Troubleshooting
This chapter offers some suggestions to solve problems you might encounter.
You can also refer to the logs (see Log).
For the order in which the Zyxel Device applies its features and checks, see .
None of the LEDs turn on.
Make sure that you have the power cord connected to the Zyxel Device and plugged in to an appropriate power source. Make sure you have the Zyxel Device turned on. Check all cable connections.
If the LEDs still do not turn on, you may have a hardware problem. In this case, you should contact your local vendor.
Cannot access the Zyxel Device from the LAN.
Check the cable connection between the Zyxel Device and your computer or switch.
Ping the Zyxel Device from a LAN computer. Make sure your computer’s Ethernet card is installed and functioning properly. Also make sure that its IP address is in the same subnet as the Zyxel Device’s.
In the computer, click Start, (All) Programs, Accessories and then Command Prompt. In the Command Prompt window, type “ping” followed by the Zyxel Device’s LAN IP address (192.168.1.1 is the default) and then press [ENTER]. The Zyxel Device should reply.
If you’ve forgotten the Zyxel Device’s password, use the RESET button. Press the button in for about 5 seconds (or until the SYS LED starts to blink), then release it. It returns the Zyxel Device to the factory defaults (password is 1234, LAN IP address 192.168.1.1, etc.).
If you’ve forgotten the Zyxel Device’s IP address, you can use the commands through the CONSOLE port to check it. Connect your computer to the CONSOLE port using a console cable. Your computer should have a terminal emulation communications program (such as HyperTerminal) set to VT100 terminal emulation, no parity, 8 data bits, 1 stop bit, no flow control and 115200 bps port speed.
I cannot access the Internet.
Check the Zyxel Device’s connection to the Ethernet jack with Internet access. Make sure the Internet gateway device (such as a DSL modem) is working properly.
Check the WAN interface's status in the Dashboard. Use the installation setup wizard again and make sure that you enter the correct settings. Use the same case as provided by your ISP.
I cannot update the anti-malware/IDP/application patrol/URL Threat filter/IP reputation signatures.
Make sure your Zyxel Device has the anti-malware/IDP/application patrol service registered and that the license is not expired. Purchase a new license if the license is expired.
Make sure your Zyxel Device is connected to the Internet.
I cannot update the threat intelligence machine learning (TIML) signatures.
Make sure your Zyxel Device has the anti-malware service registered and that the gold security pack license is not expired. Purchase a new license if the license is expired.
Make sure your Zyxel Device is connected to the Internet.
I downloaded updated anti-malware/IDP/application patrol/URL Threat filter/IP reputation signatures. Why has the Zyxel Device not re-booted yet?
The Zyxel Device does not have to reboot when you upload new signatures.
The content filter category service is not working.
Make sure your Zyxel Device has the content filter category service registered and that the license is not expired. Purchase a new license if the license is expired.
Make sure your Zyxel Device is connected to the Internet.
Make sure you select Enable Content Filter Category Service when you add a filter profile in the Configuration > Security Service > Content Filter > Profile > Add or Edit screen.
I configured security settings but the Zyxel Device is not applying them for certain interfaces.
Many security settings are usually applied to zones. Make sure you assign the interfaces to the appropriate zones. When you create an interface, there is no security applied on it until you assign it to a zone.
The Zyxel Device is not applying the custom policy route I configured.
The Zyxel Device checks the policy routes in the order that they are listed. So make sure that your custom policy route comes before any other routes that the traffic would also match.
The Zyxel Device is not applying the custom security policy I configured.
The Zyxel Device checks the security policies in the order that they are listed. So make sure that your custom security policy comes before any other rules that the traffic would also match.
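The ordering problem described in the two answers above can be audited offline. The following is an added example, not Zyxel code: the rule fields, rule names and addresses are constructed for illustration. It models first-match evaluation and reports every rule that an earlier, broader rule fully covers.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    service: str  # "any" or a label such as "tcp/23"
    action: str   # "allow" or "deny"


def _net(cidr):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def covers(earlier, later):
    """True if every packet that matches `later` also matches `earlier`."""
    return (_net(later.src).subnet_of(_net(earlier.src))
            and _net(later.dst).subnet_of(_net(earlier.dst))
            and earlier.service in ("any", later.service))


def first_match(rules, src_ip, dst_ip, service):
    """Walk the list top to bottom and return the first rule the packet matches."""
    for rule in rules:
        if (ipaddress.ip_address(src_ip) in _net(rule.src)
                and ipaddress.ip_address(dst_ip) in _net(rule.dst)
                and rule.service in ("any", service)):
            return rule
    return None


def shadowed(rules):
    """Return (rule, covering_rule, actions_conflict) for rules that can never be reached."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                findings.append((later.name, earlier.name, earlier.action != later.action))
                break
    return findings


# Constructed sample policy list: the custom deny rule sits below a broader allow rule.
POLICIES = [
    Rule("allow-lan-out", "192.168.1.0/24", "any", "any", "allow"),
    Rule("block-kiosk-telnet", "192.168.1.50/32", "any", "tcp/23", "deny"),
    Rule("default-deny", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for name, by, conflict in shadowed(POLICIES):
        print(f"{name} is never applied: covered by {by}"
              + (" (conflicting action)" if conflict else ""))
```

Moving the custom rule above the rule that covers it clears the finding, which is the fix the answers above describe.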
I cannot enter the interface name I want.
The format of interface names other than the Ethernet interface names is very strict. Each name consists of 2-4 letters (interface type), followed by a number (x, limited by the maximum number of each type of interface). For example, VLAN interfaces are vlan0, vlan1, vlan2, and so on.
The names of virtual interfaces are derived from the interfaces on which they are created. For example, virtual interfaces created on Ethernet interface wan1 are called wan1:1, wan1:2, and so on. Virtual interfaces created on VLAN interface vlan2 are called vlan2:1, vlan2:2, and so on. You cannot specify the number after the colon (:) in the Web Configurator; it is a sequential number. You can specify the number after the colon if you use the CLI to set up a virtual interface.
I cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface on an Ethernet interface.
You cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge. You also cannot add an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPP interface on top of it.
My rules and settings that apply to a particular interface no longer work.
The interface’s IP address may have changed. To avoid this, create an IP address object based on the interface. This way the Zyxel Device automatically updates every rule or setting that uses the object whenever the interface’s IP address settings change. For example, if you change LAN1’s IP address, the Zyxel Device automatically updates the corresponding interface-based, LAN1 subnet address object.
I cannot set up a PPP interface.
You have to set up an ISP account before you create a PPPoE or PPTP interface.
The data rates through my cellular connection are nowhere near the rates I expected.
The actual cellular data rate you obtain varies depending on the cellular device you use, the signal strength to the service provider’s base station, and so on.
I created a cellular interface but cannot connect through it.
Make sure you have a compatible mobile broadband device installed or connected. See www.zyxel.com for details.
Make sure you have the cellular interface enabled.
Make sure the cellular interface has the correct user name, password, and PIN code configured with the correct casing.
If the Zyxel Device has multiple WAN interfaces, make sure their IP addresses are on different subnets.
Hackers have accessed my WEP-encrypted wireless LAN.
WEP is extremely insecure. Its encryption can be broken by an attacker, using widely-available software. It is strongly recommended that you use a more effective security mechanism. Use the strongest security mechanism that all the wireless devices in your network support. WPA2 or WPA2-PSK is recommended.
The wireless security is not following the re-authentication timer setting I specified.
If a RADIUS server authenticates wireless stations, the re-authentication timer on the RADIUS server has priority. Change the RADIUS server’s configuration if you need to use a different re-authentication timer setting.
I cannot configure a particular VLAN interface on top of an Ethernet interface even though I have configured it on top of another Ethernet interface.
Each VLAN interface is created on top of only one Ethernet interface.
The Zyxel Device is not applying an interface’s configured ingress bandwidth limit.
At the time of writing, the Zyxel Device does not support ingress bandwidth management.
The Zyxel Device is not applying my application patrol bandwidth management settings.
Bandwidth management in policy routes has priority over application patrol bandwidth management.
The Zyxel Device’s performance slowed down after I configured many new application patrol entries.
The Zyxel Device checks the ports and conditions configured in application patrol entries in the order they appear in the list. While this sequence does not affect the functionality, you might improve the performance of the Zyxel Device by putting more commonly used ports at the top of the list.
The Zyxel Device’s anti-malware scanner cleaned an infected file but now I cannot use the file.
The scanning engine checks the contents of the packets for malware. If a malware pattern is matched, the Zyxel Device removes a portion of the file, while the rest goes through. Since the Zyxel Device erases a portion of the file before sending it, you may not be able to open the file.
The Zyxel Device sent an alert that a malware-infected file has been found, but the file was still forwarded to the user and could still be executed.
Make sure you enable Destroy Infected File in the Configuration > Security Service > Anti-Malware screen to modify infected files before forwarding the files to the user, preventing them from being executed.
I added a file pattern in the anti-malware white list, but the Zyxel Device still checks and modifies files that match this pattern.
Make sure you select the Check White List check box above the white list table. If it is already selected, make sure that the white list entry corresponding to this file pattern is activated.
The Zyxel Device is not scanning some zipped files.
The Zyxel Device cannot unzip password protected ZIP files or a ZIP file within another ZIP file. There are also limits to the number of ZIP files that the Zyxel Device can concurrently unzip.
The Zyxel Device is deleting some zipped files.
The anti-malware policy may be set to delete zipped files that the Zyxel Device cannot unzip. The Zyxel Device cannot unzip password protected ZIP files or a ZIP file within another ZIP file. There are also limits to the number of ZIP files that the Zyxel Device can concurrently unzip.
The threat intelligence machine learning (TIML) feature is not working.
1 Make sure you purchase the gold security pack.
Make sure you’ve registered the Zyxel Device and activated the anti-malware service on portal.myZyxel.com.
Go to the Configuration > Security Service > Anti-Malware screen and select the Enable check box to activate the TIML feature.
2 Make sure the gold security pack is not expired. If it is, renew the license.
The Zyxel Device won’t scan the TIML signatures that were downloaded when the gold security pack expired.
The Zyxel Device’s performance seems slower after configuring IDP.
Depending on your network topology and traffic load, binding every packet direction to an IDP profile may affect the Zyxel Device’s performance. You may want to focus IDP scanning on certain traffic directions such as incoming traffic.
IDP is dropping traffic that matches a rule that says no action should be taken.
The Zyxel Device checks all signatures and continues searching even after a match is found. If two or more rules have conflicting actions for the same packet, then the Zyxel Device applies the more restrictive action (reject-both, reject-receiver or reject-sender, drop, none in this order). If a packet matches a rule for reject-receiver and it also matches a rule for reject-sender, then the Zyxel Device will reject-both.
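The conflict resolution described above, written out as an added example (not Zyxel code): the action names and their order come from the paragraph, while the signature IDs and match lists are constructed. It shows why a packet that matches a "none" rule can still be dropped or rejected, and which matches were responsible.

```python
# Higher number = more restrictive, following the order given in the text.
RESTRICTIVENESS = {
    "none": 0,
    "drop": 1,
    "reject-sender": 2,
    "reject-receiver": 2,
    "reject-both": 3,
}


def effective_action(matched_actions):
    """Combine the actions of every signature a packet matched."""
    actions = set(matched_actions)
    unknown = actions.difference(RESTRICTIVENESS)
    if unknown:
        raise ValueError(f"unknown action(s): {sorted(unknown)}")
    if not actions:
        return "none"
    # A reject-sender match plus a reject-receiver match becomes reject-both.
    if {"reject-sender", "reject-receiver"} <= actions:
        return "reject-both"
    return max(actions, key=RESTRICTIVENESS.__getitem__)


def explain(matches):
    """matches: [(signature_id, configured_action)] for one packet.

    Returns (effective_action, [signature ids that caused it]).
    """
    action = effective_action(a for _, a in matches)
    if action == "none":
        return action, []
    culprits = [sid for sid, a in matches if a == action]
    if not culprits:
        # reject-both was produced by merging the two one-sided reject rules
        culprits = [sid for sid, a in matches
                    if a in ("reject-sender", "reject-receiver")]
    return action, culprits


# Constructed sample: signature IDs are placeholders, not real signatures.
PACKET_A = [(9000001, "none"), (9000002, "drop")]
PACKET_B = [(9000001, "none"), (9000003, "reject-sender"), (9000004, "reject-receiver")]

if __name__ == "__main__":
    for label, matches in (("A", PACKET_A), ("B", PACKET_B)):
        action, culprits = explain(matches)
        print(f"packet {label}: {action} because of signature(s) {culprits}")
```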
I uploaded a custom signature file and now all of my earlier custom signatures are gone.
The name of the complete custom signature file on the Zyxel Device is ‘custom.rules’. If you import a file named ‘custom.rules’, then all custom signatures on the Zyxel Device are overwritten with the new file. If this is not your intention, make sure that the files you import are not named ‘custom.rules’.
I cannot configure some items in IDP that I can configure in Snort.
Not all Snort functionality is supported in the Zyxel Device.
The Zyxel Device’s performance seems slower after configuring ADP.
Depending on your network topology and traffic load, applying an anomaly profile to each and every packet direction may affect the Zyxel Device’s performance.
Some of the files I download don’t go through Sandboxing even though it is enabled.
The Sandboxing feature only applies to certain file types. Check the list in File Submission Options to see if the file types you use are included. If they are, make sure you select their corresponding check box.
The Zyxel Device detected a malicious file from Sandboxing, but the file still went through the Zyxel Device and is still usable.
Make sure you set your Sandboxing settings to destroy malicious files in the Configuration > Security Service > Sandboxing: Action For Malicious File drop-down list box.
The Zyxel Device destroyed/dropped a file/email without notifying me.
Make sure you enable logs for your security features, such as in the following screens:
Configuration > Security Service > IDP
Configuration > Security Service > Anti-Malware
Configuration > Security Service > Sandboxing
Configuration > Security Service > Email Security
The Zyxel Device routes and applies SNAT for traffic from some interfaces but not from others.
The Zyxel Device automatically uses SNAT for traffic it routes from internal interfaces to external interfaces. For example LAN to WAN traffic. You must manually configure a policy route to add routing and SNAT settings for an interface with the Interface Type set to General. You can also configure a policy route to override the default routing and SNAT behavior for an interface with the Interface Type set to Internal or External.
I cannot get Dynamic DNS to work.
You must have a public WAN IP address to use Dynamic DNS.
Make sure you recorded your DDNS account’s user name, password, and domain name and have entered them properly in the Zyxel Device.
You may need to configure the DDNS entry’s IP Address setting to Auto if the interface has a dynamic IP address or there are one or more NAT routers between the Zyxel Device and the DDNS server.
The Zyxel Device may not determine the proper IP address if there is an HTTP proxy server between the Zyxel Device and the DDNS server.
I cannot create a second HTTP redirect rule for an incoming interface.
You can configure up to one HTTP redirect rule for each (incoming) interface.
I cannot get the application patrol to manage SIP traffic.
Make sure you have the SIP ALG enabled.
I cannot get the application patrol to manage H.323 traffic.
Make sure you have the H.323 ALG enabled.
I cannot get the application patrol to manage FTP traffic.
Make sure you have the FTP ALG enabled.
The Zyxel Device keeps resetting the connection.
If an alternate gateway on the LAN has an IP address in the same subnet as the Zyxel Device’s LAN IP address, return traffic may not go through the Zyxel Device. This is called an asymmetrical or “triangle” route. This causes the Zyxel Device to reset the connection, as the connection has not been acknowledged.
You can set the Zyxel Device’s security policy to permit the use of asymmetrical route topology on the network (so it does not reset the connection) although this is not recommended since allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the Zyxel Device. A better solution is to use virtual interfaces to put the Zyxel Device and the backup gateway on separate subnets. See Asymmetrical Routes and the chapter about interfaces for more information.
I cannot set up an IPSec VPN tunnel to another device.
If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into both Zyxel IPSec routers and check the settings in each field methodically and slowly. Make sure both the Zyxel Device and remote IPSec router have the same security settings for the VPN tunnel. It may help to display the settings for both routers side-by-side.
Here are some general suggestions. See also IPSec VPN.
The system log can often help to identify a configuration problem.
If you enable NAT traversal, the remote IPSec device must also have NAT traversal enabled.
The Zyxel Device and remote IPSec router must use the same authentication method to establish the IKE SA.
Both routers must use the same negotiation mode.
Both routers must use the same encryption algorithm, authentication algorithm, and DH key group.
When using pre-shared keys, the Zyxel Device and the remote IPSec router must use the same pre-shared key.
The Zyxel Device’s local and peer ID type and content must match the remote IPSec router’s peer and local ID type and content, respectively.
The Zyxel Device and remote IPSec router must use the same active protocol.
The Zyxel Device and remote IPSec router must use the same encapsulation.
The Zyxel Device and remote IPSec router must use the same SPI.
If the sites are/were previously connected using a leased line or ISDN router, physically disconnect these devices from the network before testing your new VPN connection. The old route may have been learned by RIP and would take priority over the new VPN connection.
To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other.
Before doing so, ensure that both computers have Internet access (via the IPSec routers).
It is also helpful to have a way to look at the packets that are being sent and received by the Zyxel Device and remote IPSec router (for example, by using a packet sniffer).
Check the configuration for the following Zyxel Device features.
The Zyxel Device does not put IPSec SAs in the routing table. You must create a policy route for each VPN tunnel. See Routing.
Make sure the To-Zyxel Device security policies allow IPSec VPN traffic to the Zyxel Device. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
The Zyxel Device supports UDP port 500 and UDP port 4500 for NAT traversal. If you enable this, make sure the To-Zyxel Device security policies allow UDP port 4500 too.
Make sure regular security policies allow traffic between the VPN tunnel and the rest of the network. Regular security policies check packets the Zyxel Device sends before the Zyxel Device encrypts them and check packets the Zyxel Device receives after the Zyxel Device decrypts them. This depends on the zone to which you assign the VPN tunnel and the zone from which and to which traffic may be routed.
If you set up a VPN tunnel across the Internet, make sure your ISP supports AH or ESP (whichever you are using).
If you have the Zyxel Device and remote IPSec router use certificates to authenticate each other, you must set up the certificates for the Zyxel Device and remote IPSec router first and make sure they trust each other’s certificates. If the Zyxel Device’s certificate is self-signed, import it into the remote IPSec router. If it is signed by a CA, make sure the remote IPSec router trusts that CA. The Zyxel Device uses one of its Trusted Certificates to authenticate the remote IPSec router’s certificate. The trusted certificate can be the remote IPSec router’s self-signed certificate or that of a trusted CA that signed the remote IPSec router’s certificate.
Multiple SAs connecting through a secure gateway must have the same negotiation mode.
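A side-by-side comparison of the two routers' settings can be scripted. This is an added example, not Zyxel code: the dictionary keys and sample values are hypothetical stand-ins for whatever you copy out of each router's VPN screens. It applies the matching requirements listed above, including the crossed local/peer ID check, and lists what the To-Zyxel Device security policies must allow.

```python
# Settings that must be identical on both IPSec routers (from the list above).
SAME_ON_BOTH = ["authentication_method", "negotiation_mode", "encryption",
                "authentication", "dh_group", "active_protocol",
                "encapsulation", "nat_traversal"]
SECRET = {"pre_shared_key"}  # compared, but never echoed in the report


def compare_tunnel(local, remote):
    """Return [(setting, local_value, remote_value)] for every mismatch."""
    keys = list(SAME_ON_BOTH)
    if local.get("authentication_method") == "pre-shared-key":
        keys.append("pre_shared_key")
    if "spi" in local or "spi" in remote:
        keys.append("spi")
    mismatches = []
    for key in keys:
        a, b = local.get(key), remote.get(key)
        if a != b:
            if key in SECRET:
                a = b = "<redacted>"
            mismatches.append((key, a, b))
    # IDs are crossed: this side's local ID must equal the other side's peer ID,
    # and this side's peer ID must equal the other side's local ID.
    for mine, theirs in (("local_id", "peer_id"), ("peer_id", "local_id")):
        if local.get(mine) != remote.get(theirs):
            mismatches.append((f"{mine} vs remote {theirs}",
                               local.get(mine), remote.get(theirs)))
    return mismatches


def to_device_services(cfg):
    """Traffic the To-Zyxel Device security policies must allow for this tunnel."""
    needed = {"udp/500"}                       # IKE
    if cfg.get("nat_traversal"):
        needed.add("udp/4500")                 # NAT traversal
    needed.add("ip-proto/50" if cfg.get("active_protocol") == "esp" else "ip-proto/51")
    return needed


# Constructed sample settings; every value here is illustrative.
HQ = {
    "authentication_method": "pre-shared-key", "negotiation_mode": "main",
    "encryption": "aes256", "authentication": "sha256", "dh_group": "dh14",
    "active_protocol": "esp", "encapsulation": "tunnel", "nat_traversal": True,
    "pre_shared_key": "constructed-secret-1",
    "local_id": ("dns", "hq.example.com"),
    "peer_id": ("dns", "branch.example.com"),
}
BRANCH = dict(HQ, negotiation_mode="aggressive",
              pre_shared_key="constructed-secret-2",
              local_id=("dns", "branch.example.com"),
              peer_id=("ipv4", "198.51.100.10"))

if __name__ == "__main__":
    for setting, ours, theirs in compare_tunnel(HQ, BRANCH):
        print(f"MISMATCH {setting}: {ours!r} / {theirs!r}")
    print("allow to device:", sorted(to_device_services(HQ)))
```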
The VPN connection is up but VPN traffic cannot be transmitted through the VPN tunnel.
If you have the Configuration > VPN > IPSec VPN > VPN Connection screen’s Use Policy Route to control dynamic IPSec rules option enabled, check the routing policies to see if they are sending traffic elsewhere instead of through the VPN tunnels.
I uploaded a logo to show in the SSL VPN user screens but it does not display properly.
The logo graphic must be GIF, JPG, or PNG format. The graphic should use a resolution of 103 x 29 pixels to avoid distortion when displayed. The Zyxel Device automatically resizes a graphic of a different resolution to 103 x 29 pixels. The file size must be 100 kilobytes or less. Transparent background is recommended.
I logged into the SSL VPN but cannot see some of the resource links.
Available resource links vary depending on the SSL application object’s configuration.
I cannot download the Zyxel Device’s firmware package.
The Zyxel Device’s firmware package cannot go through the Zyxel Device when you enable the anti-malware Destroy compressed files that could not be decompressed option. The Zyxel Device classifies the firmware package as not being able to be decompressed and deletes it.
You can upload the firmware package to the Zyxel Device with the option enabled, so you only need to clear the Destroy compressed files that could not be decompressed option while you download the firmware package. See Anti-Malware Screen for more on the anti-malware Destroy compressed files that could not be decompressed option.
I changed the LAN IP address and can no longer access the Internet.
The Zyxel Device automatically updates address objects based on an interface’s IP address, subnet, or gateway if the interface’s IP address settings change. However, you need to manually edit any address objects for your LAN that are not based on the interface.
I configured application patrol to allow and manage access to a specific service but access is blocked.
If you want to use a service, make sure the security policy allows Security Service application patrol to go through the Zyxel Device.
I configured policy routes to manage the bandwidth of TCP and UDP traffic but the bandwidth management is not being applied properly.
It is recommended to use application patrol instead of policy routes to manage the bandwidth of TCP and UDP traffic.
I cannot get the RADIUS server to authenticate the Zyxel Device’s default admin account.
The default admin account is always authenticated locally, regardless of the authentication method setting.
The Zyxel Device fails to authenticate the ext-user user accounts I configured.
An external server such as AD, LDAP or RADIUS must authenticate the ext-user accounts. If the Zyxel Device tries to use the local database to authenticate an ext-user, the authentication attempt will always fail. (This is related to AAA servers and authentication methods, which are discussed in other chapters in this guide.)
I cannot add the admin users to a user group with access users.
You cannot put access users and admin users in the same user group.
I cannot add the default admin account to a user group.
You cannot put the default admin account into any user group.
The schedule I configured is not being applied at the configured times.
Make sure the Zyxel Device’s current date and time are correct.
I cannot get a certificate to import into the Zyxel Device.
1 For My Certificates, you can import a certificate that matches a corresponding certification request that was generated by the Zyxel Device. You can also import a certificate in PKCS#12 format, including the certificate’s public and private keys.
2 You must remove any spaces from the certificate’s filename before you can import the certificate.
3 Any certificate that you want to import has to be in one of these file formats:
Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.
Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. A PKCS #7 file is used to transfer a public key certificate. The private key is not included. The Zyxel Device currently allows the importation of a PKCS#7 file that contains a single certificate.
PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form.
Binary PKCS#12: This is a format for transferring public key and private key certificates. The private key in a PKCS #12 file is within a password-encrypted envelope. The file’s password is not connected to your certificate’s public or private passwords. Exporting a PKCS #12 file creates this and you must provide it to decrypt the contents when you import the file into the Zyxel Device.
Note: Be careful not to convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default.
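A pre-import check for the points above, as an added example (not Zyxel code). It is a heuristic that looks only at the outer ASN.1 structure: it flags spaces in the filename, identifies the encoding and container type, and catches a binary file whose encoded length no longer matches its size, which is what a text-mode transfer produces. The sample byte strings are constructed structural stubs, not real certificates.

```python
import base64
import binascii
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
# Tag of the first element inside the outer SEQUENCE identifies the container:
# tbsCertificate SEQUENCE (X.509), contentType OID (PKCS#7), version INTEGER (PKCS#12).
INNER_TAG = {0x30: "X.509", 0x06: "PKCS#7", 0x02: "PKCS#12"}
# The five formats listed above.
ACCEPTED = {("binary", "X.509"), ("PEM", "X.509"), ("binary", "PKCS#7"),
            ("PEM", "PKCS#7"), ("binary", "PKCS#12")}


def outer_sequence(data):
    """Return (header_len, declared_len) of the outer SEQUENCE, or None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                  # short-form length
        return 2, first
    if first == 0x80:                 # BER indefinite length: size cannot be checked
        return 2, None
    count = first & 0x7F              # long form: next `count` bytes hold the length
    if len(data) < 2 + count:
        return None
    return 2 + count, int.from_bytes(data[2:2 + count], "big")


def preflight(filename, data):
    """Return the detected encoding, container kind and a list of problems."""
    problems = []
    if " " in filename:
        problems.append("filename contains spaces")
    match = PEM_RE.search(data)
    encoding = "PEM" if match else "binary"
    if match:
        try:
            data = base64.b64decode(b"".join(match.group(2).split()), validate=True)
        except binascii.Error:
            data = b""
            problems.append("PEM body is not valid Base-64")
    header = outer_sequence(data)
    kind = None
    if header and len(data) > header[0]:
        kind = INNER_TAG.get(data[header[0]])
        declared = header[1]
        if declared is not None and header[0] + declared != len(data):
            problems.append("encoded length does not match the data size; "
                            "file truncated or altered in transfer")
    if kind is None:
        problems.append("not an X.509, PKCS#7 or PKCS#12 structure")
    elif (encoding, kind) not in ACCEPTED:
        problems.append(f"{encoding} {kind} is not an accepted import format")
    return {"encoding": encoding, "kind": kind, "problems": problems}


def pem_wrap(label, der):
    return (b"-----BEGIN " + label + b"-----\n" + base64.b64encode(der)
            + b"\n-----END " + label + b"-----\n")


# Constructed stubs: correct outer structure only, no real certificate content.
X509_STUB = bytes.fromhex("300430020a0a")
PKCS7_STUB = bytes.fromhex("300306012a")
PKCS12_STUB = bytes.fromhex("3003020103")

if __name__ == "__main__":
    print(preflight("gw cert.pem", pem_wrap(b"CERTIFICATE", X509_STUB)))
    # Simulate a text-mode transfer that rewrites LF as CRLF inside a binary file.
    print(preflight("gw.cer", X509_STUB.replace(b"\n", b"\r\n")))
```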
I cannot access the Zyxel Device from a computer connected to the Internet.
Check the service control rules and to-Zyxel Device security policies.
I uploaded a logo to display on the upper left corner of the Web Configurator login screen and access page but it does not display properly.
Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less.
I uploaded a logo to use as the screen or window background but it does not display properly.
Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less.
The Zyxel Device’s traffic throughput rate decreased after I started collecting traffic statistics.
Data collection may decrease the Zyxel Device’s traffic throughput rate.
I can only see newer logs. Older logs are missing.
When a log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first.
The commands in my configuration file or shell script are not working properly.
In a configuration file or shell script, use “#” or “!” as the first character of a command line to have the Zyxel Device treat the line as a comment.
Your configuration files or shell scripts can use “exit” or a command line consisting of a single “!” to have the Zyxel Device exit sub command mode.
Include write commands in your scripts. Otherwise the changes will be lost when the Zyxel Device restarts. You could use multiple write commands in a long script.
Note: “exit” or “!” must follow sub commands if it is to make the Zyxel Device exit sub command mode.
See File Manager for more on configuration files and shell scripts.
I cannot get the firmware uploaded using the commands.
The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it.
My packet capture captured less than I wanted or failed.
The packet capture screen’s File Size sets a maximum size limit for the total combined size of all the capture files on the Zyxel Device, including any existing capture files and any new capture files you generate. If you have existing capture files you may need to set this size larger or delete existing capture files.
The Zyxel Device stops the capture and generates the capture file when either the capture files reach the File Size or the time period specified in the Duration field expires.
My earlier packet capture files are missing.
New capture files overwrite existing files of the same name. Change the File Suffix field’s setting to avoid this.
IP reputation doesn’t work on IPv6 addresses.
At the time of writing, IP reputation is only for IPv4 addresses. See Reputation Filter for more information.
The SecuReporter banner keeps showing up.
See SecuReporter Banner for more information.
Resetting the Zyxel Device
If you cannot access the Zyxel Device by any method, try restarting it by turning the power off and then on again. If you still cannot access the Zyxel Device by any method or you forget the administrator password(s), you can reset the Zyxel Device to its factory-default settings. Any configuration files or shell scripts that you saved on the Zyxel Device should still be available afterwards.
Use the following procedure to reset the Zyxel Device to its factory-default settings. This overwrites the settings in the startup-config.conf file with the settings in the system-default.conf file.
Note: This procedure removes the current configuration.
1 Make sure the SYS LED is on and not blinking.
2 Press the RESET button and hold it until the SYS LED begins to blink. (This usually takes about five seconds.)
3 Release the RESET button, and wait for the Zyxel Device to restart.
You should be able to access the Zyxel Device using the default settings.
Getting More Troubleshooting Help
Search for support information for your model at www.zyxel.com for more troubleshooting suggestions.