USG 110 - SSL VPN - policy route

Hello everyone,

Sorry - I checked so many settings and it is still not working, maybe someone knows what to do.

I want to set up an SSL VPN tunnel. We are already using two IPSec tunnels and L2TP tunnels.

Main problem of the SSL VPN tunnel is - no traffic is coming back!

I checked the default SSL VPN policies, changed them a lot of times - but nothing is working.

Internal router IP: (lan1)

Internet net:

SSL VPN range:

SSL VPN Gateway:

I checked the connection with Wireshark.

As an example, if I try to get access to server, port 80 - the packet capture tool/Wireshark is always trying to send the packets (TCP Retransmission).

Source:, Destination - TCP Retransmission

Source:, Destination - TCP Retransmission

Added policies:

From SSL_VPN to any, Source any, Dest. any, allow

From SSL_VPN to ZyWall, Source any, Dest. any, allow

Added policy routes:

Incoming any, Source SSL VPN Range, Destination any, Next-Hop auto

Incoming any, Source any, Destination SSL VPN Range, Next-Hop auto

I would be very thankful if someone has further ideas.

Thanks a lot and best regards


All Replies

  • Zyxel_Cooldia Zyxel Official Agent Posts: 698  mod

    Hi @David582

    Welcome to Zyxel Community. 😀

    The SSL VPN Gateway IP address should not be within SSL VPN range.

    You can change Network Extension Local IP to default IP and try it again.

    CONFIGURATION > VPN > SSL VPN > Global Setting

  • David582 Member Posts: 3
    edited August 20, 2019 5:12PM

    Hello @Zyxel_Cooldia

    Thanks a lot for your reply!

    I changed the GW - but still no change.

    Tunnel is connecting and I can ping/access the router (local IP), but no other server in the local net.

    By the way.. I am using the latest SecuExtender, version 4.03 and

    the latest USG 110 firmware, V4.33(AAPH.0).

    Again, thanks - best regards


    Edit: Picture of log firewall attached.

  • Zyxel_Cooldia Zyxel Official Agent Posts: 698  mod

    Hi @David582

    There is no need to add a policy route for SSL VPN connection in USG.

    Please delete policy route related to SSL VPN (or subnet), and try it again.

  • Oha - I was sure that there is only a "small" problem - but I couldn't find it.

    Thanks for your reply. I deleted all policy routes related to SSL VPN. First there was no change - but then I saw that "Use IPv4 Policy Route to Override Direct Route" was activated. I don't know why and I don't know why I did not see that till now. After deactivating it, the SSL tunnel was able to get access to the local net (

    If it is ok for - another small question.

    It would be nice if the SSL VPN tunnel can access some server through an IPSec tunnel ( For this I need a policy route, correct?! Tried it with:

    SSL VPN --> USG 110 --> IPSec

    Incoming SSL VPN, Source any, Destination IPSec range, Next-Hop IPSec Tunnel.

    Thanks and best regards, have a nice day


  • Zyxel_Cooldia Zyxel Official Agent Posts: 698  mod
    edited August 21, 2019 4:54PM