Chapter 48 Troubleshooting
UAG5100 User’s Guide
• The UAG may not determine the proper IP address if there is an HTTP proxy server between the
UAG and the DDNS server.
I cannot create a second HTTP redirect rule for an incoming interface.
You can configure only one HTTP redirect rule for each (incoming) interface.
The UAG keeps resetting the connection.
If an alternate gateway on the LAN has an IP address in the same subnet as the UAG’s LAN IP
address, return traffic may not go through the UAG. This is called an asymmetrical or “triangle”
route. This causes the UAG to reset the connection, as the connection has not been acknowledged.
You can set the UAG’s firewall to permit the use of asymmetrical route topology on the network (so
it does not reset the connection) although this is not recommended since allowing asymmetrical
routes may let traffic from the WAN go directly to the LAN without passing through the UAG. A
better solution is to use virtual interfaces to put the UAG and the backup gateway on separate
subnets. See Asymmetrical Routes on page 247 and the chapter about interfaces for more
information.
I cannot set up an IPSec VPN tunnel to another device.
If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the
IPSec routers. Log into both ZyXEL IPSec routers and check the settings in each field methodically
and slowly. Make sure both the UAG and remote IPSec router have the same security settings for
the VPN tunnel. It may help to display the settings for both routers side-by-side.
Here are some general suggestions. See also
.
• The system log can often help to identify a configuration problem.
• If you enable NAT traversal, the remote IPSec device must also have NAT traversal enabled.
• The UAG and remote IPSec router must use the same authentication method to establish the IKE
SA.
• Both routers must use the same negotiation mode.
• Both routers must use the same encryption algorithm, authentication algorithm, and DH key
group.
• When using pre-shared keys, the UAG and the remote IPSec router must use the same pre-shared key.
• The UAG’s local and peer ID type and content must match the remote IPSec router’s peer and
local ID type and content, respectively.
• The UAG and remote IPSec router must use the same active protocol.
• The UAG and remote IPSec router must use the same encapsulation.
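
The checklist above can be run as a side-by-side comparison of the two routers' settings. The following is an added example, not part of the original guide or ZyXEL software; the field names and sample values are assumptions constructed for illustration, and the settings are assumed to have been copied by hand from each router's VPN screens.

```python
import hmac
from dataclasses import dataclass
@dataclass
class TunnelSettings:          # hypothetical field names, not UAG config keys
    nat_traversal: bool
    auth_method: str           # "psk" or "certificate"
    negotiation_mode: str      # "main" or "aggressive"
    encryption: str
    authentication: str
    dh_group: str
    active_protocol: str       # "ESP" or "AH"
    encapsulation: str         # "tunnel" or "transport"
    pre_shared_key: str
    local_id: tuple            # (ID type, content)
    peer_id: tuple             # (ID type, content)

# Settings the checklist says must be identical on both routers.
MUST_MATCH = ("auth_method", "negotiation_mode", "encryption",
              "authentication", "dh_group", "active_protocol", "encapsulation")

def find_mismatches(uag, remote):
    """Return one 'field: detail' string per checklist item that fails."""
    problems = []
    if uag.nat_traversal and not remote.nat_traversal:
        problems.append("nat_traversal: enabled on UAG, disabled on remote")
    for name in MUST_MATCH:
        a, b = getattr(uag, name), getattr(remote, name)
        if a != b:
            problems.append(f"{name}: UAG={a!r} remote={b!r}")
    # Compare keys without ever writing them into the report.
    if uag.auth_method == "psk" and not hmac.compare_digest(
            uag.pre_shared_key.encode(), remote.pre_shared_key.encode()):
        problems.append("pre_shared_key: values differ")
    # IDs are checked crosswise: the UAG's local ID is the remote's peer ID.
    if uag.local_id != remote.peer_id:
        problems.append(f"local_id: UAG local {uag.local_id} != remote peer {remote.peer_id}")
    if uag.peer_id != remote.local_id:
        problems.append(f"peer_id: UAG peer {uag.peer_id} != remote local {remote.local_id}")
    return problems

# Constructed sample settings for illustration only.
UAG = TunnelSettings(True, "psk", "main", "AES128", "SHA1", "DH2", "ESP", "tunnel",
                     "example-key-1", ("IP", "192.0.2.1"), ("IP", "198.51.100.1"))
REMOTE = TunnelSettings(True, "psk", "aggressive", "AES128", "SHA1", "DH5", "ESP", "tunnel",
                        "example-key-1", ("IP", "198.51.100.1"), ("DNS", "uag.example.com"))

if __name__ == "__main__":
    for line in find_mismatches(UAG, REMOTE):
        print(line)
```

The report names a pre-shared key mismatch without printing either key, so the output can be pasted into a ticket.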