Configuration. Type the Serial line number (on a Windows PC you can find it in Device Manager > Ports) and change the Speed to match your ZyWALL/USG setting (go to CONFIGURATION > System > Console Speed; the default speed is 115200). Select Serial as the Connection Type and click Open.
2. The Console session page appears.

2. Basic Information Collection

2.1. Collect Diagnostic Information File

2.1.1. By GUI

1. Go to MAINTENANCE > Diagnostics > Diagnostics and click Collect Now.
2. After the collection finishes, press Download.

2.1.2. By CLI

1. Log in on the console as admin (using TeraTerm or PuTTY) and enter the following CLI command:
Router> diag-info collect
2. After the collection finishes, use the CLI to show the diag-info file name, then go to the GUI to download the file:
Router> show diag-info

2.1.3. Packet Capture

1. Go to MAINTENANCE > Diagnostics > Packet Capture > Capture. Select the interface and press Capture. (A filter condition can be applied if needed.)
2. Go to MAINTENANCE > Diagnostics > Packet Capture > Files and download the captured packets.

2.1.4. USB storage

1. Ensure the USB drive's file system format is FAT32.
2. Go to CONFIGURATION > System > USB Storage. Select Activate USB Storage Service, then click Apply.
3. Go to MONITOR > System Status > USB Storage > Storage Information and check the USB status.
4. What kind of information can be saved on USB storage?
- Diagnostic info
- Packet capture
- System log

3. Hardware Troubleshooting

3.1. Tools and Systems Needed

1. Laptop x 2: one connects via console and Ethernet cable for device management, the other connects via Ethernet cable for basic traffic testing.
2. Console setting: Baud rate 115200, Data 8 bit, Parity none, Stop 1 bit, Flow control none.
3. Windows 7 Operating System (firewall turned off).
4. USB to RS232 console cable.
5. Power cord.
6. RJ-45 Ethernet cable.

3.2. Prepare Device for Initial Test

1. Prerequisite: reset the device by holding the RESET button for 5 seconds while the device is powered on.
RESET button location (see the device figures): USG40, USG40W, USG60, USG60W, ZyWALL110/USG110/USG210, ZyWALL310/ZyWALL1100/USG310/USG1100/USG1900.

Test 1: Power on the DEVICE and check the PWR LED status.
a. PWR LED steady green: Normal
b. PWR LED does not turn on: PWR001 – No Power

Test 2: Check the SYS LED status.
a. Wait until the SYS LED turns steady on; the SYS LED keeps blinking for less than 4 minutes.
b. If the SYS LED keeps blinking for more than 5 minutes: SYS006 – Boot failure
c. Recovery: check Appendix 1.
d. If the device cannot be recovered by the procedure: SYS006 – Boot failure
e. SYS LED steady green: Normal

Test 3: Check the Port LED status.
a. Laptop1 connects to the DEVICE ports with an Ethernet cable.
b. Port upper right LED is steady on (amber): Normal
c. Port LED cannot turn on: ETH001 – Ethernet port dead
d. Port upper left LED blinks aperiodically (green): Normal

Test 4: Check packet forwarding.
USG40/40W, USG60/60W
a. Laptop1 connects to a LAN port with an Ethernet cable.
b.
Set the laptop IP address to 192.168.1.10, mask 255.255.255.0.
c. Laptop2 connects to another LAN port with an Ethernet cable.
d. Set its IP address to 192.168.1.20, mask 255.255.255.0.
e. Laptop1 pings Laptop2 for 30 seconds.
f. If there is no packet loss: Normal
g. If there is ping loss: ETH004 – Ethernet port ping packet loss
ZyWALL110/USG110/USG210
a. Laptop1 connects to a LAN port (P4) with an Ethernet cable.
b. Set the laptop IP address to 192.168.1.10, mask 255.255.255.0.
c. Laptop2 connects to another LAN port (P5) with an Ethernet cable.
d. Set its IP address to 192.168.1.20, mask 255.255.255.0.
e. Laptop1 pings Laptop2 for 30 seconds.
f. If there is no packet loss: Normal
g. If there is ping loss: ETH004 – Ethernet port ping packet loss

Test 5: Check WiFi (models USG40W/USG60W).
a. Laptop1 and Laptop2 try to connect to the SSID "ZyXEL" via WiFi; the laptop WiFi interface settings should be as shown in the figure.
b. If WiFi connects successfully: Normal
c. If WiFi cannot scan or connect to the "ZyXEL" SSID: WLN004 – WLAN Connect failed
d. Laptop1 pings the Laptop2 IP address.
e. Ping success: Normal
f. Ping failed: WLN005 – WLAN Ping error (Ping loss)

Test 6: Check the USB port.
USG40/40W
a. Connect the flash drive to the USB port and check the USB LED.
b. Steady green: Normal
c. LED does not turn on: USB001 – USB port dead
USG60/60W/110/210/310/1100/1900, ZyWALL110/310/1100
a. Connect the flash drive to the USB port. Log in to the device GUI, check the device virtual diagram and see whether the flash drive is detected.
b. USB drive is detected: Normal
c. USB drive is not detected: USB001 – USB port dead

3.3. Firmware Recovery

In some rare situations (symptoms listed below), the ZyWALL/USG might not boot up successfully after a firmware upgrade. The following procedure recovers the firmware to normal condition. Please connect a console cable to the ZyWALL/USG.

1. Symptoms
- The device boots but shows the error message "can't get kernel image" during boot, and reboots infinitely.
- Nothing is displayed after "Press any key to enter debug mode within 3 seconds." for more than 1 minute.
- The startup message displays "Invalid Recovery Image". The message may also read "Invalid Firmware"; it is equivalent to "Invalid Recovery Image".

2. Recovery steps
- Press any key to enter debug mode.
- Enter atkz -f -l 192.168.1.1 to configure the FTP server IP address.
- Enter atgof to bring up the FTP server on port 1. The console output then shows that the FTP service is up and ready to receive the firmware.

You will use FTP to upload the firmware package. Keep the console session open in order to see when the firmware update finishes.

Set your computer to use a static IP address from 192.168.1.2 ~ 192.168.1.254. No matter how you have configured the ZyWALL/USG's IP addresses, your computer must use a static IP address in this range to recover the firmware. Connect your computer to the ZyWALL/USG's port 1 (the only port that you can use for recovering the firmware).

Use an FTP client on your computer to connect to the ZyWALL/USG. This example uses the ftp command in the Windows command prompt. The ZyWALL/USG's FTP server IP address for firmware recovery is 192.168.1.1. Log in without a user name (just press Enter). Set the transfer mode to binary: use "bin" (or just "bi" in the Windows command prompt). Transfer the firmware file from your computer to the ZyWALL/USG (the command is "put <firmware filename>" in the Windows command prompt). Wait for the file transfer to complete.

The console session displays "Firmware received" after the FTP file transfer is complete. Then you need to wait while the ZyWALL/USG recovers the firmware (this may take up to 4 minutes). The message here might be "ZLD-current received"; it is equivalent to "Firmware received".
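Because the whole recovery is judged from console output (the symptoms listed above, the "received" and "done" messages, and the restart errors that mean the procedure has to be repeated), it helps to scan a saved TeraTerm or PuTTY console log for exactly those strings. The following is an added example, not Zyxel tooling; the quoted messages come from this section, while SAMPLE_LOGS are constructed captures, not real device output:

```python
"""Triage a captured ZyWALL/USG console log against the boot and
firmware-recovery messages listed in section 3.3 of the guide.

Added example, not Zyxel tooling. The message strings are the ones the
guide quotes; SAMPLE_LOGS are constructed console captures, not real
device output.
"""

# Symptoms that call for the firmware recovery procedure (3.3, step 1).
NEEDS_RECOVERY = (
    "can't get kernel image",
    "Invalid Recovery Image",
    "Invalid Firmware",          # guide: equivalent to "Invalid Recovery Image"
)
DEBUG_PROMPT = "Press any key to enter debug mode within 3 seconds."

# Progress messages while recovery runs (3.3, step 2); the two are equivalent.
RECEIVED = ("Firmware received", "ZLD-current received")

# Messages after the restart that mean the recovery must be repeated.
REPEAT_RECOVERY = (
    "/bin/sh: /etc/zyxel/conf/ZLDconfig: No such file",
    "Error: no system default configuration file, system configuration stop!!",
)


def triage_console_log(text: str) -> dict:
    """Walk the log top to bottom and return the recovery state it ends in.

    verdict is one of: needs_recovery, possible_hang, recovery_in_progress,
    recovery_complete, repeat_recovery, no_indicators.
    """
    report = {"symptoms": [], "received": False, "done": False,
              "repeat": [], "verdict": "no_indicators"}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for ln in lines:
        report["symptoms"].extend(s for s in NEEDS_RECOVERY if s in ln)
        if any(r in ln for r in RECEIVED):
            report["received"] = True
        # "done" on its own line only counts once the firmware was received.
        if report["received"] and ln.lower() == "done":
            report["done"] = True
        report["repeat"].extend(r for r in REPEAT_RECOVERY if r in ln)

    if report["repeat"]:
        report["verdict"] = "repeat_recovery"       # run the procedure again
    elif report["done"]:
        report["verdict"] = "recovery_complete"     # device restarts by itself
    elif report["received"]:
        report["verdict"] = "recovery_in_progress"  # wait up to 4 minutes
    elif report["symptoms"]:
        report["verdict"] = "needs_recovery"
    elif lines and lines[-1].endswith(DEBUG_PROMPT):
        # Capture ends at the prompt with nothing after it: the guide's
        # "nothing displays for more than 1 minute" symptom.
        report["verdict"] = "possible_hang"
    return report


def reboot_loop_count(text: str) -> int:
    """How many times "can't get kernel image" appears; more than one
    occurrence is the 'device reboots infinitely' symptom."""
    return text.count("can't get kernel image")


# Constructed sample captures (not real device output).
SAMPLE_LOGS = {
    "loop": ("Booting...\n** can't get kernel image **\n"
             "Booting...\n** can't get kernel image **\n"),
    "hang": ("boot banner line (constructed)\n"
             "Press any key to enter debug mode within 3 seconds.\n"),
    "ok": ("Press any key to enter debug mode within 3 seconds.\n"
           "atkz -f -l 192.168.1.1\natgof\nZLD-current received\n"
           "done\nWelcome to ZyWALL/USG\nUsername:\n"),
    "again": ("Firmware received\ndone\n"
              "/bin/sh: /etc/zyxel/conf/ZLDconfig: No such file\n"
              "Error: no system default configuration file, "
              "system configuration stop!!\n"),
}

if __name__ == "__main__":
    for name, log in SAMPLE_LOGS.items():
        r = triage_console_log(log)
        print(f"{name:6} -> {r['verdict']} (symptoms={len(r['symptoms'])})")
```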
The console session displays "done" when the firmware recovery is complete. Then the ZyWALL/USG automatically restarts. The username prompt is displayed after the ZyWALL/USG starts up successfully. The firmware recovery process is now complete and the ZyWALL/USG is ready to use.

If one of the following cases occurs, you need to perform the firmware recovery process again. Note that if the process has been done several times but the problem remains, please collect all the console logs and send them to ZyXEL for further analysis. If one of the following messages appears on the console, the process must be performed again:
/bin/sh: /etc/zyxel/conf/ZLDconfig: No such file
Error: no system default configuration file, system configuration stop!!

4. Device Reboot Randomly

4.1. Collecting More Debug Messages

If your device reboots randomly and upgrading to the latest firmware does not help, you can follow this section to collect more debug information, then provide that information to the ZyXEL support team.

4.1.1. Collecting console log

1. Connect the serial cable between your PC and the device serial port.
2. Install TeraTerm on your PC (https://en.osdn.jp/projects/ttssh2/downloads/64798/teraterm-4.90.exe/).
3. Run TeraTerm, select the correct port and baud rate, and click OK to start the session. (The USG default baud rate is 115200.)
4. Click File > Log… to save all of the output displayed in the window.
5. Enter the debug kernel console-level 8 command to collect more debug messages.
6. Enter the show app-watch-dog monitor-list command to show which daemons are monitored.
7. After these steps the device prints almost all debug logs to your PC, and TeraTerm saves them directly. Please do not close the session until the device reboots itself again.

4.1.2. Collecting diag-info

1. Once the device has rebooted itself again, log in to the device Web GUI and go to MAINTENANCE > Diagnostics > Diagnostics tab > Collect.
Click the Collect Now button to collect the diag-info. (It takes around 3~5 minutes.)
2. After the process is done, the GUI shows the file name (including the collection time). Click the Download button to download it.
3. Provide the console logs and diag-info files to ZyXEL support.

5. Cannot Access to the Device

5.1. Firewall Rule

Security Policies are grouped by the direction of travel of the packets to which they apply. The ZyWALL/USG has default Security Policy behavior for traffic going through it in various directions. Policies with Device as the To Zone apply to traffic going to the ZyWALL/USG itself. By default:
- The Security Policy allows only LAN or WAN computers to access or manage the ZyWALL/USG.
- The ZyWALL/USG allows DHCP traffic from any interface to the ZyWALL/USG.
- The ZyWALL/USG drops most packets from the WAN zone to the ZyWALL/USG itself and generates a log, except for Default_Allow_WAN_To_ZyWALL (AH, ESP, GRE, HTTPS, IKE, NATT).

5.1.1. If you are not able to access the ZyWALL/USG by HTTPS

1. Connect a console cable to the ZyWALL/USG. Type the following command to disable the firewall rule, so that you can log in to the device via HTTPS and check what has gone wrong in the configuration:
2. If you were not able to access the ZyWALL/USG via its public IP: check whether the policy allows WAN access to the ZyWALL/USG. Also make sure the Service allows HTTPS; you can move the mouse pointer over the service object and check whether HTTPS is included in the service group.
CONFIGURATION > Security Policy > Policy Control
3. If you want to add a new service object to the Service Group, go to CONFIGURATION > Object > Service > Service Group and double-click the group you want to edit. Move the services you want available to the ZyWALL/USG to Member. Click OK.
CONFIGURATION > Object > Service > Service Group
4. If you were not able to access the ZyWALL/USG via its LAN IP: check whether the policy allows LAN access to the ZyWALL/USG.
CONFIGURATION > Security Policy > Policy Control

5.1.2. If you are not able to access the ZyWALL/USG by SSH

1. Go to CONFIGURATION > Security Policy > Policy Control and check whether you have added a To ZyWALL rule that allows the SSH service.
CONFIGURATION > Security Policy > Policy Control
2. If it is not created yet, click Add and create a To ZyWALL rule that allows the SSH service:
CONFIGURATION > Security Policy > Policy Control > Add corresponding
3. If the Security Policy is created but you still cannot access the ZyWALL, go to CONFIGURATION > System > SSH, check that Enable is set in the General Settings and make sure the Service Port is correct and the same as in your terminal program. Then check that the Service Control Action is Accept.
CONFIGURATION > System > SSH

5.1.3. If you are not able to access the ZyWALL/USG by TELNET

1. Go to CONFIGURATION > Security Policy > Policy Control and check whether you have added a To ZyWALL rule that allows the TELNET service.
CONFIGURATION > Security Policy > Policy Control
2. If it is not created yet, click Add and create a To ZyWALL rule that allows the TELNET service:
CONFIGURATION > Security Policy > Policy Control > Add corresponding
3. If the Security Policy is created but you still cannot access the ZyWALL, go to CONFIGURATION > System > TELNET, check that Enable is set in the General Settings and make sure the Service Port is correct and the same as in your terminal program. Then check that the Service Control > Action is Accept.
CONFIGURATION > System > TELNET

5.2. DHCP (IP/MAC Binding)

People want to use IP/MAC binding for LAN users because it makes the users easier to manage. However, if a client cannot access the device by static IP and the log shows the error "Drop packet lan1-10.10.1.201-00:1E:33:29:BB:FC", there may be an issue in the DHCP setting.
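Chapter 5 names two reasons a host can be unable to reach the ZyWALL/USG itself: the default To-Device security policy described in 5.1, and IP/MAC binding described here and checked in 5.2.1. The following added example (not Zyxel code; the rule names, hosts and binding tables are constructed, and the rule model is a simplification of Policy Control) models both, so that a drop log line can be traced to the check that produced it:

```python
"""Model of the two 'cannot access the device' causes in chapter 5.

Added example, not Zyxel code or output. The default To-Device policy
follows the description in 5.1, the IP/MAC binding behaviour follows the
note in 5.2.1; the log format "Drop packet <iface>-<ip>-<mac>" is quoted
from 5.2. Rule names, hosts and tables below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Service group admitted by the default WAN-to-Device rule (5.1).
DEFAULT_ALLOW_WAN_TO_ZYWALL = frozenset({"AH", "ESP", "GRE", "HTTPS", "IKE", "NATT"})


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str                  # "LAN", "WAN" or "any"
    services: Optional[frozenset]   # None = any service
    action: str                     # "allow" or "deny"


def default_to_device_rules() -> list:
    """Default rules with Device as the To zone; first match wins."""
    return [
        Rule("DHCP_to_Device", "any", frozenset({"DHCP"}), "allow"),
        Rule("LAN_to_Device", "LAN", None, "allow"),
        Rule("WAN_to_Device", "WAN", DEFAULT_ALLOW_WAN_TO_ZYWALL, "allow"),
    ]


def to_device_decision(rules, from_zone, service):
    """Return (action, matched rule). Traffic no rule matches is dropped and
    logged, which is what 5.1 describes for most WAN-to-Device packets."""
    for r in rules:
        if r.from_zone not in ("any", from_zone):
            continue
        if r.services is not None and service not in r.services:
            continue
        return r.action, r.name
    return "drop", "default (logged)"


DROP_LOG = re.compile(
    r"Drop packet (?P<iface>\w+)-(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"-(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


def parse_drop_log(line):
    """Split 'Drop packet lan1-10.10.1.201-00:1E:33:29:BB:FC' into
    (interface, ip, mac); None if the line is not an IP/MAC binding drop."""
    m = DROP_LOG.search(line)
    if not m:
        return None
    return m["iface"], m["ip"], m["mac"].upper()


def ip_mac_binding_verdict(ip, mac, dhcp_leases, static_dhcp, exempt_ips):
    """Note in 5.2.1: with binding enabled, traffic passes only from a
    DHCP-offered dynamic IP, a manually set IP that matches the Static DHCP
    Table, or an address on the Exempt List."""
    mac = mac.upper()
    if dhcp_leases.get(ip) == mac:
        return "allow", "DHCP offered dynamic IP"
    if static_dhcp.get(ip) == mac:
        return "allow", "matches Static DHCP Table"
    if ip in exempt_ips:
        return "allow", "IP/MAC binding Exempt List"
    return "reject", "not in Static DHCP Table or Exempt List"


def diagnose(from_zone, service, ip, mac, rules, dhcp_leases, static_dhcp,
             exempt_ips, binding_enabled=True):
    """In this model the ingress interface's IP/MAC binding is checked first,
    then the To-Device security policy; the first failing check is reported."""
    if binding_enabled:
        verdict, why = ip_mac_binding_verdict(ip, mac, dhcp_leases, static_dhcp, exempt_ips)
        if verdict == "reject":
            return "IP/MAC binding", why
    action, rule = to_device_decision(rules, from_zone, service)
    if action != "allow":
        return "Security Policy", f"{action} by {rule}"
    return "OK", f"allowed by {rule}"


if __name__ == "__main__":
    static = {"10.10.1.201": "00:1E:33:29:BB:FC"}   # constructed binding table
    print(parse_drop_log("Drop packet lan1-10.10.1.201-00:1E:33:29:BB:FC"))
    # Same host, unknown MAC: rejected by binding before policy is consulted.
    print(diagnose("LAN", "HTTPS", "10.10.1.201", "00:1E:33:29:BB:FD",
                   default_to_device_rules(), {}, static, set()))
    # 5.1.2: SSH from WAN needs an explicit To-ZyWALL rule in front of the defaults.
    with_ssh = [Rule("WAN_SSH_to_Device", "WAN", frozenset({"SSH"}), "allow")]
    with_ssh += default_to_device_rules()
    print(diagnose("WAN", "SSH", "203.0.113.7", "AA:BB:CC:DD:EE:FF",
                   with_ssh, {}, {}, set(), binding_enabled=False))
```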
5.2.1. Check DHCP Setting

1. Go to CONFIGURATION > Interface > Ethernet > Lan1 > IP/MAC Binding. Look at the Static DHCP Table and ensure the computer's IP and MAC address are in the list.
2. If this IP/MAC pair is not in the IP/MAC Binding list, DHCP (IP/MAC Binding) rejects the traffic from 10.10.1.201.
3. To add the IP/MAC pair to the Binding list, go to CONFIGURATION > Interface > Ethernet > Lan > IP/MAC Binding > Add or Edit.
4. Another way is to add this IP/MAC address to the Exempt List: go to CONFIGURATION > Network > IP/MAC Binding > Exempt List.

Note: If IP/MAC binding is enabled, traffic from the following IP address sources is also allowed to pass through the ZyWALL/USG:
a. A DHCP-offered dynamic IP
b. A user-configured IP that matches the static DHCP table

6. Cannot Access to the Device WWW

To allow the ZyWALL/USG to be accessed from a specified computer using a service, make sure you do not have a service control rule or a To-ZyWALL/USG security policy rule that blocks that traffic. If the customer cannot log in to the USG, there may be a configuration issue on the USG.

6.1. Port Issue

6.1.1. Issue description

The user cannot access the ZyWALL/USG by HTTP or HTTPS at https://192.168.2.1 or http://192.168.2.1.

6.1.2. Solution

1. HTTP example: check the HTTP and HTTPS port numbers. You can check them via the console: enter configure terminal, then show ip http server status. The port information for HTTP is displayed.
HTTP example
As shown, the "Server Port" number is 1111, so the login address should be http://192.168.2.1:1111.
2. HTTPS example: enter configure terminal, then show ip http server secure status. The port information for HTTPS is displayed.
HTTPS example
As shown, the "Server Port" number is 2000, so the login address should be https://192.168.2.1:2000.

6.2. Admin Service Control Issue

6.2.1.
Issue description The user cannot login USG, and after fill login information then press Login, the system will display “Login denied”. 43/147 www.zyxel.com 6.2.2. Solution 1. User needs to make sure that the User Name and Password are correct. 2. User needs to make sure that the https://192.168.2.1 did not block by Admin service control 3. Client can check it via console. Type command: configure Terminal> Show ip http server secure status 4. As we can see the Lan2 (https://192.168.2.1) already denied by admin service control, so user cannot login via Lan2. 5. Users can switch the network cable to other Lans, and modify the configuration they needed. Go to CONFIGURATION > system > WWW > Service Control, remove Lan2 deny. 44/147 www.zyxel.com 6. After modified, user can access USG via Lan2 45/147 www.zyxel.com 6.3. OSPF Routing Issue 6.3.1. Unable to distribute routes to the connected device 1. Area Setting Check if the Area ID, Type and Authentication Key are correctly configured. Ensure these same settings are also correctly configured on the connected device which would like to get routes from the ZyWALL. CONFIGURATION > Network > Routing > OSPF > Area 2. OSPF setting in the interface Select the correct Area ID and Authentication in the appropriate interfaces. CONFIGURATION > Network > Interface > Ethernet > Advanced Settings > OSPF Setting 46/147 www.zyxel.com 6.3.2. Unable to get routes from the connected device 1. Area Setting Check if the Area ID, Type and Authentication Key are correctly configured. These settings must be the same as that on the connected device from which the ZyWALL would like to get routes. CONFIGURATION > Network > Routing > OSPF > Area 2. OSPF setting in the interface Select the correct Area ID and Authentication in the appropriate interfaces. CONFIGURATION > Network > Interface > Ethernet > Advanced Settings > OSPF Setting 47/147 www.zyxel.com 3. 
OSPF service in policy control: Ensure the OSPF service is allowed in policy control. From: any; To: ZyWALL; Service: OSPF; Access: allow. CONFIGURATION > Security Policy > Policy Control > Add

6.4. Cannot access internet (session full/firewall block)

6.4.1. Session full

1. Once a client has reached the maximum number of sessions, it will not be allowed to connect to the interface or the GUI; you may need to use the serial port to enter the command line as below.
2. In the CLI monitor screen you can use "show logging entries category sessions-limit" to confirm whether the client is blocked by the session limit, or "show logging entries keyword <client IP>" to see the logs regarding this computer.
3. You can disable the session limit temporarily once you see the "maximum session per host" message.
4. Go to the device GUI MONITOR > Log > log display, select "Sessions Limit" and check whether the client is blocked because of the session limit. The GUI monitor shows that the client has reached the maximum session threshold.
5. You can go to CONFIGURATION > Security Policy > Session Control to change the setting or set the threshold for the specific client.

6.4.2. Firewall block

1. The service will be blocked by the firewall if the security policy is not set appropriately.
2. The security policy is applied according to the ZONE setting.
3. Go to MONITOR > Log. Under Category > Security Policy Control, the log shows the FTP service from the LAN2 client ACCESS BLOCKED by the firewall in this example.
4. Also check the Zone configuration at CONFIGURATION > Object > Zone. Use Object Reference to see where these objects are used and their priority in the security policy.
5. In this case the client PC (192.168.2.33) is included in the Zone LAN2.
6. The LAN2 zone object is referenced by the security policy. Most of the time, not being able to reach an external service is due to a misconfiguration of the firewall rules.
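To make the zone-and-rule logic of 6.3.2 and 6.4.2 concrete, here is an added example (not code from the Zyxel guide or from the device): it models a security policy as an ordered, first-match rule list keyed on the source's zone, the destination zone (including the device itself, "To: ZyWALL") and a service, and reports which services a client cannot reach. The zone subnets, the rule set, the deny-by-default fallback and the protocol numbers in the comments are assumptions for illustration; the LAN2 client 192.168.2.33 and the blocked FTP service come from the section above.

```python
"""Added example (not from the Zyxel guide): a first-match model of a
zone-based security policy, used to check whether a client's traffic
can reach the device itself (To: ZyWALL) or another zone. Zone subnets,
rule set and the 'deny by default' fallback are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

# Constructed zone table: which subnets belong to which zone.
ZONES = {
    "LAN1": [ip_network("192.168.1.0/24")],
    "LAN2": [ip_network("192.168.2.0/24")],
    "WAN":  [ip_network("0.0.0.0/0")],   # catch-all, least specific
}

@dataclass(frozen=True)
class Rule:
    from_zone: str            # zone name or "any"
    to_zone: str              # zone name, "ZyWALL" (the device) or "any"
    services: FrozenSet[str]  # service names, or {"any"}
    action: str               # "allow" or "deny"

def zone_of(ip: str) -> Optional[str]:
    """Most specific zone whose subnet contains ip (None if no zone matches)."""
    addr = ip_address(ip)
    best = None
    for name, nets in ZONES.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None

def evaluate(rules: List[Rule], src_ip: str, to_zone: str, service: str) -> str:
    """The first matching rule decides; nothing later is consulted.
    Assumption: traffic matching no rule is denied."""
    src_zone = zone_of(src_ip)
    for r in rules:
        if r.from_zone not in ("any", src_zone):
            continue
        if r.to_zone not in ("any", to_zone):
            continue
        if "any" not in r.services and service not in r.services:
            continue
        return r.action
    return "deny"

def missing_services(rules, src_ip, to_zone, required):
    """Required services that the policy does not allow from src_ip to to_zone."""
    return [s for s in required if evaluate(rules, src_ip, to_zone, s) != "allow"]

# Constructed rule set reproducing the guide's two symptoms: the LAN2
# client (192.168.2.33) is blocked for FTP, and the LAN2-to-ZyWALL rule
# forgot OSPF, ESP and AH.
RULES = [
    Rule("LAN1", "ZyWALL", frozenset({"any"}), "allow"),
    Rule("LAN2", "ZyWALL", frozenset({"IKE", "NATT"}), "allow"),
    Rule("LAN2", "WAN", frozenset({"FTP"}), "deny"),
    Rule("any", "WAN", frozenset({"any"}), "allow"),
]

# Services a VPN or OSPF peer needs to reach the device: IKE (UDP/500),
# NAT-T (UDP/4500), ESP (IP protocol 50), AH (IP protocol 51), OSPF (IP protocol 89).
VPN_TO_DEVICE = ["OSPF", "IKE", "NATT", "ESP", "AH"]

if __name__ == "__main__":
    print("FTP from 192.168.2.33 to WAN:", evaluate(RULES, "192.168.2.33", "WAN", "FTP"))
    print("Missing to-ZyWALL services for LAN2:",
          missing_services(RULES, "192.168.2.33", "ZyWALL", VPN_TO_DEVICE))
```

The missing_services call mirrors the check the guide asks for when OSPF (6.3.2) or IKE (7.1.2) must be allowed To: ZyWALL: run it once per source zone and add the missing services to the corresponding allow rule rather than widening the rule to "any".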
This includes restricting the wrong subnet in the wrong zone.

6.5. Cannot access internet (anti-spam)

The Anti-Spam feature can mark or discard spam (unsolicited commercial or junk e-mail). Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL/USG can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers. If you cannot receive or send e-mail through the ZyWALL/USG, follow the steps below to troubleshoot.

6.5.1. If you are not able to receive/send emails via ZyWALL/USG

1. Connect to the web GUI of the ZyWALL/USG. Go to CONFIGURATION > Security Policy > Policy Control.
2. Check the Security Policy settings to ensure the mail protocols (SMTP/POP3/SMTPs/IMAP4) are allowed.
3. Ensure the receiver/sender IP address is allowed.
4. Connect to the web GUI of the ZyWALL/USG. Go to MONITOR > UTM Statistics > Anti-Spam > Status.
5. Check whether Concurrent Mail Session Scanning is full.

6.5.2. Information that must be collected

1. Configuration
2. Diaginfo
3. Remote access
4. Mail server protocol

7. Cannot Set Up the IPSec VPN Function Successfully

There are many different scenarios when establishing a VPN tunnel. You can follow these maps to find your scenario. Each scenario lists some issues that may match the one you met, and you can follow this guide to find the symptom in your environment.

7.1. VPN connection cannot be established

7.1.1. If facing a VPN connection problem, here are the possible root causes:

1. Pre-shared key mismatch.
2. SA proposal mismatch.
3. Local/remote policy mismatch.
4. Firewall rule block.

7.1.2. Once the VPN tunnel cannot be established:

1. Navigate to MONITOR > Log
2. Select the IKE category
3. Check the authentication method, local/peer policy, and SA proposal in phase 1 and phase 2
4. Make sure that the firewall rule does not block the IKE service from LAN or WAN to the device

7.1.3.
Once you have a connection problem, check the log "IKE" category for more information.

1. Pre-shared key mismatch
2. Proposal mismatch in phase 1
3. Proposal mismatch in phase 2
4. Local policy mismatch in phase 2
5. If a Local/Peer ID is used, check that it is correct.
Local site:
Remote site:
6. Make sure that the LAN-to-device and WAN-to-device service rules allow the IKE service.

7.2. Cannot establish VPN tunnel via 3G/LTE interface

Troubleshooting Flowchart:

7.2.1. Is the Dongle Included in the ZyWALL/USG Support List?

If it is not supported, go to 7.2.2.
If it is supported, go to 7.2.3.

If the dongle is not included in the support list, it may have a compatibility issue. Therefore, change to a supported dongle.

7.2.2. Change to Supported Dongle

Go to http://www.zyxel.com/support/download_landing.shtml, Search by Model Number > Firmware > 3G Dongle Document to see the latest supported 3G cards.

7.2.3. Is the Cellular Status Ready?

If it is not ready, go to 7.2.4.
If it is ready, go to 7.2.5.

When you plug the 3G dongle into the device, it will automatically create a cellular interface, but the default status is inactive. Make sure the cellular interface is activated and the status is ready.

7.2.4. Activate Cellular Status and Check ISP Account Settings

Activate Cellular Status
1. Go to CONFIGURATION > Interface > Cellular; the connected device will automatically be displayed in the Cellular Interface Summary. Click Activate and then the Apply button at the bottom of the page.
2. Go to MONITOR > System Status > Cellular Status and make sure the Status is "Device ready" and the Signal Quality is good.

Check ISP Account
If the dongle cannot connect to the ISP, check the following possible reasons:
1. Misconfiguration of the dongle (if you bought a 3G card overseas, it might store some default configuration of the original ISP)
2.
No SIM or incorrect SIM
3. PIN lock
4. Parameter issue
5. Weak signal strength

7.2.5. Is the Connectivity Set to Nailed-Up?

The default Connectivity method is Nailed-Up: the connection should always be up after you activate the cellular interface. If you disable Nailed-Up and set the Idle timeout value to zero or only a few seconds, the VPN tunnel will disconnect if you do not dial up the cellular connection or when there is no traffic for a few seconds.

7.2.6. Modify Connectivity Setting

1. If you want the connection to always be up, go to CONFIGURATION > Interface > Cellular > Connectivity and check Nail-Up.
2. If you want the connection up only when there is traffic, go to CONFIGURATION > Network > Interface > Cellular > Connectivity, uncheck Nail-Up and set the Idle timeout to the desired value.

7.2.7. Is the Cellular Interface Included in the WAN Trunk?

If you do not include the cellular interface in the WAN Trunk, the ZyWALL/USG does not send traffic through the interface as part of the trunk.

7.2.8. Modify Trunk

1. If you are using SYSTEM_DEFAULT_WAN_TRUNK, go to CONFIGURATION > Network > Trunk > System Default. Make sure the cellular interface is included as a member of System Default.
2. If you are using a User Configured Trunk, go to CONFIGURATION > Network > Trunk > User Configuration. Make sure the cellular interface is included as a member of the User Configuration trunk.

7.2.9. Is there Any Routing Policy Related to the WAN Interface?

Once a packet matches the criteria of a routing rule, the ZyWALL/USG takes the corresponding action and does not perform any further flow checking. Since the default priority of Policy Route and 1-1 NAT is higher than VPN and the Default WAN Trunk, internal network access to the internet might pass through another WAN interface rather than the cellular interface.

7.2.10. Check Routing Policy

Policy Route
1.
Go to CONFIGURATION > Network > Policy Route and make sure the Next-Hop for the VPN tunnel you want to establish over the cellular interface is not another WAN interface. You can configure the Next-Hop to be the Trunk or the cellular interface.

NAT
1. Go to CONFIGURATION > Network > NAT and make sure the mapping rules do not conflict with the cellular interface and the VPN tunnel.

7.2.11. Collect Information for CSO Support

Topology
1. Access the ZyWALL/USG's CLI and issue the commands below:
Router> configure terminal
Router(config)# _cellular debug enable
2. Insert the 3G card into the ZyWALL/USG and wait for 2 minutes.
3. Access the ZyWALL/USG's CLI and issue the commands below:
Router(config)# _cellular dump daemon-data
Router(config)# _cellular cat daemon-log
Router(config)# exit
Router> show interface cellular status
Router> show interface cellular device-status
Router> debug interface ifconfig cellular1
Router# diag-info collect
Please wait, collecting information (it may take 7-10 minuts)
Router# show diag-info (check whether the collection is done)
Filename : diaginfo-20160407.tar.bz2
File size : 3260 KB
Date : 2016-04-07 01:51:38
4. Save all of the output after you enter these commands and get the diag-info file via FTP or the web GUI.
5. Send the above information to the support team.

7.3. VPN fallback is not working

7.3.1. The VPN tunnel has been established successfully, but the tunnel cannot fall back to the primary peer gateway

If your scenario is like this topology: one USG has 2 WAN interfaces and the other USG has one interface. On USG#A, the primary interface is WAN1 and the secondary interface is WAN2. When USG#A's WAN1 interface is dead, USG#B will trigger the VPN tunnel to the WAN2 interface. After USG#B establishes the VPN tunnel to USG#A's WAN2 interface, the VPN tunnel still works fine without problems, but the VPN tunnel cannot fall back to WAN1 when the WAN1 connection is back.

7.3.2. Verify configuration

1.
VPN Gateway setting on USG#A: In the VPN Gateway setting, My Address must be 0.0.0.0. This means My Address will be whichever interface IP address is alive.
2. On USG#A, make sure the WAN1 interface is primary and the WAN2 interface is secondary. Go to CONFIGURATION > Network > Interface > Trunk > User Configuration and click Add to add a customized trunk. The WAN1 interface is Active, the WAN2 interface is Passive.
3. Then apply this object as the default WAN trunk.
4. VPN Gateway setting on USG#B: In the VPN Gateway setting, set USG#A's WAN1 and WAN2 interfaces as the peer gateway addresses, and "Fall back to Primary Peer Gateway when possible" must be enabled. (In this example, USG#B will check the primary gateway IP address status every 300 seconds.)
5. Enter the fallback command on USG#B: on USG#B, the "client-side-vpn-failover-fallback activate" command must be entered via the CLI.

7.4. Cannot set up the IPSec VPN function by VPN provisioning successfully

7.4.1. Configuration is successful but the field "Remote Gateway Address" is empty

1. Check My Address of the VPN gateway: If you select "Express" when using the VPN Setup Wizard to configure VPN Settings for Configuration Provisioning, wan1 will be "My Address" by default. If wan1 is not used for VPN provisioning, select the correct interface for provisioning.
CONFIGURATION > VPN > IPSec VPN > VPN Gateway

7.4.2. Authentication Failed

1. Check that the login account and password are correctly configured on the ZyWALL IPSec VPN Client. MONITOR > Log > View Log > User
2. The account must be configured as an Allowed User. CONFIGURATION > VPN > IPSec VPN > Configuration Provisioning

7.4.3. Server Not Found

3. Check the Gateway Address configured on the ZyWALL IPSec VPN Client. The address must be the same as My Address in CONFIGURATION > VPN > IPSec VPN > VPN Gateway > WIZ_VPN_PROVISIONING.
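The log categories in 7.1.2 and 7.1.3 are what an operator reads by hand; the following added example (not code from the Zyxel guide or the device) automates that first pass over exported log lines. It groups IKE messages per peer gateway and maps each message to the setting to verify, and handles the session-limit and security-policy messages from 6.4 the same way. The line format, the peer addresses and the log lines themselves are constructed for illustration; only the message texts are taken from the guide (the client-side variants "P1 Algorithm mismatch" and "No proposal chosen" appear in 7.5.3).

```python
"""Added example (not from the Zyxel guide): triage of exported log lines.
The line format 'DATE TIME CATEGORY key=value ... msg="..."' and all the
sample lines below are constructed; message texts follow the guide."""
import re
from collections import defaultdict

# Constructed sample log (not real device output).
LOG = """\
2016-08-01 10:00:01 IKE peer=203.0.113.10 msg="Pre-shared key mismatch"
2016-08-01 10:00:05 IKE peer=203.0.113.11 msg="Phase 1 proposal mismatch"
2016-08-01 10:00:06 IKE peer=203.0.113.11 msg="P1 Algorithm mismatch"
2016-08-01 10:00:07 IKE peer=203.0.113.11 msg="No proposal chosen"
2016-08-01 10:00:09 IKE peer=203.0.113.12 msg="Phase 2 Proposal mismatch"
2016-08-01 10:00:12 IKE peer=203.0.113.13 msg="Local policy mismatch on phase 2"
2016-08-01 10:01:00 sessions-limit src=192.168.2.33 msg="maximum session per host"
2016-08-01 10:01:30 Security-Policy src=192.168.2.33 dst=203.0.113.50 svc=FTP msg="ACCESS BLOCKED"
2016-08-01 10:02:00 IKE peer=203.0.113.14 msg="IKE SA established"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<cat>\S+) (?P<attrs>.*?)\s*msg="(?P<msg>[^"]*)"$')
ATTR_RE = re.compile(r'(\w+)=(\S+)')

GENERIC = "Proposal (phase not stated; check both phases)"

# Message pattern -> configuration item to verify. Order matters: the
# more specific phase-1/phase-2 patterns come before the generic one.
TRIAGE = [
    (r"pre-?shared key", "Pre-shared key on both ends"),
    (r"P1 Algorithm|phase ?1 proposal|proposal mismatch in phase ?1", "Phase 1 (IKE SA) proposal"),
    (r"P2 Algorithm|phase ?2 proposal|proposal mismatch in phase ?2", "Phase 2 (IPSec SA) proposal / ESP"),
    (r"local policy|peer policy", "Local/peer policy (phase 2 selectors)"),
    (r"no proposal chosen", GENERIC),
    (r"maximum session per host", "Session limit (Security Policy > Session Control)"),
    (r"access blocked", "Security policy rule / zone membership"),
]

def parse_line(line):
    """Split one log line into a dict; None if the line does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "category": m["cat"], "msg": m["msg"]}
    rec.update(dict(ATTR_RE.findall(m["attrs"])))
    return rec

def classify(msg):
    """Map a message to the setting to check, or None if it is not an error we know."""
    for pattern, cause in TRIAGE:
        if re.search(pattern, msg, re.IGNORECASE):
            return cause
    return None

def triage(log_text, category=None):
    """Group findings by remote party (peer= for IKE, src= otherwise).
    A generic 'No proposal chosen' is dropped for a peer that also logged a
    phase-specific mismatch, so each peer points at one setting to fix."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or (category and rec["category"] != category):
            continue
        cause = classify(rec["msg"])
        if cause is None:
            continue
        key = rec.get("peer") or rec.get("src") or "?"
        if cause not in findings[key]:
            findings[key].append(cause)
    for causes in findings.values():
        if GENERIC in causes and len(causes) > 1:
            causes.remove(GENERIC)
    return dict(findings)

if __name__ == "__main__":
    for peer, causes in triage(LOG, category="IKE").items():
        print(peer, "->", "; ".join(causes))
```

Filtering with category="IKE" reproduces the "Select IKE category" step of 7.1.2; leaving the category unset also picks up the session-limit and ACCESS BLOCKED entries for a LAN host, which is useful when the symptom is "VPN fails" but the real cause is the client being blocked before IKE ever starts.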
CONFIGURATION > VPN > IPSec VPN > VPN Gateway

7.5. IPSec VPN Client on the Windows 10 Operating System

Enterprises need to have remote access to the company's applications and servers quickly, easily and securely. The VPN Client enables employees to work from home or on the road, and IT managers to connect via remote desktop sharing to the enterprise infrastructure. The VPN Client offers a range of features, from simple authentication via a simple login to advanced full PKI integration capabilities.

7.5.1. Cannot use the IPSec VPN client on a Windows 10 system

Customers want to access the company's servers or applications remotely, so the IPSec VPN Client software is one of their best choices. However, if the customer cannot use the IPSec VPN Client on Windows 10, there may be an issue in the configuration. Follow the steps below to troubleshoot the problem.

7.5.2. The vital configuration of the IPSec Client on Windows 10

1. On the VPN Gateway, make sure the pre-shared key is the same as on the IPSec VPN client.
2. On the VPN Connection, select Server Role and make sure the Local policy and Phase 2 settings are the same as the IPSec VPN client's.

7.5.3. Possible issue symptoms

The issue with the pre-shared key
1. After configuration, the IPSec VPN client session still cannot be established. The client can recognize what kind of issue it is from the log message. MONITOR > Log > Select IKE in the Display field
2. As the client can see from the log message, the issue is with the "pre-shared keys". Double-check the pre-shared key on the ZyWALL/USG side and on the ZyWALL IPSec VPN Client side. Go to CONFIGURATION > VPN Gateway > Edit > Pre-Shared Key; the pre-shared key is "123456789".
3. Move to the ZyWALL IPSec VPN Client and go to IKEv1 Gateway > Authentication > Preshared Key. Change the key to "123456789".
4. After the change, the IPSec VPN client connection is established.

The issue with the Phase 1 setting
1.
When the log message displays "No proposal chosen", the client needs to double-check on both the ZyWALL/USG and the IPSec VPN client. Go to MONITOR > Log > Select IKE in the Display field.
2. The client can also see from the log which configuration is mismatched: it shows "P1 Algorithm mismatch".
3. The client needs to double-check on both sides.

The issue with the Phase 2 setting
1. When the log message displays "Phase 2 Proposal mismatch" and "No proposal chosen", the client needs to double-check on both the ZyWALL/USG and the IPSec VPN client. Go to MONITOR > Log > Select IKE in the Display field.
2. The client can also see from the log which configuration is mismatched: it shows "P2 Algorithm mismatch".
3. The client needs to make sure the Phase 2 settings and ESP are matching.

7.6. Cannot set up the IKEv2 VPN tunnel successfully

A PC with the IPSec VPN Client establishes an IKEv2 VPN tunnel with the USG. The PC passes all traffic into the tunnel, and the USG forwards the traffic to the internet or to the LAN server. If the scenario does not work in your environment, follow the steps below:

7.6.1. If IKEv2 traffic does not work at all from your PC

Connect to the web GUI of the ZyWALL/USG. Go to MONITOR > VPN Monitor > IPSec. Check whether the IKEv2 tunnel is alive.

7.6.2. If the IKEv2 tunnel is not up

1. Connect to the USG and compare with the VPN client to ensure the configurations are all correct.
2. Since the PC will send all traffic into the tunnel, the local policy of the USG should be any (0.0.0.0).
3. Configure the IPSec VPN Client IP address as 1.1.1.1. (The owner can assign a specific IP address to the client. This IP address will be used in the policy route to separate the traffic.)
4. Make sure to check "Disable Split Tunneling".

7.6.3.
VPN tunnel is up, but no traffic passes through the USG to the internet

Connect to the USG and go to CONFIGURATION > Network > Routing > Policy Route. Ensure there are routes to separate the traffic from the IKEv2 tunnel to the internet and to the LAN server.
1. Policy route rule 1: From the IKEv2 IP address to the LAN server, Next-Hop: LAN1
2. Policy route rule 2: From the IKEv2 IP address to the internet, Next-Hop: WAN1, SNAT: outgoing-interface

7.6.4. Information that must be collected

1. Configuration of the ZyWALL/USG and the IPSec VPN Client
2. The version of the IPSec VPN Client
3. The diaginfo of the VPN Client
4. The console log of the VPN Client

7.7. VPN concentrator problems

A VPN concentrator combines several IPSec VPN connections into one secure network. A VPN concentrator reduces the number of VPN connections that you have to set up and maintain in the network. You might also be able to consolidate the policy routes in each spoke router, depending on the IP addresses and subnets of each spoke. Consider the following when using the VPN concentrator.
1. The local IP addresses configured in the VPN rules should not overlap.
2. The concentrator must have at least one separate VPN rule for each spoke. In the local policy, specify the IP addresses of the networks with which the spoke is to be able to have a VPN tunnel. This may require you to use more than one VPN rule for each spoke.
3. To have all Internet access from the spoke routers go through the VPN tunnel, set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address.
4. The VPN must be a Site-to-Site VPN.
If the scenario does not work in your environment, follow the steps below:

7.7.1. Site-to-Site VPN tunnel is up

Connect to the USG and ensure the VPN tunnel configuration is correct.
1. VPN tunnel between Central side and Branch side 1
2. Branch side 1 to Central side VPN setting (Enable Nailed-Up)
Central side to Branch side 1 VPN setting
VPN tunnel between Central side and Branch side 2
Branch side 2 to Central side VPN setting (Enable Nailed-Up)
Central side to Branch side 2 VPN setting

7.7.2. VPN Concentrator on the Central side

Go to CONFIGURATION > VPN > IPSec VPN > Concentrator and check whether both tunnels are selected.

7.7.3. Policy route on both branch sides

Check whether there are policy routes to route the traffic into the central tunnel towards the other branch.
1. On Branch side 1
2. On Branch side 2

7.7.4. Information that must be collected

1. Configurations
2. Diaginfo
3. Topology

7.8. IPSec VPN tunnel was established successfully, but the traffic cannot pass through the tunnel

Troubleshooting Flowchart:

7.8.1. Is the PC Firewall Disabled?

In some operating systems, the firewall may by default block the protocols required for the VPN connection and for the ping check (ICMP Echo Request). Therefore, you have to make sure your PC firewall allows the VPN and ping-check traffic.

7.8.2. Does the PC Firewall Allow VPN/ICMP Traffic?

IP forwarding must be enabled at the firewall for the following IP protocols and UDP ports:
1. IP Protocol Type=50 <- Used by the data path (ESP)
2. IP Protocol Type=51 <- Used by the data path (AH)
3. IP Protocol Type=UDP, UDP Port Number=500 <- Used by IKEv1 (IPSec control path)
4. IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv1 (IPSec control path)
5. IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv2 (IPSec control path)

7.8.3. Modify PC Firewall Settings

Configure the network to accept access:
1. Open Control Panel > Network and Sharing Center. Click on "Change adapter settings".
2. Press Alt + F and click on "New Incoming Connection".
3. Now a wizard will open.
In the first step, mark the users you want to allow to use your connection.
4. Put a mark on "Through the Internet" and click Next.
5. Now select the protocols you want to connect with, and double-click on "Internet Protocol Version 4 (TCP/IPv4)".
6. In the screen which appears, ensure that the Properties are set the same as shown in the image below. Click OK.
7. Click Allow access.
8. Now you will see the last step of the wizard. Click Close to finish it, but remember to note down the computer's name, as it will be used when you connect.

Configure the firewall to accept the ping check (ICMP Echo Request)

Windows OS
1. Go to Control Panel > Windows Firewall > Windows Firewall with Advanced Security.
2. Click on "Inbound Rules". Then select Echo Request - ICMP IN.
3. Right-click on the Echo Request - ICMP IN rule and click Enable Rule.
4. Now you will see the Echo Request - ICMP IN rules are enabled.

Mac OS X
1. Go to Security & Privacy > Firewall > Advanced and uncheck the Enable stealth mode checkbox in order to allow pings to be answered.

Configure the firewall to accept connections

IPSec does not disturb the original IP header and can be routed as normal IP traffic. Routers and switches in the data path between the communicating hosts simply forward the packets to their destination. However, when there is a firewall or gateway in the data path, IP forwarding must be enabled at the firewall for the following IP protocols and UDP ports.
1. IP Protocol Type=50 <- Used by the data path (ESP)
2. IP Protocol Type=51 <- Used by the data path (AH)
3. IP Protocol Type=UDP, UDP Port Number=500 <- Used by IKEv1 (IPSec control path)
4. IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv1 (IPSec control path)
5. IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv2 (IPSec control path)

Windows OS
1.
Go to Control Panel > Windows Firewall > Windows Firewall with Advanced Security. Click on "Inbound Rules". Next, click on the "Actions" menu and then click on "New Rule…".
2. A wizard will open. In the first step, select the "Port" option and click Next.
3. Select "TCP or UDP". In the "Specific remote ports" field, enter the port number and click Next.
4. Now select "Allow the connection" and click Next.
5. Apply the rule to all profiles and click Next.
6. In the Name and Description (optional) fields, enter anything you want and click Finish.

7.8.4. Is NetBIOS Enabled on the USG?

Enable NetBIOS if you want the ZyWALL/USG to send NetBIOS (Network Basic Input/Output System) packets through the IPSec SA. NetBIOS packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. It may sometimes be necessary to allow NetBIOS packets to pass through IPSec SAs in order to allow local computers to find computers on the remote network and vice versa.

7.8.5. Modify NetBIOS Setting

Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection > Edit > Show Advanced Settings > General Settings and select "Enable NetBIOS broadcast over IPSec".

7.8.6. Perform Ping Check Command from PC

The ping check allows you to confirm whether you have connectivity between VPN nodes. Open the command prompt in Windows.

7.8.7. Is there Any Response from the Remote Site?

If there is no response, go to 7.8.8.
If there is a response, go to 7.8.11.

Topology Example
One PC in Local Network A, IP address: 10.90.90.9
One PC in Local Network B, IP address: 10.254.0.33
At the PC in Local Network A, type the command: ping 10.254.0.33. The response should be:
At the PC in Local Network B, type the command: ping 10.90.90.9. The response should be:

7.8.8. Perform Ping Check from PC to Local/Remote Gateway

The ping check allows you to confirm whether you have connectivity between VPN participants.
Open the command prompt in Windows.

7.8.9. Is there Any Response from the Local/Remote Gateway?

If there is no response, go to 7.8.10.
If there is a response, go to 7.8.11.

Topology Example
One PC in Local Network A, IP address: 10.90.90.9; Gateway IP address: 10.90.90.1
One PC in Local Network B, IP address: 10.254.0.33; Gateway IP address: 10.254.0.1
At the PC in Local Network A, type the command: ping 10.254.0.1. The response should be:
At the PC in Local Network B, type the command: ping 10.90.90.1. The response should be:

7.8.10. Modify Local/Remote Gateway Setting

1. Check the WAN interface on both VPN sites and make sure you have configured the gateway IP address correctly. First, check whether the gateway IP address is within the correct host address range with the subnet calculator tool below: http://www.subnet-calculator.com/
2. Second, if the gateway IP is given by the ISP, contact your service provider to confirm the correct address.
3. Third, if the gateway IP is assigned by a DHCP server, make sure your DHCP server assigned the correct gateway IP to your WAN interface.

7.8.11. Disable Security Policy on the Device

A customized Security Policy may block the protocols required for the VPN connection and the ping check (ICMP Echo Request). Therefore, you have to make sure your Security Policy allows the VPN and ping-check traffic.

7.8.12. Is there Any Response from the Remote Site?

If there is no response, go to 7.8.14.
If there is a response, go to 7.8.13.
1. Try turning off the Security Policy and see whether it works; if so, activate the Security Policy rules one by one until you find the one that breaks it, or check the access-block information in the Log.

7.8.13. Modify Security Policy Setting

Security Policy Example
1. Go to MONITOR > Log and check whether any Security Policy blocks the VPN protocols and UDP ports. In this example, the Security Policy blocks UDP port 500 traffic.
2.
Go to CONFIGURATION > Security Policy > Policy Control and check the allowed services; here we find that the customized Allow_WAN_To_ZyWALL group does not allow the AH, ESP and IKE protocols.
3. Go to CONFIGURATION > Object > Service > Service Group to edit the service group. Move AH, ESP and IKE to the Allow_WAN_To_ZyWALL members. Click OK.
4. Go to MONITOR > Log; now the VPN tunnel is built successfully.

7.8.14. Perform Ping Check Command from Router

When traffic is initiated from the ZyWALL/USG to a remote site, the source IP address will be considered the "external" interface's IP address instead of one of the "VPN subnet" interface's IP addresses. This means the source IP address does not belong to the local subnet which the VPN tunnel allows to access. Therefore, if you ping from the router with its own IP address, you should not get a response from the remote router.

7.8.15. Is there Any Response from the Remote Subnet?

If there is no response, go to 7.2.15.
If there is a response, go to 7.2.16.

Topology Example
ZyWALL USG A: WAN IP address 10.251.31.22; LAN subnet IP address 10.90.90.1
ZyWALL USG B: WAN IP address 10.251.31.65; LAN subnet IP address 10.254.0.1
Wrong response example: Log in to device A and type the commands: ping 10.254.0.1 and ping 10.254.0.1 source 10.90.90.1. The response is:
Correct response example: Log in to device B and type the commands: ping 10.90.90.1 and ping 10.90.90.1 source 10.254.0.1. The response should be:

7.8.16. Modify Routing

1. To avoid the routing problem, add the Policy Route in ZyWALL USG B:
2. Log in to device A and type the commands: ping 10.254.0.1 and ping 10.254.0.1 source 10.90.90.1. The response will now be:

7.8.17. Is the VPN Routing Priority Higher than 1:1 NAT or Other Routing?

In the default routing flow, Policy Route and 1-1 NAT have higher priority than Site-to-Site VPN.
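As an added illustration of this priority (example code, not from the Zyxel guide or the device), the model below evaluates the routing stages in the order the guide states and stops at the first match, as 7.2.9 describes; it reproduces the two IKEv2 policy routes of 7.6.3, a site-to-site tunnel, and a LAN host with a 1-1 NAT rule. The stage behaviour, the addresses and the vpn_before_nat switch are simplifications assumed for illustration.

```python
"""Added example (not from the Zyxel guide): a simplified model of the
routing flow, in which the first stage whose rule matches decides the
egress and later stages are not consulted. The stage order (policy route,
1-1 NAT, site-to-site VPN, default WAN trunk) follows the guide; the
rule fields, addresses and the vpn_before_nat switch are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class PolicyRoute:
    src: str                    # source network (CIDR) or "any"
    dst: str                    # destination network (CIDR) or "any"
    next_hop: str               # interface or trunk name
    snat: Optional[str] = None  # e.g. "outgoing-interface"

@dataclass(frozen=True)
class VpnRule:
    name: str
    local: str    # local policy (CIDR)
    remote: str   # remote policy (CIDR)

def _matches(net_or_any: str, ip: str) -> bool:
    return net_or_any == "any" or ip_address(ip) in ip_network(net_or_any)

def route(src: str, dst: str, policy_routes: List[PolicyRoute],
          nat_1to1: Dict[str, str], vpn_rules: List[VpnRule],
          vpn_before_nat: bool = False) -> Tuple[str, str, Optional[str]]:
    """Return (stage, egress, snat) for the first stage that claims the packet.
    nat_1to1 maps an internal host to the WAN interface its 1-1 NAT rule uses
    (assumed model); vpn_before_nat models the option that raises VPN above 1-1 NAT."""
    def stage_policy_route():
        for r in policy_routes:
            if _matches(r.src, src) and _matches(r.dst, dst):
                return ("policy-route", r.next_hop, r.snat)
        return None

    def stage_nat():
        if src in nat_1to1:
            return ("1-1 NAT", nat_1to1[src], None)
        return None

    def stage_vpn():
        for v in vpn_rules:
            if _matches(v.local, src) and _matches(v.remote, dst):
                return ("site-to-site VPN", v.name, None)
        return None

    order = ([stage_policy_route, stage_vpn, stage_nat] if vpn_before_nat
             else [stage_policy_route, stage_nat, stage_vpn])
    for stage in order:
        hit = stage()
        if hit is not None:
            return hit
    return ("default WAN trunk", "SYSTEM_DEFAULT_WAN_TRUNK", None)

# Constructed scenario: the two IKEv2 policy routes of 7.6.3 for the client
# at 1.1.1.1, one site-to-site tunnel to 10.254.0.0/24, and one LAN host
# with a 1-1 NAT rule on wan1.
IKEV2_ROUTES = [
    PolicyRoute("1.1.1.1/32", "192.168.1.0/24", "lan1"),
    PolicyRoute("1.1.1.1/32", "any", "wan1", snat="outgoing-interface"),
]
VPN = [VpnRule("to_site_b", "192.168.1.0/24", "10.254.0.0/24")]
NAT = {"192.168.1.30": "wan1"}
# A too-broad policy route: every LAN1 packet goes to wan2, including the
# traffic the VPN rule should have carried.
BROAD_ROUTE = [PolicyRoute("192.168.1.0/24", "any", "wan2")]

if __name__ == "__main__":
    print(route("192.168.1.20", "10.254.0.5", BROAD_ROUTE, NAT, VPN))
    print(route("192.168.1.30", "10.254.0.5", [], NAT, VPN))
    print(route("192.168.1.30", "10.254.0.5", [], NAT, VPN, vpn_before_nat=True))
```

The BROAD_ROUTE case is the failure 7.2.10 warns about: a policy route whose destination is "any" claims the packet before the VPN rule is ever consulted, so its Next-Hop or destination must exclude the remote VPN subnet. The NAT case shows why a 1-1 NAT host loses its tunnel under the default order and regains it once VPN is evaluated first.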
Therefore, when Policy Route and 1-1 NAT are enabled, traffic may fail to pass through the VPN tunnel because all traffic passes through another interface.

7.8.18. Modify Packet Flow Priority

1. To solve the Policy Route issue, check that the routing configuration does not interrupt the VPN connection.
2. To solve the 1-1 NAT problem, reorganize the order of the routing priority. For legacy models on the ZLD 3.30 platform, use the following CLI command:
ip route control-virtual-server-rules activate
For the next-generation USG/ZyWALL series on the ZLD 4.13 platform, go to CONFIGURATION > Network > NAT, enable "Use Static-Dynamic Route to Control 1-1 NAT Route" and click Apply. Go to MAINTENANCE > Packet Flow Explore > Routing Status; now the priority of Site-to-Site VPN is higher than the 1-1 NAT route.

7.8.19. Collect Information for CSO Support

Topology
Please provide us with the network topology and a detailed description of the failure symptoms.

Packet capture
1. Go to MAINTENANCE > Diagnostics > Packet Capture > Capture, select the interfaces for the VPN tunnels (WAN/LAN) and click the right arrow button to move them to the Capture Interfaces list. Click Capture.
2. Connect the VPN tunnel and wait until the dial times out.
3. Go to MAINTENANCE > Diagnostics > Packet Capture > Capture. Click Stop.
4. Go to MAINTENANCE > Diagnostics > Packet Capture > Files. Select the WAN/LAN capture files and click Download. Provide the files to us.

Log
1. Go to MONITOR > Log and take a screenshot of the error log when initiating the VPN tunnel fails.

Configuration file
1. Go to MAINTENANCE > File Manager > Configuration File. Select the files (.conf) and click Download. Provide the files to us.

8. Cannot set up the L2TP VPN function successfully

8.1. Cannot connect to the ZyWALL via L2TP client

8.1.1. Incorrect L2TP Address Pool

Check the IP Address Pool configured in the L2TP VPN settings.
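Three of the guide's checks are arithmetic on address ranges: the gateway must be a usable host address of the WAN subnet (7.8.10), the local policies of concentrator spokes must not overlap (7.7), and the L2TP pool must not collide with the LAN1/LAN2/DMZ/WLAN subnets (8.1.1). The added example below (not code from the Zyxel guide or the device) implements all three with Python's ipaddress module; every subnet, pool and zone name in it is constructed for illustration.

```python
"""Added example (not from the Zyxel guide): address-plan checks for the
gateway host range, overlapping VPN local policies and the L2TP pool.
All subnets, pools and zone names below are constructed."""
from ipaddress import ip_address, ip_interface, ip_network
from itertools import combinations
from typing import Dict, List, Optional, Tuple

def gateway_problem(interface_cidr: str, gateway: str) -> Optional[str]:
    """None if gateway is a usable host address in the interface's subnet,
    otherwise a short reason. interface_cidr is like '10.251.31.22/27'."""
    iface = ip_interface(interface_cidr)
    gw = ip_address(gateway)
    net = iface.network
    if gw not in net:
        return f"{gw} is outside {net}"
    if net.prefixlen < 31 and gw in (net.network_address, net.broadcast_address):
        return f"{gw} is the network or broadcast address of {net}"
    if gw == iface.ip:
        return f"{gw} is the interface's own address"
    return None

def overlapping_pairs(named_networks: Dict[str, str]) -> List[Tuple[str, str]]:
    """All pairs of named networks that overlap (equal, nested or partial)."""
    items = [(name, ip_network(cidr)) for name, cidr in named_networks.items()]
    return sorted((a, b) for (a, na), (b, nb) in combinations(items, 2) if na.overlaps(nb))

def pool_conflicts(pool_start: str, pool_end: str, zone_networks: Dict[str, str]) -> List[str]:
    """Zones whose subnet contains any address of the inclusive pool range."""
    lo, hi = ip_address(pool_start), ip_address(pool_end)
    if lo > hi:
        raise ValueError("pool start must not exceed pool end")
    hits = []
    for zone, cidr in zone_networks.items():
        net = ip_network(cidr)
        # Ranges are disjoint only if one ends before the other starts.
        if not (hi < net.network_address or lo > net.broadcast_address):
            hits.append(zone)
    return hits

# Constructed zone plan for the L2TP pool check.
ZONE_NETS = {
    "LAN1": "192.168.1.0/24",
    "LAN2": "192.168.2.0/24",
    "DMZ":  "192.168.3.0/24",
    "WLAN": "192.168.4.0/24",
}

# Constructed concentrator spokes; spoke3's /16 swallows the other two.
SPOKES = {"spoke1": "192.168.1.0/24", "spoke2": "192.168.2.0/24", "spoke3": "192.168.0.0/16"}

if __name__ == "__main__":
    print(gateway_problem("10.251.31.22/27", "10.251.31.33"))
    print(overlapping_pairs(SPOKES))
    print(pool_conflicts("192.168.2.100", "192.168.2.150", ZONE_NETS))
```

Run gateway_problem against the interface's own CIDR, not just the address, so that a gateway one bit outside a /27 or /30 is caught; the other two checks take the dictionaries as they would be read out of the configuration file.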
Ensure that the L2TP Address Pool does not conflict with any existing LAN1, LAN2, DMZ, or WLAN zones, even if they are not in use.

8.1.2. Incorrect Local Policy

Phase 2 local policy mismatch: Check the Local Policy in the VPN connection. If you use the VPN Setup Wizard to configure VPN settings for L2TP VPN, the local policy of the VPN connection is automatically and correctly configured as the interface IP of My Address. However, if you configure the L2TP VPN settings manually without the wizard, ensure the local policy is the same IP address as the My Address used for the L2TP VPN connection.
CONFIGURATION > VPN > IPSec VPN > VPN Connection

8.1.3. Incorrect Phase 1 or Phase 2 Settings

1. Phase 1 proposal mismatch: Check the phase 1 settings in the VPN gateway. If you use the VPN Setup Wizard to configure VPN settings for L2TP VPN, the phase 1 settings are automatically and correctly configured. However, if you configure the L2TP VPN settings manually without the wizard, ensure the phase 1 settings are configured as follows.
2. Phase 1 IKE SA process done but phase 2 proposal mismatch: Check the phase 2 settings in the VPN connection. If you use the VPN Setup Wizard to configure VPN settings for L2TP VPN, the phase 2 settings are automatically and correctly configured. However, if you configure the L2TP VPN settings manually without the wizard, ensure the phase 2 settings are configured as follows.

8.2. User cannot be authenticated

In the log, there is an alert that the user is denied from the L2TP service because of an incorrect username or password. In addition to checking the correctness of the username and password, it is necessary to check whether the Authentication Method and Allowed User are correctly configured.
MONITOR > Log > View Log > Display > L2TP Over IPSec

8.2.1. Authentication Method

The ZyWALL authenticates a remote user before allowing access to the L2TP VPN tunnel according to the authentication method.
Ensure the L2TP VPN user belongs to one of the authentication servers or the local database in the method list of the configured method. The default Authentication Method is "default", which only contains the local database in its method list. If the L2TP VPN user belongs to an external authentication server, remember to create a new Authentication Method with the corresponding method list.
CONFIGURATION > Object > Auth. Method > Add
CONFIGURATION > VPN > L2TP VPN

8.2.2. Allowed user

A user or group configured as an Allowed User is able to log into the ZyWALL to use the L2TP VPN tunnel. Ensure the user, or the group it belongs to, is configured as an Allowed User. The default Allowed User is "any", which allows any user with a valid username and password to establish an L2TP VPN tunnel. If only a specific group of users has the privilege to establish the L2TP VPN tunnel, remember to create a new group with the specific users and groups.
CONFIGURATION > Object > Users/Group > Group > Add
CONFIGURATION > VPN > L2TP VPN

8.3. Windows service not activated (IKE service)

When establishing an L2TP tunnel, Windows uses the "IKE and AuthIP IPSec Keying Modules" service to encrypt the packets, so this service must be enabled on your computer.

8.3.1. If the modules are not enabled, you will see:

1. The tunnel cannot be established successfully and it shows error code 789. The log shows the reason: the security layer encountered a processing error.
2. If you capture the packets on your PC NIC and filter for "isakmp" packets, there are no packets transmitted to the L2TP server.

8.3.2. How to enable IKE and AuthIP IPSec Keying Modules

1. Go to Control Panel > System and Security > Administrative Tools > Services and find "IKE and AuthIP IPSec Keying Modules". Right-click it and select Properties to configure its status. Enable IKE and AuthIP IPSec Keying Modules.

8.4.
After L2TP VPN tunnel is established, the client can’t access to the Internet 8.4.1. After establish L2TP VPN tunnel all of Internet traffic can’t pass at all After you established L2TP VPN tunnel successfully, device will assigned an IP address to your PC. Then you can access all of the network resource on USG without additional configuration. Because Windows without split tunnel mechanism, so you Internet traffic will passed into L2TP VPN tunnel too. If you not add additional policy route, then your Internet traffic will been timeout due to without response from Internet server. 8.4.2. After you established L2TP VPN tunnel you will saw: 1. If all of your L2TP VPN tunnel configuration without the problem. Then you will see your L2TP VPN network connection icon shows like following image. 2. And also you can use CLI command to show your routing table. (CLI: route print). There is a additional routing rule has added in routing table automatically. (It means all of the traffic will pass into L2TP tunnel by 20.20.20.1 which you received after estaboished L2TP tunnel) 125/147 www.zyxel.com 8.4.3. How to add additional routing rule for L2TP clients to access internet? 1. Go to Configuration > Network > Routing > Policy route click add button. 2. The Source Network Address Translation must select as outgoing-interface. Then L2TP client’s Internet traffic will uses interface IP address to access internet. 126/147 www.zyxel.com 9. If you’re not be able to configure UTM policies or it’s not working Troubleshooting Flowchart: Note: After you apply the UTM service, the running session will continue till it’s finished. 9.1. Check service expiration 9.1.1 Have you subscribed for the UTM service? If you have not subscribed, go to 10.1.2 If you have subscribed, go to 10.1.3 1. ZyWALL models need a license for UTM (Unified Threat Management) functionality. 2. You need to create a myZyXEL.com account before you can register your device and activate the services at myZyXEL.com. 3. 
You need your ZyWALL/USG's serial number and LAN MAC address to register it. Refer to the web site's on-line help for details.

9.1.2 Registration on myZyXEL.com 2.0

Account Creation

1 Click the link from the Registration screen of your ZyXEL device's Web Configurator, or click the myZyXEL.com 2.0 icon from the portal page (https://portal.myzyxel.com/); the Sign In screen displays.

2 Click Not a Member Yet to open the Sign Up screen where you can create an account.

myZyXEL.com > Not a Member Yet

3 Select Registration Type to create an Individual account or a Business account. An Individual account is for non-commercial end users of ZyXEL products. A Business account is for commercial users; a VAT # is required (the requirement varies by country).

Note: The business account can be changed into a channel partner account by an administrator. With a channel partner account, you can register multiple devices and/or services at a time and check service status reports. Contact your sales representative to obtain a channel partner account.

4 After you click Submit, myZyXEL.com 2.0 sends you an account activation notification e-mail. Click the URL link in the e-mail to activate your account and log into myZyXEL.com 2.0.

5 After e-mail activation, sign in to myZyXEL.com 2.0 to register or manage your devices and services. If you have a business account, please go to the account page and press the Reseller Request button.

Device Registration

6 Click Device Registration in the navigation panel to open the screen. Use this screen to register your device with myZyXEL.com. Enter the device's (first) MAC Address and Serial Number, which can be found on the sticker on the back of the device. Click Submit. If you access myZyXEL.com from the Registration screen of your ZyXEL device's Web Configurator, the device MAC Address and Serial Number display automatically.

Service Registration (In the Case of a Standard License)

7 Click Service Registration in the navigation panel to open the screen. Fill in the License Key as shown on the E-iCard License.

8 Go to the Service Management page and click the Link button. Select the device, then click the Activate button to initiate the service license. You will get a Service Activation Notice e-mail when you activate a new service.

Device Management (In the Case of Registering Bundled Licenses)

9 Go to Device Management and click on the MAC Address hyperlink of your device. In the Linked Services page, click the Activate button to initiate the service license. You will get a Service Activation Notice e-mail when you activate a new service.

Refresh Service

10 After the service is activated, go to the ZyWALL/USG CONFIGURATION > Licensing > Registration > Service and click the Service License Refresh button to update the Status.

9.1.3 Has your UTM service expired?

If your UTM service has expired, go to 10.1.4
If your UTM service hasn't expired, go to 10.2.1

9.1.4 Extend UTM license

11 Go to ZyWALL/USG CONFIGURATION > Licensing > Registration > Service to check the Service Status.

12 Click the link from the Registration screen of your ZyXEL device's Web Configurator, or click the myZyXEL.com 2.0 icon from the portal page (https://portal.myzyxel.com/); the Sign In screen displays.

13 To renew your license, simply click the Buy button in the Service Management page at myZyXEL.com. You can also contact your reseller or ZyXEL's local agent for license renewals. If you cannot locate an agent near you, please contact ZyXEL's local support. Local ZyXEL contact information: http://www.zyxel.com/tw/zh/where_to_buy/where_to_buy.shtml

14 After the service is extended, go to the ZyWALL/USG CONFIGURATION > Licensing > Registration > Service and click the Service License Refresh button to update the Status.

9.2.
Signature Update

The UTM service provides updates to Anti-Virus and IDP / App Patrol. The UTM service involves a number of servers across the world that provide updates to your ZyWALL/USG device. Problems can occur with the connection to the UTM server.

9.2.1 Has your UTM service been updated?

If your UTM service hasn't been updated, go to 10.2.2
If your UTM service has been updated, go to 10.3.1

9.2.2 Update UTM service

1 The ZyWALL/USG comes with signatures for the Anti-Virus, IDP and Application Patrol features. These signatures are continually updated as new attack types evolve. New signatures can be downloaded to the ZyWALL/USG periodically if you have subscribed to the Anti-Virus, IDP and Application Patrol signature service.

2 Click the Update Now button to have the ZyWALL/USG check for new signatures immediately. If there are new ones, the ZyWALL/USG will download them.

9.3. Security Policy Direction

For through-ZyWALL/USG policies, select the correct direction of travel of the packets to which the UTM policy applies. For example, if you would like to scan for viruses in all LAN to WAN and WAN to LAN traffic, you should create security policies and select the Anti-Virus profile for scanning traffic from both LAN to WAN and WAN to LAN, or Any to Any.

9.3.1 Is your UTM policy applied to the correct direction?

If your UTM policy is applied to the wrong direction, go to 10.3.2
If your UTM policy is applied to the correct direction, go to 10.4

9.3.2 Modify Security Policy direction

3 Go to CONFIGURATION > Security Policy > Policy Control and make sure your UTM policy is applied to the correct direction.

10. Device-HA doesn't work

Troubleshooting Flowchart:

10.1. After Fail-Over, Switch ARP Learning Mode

When Device HA is enabled, the ZyWALL/USG generates a virtual MAC address for the IP address based on the "Cluster ID". If two Device HA groups use the same "Cluster ID", the ZyWALL/USG generates the same virtual MAC address for both groups. This confuses the switch and causes packet loss. So if there is more than one Device HA group behind the same switch, please use different cluster IDs.

10.1.1 Have you configured the same Cluster ID for different Device HA groups?

If you have configured the same Cluster ID, go to 12.1.2
If you haven't configured the same Cluster ID, go to 12.2

10.1.2 Cluster ID

Go to CONFIGURATION > Device-HA > Activate-Passive Mode > Cluster Setting > Cluster ID. Use a different cluster ID to identify each virtual router. In the following example, ZyWALL/USG A and B form a virtual router that uses cluster ID 1. ZyWALL/USG C and D form a virtual router that uses cluster ID 2.

10.2. Synchronize issue

The Device-HA devices use FTP to synchronize information, VRRP to monitor interface status, and a password for authentication. Problems can occur with the connection between the Device-HA devices and with their configuration.

10.2.1 Have you configured the same FTP port for both master and backup devices?

If you haven't configured the same FTP port, continue reading section 12.2.1
If you have configured the same FTP port, go to 12.2.2

1. Go to CONFIGURATION > Device-HA > Activate-Passive Mode > Synchronization > Server Port. If this ZyWALL/USG is set to the Master role, Server Port displays the ZyWALL/USG's Secure FTP port number. If this ZyWALL/USG is set to the Backup role, enter the port number to use for Secure FTP when synchronizing with the specified master ZyWALL/USG.

2. Go to CONFIGURATION > System > FTP on the master device if you need to change the FTP port number. Every ZyWALL/USG in the virtual router must use the same port number. If the master ZyWALL/USG changes, you have to manually change this port number in the backups.

10.2.2 Have you enabled the FTP service?
If you haven't enabled the FTP service, continue reading section 12.2.2
If you have enabled the FTP service, go to 12.2.3

1. Select Enable to allow computers whose IP addresses match the IP address(es) in the Service Control table to access the ZyWALL/USG using the FTP service for Device-HA synchronization.

10.2.3 Does the Security Policy block the FTP/VRRP services?

If your Security Policy doesn't allow the FTP or VRRP service, continue reading section 12.2.3
If your Security Policy allows the FTP or VRRP service, go to 12.2.4

FTP Service

1. Device-HA devices use FTP to synchronize information. Go to CONFIGURATION > System > FTP on both the master and backup devices. Please make sure Service Control allows accessing the ZyWALL/USG using the FTP service for Device-HA synchronization.

2. Go to CONFIGURATION > Security Policy > Policy Control and make sure the corresponding rule allows accessing the ZyWALL/USG using the FTP service for Device-HA synchronization.

VRRP Service

1. Master monitored VRRP interfaces send a VRRP packet every second. Backup monitored VRRP interfaces should detect this packet every second. Once the Backup VRRP interfaces cannot detect the VRRP packet for three seconds, the Backup takes over. Therefore, you have to make sure the VRRP service is allowed for interface monitoring.

2. Go to CONFIGURATION > Security Policy > Policy Control and make sure the corresponding rule allows accessing the ZyWALL/USG using the VRRP service for Device-HA monitoring.

10.2.4 Does the Security Policy block other ports when synchronizing?

If you see from the log that any port is blocked even after the FTP service is allowed, continue reading section 12.2.5
If you see from the log that none of the ports is blocked, go to 12.2.6

1. If you see from MONITOR > Log that any port is blocked even after the FTP and VRRP services are allowed, go to CONFIGURATION > Security Policy > Policy Control and add a corresponding security policy to allow the blocked port.

10.2.5 Have you configured the same synchronization password for both master and backup devices?

If you haven't configured the same synchronization password, continue reading section 12.2.5
If you have configured the same synchronization password, go to 12.2.6

1. Go to MONITOR > Log. If you see a log entry like "alert / User Failed login attempt to ZyWALL from ftp (incorrect password or inexistent username)", it means the Device-HA synchronization password doesn't match. Go to CONFIGURATION > Device-HA > Activate-Passive Mode > Synchronization > Password and enter the password used for verification during synchronization. Every ZyWALL/USG in the virtual router must use the same password.

10.2.6 Have you experienced a synchronization hang issue?

1. In some situations the device takes a while to synchronize: the Device-HA sync at first succeeds but then hangs for more than 10 minutes. The following is an example case: there are over 3800 content filtering rules and the configuration file is 456KB. The Device HA backup device takes around 20 minutes for synchronization.

2. To avoid a similar situation, it is suggested to use the "Auto Synchronize" feature in Device HA. Use the device's management IP address as the server address instead of a virtual IP address. The interval time can be set to 60 minutes.

10.2.7 Subnet conflict

If a VLAN interface subnet overlaps with the Device-HA interface subnet, the ZyWALL/USG will not know which interface it should send the sync information to. Please make sure there is no subnet conflict.
If you have configured conflicting subnets, continue reading section 12.2.7
If you haven't configured conflicting subnets, go to 12.3

Go to CONFIGURATION > Network > Interface and make sure your Ethernet and VLAN interface subnets do not overlap with each other.

10.3. Collect information for CSO support

1. A detailed network diagram with the complete IP address schema.
2. The configuration file, software version, and model name of both master and backup devices.
3. Log files from when the Device-HA sync fails.
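The address-pool check in 8.1.1 (the L2TP Address Pool must not fall inside the LAN1, LAN2, DMZ or WLAN zone subnets) and the subnet-conflict check in 10.2.7 (Ethernet and VLAN interface subnets must not overlap) are the same test, so here is one added example that performs both with Python's ipaddress module. It is not code from the guide or from Zyxel; the interface names, subnets and pool range are constructed sample values that you would replace with the ones shown under CONFIGURATION > Network > Interface and CONFIGURATION > VPN > L2TP VPN.

```python
import ipaddress
from itertools import combinations

# Constructed sample values (not from the guide): interface address/prefix as
# configured on the device, plus an L2TP address pool given as first-last.
INTERFACES = {
    "lan1": "192.168.1.1/24",
    "lan2": "192.168.2.1/24",
    "dmz": "192.168.3.1/24",
    "vlan10": "192.168.2.129/25",   # sits inside lan2: sync traffic has two candidate interfaces
}
L2TP_POOL = ("192.168.1.100", "192.168.1.120")   # falls inside the lan1 zone


def iface_networks(interfaces):
    """Map interface name -> the subnet it lives in (host bits of the address are dropped)."""
    return {name: ipaddress.ip_interface(cidr).network for name, cidr in interfaces.items()}


def overlapping_interfaces(interfaces):
    """Pairs of interface names whose subnets overlap (the 10.2.7 Device-HA check)."""
    nets = iface_networks(interfaces)
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])
    )


def pool_conflicts(pool, interfaces):
    """Interfaces whose subnet contains any address of the pool (the 8.1.1 L2TP check)."""
    first, last = (ipaddress.ip_address(x) for x in pool)
    if first > last:
        raise ValueError("pool start must not be above pool end")
    hits = []
    for name, net in iface_networks(interfaces).items():
        # The pool is a contiguous range, so it collides with a subnet exactly
        # when the two intervals intersect; compare the end points.
        if first <= net.broadcast_address and last >= net.network_address:
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    for a, b in overlapping_interfaces(INTERFACES):
        print(f"subnet conflict: {a} and {b} overlap")
    for name in pool_conflicts(L2TP_POOL, INTERFACES):
        print(f"L2TP address pool conflicts with the {name} zone")
```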