Chapter 51 Troubleshooting
ZyWALL USG 50 User’s Guide
766
The ZyWALL may not determine the proper IP address if there is an HTTP proxy
server between the ZyWALL and the DDNS server.
I cannot create a second HTTP redirect rule for an incoming interface.
Only one HTTP redirect rule can be configured per incoming interface.
I cannot get the application patrol to manage SIP traffic.
Make sure you have the SIP ALG enabled.
I cannot get the application patrol to manage H.323 traffic.
Make sure you have the H.323 ALG enabled.
I cannot get the application patrol to manage FTP traffic.
Make sure you have the FTP ALG enabled.
The ZyWALL keeps resetting the connection.
If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL’s LAN IP address, return traffic may not go through the ZyWALL. This is called an asymmetrical or “triangle” route. Because the ZyWALL’s stateful firewall never sees the return traffic that completes (acknowledges) the connection, it resets the connection.
You can set the ZyWALL’s firewall to permit the use of asymmetrical route topology on the network (so it does not reset the connection), but this is not recommended, since allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL’s inspection. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets. See Asymmetrical Routes on page 365 and the chapter about interfaces for more information.
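The following is an added illustration of the failure mode described above; it is not ZyWALL code. It models a generic stateful inspector that tracks the TCP handshake per flow (an assumption, not the ZyWALL’s actual session table) and feeds it the packets the firewall would see on a symmetric route and on a triangle route, where the SYN-ACK returns through the alternate gateway. The addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK", "ACK" or "DATA"


def track_flows(packets, allow_asymmetric=False):
    """Run a simplified stateful inspector over the packets it actually sees,
    in order. Returns (verdicts, final_state). Per flow (unordered pair of
    endpoints) the state moves None -> "SYN" -> "SYN-ACK" -> "ESTABLISHED".
    This is a generic model, not the ZyWALL's own session table (assumption)."""
    state = {}
    verdicts = []
    for p in packets:
        key = frozenset((p.src, p.dst))
        st = state.get(key)
        if p.flags == "SYN":
            state[key] = "SYN"
            verdict = "forward"
        elif p.flags == "SYN-ACK":
            if st == "SYN":
                state[key] = "SYN-ACK"
                verdict = "forward"
            else:
                verdict = "drop"  # reply to a handshake this box never saw
        elif p.flags == "ACK":
            if st == "SYN-ACK" or (allow_asymmetric and st == "SYN"):
                state[key] = "ESTABLISHED"
                verdict = "forward"
            else:
                verdict = "reset"  # handshake was never acknowledged here
        else:  # DATA
            verdict = "forward" if st == "ESTABLISHED" else "reset"
        verdicts.append(verdict)
    return verdicts, state


# Constructed addresses: a LAN host and an Internet server (documentation
# ranges); an alternate gateway is assumed to sit on the same LAN subnet.
LAN_HOST = "192.168.1.33"
SERVER = "203.0.113.10"


def symmetric_route():
    """Both directions pass through the ZyWALL: the full handshake is seen."""
    seen = [Packet(LAN_HOST, SERVER, "SYN"),
            Packet(SERVER, LAN_HOST, "SYN-ACK"),
            Packet(LAN_HOST, SERVER, "ACK"),
            Packet(LAN_HOST, SERVER, "DATA")]
    return track_flows(seen)[0]


def triangle_route(allow_asymmetric=False):
    """Outbound packets go through the ZyWALL, but the server's replies come
    back through the alternate gateway, so the SYN-ACK is never seen."""
    seen = [Packet(LAN_HOST, SERVER, "SYN"),
            # Packet(SERVER, LAN_HOST, "SYN-ACK") took the other gateway
            Packet(LAN_HOST, SERVER, "ACK"),
            Packet(LAN_HOST, SERVER, "DATA")]
    return track_flows(seen, allow_asymmetric)[0]


if __name__ == "__main__":
    print("symmetric route        :", symmetric_route())
    print("triangle route         :", triangle_route())
    print("triangle, asymm allowed:", triangle_route(allow_asymmetric=True))
```

On the triangle route the ACK and the data are reset because the inspector has no record of the SYN-ACK; enabling the asymmetric-route allowance makes the connection work, but only because the inspector now accepts a connection whose other half it never examined, which is exactly why the manual recommends separate subnets instead.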
I cannot set up an IPSec VPN tunnel to another device.
If the IPSec tunnel does not build properly, the problem is usually a configuration error on one of the IPSec routers. Log into both IPSec routers and check the settings in each field methodically and slowly. Make sure the ZyWALL and the remote IPSec router have the same security settings for the VPN tunnel; it helps to display the settings for both routers side by side.
Here are some general suggestions. See also Chapter 23 on page 375.
• The system log can often help to identify a configuration problem.
• If you enable NAT traversal, the remote IPSec device must also have NAT traversal enabled.
• The ZyWALL and remote IPSec router must use the same authentication method to establish the IKE SA.
• Both routers must use the same negotiation mode.
• Both routers must use the same encryption algorithm, authentication algorithm, and DH key group.
• When using manual keys, the ZyWALL and remote IPSec router must use the same encryption key and authentication key.
• When using pre-shared keys, the ZyWALL and the remote IPSec router must use the same pre-shared key.
• The ZyWALL’s local and peer ID type and content must match the remote IPSec router’s peer and local ID type and content, respectively.
• The ZyWALL and remote IPSec router must use the same active protocol.
• The ZyWALL and remote IPSec router must use the same encapsulation.
• The ZyWALL and remote IPSec router must use the same SPI. This applies to manual keys; with IKE the SPIs are negotiated automatically.
• If the sites are/were previously connected using a leased line or ISDN router, physically disconnect these devices from the network before testing your new VPN connection. The old route may have been learnt by RIP and would take priority over the new VPN connection.
• To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other.
  • Before doing so, ensure that both computers have Internet access (via the IPSec routers).
  • It is also helpful to have a way to look at the packets that are being sent and received by the ZyWALL and remote IPSec router (for example, by using a packet sniffer).
Check the configuration for the following ZyWALL features.
• The ZyWALL does not put IPSec SAs in the routing table. You must create a policy route for each VPN tunnel. See Chapter 13 on page 281.
• Make sure the To-ZyWALL firewall rules allow IPSec VPN traffic to the ZyWALL. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
• The ZyWALL supports UDP port 500 and UDP port 4500 for NAT traversal. If you enable this, make sure the To-ZyWALL firewall rules allow UDP port 4500 too.
• Make sure regular firewall rules allow traffic between the VPN tunnel and the rest of the network. Regular firewall rules check packets the ZyWALL sends before the ZyWALL encrypts them and check packets the ZyWALL receives after the ZyWALL decrypts them. Which rules apply depends on the zone to which you assign the VPN tunnel and the zones from which and to which traffic may be routed.
• If you set up a VPN tunnel across the Internet, make sure your ISP passes AH or ESP (whichever you are using). Some ISPs and NAT devices pass only TCP and UDP; NAT traversal works around this by encapsulating ESP in UDP port 4500.
• If you have the ZyWALL and remote IPSec router use certificates to authenticate each other, you must set up the certificates for the ZyWALL and remote IPSec router first and make sure they trust each other’s certificates. If the ZyWALL’s certificate is self-signed, import it into the remote IPSec router. If it is signed by a CA, make sure the remote IPSec router trusts that CA. The ZyWALL uses one of its Trusted Certificates to authenticate the remote IPSec router’s certificate. The trusted certificate can be the remote IPSec router’s self-signed certificate or that of a trusted CA that signed the remote IPSec router’s certificate.
• Multiple SAs connecting through a secure gateway must have the same negotiation mode.
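An added example (not ZyWALL code) of checking the To-ZyWALL rule requirements listed above before bringing a tunnel up: it builds the set of flows the remote IPSec router must be able to send (IKE on UDP 500, UDP 4500 when NAT traversal is enabled, and raw ESP or AH), evaluates them against a rule list with first-match semantics and an assumed default of deny, and reports what would be blocked. The rule and flow representation, the zone names and the sample rule sets are assumptions for the illustration, not the ZyWALL’s own rule format.

```python
from dataclasses import dataclass
from typing import Optional

UDP, ESP, AH = 17, 50, 51  # IP protocol numbers


@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    proto: Optional[int]   # None = any IP protocol
    dport: Optional[int]   # None = any port (only meaningful for TCP/UDP)
    action: str            # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    name: str
    from_zone: str
    to_zone: str
    proto: int
    dport: Optional[int]


def required_flows(active_protocol="esp", nat_traversal=False, from_zone="WAN"):
    """Traffic the remote IPSec router must be able to send to the ZyWALL."""
    flows = [Flow("IKE", from_zone, "ZyWALL", UDP, 500)]
    if nat_traversal:
        flows.append(Flow("IKE NAT-T", from_zone, "ZyWALL", UDP, 4500))
    # NAT traversal is only used when a NAT is detected during IKE, so the
    # raw ESP/AH protocol is still required for peers that are not behind NAT.
    if active_protocol == "esp":
        flows.append(Flow("ESP", from_zone, "ZyWALL", ESP, None))
    else:
        flows.append(Flow("AH", from_zone, "ZyWALL", AH, None))
    return flows


def first_match(rules, flow):
    """First-match evaluation with an assumed default action of deny."""
    for rule in rules:
        if (rule.from_zone, rule.to_zone) != (flow.from_zone, flow.to_zone):
            continue
        if rule.proto is not None and rule.proto != flow.proto:
            continue
        if rule.dport is not None and rule.dport != flow.dport:
            continue
        return rule.action
    return "deny"


def blocked_flows(rules, flows):
    """Names of the required flows the rule set would not let through."""
    return [f.name for f in flows if first_match(rules, f) != "allow"]


# Constructed rule sets.  RULES is a typical starting point that forgot
# NAT-T; SHADOWED puts a catch-all deny above the allows, so they never match.
RULES = [
    Rule("WAN", "ZyWALL", UDP, 500, "allow"),
    Rule("WAN", "ZyWALL", ESP, None, "allow"),
]
RULES_WITH_NAT_T = RULES + [Rule("WAN", "ZyWALL", UDP, 4500, "allow")]
SHADOWED = [Rule("WAN", "ZyWALL", None, None, "deny")] + RULES_WITH_NAT_T

if __name__ == "__main__":
    print("no NAT-T rule, NAT-T on    :", blocked_flows(RULES, required_flows(nat_traversal=True)))
    print("AH tunnel, only ESP allowed:", blocked_flows(RULES, required_flows(active_protocol="ah")))
    print("shadowed by catch-all deny :", blocked_flows(SHADOWED, required_flows(nat_traversal=True)))
```

The shadowed case is the one that is easy to miss when reading the rules one at a time: every individual allow rule looks correct, but a broader deny placed earlier wins under first-match evaluation.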
The VPN connection is up but VPN traffic cannot be transmitted through the VPN tunnel.
If you have the Configuration > VPN > IPSec VPN > VPN Connection screen’s Use Policy Route to control dynamic IPSec rules option enabled, check the routing policies to see if they are sending traffic elsewhere instead of through the VPN tunnels.
I uploaded a logo to show in the SSL VPN user screens but it does not display
properly.
The logo graphic must be GIF, JPG, or PNG format. The graphic should use a
resolution of 127 x 57 pixels to avoid distortion when displayed. The ZyWALL
automatically resizes a graphic of a different resolution to 127 x 57 pixels. The file
size must be 100 kilobytes or less. Transparent background is recommended.
I logged into the SSL VPN but cannot see some of the resource links.
Available resource links vary depending on the SSL application object’s
configuration.
I cannot download the ZyWALL’s firmware package.
A firmware package downloaded through the ZyWALL is blocked when the anti-virus Destroy compressed files that could not be decompressed option is enabled: the ZyWALL classifies the package as a compressed file that cannot be decompressed and deletes it.
Uploading the firmware package to the ZyWALL still works with the option enabled, so you only need to clear the Destroy compressed files that could not be decompressed option while you download the package. See Section 29.2.1 on page 469 for more on this option.
I changed the LAN IP address and can no longer access the Internet.
The ZyWALL automatically updates address objects based on an interface’s IP
address, subnet, or gateway if the interface’s IP address settings change.
However, you need to manually edit any address objects for your LAN that are not
based on the interface.
I configured application patrol to allow and manage access to a specific service
but access is blocked.
If you want to use a service, make sure both the firewall and application patrol
allow the service’s packets to go through the ZyWALL.
The ZyWALL checks firewall rules before it checks application patrol rules for
traffic going through the ZyWALL.
I configured application patrol to block use of a specific service but a few packets still get through.
The ZyWALL allows the first eight packets to go through the firewall, regardless of the application patrol policy for the application. The ZyWALL examines these first eight packets to identify the application before the policy can be applied.
I configured policy routes to manage the bandwidth of TCP and UDP traffic but the
bandwidth management is not being applied properly.
It is recommended to use application patrol instead of policy routes to manage the
bandwidth of TCP and UDP traffic.
I cannot get the RADIUS server to authenticate the ZyWALL‘s default admin account.
The default admin account is always authenticated locally, regardless of the authentication method setting. (See Chapter 39 on page 617 for more information about authentication methods.)
The ZyWALL fails to authenticate the ext-user user accounts I configured.
An external server such as AD, LDAP or RADIUS must authenticate the ext-user accounts. If the ZyWALL tries to use the local database to authenticate an ext-user, the authentication attempt will always fail. (This is related to AAA servers and authentication methods, which are discussed in Chapter 39 on page 617 and Chapter 40 on page 627, respectively.)
I cannot add the admin users to a user group with access users.
You cannot put access users and admin users in the same user group.
I cannot add the default admin account to a user group.
You cannot put the default admin account into any user group.
The schedule I configured is not being applied at the configured times.
Make sure the ZyWALL’s current date, time and time zone are correct.
