Support User Manuals

ZyXEL Communications 1000 Network Router User Manual

Open as PDF

of 1075

Chapter 56 Troubleshooting

ZyWALL USG 1000 User’s Guide

877

Make sure you have the FTP ALG enabled.

The ZyWALL keeps resetting the connection.

If an alternate gateway on the LAN has an IP address in the same subnet as the

ZyWALL’s LAN IP address, return traffic may not go through the ZyWALL. This is

called an asymmetrical or “triangle” route. This causes the ZyWALL to reset the

connection, as the connection has not been acknowledged.

You can set the ZyWALL’s firewall to permit the use of asymmetrical route

topology on the network (so it does not reset the connection) although this is not

recommended since allowing asymmetrical routes may let traffic from the WAN go

directly to the LAN without passing through the ZyWALL. A better solution is to

use virtual interfaces to put the ZyWALL and the backup gateway on separate

subnets. See Asymmetrical Routes on page 431 and the chapter about interfaces

for more information.

I cannot set up an IPSec VPN tunnel to another device.

If the IPSec tunnel does not build properly, the problem is likely a configuration

error at one of the IPSec routers. Log into both ZyXEL IPSec routers and check the

settings in each field methodically and slowly. Make sure both the ZyWALL and

remote IPSec router have the same security settings for the VPN tunnel. It may

help to display the settings for both routers side-by-side.

Here are some general suggestions. See also Chapter 25 on page 441.

• The system log can often help to identify a configuration problem.

• If you enable NAT traversal, the remote IPSec device must also have NAT

traversal enabled.

• The ZyWALL and remote IPSec router must use the same authentication method

to establish the IKE SA.

• Both routers must use the same negotiation mode.

• Both routers must use the same encryption algorithm, authentication algorithm,

and DH key group.

• When using manual keys, the ZyWALL and remote IPSec router must use the

same encryption key and authentication key.

• When using pre-shared keys, the ZyWALL and the remote IPSec router must

use the same pre-shared key.

• The ZyWALL’s local and peer ID type and content must match the remote IPSec

router’s peer and local ID type and content, respectively.

previous next