Troubleshooting
This chapter offers some suggestions to solve problems you might encounter.
You can also refer to the logs (see Log Screen).
For the order in which the ZyWALL applies its features and checks, see Packet Flow Explore.
None of the LEDs turn on.
Make sure that you have the power cord connected to the ZyWALL and plugged in to an appropriate power source. Make sure you have the ZyWALL turned on. Check all cable connections.
If the LEDs still do not turn on, you may have a hardware problem. In this case, you should contact your local vendor.
Cannot access the ZyWALL from the LAN.
Check the cable connection between the ZyWALL and your computer or switch.
Ping the ZyWALL from a LAN computer. Make sure your computer’s Ethernet card is installed and functioning properly. Also make sure that its IP address is in the same subnet as the ZyWALL’s.
In the computer, click Start, (All) Programs, Accessories and then Command Prompt. In the Command Prompt window, type "ping" followed by the ZyWALL’s LAN IP address (192.168.1.1 is the default) and then press [ENTER]. The ZyWALL should reply.
If you’ve forgotten the ZyWALL’s password, use the RESET button. Press the button in for about 5 seconds (or until the PWR LED starts to blink), then release it. It returns the ZyWALL to the factory defaults (password is 1234, LAN IP address 192.168.1.1 etc.; see your User’s Guide for details).
If you’ve forgotten the ZyWALL’s IP address, you can use the commands through the console port to check it. Connect your computer to the CONSOLE port using a console cable. Your computer should have a terminal emulation communications program (such as HyperTerminal) set to VT100 terminal emulation, no parity, 8 data bits, 1 stop bit, no flow control and 115200 bps port speed.
I cannot access the Internet.
Check the ZyWALL’s connection to the Ethernet jack with Internet access. Make sure the Internet gateway device (such as a DSL modem) is working properly.
Check the WAN interface's status in the Dashboard. Use the installation setup wizard again and make sure that you enter the correct settings. Use the same case as provided by your ISP.
I cannot update the anti-virus signatures.
Make sure your ZyWALL has the anti-virus service registered and that the license is not expired. Purchase a new license if the license is expired.
Make sure your ZyWALL is connected to the Internet.
I cannot update the IDP/application patrol signatures.
Make sure your ZyWALL has the IDP/application patrol service registered and that the license is not expired. Purchase a new license if the license is expired.
Make sure your ZyWALL is connected to the Internet.
I downloaded updated anti-virus or IDP/application patrol signatures. Why has the ZyWALL not re-booted yet?
The ZyWALL does not have to reboot when you upload new signatures.
The content filter category service is not working.
Make sure your ZyWALL has the content filter category service registered and that the license is not expired. Purchase a new license if the license is expired.
Make sure your ZyWALL is connected to the Internet.
I configured security settings but the ZyWALL is not applying them for certain interfaces.
Many security settings are usually applied to zones. Make sure you assign the interfaces to the appropriate zones. When you create an interface, there is no security applied on it until you assign it to a zone.
The ZyWALL is not applying the custom policy route I configured.
The ZyWALL checks the policy routes in the order that they are listed. So make sure that your custom policy route comes before any other routes that the traffic would also match.
The ZyWALL is not applying the custom firewall rule I configured.
The ZyWALL checks the firewall rules in the order that they are listed. So make sure that your custom firewall rule comes before any other rules that the traffic would also match.
I cannot enter the interface name I want.
The format of interface names other than the Ethernet interface names is very strict. Each name consists of 2-4 letters (interface type), followed by a number (x, limited by the maximum number of each type of interface). For example, VLAN interfaces are vlan0, vlan1, vlan2, ...; and so on.
The names of virtual interfaces are derived from the interfaces on which they are created. For example, virtual interfaces created on Ethernet interface wan1 are called wan1:1, wan1:2, and so on. Virtual interfaces created on VLAN interface vlan2 are called vlan2:1, vlan2:2, and so on. You cannot specify the number after the colon(:) in the Web Configurator; it is a sequential number. You can specify the number after the colon if you use the CLI to set up a virtual interface.
I cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface on an Ethernet interface.
You cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge. You also cannot add an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPP interface on top of it.
My rules and settings that apply to a particular interface no longer work.
The interface’s IP address may have changed. To avoid this create an IP address object based on the interface. This way the ZyWALL automatically updates every rule or setting that uses the object whenever the interface’s IP address settings change. For example, if you change LAN1’s IP address, the ZyWALL automatically updates the corresponding interface-based, LAN1 subnet address object.
I cannot set up a PPP interface.
You have to set up an ISP account before you create a PPPoE or PPTP interface.
The data rates through my cellular connection are no-where near the rates I expected.
The actual cellular data rate you obtain varies depending on the cellular device you use, the signal strength to the service provider’s base station, and so on.
I created a cellular interface but cannot connect through it.
Make sure you have a compatible 3G device installed or connected. See www.zyxel.com for details.
Make sure you have the cellular interface enabled.
Make sure the cellular interface has the correct user name, password, and PIN code configured with the correct casing.
If the ZyWALL has multiple WAN interfaces, make sure their IP addresses are on different subnets.
Hackers have accessed my WEP-encrypted wireless LAN.
WEP is extremely insecure. Its encryption can be broken by an attacker, using widely-available software. It is strongly recommended that you use a more effective security mechanism. Use the strongest security mechanism that all the wireless devices in your network support. WPA2 or WPA2-PSK is recommended.
The wireless security is not following the re-authentication timer setting I specified.
If a RADIUS server authenticates wireless stations, the re-authentication timer on the RADIUS server has priority. Change the RADIUS server’s configuration if you need to use a different re-authentication timer setting.
I cannot configure a particular VLAN interface on top of an Ethernet interface even though I have it configured it on top of another Ethernet interface.
Each VLAN interface is created on top of only one Ethernet interface.
The ZyWALL is not applying an interface’s configured ingress bandwidth limit.
At the time of writing, the ZyWALL does not support ingress bandwidth management.
The ZyWALL is not applying my application patrol bandwidth management settings.
Bandwidth management in policy routes has priority over application patrol bandwidth management.
The ZyWALL’s performance slowed down after I configured many new application patrol entries.
The ZyWALL checks the ports and conditions configured in application patrol entries in the order they appear in the list. While this sequence does not affect the functionality, you might improve the performance of the ZyWALL by putting more commonly used ports at the top of the list.
The ZyWALL’s anti-virus scanner cleaned an infected file but now I cannot use the file.
The scanning engine checks the contents of the packets for virus. If a virus pattern is matched, the ZyWALL removes the infected portion of the file along with the rest of the file. The un-infected portion of the file before a virus pattern was matched still goes through. Since the ZyWALL erases the infected portion of the file before sending it, you may not be able to open the file.
The ZyWALL is not scanning some zipped files.
The ZyWALL cannot unzip password protected ZIP files or a ZIP file within another ZIP file. There are also limits to the number of ZIP files that the ZyWALL can concurrently unzip.
The ZyWALL is deleting some zipped files.
The anti-virus policy may be set to delete zipped files that the ZyWALL cannot unzip. The ZyWALL cannot unzip password protected ZIP files or a ZIP file within another ZIP file. There are also limits to the number of ZIP files that the ZyWALL can concurrently unzip.
The ZyWALL’s performance seems slower after configuring IDP.
Depending on your network topology and traffic load, binding every packet direction to an IDP profile may affect the ZyWALL’s performance. You may want to focus IDP scanning on certain traffic directions such as incoming traffic.
IDP is dropping traffic that matches a rule that says no action should be taken.
The ZyWALL checks all signatures and continues searching even after a match is found. If two or more rules have conflicting actions for the same packet, then the ZyWALL applies the more restrictive action (reject-both, reject-receiver or reject-sender, drop, none in this order). If a packet matches a rule for reject-receiver and it also matches a rule for reject-sender, then the ZyWALL will reject-both.
I uploaded a custom signature file and now all of my earlier custom signatures are gone.
