Zyxel Device Troubleshooting Guide: Checklists & Common Scenarios Before Contacting Support

When working with Zyxel devices in enterprise or SMB environments, this article outlines common issues you can run into by device type—Access Points (APs), Switches, and Firewalls—and provides pre-support checklists and diagnostics collection tips to help resolve problems efficiently.

AP

1. AP not coming online in Nebula during initial setup
2. AP appearing offline in Nebula
3. Wireless clients disconnecting
4. AP bridge(and all Nebula devices connected behind) offline in Nebula
5. Slow wireless speeds compared to wired clients

Switch

1. Switch not coming online in Nebula during initial setup
2. Switch appearing offline in Nebula
3. multicast/broadcast storms
4. High CPU/Memory usage or unusual behavior (e.g. lag, packet drops)

Firewall

1. Network disruptions caused by default max sessions limit per host
2. Content filter not blocking desired content
3. High CPU or memory usage
4. DHCP issues on LAN clients
5. Firewall policy misconfiguration

Access Points (AP)

1. AP Not Coming Online in Nebula (Initial Setup)

• Perform a factory rest by pressing RESET button located behind the AP for 10 seconds until LED turns off and starts to blink

• Is AP getting LAN IP from DHCP server (check DHCP table)
• Is AP getting correct default gateway
• Is AP getting proper DNS(try using public DNS 8.8.8.8)
  • Can it resolve d.nebula.zyxel.com
  • Can it resolve s.nebula.zyxel.com
• If AP is not getting an IP address from DHCP server, use ZON Utility to try and locate the AP
• If the AP is reachable at its IP(PING), access the WEB GUI via IP address on a web browser and perform a firmware update manually.  After the firmware update is down, perform the reset procedure again.
   

2. AP Appearing Offline in Nebula

• If the AP is reachable at its IP(PING), access the WEB GUI(login credentials in Nebula under “Site Settings”) via IP address on a web browser and check Cloud Control Status
• Is AP getting LAN IP from DHCP server (check DHCP table)
• Is AP getting correct default gateway
• Is AP getting proper DNS(try using public DNS 8.8.8.8).  
• Access the AP via SSH(login credentials in Nebula under “Site Settings”)or login to WEB GUI and check if it can resolve the following domains:
  • d.nebula.zyxel.com
  • s.nebula.zyxel.com
• If AP is not getting an IP address from DHCP server, use ZON Utility to try and locate the AP

3. Wireless Clients Disconnecting

• Make sure AP firmware is up to date
• Note if issue is affecting all clients or specific ones (device-specific issue vs. network-wide)
• In Nebula, review Event Logs(by wireless client MAC address) for disconnection time and check reasons 
  • authentication failure
  • Roaming
  • weak signal
  • Load balancing
  • Band steering
• Check channel utilization/interference during time of disconnect under:
  • Device > Access Point > [selected affected AP] > Access Point Usage and Connectivity

• If possible, temporarily disable advanced features (band steering, load balancing, smart mesh) to isolate root cause

• For client-specific issues, check if the wireless driver is up to date and verify power-saving settings
• For escalation to Zyxel Support, collect AP diagnostics via WEB GUI during or right after the issue—before power cycling, as a reboot will erase crucial logs:  
  • Maintenance > Diagnostics > Diagnostics Tab

4) AP bridge (and all Nebula devices connected behind) offline in Nebula

• Check if root AP is online and stable in Nebula (uplink AP in bridge configuration) 
• Verify bridge mode setup in Nebula under Access Point > Configure > AP & Port Settings
• Confirm mesh/bridge AP is powered and LEDs indicate activity (power, wireless link)
• Check wireless signal/link quality between root AP and bridge AP:
  • Check AP logs for Root AP disconnecting from bridge AP
  • Check root and bridge APs for high channel utilization during time of disconnect:  Device > Access Point > [selected affected AP] > Access Point Usage and Connectivity
  • If high utilization on 2.4ghz, try forcing wireless bridge link to 5ghz 
• If possible, connect a laptop to the bridge AP’s LAN port to test if it gets a LAN IP (to verify connectivity)
• For escalation to Zyxel Support, collect AP diagnostics via WEB GUI during or right after the issue—before power cycling, as a reboot will erase crucial logs:  
  • Maintenance > Diagnostics > Diagnostics Tab

After collecting diagnostics:

• Reboot both root and bridge AP and monitor for recovery
• If mesh AP is powered on but offline, you can try performing a factory reset (RESET button for 10 seconds until LED blinks) and re-adopt to Nebula by physically connecting wired uplink before moving back to wireless bridge AP

