


Firmware Release Note

Release 2.20(AQQ.3)

© Copyright 1995-2010, ZyXEL Communications Corp. All rights reserved. 1/95


Release 2.20(AQQ.3)

Release Note

Date: October 28 2010

Supported Platforms:

ZLD Version: V2.20(AQQ.3) | 2010-10-28
BootModule Version: V1.12 | 11/17/2009 18:05:22

Files contained in the release ZIP file

File name: 220AQQ3C0.bin
Purpose: This binary firmware image file is for normal system update.
Note: The firmware update may take five or more minutes depending on the scale of the device
configuration. A more complex configuration takes more time to update. Do not turn off or
reset the ZyWALL while the firmware update is in progress. The firmware might get damaged if
the device loses power or you reset the device during the firmware upload. You might need to refer to
Appendix 3 of this document to recover the firmware.

File name: 220AQQ3C0.conf

Purpose: This ASCII file contains default system configuration commands.

File name: 220AQQ3C0.db

Purpose: This binary file contains default system signatures.
Note: The file is only needed when doing system recovery from damage.

File name: 220AQQ3C0.pdf

Purpose: This release note document.


File name: 220AQQ3C0.ri

Purpose: This binary firmware recovery image file is for emergency recovery from system firmware
damage only.
Note: The ZyWALL firmware could be damaged, for example by the power going off or the
Reset button being pressed during a firmware update.

File name: 220AQQ3C0-enterprise.mib, 220AQQ3C0-private.mib

Purpose: The Enterprise and Private MIBs are to collect information about CPU and memory
usage and VPN total throughput. The focus of the MIBs is to let administrators collect statistical
data and monitor status and performance.

File name: firmware.xml

Purpose: This file is needed by ZyXEL Centralized Network Management (CNM) 3.0 or later.

Read Me First
1. The system default configuration is summarized below:
- The default device administration username is “admin” and the password is “1234”.
- The default LAN interface is lan1, which comprises ports P3, P4 and P5 on the front panel.
The default IP address of lan1 is
- By default, the WWW/SSH/SNMP services can only be accessed from the LAN subnet.
- The default WAN interface is wan1, and the secondary WAN interface is wan2. By default, these
two interfaces automatically obtain their IP addresses using DHCP.
2. It is recommended that the user back up the “startup-config.conf” file before upgrading the
firmware. The backup configuration file can be used if the user wants to downgrade to an older
firmware version.
3. If the user upgrades from a previously released firmware to this version, there is no need to restore
the system default configuration.
4. If it is difficult to configure the device via the GUI (pop-up JavaScript errors, etc.), it is recommended
to log out of the configuration window and clear the browser cache first, then try to log in and configure again.
5. To reset the device to the system default, press the RESET button for 5 seconds; the device
will reset itself to the system default configuration and then reboot automatically.
- Note 1: After resetting, the original configuration will be removed. It is recommended to
back up the configuration before performing this operation.
- Note 2: After resetting, if the user has subscribed to security licenses, the user needs to connect
to internet with and refresh license information.
6. If the device fails to reboot successfully after a firmware upgrade, please refer to Appendix 3:
Firmware Recovery.


Known Issues:

1. [SPR: 091022383] Since F/W version 2.11
[Symptom] SSLVPN stops working if the case below is true
1) Configure one SSLVPN policy and activate the Network Extension
2) Add network A into Network List
3) User logs in to SSLVPN from network A
4) The SSLVPN cannot be established and cannot work anymore
[Workaround] Reboot DUT and remove network A from Network List
2. [SPR: 091021328] Since F/W version 2.20
[Symptom] SecuExtender agent cannot be launched in Windows Vista and Windows 7 if the
“Computer Management/Services and Applications/Services/ZyWALL SecuExtender Helper”
is disabled on the user's computer before the user tries to log in to SSLVPN.
[Workaround] Enable ZyWALL SecuExtender Helper before you try to log in to SSLVPN
3. [SPR: 090901070] Since F/W version 2.11
[Symptom] Microsoft RDP Client Control may not work after the user installs MS
KB958469/958470/958471/956744. When using the SSL VPN RDP function, after the user installs Remote
Desktop Client Control (, some PCs may show a JavaScript error.
This problem is caused by MS KB958469/958470/958471/956744. When the user has never used the RDP
ActiveX control and installs KB958469/958470/958471/956744, Windows will block the installer.

To solve this problem, the user can reinstall KB958469/958470/958471/956744 after
failing to install msrdp.ocx. Go to the Windows Update site;
KB958469/958470/958471/956744 will reappear on the web site. To install the RDP function
could be used.
For more information, see the Microsoft Support site:
4. [SPR: 100427864] Since F/W version 2.11
[Symptom] ActiveX cannot be installed successfully when using the SSLVPN RDP function
1) PC environment: Windows XP with SP3, using IE7 as browser.
2) Edit Object > SSL Application, add rules
- Type=Web Application, Server Type=RDP, Name=RDP_Windows
3) Create one SSLVPN policy which selects the SSL Application we created
4) Log in to SSL VPN; the RDP_Windows portal cannot be opened with Full Screen and 32-bit color.
5) The GUI will continuously ask the user to install the terminal services ActiveX Client
This is because IE7 doesn't allow previously unused ActiveX controls to run by default. We
need to change the default behavior to allow ActiveX controls in IE7. See the procedure below
1) Click Tools > Internet Options
2) Select Security tab
3) Select Internet Zone and click “Custom level”
4) Enable the ActiveX option “Allow previously unused ActiveX controls to run without
5. [SPR: 080430468] Since F/W version 2.11
[Symptom] Cannot install SSL VPN RDP web component in Vista and WIN 2000
[Workaround] Windows XP SP3/RDP 6.1 breaks RDP connection through Internet Explorer.
Following is the SSL VPN RDP limitation table.
Operation System \ Application | Reverse Proxy Mode: RDP / VNC | Reverse Proxy Mode: Web-based Application | Full Tunnel Mode
Windows XP SP3, JRE 1.6_18 | Internet Explorer 7.0, 8.0+; Firefox 3.5 (RDP: not support; VNC: Passed) | Internet Explorer 7.0, 8.0+ (Passed); Firefox 3.5 | Internet Explorer 7.0, 8.0+ (Passed); Firefox 3.5 (Passed)
Windows Vista SP1, JRE 1.6_18 | Internet Explorer 7.0, 8.0+; Firefox 3.5 (RDP: not support; VNC: Passed) | Internet Explorer 7.0, 8.0+ (Passed); Firefox 3.5 | Internet Explorer 7.0, 8.0+ (Passed); Firefox 3.5 (Passed)
Windows 7, JRE 1.6_18 | Internet Explorer 8.0+ (Passed); Firefox 3.5 (RDP: not support; VNC: Passed) | Internet Explorer 8.0+ (Passed); Firefox 3.5 | Internet Explorer 8.0+ (Passed); Firefox 3.5 (Passed)
Linux OS | RDP : not support, | Firefox 3.5 | No Support
Apple MAC OS 10.4, JRE 11.9 | Safari 4 + (Passed) | No Support | No Support
Apple MAC OS 10.5, JRE 12.5 | Safari 4 + (Passed) | No Support | No Support

6. [SPR: 100210906] Since F/W version 2.20

[Symptom] Web Server cannot work with SSLVPN if Web Page Encryption is disabled in Web
1) Create an SSL Application which is Web Application Type
2) Disable Web Page Encryption in this SSL Application object
3) Create one SSLVPN policy with this SSL Application object
4) Log in to SSLVPN
5) The link on the SSLVPN portal cannot work
Do not disable Web Page Encryption in the SSL Application object when using Web
7. [SPR: 100212995] Since F/W version 2.20
[Symptom] Firefox will have no response in a specific case
1) OSX 10.4 + Firefox 3.5.7 + J2SE 5.0
2) Log in to SSLVPN with EPS checking
3) An error message “Unsupported OS” will pop up and EPS checking cannot finish
8. [SPR: 100421301] Since F/W version 2.11
[Symptom] Web content cannot be displayed correctly via Reverse Proxy after logging in to SSLVPN
1) Create one SSL application with OWA type
2) Create one SSLVPN policy with the SSL Application we just created
3) Log in to SSLVPN via Firefox
4) Access the OWA server via SSLVPN portal
5) Select one mail and display its content
6) Log out of SSLVPN
7) Repeat steps 3) ~ 5) and the mail content might sometimes not be displayed correctly
[Workaround] Clear the browser cache/cookies before logging in to SSLVPN again


1. Hardware limitation for WEP Encryption. Since F/W version 2.20
When more than 1 virtual AP is created with WEP encryption and the virtual APs use the
same key index, ZyWALL will use Software mode to encrypt the data. This will highly impact
WLAN performance.
Take ZyWALL USG 100 for example:
1) Enable Super Mode + 2 Virtual AP with WEP encryption and same key index
Software Mode Encryption for the 2 Virtual AP: 1~2 Mbps
2) Disable Super Mode + 2 Virtual AP with WEP encryption and same key index
Software Mode Encryption for the 2 Virtual AP: 16~17 Mbps
3) Enable Super Mode + 1 Virtual AP with WEP encryption
Hardware Mode Encryption for the Virtual AP: 27~28 Mbps
4) Disable Super Mode + 1 Virtual AP with WEP encryption
Hardware Mode Encryption for the Virtual AP: 21~22 Mbps
2. Software limitation for WEP encryption. Since F/W version 2.20
Virtual AP needs to be disabled and enabled to use Hardware mode encryption in below
1) Create and activate two Virtual AP wlan-1, wlan-2 using WEP and same key index
2) Disable or remove one of the 2 Virtual AP, say wlan-1
3) wlan-2 will still use SW mode for packet transformation
4) To get Hardware mode packet encryption, we need to disable and enable wlan-2

1. [SPR: 070813118] Since F/W version 2.00
[Symptom] ZyWALL has a limit on concurrent sessions for ZIP and RAR
decompression. If the limit has been reached (typically in HTTP traffic), the event is
logged and the action depends on whether the checkbox (Destroy compressed files that could not be
decompressed) is checked. If checked, compressed files would be destroyed, otherwise,
Unchecked the option of “Destroy compressed files that could not be decompressed” in the AV

Device HA:
1. [SPR: 071127734] Since F/W version 2.10
[Symptom] PC client may be temporarily unable to connect to the Device-HA backup device after
the backup takes over for the master.
[Workaround] The virtual MAC address will be switched to the backup device, and some PC clients
do not accept GARP notification, so the PC client may need to wait for its ARP entry to time out or
refresh it manually.
2. [SPR: 100119576] Since F/W version 2.12
[Symptom] Preemption in device-ha AP mode cannot work when authentication is MD5
1) DUT1 enable device-ha, device role = backup, priority = 5, enable preemption, cluster id =
1, authentication = md5, password = 11111111, active interface = ge1, ge3
2) DUT2 enable device-ha, device role = backup, priority = 1, enable preemption, cluster id =
1, authentication = md5, password = 11111111, active interface = ge1, ge3
3) When DUT1 status is active and DUT2 is standby, disconnect the cable on DUT1's ge3.
4) The HA status will become DUT1: Fault, DUT2: Active
5) Connect the cable on DUT1's ge3; the HA status is DUT1: standby, DUT2: active, but DUT1
should take the active role back
Do not use authentication for Device HA

User Aware:
1. [SPR: 070202237] Since F/W version 2.00
[Symptom] An access user could gain access rights after signing in to ZyWALL (if properly
configured) and log out when he doesn't need to access the network resources anymore. But
sometimes the user stays in the signed-in state after closing the access window directly, and the
resources could still be accessible.
[Workaround] For access users, use the logout button to log out instead of closing the window directly.
For administrators, enable user lease/idle detection for access users.
2. [SPR: 070813119] Since F/W version 2.00
[Symptom] Device supports authenticating users remotely by creating an AAA method which
includes AAA servers (LDAP/AD/Radius). If a user uses an account which exists in 2 AAA
servers and supplies the correct password for the latter AAA server in the AAA method, the
authentication result depends on what the former AAA server is. If the former server is Radius,
the authentication would be granted, otherwise, it would be rejected.
[Workaround] Avoid having the same account in AAA servers within a method.
3. [SPR: 100106335] Since F/W version 2.20
[Symptom] EPS checking will fail for Windows Server 2008R2
1) Add an Auth. Policy rule with EPS checking for Windows Auto Update on Windows
Server 2008R2
2) Log in to DUT via GUI from Windows Server 2008 R2 64-bit on which Windows Auto Update
is enabled
3) The EPS checking will fail

1. [SPR: 090918600] Since F/W version 2.12
[Symptom] Cellular interface cannot connect if the authentication password is empty
2. [SPR: 100105242, 100105292] Since F/W version 2.12
[Symptom] PPTP might not be able to connect successfully if it is configured via Installation
Wizard/Quick Setup. This is because 1) Installation Wizard/Quick Setup only allows the PPTP
based interface to be configured with Static IP. 2) Installation Wizard/Quick Setup doesn't
allow the user to configure the PPTP based interface's Gateway IP Address. This may cause PPTP
to fail to connect if the PPTP Server IP is not in the same subnet as PPTP's based
[Workaround] Before dialing the PPTP connection, configure the Gateway IP of the PPTP interface's
based interface

Built-in Service:
1. [SPR: 061208575] Since F/W version 2.00
[Symptom] If users change port for built-in services (FTP/HTTP/SSH/TELNET) and the port
conflicts with other service or internal service, the service might not be brought up
successfully. The internal service ports include 10443/1723/1701/2601-2604. Users should
avoid using these internal ports for built-in services.
[Workaround] Users should avoid using these internal ports for built-in services.
1. [SPR: 070814168] Since F/W version 2.00
[Symptom] VPN tunnel could not be established when 1) a non-ZyWALL peer gateway
reboots and 2) ZyWALL has a previously established Phase 1 with the peer gateway, and the Phase 1
has not yet expired. Under those conditions, ZyWALL will continue to use the previous Phase 1
SA to negotiate the Phase 2 SA. This results in the Phase 2 negotiation failing.
[Workaround] User could disable and re-enable the Phase 1 rule in ZyWALL or turn on the DPD
function to resolve the problem.
2. [SPR: 070814169] Since F/W version 2.00
[Symptom] PKI does not interoperate with Windows CA server, when using SCEP.
3. [SPR: 100428888] Since F/W version 2.20
[Symptom] GUI might hang under certain conditions
1) Reset to factory default configuration
2) Configure one VPN Connection properly and build it up
3) Enter GUI page Monitor > VPN Monitor > IPSec
4) Disconnect the VPN tunnel we just established
5) After the VPN tunnel is disconnected successfully, the “Disconnect” icon can still
be clicked. It should not be clickable since there is no VPN tunnel established
6) If we click “Disconnect” when there is no VPN tunnel established, the GUI will hang
[Workaround] We may need to log in to the GUI again for further configuration
4. [SPR: 100429119] Since F/W version 2.11
[Symptom] VPN tunnel might be established with incorrect VPN Gateway
1) Prepare 2 ZyWALL and reset to factory default configuration on both ZyWALLs
2) On ZyWALL-A
(1) Create 2 WAN interfaces and configure WAN1 as DHCP Client
(2) Create 2 VPN Gateways. The “My Address” is configured as Interface type and select
WAN1 and WAN2 respectively
(3) Create 2 VPN Connections named VPN-A and VPN-B accordingly which bind on the
VPN Gateways we just created
3) On ZyWALL-B
(1) Create one WAN interface
(2) Create one VPN Gateway. The Primary Peer Gateway Address is configured as
WAN1 IP address of ZyWALL-A and the Secondary Peer Gateway Address is
configured as WAN2 IP address of ZyWALL-A
4) Connect the VPN tunnel from ZyWALL-B to ZyWALL-A and we can see VPN-A is
connected on ZyWALL-A
5) Unplug WAN1 cable on ZyWALL-A
6) After DPD is triggered on ZyWALL-B, the VPN Connection will be established again
7) On ZyWALL-A, VPN-A is connected. But ZyWALL-B should actually connect to VPN-B
after step 5)
[Workaround] Change the WAN1 setting of ZyWALL-A to Static IP

1. [SPR: 070912654] Since F/W version 2.10
[Symptom] Reserving an IP-MAC of a DHCP client in the DHCP table causes the reserved
hostname to turn to “none”, and after it is unreserved, this client disappears from the DHCP table.

Object Reference

For those objects used only by their own feature, we don't implement the object reference function.
Since F/W version 2.20
For example:
1. Content Filter Profile is used by Content filter only. We don't implement object reference
function for it
2. IDP/ADP Profile is used by IDP/ADP only. We don't implement object reference function for

Dynamic DNS
1. Peanut Hull DDNS cannot work if the account is not paid. For detailed information, please visit
the following link

Traffic Log
1. [SPR: 070912654] Since F/W version 2.20
[Symptom] When sending a log mail, three fields are missing. They are “Source Interface”,
“Destination Interface” and “Protocol”

1. Configure one PTR(FQDN) on device, map “” to, then use try to
try in browser, it can reach the server, but if type “” to
access yahoo website, it will fail. Then should type, then it works.
[Workaround] Type in IE directly or use Firefox.

Content Filter
1. [SPR: 100723365] Since F/W version 2.20
[Symptom] Content filter cannot block some website of new category such as
2. [SPR: 100413573] Since F/W version 2.20
[Symptom] In CF, add a new profile, Enable Custom Service. The action of category service
will all be PASS.

USB Storage
1. [SPR: 100708070] Since F/W version 2.20
[Symptom] When the system name is renamed, the USB storage cannot work.


Modifications in 2.20(AQQ.3) – 2010/10/28

Modified for formal release


Modifications in 2.20(AQQ.3)b2 – 2010/10/28
1. [BUG FIX] 101007783
GUI login page is displayed abnormally if country code is Japan(EA).
1. It can be reproduced.
2. Changed country code to EA, and rebooted DUT.
3. GUI login page is displayed abnormally.
4. Please refer to the attached file for a capture of the GUI login page


Modifications in 2.20(AQQ.3)b1 – 2010/10/22
1. [BUG FIX] 100831234 ITS#: 55611
System Default PPP interface page can't be shown if using IE.
1. Using IE, log in to the device. Go to page CONFIGURATION-->Interface-->PPP.
2. Double click a System Default PPP interface, e.g. ge1_ppp, or select a System Default
PPP interface, then click the Edit button.
3. The page will always show 'loading'. When using Firefox, this issue doesn't exist.
2. [BUG FIX] 101011243 ITS#: 55351
Any Pass action in CF Profile changes into default after device reboot.
(1) Add a new CF Profile, action is 'Pass'.
(2) Reboot the device, check GUI about CF profile.
(3) The configuration is changed. (Unsafe: Warn/Managed: Block/ Unrated: Warn/Server
Unavailable: Warn)


Modifications in 2.20(AQQ.2) – 2010/09/25

Modified for formal release


Modifications in 2.20(AQQ.2)b4 – 2010/09/15
1. [BUG FIX] 100914262
Content Filter can not support some newer categories.
1) Enable content filter. Create a filter profile, enable Content Filter Category Service, and
select all categories.
2) Visit some websites such as "". It will show the unknown or
unrated result.


Modifications in 2.20(AQQ.2)b3 – 2010/08/27
1. [BUG FIX] 100809473
Click boot status hyperlink will make user logout.
1) Make DUT to Fallback to lastgood configuration.
2) Go to Dashboard page, Boot Status is Fallback to lastgood configuration. Click this
hyperlink, user will be forced to logout, and Device Error message will show: Wrong CLI
command, device timeout or device logout.
2. [BUG FIX] 100816131 ITS#: 52490
USG50: files cannot be downloaded from the megaupload web site when using IE.
1) Use system-default configuration.
2) When using IE8 to capture the file, the file could
not be downloaded.
3) This bug may not always be reproduced; it may only happen on IE8 and slow PPPoE
3. [BUG FIX] 100810579
Zone field shows wrong content and can't be edited.
There are three issues with the zone field.
1) Reset the device, then go to the Interface page. Check the page of every interface; the zone
field shows "none". But in the Zone page, different interfaces belong to different zones.
2) Add a new bridge interface br0. Select Zone=WAN, then apply. Edit the interface br0
again; the Zone field shows blank.
3) Edit interface wlan-1-1, change Zone to DMZ (or another zone), then apply. It will
show "Zone interface is in use." It seems this Zone dropdown list is useless. This problem
also exists in the bridge interface.
4. [BUG FIX] 100810540
Configuration file will roll back to the last good one when the AD/LDAP bind DN password's
length is over 16.
1) Go to Object>AAA server, edit AD server settings and set Bind DN password as
"VPN=2010-ASDFG=1234", then apply the setting.
2) After reboot, the system can't apply the startup configuration file; it will apply the last good
configuration file.
5. [BUG FIX] 100803113
Log active summary works abnormally
1) Go to Log . Log setting, click 'Active Log Summary' icon
2) Change each log action and check the display in the summary table; something is wrong.
For example, if we enable/disable the log setting for e-mail server 1, the GUI will change the
USB storage's setting. It seems the index is wrong
6. [BUG FIX] 100809449
Some parts of the USB Storage related pages are not exact in the Simplified_Chinese version.
In Monitor->USB Storage page, "Device description" should be translated into "设备描述"
not "设备状态". In Maintenance->Diagnostic->Packet Capture page, "Available
Interface" should be translated into "可用接口" not "可用界面". PLS see attachment for
7. [BUG FIX] 100816168
Always shows in USB slot 2 even it is inserted in slot 1.
Insert an USB disk into USB slot 1, the extension-slot shows "2" on dashboard.
8. [BUG FIX] 100825899
It will pop up "No need to apply" after modify the configuration in Active Log Summary.
1) Go to page Log&Report->Log Setting, click "Active Log Summary".
2) Modify the configuration of "USB Storage".
3) Click "OK" and it will pop up "No need to apply".


Modifications in 2.20(AQQ.2)b2 – 2010/08/06
1. [BUG FIX] 100721123
After disabling SNMP and rebooting, command "show snmp status" will show an error message and
GUI "System->SNMP" will always show "Loading".
1) Enter into "System->SNMP", disable snmp.
2) Reboot device.
3) Command "show snmp status" will show an error message, and the GUI always shows
"Loading", but no error message.
2. [BUG FIX] 100714577
After resetting the device, the Wizard will not show at first login to the device.
1) Apply "system-default.conf", and then reset the device.
2) After reset, you will find the Wizard page is not shown at first login to the device.
3) Compare the files "startup-config.conf" and "system-default.conf"; you will find
that they are different. And this is the main reason why the Wizard page is not shown.
3. [BUG FIX] 100705370, 100716786
3G stress with P2P failed.
1) The 3G card was E169u; DUT adds a policy route to let all traffic out through the 3G card.
2) DUT ADP = enable, app patrol = enable and limit the BT traffic's bandwidth.
3) After BT + clubbox download over the weekend, the 3G card can't get an IP and the console halts;
unplugging the 3G card makes the console print an oops message.
4. [BUG FIX] 100722243
Interface Gateway IP address should be blank if you haven't configured it at "Quick Setup".
1) Click "Quick Setup" button in "CONFIGURATION" page.
2) Quick Setup->WAN Interface->next, Ethernet Selection = wan1; click "Next", WAN
Type Selection = Ethernet; click "Next", IP Address Assignment = Static; click "Next", fill
in the "IP Address" such as "", and then click "Next". In "WAN
Configuration Summary" page, you will find the Gateway IP Address is "". Click
3) Network->Interface->Ethernet, edit interface wan1, you will find the Gateway is
"", and there is a warning message "The value should be an IP address". And you cannot
click the "OK" button.
5. [BUG FIX] 100722211
Word should be divided by space.
1) Network->Routing->Policy Route, click the button "Add" at "Configuration".
2) In the "Add Policy Route" page, "1is highest priority" should be "1 is highest priority" at
"Bandwidth Shaping".
6. [BUG FIX] 100713473
The group object cannot be removed.
1) Object->User/Group->User, add a user: User Name=test, type = user.
2) Object->User/Group->Group, add a group: Group Name = group1, member=test.
3) Network->Routing->Policy Route, add a rule: User=group1, others set default. Then
4) Console: show groupname, you will find the reference count of group1 is 1.
5) Modify the policy route rule, change the User "group1" to any.
6) Console: show groupname, the reference count of group1 is still 1. And group1
cannot be removed.
7. [BUG FIX] 100720956
DUT crash in the PQA field trial on both master and backup.
1) Master crashes and the console dumps messages continually, and the console cannot print messages
by using the magic key.
2) Backup crashes and the console has a dump message, and the console cannot print messages by
using the magic key.
3) Please refer to the attached file for both master and backup console dump messages.
8. [BUG FIX] 100706586
We cannot log in to the GUI because the zyshd daemon is terminated if you modify the name
of an ext-group-user type user which has a long Group ID. The Group ID of the user
should be longer than 100 characters at best.
1) Object->User/Group->User, add a user: Username=test; Type=ext-group-user; Group
12345678901234567890123456789012345678901234567890(length is 127). And then
2) Object->User/Group->User, change the username "test" to “test1”.
3) After modifying the username, we cannot log in to the GUI because the zyshd daemon is
9. [BUG FIX] 100723401
IPsec daemon will die in config mode
DUT config:
phase 1
isakmp policy TEST
local-ip interface wan1
authentication pre-share
keystring 12345678
local-id type fqdn 11111
peer-id type any
fall-back-check-interval 300
lifetime 86400
mode main
transform-set des-md5
xauth type server default

phase 2
crypto map TEST_p2
ipsec-isakmp TEST
scenario remote-access-server
encapsulation tunnel
transform-set esp-des-md5
set security-association lifetime seconds 86400

set pfs group2
local-policy LAN1_SUBNET
remote-policy any
no conn-check activate
PC1 :
the config in attachment
10. [BUG FIX] 100720974
Inconsistent packet-trace dump output will cause automation cases to fail.
1) In console, use 'packet-trace interface wan1 ip-proto icmp' to trace ping check packets;
you will see ' > icmp: echo request' in 2.20patch1
2) In console, use 'packet-trace interface wan1 ip-proto icmp' to trace ping check packets;
you will see 'IP > icmp 64: echo request seq 11330' in 3.00alpha_1.
3) The automation system uses ' icmp: echo request' for comparison. In
3.00alpha_1, these cases will fail.
11. [BUG FIX] 100727675
Sitemap does not include the link for usb storage
1) Login the DUT via GUI
2) press sitemap
3) sitemap does not include the link for usb storage
12. [BUG FIX] 100706431
Core Dump can not be downloaded in system space in GUI
Generate a Core Dump file, goto Maintenance>Diagnostics>Core Dump>File, select the
file in system space and download it. It can not be downloaded.
13. [BUG FIX] 100705337
It allows to select two same type of server groups when configure an authentication method
on GUI.
1) Configure two different AD servers correctly.
2) Add these two ad servers in an authentication method.
3) The AD server which is in the second position of Authentication Method doesn't work.

14. [BUG FIX] 100705325
The length of group identifier for ext-group-user can be 127 only, but the warning message
show the maximum is 128.
1) Object-> user/group, add an ext-group-user type user, the length of group identifier is
2) Edit the user, the length of group identifier which shows in the CUI has been changed to
15. [BUG FIX] 100705319
A warning message does not pop up when the allowed user is a group and the group includes an
ext-group-user the first time after resetting the device.
1) Apply system-default.conf.
2) Add a user in object->User/Group: User Name = test; User Type is ext-group-user
3) Add a group in object->User/Group: Group Name = group1; Member = test
4) In VPN->L2TP page, enable “Enable L2TP Over IPSec”; VPN Connection =
Default_L2TP_VPN_Connection; IP Address Pool = LAN1_Subnet; Authentication
Method = default; Allowed User = group1;
5) Apply. You will find there is no warning message. But if you change the Allowed User
"group1" to "admin" and apply, and then change back to "group1", the warning message
will come out this time.
16. [BUG FIX] 100707829
Active Log for USB Storage will fail.
1) Go to Configuration-->Log Setting, click USB Storage.
2) Select ’enable normal logs’
3) From No.26 Interface Statistics, all the items are ’Disable Logs’.
4) This problem also exists when selecting ’enable normal and debug logs’
18. [BUG FIX] 100708104
CLI command and GUI have different value limitations.
1) Under ’configure terminal’-->’packet-capture configure’, input command ’split-size ’
in console. The max value can be 2048. Set split-size 2048, then write the setting.
2) Check Maintenance-->Diagnostics-->Packet Capture page. It shows the max value of
this field is 2000.
19. [BUG FIX] 100707821
"Limit-admin" user can't login GUI.
1) Create a "Limit-admin" user.
2) This user try to login DUT as "Limit-admin", the page always loading, fail to login.
3) The failure reason is 'showUsbStorageStatus.getAt(...)' is null or not an object.
20. [BUG FIX] 100708130
VPN stress test will fail with TestCenter
1) Setup a dynamic VPN in DUT
2) Use TestCenter to setup VPN with DUT and run VPN stress.
3) VPN can be established but traffic disappeared after about 15 seconds.
4) With TeraVPN, it works OK.
21. [BUG FIX] 100715659
Certificate show incorrect time in some special case.
1) At CLI, configure date/time like following setting
Router(config)# clock date 2010-01-03 time 00:00:00
2) regenerate ca by CLI command:
Router# debug ca regenerate
3) The time on valid from field of default certificate will show incorrect time like
following :
Router# show ca category local
certificate: default
type: SELF
subject: CN=usg300_0000AA791340
issuer: CN=usg300_0000AA791340
status: VALID
ID: usg300_0000AA791340
type: EMAIL
valid from: 2010-01-03 -1075961512:50364704:264499860 GMT
valid to: 2029-12-29 00:01:20 GMT

(set date/time to "2010-01-23 00:00:00" and run "debug ca regenerate" will also get the
incorrect time.)
22. [BUG FIX] 100707873
Warning message is wrong.
1) Insert USB storage, and in System>USB Storage page, activate USB storage service.
2) In Packet Capture page, select 'Save data to USB storage', set File Size to 1000
(USB storage available is 982 MB), click Capture, and a warning message will pop up:
CLI Number:12
Error Number: -75012
Error Message: 'Error string not find!'
3) The error message should be "The maximum value for this field is 982."
4) Keep the former setting unchanged, change 'Save data to USB storage' to 'Save data to
onboard storage only', then select 'Save data to USB storage' again. There will be the
warning message "The maximum value for this field is 982."
5) Set File Size to 982, click Capture, and the warning message still pops up.
24. [BUG FIX] 100715660
USG cannot apply configuration successfully
1) Upgrade F/W to 2.20 Patch 2 B1
2) Upload USG2000 field trial configuration to USG and apply it
3) We found the configuration cannot be applied successfully and error log displayed
4) It failed on applying one NAT rule if the mapping type is Many 1-1
25. [BUG FIX] 100707871
Customized Login Page cannot work.
1) System > WWW > Login Page, Use Customized Login Page=enable
2) Set Customized Login PAGE/TITLE
3) Click the Apply button. The "Apply" button is gray.
Browser: Firefox 3.0, Firefox 3.6, IE8.
It is OK in 2.12(XL.3)
26. [BUG FIX] 100707885
Chinese translation of USB Storage related pages is not ready.

Including Dashboard, Monitor-->USB Storage, Configuration-->System-->USB Storage,
Maintenance -->Diagnostics.
27. [BUG FIX] 100705336
After upgrading from 2.12(AQQ.1) to 2.20(AQQ.1), the "Duration" of the traffic log shown in the
VRPT server is always 0.
1) PC1-----(Lan)USG100(Wan) --------Kiwi SYSLOG server (PC2)
2) Go to "CONFIGURATION->Log&Report->Log Setting", and set the remote
server's address: PC2's IP, Log Format: VRPT/Syslog, Active log: enable traffic log.
3) Set up the software "Kiwi Syslog Daemon", and start the syslog daemon.
4) From PC1, access a website or download files from an FTP server on the USG100 WAN side, and find
that the "Duration" of the traffic log shown in "Kiwi Syslog" is always 0.
28. [BUG FIX] 100707006 ITS#: 49264
Device sends update to DDNS server although the IP address doesn't change.
1) Configure a DDNS profile "Eurilio", set WAN1 as Primary Binding Address and choose
interface as IP Address.
2) Let this profile update successfully.
3) Renew WAN1 and get the same IP, but we also find a log: "Update the profile Eurilio
has succeeded. The IP address of FQDN has not changed.".
4) But in such a case, if the IP doesn't change, this profile doesn't need an update, and should show
this log: "Update profile Eurilio has skipped due to same IP.".
29. [BUG FIX] 100121946 ITS#: 51567
Under bridge mode, when the DUT builds a VPN with another ZyWALL and the Firewall feature is
enabled, a PC behind the DUT cannot ping the PC on the other side of the VPN.
PC1----ge1-DUT(bridge mode)-ge3--internet----wan-zywall5-lan---PC2
about DUT:
1> run "system-default.conf".
2> add one bridge rule, the member is ge1-ge7, the IP is
"", default gateway is "",
others keep default, apply.
3> disable Firewall from Console by inputting "no firewall activate -"write".

4> PC1 sets IP "", the default gateway is
""(DUT br0 interface IP).
5> PC1 enters into Configuration-->Zone page, disable block intra-zone of all zones.
6> PC1 enters into Configuration-->Firewall page, inactivate all of the deny firewall rules,
then, enable Firewall, apply.
7> PC1 enters into VPN page, add one VPN
-ike: Local:br0; remote: zywall5 WAN ip(; preshared key:12345678
-ipsec: Local policy: PC1 IP(, remote policy: zywall5 LAN
about Zywall5:
1> LAN subnet is "", WAN ip is "",disable
Firewall, create opposite VPN rule for IPSec on
remote security gateway zywall5.
2> PC2 IP is "".
The VPN can be built successfully, but PC1 cannot ping PC2. If the firewall of the
DUT is disabled, PC1 can ping PC2.
30. [BUG FIX] 100617943 ITS#: 51177
MIB browser gets wrong ifOperStatus and ipAdEntifindex value.
1) Enable SNMP in device.
2) Set WAN1 = port1, WAN2 = port2, LAN1 = port3~port 5, LAN2 = port6,DMZ = port7.
3) Insert the cable into port7, and use MIB Browser to get ifOperStatus node, the result
shows DMZ port is down.
4) And the value of ipAdEntifindex node is mismatched with ifIndex.
31. [BUG FIX] 100705289
named.core is created after a firmware upgrade
1) After a firmware upgrade, a named.core will be generated at /tmp/coredump
Router> dir /tmp/coredump
File Name Size Modified Time
2010-07-05-05-21-05-named.core 786432 2010-07-05 05:21:06
2) It might be an issue in named
3) And it should be a compressed zip file, not a .core file.
32. [BUG FIX] 100706426

Incorrect text field label name and default value in packet capture page
1) In Diagnostics -> Packet Capture page, the "file size" text field should be replaced by
"capture packet files" after integration with the USB Storage enhancement.
2) The text field default value of "split threshold" shouldn't be greater than "capture packet
33. [BUG FIX] 100628439
The file size of diagnostics info is 0
1) collect diagnostics info.
2) collect done and show the info
3) The file size of diagnostics info is 0
34. [BUG FIX] 100628425
Duplicate CLI commands in the running configuration file.
1) Enable the usb_storage and disable the usb_storage
2) show running config
3) There are duplicate CLI commands.
35. [BUG FIX] 100705272
No USB Storage log when a disk is plugged in or removed
According to the DS document, the system log should record disk plug-in and removal.
36. [BUG FIX] 100623152 ITS#: 51716
ZySH daemon is terminated when the AD/LDAP bind DN password's length over 16.
1) Go to Object>AAA server, edit AD server settings and set Bind DN password as
"VPN=2010-ASDFG=1234", then apply the setting.
2) Try to edit the AD server again; the system ZySH daemon will be terminated.
3) After reboot, the system can't apply the startup configuration file, it will apply last good
configuration file.
37. [BUG FIX] 100701016
Unfriendly extension slot information in dashboard

38. [BUG FIX] 100628503
Insert Huawei E220 in usb1 and usb storage in usb2 or Insert two usb storage
Router> show extension-slot
No. Slot Device Status
1 PC Card none none
3 USB 2 none none
39. [BUG FIX] 100115237
The countdown displays "NaN seconds left.." when dialing up using Google Chrome.
1) Configure one IPSec VPN rule and try to dial up through Google Chrome.
2) The countdown displays "NaN seconds left..".
40. [BUG FIX] 100325349
The maximum length of UserName and password for SMTP Authentication should only
support 31 characters.
In Log & Report > Log Settings, edit System Log, fill in E-mail Server1 or Server2.
- enable SMTP Authentication, type 64 characters in UserName field and type 63
characters in password field.
(It matches the accepted maximum length)
2) The GUI dumps the error message 'Log length has reached the maximum number.'
3) In 2.1x GUI, the maximum length of UserName and password only supports 31
4) In CLI, it also only supports a maximum of 31 characters.
41. [BUG FIX] 100326492
VPN Phase 2 Settings, algorithm = SHA, but in edit page is SHA1.
VPN Phase 2 Settings, in VPN configuration grid, column of algorithm is "SHA", but in
edit page is SHA1.

The display string format is not consistent.
42. [BUG FIX] 100407272
On the web GUI "email daily report", if a field is empty, the red "required" glyph
overlaps with the text to the right.
43. [BUG FIX] 100427849
Wrong validation result for specific subnet in static route.
1) Go to static route> add a rule
2) the following subnet mask should be allow (not allow) allow) (not allow) allow) allow)
3) The "not allow" items should be allowed.
44. [BUG FIX] 100413573
In CF, add a new profile , Enable Custom Service. The action of category service will all
be PASS.
1) In CF, add a new profile
2) Enable Custom Service Name = CF1. Press OK
3) Edit the CF1 profile,
the actions of CF category service will all be pass
Action of unsafe web pages = Pass
Action of Managed web pages = Pass
Action of Unrated web pages = Pass
Action when category server is unavailable = Pass
45. [BUG FIX] 100407267
1) Click NAT's hyperlink "policy route"; its left tree panel doesn't highlight "routing".

2) Click Content Filter's hyperlink "Apply New Registration"; its left tree panel doesn't
highlight "Registration".
3) Click AppPatrol's hyperlinks "Apply New Registration" and "Update Signatures"; its
left tree panel doesn't highlight the correct node.
4) Click System/WWW/Service control's hyperlink "(See Trusted CAs)"; its left tree
panel doesn't highlight the correct node of "Certificate".
47. [BUG FIX] SPR ID: N/A ITS#: 53476
The GUI's Ethernet/VLAN/bridge DHCP IP pool size maximum value should not be 255.
1) The GUI's Ethernet/VLAN/bridge DHCP IP pool size maximum value should not be
2) If the pool is only on class C, it was 253.
48. [BUG FIX] 100723402 ITS#: 52384
The "Join SSL_VPN Zone" checkbox is never shown as ticked when the SSL VPN policy
name length is more than 15.
Go to "VPN->SSL VPN", add an SSL VPN policy.
Set the policy name length to more than 15 and tick "Join SSL_VPN Zone". Then apply.
3) Click "Edit" to check whether "Join SSL_VPN Zone" is ticked; it shows
that it is not ticked.
50. [BUG FIX] 100803121
A policyd coredump is generated after firmware upgrade
1) Create a policy route with default arguments (all any)
2) Upgrade firmware then reboot
3) Go to diagnostics->coredump->file, then you will see a policyd coredump file be
51. [BUG FIX] 100804198
Change the name of "DNS" in Service Group will make device fallback to lastgood
configuration after reboot.

1) Change the name of "DNS" to "DNS_GROUP" with default configuration file.
2) Reboot USG.
3) There will be an error message "Fallback to lastgood configuration" on the console.

Modifications in 2.20(AQQ.2)b1 – 2010/07/02
Support USB storage application

Show PPPoE and PPTP interface on Dashboard.

3. [BUG FIX] 100211933

Changing the ge2 interface IP from static to DHCP client while the interface is in the Monitored
Interface Summary of Device HA with a management IP, and then rebooting the DUT, causes
applying the configuration file to fail.
1) Configure ge2 a static IP address. ex:
2) Enable Device HA and activate ge2 interface and configure a management IP. ex:
3) Disable Device HA and inactivate ge2 interface in Monitored Interface Summary of Device
4) Change ge2 interface from static IP address to get automatically, and reboot DUT.
5) It can't reboot successfully when applying the configuration file. The console shows "ERROR:
device-ha ap-mode ge2 manage-ip Failed to apply startup-config.conf. Try to apply
lastgood.conf or system-default.conf. Save current startup-config.conf to
start-config-bad.conf"
6) The log shows "ERROR: #configure terminal device-ha ap-mode ge2 manage-ip, Management IP should be in the same subnet"

4. [BUG FIX ] 091120871~091120875 100322927

1) Dashboard widget arrangement gets lost.
2) When changing the order of the widgets on the dashboard, the new order is not saved
when logging out. Removed and added objects are OK.
1) If the widgets on the Dashboard are re-arranged (different position) and the user logs out
and logs in, the widgets are back in the old position from before the re-arrangement. The same
happens if the user goes to a different Configuration page and then back to the Dashboard.

2) For example, you drag the widget 'device information' to another location, then after re-
login, this will not be saved.

5. [BUG FIX] 100514869 ITS#: 50443

After clicking "Object Reference" in the GUI several times, there will be more select boxes in the
Object Reference window. After closing the Object Reference window, there will be a black
window in the GUI.
1) Click "Object Reference" in the GUI several times; there will be more select boxes
in the Object Reference window.
2) Close the Object Reference window; a black window will show in the GUI.

6. [BUG FIX ] 100510421 ITS#: 49300

Some warning information appears on the console when rebooting the device.
1) Apply default configuration file.
2) Change the interface ge1 from internal type to external, and set the ping check to active.
3) Reboot the device, there will be warning on the console.

7. [BUG FIX] 100507304 ITS#: 49771

When using “ext-group-user” as SSL VPN user, if the SSL VPN license is 2, only
1 user can log in to the device.
1) Configure a SSL VPN environment.
2) PC connects to SSL VPN.
3) By default, two users can log in to the SSL VPN, but after one user logs in, another
can't log in and the login page shows SSL VPN reach to the max account.

8. [BUG FIX] 100323038

sshipsecpm is dead for several times during VPN test.
1) The configurations of the two DUTs are not special, except that DUT1 uses a
certificate signed by the CHT tool, and the other one is self-signed. DUT1's language is
English, and the other one's is Simplified Chinese. The configurations are attached.

2) After finishing the configuration, DUT2 dials the VPN, then strange logs are printed
continuously in its console:
sshipsecpm is dead at Tue Mar 23 03:23:21 2010
sshipsecpm is dead at Tue Mar 23 03:23:26 2010
sshipsecpm is dead at Tue Mar 23 03:23:31 2010
Meanwhile, the VPN tunnel can't be set up.
3) After rebooting, it works totally OK. This can't be reproduced, but happened
several times. It seems that this problem is related to certificate and language settings

9. [BUG FIX] 100423582

When running stress on NAT + FW + IDP + AV + AS + ADP+CF+ IPSec overnight,
several functions are dead.
Test tool: avalanche, Tera VPN tester1.
1) When running stress on NAT + FW + IDP + AV + AS + ADP+CF+ IPSec overnight,
several functions are dead, like zebra, appd, and so on; for details see attached file2.
2) The second time, after running about half an hour, sshipsecpm is dead

10. [BUG FIX] 100504058

The ZySH daemon has Segmentation fault after adding firewall rule
1) Applying system-default.conf
2) Configuration > Firewall, to remove all firewall rule
3) To add a new firewall rule,
- From: WAN
- To : ZyWALL
- Service : Default_Allow_WAN_To_ZyWALL
- Access : allow
4) The ZySH daemon will hit a segmentation fault.
5) It can be reproduced; the core dump file is attached.

11. [BUG FIX] 100415782

Device will crash when collecting diagnostic information by HTTP.

1) It can be reproduced.
2) PC ping to continually.
3) Login web GUI by HTTP.
4) Go to page MAINTENANCE>Diagnostics, and then click the “Collect Now” button,
device will dump crash message.

12. [BUG FIX] 100520207 ITS#: 50590, 49660, 50580

In customer's environment, sometimes there will be ARP entries with "CM" flag, so the
USG can't accept ARP updates for the MAC with a new IP address.
1) It only appeared in customer environment.
2) Customer's environment:
DHCP server
3) Clients get IP from the DHCP server. The ARP entries in USG for some clients will be
flagged with “CM” and cannot be updated.

13. [BUG FIX] 100121958

User cannot delete any email from the SSLVPN OWA application with the IE browser
1) Create an SSL application of ZyXEL OWA and add it into an SSLVPN policy
2) User logs in to SSLVPN and uses the OWA application
3) User cannot delete any e-mail through the SSLVPN OWA application
4) If the user connects to ZyXEL OWA directly, it works well.

15. [BUG FIX] 100422412

SSLVPN with EPS can't log in anymore after its name has been changed.
1) Add an EPS object named "EPS" <Deleted>
2) Add a full tunnel SSLVPN which named "SSL", the tunnel is enabled EPS check with
3) WAN PC login SSLVPN with "test", login can be successful.
4) Change SSLVPN policy name to "IEEE", then WAN PC login SSLVPN with "test"
again, login will always fail. Reboot the DUT, the problem can be solved.

17. [BUG FIX] 100528711 ITS#: 50646

SSL VPN full tunnel can't be established. The security extender breaks with “internal

18. [BUG FIX] 100507305 ITS#: 49893

Virtual server rule doesn't work correctly if the "Original IP" in that rule is a virtual IP
(not real wan IP).
1) USG has two WAN interfaces so customer adds two virtual server rules to forward the
FTP traffic to FTP server.
2) The "Original IP" in the two rules is virtual IP.
3) When you try to access the FTP server, you will see the virtual server rule doesn't work

19. [BUG FIX] 100602115 ITS#: 48128, 47343

Enabling AS causes mail to be sent or received abnormally.
1) Can only be reproduced in customer's environment.
2) Customer's environment:
Mail client---Internet---WAN---LAN --SMTP server
3) If the customer enables AS, sometimes the mail client cannot send mails to the SMTP server

20. [BUG FIX] 100623152 ITS#: 51716

ZySH daemon is terminated when the AD/LDAP bind DN password's length over 16.
1) Go to Object>AAA server, edit AD server settings and set Bind DN password as
"VPN=2010-ASDFG=1234", then apply the setting.
2) Try to edit the AD server again; the system ZySH daemon will be terminated.

3) After reboot, the system can't apply the startup configuration file, it will apply last
good configuration file.

21. [BUG FIX] 100426614

CPU utilization stays at 98% when accessing files from a server on DUT's LAN via IPsec VPN.
1) Disable Firewall and ADP.
2) Using IPSec VPN Client to establish IPSec VPN tunnel between host and
remote file server.
3) When accessing files from the remote server, CPU utilization stays at a high rate; throughput is
about 4.3M Bytes/Sec.
4) When CPU utilization stays at a high rate, it is hard for other clients to establish another tunnel.
5) If two tunnels are established and access the remote file server at the same time, one
of the tunnels will be terminated.
6) Firmware version 2.20(AQQ.0)C0 has the same issue.
7) In firmware version 2.12 patch 1 C0, throughput is about 3M Bytes/Sec, and CPU utilization
stays at 70%.

22. [BUG FIX] 100504102

After Port Stealth testing, the status of port 0 and port 1 are closed.
Do stealth testing on

23. [BUG FIX] 100617944 ITS#: 50991

1) Test an external user in "ext-group-user" type user GUI page, it will fail when group
identifier length is longer than 68.
2) When add an "ext-group user" type user, if group identifier length is longer than 128,
there will be an error message "Wrong CLI command, device timeout or device logout".
But there is no statement about the length of group identifier in help page.
1) Set a group in AD server, the group identifier should be longer than 68, such as
Then add a user in this group, such as test.
2) Enter into "Object->User/Group", add a user with type "ext-group-user", set the group
identifier the same as the AD server group's group identifier.

3) Enter into "AAA Server->Active Directory", add an AD rule and fill the necessary
4) Enter into "ext-group-user" type user, test user "test" in "Test" field. It will show "test do
not belong to the group".
5) Add an "ext-group-user" type user with group identifier length longer than 128.
There will be an error message "Wrong CLI command, device timeout or device logout".

24. [BUG FIX] 100619026 ITS#: 51686

Standby device still replies to the interface ARP request.
1) Setup a HA environment with default configuration, use ge1( as the HA
2) In LAN side, use PC ping
3) Both devices reply to the ARP request; Master uses the virtual MAC, Standby uses the
interface MAC.

25. [BUG FIX] 100623181

L2TP vpn can't be established with an AD group user when set "allowed user" as an "ext-
group-user" type user. This AD group user has the same group identifier as the "ext-group-
user" type user.
1) Add an "ext-group-user" type user "vpn".
2) Set a group in AD server with the same group identifier as user "vpn", and then add a
user in this group, such as "Judy".
3) Enter into "Object>>AAA Server>>AD", fill the necessary fields.
4) Enter into "VPN>>L2tp", set "allowed user" as user "vpn" and fill other necessary
5) Establish L2tp with user "Judy". It will fail with error "invalid username password".

26. [BUGFIX] 100222084

Firefox 3.6 can't open the SSLVPN web server and OWA server, but Firefox 3.5.8 can
1) PC = XP SP3 + Firefox 3.6 + JRE 1.6.0_18-b07
2) User logs in to the SSLVPN from WAN; opening the web server and OWA server links will
fail in Full Tunnel Mode and Reverse Proxy Mode

27. [BUG FIX]

Symptom: Inline object creation cause previous configuration lost.

Modifications in 2.20(AQQ.1) – 2010/05/6

Modified for formal release

Modifications in 2.20(AQQ.1)b3 – 2010/05/4

1. [BUG FIX] 100504064

ZyWALL will sometimes crash while collecting diagnostic info
1) Update IDP signature to the latest
2) Collect diagnostic info
3) Sometimes ZyWALL will crash
2. [BUG FIX] 100422392
ZyWALL SecuExtender cannot be terminated automatically by closing the SSLVPN portal
1) Login SSLVPN with Full Tunnel mode using Windows 7
2) Close the SSLVPN Portal window by clicking “X” on right corner of the window
3) The ZyWALL SecuExtender won't be terminated automatically

Modifications in 2.20(AQQ.1)b2 – 2010/04/16

1. [BUG FIX] 100119485

Under certain condition, connectivity check cannot work on cellular interface
1. Insert AC880 card, edit the cellular1 interface in Interface> Cellular page, enable Nailed
up, filling APN option into CMNET, Dial string option into *99#, others keep default
2. The 3G can connect correctly
3. Edit cellular1 interface, enable Connectivity check, check method is icmp, check period
is 5, check timeout is 2, check fail tolerance is 3, and enable check this address ””,
4. Ping check can work, and the 3G interface is inactive
5. Edit the 3G rule second time, Enable Budget Control=enable ; Time Budget=enable ;
hours per month=30 ; Reset time and data budget counters=15 ; Actions when over
budget/Log=log-alert ; Enable recurring every 1 minutes ; New 3G
connection=Disallow ; Current 3G connection=Drop ; Actions when over 10 % of time
budget or 10 % of data budget ; Log=log-alert ; Enable recurring every 1 minutes
6. Edit the Cellular1 interface a third time, disable Connectivity check, and in Device setting
field, select “Device Selection” as “Sierra Wireless AC880”, “Band Selection”
as “Auto”, apply, the rule can be saved without warning
7. But the connectivity check function still works, capture the packets from Cellular1
interface, there are lots of packets about ping request, and the traffic from LAN
to Cellular1 cannot pass through
2. [BUG FIX] 100121946
Under bridge mode, traffic cannot pass through the VPN tunnel if Firewall is activated
1. Configure ZyWALL with one bridge interface
2. Configure one IPSec tunnel which uses the bridge interface to build the IPSec tunnel
3. Configure one remote VPN gateway whose WAN interface is not on the same network
as the ZyWALL's WAN interface which is used to build up the IPSec tunnel
4. Enable Firewall on ZyWALL
5. Establish the IPSec tunnel between the ZyWALL and remote VPN gateway
6. The traffic cannot pass through the IPSec tunnel and is dropped by the Firewall
3. [BUG FIX] 100204388

Error message displayed on GUI after enabling Redirect HTTP to HTTPS
1. Disable “Redirect HTTP to HTTPS”
2. Login ZyWALL GUI via HTTP service
3. Enter WWW page and enable “Redirect HTTP to HTTPS”
4. Click other page and the error message “URL request timeout. (3 minutes limit)”
4. [BUG FIX] 100310758
Incorrect CLI commands applied under certain condition
1. Create one Authentication Policy via GUI. Authentication = required and Force User
Authentication is selected
2. Edit the Auth. Policy again and change the Authentication from “required” to
“unnecessary”. Do not apply
3. Change the Authentication from “unnecessary” to “required” and apply
4. The “Authentication” field in summary page should be “force” instead of “required”
5. [BUG FIX] 100311928
ZySH daemon will crash when adding the maximum allowed interfaces including
WLAN interfaces into one bridge interface
1. Create one bridge interface with the maximum allowed interfaces including WLAN
interface as its member
2. ZySH daemon will crash after applying
6. [BUG FIX] 100312072
SNMP cannot work through IPSec tunnel
1. Create one IPSec tunnel between ZyWALLs
2. Enable SNMP service on remote ZyWALL
3. PC under local ZyWALL's LAN cannot query remote ZyWALL's LAN IP via SNMP
7. [BUG FIX] 100315140
After language changed, Site Map cannot be displayed anymore
1. Change the language from English to Traditional Chinese

2. Click Site Map but it cannot be displayed
8. [BUG FIX] 100315227
The On Top icons cannot work after language changed
1. Using FireFox 3.5 or 2.6 to login ZyWALL
2. Change the language from English to Traditional Chinese or Simplified Chinese
3. The On Top icons like “Help”, “About”, “Site Map” cannot work anymore
9. [BUG FIX] 100315275
SSL VPN's File Sharing menu bar's “up” button is translated to a strange meaning in
Traditional Chinese and Simplified_Chinese
1. Login DUT via SSLVPN
2. Change the SSLVPN language from English to Traditional Chinese or Simplified
3. The translation of menu bar's “up” is “上”
4. It should be translated to more readable wording like “上一層” or “上一頁”
10. [BUG FIX] 100316425
DHCP Service cannot work anymore after frequently modifying the DHCP server
1. Reset to default configuration
2. Connect one PC to LAN interface
3. Configure the DHCP lease time on LAN interface
4. Renew IP on the PC and check if the IP can be renewed
5. Repeat step 3~4 several times and the IP of the PC cannot be renewed anymore
11. [BUG FIX] 100317503
Incorrect Default Gateway Address displayed when configuring PPPoE interface's
Connectivity Check
1. Configure one PPPoE interface and make it connected
2. Edit the PPPoE interface again
3. Enable Connectivity Check and select Check Default Gateway
4. The Gateway IP address displayed is incorrect
12. [BUG FIX] 100317568

Session number cannot be queried via SNMP
1. Session number cannot be queried via SNMP
2. Error log “ERROR: #configure terminal show _zldmib session status, file not found!”
13. [BUG FIX] 100319791
Port Grouping page will disappear after language being changed to Simplified-Chinese.
1. Reset DUT to default configure file. Change language from English to
2. Go to Interface page, click “以太网” tag, the “端口群组” page will disappear. Only after
clicking Interface page again can the “端口群组” tag show
14. [BUG FIX] 100322908
Translation of “MAC Address” in interface page is incorrect
1. Change DUT's language to Simplified_Chinese
2. Go to 接口〉以太网 page, edit ge1 interface, in “静态 DHCP 表”, MAC Address has
been translated to “媒体存取控制”, it should be “MAC 地址”
15. [BUG FIX] 100323027
The translation of the “i” note in certificate adding page is totally wrong
1. Change language from English to Simplified_Chinese, go to Certificate page to add a
2. There's an “i” note about “密钥类型”, its translation is totally wrong
16. [BUG FIX] 100323045
The translation of Mapped Port Start is wrong in VPN connection
1. Change language from English to Simplified_Chinese,
2. In VPN Connection page, add a rule, the Mapped Port Start has been translated to
“映射单口开始”, it should be “映射端口开始”.
17. [BUG FIX] 100323106
In Simplified_Chinese environment, some translations are still Traditional_Chinese.

1. Change language to Simplified_Chinese.
2. In 证书>可信证书 page, click 导入 button, Import Trusted Certificates window will
pop up, the button of “Browser” has been translated into Traditional_Chinese instead of
3. The same problem happens in the page of 配置文件, 韧体上传 and Shell 脚本
18. [BUG FIX] 100323139
ZySH daemon will be terminated when issuing CLI “ no radius-server host ”
19. [BUG FIX] 100323166
During WLAN testing, ZyWALL will sometimes crash
20. [BUG FIX] 100325377
Translation of “Host Port” in Packet Capture page is incorrect
Change language to Simplified_Chinese. Go to Packet Capture page, “Host Port” has been
translated to “主机名称”, it should be “主机端口”
21. [BUG FIX] 100326493
EPS check will fail when the PC cannot pass the EPS object which is at the first priority
1. Create 2 EPS objects they have different passing criteria
2. Create one SSLVPN rule with below EPS configuration
1) Enable EPS check
2) Select the 2 EPS objects we just created
3) Login SSLVPN from a PC that will fail to pass the first EPS object we selected in
previous setting but pass the 2nd EPS object
3. The EPS check will fail because the check on the first EPS object failed
4. But actually it should be successful because the PC will pass the 2nd EPS object
22. [BUG FIX] 100329625
VPN traffic related logs cannot be displayed on VRPT 3.5 server correctly

23. [BUG FIX] 100331777
ZySH daemon will be crashed when doing Content Filter URL testing
1. Enter Anti-X > Content Filter > Filter Profile
2. Create one filter profile and enter http://~@ in URL to test
3. After trying to test this special URL, ZySH will be crashed

24. [BUG FIX] 100302129

The object reference of the bridge interface will include Device HA even it is not
monitored by Device HA
1. Create one bridge interface
2. Add this bridge interface to DMZ zone
3. Click the object reference for the bridge interface we just created
4. We will find that Device HA is in the reference list but actually it is not monitored by
Device HA
25. [BUG FIX] 100324212
The interface name cannot be displayed completely if the length of the interface name is
more than 9 characters
1. Rename one of the interfaces to have the length which is more than 9 characters
2. In interface summary table in Dashboard, the related interface name can be only
displayed with the first 9 characters
26. [BUG FIX] 100401004
Incorrect login behavior when pressing “Enter” with Username and Password correctly
entered in SSLVPN login page
1. Configure SSLVPN Login Domain Name
2. Enter SSLVPN login page with SSLVPN Login Domain Name
3. Input correct Username and Password and press “Enter” key directly
4. The GUI will enter User Login page instead of SSLVPN login portal
5. The default behavior of pressing “Enter” key in SSLVPN login page should do the

SSLVPN login process instead of normal user login
27. [BUG FIX] 100402137
PPTP tunnel cannot be connected successfully
1. Connect PPTP tunnel from PC to PPTP server as in the topology below
PC ----- (LAN)ZyWALL(WAN) ----- Internet ----- PPTP Server
2. The PPTP tunnel cannot be connected successfully
28. [BUG FIX] 100402124
The ZyWALL generated ICMP Redirect packet will be dropped by Firewall
1. Reset to default configuration
2. Configure one Policy Route with Next Hop as Gateway Type and the Gateway
address is in the LAN subnet
3. PC in LAN subnet sends ping traffic which will match the Policy Route we just
4. The ZyWALL should generate one ICMP Redirect packet to tell the PC that there is
another Gateway, the one we configured in the Policy Route rule, which has a faster path
to reach the destination. But actually not
29. [BUG FIX] 100407319
Changing the user type from limited-admin to ext-user or ext-group-user fails and
pops up an error message
1. Create one user with Limited-Admin user type
2. Change the user type of the Limited-Admin user we just created to ext-user or
ext-group user
3. GUI will return error message “CLI Number: 0, Error number: -3014, Error Message: Add
external type user has failed.”
30. [BUG FIX] 100318683
In CF, add a new profile without enabling anything. The action of category service will all
1. In CF, add a new profile. Name = CF1 without enabling anything. (By default, Action of
unsafe web pages = Warn, Action of Managed web pages = Block, Action of Unrated
web pages = Warn, Action when category server is unavailable = Warn) Then click

2. Edit the CF1 profile, the actions of CF category service will all be pass, Action of
unsafe web pages = Pass, Action of Managed web pages = Pass, Action of Unrated
web pages = Pass, Action when category server is unavailable = Pass
31. [BUG FIX] 100121930
Dashboard displays abnormally when going from the “Packet Capture” page
to the “DASHBOARD” page in the IE browser.
1. Use IE browser to login device
2. Go to page MAINTENANCE > Diagnostics > Packet Capture page, then go
to “DASHBOARD” page
3. DASHBOARD page displays abnormally on “Virtual Device” and “Interface Status
Summary” widget
32. [BUG FIX] 100407320
PC with Windows 7 installed can pass EPS check when the OS type is set to Windows
2008 or Windows 2008R2
1. Create one EPS object to check the Windows OS type as Windows 2008 or Windows 2008R2
2. Create one SSLVPN rule with EPS check as previously configured
3. Use a PC with Windows 7 installed to login SSLVPN
4. It should fail the EPS check due to OS type, but it passes
33. [BUG FIX] 100322989
Device HA Backup cannot dial up IPSec tunnel successfully after taking over
1. Configure Device HA on Master and Backup properly and its monitored interface is
an Ethernet interface
2. Configure VPN tunnel with FQDN type as its My Address
3. Configure the Mapped IP of the FQDN of step 2 as one of DUT’s Ethernet interface’s
IP address
4. Once Master is down, Backup cannot dial up the VPN tunnel successfully
34. [BUG FIX] 100113950
When the Mac Address format is “XX-XX-XX-XX-XX”, the MAC clone function doesn’t
1. Edit one specified interface
2. Click “Show Advanced Settings”
3. In Mac Address Setting section, select “Overwrite Default Mac Address” and
configure the Mac Address with the format as “XX-XX-XX-XX-XX-XX”
4. Capture the packets on the specified interface, the Mac address of the specified
interface is not changed to “XX-XX-XX-XX-XX-XX”
35. [BUG FIX] 100407322
If the Group Identifier field has a space, GUI will pop out an error message “Wrong CLI
command device timeout or device logout”
1. Go to Configuration -> User/Group -> Add an ext-group-user
2. In the Group Identifier field, input DC=xxx,[space]DC=xxx -> press OK
3. GUI will pop out error message “Wrong CLI command device timeout or device
36. [BUG FIX] 100315249
Testing a special URL in “Test Web Site Category” causes GUI to keep loading
1. Create one Content Filter Profile
2. Enter this profile and input “http://” in “URL to test” field, click the “Test against
content filter category server”
3. GUI will keep loading
37. [BUG FIX] 100409424
ZyWALL cannot be logged in
1. Reset to default configuration
2. Enable SNMP service
3. Do SNMP Bulk request
4. After running for a while, ZyWALL cannot be logged in to and the error message
“Too many open files in system” occurs

38. [BUG FIX] 100409426

The SSLVPN tunnel will be disconnected unexpectedly
1. Create one user and set its lease time to 1 minute

2. Create one SSLVPN rule with Full tunnel mode and allow the user we just created to
access the SSLVPN tunnel
3. Enable “Allow renewing lease time automatically” in Configuration > Object >
User/Group > Setting page
4. Establish the SSLVPN Full tunnel
5. Keep pinging ZyWALL’s interface from the SSLVPN client
6. The SSLVPN tunnel will be disconnected after one minute
39. [BUG FIX] 100413635
When logging in to SSL VPN and opening RDP_Windows on the portal to remote-control a
server, the remote server login GUI pops up very slowly
1. Create one SSL Application with RDP Web Application
2. Create one SSLVPN rule with the SSL Application object
3. Login SSLVPN with Windows 7(32-bit) + IE8
4. Open RDP on the SSLVPN portal and the response is very slow
40. [BUG FIX] 100325342
SecuExtender cannot install by ActiveX when using Windows 7 and IE 8 to login SSL
1. Prepare a PC with Windows 7 installed and make sure SecuExtender has not been
installed on this PC before
2. Login ZyWALL via SSLVPN using IE8 from the PC we prepared
3. The SecuExtender cannot be installed successfully and logs out immediately
41. [BUG FIX] 090828851
ZySH daemon will crash when frequently refreshing Dashboard
1. Reset to default configuration
2. Attach many PCs to the LAN subnet and let them get IP addresses dynamically
3. Login ZyWALL via GUI and sometimes ZySH daemon will crash


Modifications in 2.20(AQQ.1)b1 – 2010/03/12

1. [BUG FIX] 091020199

One log of IDP custom signature displays incorrectly
The IDP log content is not the same as the content shown on mouse over
2. [BUG FIX] 091022419
When changing the system name, user needs to reboot DUT to get correct system name by
1. Modify system name
2. Load ZLD private MIB file into MG-SOFT software and compile them
3. Use MG-SOFT to query DUT; it returns the wrong system name, not the one modified in step 1
4. After rebooting DUT, MG-SOFT can query the correct system name
3. [BUG FIX] 091029777
Under certain condition, the static DHCP record can’t be released from DHCP Table.
1. Reset to default configuration
2. PC gets an IP from LAN and reserves it via Dashboard > DHCP Table
3. Configure DMZ to be a DHCP server and disable Firewall
4. Connect the same PC to DMZ and get another IP
5. Reserve the IP got from DMZ DHCP server and the error message pops up
6. Releasing the DHCP record obtained from LAN succeeds, but releasing the DHCP record
obtained from DMZ fails
4. [BUG FIX] 091102056
DDNS HA didn’t work if the Cellular card is pulled out
1. Interface > Ethernet, edit WAN interface
1) Enable Interface: active
2. Interface > Cellular, edit cellular2
1) Enable Interface: active
2) Zone: WAN
3) Profile Selection: Device; Profile1
4) PIN Code: 0000
3. Network > DDNS, add a rule
1) Profile Name: ddns1
2) DDNS type: DynDNS
3) Username: xxxx
4) Password: xxxx
5) Domain name:
6) Primary Binding Address: Interface(cellular2) ; IP address (Interface)
7) Backup Binding Address: Interface(wan1) ; IP address (Interface)
4. When cellular2 and the WAN interface are up, DUT updates the DDNS with Cellular2’s IP
5. When cellular2 is pulled out, DUT didn’t update the DDNS with the WAN interface’s IP address
5. [BUG FIX] 091105437
The log of VPN ping check is not right
1. Configure IPSec Connectivity Check with ICMP method
2. We can see one incorrect IPSec Ping Check log in log page like below
- Receive an ICMP IPSec connectivity check packet “request”...
3. “request” should be “reply”
6. [BUG FIX] 091118561
3G pin code unlock from dashboard and monitor page can’t be saved to configuration
1. When pin code locked, go to dashboard or monitor page to unlock pin code
2. Once pin code unlocked successfully, reboot the device. But you will find the pin code is
locked again
3. The unlock action on dashboard and monitor should save the configuration to cellular
7. [BUG FIX] 091126359
PPTP and PPPoE Authentication Type can’t be saved via Wizard
1. In Wizard, interface Encapsulation is PPTP, click Next button. Authentication type is
2. Configure the other necessary fields and finish the wizard
3. Go to ISP Account page, check corresponding account: the value of Authentication Type
is still Chap/PAP, not PAP
4. PPPoE has the same problem
8. [BUG FIX] 091201110
Error string not found after issuing a debug CLI command
1. Do not turn on the Boot Module debug flag
2. Enter CLI command “debug service-register erase service all”
3. ZySH returns error message “ERROR: Error string not found”
4. It should return a meaningful error message
9. [BUG FIX] 091204287
Strange log triggered when logout from SSH connection
1. Login DUT via SSH service
2. Logout SSH
3. There are some strange logs triggered in log page
10. [BUG FIX] 091215063
Left panel doesn’t expand when linking to system name page from Dashboard.
1. Change system language to Traditional Chinese
2. Left panel doesn’t expand when linking to system name page from Dashboard
3. This issue doesn’t happen when system language is English
11. [BUG FIX] 091223729
GUI will pop up error message when displaying the cache of content filter
1. Enable Content Filter
2. Add one profile
3. Create one Content Filter policy rule with the profile
4. Access the web sites and make the number of cache grow to the Max number
5. Try to display the last page of the cache
6. GUI returns the error message like “Wrong CLI…”
12. [BUG FIX] 091224805
In QuickSetup, the title name is wrong in summary page.

1. Click Quick Setup Web Help and select the “VPN setup”
2. Select the “Advanced” type of VPN policy
3. Select any “Scenario” and go to the next page, and set up phase1 and phase2 accordingly
4. In Summary page, the title shows “Express Settings”
13. [BUG FIX] 091224807
Invalid validation error message in log mail subject field
1. Enter Configuration > Log & Report > Log Setting
2. Edit the System Log item
3. In E-mail Server 1, input more than 60 characters
4. The invalid field error message displays incorrect content
14. [BUG FIX] 091224808
VPN connection should not be able to be dialed out when it is configured as Manual Key
1. Enter Configuration > VPN > IPSec VPN
2. Create one VPN connection with Manual Key configured
3. The “Connect” icon of the VPN Connection table can be clicked
4. Actually the “Connect” icon should not be clickable when VPN Connection is
configured as Manual Key
15. [BUG FIX] 091225951
Error message popped up when modifying the ADP profile name
1. Change the default ADP profile name then press “Save” button
2. GUI will pop up error message like “CLI number :0 Error number: -32034, Error
message: Show flood- detection failed”
16. [BUG FIX] 091228032
Mouse Over on HOST type address cannot show the basic content in NAT page.
1. Create one NAT rule and assign Host Type address object to Original IP or Mapped IP
2. Mouse over on the address object but nothing displayed
17. [BUG FIX] 091228990

There is no invalid field error message to remind user what is the max characters that user
can input
1. Enter Configuration > Object > Certificate page
2. Click “Add” icon to create a certificate
3. Input more than 31 characters in the Name field
4. There is no invalid field error message to remind user what is the max characters that
user can input
18. [BUG FIX] 091229084
Some wordings are not translated properly
1. Change the system language to Simplified Chinese
2. Enter 监控-〉统计-〉切换至图形视图, the button “注册” needs to be translated to “刷新”
3. Enter 监控-〉Anti-X 统计数据-〉防垃圾邮件, the table “状态” needs to use Simplified
Chinese, but it uses Traditional Chinese
19. [BUG FIX] 091229109
The warning message is incorrect in certificate import page.
1. Enter Configuration > Object > Certificate page
2. Import a certificate
3. Select one PKCS#12 type certificate you want to import from your disk
4. Leave the password empty and click OK
5. Error message popped up “errno:-17030; errmsg: Invalid PKI PKCS#12 password”. This
is correct and click OK to close the error message window
6. GUI will mark the Password field invalid but there is no description for it
7. There is no need to mark the Password field invalid
20. [BUG FIX] 091229148
Incorrect summary content when adding PPPoE via installation wizard
1. Reset to default configuration
2. Login to GUI and the installation wizard popped up
3. Select “I have Two ISP” and continue the configuration
4. Configure the first WAN as Ethernet interface
5. Configure the second WAN as PPPoE interface
1) Service Name: aaa

2) User Name: aaa
3) Enable nail-up
6. In the summary page of Internet Access Configuration page, the content is incorrect
21. [BUG FIX] 091229169
There is no field error message to remind user when inputting more than 255 characters
1. Enter System > DNS page
2. Create one A record with FQDN content more than 255 characters
3. Click OK but system cannot save the configuration successfully
4. GUI should have field invalid error message to remind user and cannot allow user to
click OK button
22. [BUG FIX] 091230289
The custom signature still works even after it was deleted
1. Create one custom signature like below
1) Severity: Low
2) Platform: All
3) Service: ICMP
4) Policy Type: Scan
5) Header Option: Transport Protocol = ICMP, Type = 8, Code = 0
2. Activate this custom signature in the related IDP profile and make sure this custom
signature works
3. Delete the custom signature
4. We found the custom signature still works and it could be found in the IDP profile
23. [BUG FIX] 091230303
The error message for the invalid field is incorrect for some fields
1. Try to add a NAT or DDNS rule
2. In rule name field, input more than 31 characters
3. There will be an error message for indicating the invalid field and remind the constraint
of that field
4. The content of the error message is wrong that it said the max characters we can input is
30 but actually it should be 31
24. [BUG FIX] 091230376

The wording of the error message of the invalid field is incorrect
1. Edit an Ethernet interface
2. Configure its Connectivity Check and assign the invalid IP address format to “Check
this address”
3. The error message for this invalid field will be popped up and displays “The value
should be an IP address or an FQDN”
4. “an FQDN” should be changed to “a FQDN”
25. [BUG FIX] 100104012
IP/MAC Binding cannot reset to default after applying system default configuration
1. Apply default configuration file. Connect PC to LAN port and connect WAN port to
2. Activate IP/MAC Binding for LAN and WAN
3. Apply system default configuration
4. We found the IP/MAC Binding for WAN is still activated
26. [BUG FIX] 100104093
The default value is different when adding a user object from different place
1. Add a user object via Configuration > Object > User/Group > User page, GUI will
assign default value for “Description” field
2. Add a user object via Configuration > VPN > SSL VPN > Access Policy Summary’s
policy edit page, GUI won’t assign the default value for “Description” field
27. [BUG FIX] 100104124
The Force User Authentication is disabled when changing the Authentication status
1. Add an EPS object “dd”
2. Add an Authentication policy “tt”, enable Enable EPS Checking, enable Periodical
checking time=3, add dd to selected EPS, do not apply
3. Change Authentication status from required to unnecessary, do not apply.
4. Change Authentication status from unnecessary to required again, you will find the
checkbox of Force User Authentication changes from enable to disable, the other settings
are kept
28. [BUG FIX] 100106345

Wording issue: the Warning Message “Default L2TP crypto map is goiong to be deleted.
You can recover it via L2TP CLI command.” has wrong word “goiong”, it should be
1. Enter into Configuration> VPN connection page
2. Remove the default VPN connection rule
3. The warning sentence “Warning Message: ‘Default L2TP crypto map is goiong to be
deleted. You can recover it via L2TP CLI command.’” pops up
4. It has one wrong word “goiong”, it should be “going”
29. [BUG FIX] 100106358
Under certain condition, adding user object in L2TP VPN page is not right
1. Enter into Configuration> L2TP VPN page
2. Add one user by clicking “Create new object”
1) User name is “aa”
2) Password is “1234”, Retype is “1234”
3) Authentication Timeout Settings is “Use manual Settings”
4) Lease time is “22”
5) Reauthentication time is “22”
3. This rule can be saved without any warning, but checking this user, the “Authentication
Timeout Setting” option is still “Use Default Settings”
30. [BUG FIX] 100106400
Extension Slot display issue for Huawei 3G card.
1. Insert Huawei E220 3G card
2. 3G’s Status is displayed incorrectly in Extension Slot as below
# Slot Device Status
2 USB 1 Huawei E220/E270/E800/E18 0Inactive
31. [BUG FIX] 100107482
AV White/Black List cannot allow more than 80 characters filled in
1. Enter into Configuration> Anti-Virus> Black/White list> Black list page
2. Add one rule, filling in long characters (more than 80 characters) in File Pattern field, there
is no warning
3. Click OK button, one window “Wrong CLI command, device timeout or device logout”
pops up
32. [BUG FIX] 100107487
Display setting change will affect Priority setting.
1. In Monitor> View Log page, Show Filter. Display=Anti-Spam, Priority=alert, click
2. Change Display=Anti-Virus, you will find that the Priority has been changed to any t the
33. [BUG FIX] 100108579
In AV> Black/white list page, add one rule, under certain condition, the rule saved is not
1. Enter into Configuration> Anti-virus> Black/White list page
2. Add one black list rule (or white list rule), in adding window, uncheck “Enable”
checkbox, fill in “1” in File Pattern, apply
3. Check the rule saved, this rule is still enabled
34. [BUG FIX] 100111680
Under certain condition, user can’t login DUT
1. Create one Auth. Method including Radius Server (first), and Local (second)
2. Make the Radius Server unreachable by DUT
3. Login DUT via GUI with a local user in DUT cannot be successful
35. [BUG FIX] 100111699
Under certain condition, ADP profile rule cannot be edited successfully
1. Enter into Configuration> Anti-x> ADP> Profile page
2. Edit one profile
3. In Scan Detection field, select all rules, inactivate them, the log option is “log alert”, the
Action option is “block”, click “OK” button
4. One error message “Wrong CLI command, device timeout or device logout” pops up,
and checking the rule saved, it is not right
36. [BUG FIX] 100112888

When adding two user defined trunks with long names into DUT, the name shown in
Default WAN Trunk field is incomplete
1. Enter into Configuration> Interface> Trunk page
2. In User Configuration, add two user defined trunks
3. These two trunks’ names shown in Default WAN Trunk field are incomplete
37. [BUG FIX] 100113962
3G budget will be reset when 3G interface disconnected because of idle time out.
1. Insert one 3G card, add a 3G interface.
1) Disable Nailed-Up
2) Configure the idle timeout value
3) Configure the Time Budget
2. After the 3G interface disconnected due to idle timeout, the Time Budget will be reset
38. [BUG FIX] 100113972
Wording issue, one log about ping check has wrong word “an”, it should be “a”
One log about TCP mode ping check “Receive an TCP IPSec Connectivity check packet
request” has wrong word “an”, it should be “a”
39. [BUG FIX] 100114086
When using MG-Soft software to look at CPU information, the log has the error message “#configure
terminal show _zldmib session status, file not found”
1. Enable SNMP
2. Server Port=161, Get Community=public, Set Community=private,
Trap/Community=blank, Destination=blank
3. Use MG-Soft software to look at CPU information
4. The log has the error message “#configure terminal show _zldmib session status, file not
40. [BUG FIX] 100114100
Configure static PPPoE based on ge3 via Quick Setup, the dns order is incorrect in DNS

1. Configure PPPoE interface via Quick Setup
2. Configure this PPPoE interface with static IP Address
3. Configure two DNS servers for its first and second DNS server
4. Configure other settings accordingly
5. After finishing the setup, the DNS order is incorrect
41. [BUG FIX] 100114134
Outgoing traffic from DUT itself cannot follow Policy Route configuration
1. Configure two WAN interfaces, one is Ethernet and another is 3G interface
2. Add one Policy Route, from ZyWALL to Any, next hop is the 3G interface
3. Configure Syslog Email Server properly and click “E-mail Now”
4. We found sometimes the mail traffic goes out via the Ethernet interface or goes out via
the 3G interface but carries the incorrect interface IP address
42. [BUG FIX] 100118397
Sometimes HTTPS cannot follow Firewall configuration
1. Reset to default configuration
2. Create Firewall rule to allow some services from WAN to ZyWALL without HTTPS
3. Change the default Firewall rule to be deny
4. Accessing ZyWALL via HTTPS should not work but sometimes it works after rebooting
DUT several times
43. [BUG FIX] 100119445
There is no content displayed when mouse over the Local/Remote Policy in VPN
1. Create one VPN Connection with Local/Remote Policy assigned
2. Move mouse over the Local/Remote Policy but there is no object content displayed
44. [BUG FIX] 100119473
CLI for displaying the RAM size cannot work
1. “show ram-size” cannot work
2. It should display the ram size according to the product
45. [BUG FIX] 100119492

The “Window Size” item can’t be saved correctly when editing a custom signature
1. Anti-x>IDP>Custom Signatures, add a new signature
1) name = Test
2) Severity = low
3) Platform = all
4) Service = ICMP
5) Policy Type = Scan
6) Transport Protocol = TCP, Window Size equals to 16190, other settings are default
2. Edit this signature again, in “Window Size” item, the “equal” is not selected
46. [BUG FIX] 100119517
Interface Status Summary at Dashboard always displays Dialing
1. Configure one PPP interface and activate it
2. Click the dial icon of the PPP interface in Interface Status Summary table in Dashboard
3. The pop up window always displays “Dialing…”
47. [BUG FIX] 100120705
There is no warning message when user intends to upload the startup-config.conf
1. There is no warning message when user intends to upload the startup-config.conf
2. There is one warning message popped up when user intends to upload the
startup-config.conf in versions before 2.20
48. [BUG FIX] 100120721
Static DHCP IP/MAC binding cannot work for bridge interface
1. Create one bridge interface with all interfaces joined
2. Configure this bridge interface as a DHCP server
3. Connect one PC to DUT and can get the IP address A from DUT correctly
4. Create one Static DHCP IP/MAC binding “IP-B<->PC’s MAC” in the bridge interface
5. Renew the IP address on the PC but the PC still gets IP address A
49. [BUG FIX] 100120740
The sorting result is not correct in AppPatrol Statistics

1. Enable Application Patrol and make some traffic through DUT
2. Enter MONITOR > AppPatrol Statistics
3. In Protocol Statistics, sorting result is not correct
50. [BUG FIX] 100120784
Testing one empty URL in “Test Web Site Category” causes GUI to keep loading
1. Create one Content Filter Profile
2. Enter this profile and input nothing in “URL to test” field
3. GUI will keep loading
51. [BUG FIX] 100121844
When adding a pppoe account in ISP Account, the Service Name can’t be saved correctly
1. Add one ISP account as below
1) Profile Name = pppoe
2) Protocol = pppoe
3) Authentication Type = Chap/PAP
4) User Name = testzywall
5) Password = 1234
6) Service Name = pppoe
7) Idle timeout = 0
2. Check the pppoe account you just added, you will find the Service name is blank, not
52. [BUG FIX] 100121849
In PPTP interface, the ISP Setting did not show the corresponding content of pptp account
1. Create one ISP account with PPTP protocol
2. Create one PPP interface with this PPTP ISP account
3. The ISP Setting in the PPP interface edit page does not display the corresponding
53. [BUG FIX] 100121930
Dashboard displays abnormally when going from the “Packet Capture” page
to the “DASHBOARD” page in the IE browser
1. Use IE browser to login device
2. Go to page MAINTENANCE > Diagnostics > Packet Capture page, then go
to “DASHBOARD” page
3. DASHBOARD page displays abnormally on “Virtual Device” and “Interface Status
Summary” widget
54. [BUG FIX] 100125239
DHCP configuration could not be saved when DHCP relay has a wrong value
1. Edit DMZ interface
2. Set it as DHCP Relay and server is Apply it
3. Edit the DMZ interface again
4. Change the DHCP Relay server IP to “192.168” first
5. Change the DHCP setting to DHCP Server. Start Address is and pool size
is 25. Apply it
6. Edit the DMZ interface again
7. The DHCP setting is still DHCP Relay instead of DHCP server
55. [BUG FIX] 100126382
IPSec SA won’t be removed in remote gateway when IPSec Fallback succeeds
1. Create one VPN Connection with Primary and Secondary gateway and IPSec Fallback is
2. Make DUT Fail Over and Fallback once
3. Check the secondary gateway and found the SA on remote secondary gateway was not
56. [BUG FIX] 100201066
The configuration won’t be saved correctly when configuring PPPoE via Quick Setup
1. Configure PPPoE interface via Quick Setup and set its service name including “%”
2. After finishing the PPPoE configuration via Quick Setup, the PPP interface setting is not
correct when editing that PPP interface
57. [BUG FIX] 100203203
Device will apply lastgood.conf or system-default.conf after reboot
1. Create one user named “abcde” via GUI

2. Create one user named “abcd” whose user type is “ext-user” or “ext-group-user” via GUI
3. Reboot DUT
4. DUT will try to apply lastgood.conf or system-default.conf
58. [BUG FIX] 100204340
Site Map window might be closed when clicking a specific area in the Site Map window
1. Open Site Map window
2. Click some empty area in the Site Map window
3. The Site Map window might be closed
59. [BUG FIX] 100205425
The signature version of IDP/AV in License Service Status table in Dashboard is abnormal
1. Login DUT via GUI
2. Refresh the table of License Service Status
3. The signature version of IDP/AV is displayed abnormally
60. [BUG FIX] 100205463
Some characters are overlapped when using Traditional Chinese or Simplified Chinese
1. Add a Static DHCP rule for LAN interface
2. Edit the LAN interface again and found the wording of the grid of the DHCP static
setting is overlapped
61. [BUG FIX] 100207588
VLAN interface cannot be applied successfully in a specific case
1. Create one VLAN interface called vlan0 with a Static DHCP setting record
2. Remove the VLAN interface vlan0
3. Create one VLAN interface called vlan3 with the same setting as vlan0 we just removed
4. The VLAN interface vlan3 cannot be applied successfully with one warning message
popped up
62. [BUG FIX] 100207599
3G Budget will be reset every 30 seconds in a specific case
1. Create one 3G interface with below setting

1) Enable Budget Control
2) Enable Time Budget and Data Budget
3) Reset time and data budget counters on the 5th day of each month
2. Configure the system date to the date which is configured in item 3 of step 1
3. 3G Budget will be reset every 30 seconds
63. [BUG FIX] 100208653
Device will apply lastgood.conf or system-default.conf after reboot
1. Create maximum number of DNS MX records
2. Create one additional DNS MX record; it should fail
3. Reboot DUT
4. DUT will try to apply lastgood.conf or system-default.conf
64. [BUG FIX] 100209721
The release date of the EPS signature is wrong
1. The release date of EPS signature in 2.20 B4 is 2009/11/19
2. The release date of EPS signature in 2.20 B5 is 2009/1/21. It is incorrect
65. [BUG FIX] 100209767
EPS check with Avira_Antivir_Personal_v2009 traditional Chinese edition will always fail
1. Configure one EPS object with checking Avira_Antivir_Personal_v2009
2. PC installs Avira_Antivir_Personal_v2009 Traditional Chinese version
3. Create one SSLVPN policy with checking this EPS object
4. PC login to SSLVPN will always fail due to EPS checking
66. [BUG FIX] 100210895
EPS checking will still be performed even when the Auth. Policy is not in the schedule
1. Create one Auth. Policy with EPS checking required and schedule assigned
2. Login DUT via GUI at the time which is not in the schedule
3. The EPS checking will be still performed
67. [BUG FIX] 100222079
SSL VPN’s File Sharing menu bar’s “up” button is translated to the wrong Traditional Chinese
1. Login DUT via SSLVPN
2. Change the SSL VPN GUI language to Traditional Chinese, the menu bar’s “up” is
translated to the wrong Traditional Chinese word = 運作中
68. [BUG FIX] 100224215
3G interface cannot be activated in a specific case
1. Create one 3G interface via GUI and disable it at first
2. Edit this 3G interface again
3. Activate this interface and click Apply
4. GUI will return “No need to apply” and this is not correct
69. [BUG FIX] 100301012
PC can PING Internet host even though PING service is removed from Exceptional Service table
in Auth. Policy page
1. Reset to default configuration
2. Enable Authentication Policy
3. Create one Auth. Policy rule. From LAN_SUBNET to ANY, Authentication = force
4. Remove all rules in Exceptional Service table
5. Add PING service first then DNS Service
6. Remove PING service from Exceptional Service table
7. We found PC under LAN_SUBNET can still PING Internet hosts


Modifications in 2.20(AQQ.0) - 2010/02/25

Modify for formal release


Modifications in 2.20(AQQ.0)b6 – 2010/02/23

1. [BUG FIX] 100211949

In Device-HA mode, Backup cannot build up VPN tunnels successfully after it took over
1. Configure Device HA properly on Master and Backup and its monitored interface is a
bridge interface
2. Configure one VPN rule on both Master and Backup with My Address configured as
FQDN type
3. Make sure the VPN tunnel can be dialed up in Master
4. Make Backup take over but the VPN tunnel on Backup cannot be dialed up successfully
2. [BUG FIX] 100211954
In Device-HA mode, Master cannot build up the VPN tunnel successfully if the My
Address in VPN Gateway is configured as IP address
1. Configure Device HA AP Mode properly on Master
2. Configure one VPN rule properly and My Address in VPN Gateway is configured as IP
3. The interface which owned the My Address is monitored by Device HA
4. The VPN tunnel cannot be dialed up


Modifications in 2.20(AQQ.0)b5 – 2010/01/29

PPTPALG supports PPTP Server at LAN
Update Java certificate expiration date to 2012/1/20
3. [BUG FIX] 091222674
Login to DUT with a normal user will fail after logging in to DUT over 50 times with different
1. Use different users to log in to DUT over 50 times
2. Log in to DUT with a new user; the login does not succeed
4. [BUG FIX] 091229192
Webpage will stay in "loading" status after special operation.
1. Reset DUT to system-default configuration file
2. Go to Log Setting page, edit Remote Server 1: Server Address=, Active
Log=enable normal logs, apply
3. Go to Object> Schedule page, the webpage will stay in "loading" status
5. [BUG FIX] 091229204
DUT will apply system-default configuration when F/W is upgraded from v2.12 to 2.20b4 and
the DUT is then rebooted.
1. Upgrade to 2.20 B4
2. Downgrade to 2.12
3. Apply system-default configuration, and change system name via GUI
4. Upgrade to 2.20 B4
5. Reboot DUT
6. Failed to apply startup-config.conf, because of "ERROR: force-auth default-rule
authentication allow no log".
6. [BUG FIX] 091230324
Under certain condition, Ping Check doesn't work

PC --- LAN(DUT)WAN--- Internet
1. Use system default configuration
2. Leave WAN port unplugged
3. Enable Ping Check on WAN interface, the check period is 5, others keep default
4. Plug back the WAN interface
5. The PC can access Internet but there is no Ping packet sent out via WAN interface
7. [BUG FIX] 091231492
EPS check of KAV 2009/2010 always fails in Windows 2000
1. Create EPS object to check KAV 2009 or KAV 2010
2. Create one Auth. Policy to check the EPS
3. Log in to DUT from a host which runs Windows 2000; it always fails
8. [BUG FIX] 100104033
EPS Failure for checking Kaspersky_Internet_Security_v2009
1. Add an EPS rule to check Kaspersky_Internet_Security_v2009
1) Endpoint Operating System : Windows
2) Window Version : Windows XP2
3) Endpoint must have Personal Firewall installed : Enable
4) Allowed Personal Firewall List : Kaspersky_Internet_Security_v2009
5) Endpoint must have Anti-Virus software installed : Enable
6) Allowed Anti-Virus Software List : Kaspersky_Internet_Security_v2009
2. Install KIS v8.0.0.523 on Windows XP2; login to the device will always fail the check
9. [BUG FIX] 100104076
All buttons of File Sharing can't work via SSL VPN
1. Edit Object>User/Group>User,add a test1
2. Edit Object>SSL Application,add rules
1) Name=Filesharing_NAS;Shared Path=\\\sic
3. Edit web eWC/SSL VPN/Access Privilege,add rules
1) Name=File_share,User / Group Member=test1,SSL Application List /
4. test1 can browse Windows file sharing folder but can't use any of the buttons: New

10. [BUG FIX] 100104109
AUX cannot work.
1. Enable aux interface
2. Click the connect icon, but nothing happened
11. [BUG FIX] 100105162
If the quick setup PPPoE username includes the symbol '%', the setting can't be saved.
1. Press the Quick setup button to setup PPPoE with username = az%99 then press next to
2. Check the interface-> PPP interface's setting is not saved
12. [BUG FIX] 100113049
Dialing up an L2TP over IPSec tunnel causes DUT to send an excessive number of hello packets to the client.
1. Reset to default configuration
2. Create 2nd VPN connection
3. L2TP client dials up the L2TP tunnel and finds that lots of L2TP hello packets are
sent to the L2TP client


Modifications in 2.20(AQQ.0)b4 - 2009/12/25

GUI Web Help is ready
Multi-Language is ready
New CLI command “policy-route controll-virtual-server-rules”. Below is the short description
for the CLI command
1) In the past, 2.1x firmware, NAT 1-1 and NAT-Loopback functionality is achieved by
creating additional Policy Route rules on TOP of Policy Route table automatically. The
content of Policy Route table is possibly like below
(1) From LAN_SERVER1 to any, nexthop is WAN1, SNAT: outgoing interface
(2) From LAN_SERVER2 to any, nexthop is WAN2, SNAT: outgoing interface
(3) From LAN to any, nexthop is WAN_TRUNK, SNAT: outgoing interface
2) In 2.20 release, the Routing and Source NAT priority of NAT 1-1 and NAT-Loopback is
lower than Policy Route
3) If user configured several NAT 1-1 and NAT-Loopback rules in 2.1x firmware, it is
possible that newly created NAT 1-1 and NAT-Loopback rules cannot work anymore
after upgrading to 2.20 firmware.
When creating a new NAT 1-1 or NAT-Loopback NAT rule in 2.20 firmware, DUT won't
create the related Policy Route rule for that NAT rule but automatically creates the
corresponding NAT 1-1 or NAT-Loopback Routing/SNAT rules with lower priority than Policy
Route. These might not work because some OLD Policy Route rule created in 2.1x
firmware might override their functionality, like 1) (3) above
4) We create one CLI command to make the Routing/SNAT priority of NAT rule higher than
Policy Route to avoid this situation
5) policy-route controll-virtual-server-rules activate
Make the priority of Routing/SNAT of NAT rules lower than Policy Route
6) no policy-route controll-virtual-server-rules activate
Make the priority of Routing/SNAT of NAT rules higher than Policy Route
7) If system detects firmware upgrading from those before 2.20, system will make the priority
of Routing/SNAT of NAT rules higher than Policy Route
8) System will make the priority of Routing/SNAT of NAT rules lower than Policy Route by
default configuration
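
The priority behaviour described in items 1) to 8), as a simplified first-match model (an added example, not ZyXEL code). The rule tables, addresses and function names are constructed for illustration, and top-down first-match evaluation is an assumption of the model.

```python
# Simplified model of the Routing/SNAT lookup order for Policy Route vs. NAT 1-1.
# Assumption: tables are evaluated top-down and the first matching rule wins.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    table: str    # "policy-route" or "nat-1-1"
    name: str
    source: str   # CIDR matched against the packet source address
    nexthop: str
    snat: str     # "outgoing-interface" or a fixed mapped address

    def matches(self, src: str) -> bool:
        return ipaddress.ip_address(src) in ipaddress.ip_network(self.source)


# Constructed sample configuration (documentation address ranges).
# Policy Route table carried over from 2.1x, shaped like list item 1).
POLICY_ROUTES = [
    Rule("policy-route", "LAN_SERVER1", "192.0.2.10/32", "WAN1", "outgoing-interface"),
    Rule("policy-route", "LAN_SERVER2", "192.0.2.11/32", "WAN2", "outgoing-interface"),
    Rule("policy-route", "LAN", "192.0.2.0/24", "WAN_TRUNK", "outgoing-interface"),
]
# NAT 1-1 rule created after the upgrade: 2.20 adds no Policy Route rule for it.
NAT_RULES = [
    Rule("nat-1-1", "LAN_SERVER3", "192.0.2.12/32", "WAN1", "198.51.100.12"),
]


def lookup_order(policy_route_controls_nat: bool):
    """True models 'policy-route controll-virtual-server-rules activate'
    (NAT Routing/SNAT below Policy Route); False models the 'no' form."""
    if policy_route_controls_nat:
        return POLICY_ROUTES + NAT_RULES
    return NAT_RULES + POLICY_ROUTES


def resolve(src: str, policy_route_controls_nat: bool):
    """Return the first rule that matches the source address, or None."""
    for rule in lookup_order(policy_route_controls_nat):
        if rule.matches(src):
            return rule
    return None


def shadowed_nat_rules(policy_route_controls_nat: bool):
    """List (nat_rule, shadowing_rule) pairs where an earlier-evaluated rule
    already covers the whole source range of a NAT 1-1 rule."""
    order = lookup_order(policy_route_controls_nat)
    shadowed = []
    for i, rule in enumerate(order):
        if rule.table != "nat-1-1":
            continue
        net = ipaddress.ip_network(rule.source)
        for earlier in order[:i]:
            if net.subnet_of(ipaddress.ip_network(earlier.source)):
                shadowed.append((rule.name, earlier.name))
                break
    return shadowed


if __name__ == "__main__":
    for flag in (True, False):
        hit = resolve("192.0.2.12", flag)
        print(f"policy route controls NAT={flag}: matched {hit.table}/{hit.name}, "
              f"SNAT={hit.snat}, shadowed={shadowed_nat_rules(flag)}")
```

With the NAT rules below Policy Route, the old LAN-to-any rule captures the new server's traffic and it leaves with the outgoing interface address instead of its 1-1 mapped address, which is the case the upgrade default in item 7) avoids.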

Add i-note to tell user that creating a certificate with DSA-2048 will take a long time

Remove two obsolete categories and automatically map them to related new categories
1) sexuality-alternative-lifestyles -> alternative-sexuality-lifestyles
2) alcohol-tobacco -> alcohol and tobacco
Japanese is one of the supported languages
Japanese is not supported anymore
If user uses Japanese in former firmware, it will be set to English automatically after
upgrading to 2.20 B4 firmware
7. [BUG FIX] 090827638
IDP custom signatures can be exported, but cannot be imported by default name:
1. Anti-x>IDP>Custom Signatures, click the checkbox of Export, then export it to a file
named custom.rules
2. Anti-x>IDP>Custom Signatures, delete all custom signatures
3. Anti-x>IDP>Custom Signatures, add a new signature
4. Anti-x>IDP>Custom Signatures, import the custom

5. All custom signatures have disappeared
8. [BUG FIX] 090828859
VPN of PFS group behavior is incorrect.
1. Set PFS to use the DH1 group on the DUT1 phase2 rule
2. Set PFS to none on the DUT2 phase2 rule
3. VPN tunnel can still be established between DUT1 and DUT2
9. [BUG FIX] 090901031
Manual key VPN of policy enforcement function cannot work.
PC1 --- DUT1 --- VPN --- DUT2 --- PC2
1. Add a manual key rule on DUT1, and enable policy enforcement by CLI command
2. Add a policy route on DUT1 from Any to Remote Subnet
3. Add a manual key rule on DUT2
4. The policy enforcement does not work, because PC1 can still ping PC2
10. [BUG FIX] 091124142
GUI service object of ICMP protocol cannot see the "User Defined ICMP type" ICMP type.
1. Go to page Configuration > Object > Service, add a service object
2. The ICMP protocol does not show the "User Defined ICMP type" type
11. [BUG FIX] 091124212
The encrypted ESP packet is always sent out of the wrong interface if the DUT has two WAN
1. This issue happens on PQA gateway
2. PQA gateway has two WAN interfaces, pppoe1 and pppoe2
3. Establish IPSecVPN tunnel by pppoe1 interface
4. Make sure IPSecVPN tunnel is established, but the encrypted ESP packet is always sent out
from pppoe2 interface
5. The issue cannot be solved by any method (e.g. policy route or metric).
12. [BUG FIX] 091126385
When an address range contains more than three IPs, SNAT doesn't work

1. Create one address object with Range Type and over three IP addresses
2. Configure one Policy Route rule which do the SNAT with the Range Type address
object just created
3. PC on LAN cannot access Internet
13. [BUG FIX] 091203243
After enabling AS, sending mail via VPN does not work
Mail Server --- DUT1 --- VPN --- DUT2 --- Mail Client
1. Build one Site-To-Site VPN between DUT1 and DUT2
2. Create one Any to Any AS rule
3. Sending mail via this VPN tunnel does not succeed


Modifications in 2.20(AQQ.0)b3 - 2009/11/20

EPS Signature Update to for supporting more AV/Firewall signatures
The new supported signatures are listed as below
1) Norton_AntiVirus 2010
2) Norton_Internet_Security 2010
3) Norton_360 Version, version 3
4) TrendMicro_PC-Cillin_Internet_Security 2010
5) TrendMicro_PC-Cillin_Internet_Security_Pro 2010
6) TrendMicro_PC-Cillin_AntiVirus 2010
7) Avira AntiVir Personal 2009
8) Microsoft_Security_Center
9) Windows_Firewall
To update EPS signature to, please enter below CLI command after firmware upgrade
Router> debug eps signature load-def

And you will find the EPS signature is updated via below CLI command
Router> show eps signature status
EPS signature information:
Current version :
Release date : 2009-11-19
Signature numbers : 18
Synchronize the system default configuration for all models. This enhancement will make the
system default configurations between all models similar with the common policies
1) User guest is removed
2) The default lease time for admin is set to 30 minutes
3) Add default PPPoE ISP accounts for each default PPP interfaces
4) Bind the default PPPoE ISP accounts to the default PPP interfaces
5) Add GRE service object by default
6) Add GRE service object into service group Default_Allow_WLAN_To_ZyWALL by
7) Remove default user customized trunks
8) Remove default user configurable service control rules for

9) Synchronized the default firewall rules for all models
10) Remove LAN_ADP, DMZ_ADP and ZyWALL_ADP anomaly profiles from default
11) Add ADP_PROFILE into default configuration and bind to default anomaly rules
12) Bind ADP_PROFILE to default anomaly rules
13) Add IDP signature rule from any to WLAN binding with LAN_IDP profile
14) Add default AV rules
15) Activate BWM by default(For performance testing, please turn off BWM first)
There are some GUI enhancements
1) Mouse Over Enhancement
When moving the mouse pointer over an object, GUI will display the basic content of that
object. Supported objects are User Group/Address/Address Group/Service/Service
2) Invalid Field Error Message Description Enhancement
When user enters an invalid value checked by the corresponding GUI pages, the error messages
describing why they are invalid will be more user-readable.
3) Add State(Province) and Town(City) fields when creating a new certificate
4) Configuration Apply enhancement.
When applying a configuration via GUI, GUI will pop up a window with 4 options for
(1) Immediately stop applying the configuration file
(2) Immediately stop applying the configuration file and roll back to the previous
(3) Ignore errors and finish applying the configuration file
(4) Ignore errors and finish applying the configuration file and then roll back to the
previous configuration
There will be a log generated when an interface is renamed
Add Object reference for OSPF
Add CLI command to display URL Cache by range
Router# show content-filter url-cache begin 1 end 5
No. Category TTL URL

1 Computers/Internet 4320
2 Social Networking 4235
3 Social Networking 3910
4 Search Engines/Portals 4295
5 Proxy Avoidance 4320
Support IPSec ESP ALG
The peer GWs have no need to enable NATT if ZyWALL in between. Below is an example
(Acts as an NAT Router)
ZyWALL-A and ZyWALL-B can establish the VPN tunnel because DUT has IPSec ESP ALG
supported (IPSec Pass Through)
SSLVPN Windows 7 Support for both 32-bit and 64-bit
User can't set empty string in eWC->Content Filter->Denied Access Message.
User can set empty string in eWC->Content Filter->Denied Access Message
When user set Denied Access Message empty and access the internet,
if the URL matches the category which should be blocked, web browser would
redirect to the Redirect URL directly without showing any Denied Access Message
and category.
In GUI, Maintenance > Diagnostics > Packet Capture > Capture > Interface
The left side interface list named “Interfaces” and the right side interface list named
“Allowed interface”

In GUI, Maintenance > Diagnostics > Packet Capture > Capture > Interface
The left side interface list named “Available Interfaces” and the right side interface list
named “Capture Interfaces”
In GUI page, Configuration > Auth. Policy > Authentication Policy Summary
The default rule displays “action” with “allow”, “drop” and “deny”
In GUI page, Configuration > Auth. Policy > Authentication Policy Summary
The default rule displays “Authentication” with “required” and “unnecessary”
And Log with “no”, “log” and “log alert”
Via CLI, default mode of the interface group is “normal” when creating a new interface-
Via CLI, default mode of the interface group is “trunk” when creating a new interface-
13. [BUG FIX] 090814172
Ping Check section cannot be configured anymore after enabling Ping Check
1. Enter VPN/ IPsec/ VPN connection
2. Add or Edit a rule
3. Enable the ping check section and apply
4. Edit the rule again
5. Cannot disable Ping Check anymore
14. [BUG FIX] 090915152
SIP phone registration fails when SIP ALG uses port 5070
1. Edit Configuration> Network>ALG,Enable SIP ALG
2. Set SIP Signaling Port = 5070
3. V300 using port 5070 fails to register to the SIP server
15. [BUG FIX] 090929397
IP/Mac Binding cannot work properly

1. Apply default configuration
2. Create/enable a correct IP/MAC binding item on ge1 and make sure the host can access
3. Edit the IP/MAC binding item and replace it with a wrong MAC
4. The host shouldn't access Internet but it could
16. [BUG FIX] 091020246
The "Customized Access Page" setting can't be applied correctly.
1. Apply default configuration
2. Configuration>System>WWW>Login Page, use "Use Customized Login Page"
3. Upload a picture as "Customized Access Page" and apply the setting after upload
4. Exit this page and then enter this page again; you will see the setting of "Customized
Access Page" is "color" not "picture".
17. [BUG FIX] 091020250
3G interface in Default WAN Trunk sometimes works incorrectly.
1. Enable AUX interface
2. Insert E270 3G card in USB 1 slot
3. Configuration> Network> Interface> Cellular, enable cellular2 and fill in necessary
setting, then dial up 3G connection
4. Unplug WAN1 & WAN2 physical line
5. Configuration> Network> Interface> Trunk, check
SYSTEM_DEFAULT_WAN_TRUNK has cellular2 interface, but LAN host's traffic can't
go out to the Internet
18. [BUG FIX] 091021311
The button 'Show Advance Settings/Hide Advance Settings' in VLAN page is abnormal.
1. In VLAN page, add a new VLAN interface
2. Click 'Show Advance Settings' button. You will see advanced settings are shown on the page
and the button 'Show Advance Settings' is changed into 'Hide Advance Settings'
3. Click the 'Hide Advance Settings'. Advanced settings are hidden on the page but the button is
not changed into 'Show Advance Settings' again
4. Then the button is useless. Click it, nothing will change
19. [BUG FIX] 091021313

After enabling "Auto Destination Address" checkbox, the policy rule saved is not right
1. Add one policy rule in Routing page, select "Next-Hop" to dynamic VPN(except
Default L2tp vpn rule), enable "Auto Destination Address", save it
2. Check this policy again, the "Auto Destination Address" checkbox disappears, it is not
20. [BUG FIX] 091022366
After dialing L2TP successfully, PC cannot ping(or ftp) DUT through its LAN IP address
1. Build one L2TP VPN successfully
2. Add one Policy Route rule, the source is DUT LAN subnet, the destination is L2TP pool,
next hop is "Default_L2TP_VPN tunnel"
3. PC can ping LAN hosts, but cannot ping (or ftp) DUT LAN IP address
21. [BUG FIX] 091023471
PPP interface of PPTP protocol cannot work.
1. In 2.20 default configuration, the PPTP connection always fails
2. If firmware is downgraded to 2.12 and the 2.12 default configuration is applied, it will work fine
3. If running 2.12 configuration on 2.20 firmware, it will work fine
22. [BUG FIX] 091026533
Click Dashboard twice, the GUI will hang
1. Enter into GUI of DUT, the default page will be "Dashboard"
2. Click "Dashboard Tab"
3. The GUI will keep loading and have no response
23. [BUG FIX] 091027644
L2TP over IPSec with NAT-T doesn't work
1. Connect L2TP from a host which is under a NAT Router
2. The L2TP tunnel will not connect successfully


Modifications in 2.20(AQQ.0)b2 - 2009/10/17

Turn on NAT Loopback when creating NAT rules via GUI
GUI Site Map is ready
GUI Login Page Customization is ready
EPS signature KAV 2009/2010 is ready. For updating the new EPS signature, please enter
below CLI command after upgrading to 2.20 b2 firmware
Router> debug eps signature load-def
Router> show eps signature anti-virus
No. Name Detection
1 Kaspersky_Anti-Virus_v2009 yes
2 Kaspersky_Anti-Virus_v2010 yes
New 3G card support for Huawei E180 and E800
In VLAN edit page, add Zone selection for user quick configuration
There will be a log message for Interface renaming
There are some enhancements for App.Patrol rules in GUI
1) In policy summary page, the “BWM In/Out/Priority” field will show “no/no/7” if Inbound
and outbound BWM of the policy are disabled(0 is disable)
2) In policy edit page, the “Priority” field and “Maximize Bandwidth Usage” selection will be
hidden if both Inbound and Outbound BWM setting are disabled
3) In policy edit page, the default Priority will be 4 for configuring BWM
GUI I-Note is ready
In GUI dashboard, add Interface status and Extension slot information
For L2TP authentication, supports special characters “!@#$%^&*()” as password

Display Mac address while show WLAN interface via CLI
There is help page in GUI right panel and old GUI link
Remove the GUI right panel help page and old GUI link
In GUI configuration page, click “Show All Setting” and “Show Basic Setting” will
display advanced setting and hide advanced setting accordingly
In GUI configuration page, click “Show Advanced Setting” and “Hide Advanced Setting”
will display advanced setting and hide advanced setting accordingly
15. [BUG FIX] 090818327
User Group cannot be edited via GUI
1. Add one user whose name is "user1"
2. Add one user group whose name is group1
3. Edit the group1 rule, add the user "user1" to this rule, click "apply"
4. The rule cannot be saved, one error message showed "Wrong CLI command, device
timeout or device logout"
16. [BUG FIX] 090819548
System time is not correct after rebooting the DUT
1. In system Date/Time page
2. Set the time and date setup to manual
3. Set time zone to GMT+8
4. Reboot DUT
5. DUT system time will be 8 hours more than the original time
17. [BUG FIX] 090819549
The first login wizard cannot be completed
1. Reset to system default configuration
2. Login to DUT and the wizard will be popped up

3. Configure WAN as Ethernet or PPPoE mode
4. It always failed and error messages displayed
18. [BUG FIX] 090819699
IPSec tunnel cannot be built up again using IxVPN
1. Build one IPSec tunnel using IxVPN
2. Disconnect the IPSec tunnel and the tunnel cannot be built up again
3. Reboot DUT and the IPSec tunnel can be built up again
19. [BUG FIX] 090820772
External group user cannot work
1. Add an external group type user
2. Relate the external group user to AD server
3. Add the AD server object to the default Auth Method
4. Login DUT from GUI with the external group user
5. Browser shows Internal Server Error
20. [BUG FIX] 090820784
Test external group user will always fail
1. Add an external group user
2. Test this external group user in Configuration Validation will always fail
21. [BUG FIX] 090820819
Modem common command "&" can't be saved in Initial String.
1. Edit Configuration> Network> Interface> Auxiliary, Initial String= AT&Fl0m0,
2. Check Configuration> Network> Interface> Auxiliary, Initial String= AT
22. [BUG FIX] 090820940
If the checking failure message includes “`”, the web page cannot be opened successfully
when EPS check failed


Modifications in 2.20(AQQ.0)b1 - 2009/08/17

ZLD Packet Flow 2.0
Web GUI 2.0
SSLVPN Portal for Web GUI 2.0
Customized Log Page for Web GUI 2.0
Object Reference Query
Disable According Policy Route Rule while Interface Link Down or Ping Check Failed
Block non-SNATed Packet by Firewall
Device DNS Query Bind with Specific Interface
Unified Interface Enhancement
Packet Capture using GUI
Cellular Budget Support
Device HA Bridge Interface Support
Device HA Easy Configuration for VLAN Interface
Bypass Content Filter for VPN Traffic
RIP & OSPF VLAN Interface Support
MSN Login/Logout Log Support

EPS (End Point Security)
Authentication Policy
IPSec Fall Back Support
AAA Enhancement for External Group User


Appendix 1. Firmware upgrade / downgrade procedure

The following is the firmware upgrade procedure:

1. If user did not back up the configuration file before firmware upgrade, please follow the
procedures below:
- Use Browser to log in to ZyWALL as administrator.
- Click Maintenance > File Manager > Configuration File to open the Configuration File
screen. Use the Configuration File screen to back up the current configuration file.
- Find firmware at in a file that (usually) uses the system model name with
the .bin extension, for example, “210AQQ0C0.bin”.
- Click Maintenance > File Manager > Firmware Package to open the Firmware Package
screen. Browse to the location of the firmware package and then click Upload. The
ZyWALL automatically reboots after a successful upload.
- After several minutes, the system is successfully upgraded to the newest version.

The following is the firmware downgrade procedure:

1. If user has already backed up the configuration file before firmware upgrade, please follow the
procedures below:
- Use Console/Telnet/SSH to log in to ZyWALL.
- Router>enable
- Router#configure terminal
- Router(config)#setenv-startup stop-on-error off
- Router(config)#write
- Load the older firmware to ZyWALL using standard firmware upload procedure.
- After the system uploads and boots up successfully, log in to ZyWALL via GUI.
- Go to GUI > “File Manager” menu, select the backup configuration filename, for example,
startup-config-backup.conf and press “Apply” button.
- After several minutes, the system is successfully downgraded to the older version.

2. If user did not back up the configuration file before firmware upgrade, please follow the
procedures below:
1. Use Console/Telnet/SSH to log in to ZyWALL.
2. Router>enable
3. Router#configure terminal
4. Router(config)#setenv-startup stop-on-error off
5. Router(config)#write
6. Load the older firmware to ZyWALL using standard firmware upload procedure.
7. After system upload and boot-up successfully, login into ZyWALL via
8. Router>enable
9. Router#write

Now the system is successfully downgraded to older version.

Note: ZyWALL might lose some configuration settings during this downgrade procedure. It is
caused by configuration conflict between older and newer firmware version. If this situation
happens, user needs to configure these settings again.


Appendix 2. SNMPv2 private MIBS support

SNMPv2 private MIBs let the user monitor ZyWALL platform status. To use this feature,
complete the following steps:

1. Have ZyWALL MIB files (zywall.mib and zyxel-zywall-ZLD-Common.mib) and install them in your
MIB application (like MIB-browser). You can see zywallZLDCommon (OLD is
2. ZyWALL SNMP is enabled.
3. Use your MIB application to connect to ZyWALL.
4. SNMPv2 private MIBs support three kinds of status in ZyWALL:
(A) CPU usage: Device CPU loading (%)
(B) Memory usage: Device RAM usage (%)
(C) VPNIpsecTotalThroughput: The VPN total throughput (Bytes/s), Total means all
packets(Tx + Rx) through VPN.


Appendix 3. Firmware Recovery

In some rare situations, ZyWALL might not boot up successfully after firmware upgrade. The
following procedures are the steps to recover firmware to normal condition. Please connect
a console cable to ZyWALL.

1. Restore the Recovery Image

- If one of the following cases occurs, you need to restore the “recovery image”
- Booting failed, device shows error code while uncompressing “Recovery Image”.

- Device reboots infinitely.

- Nothing displays after “Press any key to enter debug mode within 3 seconds.” for
more than 1 minute.

- Startup message displays “Invalid Recovery Image”.


  - The message here could be “Invalid Firmware”. However, it is equivalent to
“Invalid Recovery Image”.

- Press any key to enter debug mode

- Enter atuk. The console prompts warning messages and waits for the confirmation.
Answer 'Y' and start to upload “recovery image” via Xmodem.

- Use the Xmodem feature of terminal emulation software to upload the file.
- Wait for about 3.5 minutes until Xmodem finishes.


- Enter atkz –f –l to configure FTP server IP address

- Enter atgo to bring up the FTP server on port 1

2. Restore Firmware
- If “Connect a computer to port 1 and FTP to to upload the new file” displays
on the screen, you need to recover the firmware by the following procedure.

- You will use FTP to upload the firmware package. Keep the console session open in order
to see when the firmware recovery finishes.
- Set your computer to use a static IP address from ~ No matter
how you have configured the ZyWALL's IP addresses, your computer must use a static IP
address in this range to recover the firmware.
- Connect your computer to the ZyWALL's port 1 (the only port that you can use for
recovering the firmware).
- Use an FTP client on your computer to connect to the ZyWALL. This example uses the ftp
command in the Windows command prompt. The ZyWALL's FTP server IP address for
firmware recovery is
- Log in without user name (just press enter).
- Set the transfer mode to binary. Use “bin” (or just “bi” in the Windows command prompt).
- Transfer the firmware file from your computer to the ZyWALL (the command is “put
1.01(XL.0)C0.bin” in the Windows command prompt).

- Wait for the file transfer to complete.


- The console session displays “Firmware received” after the FTP file transfer is complete.
Then you need to wait while the ZyWALL recovers the firmware (this may take up to 4

  - The message here might be “ZLD-current received”. Actually, it is equivalent to
“Firmware received”.

- The console session displays “done” when the firmware recovery is complete. Then the
ZyWALL automatically restarts.

- The username prompt displays after the ZyWALL starts up successfully. The firmware
recovery process is now complete and the ZyWALL is ready to use.