The name of the complete custom signature file on the ZyWALL is ‘custom.rules’. If you import a file named ‘custom.rules’, then all custom signatures on the ZyWALL are overwritten with the new file. If this is not your intention, make sure that the files you import are not named ‘custom.rules’.
I cannot configure some items in IDP that I can configure in Snort.
Not all Snort functionality is supported in the ZyWALL.
The ZyWALL’s performance seems slower after configuring ADP.
Depending on your network topology and traffic load, applying an anomaly profile to each and every packet direction may affect the ZyWALL’s performance.
The ZyWALL routes and applies SNAT for traffic from some interfaces but not from others.
The ZyWALL automatically uses SNAT for traffic it routes from internal interfaces to external interfaces. For example LAN to WAN traffic. You must manually configure a policy route to add routing and SNAT settings for an interface with the Interface Type set to General. You can also configure a policy route to override the default routing and SNAT behavior for an interface with the Interface Type set to Internal or External.
The ZyWALL is not applying a policy route’s port triggering settings.
You also need to create a firewall rule to allow an incoming service.
I cannot get Dynamic DNS to work.
You must have a public WAN IP address to use Dynamic DNS.
Make sure you recorded your DDNS account’s user name, password, and domain name and have entered them properly in the ZyWALL.
You may need to configure the DDNS entry’s IP Address setting to Auto if the interface has a dynamic IP address or there are one or more NAT routers between the ZyWALL and the DDNS server.
The ZyWALL may not determine the proper IP address if there is an HTTP proxy server between the ZyWALL and the DDNS server.
I cannot create a second HTTP redirect rule for an incoming interface.
You can configure up to one HTTP redirect rule for each (incoming) interface.
I cannot get the application patrol to manage SIP traffic.
Make sure you have the SIP ALG enabled.
I cannot get the application patrol to manage H.323 traffic.
Make sure you have the H.323 ALG enabled.
I cannot get the application patrol to manage FTP traffic.
Make sure you have the FTP ALG enabled.
The ZyWALL keeps resetting the connection.
If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL’s LAN IP address, return traffic may not go through the ZyWALL. This is called an asymmetrical or “triangle” route. This causes the ZyWALL to reset the connection, as the connection has not been acknowledged.
You can set the ZyWALL’s firewall to permit the use of asymmetrical route topology on the network (so it does not reset the connection) although this is not recommended since allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets. See Asymmetrical Routes and the chapter about interfaces for more information.
I cannot set up an IPSec VPN tunnel to another device.
If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into both ZyXEL IPSec routers and check the settings in each field methodically and slowly. Make sure both the ZyWALL and remote IPSec router have the same security settings for the VPN tunnel. It may help to display the settings for both routers side-by-side.
Here are some general suggestions. See also IPSec VPN.
The system log can often help to identify a configuration problem.
If you enable NAT traversal, the remote IPSec device must also have NAT traversal enabled.
The ZyWALL and remote IPSec router must use the same authentication method to establish the IKE SA.
Both routers must use the same negotiation mode.
Both routers must use the same encryption algorithm, authentication algorithm, and DH key group.
When using manual keys, the ZyWALL and remote IPSec router must use the same encryption key and authentication key.
When using pre-shared keys, the ZyWALL and the remote IPSec router must use the same pre-shared key.
The ZyWALL’s local and peer ID type and content must match the remote IPSec router’s peer and local ID type and content, respectively.
The ZyWALL and remote IPSec router must use the same active protocol.
The ZyWALL and remote IPSec router must use the same encapsulation.
The ZyWALL and remote IPSec router must use the same SPI.
If the sites are/were previously connected using a leased line or ISDN router, physically disconnect these devices from the network before testing your new VPN connection. The old route may have been learnt by RIP and would take priority over the new VPN connection.
To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other.
Before doing so, ensure that both computers have Internet access (via the IPSec routers).
It is also helpful to have a way to look at the packets that are being sent and received by the ZyWALL and remote IPSec router (for example, by using a packet sniffer).
