This article will troubleshoot the SecuExtender SSL VPN Client on Stand-alone & Nebula [For USG FLEX / ATP / VPN Series]. It includes disconnection right after connection, cannot connect to the SSL VPN, and SecuExtender cannot be opened, and Service "ZyWALL SecuExtender Helper" (ZyWALL SecuExtender Helper) failed to start. And solutions include firewall rule not allowing SSL VPN port [often 443], Visual C++ not installed, SecuExtender Adapter not responding/working, and the PC / Mac has ARM processor, which is not supported.
Table of Content
1. SSL VPN disconnects right after connecting
Sometimes, when connecting the SSL VPN client SecuExtender, right after connecting, it disconnects. The log indicates the following:
- USER XYZ has logged in to ZyWall
- USER XYZ has logged in to SSLVPN
- USER XYZ has logged out of ZyWall
If this happens, eventually check the password - in some cases, especially on older USG devices, when using special characters such as "!", "?" characters etc. in the password, this issue occurs. Using a simpler password without special characters might solve the problem.
Also, make sure that you do not use the same User twice.
Alternatively, check your driver settings according to this little guide:
The most current SecuExtender version is 184.108.40.206. If you’re not using this version, please update it first (SecuExtender_Windows220.127.116.11).
Before installing the latest SecuExtender, you should update your windows with the latest patches, install the SecuExtender software afterwards and try the SSL VPN connection again.
1.1 Solution steps
If the SSL VPN is still not working, follow the steps below and share the screenshot to check further.
1.1.1 See if SecuExtender Network Adapter is working or not
Go to device manager -> network adapters then check if the SecuExtender is working or not (TAP-Windows Adapter V9 for Zyxel SecuExtender)
1.1.2 See if Visual C++ 2015 is installed or not
Go to control panel -> programs. Then check if the “Visual C++ 2015” is installed or not
2) SSL VPN connection fails - Firewall rule missing
2.1 Solution Steps
If you cannot connect to the firewall via SSL VPN, this is mostly due to the fact that external access via HTTPS is not permitted in the firewall. The firewall needs to allow the SSL VPN traffic from WAN to Zywall, or else it will fail.
2.1.1 Check Firewall rule
Here it is sufficient to add the HTTPS port to the existing Default_Allow_WAN_To_ZyWALL rule.
2.1.2 Check if Service object contains HTTPS (or SSL VPN port)
Navigate to Configuration > Object > Service > Service Groupand make sure HTTPS is included:
2.1.3 Double-Check the HTTPS port for SSL VPN
There is also the possibility to adjust the HTTPS port in the SSL VPN settings.
So you can enable SSL VPN without opening external access to the web interface of your device.
The SSL VPN Port can be adjusted under
Configuration > VPN > SSL VPN > Global Setting
Do not forget to create the service object for the SSL VPN Port and add it to the Default_Allow_WAN_To_ZyWALL rule as described above.
More information below
From firmware v5.00 onwards you can use a different port for the SSL VPN, so only the SecuExtender can log in on this port, no admin nor any other user.
To set this up, you have to log into your USG and change the SSL-VPN port under
Configuration > VPN > SSL VPN > Global Setting
Next you need to create a firewall rule that allows this port from WAN to ZyWall. In general you can simply add a service under
Configuration > Object > Service
and add this new Service to the Default_WAN_to_Zywall group.
If you don't want to log in as an admin or user to the Web GUI of the device, you now can simply remove the HTTPS access from WAN to ZyWall. In general this can be done by removing the HTTPS service from the default_WAN_to_ZyWall group.
3) SecuExtender cannot be run on Windows Client / PC
In some cases it can happen that our VPN solutions cannot be run on a Windows client.
In many cases it is because these clients use ARM processors, which are not compatible in this scenario.
Our Client VPN solutions for SSL and IPSec have a limitation that they are not intended for use in connection with ARM processors.
Accordingly it is not possible to run VPN clients on devices with these processors.
3.1 Solution Steps
3.1.1 Alternative Solution - L2TP VPN
In order to still be able to use a remote VPN connection on the affected clients, L2TP over IPSec would be a possible alternative.
The setup guides for L2TP you can find here:
3.1.2 How do I find out if my PC is compatible with SecuExtender?
To find which processor is used on the client, navigate toSettings > System > Aboutand search for the option “Device specifications.”
The name of your computer’s processor and its speed are displayed to the right of “Processor.”
4) Service "ZyWALL SecuExtender Helper" (ZyWALL SecuExtende Helper) failed to start!
Sometime's it happens that the SecuExtender SSL VPN clients fails to start. Below we describe how to solve this issue.
4.1 Solution Guide
- Download the file which is attached to this KB-Article. Then enter your driver folder:
(Default on older Windows Systems) C:\Windows\System32\drivers
- Copy the tap0901_zyxel.sys to the folder.
- Reinstall the ZyWall SecuExtender programm
This should resolve your issue. Otherwise, please step into contact with our support staff!