ZyXEL Communications ZyWall USG 2000 User Manual page 903

I cannot get the application patrol to manage H.323 traffic.
Make sure you have the H.323 ALG enabled.
I cannot get the application patrol to manage FTP traffic.
Make sure you have the FTP ALG enabled.
The ZyWALL keeps resetting the connection.
If an alternate gateway on the LAN has an IP address in the same subnet as the
ZyWALL's LAN IP address, return traffic may not go through the ZyWALL. This is
called an asymmetrical or "triangle" route. This causes the ZyWALL to reset the
connection, as the connection has not been acknowledged.
You can set the ZyWALL's firewall to permit the use of asymmetrical route
topology on the network (so it does not reset the connection) although this is not
recommended since allowing asymmetrical routes may let traffic from the WAN go
directly to the LAN without passing through the ZyWALL. A better solution is to
use virtual interfaces to put the ZyWALL and the backup gateway on separate
subnets. See
for more information.
I cannot set up an IPSec VPN tunnel to another device.
If the IPSec tunnel does not build properly, the problem is likely a configuration
error at one of the IPSec routers. Log into both ZyXEL IPSec routers and check the
settings in each field methodically and slowly. Make sure both the ZyWALL and
remote IPSec router have the same security settings for the VPN tunnel. It may
help to display the settings for both routers side-by-side.
Here are some general suggestions. See also
• The system log can often help to identify a configuration problem.
• If you enable NAT traversal, the remote IPSec device must also have NAT
traversal enabled.
ZyWALL USG 2000 User's Guide
Asymmetrical Routes on page 437
Chapter 57 Troubleshooting
and the chapter about interfaces
Chapter 25 on page 447.
903