Check the configuration for the following ZyWALL features.
The ZyWALL does not put IPSec SAs in the routing table. You must create a policy route for each VPN tunnel.
Make sure the To-ZyWALL firewall rules allow IPSec VPN traffic to the ZyWALL. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
The ZyWALL supports UDP port 500 and UDP port 4500 for NAT traversal. If you enable this, make sure the To-ZyWALL firewall rules allow UDP port 4500 too.
Make sure regular firewall rules allow traffic between the VPN tunnel and the rest of the network. Regular firewall rules check packets the ZyWALL sends before the ZyWALL encrypts them and check packets the ZyWALL receives after the ZyWALL decrypts them. This depends on the zone to which you assign the VPN tunnel and the zone from which and to which traffic may be routed.
If you set up a VPN tunnel across the Internet, make sure your ISP supports AH or ESP (whichever you are using).
If you have the ZyWALL and remote IPSec router use certificates to authenticate each other, You must set up the certificates for the ZyWALL and remote IPSec router first and make sure they trust each other’s certificates. If the ZyWALL’s certificate is self-signed, import it into the remote IPsec router. If it is signed by a CA, make sure the remote IPsec router trusts that CA. The ZyWALL uses one of its Trusted Certificates to authenticate the remote IPSec router’s certificate. The trusted certificate can be the remote IPSec router’s self-signed certificate or that of a trusted CA that signed the remote IPSec router’s certificate.
Multiple SAs connecting through a secure gateway must have the same negotiation mode.
The VPN connection is up but VPN traffic cannot be transmitted through the VPN tunnel.
If you have the Configuration > VPN > IPSec VPN > VPN Connection screen’s Use Policy Route to control dynamic IPSec rules option enabled, check the routing policies to see if they are sending traffic elsewhere instead of through the VPN tunnels.
I uploaded a logo to show in the SSL VPN user screens but it does not display properly.
The logo graphic must be GIF, JPG, or PNG format. The graphic should use a resolution of 103 x 29 pixels to avoid distortion when displayed. The ZyWALL automatically resizes a graphic of a different resolution to 103 x 29 pixels. The file size must be 100 kilobytes or less. Transparent background is recommended.
I logged into the SSL VPN but cannot see some of the resource links.
Available resource links vary depending on the SSL application object’s configuration.
I cannot download the ZyWALL’s firmware package.
The ZyWALL’s firmware package cannot go through the ZyWALL when you enable the anti-virus Destroy compressed files that could not be decompressed option. The ZyWALL classifies the firmware package as not being able to be decompressed and deletes it.
You can upload the firmware package to the ZyWALL with the option enabled, so you only need to clear the Destroy compressed files that could not be decompressed option while you download the firmware package. See Anti-Virus Policy Add or Edit Screen for more on the anti-virus Destroy compressed files that could not be decompressed option.
I changed the LAN IP address and can no longer access the Internet.
The ZyWALL automatically updates address objects based on an interface’s IP address, subnet, or gateway if the interface’s IP address settings change. However, you need to manually edit any address objects for your LAN that are not based on the interface.
I configured application patrol to allow and manage access to a specific service but access is blocked.
If you want to use a service, make sure both the firewall and application patrol allow the service’s packets to go through the ZyWALL.
The ZyWALL checks firewall rules before it checks application patrol rules for traffic going through the ZyWALL.
I configured application patrol to block use of a specific service but a few packet’s still get through.
The ZyWALL allows the first eight packets to go through the firewall, regardless of the application patrol policy for the application. The ZyWALL examines these first eight packets to identify the application.
I configured policy routes to manage the bandwidth of TCP and UDP traffic but the bandwidth management is not being applied properly.
It is recommended to use application patrol instead of policy routes to manage the bandwidth of TCP and UDP traffic.
I cannot get the RADIUS server to authenticate the ZyWALL‘s default admin account.
The default admin account is always authenticated locally, regardless of the authentication method setting.
The ZyWALL fails to authentication the ext-user user accounts I configured.