5. Slow Wireless Speeds vs Wired

• Ensure AP firmware and client Wi-Fi drivers are up to date
• Confirm if issue affects all wireless clients or specific devices
• Test speed using same server (e.g., speedtest.net) on both wired and wireless clients for accurate comparison
• Check signal strength and connection rate of affected client
  • in Nebula clients note -dbm signal during test
  • SSH:  show wireless-hal station info
• Check for channel interference under: 
  • Device > Access Point > [selected affected AP] > Access Point Usage and Connectivity
• Disable/reduce load-balancing or band steering temporarily to isolate cause
• If possible, connect a laptop to the AP’s LAN port to verify wired speedtest
• If using mesh, test client performance on AP with wired uplink to compare speeds
• For escalation to Zyxel Support, collect AP diagnostics via WEB GUI during or right after the issue—before power cycling, as a reboot will erase crucial logs:  
  • Maintenance > Diagnostics > Diagnostics Tab

After collected diagnostics:

• Reboot AP and client device to rule out temporary performance drops

Switches

1. Switch Not Coming Online in Nebula (Initial Setup)

• If setting up multiple switches, connect only the core switch first and wait for it to come online in Nebula before adding others.
• Perform a factory reset by holding the RESTORE button for 10 seconds
• SYS LED should become solid within ~5 minutes
• Is the switch getting a LAN IP from the DHCP server (check DHCP table)?
• Is it getting the correct default gateway?
• Is it getting proper DNS (try using public DNS 8.8.8.8)?
• Can the switch resolve(via WEB GUI or SSH):
  • d.nebula.zyxel.com
  • s.nebula.zyxel.com
• If the switch is not getting an IP from DHCP, use ZON Utility to discover the device
• If reachable via IP (PING), access the Web GUI and manually upgrade firmware
• After firmware update, perform reset again to try and re-connect to Nebula

If switch is on the latest firmware, receiving LAN IP from DHCP but is still not come online in Nebula, please collect techsupport diagnostics files to escalate with Zyxel Tech Support team:

• Maintenance > Tech-Support > Download ALL

2. Switch Appearing Offline in Nebula

• Check if the switch is still reachable via IP (PING)
• Log in to the Web GUI (credentials in Nebula under “Site Settings”) and check Cloud Control Status
• Verify the switch is getting:
  • LAN IP (DHCP table)
  • Correct default gateway
  • Proper DNS (use 8.8.8.8 if needed) 
• Use SSH or Web GUI to check domain resolution:
  • d.nebula.zyxel.coms.nebula.zyxel.com
• If reachable via IP (PING), access the Web GUI and manually upgrade to latest firmware
• If the switch is not getting an IP from DHCP, use ZON Utility to discover the device

If switch is on the latest firmware, receiving LAN IP from DHCP but is still not come online in Nebula, please collect techsupport diagnostics files to escalate with Zyxel Tech Support team:

• Maintenance > Tech-Support > Download ALL
• Reboot the switch and monitor for re-connection
• If persistent, perform a factory reset and re-adopt in Nebula

3) Multicast/broadcast storms

• Check Switch logs for broadcast storms and multicast storms during expected network disruption
• Check switch CPU usage in Nebula: 
  • Device > Switch > [affected switch] > CPU%
• Enable storm control on affected ports or VLANs
• Look for loops in topology – ensure loop protection and STP are enabled
• Identify source device flooding the network MAC address and/or packet captures
• Temporarily isolate or shut down suspected port to confirm behavior
• Review multicast settings (IGMP Snooping should be enabled if using multicast)

If switch is on the latest firmware, receiving LAN IP from DHCP but is still not come online in Nebula, please collect techsupport diagnostics files to escalate with Zyxel Tech Support team:

• Maintenance > Tech-Support > Download ALL

4) High CPU/Memory usage or unusual behavior (e.g. lag, packet drops)

• Check System Info in Nebula or Web GUI for CPU and memory utilization
• Review Event Logs for error messages or repeated process restarts
• Verify there are no loops or constant topology changes (enable STP)
• Monitor for excessive broadcast/multicast storms (enable storm control)
• Temporarily disable unused ports or segments and observe load changes
• If issue persists, collect diagnostics and escalate to Zyxel Support
  • Maintenance > Tech-Support > Download ALL

After collected switch diagnostic during time of high CPU/MEM

• Reboot the switch and monitor post-boot behavior

Firewall

1. Max Sessions Limit Per Host

If intermittent issues occur on one or a few LAN devices (e.g., page loading, accessing network resources, or reaching other devices), check the firewall logs for the source LAN IP and look for "max session limit reached" messages.

