Solved

Unable to connect inbound traffic through 2nd WAN of firewall

Posted on 2011-09-27
Last Modified: 2012-08-13
We have a very odd problem with an SBS 2011 server system.

We have a ZyXel USG-50 firewall connected to two ADSL lines. Line 1 works perfectly, and SMTP, PPTP etc route inbound to the server.

However WAN 2 is configured with identical rules but does not work properly. If we disable WAN 1 interface then we can connect inbound using SMTP, VPN, FTP, whatever we like. As soon as WAN 1 is enabled, the firewall reports ACCESS FORWARD in the logs when we try to VPN on WAN 2, but nothing appears to hit the server. It seems that we have a NAT issue but I am at a loss on this.

Can anyone throw some ideas this way? I have tried everything I can think of!
Question by:hfnet
11 Comments
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 36709456
It sounds like the firewall is set up in some kind of active/standby mode for the WAN and either not configured for or not able to load balance with the two links.
0
 
LVL 12

Expert Comment

by:kadafitcd
ID: 36709492
Some of these Zyxel USGs only use the WAN2 as a failover and when WAN1 is active it takes all of the incoming requests/sessions.  I'm not positive on your model.  One thing I'm sure of is that Zyxel has probably the best tech support team I've ever dealt with.  They are willing to remote into the USG and troubleshoot your problems for you and fix it.  Your best bet would be to call them and make sure it is possible and if it is they can help you accomplish it.
Zyxel Support

Good Luck HTH.
0
 
LVL 4

Author Comment

by:hfnet
ID: 36709526
It's set up in active/active mode and we're using WRR (Weighted Round-Robin), having tried LLF (Least Load First) with no luck. ZyXel WAN config
0
 
LVL 4

Author Comment

by:hfnet
ID: 36709724
Well I've been on the phone with ZyXel for over half an hour and they have not been able to offer any advice except to upgrade the firmware...
0
 
LVL 12

Expert Comment

by:kadafitcd
ID: 36709786
So why wouldn't you upgrade your firmware?  They upgrade their firmware to fix problems with it.  Maybe it is a problem...
0
 
LVL 4

Author Comment

by:hfnet
ID: 36710091
It's not a problem updating the firmware, but I am not onsite at the moment to do it. However, if WAN 2 works when you disable WAN 1, that would say that there is possibly a problem with routing that someone may have seen before. But I am quite happy closing the question off.
0
 
LVL 12

Expert Comment

by:kadafitcd
ID: 36710274
I wouldn't close the question until you get it fixed.  If the firmware upgrade fixes it then go ahead and close it.  We are here to help.  I have seen the problem you are talking about and it is usually because the gateway is set to failover mode and basically pushes everything through the primary WAN1.  But as you've shown that it isn't then maybe there is a problem with the firmware.  That is all.  I do still think Zyxel's support is really good.
0
 
LVL 4

Author Comment

by:hfnet
ID: 36710366
Well I am hopefully going onsite tomorrow morning, so we'll see what happens.

Thanks all for your help so far.
0
 
LVL 4

Accepted Solution

by:
hfnet earned 0 total points
ID: 36999857
Just an update to close this question; we were unable to do what we needed with the ZyXel, but when we put a Sonicwall TZ200 in, it worked correctly first time. Seems to be something wrong with the ZyXel.

Thanks all.
0
 
LVL 33

Expert Comment

by:digitap
ID: 37693334
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
