USG 1100 critical issue - after upgrading from v4.31 to v4.33 routing from/to vlans stops working

imaohw

I upgraded a USG 1100 from v4.31 to v4.33 (on the way to v4.35) and routing from and to  vlans stopped working.

Once I upgraded to v4.33 the following routing scenarios (which work with firmware v4.31) stopped working:
- ping the USG from a device on a vlan
- access the internet from a device on a vlan
- ping from any device on a vlan to a device on a lan
- ping from any device on a lan to a device on a vlan  
- ping from any device on a vlan to a device on another vlan
- device on a vlan can not get an IP address from DHCP

The following routing scenarios continued to work as expected on v4.33:
- ping the USG from a device on a lan 
- access the internet from a device on a lan
- ping from any device on a lan to a device on another lan 
- device on a lan can get an IP address from DHCP

All network devices get their IP address from DHCP which is configured on the USG for each lan and vlan utilizing IP/MAC binding.  In my list above a device described as on a "lan" has network traffic which is untagged and gets its IP address from the subnet defined on the Ethernet tab of Network/Interface of USG. In my list above a device described as on a "vlan" has network traffic which is tagged with a vlan and gets its IP address from the subnet defined on the VLAN tab of Network/Interface of USG. 

When I roll the USG 1100 back to v4.31 (without any other changes) everything starts working again.

I'm happy to provide any additional information to get this critical issue resolved.  Currently the USG 1100 is back on 4.31. I have several other USGs and Zywalls that are waiting to be upgraded but I am holding off until this problem is fixed.

Zyxel_Emily

Hi @imaohw,

Yes, you can upgrade directly from v4.31 to v4.35.

In the following example, the original firmware of the running partition is 4.31. 

Running – 4.31

You can upload 4.35 to the standby partition and reboot the device. 

The firmware in the running partition now is 4.35. The firmware 4.31 is still kept in standby partition.

Standby – 4.31

Running – 4.35

PeterUK

Going to V4.33 for a VLAN what zone have you selected?

Form a device with static IP on the VLAN when you ping the internet (8.8.8.8) does it show as blocked in the logs?

try changing on the VLAN interface type from internal to general

imaohw

@PeterUK - thanks for responding. No changes in the configuration have been made from v4.31 to v4.33.  Different vlans are in different zones depending on the security policy that needs to be applied to traffic on that vlan.  See example below:



Interestingly there are no log entries for traffic from the vlan (I tried pinging 8.8.8.8) even when there is a security policy for all traffic in that zone set to log.  It is as if the USG is not "seeing" the traffic from vlans.

I will try changing the interface type to general.  Any particular reason for that suggestion?

PeterUK

Changing the interface type to general is a mix of external and internal and maybe there is a bug with VLAN's and internal unlikely but you never know.

Maybe a bug or change with – or _ try with base port without – or guest and Zone without _ names you may have to remove the VLAN and add it back in on V4.33

imaohw

@PeterUK - Thanks, I’ll play around and see if I can find a way to get it working. Although I would rather the issue be fixed.

Hopefully someone from Xyxel can take a look at it.

Zyxel_Emily

Hi @imaohw,

The firmware 4.35 has no such issue, so upgrade to 4.35 and try it again.

imaohw

@Zyxel_Emily - can I upgrade directly from v4.31 to v4.35?

I would like to keep v4.31 on the USG so I can roll back to a known working firmware if I need to.

Zyxel_Emily

Hi @imaohw,

Yes, you can upgrade directly from v4.31 to v4.35.

In the following example, the original firmware of the running partition is 4.31. 

Running – 4.31

You can upload 4.35 to the standby partition and reboot the device. 

The firmware in the running partition now is 4.35. The firmware 4.31 is still kept in standby partition.

Standby – 4.31

Running – 4.35