jimmyaolco
@63.228.92.x

Anon

310 woes

Got a weird issue going on with Zyxel's 310. I cannot get to my Bomgar remote appliance when behind a 310 (www.bomgar.com). Behind a usg50, usg300, usg20/20w--works flawlessly. Behind a $40 Netgear from Wal-Mart works. Bomgar uses 443 TCP--no firewall rules filtering this and nothing in logs shows denied or blocked traffic.

I have a case open with Zyxel and it's been escalated to tier 2. So far I haven't heard anything.

Any ideas? I'm stuck.

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON

Is the Bomgar on WAN or LAN side of the USG?
JPedroT
Premium Member
join:2005-02-18

to jimmyaolco
Tried the packet capture feature on the USG? It can help you narrow down your issue.
gb5102
join:2003-10-07
Saint Paul, MN

Member

Any difference if you change the ZyWALL HTTPS management port to an alternate? (System>WWW)
By default the mgmt interface runs on 443, maybe something is causing it to conflict?

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Check the default firewall rules as well.
I will pay for shipping of the 310 to my house if you no longer want it. ))))
gb5102
join:2003-10-07
Saint Paul, MN

Member

said by Anav:

Check the default firewall rules as well.

and make sure all 'deny' rules have logging enabled

jimmyaolco
@comcastbusiness.net

Anon

changed Zyxel 443 to 4343--no change

I did do a diagnostic capture and sent this to Zyxel. it's full of nasty stuff regarding traffic to Bomgar. this works fine under a 110---they say nothing is different other than hardware between a 110 and 310

Bomgar is on WAN side of 310

default firewall rules look good
jimmyaolco

Anon

I have tried this behind 3 different 310s at 3 different locations with 3 different ISPs. again, behind any other FW it works. flashed the FW to the original--no change. reset to factory and only set WAN static--no change.

this sux.
gb5102
join:2003-10-07
Saint Paul, MN

Member

said by jimmyaolco :

this sux.

definitely agree with you- this would be VERY frustrating, should be such a simple task...

-I wonder if it would make any difference if you change the internal port on the Bomgar unit to some random port, then on the 310- forward external 443 to internal [random port]. I know it's a workaround not a fix...

-I wonder if this is specific to the Bomgar traffic, or if any internal device using 443 would exhibit this behavior. Any way you could try to forward 443 to a different device on your LAN temporarily to test? Maybe an AP or some other device using 443?

jimmyaolco
@comcastbusiness.net

Anon

Bomgar has its own public static and is not behind a firewall--direct to the internet.

we did change the Bomgar ports from 443 to 8200 (still using SSL, which is required and cannot be changed) no change--still doesn't work.

I can't forward external 443 because all other legit 443 traffic would break.

Bomgar analyzed their logs and say it's on Zyxel's end. they can't do anything to assist. how the hell did this thing make it to the market?

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON

Please provide a diagram of your network. I can't picture it from your descriptions and as such it's quite hard to give you advice.
JPedroT
Premium Member
join:2005-02-18

to jimmyaolco
And feel free to share the packet capture also

jimmyaolco
@billposs.com

Anon

diag_zysh.dbg.zip
38,353 bytes
  
attached is shitty network diagram and debug logs from the 310. what pisses me off is that it is very clear there are issues with the Zyxel going to/from the Bomgar box. they aren't even really responding--either I'm annoying the hell out of them to fix this or they realize there is an issue and don't have a solution
gb5102
join:2003-10-07
Saint Paul, MN

Member

OK so now I think I understand your setup- for some reason I was thinking the Bomgar is behind a 310, but in fact the client is behind the 310 making an outgoing connection to the Bomgar(remote IP address on wan side of 310). Basically exactly what you stated, but it took a while for the light bulb to illuminate on this end...

you said the log is "full of nasty stuff regarding traffic to Bomgar". Can you point out an example? nothing really caught my eye on a quick scan of the debug log

unfortunately I can't think of anything at this point, this is definitely a stupid problem that should not happen...and even worse that you seem to be getting nowhere with ZyXEL support
gb5102

Member

also some packet captures on your 310 might shed some light. I would do a capture of the Bomgar traffic on both the LAN and WAN interface of the 310

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON

to jimmyaolco
Please do packet capture on your WAN side. As far as I can tell from the debug file you have two WAN connections
WAN1 - 173.8.225.168 and WAN2_ppp - 207.225.112.7

I'm guessing based on the port number from the log that the Bomgar's IP is 50.76.136.114
Then the log has a few errors like this:
fp_invalid_pkt_dump(): slowpath goes to wrong core0 (bound core2) in hooknum 0, vpnid= 0/0, TCP 50.76.136.114:8200-173.8.225.168
which I have no idea what it means.

That said, please do packet capture and post back.
Also, try to use only one WAN connection for the test (try both but always disable the other one).

Also, when you changed the port to 8200 did you explicitly type in https://? Otherwise the browser will just use http:// by default.

If you did any forwarding for port 8200 delete it, it's not needed for LAN-to-WAN access.
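
Added example, not part of the thread or any poster's code: a Python parser for the fp_invalid_pkt_dump line quoted above that tallies how often each left-hand endpoint and each core mismatch appears in a debug log, which shows whether only the Bomgar address is affected. The first sample line is the one quoted in the thread; the others are constructed, and treating the left-hand address as the packet's source is an assumption.

```python
import re
from collections import Counter

# Matches the debug line quoted in the thread. The right-hand port is optional
# because the quoted line ends at the right-hand address.
LINE_RE = re.compile(
    r"fp_invalid_pkt_dump\(\): slowpath goes to wrong core(?P<got>\d+) "
    r"\(bound core(?P<bound>\d+)\) in hooknum (?P<hook>\d+), "
    r"vpnid= (?P<vpnid>[^,]+), (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?-(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)
INT_FIELDS = ("got", "bound", "hook", "sport", "dport")

# Line 1 is quoted in the thread; lines 2-4 are constructed (RFC 5737 addresses).
SAMPLE_LOG = """\
fp_invalid_pkt_dump(): slowpath goes to wrong core0 (bound core2) in hooknum 0, vpnid= 0/0, TCP 50.76.136.114:8200-173.8.225.168
fp_invalid_pkt_dump(): slowpath goes to wrong core1 (bound core2) in hooknum 0, vpnid= 0/0, TCP 50.76.136.114:8200-173.8.225.168
fp_invalid_pkt_dump(): slowpath goes to wrong core0 (bound core3) in hooknum 0, vpnid= 0/0, TCP 192.0.2.10:443-198.51.100.7:51515
some unrelated debug line
"""

def parse_line(line):
    """Return the fields of one fp_invalid_pkt_dump line, or None if no match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def summarize(lines):
    """Tally matches per left-hand endpoint and per (got, bound) core pair."""
    by_endpoint, core_pairs, skipped = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        by_endpoint[(rec["proto"], rec["src"], rec["sport"])] += 1
        core_pairs[(rec["got"], rec["bound"])] += 1
    return {"by_endpoint": by_endpoint, "core_pairs": core_pairs, "skipped": skipped}

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines())
    for (proto, src, sport), n in result["by_endpoint"].most_common():
        print(f"{n:4d}  {proto} {src}:{sport}")
    print("core pairs:", dict(result["core_pairs"]))
```

Run against the real debug log, a tally dominated by one endpoint points at a single flow, while many unrelated endpoints would suggest the message is not specific to the Bomgar traffic.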