An external server such as AD, LDAP or RADIUS must authenticate the ext-user accounts. If the ZyWALL tries to use the local database to authenticate an ext-user, the authentication attempt will always fail. (This is related to AAA servers and authentication methods, which are discussed in AAA Server and Authentication Method, respectively.)
I cannot add the admin users to a user group with access users.
You cannot put access users and admin users in the same user group.
I cannot add the default admin account to a user group.
You cannot put the default admin account into any user group.
The schedule I configured is not being applied at the configured times.
Make sure the ZyWALL’s current date and time are correct.
I cannot get a certificate to import into the ZyWALL.
1
For My Certificates, you can import a certificate that matches a corresponding certification request that was generated by the ZyWALL. You can also import a certificate in PKCS#12 format, including the certificate’s public and private keys.
2
You must remove any spaces from the certificate’s filename before you can import the certificate.
3
Any certificate that you want to import has to be in one of these file formats:
Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.
Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. A PKCS #7 file is used to transfer a public key certificate. The private key is not included. The ZyWALL currently allows the importation of a PKS#7 file that contains a single certificate.
PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form.
Binary PKCS#12: This is a format for transferring public key and private key certificates.The private key in a PKCS #12 file is within a password-encrypted envelope. The file’s password is not connected to your certificate’s public or private passwords. Exporting a PKCS #12 file creates this and you must provide it to decrypt the contents when you import the file into the ZyWALL.
Note:
Be careful not to convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default.
I cannot access the ZyWALL from a computer connected to the Internet.
Check the service control rules and to-ZyWALL firewall rules.
I uploaded a logo to display on the upper left corner of the Web Configurator login screen and access page but it does not display properly.
Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less.
I uploaded a logo to use as the screen or window background but it does not display properly.
Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less.
The ZyWALL’s traffic throughput rate decreased after I started collecting traffic statistics.
Data collection may decrease the ZyWALL’s traffic throughput rate.
I can only see newer logs. Older logs are missing.
When a log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first.
The commands in my configuration file or shell script are not working properly.
In a configuration file or shell script, use “#” or “!” as the first character of a command line to have the ZyWALL treat the line as a comment.
Your configuration files or shell scripts can use “exit” or a command line consisting of a single “!” to have the ZyWALL exit sub command mode.
Include write commands in your scripts. Otherwise the changes will be lost when the ZyWALL restarts. You could use multiple write commands in a long script.
Note:
“exit” or “!'” must follow sub commands if it is to make the ZyWALL exit sub command mode.
See File Manager for more on configuration files and shell scripts.
I cannot get the firmware uploaded using the commands.
The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it.
My packet capture captured less than I wanted or failed.
The packet capture screen’s File Size sets a maximum size limit for the total combined size of all the capture files on the ZyWALL, including any existing capture files and any new capture files you generate. If you have existing capture files you may need to set this size larger or delete existing capture files.
The ZyWALL stops the capture and generates the capture file when either the capture files reach the File Size or the time period specified in the Duration field expires.
My earlier packet capture files are missing.
New capture files overwrite existing files of the same name. Change the File Suffix field’s setting to avoid this.
Resetting the ZyWALL
If you cannot access the ZyWALL by any method, try restarting it by turning the power off and then on again. If you still cannot access the ZyWALL by any method or you forget the administrator password(s), you can reset the ZyWALL to its factory-default settings. Any configuration files or shell scripts that you saved on the ZyWALL should still be available afterwards.
Use the following procedure to reset the ZyWALL to its factory-default settings. This overwrites the settings in the startup-config.conf file with the settings in the system-default.conf file.
Note:
This procedure removes the current configuration.
If you want to reboot the device without changing the current configuration, see Reboot.
1
Make sure the SYS LED is on and not blinking.
2
Press the RESET button and hold it until the SYS LED begins to blink. (This usually takes about five seconds.)
3
Release the RESET button, and wait for the ZyWALL to restart.
You should be able to access the ZyWALL using the default settings.
Getting More Troubleshooting Help
Search for support information for your model at www.zyxel.com for more troubleshooting suggestions.