• Check session usage per host under:
  • (Standalone on-premise mode) Monitor > Session > Session Monitor
  • SSH:  Router> show conn ip-traffic source
• Review current session limit under:
•  Security Policy > Session Control
• Increase per-host session limit if necessary (default is 1000 per host)
  • If after increasing the session limit, the behavior persists, reboot LAN client device or check sessions on LAN client device with tools “TCPView”
  • We do not recommend changing the session limit to “unlimited”
• Identify devices generating excessive sessions (e.g., torrent, malware, misconfigured apps)
• Use Application Patrol to block or throttle session-heavy applications
• Restart affected client device and monitor for recurrence

2. Content Filter Not Blocking Sites

• Ensure Content Filter is enabled under Security Service > Content Filter and correct profile is applied to the relevant policy.
• Enable SafeSearch and HTTPS Domain Filter for blocking HTTPS sites.
• Enable SSL Inspection to decrypt encrypted traffic for filtering.
• Add specific domains/keywords to Custom Block List for more precise filtering
  • For wildcard block use:  *.youtube.com
• Clear browser cache or use incognito mode to rule out cached results.
• Combine with DNS Filtering for more comprehensive blocking at the DNS level.
• Use packet capture to check for QUIC traffic (UDP port 443) if websites bypass filters.
  • If QUIC protocol is identified:
    • create security policy to block UDP 443 traffic
    • Add QUICK to App Patrol profile and apply

3. High CPU/Memory Usage

• Ensure firmware is up to date
• Monitor usage under Monitor > System Status > CPU/Memory
• Check process via SSH:
  • debug system ps
• Check CPU status via SSH:
  • Show cpu status
  • Show cpu average
  • Show cpu all
• Disable all UTM services temporarily and check for performance changes

If firewall is on the latest firmware, and the WEB GUI is accessible, please collect diagnostics files to escalate with Zyxel Tech Support team:

• Maintenance > Tech-Support > Download ALL

If diagnostics have been collected:

• Reboot device and observe behavior post-restart 

4. DHCP Issues on LAN Clients

If LAN clients fail to obtain IP addresses or experience intermittent connectivity:

• Verify DHCP server is enabled:
  • Configuration > Network > Interface > [LAN interface] > DHCP Setting
• Ensure DHCP pool range does not conflict with static IPs or exceed subnet size
• Use CLI to view active DHCP leases:
  • Router> show ip dhcp binding
• Release/renew IP on client device or use 
• “ipconfig /release” && “ipconfig /renew” (Windows)
• Check for rogue DHCP servers on the network — use packet capture or Wireshark to identify unexpected DHCP offers (Note: Look for multiple DHCP Offer messages responding to the same Discover)
• Perform a packet capture to observe the DHCP handshake (DORA: Discover, Offer, Request, Acknowledgment) This can help identify where the process fails — e.g. client sends Discover, but no Offer is received
• Filter by protocol bootp or ports 67/68 to isolate DHCP traffic
• If Discover is sent but no Offer received, the DHCP server may be unreachable or overloaded If Offer is received but no Request/Ack follows, client may be misconfigured or ignoring the reply

Reboot firewall or affected switch if issue persists across multiple clients

5. Firewall Policy Misconfiguration

If certain traffic is unexpectedly allowed or blocked, or users report inability to access internal or external services:

• Review relevant security policies under: Configuration > Security Policy > Policy Control
• Check rule order — rules are evaluated top-down. Ensure intended policies are not shadowed by broader rules above.
• Verify correct source/destination zones, addresses, and services are selected.
• Check action type (allow/deny) and associated profile settings (e.g., Content Filter, App Patrol, IDP).
• Temporarily move the suspected policy to the top of the list to test if it resolves the issue (revert once confirmed)
• If VPN-related, check corresponding VPN rule and security policy are both present and correctly configured

Perform packet capture for affected traffic: Maintenance > Diagnostics > Packet Capture Use filters to narrow capture by IP/port and analyze for matching policies

Before Contacting Zyxel Tech Support

For all device types, collect the following:

• Device diagnostics or tech-support files via Web GUI
• Screen captures of Nebula Event Logs or configuration
• Specific timestamps of issue occurrence
• Ping/traceroute results if network path is in question

Always collect diagnostics before rebooting the device, as logs may be lost during power cycles.